The FreeIPA team would like to announce the FreeIPA 4.9.10 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.10

  • 1539: [RFE] Add code to check password expiration on ldap bind

    Users can no longer perform an LDAP BIND operation with an expired password.


  • 8803: Add support for managing IdP references

    FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, Github, and Okta. Details on how to use Keycloak can be found in FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html


  • 8977: subid: subid-match displays the DN of the owner, not its UID.

    subid: subid-match now displays the UID of the range owner, not its DN.


  • 9128: Turn down debug from ipa-dnskeysyncd

    ipa-dnskeysyncd and ipa-ods-exporter daemons used to log all debug messages in the journal. The log level can now be configured by setting debug=True in /etc/ipa/dns.conf. For more information refer to default.conf(5).


  • 9147: ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory

    The uninstaller is now able to properly handle configurations originally done with authconfig instead of authselect.


  • 9150: Remove ‘Remove’ button from subid page

    subid ranges cannot be removed. The button on the Web UI subid management page that offered to remove a range has been removed so that it does not confuse users.


  • 9159: [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf

    IPA installers now provide the ability to configure SSSD as the data source for subid.


  • 9171: Boolean value not mapped on WebUI checkbox

    FreeIPA now properly exposes boolean LDAP values at IPA API Python and JSON-RPC levels. External IPA API consumers might need to switch from using “TRUE” and “FALSE” strings to True and False boolean values.


  • 9174: Update Suse support in freeipa

    The FreeIPA client installer now supports configuring openSUSE versions from 15.3 through Tumbleweed.

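The boolean change in ticket 9171 above affects every external JSON-RPC consumer: older servers returned Boolean-syntax LDAP attributes as the strings "TRUE"/"FALSE", while 4.9.10 returns real JSON booleans. The following Python helper is an added example, not FreeIPA's own code; it normalizes both shapes so a client keeps working across the upgrade. The sample responses and the attribute name used in them are constructed for illustration.

```python
import json

# Constructed sample IPA JSON-RPC response bodies (not captured from a real server).
# Pre-4.9.10 servers return the Boolean-syntax attribute as a wrapped "TRUE"/"FALSE"
# string; 4.9.10 returns a JSON boolean. The attribute name is illustrative only.
LEGACY_RESPONSE = json.dumps({
    "result": {"result": {"cn": ["allow_all"], "ipaenabledflag": ["TRUE"]},
               "value": "allow_all", "summary": None},
    "error": None, "id": 0,
})
NEW_RESPONSE = json.dumps({
    "result": {"result": {"cn": ["allow_all"], "ipaenabledflag": True},
               "value": "allow_all", "summary": None},
    "error": None, "id": 0,
})


def to_bool(value):
    """Normalize an IPA boolean attribute value to a Python bool.

    Accepts a bool, the legacy 'TRUE'/'FALSE' strings (any case), or a
    single-element list wrapping either; anything else raises ValueError
    rather than silently guessing.
    """
    if isinstance(value, list):
        if len(value) != 1:
            raise ValueError(f"expected a single boolean value, got {value!r}")
        value = value[0]
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        upper = value.strip().upper()
        if upper == "TRUE":
            return True
        if upper == "FALSE":
            return False
    raise ValueError(f"not an IPA boolean: {value!r}")


def attribute_as_bool(response_text, attr):
    """Extract one boolean attribute from a raw IPA JSON-RPC response body."""
    body = json.loads(response_text)
    if body.get("error"):
        raise RuntimeError(body["error"])
    return to_bool(body["result"]["result"][attr])


def build_request(method, args, **options):
    """Build an IPA JSON-RPC request dict; boolean options are sent as JSON
    booleans (True/False), never as the strings "TRUE"/"FALSE". Serialize
    with json.dumps() before posting."""
    return {"method": method, "params": [list(args), options], "id": 0}
```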

Bug fixes

FreeIPA 4.9.10 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 20 bug fixes since the FreeIPA 4.9.9 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.

Resolved tickets

  • #1539 (rhbz#782917) [RFE] Add code to check password expiration on ldap bind

  • #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck

  • #8803 Add support for managing IdP references

  • #8804 Extend supported user authentication methods in IPA to allow IdP auth

  • #8805 Extend `ipa-otpd` daemon to recognize IdP references

  • #8977 (rhbz#2000947) subid: subid-match displays the DN of the owner, not its UID.

  • #9121 (rhbz#2056508) Ipa server ignores max ticket lifetime when using spake preauth, issues ticket with 24h lifetime

  • #9128 (rhbz#2059396) Turn down debug from ipa-dnskeysyncd

  • #9136 (rhbz#1872467) Add tests for ipa-healthcheck setting command-line options in configuration

  • #9140 Test test_rekey_keytype_DSA should be disabled

  • #9145 Configure email subject line for IPA EPN

  • #9146 Nightly test failure in `test_epn.py::TestEPN::test_EPN_config_file`

  • #9147 (rhbz#1958777) ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory

  • #9148 documentation build fails in readthedocs

  • #9150 (rhbz#2063155) Remove ‘Remove’ button from subid page

  • #9151 (rhbz#2012911) Disable DNSSEC in ipa-healthcheck tests

  • #9152 Regression in TestIpaHealthCheckWithoutDNS

  • #9155 Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split

  • #9157 implement support for bind 9.18+

  • #9159 (rhbz#2068088) [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf

  • #9162 (rhbz#2004646) RFE: Improve error message with more detail for ipa-replica-install command

  • #9165 Nightly test failure (rawhide) in test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp

  • #9167 Nightly test failure in test_graceperiod_not_replicated

  • #9171 Boolean value not mapped on WebUI checkbox

  • #9173 Inconsistent ACI before/after running ipa-server-upgrade

  • #9174 Update Suse support in freeipa

  • #9175 ipatests: need to update expected output for ipa-healthcheck’s DogtagCertsConnectivityCheck

  • #9176 (rhbz#2092015) secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml

  • #9178 idviews: use cached ipaOriginalUid value when resolving ID override anchor

  • #9180 Add new config option for LDAP cache debugging

Detailed changelog since 4.9.9

Armando Neto (2)

  • ipatests: bump pr-ci templates commit

  • workshop: Update docs and support default cloud image commit

Alexander Bokovoy (29)

  • idviews: use cached ipaOriginalUid value when resolving ID override anchor commit #9178

  • ipaldap: fix conversion from boolean OID to Python commit #9171

  • ipa-kdb: avoid additional checks for a well-known anonymous principal commit #9165

  • Ignore dnssec-enable-related named-checkconf errors in test commit #9157

  • Support dnssec utils from bind 9.17.2+ commit #9157

  • ipa-kdb: apply per-indicator settings from inherited ticket policy commit #9121

  • freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split commit #9155

  • docs: tune RTD to display lists with disc and left margin commit

  • workshop: add chapter 12: External IdP support commit

  • freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism commit #8805

  • doc/workshop: document use of pam_sss_gss PAM module commit

  • External IdP: initial SELinux policy commit

  • External IdP: add Web UI to manage IdP references commit

  • KDB: support external IdP configuration commit #8804

  • ipa-otpd: add support for SSSD OIDC helper commit #8805

  • external-idp: add XMLRPC tests for External IdP objects and idp indicator commit #8803, #8804

  • external-idp: add support to manage external IdP objects commit #8803, #8804

  • external-idp: add LDAP schema, indices and other LDAP objects commit #8803

  • doc/designs: add External IdP support design documents commit #8803, #8804, #8805

  • js tests: use latest grunt commit

  • Azure CI: don’t force non-existing OpenSSL configuration anymore commit

  • Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use commit

  • Switch Azure CI to Fedora 36 pre-release commit

  • web ui: do not provide Remove button in subid page commit #9150

  • docs: force sphinx version above 3.0 to avoid caching in RTD commit

  • docs: update Sphinx requirements in ipasphinx package commit #9148

  • docs: add the readthedocs configuration commit #9148

  • docs: add plantuml and use virtual environment to generate docs commit #9148

  • doc: migrate to m2r2 and newer sphinx, add plantuml to venv commit #9148

Anuja More (2)

  • pr-ci definitions: add external idp related jobs. commit

  • ipatests: Add integration tests for External IdP support commit #8803, #8804, #8805

Antonio Torres (1)

  • Back to git snapshots commit

Matthew Davis (1)

  • Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR commit #9174

Florence Blanc-Renaud (12)

  • ACI: define “Read DNS entries from a zone” aci during install commit #9173

  • ipatests: update expected output for boolean attribute commit #9171

  • ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean commit #9171

  • ipatest: update expected out for ipa-healthcheck’s DogtagCertsConnectivityCheck commit #9175

  • ipatests: add new test with --subid installer option commit #9159

  • man pages: document the --subid installer option commit #9159

  • Installer: add --subid option to select the sssd profile with-subid commit #9159

  • client uninstall: handle uninstall with authconfig commit #9147

  • ipatests: --no-dnssec-validation requires --setup-dns commit #9152

  • ipatests: remove test_rekey_keytype_DSA commit #9140

  • ipatests: update the expected sha256sum of epn.conf file commit #9146

  • EPN: document missing option msg_subject commit #9145

Francisco Trivino (3)

  • Update subordinate design doc commit

  • Update ipa-replica-install replication agreement error message commit #9162

  • ipatests: Bump PR-CI latest templates to Fedora 36 commit

Michal Polovka (4)

  • ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version commit #8582

  • ipatests: tasks: add ipactl start, stop and restart commit

  • ipatests: RFE: Improve ipa-replica-install error message commit #9162

  • ipatests: test_subids: test subid-match shows UID of the owner commit #8977

Rob Crittenden (14)

  • Add switch for LDAP cache debug output commit #9180

  • Remove extraneous AJP secret from server.xml on upgrades commit #9176

  • graceperiod: ignore case when checking for missing objectclass commit #1539

  • Set default LDAP password grace period to -1 commit #1539

  • doc: Design document for LDAP graceperiod commit #1539

  • Don’t duplicate the LDAP gracelimit set in the previous test commit #9167

  • Configure and enable the graceperiod plugin on upgrades commit #1539

  • dnssec daemons: read the dns context config file for debug state commit #9128

  • healthcheck: add tests for setting cli options in config file commit #9136

  • Exclude passwordgraceusertime from replication commit #1539

  • Remove the replicated attribute constants commit #1539

  • Implement LDAP bind grace period 389-ds plugin commit #1539

  • If the password auth type is enabled also enable the hardened policy commit #9121

  • kdb: The jitter offset should always be positive commit #9121

Sudhir Menon (2)

  • ipatests: ipahealthcheck tests to check change in permission of ipaserver log files commit

  • ipatests: Adding --no-dnssec-validation option for healthcheck commit #9151

Thorsten Scherf (2)

  • workshop: add freeipa version requirements commit

  • workshop: add freeipa version requirements commit