The FreeIPA team would like to announce FreeIPA 4.9.6 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.6#

8402: [RFE] ipa-client-install forces nsupdate to bind with gssapi

Invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time ; configure SSSD to use nsupdate without GSS-TSIG in this case.

Enhancements#

Known Issues#

FreeIPA 4.9.4 contains a new LDAP caching layer that might incorrectly return data in certain cases. This is known to affect ansible-freeipa operations with automember rules. FreeIPA 4.9.6 addresses this issue.

Bug fixes#

FreeIPA 4.9.6 is a stabilization release for the features delivered as a part of 4.9.0 version series.

There are more than 10 bug-fixes since FreeIPA 4.9.5 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

#7752 ipa client throws http.client.ResponseNotReady error
#8402 (rhbz#1854557) [RFE] ipa-client-install forces nsupdate to bind with gssapi
#8532 (rhbz#1886837) Revise PKINIT upgrade code
#8726 Provide a better error message with updatedns and FQDN Is not provided
#8754 (rhbz#1919384) Certificate Serial Number issue
#8817 Running ipa-server-certinstall with v1 certificate fails with Attempted “__iter__” operation on ASN.1 schema object
#8880 (rhbz#1973023) CA_less ipa-server-install fails if CA cert subject contains non ascii chars
#8882 Directly integrate custodia
#8884 (rhbz#1967325) API returns the misleading error “Insufficient Access” if run as non-admin
#8885 (rhbz#1975139) Upgrade error: Add failure missing required attribute “objectclass”
#8889 [tests] healthcheck 0.9
#8897 (rhbz#1976286) ansible-freeipa automember test fails with `automember_add_condition: testgroup: ‘objectclass’` due to ldap cache
#8898 plugin `plugins` doesn’t work

Detailed changelog since 4.9.5#

Alexander Bokovoy (2)#

Become IPA v.4.9.6 commit
Back to git snapshots commit

Antonio Torres (3)#

ipatests: test host update using shortname commit #8726, #8884
host: try to resolve FQDN before command execution commit #8726, #8884
Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server commit #8532

Christian Heimes (7)#

Also drop Custodia client and forwarder commit #8882
Add Custodia tests commit
Remove more unused Custodia code commit #8882
Fix Custodia pylint issues commit #8882
Fix Custodia imports commit #8882
Remove unused Custodia modules commit #8882
Add Custodia 0.6.0 to ipaserver package commit #8882

François Cami (3)#

ipa-client-install: update sssd.conf if nsupdate requires -g commit #8402
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain) commit #8402
ipa-client-install: remove fsync in do_nsupdate() commit #8402

Florence Blanc-Renaud (2)#

ipatests: use non-ascii chars in CA-less install commit #8880
CA-less install: non-ASCII chars in CA cert subject commit #8880

Rob Crittenden (3)#

Return a copy of cached entries, only with requested attributes commit #8897
Use get_replication_plugin_name in LDAP updater commit #8885
When loading certificates verify that it is X.509 v3 commit #8817

Stanislav Levin (4)#

ipatests: Add tests for `env` plugin commit
ipatests: Add tests for `plugins` plugin commit #8898
plugins: Don’t treat keys of api as bytes commit #8898
ipatests: healthcheck: Update IPAHostKeytab assumptions commit #8889

Serhii Tsymbaliuk (1)#

WebUI: Fix certificate serial number representation commit #8754

Sudhir Menon (2)#

Increase timeout for test_commands.py commit
ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted commit #7752

Highlights in 4.9.6

Contents