The FreeIPA team would like to announce the FreeIPA 4.9.10 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.10
1539: [RFE] Add code to check password expiration on ldap bind
Users can no longer perform an LDAP BIND (simple bind) with an expired password. Previously only Kerberos authentication enforced password expiration, so an application that authenticated against the directory directly still accepted an expired password. Enforcement is now done by the graceperiod 389-ds plugin, which is configured and enabled on upgrade; the number of binds still permitted after expiration is controlled by the grace limit in the password policy.
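The bind decision described above, as an added example that models the policy rather than reproducing FreeIPA or 389-ds code. The attribute names (passwordGraceLimit on the policy, passwordGraceUserTime on the entry) and the convention that -1 means unlimited grace logins are assumptions carried over from the graceperiod design for illustration; the credential check itself is out of scope.

```python
import datetime as dt

# Added example, not FreeIPA code. The attribute names and the -1 convention
# below are assumptions for illustration.
GRACE_UNLIMITED = -1


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime as stored in krbPasswordExpiration,
    e.g. '20220601000000Z' (UTC, second resolution)."""
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


class Account:
    """The slice of a user entry plus its policy that the decision needs."""

    def __init__(self, uid, krb_password_expiration=None, grace_limit=0):
        self.uid = uid
        self.expiration = (parse_generalized_time(krb_password_expiration)
                           if krb_password_expiration else None)
        self.grace_limit = grace_limit   # assumed: passwordGraceLimit from the policy
        self.grace_used = 0              # assumed: passwordGraceUserTime on the entry


def simple_bind(account, now):
    """Decide a simple bind whose password was verified correctly.

    Returns (allowed, reason). A bind after expiry consumes one grace login;
    once the limit is exhausted the bind is refused, which is the behaviour
    this release introduces.
    """
    if account.expiration is None or now < account.expiration:
        return True, "password not expired"
    if account.grace_limit == GRACE_UNLIMITED:
        account.grace_used += 1
        return True, "expired, unlimited grace logins"
    if account.grace_used < account.grace_limit:
        account.grace_used += 1
        return True, f"expired, grace login {account.grace_used} of {account.grace_limit}"
    return False, "expired, grace logins exhausted"


def replay(account, attempts):
    """Replay bind attempts (GeneralizedTime strings) and return the outcomes."""
    return [simple_bind(account, parse_generalized_time(t))[0] for t in attempts]


if __name__ == "__main__":
    # Constructed sample: password expired at 2022-06-01 00:00:00Z, two grace logins.
    alice = Account("alice", "20220601000000Z", grace_limit=2)
    for when in ["20220531235959Z", "20220601000100Z", "20220601000200Z", "20220601000300Z"]:
        print(when, simple_bind(alice, parse_generalized_time(when)))
```

With a grace limit of 0 the first bind after expiry is already refused; with -1 the pre-4.9.10 behaviour (binds keep succeeding) is preserved, so check the policy value before relying on the new enforcement.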
8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers that support the OAuth 2.0 Device Authorization Grant (RFC 8628). Because the host at which the user logs in has no browser of its own, the user is shown a verification URL and a short code, completes the login at the IdP in a browser, and IPA issues Kerberos credentials once the IdP confirms the authorization. IdPs known to work are Keycloak, Microsoft Azure, Google, GitHub, and Okta. Details on how to use Keycloak can be found in the FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html
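The device authorization exchange that the IdP integration relies on, as an added example that simulates both sides in-process. This is not FreeIPA, SSSD or ipa-otpd code: the endpoint URIs, client_id, subject and codes are constructed, and the token reply carries the subject directly instead of in an id_token, which is a simplification.

```python
import secrets

# Added example, not FreeIPA code: an in-process simulation of the OAuth 2.0
# Device Authorization Grant (RFC 8628). URIs, client_id and subjects are constructed.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # RFC 8628 section 6.1 suggestion


class FakeClock:
    """Deterministic clock so the polling loop does not really sleep."""
    def __init__(self, start=1_650_000_000):
        self.t = start

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeIdP:
    """The IdP side: device authorization endpoint, user approval, token endpoint."""
    VERIFICATION_URI = "https://idp.example.test/device"   # constructed

    def __init__(self, clock, client_id, expires_in=600, interval=5):
        self.clock, self.client_id = clock, client_id
        self.expires_in, self.interval = expires_in, interval
        self.pending = {}   # device_code -> state of the authorization request

    def device_authorization(self, client_id, scope):
        """POST /device_authorization (RFC 8628 sections 3.1 and 3.2)."""
        if client_id != self.client_id:
            return {"error": "invalid_client"}
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {"user_code": user_code, "scope": scope,
                                     "expires_at": self.clock.now() + self.expires_in,
                                     "interval": self.interval, "last_poll": None,
                                     "subject": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "verification_uri_complete": f"{self.VERIFICATION_URI}?user_code={user_code}",
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code, subject):
        """The user's browser step at the IdP: enter the code, log in, consent."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["subject"] is None:
                state["subject"] = subject
                return True
        return False

    def token(self, client_id, device_code):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code
        (RFC 8628 sections 3.4 and 3.5)."""
        state = self.pending.get(device_code)
        if client_id != self.client_id or state is None:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < state["interval"]:
            state["last_poll"] = now
            state["interval"] += 5          # client must back off by 5 seconds
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # Simplification: a real IdP carries the subject in an id_token or userinfo.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": state["subject"]}


def device_login(idp, clock, client_id, user_action):
    """The client side, in the role the IPA host plays: obtain the codes, build
    the prompt the user sees, then poll until approval, expiry or a hard error.
    user_action(user_code, poll_number) stands in for the out-of-band browser step."""
    auth = idp.device_authorization(client_id, "openid")
    if "error" in auth:
        raise RuntimeError(auth["error"])
    prompt = f"Authenticate at {auth['verification_uri']} and enter code {auth['user_code']}"
    interval, polls = auth["interval"], 0
    while True:
        polls += 1
        user_action(auth["user_code"], polls)
        resp = idp.token(client_id, auth["device_code"])
        if "access_token" in resp:
            return {"prompt": prompt, "polls": polls, "sub": resp["sub"]}
        if resp["error"] == "slow_down":
            interval += 5
        elif resp["error"] != "authorization_pending":
            raise RuntimeError(resp["error"])
        clock.sleep(interval)
```

The three error branches matter operationally: `authorization_pending` is the normal state while the user is still at the IdP, `slow_down` means the client is polling faster than the advertised interval and must add five seconds, and `expired_token` ends the attempt, so a login that is never completed in the browser fails closed instead of hanging.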
8977: subid: subid-match displays the DN of the owner, not its UID.
subid: subid-match now displays the UID of the range owner, not its DN.
9128: Turn down debug from ipa-dnskeysyncd
The ipa-dnskeysyncd and ipa-ods-exporter daemons used to log all debug messages to the journal. They now read the DNS context configuration file, so the log level can be set with debug=True in the [global] section of /etc/ipa/dns.conf. For the file format refer to default.conf(5).
9147: ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory
The uninstaller now correctly handles client configurations that were originally done with authconfig rather than authselect.
9150: Remove ‘Remove’ button from subid page
subid ranges cannot be removed. The Remove button on the Web UI subid management page was removed so that it no longer suggests otherwise.
9159: [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
IPA installers now provide a --subid option that configures SSSD as the data source for subordinate IDs, by selecting the authselect sssd profile with the with-subid feature (subid: sss in /etc/nsswitch.conf).
9171: Boolean value not mapped on WebUI checkbox
FreeIPA now exposes boolean LDAP attribute values as proper booleans at the IPA API Python and JSON-RPC levels. External IPA API consumers that compared against the strings "TRUE" and "FALSE" need to switch to the True and False boolean values (JSON true and false).
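A compatibility shim for an external JSON-RPC consumer that has to work against servers on both sides of this change, as an added example that is not FreeIPA code. The sample replies are constructed to look like a host-show result for a host entry with ipakrbrequirespreauth set; their field values are not captured from a real server.

```python
import json

# Added example, not FreeIPA code. LDAP Boolean syntax (RFC 4517) uses exactly
# the strings TRUE and FALSE; the JSON-RPC API returned them verbatim before
# 4.9.10 and returns JSON true/false from 4.9.10 on.
_LDAP_BOOL = {"TRUE": True, "FALSE": False}


def ldap_bool(value):
    """Return a Python bool for a boolean attribute from either API generation.

    Accepts a JSON bool, an LDAP Boolean string, or a single-element list of
    either (FreeIPA returns LDAP attribute values as lists). Anything else is
    rejected rather than coerced, so a schema surprise does not silently read
    as False.
    """
    if isinstance(value, list):
        if len(value) != 1:
            raise ValueError(f"expected exactly one value, got {value!r}")
        value = value[0]
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.upper() in _LDAP_BOOL:
        return _LDAP_BOOL[value.upper()]
    raise TypeError(f"not an LDAP boolean: {value!r}")


def requires_preauth(jsonrpc_reply):
    """Read ipakrbrequirespreauth out of a host-show style JSON-RPC reply.

    Returns None when the attribute is absent (unset in LDAP, so the KDC
    default applies) instead of guessing a value.
    """
    body = json.loads(jsonrpc_reply)
    if body.get("error") is not None:
        raise RuntimeError(body["error"])
    result = body["result"]["result"]
    if "ipakrbrequirespreauth" not in result:
        return None
    return ldap_bool(result["ipakrbrequirespreauth"])


# Constructed sample replies (not captured from a server): the same entry as
# returned by a server before and after 4.9.10.
OLD_REPLY = json.dumps({
    "result": {"result": {"fqdn": ["client.example.test"],
                          "ipakrbrequirespreauth": ["TRUE"]},
               "value": "client.example.test", "summary": None},
    "error": None, "id": 0})
NEW_REPLY = json.dumps({
    "result": {"result": {"fqdn": ["client.example.test"],
                          "ipakrbrequirespreauth": [True]},
               "value": "client.example.test", "summary": None},
    "error": None, "id": 0})
UNSET_REPLY = json.dumps({
    "result": {"result": {"fqdn": ["client.example.test"]},
               "value": "client.example.test", "summary": None},
    "error": None, "id": 0})

if __name__ == "__main__":
    for name, reply in [("old", OLD_REPLY), ("new", NEW_REPLY), ("unset", UNSET_REPLY)]:
        print(name, requires_preauth(reply))
```

Note the failure mode the shim avoids: a consumer that tested `value == "TRUE"` reads every boolean as False on a 4.9.10 server, and one that tested `bool(value)` reads the string "FALSE" as True on an older one.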
9174: Update Suse support in freeipa
The FreeIPA client installer now supports openSUSE versions from Leap 15.3 through Tumbleweed.
Bug fixes
FreeIPA 4.9.10 is a stabilization release for the features delivered as part of the 4.9 series.
There are more than 20 bug fixes since the FreeIPA 4.9.9 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.
Resolved tickets
#1539 (rhbz#782917) [RFE] Add code to check password expiration on ldap bind
#8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
#8803 Add support for managing IdP references
#8804 Extend supported user authentication methods in IPA to allow IdP auth
#8805 Extend `ipa-otpd` daemon to recognize IdP references
#8977 (rhbz#2000947) subid: subid-match displays the DN of the owner, not its UID.
#9121 (rhbz#2056508) Ipa server ignores max ticket lifetime when using spake preauth, issues ticket with 24h lifetime
#9128 (rhbz#2059396) Turn down debug from ipa-dnskeysyncd
#9136 (rhbz#1872467) Add tests for ipa-healthcheck setting command-line options in configuration
#9140 Test test_rekey_keytype_DSA should be disabled
#9145 Configure email subject line for IPA EPN
#9146 Nightly test failure in `test_epn.py::TestEPN::test_EPN_config_file`
#9147 (rhbz#1958777) ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory
#9148 documentation build fails in readthedocs
#9150 (rhbz#2063155) Remove ‘Remove’ button from subid page
#9151 (rhbz#2012911) Disable DNSSEC in ipa-healthcheck tests
#9152 Regression in TestIpaHealthCheckWithoutDNS
#9155 Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split
#9157 implement support for bind 9.18+
#9159 (rhbz#2068088) [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
#9162 (rhbz#2004646) RFE: Improve error message with more detail for ipa-replica-install command
#9165 Nightly test failure (rawhide) in test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp
#9167 Nightly test failure in test_graceperiod_not_replicated
#9171 Boolean value not mapped on WebUI checkbox
#9173 Inconsistent ACI before/after running ipa-server-upgrade
#9174 Update Suse support in freeipa
#9175 ipatests: need to update expected output for ipa-healthcheck’s DogtagCertsConnectivityCheck
#9176 (rhbz#2092015) secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml
#9178 idviews: use cached ipaOriginalUid value when resolving ID override anchor
#9180 Add new config option for LDAP cache debugging
Detailed changelog since 4.9.9
Armando Neto (2)
Alexander Bokovoy (29)
idviews: use cached ipaOriginalUid value when resolving ID override anchor commit #9178
ipaldap: fix conversion from boolean OID to Python commit #9171
ipa-kdb: avoid additional checks for a well-known anonymous principal commit #9165
Ignore dnssec-enable-related named-checkconf errors in test commit #9157
ipa-kdb: apply per-indicator settings from inherited ticket policy commit #9121
freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split commit #9155
docs: tune RTD to display lists with disc and left margin commit
workshop: add chapter 12: External IdP support commit
freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism commit #8805
doc/workshop: document use of pam_sss_gss PAM module commit
External IdP: initial SELinux policy commit
External IdP: add Web UI to manage IdP references commit
external-idp: add XMLRPC tests for External IdP objects and idp indicator commit #8803, #8804
external-idp: add support to manage external IdP objects commit #8803, #8804
external-idp: add LDAP schema, indices and other LDAP objects commit #8803
doc/designs: add External IdP support design documents commit #8803, #8804, #8805
js tests: use latest grunt commit
Azure CI: don’t force non-existing OpenSSL configuration anymore commit
Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use commit
Switch Azure CI to Fedora 36 pre-release commit
web ui: do not provide Remove button in subid page commit #9150
docs: force sphinx version above 3.0 to avoid caching in RTD commit
docs: update Sphinx requirements in ipasphinx package commit #9148
docs: add plantuml and use virtual environment to generate docs commit #9148
doc: migrate to m2r2 and newer sphinx, add plantuml to venv commit #9148
Anuja More (2)
Antonio Torres (1)
Back to git snapshots commit
Matthew Davis (1)
Florence Blanc-Renaud (12)
ACI: define “Read DNS entries from a zone” aci during install commit #9173
ipatests: update expected output for boolean attribute commit #9171
ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean commit #9171
ipatest: update expected out for ipa-healthcheck’s DogtagCertsConnectivityCheck commit #9175
ipatests: add new test with --subid installer option commit #9159
man pages: document the --subid installer option commit #9159
Installer: add --subid option to select the sssd profile with-subid commit #9159
client uninstall: handle uninstall with authconfig commit #9147
ipatests: --no-dnssec-validation requires --setup-dns commit #9152
ipatests: update the expected sha256sum of epn.conf file commit #9146
Francisco Trivino (3)
Matthew Davis (1)
Michal Polovka (4)
Rob Crittenden (14)
Remove extraneous AJP secret from server.xml on upgrades commit #9176
graceperiod: ignore case when checking for missing objectclass commit #1539
Don’t duplicate the LDAP gracelimit set in the previous test commit #9167
Configure and enable the graceperiod plugin on upgrades commit #1539
dnssec daemons: read the dns context config file for debug state commit #9128
healthcheck: add tests for setting cli options in config file commit #9136
If the password auth type is enabled also enable the hardened policy commit #9121
kdb: The jitter offset should always be positive commit #9121