Release date: 2023-05-19

The FreeIPA team would like to announce the FreeIPA 4.9.12 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.12

  • 9287: [RFE] makeapi should validate the generated API doc vs stored doc


Known Issues

  • 9298: [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone
    Since the Certbot update to 2.0.0, Certbot defaults to ECDSA private keys for all new certificates. The PKI ACME certificate profile supports only RSA private keys, so the key type must be forced to RSA when requesting an ACME certificate, using certbot --key-type rsa [...]

Bug fixes

FreeIPA 4.9.12 is a stabilization release for the features delivered as part of the 4.9.0 version series.

There are more than 30 bug fixes since the FreeIPA 4.9.11 release. Details of the bug fixes can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #5130 (rhbz#1243261) non-admin users cannot search hbac rules
  • #6044 (rhbz#1353899) ipa-advise: object of type 'type' has no len()
  • #9195 (rhbz#2158775) Hiding a server does not completely clean up DNS records
  • #9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root
  • #9238 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage
  • #9279 ipa-otpd@.service: deprecated syslog setting
  • #9282 Nightly test failure in test_webui/test_subid.py/test_subid/test_subid_range_deletion_not_allowed
  • #9285 ipa-certupdate restarts HTTPd too early
  • #9286 (rhbz#2056009) memberManager ACIs aren't allowing group-based manager access due to missing upgrade code
  • #9287 [RFE] makeapi should validate the generated API doc vs stored doc
  • #9290 (rhbz#2149889) idm:client is missing dependency on krb5-pkinit.
  • #9291 Nightly test failure (rawhide) in test_ipa_dns_systemrecords_check
  • #9306 (rhbz#2160389) 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful.
  • #9310 (rhbz#2162335) ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range
  • #9314 Redundant build dependency on python3-paste (if with lint)
  • #9315 [tests] test_ipa_healthcheck_fips_enabled fails on system without fips-mode-setup
  • #9316 (rhbz#2166324) Passwordless (GSSAPI) SSH login with AD user
  • #9318 Incomplete fast lint/codestyle check if both Python template files and Python modules were changed
  • #9319 [tests] TestDNSResolver failures on systems without or empty /etc/resolv.conf
  • #9320 (rhbz#2018198) RFE - Add a warning note about possible performance impact of the Auto Member rebuild task.
  • #9324 ipatests: Frequent timeout of test_acme
  • #9326 ipatests: timeout of test_trust
  • #9329 Azure test: WebUI_Unit_Tests are failing
  • #9333 ipa-client-install --pkinit-identity can block in unattended mode
  • #9338 Update 'Auth indicators' doc string to show 'ipd' usage
  • #9339 Broken support for dnspython < 2
  • #9349 (rhbz#2180914) Sequence processing failures for group_add using server context
  • #9355 support python cryptography 40.0
  • #9358 update_dna_shared_config sometimes blocks installation for 2 minutes

Detailed changelog since 4.9.11

Alexander Bokovoy (6)

  • ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by commit #9355
  • Fix tox in Azure CI commit #9347
  • Use system-wide chromium for webui tests commit #9347
  • Don't fail if optional RPM macros file is missing commit #9347
  • ipa-kdb: PAC consistency checker needs to handle child domains as well commit #9316
  • updates: fix memberManager ACI to allow managers from a specified group commit #9286

Anuja More (4)

  • ipatests: Test that non admin user can search hbac rule. commit #5130
  • ipatests: Test ipa-advise is not failing with error. commit #6044
  • PRCI: update test_trust.py for nightly pipelines. commit #9326
  • Add test for SSH with GSSAPI auth. commit #9316

Antonio Torres (8)

  • Extend API documentation commit
  • doc: allow notes on Param API Reference pages commit
  • ipaserver: deepcopy objectclasses list from IPA config commit #9349
  • API doc: add usage guides for groups, HBAC and sudo rules commit
  • API doc: add note about ipa show-mappings to usage guide commit
  • API doc: validate generated reference commit #9287
  • API doc: add basic user management guide commit
  • Back to git snapshots commit

Carla Martinez (1)

Christian Heimes (3)

  • Speed up installer by restarting DS after DNA plugin commit #9358
  • Don't block when kinit_pkinit() fails commit #9333
  • ipa-certupdate: Update client certs before KDC/HTTPd restart commit #9285

Chris Kelley (1)

  • Check that CADogtagCertsConfigCheck can handle cert renewal commit

David Pascual (2)

  • doc: Use case examples for PR-CI checker tool commit
  • ipatests: fix (prci_checker) duplicated check & error return code commit

Erik Belko (1)

  • ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario commit #9286

Florence Blanc-Renaud (16)

  • ipatests: increase timeout for test_trust commit #9326
  • ipatests: remove wrong job definition TestACMEPrune commit #9324
  • ipatests: increase timeout for test_acme commit #9324
  • automember-rebuild: add a notice about high CPU usage commit #9320
  • trust-add: handle missing msSFU30MaxGidNumber commit #9310
  • Tests: force key type in ACME tests commit #9298
  • server install: remove error log about missing bkup file commit #9306
  • ipatests: mark test_smb as xfail commit #9124
  • ipatests: update the xfail annotation for test_number_of_zones commit #9135
  • Spec file: bump krb5_kdb_version on rawhide commit
  • FIPS setup: fix typo filtering camellia encryption commit
  • cert utilities: MAC verification is incompatible with FIPS mode commit
  • ipatests: update the fake fips mode expected message commit #9002
  • Spec file: ipa-client depends on krb5-pkinit-openssl commit #9290
  • webui tests: fix assertion in test_subid.py commit #9282
  • PRCI: update memory reqs for each topology commit

mbhalodi (4)

  • ipatests: Test for sequence processing failures with server context commit #9349
  • ipatests: add missing automember-cli tests commit #9332
  • ipatests: WebUI - ensure that ipa automember-rebuild prints a warning commit #9320
  • ipatests: ensure that ipa automember-rebuild prints a warning commit #9320

Michal Polovka (1)

  • ipatest: loginscreen: do not use hardcoded password commit #9226

Rob Crittenden (3)

  • Wipe the ipa-ca DNS record when updating system records commit #9195
  • tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck commit #9291
  • tests: Add ipa_ca_name checking to DNS system records commit #9291

Stanislav Levin (9)

  • fastlint: Correct concatenation of file lists commit #9318
  • dns: Fix support for dnspython 1.1x commit #9339
  • tests: webui: Update vendored qunit commit #9329
  • AP: webui: List installed nodejs packages commit #9329
  • tests: webui: Load qunit only once commit #9329
  • tests: webui: Allow file access from files in tests commit #9329
  • tests: Configure DNSResolver as platform agnostic resolver commit #9319
  • spec: Drop no longer used build dependency on paste commit #9314
  • ipatests: healthcheck: Handle missing fips-mode-setup commit #9315

Sumedh Sidhaye (1)

  • With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck. commit #9238

Sudhir Menon (1)

  • Fixes: ipa-otpd@.service: deprecated syslog setting commit #9279

Thorsten Scherf (1)

  • external-idp: change idp server name to reference name commit