
Releases/4.9.4

Release date: 2021-06-04

The FreeIPA team would like to announce the FreeIPA 4.9.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.4

  • 2575: [RFE] Installer wizard should prompt for DNS
The prompting during server installation was enhanced to ask whether the user wants to install the DNS component.

  • 8807: [RFE] IPA to allow setting a new range type.
A new option was added to define how private groups are represented in ID ranges of trusted Active Directory domains. More details can be found in the design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/auto-private-groups.html

Enhancements

Known Issues

Bug fixes

FreeIPA 4.9.4 is a stabilization release for the features delivered as part of the 4.9.0 version series.

There are more than 40 bug fixes since the FreeIPA 4.9.3 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bug reports and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.


Resolved tickets

  • #2575 (rhbz#952756) [RFE] Installer wizard should prompt for DNS
  • #2692 (rhbz#817071) ipa-server-install ignores --hostname
  • #4011 (rhbz#1026434) ipa-server-install crashes when AD subpackage is not installed
  • #4166 (rhbz#1059135) Backup CS.cfg before modifying it
  • #4751 (rhbz#1851835) Implement ACME certificate enrolment
  • #6587 ipa-otpd: systemctl reports "degraded" for "is-system-running" after todays CentOS updates
  • #7397 ipa host-add --ip-address... returns Internal error when forward-policy=none is defined
  • #7835 (rhbz#1658280) Cert revocation for services and hosts is inefficient
  • #8203 (rhbz#1835853) User page on WebUi only has half the information in CA-less install
  • #8361 Add support for managing subuids and subgids in FreeIPA
  • #8534 Nightly test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_promote
  • #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
  • #8632 [CA-less] user fails to login via WebUI in case of `--no-pkinit`
  • #8641 Random failure in test_webui/test_user.py::TestLifeCycles::test_life_cycles
  • #8676 (rhbz#1955440) [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions
  • #8738 (rhbz#1934991) ACME fails to generate a cert on migrated RHEL8.4 server
  • #8767 (rhbz#1943151) ipa-server-install displays debug output when --debug output is not specified.
  • #8784 RFE: Reduce number of LDAP operations during hbacrule-del
  • #8785 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_proxycommand_invalid_shell
  • #8787 Add pkey_only to the service_find calls in the host plugin
  • #8792 Random nightly test failure in test_replica_promotion.py::TestRenewalMaster::test_automatic_renewal_master_transfer_ondelete
  • #8793 [Tracker] Nightly failure (rawhide/f34) in test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
  • #8794 (rhbz#1948034) Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35
  • #8797 Cache the value of ca_is_enabled in the request context
  • #8798 (rhbz#1953656) RFE: Cache LDAP data within a request
  • #8799 Remove DS problematic code
  • #8801 user-mod requires two searches for a user entry
  • #8802 IPA test failing with long serial numbers
  • #8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.
  • #8809 RFE: A tool to collect and analyze etimes from IPA logs
  • #8814 Use Dogtag's CryptographyCryptoProvider instead of NSSCryptoProvider for KRAClient()
  • #8818 new pylint 2.8 and astroid 2.5.5
  • #8830 [azure] performance instability
  • #8831 update_dna_shared_config may not update all entries
  • #8832 (rhbz#1957768) ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
  • #8837 Add support of 'ipaautoprivategroups' LDAP attribute on 'ID ranges' page
  • #8844 [Tracker] Nightly test failure (sssd 2.5.0-1) in test_smb and test_sudo
  • #8847 [F34] JS linter
  • #8848 F32 is going to be EOL
  • #8851 pkispawn: use loopback IP address instead of localhost4/localhost6 for AJP
  • #8856 (rhbz#1951511) Allow specifying permanent logging settings for BIND
  • #8872 FreeIPA 4.9.3 Web UI reports "Internal Server Error" on Fedora 34 Server after reboot
  • #8873 Missing credential cache can raise 500 when authenticating instead of 401
  • #8874 (rhbz#1962570) depend on system-logos-ipa instead of redhat-logos-ipa

Detailed changelog since 4.9.3

Armando Neto (1)

  • ipatests: Bump PR-CI templates to Fedora 34 commit

Alexander Bokovoy (37)

  • Become FreeIPA 4.9.4 commit
  • po/uk.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
  • po/es.po: Update translations to FreeIPA ipa-4-9 state commit
  • Depend on system-logos-ipa on RHEL/CentOS Stream commit #8874
  • service: enforce keytab user when retrieving the keytab commit #8872
  • po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/tr.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/tg.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/sk.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/pt.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/pa.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/nl.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/mr.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/kn.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ja.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
  • po/id.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/hu.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/hi.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/fr.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/eu.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/es.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/en_GB.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/de.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/cs.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/ca.po: Update translations to FreeIPA ipa-4-9 state commit
  • po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state commit
  • ds: Support renaming of a replication plugin in 389-ds commit #8799
  • Update IRC links to point to Libera.chat commit
  • freeipa.spec: do not use jsl for linting on Fedora 34+ commit #8847
  • ipa-otpd: handle LDAP timeout in a better way commit #6587
  • ipaserver/install/dns: handle SERVFAIL when checking reverse zone commit #8794
  • Back to git snapshots commit

Antonio Torres (1)

  • hbacrule: reduce number of LDAP searches during deletion commit #8784

Carl George (1)

  • Also use uglifyjs on CentOS Stream 8 commit

Christian Heimes (7)

François Cami (7)

  • ipatests: mark test_ipahealthcheck_hidden_replica as expected failure commit #8534, #8582
  • ipatests: hidden replica: misc fixes commit #8534
  • ipatests: hidden replica: use dns_update_system_records commit #8534
  • ipatests: use wait_for_replication for hidden replica checks commit #8534
  • ipatests: hiddenreplica: use wait_for_ipa_to_start after restore commit #8534
  • ipatests: tasks.py: add dns_update_system_records commit #8534
  • ipatests: tasks.py: add wait_for_ipa_to_start commit #8534

Florence Blanc-Renaud (12)

  • pkispawn: override AJP connector address commit #8851
  • Spec file: bump augeas-libs version commit #8676
  • xmlrpc tests: add test for idrange auto-private-groups option commit #8807
  • Trust: add auto private groups option commit #8807
  • LDAP schema: new attribute ipaautoprivategroups commit #8807
  • Design doc for idrange option "auto-private-groups" commit #8807
  • ipatests: check that the output of sudo -V is not displayed commit #8767
  • client install: do not capture sudo -V stdout commit #8767
  • Bumps openssl requires commit #8632
  • ipatests: TestIpaHealthCheck now needs 1 client commit
  • ipatests: call server-del before replica uninstall commit #8792
  • ipatests: collect PKI config files and NSSDB commit

MIZUTA Takeshi (8)

  • Add --keyfile option to ipa-otptoken-import.1 commit
  • Add argument for --entry option in ipa-managed-entries.1 commit
  • Remove -s option from ipa-ldap-updater usage commit
  • Add argument for --schema-file option in ipa-ldap-updater.1 commit
  • Add arguments to the description of OPTIONS in ipa-winsync-migrate.1 commit
  • Fix the option to match in the ipa-client-automount usage and man-page commit
  • Add -d option to match in the ipa-client-samba usage and man-page commit
  • man: fix typos in ipa-epn.1 commit

Michal Polovka (3)

Mohammad Rizwan (1)

  • ipatests: Test if ACME renews the issued cert with cerbot commit #4751

Rob Crittenden (15)

  • Catch ValueError when trying to retrieve existing credentials commit #8873
  • ipatests: kinit on server for test_proxycommand_invalid_shell commit #8785
  • Add ability to search on certificate revocation status commit #7835
  • Load dogtag RA plugin in installers so profiles can be loaded commit #8738
  • Parse the debugging cache log to determine the read savings commit #8798
  • Add a unit test for the LDAP cache layer commit #8798
  • Add LDAP cache options to the default.conf man page commit #8798
  • Implement simple LDAP cache layer commit #8798
  • Unify installer context to be 'installer' commit #8798
  • Call the LDAPClient layer when modifying values commit #8798
  • Only attempt to upgrade ACME configuration files if deployed commit #8832
  • Parse Apache log etime and display average per command commit #8809
  • Retrieve the user objectclasses when checking for existence commit #8801
  • Cache the value of ca_is_enabled in the request context commit #8797
  • Add pkey_only to the service_find calls in host del and disable commit #8787

Stanislav Levin (27)

  • ipatests: Fetch sudo rules without time offset commit #8844
  • azure: Make it possible to adjust Docker resources per test env commit
  • azure: coredump: Wait for systemd fully booted commit
  • azure: Re-balance tests envs commit
  • azure: Warn about extra and missing gating tests compared to PR-CI commit
  • ipatests: dnssec: Add alternative approach for checking chain of trust commit #8793
  • azure: Collect installed packages commit
  • ipatests: Suppress list trust or certificates commit
  • ipatests: Ignore warnings on failed to read files on tarring commit
  • pytest: Show extra summary information for all except passed tests commit
  • dns: get_reverse_zone: Ignore resolver's timeout commit #7397
  • dnsutil: Improvements for IPA DNS Resolver commit
  • ipatests: Handle network-isolated mode commit
  • azure: Run Base and XMLRPC tests is isolated network commit
  • ipatests: Setup and collect BIND logs commit
  • BIND: Setup logging commit #8856
  • azure: Warn about memory issues commit
  • azure: Add workaround for PhantomJS against OpenSSL 1.1.1 commit
  • ipatests: Update expectations for test_detect_container commit
  • azure: Mask systemd-resolved commit
  • azure: Remove no longer needed repo commit
  • azure: Wait for systemd booted commit
  • azure: Enforce multi-user.target as default systemd's target commit
  • azure: Collect systemd boot log commit
  • azure: bump F32->F34 commit #8848
  • pkispawn: Make timeout consistent with IPA's startup_timeout commit #8830
  • pylint: Adapt to new Pylint 2.8 commit #8818

Sergey Orlov (1)

  • ipatests: increase timeout for test_commands up to 1.5 hours commit

Serhii Tsymbaliuk (2)

  • WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page commit #8837
  • WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page commit #8837

Sudhir Menon (1)

  • ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client commit