The FreeIPA team would like to announce the FreeIPA 4.9.11 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.11
9083: Support MIT Kerberos KDB version 9
9187: [UX] Preserving a user account produces output saying it was deleted
9228: ipa-client-install does not maintain server affinity during installation
9237: Show order in sudo rule list in web interface
9258: Do not add TLS CA configuration to ldap.conf anymore
Bug fixes
FreeIPA 4.9.11 is a stabilization release for the features delivered as part of the 4.9 version series.
There are more than 50 bug fixes since the FreeIPA 4.9.10 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.
Resolved tickets
#8946 RFE: Add label name to Certificates section in WebUI to enable testing
#8951 Test for RFE ipa-healthcheck tool can include check to see if the system is FIPS enabled or not
#9062 [ipatests] SID generation and test_xmlrpc/test_user_plugin.py
#9083 Support MIT Kerberos KDB version 9
#9158 Internal error when setting dnsconfig or dnsforwardzone forwarders.
#9160 cryptography.utils.register_interface is scheduled for removal
#9161 Nightly test failure in test_selinuxusermap.py::test_selinuxusermap::test_misc
#9183 Timeout issue in test_installation.py when using interactive mode
#9185 Fix missing parameter for Suse ipaplatform task
#9187 (rhbz#2022028) [UX] Preserving a user account produces output saying it was deleted
#9188 (rhbz#2098187) Add warning for empty targetattr when creating ACI with RBAC
#9189 ipatests: Fix test_idp.py for downstream idm-ci
#9190 ipatests.test_ipaserver.test_secure_ajp_connector failing with python 3.6.8 with: TypeError: a bytes-like object is required, not ‘str’
#9192 (rhbz#2094672) IdM WebUI Pagination Size should not allow empty value
#9198 [Tracker] nightly failure: after ipa trust-add, cred cache contains cifs/master.ipa.test@IPA.TEST instead of admin principal
#9204 [Tracker] In ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki restarts
#9206 (rhbz#2109236) ldap bind occurs when admin user changes password with gracelimit=0
#9207 Failure in AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)
#9208 ap: Doc build fails against Sphinx 5.1.0
#9211 (rhbz#2109243) RFE: Allow grace login limit to be set in IPA WebUI.
#9212 (rhbz#2115475) Nightly test failure in test_user.py::test_user::test_password_expiration_notification
#9214 Nightly failure in webui test test_subid.py::test_subid::test_subid_range_deletion_not_allowed
#9218 (rhbz#2116966) Random failure in test-winsyncmigrate
#9225 pytest library module rename from quarkus to keycloak
#9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root
#9228 (rhbz#2148258) ipa-client-install does not maintain server affinity during installation
#9230 build failure against gcc < 11
#9231 /run/ipa/ccaches uses all available tmpfs space
#9237 Show order in sudo rule list in web interface
#9243 (rhbz#2127833) Password Policy Grace login limit allows invalid maximum value
#9245 (rhbz#2117167) `extdom` plugin can return object from a wrong domain.
#9246 Nightly test failure in test_user_permissions.TestInstallClientNoAdmin
#9248 (rhbz#2124369) OTP token sync always returns OK even with random numbers
#9249 (rhbz#2108630) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
#9252 (rhbz#2129895) [DDF] The Examples in the RHEL ipa(1) man page show “ipa help commands” with content for “ipa halp topics” and “ipa hel
#9254 Exclude installed policy module file from RPM verification
#9255 ipapython.dn_ctypes is not compatible with libldap 2.6
#9257 (rhbz#2104185) Introduction of URI records for kerberos breaks location functionality
#9258 (rhbz#2094673) Do not add TLS CA configuration to ldap.conf anymore
#9259 (rhbz#2144737) vault interoperability with older RHEL systems is broken
#9269 (rhbz#2143224, rhbz#2075452) ipa-certupdate does not restart/reload KDC on servers
#9271 (rhbz#2143224) Support PKINIT with ipa-client-install
#9274 ipa-join: pass the curl write function by name, not address
Detailed changelog since 4.9.10
Armando Neto (1)
Alexander Bokovoy (10)
ipa-kdb: for delegation check, use different error codes before and after krb5 1.20 commit #9083
ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later commit
ipa-kdb: handle empty S4U proxy in allowed_to_delegate commit #9083
ipa-kdb: handle cross-realm TGT entries when generating PAC commit #9083
ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20 commit #9083
ipaclient: do not set TLS CA options in ldap.conf anymore commit #9258
ipa-otpd: initialize local pointers and handle gcc 10 commit #9230
Anuja More (4)
Antonio Torres (5)
Alexey Tikhonov (3)
Carla Martinez (9)
Christian Heimes (1)
Jan Kuparinen (20)
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Translated using Weblate (Finnish) commit
Added translation using Weblate (Finnish) commit
David Pascual (2)
Erik Belko (3)
Florence Blanc-Renaud (15)
API doc: adapt the generated doc for 4.9 branch commit
API reference: update dnszone_add generated doc commit #9249
ipatests: update vagrant boxes commit
ipa otptoken-sync: return error when sync fails commit #9248
gitignore: add install/oddjob/org.freeipa.server.config-enable-sid commit
xmlrpc tests: updated expected output for preserved user commit #9187
Francisco Trivino (1)
Fraser Tweedale (2)
Matthew Davis (1)
Jesse Sandberg (1)
Julien Rische (1)
Michal Polovka (3)
Marcin Stanclik (1)
Translated using Weblate (Polish) commit
Mohammad Rizwan (1)
ipatests: Test newly added certificate label commit
Nikola Knazekova (1)
Pavel Březina (1)
Piotr Drąg (1)
Translated using Weblate (Polish) commit
Hela Basa (3)
Rob Crittenden (12)
Pass the curl write callback by name instead of address commit #9274
Move client certificate request after krb5.conf is created commit #9246
Set default on group pwpolicy with no grace limit in upgrade commit #9212
Set default gracelimit on group password policies to -1 commit #9212
doc: Update LDAP grace period design with default values commit #9212
upgrades: Don’t restart the CA on ACME and profile schema change commit #9204
Disabling gracelimit does not prevent LDAP binds commit #9206
Warn for permissions with read/write/search/compare and no attrs commit #9188
Only calculate LDAP password grace when the password is expired commit #1539
Fix test_secure_ajp_connector.py failing with Python 3.6.8 commit #9190
Ricky Tigg (4)
Sumit Bose (1)
ipa-kdb: do not fail if certmap rule cannot be added commit
김인수 (44)
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit