The FreeIPA team would like to announce the FreeIPA 4.9.11 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.11

  • 9083: Support MIT Kerberos KDB version 9

  • 9187: [UX] Preserving a user account produces output saying it was deleted

  • 9228: ipa-client-install does not maintain server affinity during installation

  • 9237: Show order in sudo rule list in web interface

  • 9258: Do not add TLS CA configuration to ldap.conf anymore

Bug fixes

FreeIPA 4.9.11 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 50 bug fixes since the FreeIPA 4.9.10 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #8946 RFE: Add label name to Certificates section in WebUI to enable testing

  • #8951 Test for RFE ipa-healthcheck tool can include check to see if the system is FIPS enabled or not

  • #9062 [ipatests] SID generation and test_xmlrpc/test_user_plugin.py

  • #9083 Support MIT Kerberos KDB version 9

  • #9158 Internal error when setting dnsconfig or dnsforwardzone forwarders.

  • #9160 cryptography.utils.register_interface is scheduled for removal

  • #9161 Nightly test failure in test_selinuxusermap.py::test_selinuxusermap::test_misc

  • #9183 Timeout issue in test_installation.py when using interactive mode

  • #9185 Fix missing parameter for Suse ipaplatform task

  • #9187 (rhbz#2022028) [UX] Preserving a user account produces output saying it was deleted

  • #9188 (rhbz#2098187) Add warning for empty targetattr when creating ACI with RBAC

  • #9189 ipatests: Fix test_idp.py for downstream idm-ci

  • #9190 ipatests.test_ipaserver.test_secure_ajp_connector failing with python 3.6.8 with: TypeError: a bytes-like object is required, not 'str'

  • #9192 (rhbz#2094672) IdM WebUI Pagination Size should not allow empty value

  • #9198 [Tracker] nightly failure: after ipa trust-add, cred cache contains cifs/master.ipa.test@IPA.TEST instead of admin principal

  • #9204 [Tracker] In ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki restarts

  • #9206 (rhbz#2109236) ldap bind occurs when admin user changes password with gracelimit=0

  • #9207 Failure in AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)

  • #9208 ap: Doc build fails against Sphinx 5.1.0

  • #9211 (rhbz#2109243) RFE: Allow grace login limit to be set in IPA WebUI.

  • #9212 (rhbz#2115475) Nightly test failure in test_user.py::test_user::test_password_expiration_notification

  • #9214 Nightly failure in webui test test_subid.py::test_subid::test_subid_range_deletion_not_allowed

  • #9218 (rhbz#2116966) Random failure in test-winsyncmigrate

  • #9225 pytest library module rename from quarkus to keycloak

  • #9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root

  • #9228 (rhbz#2148258) ipa-client-install does not maintain server affinity during installation

  • #9230 build failure against gcc < 11

  • #9231 /run/ipa/ccaches uses all available tmpfs space

  • #9237 Show order in sudo rule list in web interface

  • #9243 (rhbz#2127833) Password Policy Grace login limit allows invalid maximum value

  • #9245 (rhbz#2117167) `extdom` plugin can return object from a wrong domain.

  • #9246 Nightly test failure in test_user_permissions.TestInstallClientNoAdmin

  • #9248 (rhbz#2124369) OTP token sync always returns OK even with random numbers

  • #9249 (rhbz#2108630) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones

  • #9252 (rhbz#2129895) [DDF] The Examples in the RHEL ipa(1) man page show “ipa help commands” with content for “ipa halp topics” and “ipa hel

  • #9254 Exclude installed policy module file from RPM verification

  • #9255 ipapython.dn_ctypes is not compatible with libldap 2.6

  • #9257 (rhbz#2104185) Introduction of URI records for kerberos breaks location functionality

  • #9258 (rhbz#2094673) Do not add TLS CA configuration to ldap.conf anymore

  • #9259 (rhbz#2144737) vault interoperability with older RHEL systems is broken

  • #9269 (rhbz#2143224, rhbz#2075452) ipa-certupdate does not restart/reload KDC on servers

  • #9271 (rhbz#2143224) Support PKINIT with ipa-client-install

  • #9274 ipa-join: pass the curl write function by name, not address

Detailed changelog since 4.9.10

Armando Neto (1)

  • webui: Do not allow empty pagination size commit #9192

Alexander Bokovoy (10)

  • ipa-kdb: for delegation check, use different error codes before and after krb5 1.20 commit #9083

  • ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later commit

  • ipa-kdb: fix PAC requester check commit #9083

  • ipa-kdb: handle empty S4U proxy in allowed_to_delegate commit #9083

  • ipa-kdb: handle cross-realm TGT entries when generating PAC commit #9083

  • ipa-kdb: add krb5 1.20 support commit #9083

  • ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20 commit #9083

  • ipaclient: do not set TLS CA options in ldap.conf anymore commit #9258

  • fix canonicalization issue in Web UI commit #9226

  • ipa-otpd: initialize local pointers and handle gcc 10 commit #9230

Anuja More (4)

  • ipatests : Test query to AD specific attributes is successful. commit #9127

  • ipatests: Fix install_master for test_idp.py commit #9189

  • ipatests: update prci definitions for test_idp.py commit

  • Add end to end integration tests for external IdP commit #8803, #8804, #8805

Antonio Torres (5)

  • Update list of contributors commit

  • Update translations to FreeIPA ipa-4-9 state commit

  • Add basic API usage guide commit

  • doc: generate API Reference commit

  • Back to git snapshots commit

Alexey Tikhonov (3)

  • extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization) commit

  • extdom: make sure result doesn’t miss domain part commit #9245

  • extdom: internal functions should be static commit

Carla Martinez (9)

  • webui: Add name to ‘Certificates’ table commit #8946

  • webui: Add label name to ‘Certificates’ section commit #8946

  • Update API and VERSION commit #9249

  • webui: Set ‘SOA serial’ field as read-only commit #9249

  • ipatest: Remove warning message for ‘idnssoaserial’ commit #9249

  • Set ‘idnssoaserial’ to deprecated commit #9249

  • webui: Show ‘Sudo order’ column commit #9237

  • Set pkeys in test_selinuxusermap.py::test_misc::delete_record commit #9161

  • webui: Allow grace login limit commit #9211

Christian Heimes (1)

Jan Kuparinen (20)

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Added translation using Weblate (Finnish) commit

David Pascual (2)

  • ipatest: fix prci checker target masked return code & add pylint commit

  • ipatests: Checker script for prci definitions commit

Erik Belko (3)

  • ipatests: Add test for grace login limit commit #9211

  • ipatests: test for root using admin password in webUI commit #9226

  • ipatests: healthcheck: test if system is FIPS enabled commit #8951

Florence Blanc-Renaud (15)

  • API doc: adapt the generated doc for 4.9 branch commit

  • API reference: update dnszone_add generated doc commit #9249

  • API reference: update vault doc commit #9259

  • ipatests: update vagrant boxes commit

  • Spec file: bump the selinux-policy version commit #9198

  • webui tests: fix test_subid suite commit #9214

  • ipa man page: format the EXAMPLES section commit #9252

  • ipatests: add negative test for otptoken-sync commit #9248

  • ipa otptoken-sync: return error when sync fails commit #9248

  • gitignore: add install/oddjob/org.freeipa.server.config-enable-sid commit

  • ipatests: Fix expected object classes commit #9062

  • check_repl_update: in progress is a boolean commit #9218

  • azure tests: disable TestInstallDNSSECFirst commit #9216

  • xmlrpc tests: updated expected output for preserved user commit #9187

  • Preserve user: fix the confusing summary commit #9187

Francisco Trivino (1)

  • Vault: fix interoperability issues with older RHEL systems commit #9259

Fraser Tweedale (2)

  • install: suggest --skip-mem-check when mem check fails commit #8404

  • man: add --skip-mem-check to man pages commit #8404

Matthew Davis (1)

  • Add missing parameter to Suse modify_nsswitch_pam_stack commit #9185

Jesse Sandberg (1)

  • Fix ipa-ccache-sweeper activation timer and clean up service file commit #9231

Julien Rische (1)

  • Generate CNAMEs for TXT+URI location krb records commit #9257

Michal Polovka (3)

  • ipatests: Healthcheck use subject base from IPA not REALM commit

  • ipatests: Healthcheck should ignore pki errors when CA is not configured commit

  • ipatests: Increase expect timeout for interactive mode commit #9183

Marcin Stanclik (1)

  • Translated using Weblate (Polish) commit

Mohammad Rizwan (1)

  • ipatests: Test newly added certificate lable commit

Nikola Knazekova (1)

  • Exclude installed policy module file from RPM verification commit #9254

Pavel Březina (1)

Piotr Drąg (1)

  • Translated using Weblate (Polish) commit

Hela Basa (3)

  • Added translation using Weblate (Korean) commit

  • Translated using Weblate (Sinhala) commit

  • Added translation using Weblate (Sinhala) commit

Rob Crittenden (12)

  • Pass the curl write callback by name instead of address commit #9274

  • Move client certificate request after krb5.conf is created commit #9246

  • Defer creating the final krb5.conf on clients commit #9228

  • Fix upper bound of password policy grace limit commit #9243

  • Set default on group pwpolicy with no grace limit in upgrade commit #9212

  • Set default gracelimit on group password policies to -1 commit #9212

  • doc: Update LDAP grace period design with default values commit #9212

  • upgrades: Don’t restart the CA on ACME and profile schema change commit #9204

  • Disabling gracelimit does not prevent LDAP binds commit #9206

  • Warn for permissions with read/write/search/compare and no attrs commit #9188

  • Only calculate LDAP password grace when the password is expired commit #1539

  • Fix test_secure_ajp_connector.py failing with Python 3.6.8 commit #9190

Ricky Tigg (4)

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

Sumit Bose (1)

  • ipa-kdb: do not fail if certmap rule cannot be added commit

김인수 (44)

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

Stanislav Levin (6)

Scott Poore (1)

  • ipatests: Rename create_quarkus to create_keycloak commit #9225

Sudhir Menon (2)

  • ipatests: WebUI: do not allow subid range deletion commit #9150

  • ipatests: ipa-client-install --subid adds entry in nsswitch.conf commit #9159

Timo Aaltonen (2)

  • ipaplatform/debian: Drop the path for ldap.so commit

  • ipaplatform/debian: Use multiarch path for libsofthsm2.so commit

Thomas Woerner (1)

  • DNSResolver: Fix use of nameservers with ports commit #9158

Yuri Chornoivan (3)

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit