FreeIPA 4.12.0#
The FreeIPA team would like to announce the FreeIPA 4.12.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.12.0#
3656: [RFE] FreeIPA-to-FreeIPA migration
FreeIPA 4.12 adds a new specialized tool to migrate IPA-specific data between FreeIPA deployments. This makes it possible to migrate between development/staging and production environments, as well as to create a new environment based on an old setup. More information about supported features and semantics can be found at https://freeipa.readthedocs.io/en/latest/designs/ipa_to_ipa_migration.html
5169: [RFE] Enforce OTP for a subset of scenarios
When an IPA user has OTP token authentication enabled, it is now possible to make LDAP authentication fail unless an OTP token is provided. This has already been the case for Kerberos authentication since 2014; however, some administrators want to enforce it for LDAP-backed applications as well. The fact that OTP was used for authentication is recorded in the LDAP server logs as an MFA note, according to the design described at https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
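As an added example (not FreeIPA or 389-ds code) of how a defender can consume that MFA note: the script below correlates BIND and RESULT lines from constructed 389-ds access-log samples and flags successful simple binds by OTP-required users that completed without the note. It assumes the note appears as `notes=M` on the bind's RESULT line, as in the 389-ds MFA operation note design, and that the list of OTP-required DNs is supplied by the operator.

```python
"""Flag successful LDAP binds by OTP-required users that carry no MFA note.

Assumptions (added example, not FreeIPA/389-ds code): a bind's RESULT line
carries ``notes=M`` when the bind completed with an OTP; the set of DNs that
must use OTP is maintained by the operator (here a constructed sample).
"""
import re
from dataclasses import dataclass

# Constructed sample access-log lines, not captured from a real server.
SAMPLE_LOG = """\
[10/Apr/2024:10:00:01 +0000] conn=12 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Apr/2024:10:00:01 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0.1 notes=M dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test"
[10/Apr/2024:10:00:02 +0000] conn=13 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Apr/2024:10:00:02 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.1 dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test"
[10/Apr/2024:10:00:03 +0000] conn=14 op=0 BIND dn="uid=carol,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Apr/2024:10:00:03 +0000] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0.1
"""

# Constructed operator-maintained list of DNs that are expected to use OTP.
OTP_USERS = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
}

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)"
    r"(?P<rest>.*)$")
NOTES_RE = re.compile(r"\bnotes=(?P<notes>[A-Z]+)")


@dataclass
class BindOutcome:
    conn: str
    op: str
    dn: str
    err: int
    mfa: bool  # True when the RESULT line carried the M (MFA) note


def parse_binds(log_text):
    """Correlate each BIND request with its RESULT line by (conn, op)."""
    pending = {}
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.search(line)
        if not m or m["tag"] != "97":  # tag 97 is the LDAP BindResponse
            continue
        dn = pending.pop((m["conn"], m["op"]), None)
        if dn is None:
            continue  # RESULT without a matching BIND in this sample
        notes = NOTES_RE.search(m["rest"])
        mfa = bool(notes and "M" in notes["notes"])
        outcomes.append(BindOutcome(m["conn"], m["op"], dn, int(m["err"]), mfa))
    return outcomes


def binds_missing_mfa(log_text, otp_users):
    """Return successful binds by OTP-required DNs that lack the MFA note."""
    return [b for b in parse_binds(log_text)
            if b.err == 0 and b.dn in otp_users and not b.mfa]
```

Such a hit means the 2FA-only enforcement is not in effect for that user, or the bind was accepted by a path that does not record the note.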
9273: [RFE] Support IPA CA installation on an HSM
The FreeIPA CA can now be deployed with a hardware security module as the CA key storage device. Details of the supported use cases can be found in the HSM design document: https://freeipa.readthedocs.io/en/ipa-4-10/designs/hsm.html
9390: [webui][RFE] Unify user group members columns with users columns
9477: Document ID mapping in FreeIPA
A general description of how identity mapping is handled in FreeIPA is available at https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html
9501: Support for OpenCloudOS/TencentOS ipaplatform
FreeIPA now recognizes OpenCloudOS and TencentOS platforms.
9536: Client configuration of ssh: Replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
sss_ssh_knownhostsproxy is deprecated in favor of sss_ssh_knownhosts. With this update, if /usr/bin/sss_ssh_knownhosts is present, it is used instead of /usr/bin/sss_ssh_knownhostsproxy. A mechanism was implemented to apply this change when upgrading from older versions and to revert it when downgrading from newer versions.
9542: Fix replica connection check for use with AD administrator
Privilege checks in IPA API now support ID overrides, allowing trusted Active Directory users to perform various operations like enrolling a replica.
9551: filter out subdomains from realmdomains list when submitting to a trusted AD DCs
When a trust to Active Directory is established, the trust topology communicated to the trusted Active Directory domain controllers may have contained conflicting information. This information is now refreshed and conflicts are removed as part of the trust establishment process.
9558: ipa idrange-add should display a warning that 389ds restart is required
When a new local ID range is added, `ipa idrange-add` now displays a warning asking for a restart of the LDAP server so that the SID generation plugin picks up the changes.
9562: ipa ca-show NAME --certificate-out=file creates empty file when NAME does not exist
When saving a CA certificate as part of the `ipa ca-show NAME` or `ipa cert-show NAME` commands, an empty file was created when no CA was found by that name. The empty file is no longer created, which makes automated certificate issuance easier.
9586: Spec file: depend on nfs-utils or nfsv4-client-utils
FreeIPA now allows the use of either nfs-utils or nfsv4-client-utils, enabling more lightweight NFSv4 client setups on Fedora and RHEL 9.
9589: add systemd journal audit of executed API commands
FreeIPA now audits all IPA API calls through the systemd journal on IPA servers. For details please see the design page https://freeipa.readthedocs.io/en/latest/designs/audit-ipa-api.html
Bug fixes#
FreeIPA 4.12.0 is a stabilization release for the features delivered as part of the 4.12 version series.
There are more than 80 bug fixes since the FreeIPA 4.11.1 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on the Upgrade page.
Feedback#
Please provide comments, bug reports and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.
Resolved tickets#
#3656 (rhbz#1465917) [RFE] FreeIPA-to-FreeIPA migration
#5169 [RFE] Enforce OTP for a subset of scenarios
#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
#9191 ipa vault-add is failing with ipa in RHEL9: ERROR: an internal error has occurred in FIPS mode
#9272 Install CA certificates only for PKINIT or TLS client auth
#9273 (rhbz#1405935) [RFE] Support IPA CA installation on an HSM
#9295 Nightly test failure (sssd) in test_trust.py::TestNonPosixAutoPrivateGroup and test_trust.py::TestPosixAutoPrivateGroup
#9297 Minimum length parameter in pwpolicy cannot be removed with empty string.
#9353 certmonger helper renew_ca_cert does not set the P trust flag on the KRA audit certificate during renewal
#9390 [webui][RFE] Unify user group members columns with users columns
#9400 Nightly test failure: healthcheck reports nsslapd-accesslog-logbuffering is set to ‘off’
#9405 Nightly test failure (rawhide) in test_installation_TestKRAinstallAfterCertRenew
#9415 Nightly test failure in test_integration/test_installation.py::TestInstallMaster::test_ipactl_scenario_check
#9438 (rhbz#1513934) Allow applications to override cache directory
#9449 Squished FreeIPA favicon
#9454 module ‘datetime’ has no attribute ‘UTC’
#9459 Nightly test failure (with healthcheck 0.14) in test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
#9460 Nightly test failure (with healthcheck 0.14) in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
#9462 Server install: failure to install with externally signed CA because of timezone issue
#9465 IPA stops working if HTTP/… service principal was created before FreeIPA 4.4.0 and never modified
#9466 Regression: group-add-member --external does not work
#9467 Mitigate deprecations included in python 3.13+
#9471 Pre-authentication with trusted domain object over IPA to IPA trust fails due to wrong canonical name choice
#9476 Nightly test failure in test_sso.py::TestSsoBridge::test_sso_login_with_ipa_user
#9477 Document ID mapping in FreeIPA
#9482 Test failure in test_integration.test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
#9483 Fixes: Python warnings in ipa-replica-manage
#9484 Traceback in ipaserver/dcerpc.py
#9485 handle better default user authentication types for services
#9486 hbactest does not display messages, like search truncated
#9487 ipa-client-install --automount-location does not work
#9489 The change for preventing deletion of the admin user caused a regression in disable
#9490 The test test_external_ca.py fails if running on a test controller with python-cryptography 41.0.0
#9491 CA less servers are failing to be added in topology segment for domain suffix
#9492 WebUI tests: code not compatible with selenium driver 4.10
#9493 test_external_idp fails in f39+
#9496 ipa client 4.10.2 - Failed to obtain host TGT
#9497 Improve debugging logging in DS plugins
#9498 Test failure in tests calling dnf upgrade
#9499 ipa-client should check if IPA_CA_CERT is not empty after it has been downloaded from server
#9501 Support for OpenCloudOS/TencentOS ipaplatform
#9503 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
#9504 Gating-DL1 test failure in test_integration/test_dns_locations.py::TestDNSLocations::()::test_ipa_ca_records
#9506 ‘DogtagCertsConfigCheck’ fails, displaying the error message ‘Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca’
#9510 Nightly test failure in test_replication_layouts.py::TestLineTopologyWithoutCA::test_line_topology_without_ca
#9514 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor
#9515 Improve test coverage for ipa user plugin
#9516 Nightly test failure (389ds) in test_backup_and_restore_TestUserRootFilesOwnershipPermission
#9517 sidgen plugin does not ignore staged users
#9518 tox failure on ipa-4-10 and ipa-4-9 branches
#9519 session cookie can’t be read
#9520 Memory leak in PAC verification process
#9522 Nightly test failure (rawhide) in test_external_idp
#9526 (rhbz#2262860) ipa-restore fails with ‘Cannot restore a data backup into an empty system’
#9530 ipatests: wait_for_replication method is broken
#9535 ipa-kdb: Cannot determine if PAC generator is available
#9536 Client configuration of ssh: Replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
#9541 (rhbz#2265129) specially crafted HTTP requests potentially lead to DoS or data exposure
#9542 Fix replica connection check for use with AD administrator
#9544 AD administrator in the admin group blocks admin group management on replicas without adtrust setup
#9547 Update ipa to ipa migration doc
#9548 Nightly test failure in test_integration/test_ipa_cert_fix.py/TestCertFixReplica/test_renew_expired_cert_replica
#9551 filter out subdomains from realmdomains list when submitting to a trusted AD DCs
#9554 Nightly tests: fail to build if @389ds/389-ds-base-nightly copr repo is enabled
#9555 Remove dependency on python-netifaces.
#9558 ipa idrange-add should display a warning that 389ds restart is required
#9562 ipa ca-show NAME --certificate-out=file creates empty file when NAME does not exist
#9565 Python 3.12 SyntaxWarning
#9566 [CI] docker-compose V1 was removed from images
#9567 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
#9568 Update IPA to IPA migration design doc
#9569 ipa-crlgen-manage should unset ca.certStatusUpdateInterval on enable
#9570 IPA migration tool - migrate nsaccountlock
#9574 Nightly failure in test_webui/test_user.py::test_user::test_disable_delete_admin
#9575 Update of a test test_adtrust_install_with_incorrect_admin_password
#9579 Remove bash_completions_dir for rhel builds
#9583 batch is failing on missing attribute principal in error case using server context
#9586 Spec file: depend on nfs-utils or nfsv4-client-utils
#9589 add systemd journal audit of executed API commands
#9590 handle IPA public exceptions in ‘ipa console’ in a better way
#9591 ipa-replica-manage clean-dangling-ruv is failing to handle invalid RUVs
#9593 ipa-kra-install tries to validate the HSM config even when no HSM is set up
#9594 topologysegment commands cannot be delegated
#9597 Remove use of deprecated functions in custodia
#9598 Nightly test failure in test_ipahealthcheck
Detailed changelog since 4.11.1#
007hacky007 (1)#
Alexander Bokovoy (43)#
console: for public errors only print a final one commit #9590
custodia: do not use deprecated jwcrypto wrappers commit #9597
frontend: add systemd journal audit of executed API commands commit #9589
ipalib/rpc: Reformat after moving json code around commit
ipalib: move json formatter to a separate file commit
pylint: use yield_from for trivial cases commit
passwd: handle LDAP auto-bind use case as well commit
cert: use context.principal only when it is defined commit #9583
trust: handle stray pylint warning commit
trust: use context.principal only when it is defined commit #9583
server: use context.principal only when it is defined commit #9583
config: use context.principal only when it is defined commit #9583
batch: account for auto-binding in server context commit #9583
privilege: use context.principal only when it is defined commit #9583
internal: fix ‘tokensfor’ typo and regenerate pot file commit
Use raw strings for Python 3 compatibility in old API client code commit #9565
idrange: only issue warning to restart services for a local range commit #9558
dcerpc: invalidate forest trust info cache when filtering out realm domains commit #9551
ipa-pwd-extop: declare operation notes support from 389-ds locally commit #9554
ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP commit #5169
ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind commit #5169
rpcserver: validate Kerberos principal name before running kinit commit #9541
ipa-kdb: support Samba 4.20 private libraries commit
kdb: PAC generator: do not fail if canonical principal is missing commit #9465
sidgen: fix missing prototypes commit
sidgen: ignore staged users when generating SIDs commit #9517
doc/designs/id-mapping.md: expand on ID range allocation details commit #9477
doc/Makefile: run sphinx in serial mode commit
adtrustinstance: make sure NetBIOS name defaults are set properly commit #9514
host: update System: Manage Host Keytab permission commit #9496
ipatests: make sure PKINIT enrollment works with a strict policy commit #9485
ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD commit #9485
ipa-kdb: when applying ticket policy, do not deny PKINIT commit #9485
ipa-kdb: add better detection of allowed user auth type commit #9485
doc/designs: add description of identity mapping in IPA commit #9477
Remove upgrade test from Azure CI commit
Azure CI: increase memory for forced reenrollment test commit
Increase memory usage for Azure CI upgrade test commit
Use datetime.timezone.utc instead of newer datetime.UTC alias commit #9454
Alexandra Nikandrova (1)#
doc: typo in basic_usage.md commit
Andika Triwidada (1)#
Translated using Weblate (Indonesian) commit
Antonio Torres (4)#
Carla Martinez (1)#
ipatests: test new columns in group details commit
Christian Heimes (6)#
Jan Kuparinen (1)#
Translated using Weblate (Finnish) commit
Erik Belko (2)#
Endi Sukma Dewata (4)#
Emilio Herrera (1)#
Translated using Weblate (Spanish) commit
Florence Blanc-Renaud (30)#
ipa-replica-manage list-ruvs: display FQDN in the output commit #9598
Spec file: depend on nfs-utils or nfsv4-client-utils commit #9586
webui test: Update message for admin disable commit #9489, #9574
idrange-add: add a warning because 389ds restart is required commit #9558
ipatests: some tests are date-sensitive and fail Feb 29 commit #9548
ipatests: fix tasks.wait_for_replication method commit #9530
ipatests: add xfail for autoprivate group test with override commit
Nightly tests: test on f38 and f39 commit
Tox: use sitepackages commit
pylint: fix errors commit
pylint: disable new checks commit
pylint: updates related to deprecations commit
azure tests: move to fedora 39 commit
ipatests: disable dnssec validation in tests using dnf commit #9498
Webui: use service options to init Firefox driver commit #9492
test_install: restart services after date change commit #9405
test_external_idp: update code for selenium 4.10 commit #9493
Make test_external_ca.py compatible with crypto 41.0.0 commit #9490
ipatests: fix expected output for ipahealthcheck.meta.services commit #9460
Handle samba changes in samba.security.dom_sid() commit #9466
ipatests: fix healthcheck test for --indent option commit
Francisco Trivino (6)#
Jeremy Frasier (1)#
Julien Rische (3)#
Masahiro Matsuya (1)#
Mark Reynolds (16)#
Issue 9591 - Allow get_ruv() to handle incomplete RUV elements commit #9591
Issue 9579 - Remove bash_completions_dir for RHEL commit #9579
Issue 9568 - Update IPA to IPA migration design doc commit #9568
Issue 9547 - Update IPA to IPA migration design doc commit #9547
Issue 9497 - update debug logging in ipa-pwd-extop commit #9497
Issue 9497 - update debug logging in ipa_otp_lasttoken commit #9497
Issue 9497 - update debug logging in ipa_otp_counter commit #9497
Issue 9497 - update debug logging in ipa_modrdn commit #9497
Issue 9497 - update debug logging in ipa_lockout commit #9497
Issue 9497 - update debug logging in ipa_graceperiod commit #9497
Issue 9497 - Add new password policy logging function commit #9497
Issue 3656 - Extend schema function to return MAY or MUST attrs commit #3656
Mohammad Rizwan (2)#
Weblate Translation Memory (19)#
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Weblate (1)#
Update translation files commit
Pavel Březina (1)#
ipaserver: fix incorrect double negative in exception message commit
Piotr Drąg (1)#
Translated using Weblate (Polish) commit
Rafael Fontenelle (2)#
Rob Crittenden (55)#
Don’t try to validate the HSM arguments on a non-HSM installation commit #9593
docs: Add a section on SELinux modules to the HSM design commit #9273
Call hsm_validator on KRA installs and validate the HSM password commit #9273
Require certmonger 0.79.17+ for required HSM changes commit #9273
After an HSM replica install ensure all certs are visible commit #9273
KRA: force OAEP for some HSM-based installations commit #9191
Prompt for token password if not provided in replica/ipa-ca-install commit #9273
dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs commit #9273
tests: Fix failing test test_testconfig.py with missing token variables commit
Add SELinux subpackage for Thales Luna HSM support commit
Add SELinux subpackage for nCipher nfast HSM support commit
Remove caSigningCert from list of certs to renew commit
Validate the HSM token library path and name during installation commit #9273
After installing a KRA, copy the updated token to other machines commit
tests: helper to copy files from one host to another commit
renew_ca_cert: set peer trust on the KRA audit certificate commit #9353
renew_ca_cert: skip removing non-CA certs, fix nickname commit #9273
If HSM is configured add the token name to config-show output commit #9273
Add token support to the renew_ca_cert certmonger helper commit #9273
Update SELinux policy to allow certmonger to PKI config files commit #9273
Add attribute ipacahsmconfiguration to the “Read CAs” ACI commit #9273
Add HSM configuration options to installer scripts commit #9273
Add LDAP attribute ipaCaHSMConfiguration to store HSM state commit #9273
doc: Add token-password-file to HSM design, set new OID commit #9273
Don’t move KRA keys when key backup is disabled commit #7677, #9273
Only generate kracert.p12 when not installing with HSM commit #9273
Add token support to installer certificate handling commit #9273
ipa-crlgen-manage: manage the cert status task execution time commit #9569
ipatests: Ignore spacing in OpenSSL validation error message commit #9567
Return 2 when certificates are not found during requests commit #9562
Check for file permissions after the ca/cert-show is complete commit #9562
Vault: add additional fallback to RSA-OAEP wrapping algo commit #9191
validate_principal: Don’t try to verify that the realm is known commit #9541
Server affinity: call ca.install() if there is a CA in the topology commit #9510
Server affinity: Don’t rely just on [ca|kra]_enabled for installs commit #9510
get_directive: don’t error out on substring mismatch commit #9506
ipa-client-automount: Don’t use deprecated ipadiscovery.IPADiscovery commit #9487
ipatests: Test client install/uninstall with automount enabled commit #9487
Fix ipa-client-automount install/uninstall with new install states commit #9487
ACME: Don’t treat pki-server ca-config-show failures as fatal commit #9503
Include supported migration scenarios in the ipa-to-ipa docs commit
ipatests: Verify that hbactest will return messages commit #9486
hbactest was not collecting or returning messages commit #9486
ipatests: fix expected output for ipahealthcheck.ipa.host commit #9482
ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck commit #9400
WIP: Get the PKI version from the remote to determine the argument commit
ipa-client: correct directory location by using constants instead commit
Allow password policy minlength to be removed like other values commit #9297
Rafael Guterres Jeffman (2)#
김인수 (19)#
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Translated using Weblate (Korean) commit
Stanislav Levin (4)#
Sudhir Menon (4)#
Temuri Doghonadze (7)#
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Translated using Weblate (Georgian) commit
Thorsten Scherf (1)#
Thomas Woerner (2)#
Viktor Ashirov (1)#
Yuri Chornoivan (1)#
Translated using Weblate (Ukrainian) commit