Here are the draft release notes for the second pre-release of 4.7.0. Let me know if I've missed anything.

{{ReleaseDate|2018-05-14}}
The FreeIPA team would like to announce the FreeIPA 4.6.90.pre2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories.

== Highlights in 4.6.90.pre2 ==

The major new features of this release are:
* Switch from using mod_nss for the Apache TLS engine to using mod_ssl. Upgrading will move the certificates and keys from /etc/httpd/alias to /var/lib/ipa/certs/.
* Switch time client and server from ntp to chrony.
* Switch from using authconfig to authselect to configure the PAM stack.

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a
part of 4.7.0.

There are more than 70 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==

Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/) or the #freeipa channel on Freenode.


== Resolved tickets ==
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7518 Improve Custodia client and key distribution handling
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7512 Missing dependency for freeipa-client: python3-augeas
* 7510 validate_selinuxuser does not allow a period in selinux user identifier
* 7508 Trust tests for Posix support are failing with Assertion Error None on Windows Server 2016
* 7507 ui_tests: extend test_user suite
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
* 7499 Integration tests dns_location in regards of check NTP records failing
* 7498 [F28] CA replica fails with could not find certificate named "caSigningCert cert-pki-ca"
* 7496 csrgen fails if subject base contains lower-case attribute names
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases
* 7486 Allow hosts to delete their own services
* 7485 Extending webui user group test
* 7484 Load ipaclient.csrgen on demand to speed up CLI
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7474 ipa-server-install --uninstall on replica fails with "NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7470 TestBasicADTrust.test_ipauser_authentication is failing with error "Confidentiality required"
* 7469 ipa-replica-prepare fail with "stat: path should be string, bytes, os.PathLike or integer, not NoneType"
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7463 test_webui: add user life-cycles tests
* 7461 Hardening of topology plugin to prevent erroneous deletion of a replica agreement
* 7459 [RFE] replica-install: warn when only one CA exists in topology
* 7458 ui_tests: extend test_hostgroup.py suite
* 7456 ipa otptoken-add should use LDAP Whoami call
* 7454 Upgrade from F27 to F28 produces an error while updating ipa.conf.template
* 7450 "This entry already exists" error when upgrading on IPA 4.5
* 7442 Replication agreement status incorrectly checked
* 7441 ui_tests: extend test_service.py suite
* 7436 ipa: Please log something after restarting the KDC
* 7427 User Administrator doesn't have enough privileges to edit homeDirectory attribute
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
* 7424 Improve Realm Domains doc text
* 7421 Store HTTPD private keys encrypted
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install trust-agent on replica
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7376 clear sssd cache when uninstalling client
* 7366 RFE: ipa client should setup openldap for GSSAPI
* 7330 ipa-server-install --uninstall does not return error code on error
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug
* 7041 [ipa-replica-install] - KDC has no support for encryption type - reoccurrence in multireplica scenario
* 7024 freeipa depends on ntp
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 5776 webui: some data disappear from user details page after the save action is performed
* 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests
* 4853 Utilize system-wide crypto-policies

== Detailed changelog since 4.6.90.pre1 ==
=== Alexander Bokovoy (13) ===
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult

=== Alexey Slaykovsky (1) ===
* Make tox tests to generate results in JUnit XML

=== amitkuma (5) ===
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client

=== Anuja More (2) ===
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage

=== Christian Heimes (32) ===
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes

=== Felipe Barreto (10) ===
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct

=== Florence Blanc-Renaud (8) ===
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master

=== Fraser Tweedale (12) ===
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout

=== Ganna Kaihorodova (5) ===
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder

=== Takeshi MIZUTA (1) ===
* Fix some typos in man page

=== Michal Reznik (18) ===
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function

=== Varun Mylaraiah (3) ===
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios

=== Pavel Picka (1) ===
* WebUI Hostgroups tests cases added

=== Petr Vobornik (4) ===
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text

=== Rob Crittenden (16) ===
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALes test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot

=== Robbie Harwood (2) ===
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet

=== Stanislav Laznicka (11) ===
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options

=== Thierry Bordaz (1) ===
* Hardening of topology plugin to prevent erroneous deletion of a replica agreement

=== Tibor Dudlák (14) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option