The FreeIPA team would like to announce FreeIPA 4.8.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. == Highlights in 4.8.6 * 5662: ID Views: do not allow custom Views for the masters Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects. * 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases. * 8233: 4.8.5 master Installation error On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn't actually needed and thus was removed. * 8236: Enforce a check to prevent adding objects from IPA as external members of external groups Command 'ipa group-add-member' allowed to specify any user or group for '--external' option. A stricter check is added to verify that a group or user to be added as an external member does not come from IPA domain. * 8239: Actualize Bootstrap version Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1. * 8241: Build fails on Fedora 30 SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions. === Enhancements === Known Issues * 8240: KRA install fails if all KRA members are Hidden Replicas If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete. === Bug fixes FreeIPA 4.8.6 is a stabilization release for the features delivered as a part of 4.8 version series. There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/) or #freeipa channel on Freenode. == Resolved tickets * https://pagure.io/freeipa/issue/5662[#5662] ID Views: do not allow custom Views for the masters * https://pagure.io/freeipa/issue/6891[#6891] Move FreeIPA SELinux policy from system policy to project policy * https://pagure.io/freeipa/issue/7181[#7181] ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled * https://pagure.io/freeipa/issue/7895[#7895] ipa trust fetch-domains, server parameter ignored * https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform * https://pagure.io/freeipa/issue/8193[#8193] Re-order 50-externalmembers.update to be after 80-schema_compat.update * https://pagure.io/freeipa/issue/8228[#8228] Nightly failure in backup/restore while calling 'id admin' * https://pagure.io/freeipa/issue/8233[#8233] 4.8.5 master Installation error * https://pagure.io/freeipa/issue/8236[#8236] Enforce a check to prevent adding objects from IPA as external members of external groups * https://pagure.io/freeipa/issue/8239[#8239] Actualize Bootstrap version * https://pagure.io/freeipa/issue/8240[#8240] KRA install fails if all KRA members are Hidden Replicas * https://pagure.io/freeipa/issue/8241[#8241] Build fails on Fedora 30 == Detailed changelog since 4.8.5 === Alexander Bokovoy (35) * Become FreeIPA 4.8.6 https://pagure.io/freeipa/c/75d04b5e0e5709d98440209f803175242a52d119[commit] * ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager https://pagure.io/freeipa/c/bcbf64b1bf287d2b0b23bc7ac0cca9e8b789ba4a[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN https://pagure.io/freeipa/c/5bae736bc81eaa1167ec64a69a32506dad2ca286[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipatests: test sysaccount password change with a password policy applied https://pagure.io/freeipa/c/313542e8a125c4904750826ef9eabdead7d874bd[commit] https://pagure.io/freeipa/issue/7181[#7181] * ipatests: allow changing sysaccount passwords as cn=Directory Manager https://pagure.io/freeipa/c/f4dc10b8caac44f5c2a8edbb4c647e6dcf71c3bd[commit] https://pagure.io/freeipa/issue/7181[#7181] * Fix indentation levels https://pagure.io/freeipa/c/c62b9e7f6ab0dec54540dc6cd389fe58f8858275[commit] * ipatests: always skip additional input for group-add-member --external https://pagure.io/freeipa/c/74f36e7c2f7f6d17b56e06b5f05205edb8a286d7[commit] https://pagure.io/freeipa/issue/8236[#8236] * po: update Chinese (China) translation https://pagure.io/freeipa/c/c6adee04068ce946f8c9b8ad5db19721db13c602[commit] * po: update Ukrainian translation https://pagure.io/freeipa/c/855a36b6c093fd21af7cf87524acc5d297692de3[commit] * po: update Tajik translation timestamp https://pagure.io/freeipa/c/3d411cf29f29e1d391ed8f6eb159b88d450a332b[commit] * po: update Slovak translation timestamp https://pagure.io/freeipa/c/3c15e47a7c2212aab0ecdc320093bee2afa0bfdc[commit] * po: update Russian translation https://pagure.io/freeipa/c/db433fbe4e521d08dee2cdc2e65344d8203e03a4[commit] * po: update Portuguese (Brazil) translation timestamp https://pagure.io/freeipa/c/eab195ff3884b482279279326b3a84ced4723b7e[commit] * po: update Portuguese translation timestamp https://pagure.io/freeipa/c/31a9da8efa793d492352f646fc804b902beec088[commit] * po: update Polish translation https://pagure.io/freeipa/c/4e3867fcc49a8d2ff1085e630abd77666a06d838[commit] * po: update Punjabi translation timestamp https://pagure.io/freeipa/c/e4dfb7409bd25dc5bc2cc1e99562f912a98509f8[commit] * po: update Dutch translation timestamp https://pagure.io/freeipa/c/e7945284906998da0a798a1ff15a42dd3fdb96d9[commit] * po: update Marathi translation timestamp https://pagure.io/freeipa/c/28a963eed0f27c214543b02fc34e15182e6fcc04[commit] * po: update Kannada translation timestamp https://pagure.io/freeipa/c/89b048d1408834dde38321ac4f402083ebd30247[commit] * po: update Japanese translation timestamp https://pagure.io/freeipa/c/89dbf88abb108cad7f44f92b4e94e66f21746cd3[commit] * po: update Indonesian translation timestamp https://pagure.io/freeipa/c/124a563eb64d7f9a2190a13e9d68a7b608be2d22[commit] * po: update Hungarian translation timestamp https://pagure.io/freeipa/c/595d5062b9e770a946156f69df2fe522d4745d9e[commit] * po: update Hindi translation timestamp https://pagure.io/freeipa/c/c4dd8b226ae97011bcc0546209f8473fbcd75ab8[commit] * po: update French translation https://pagure.io/freeipa/c/a2ca393d35a1f34b2dbbd54c9c1d24b9f20960f0[commit] * po: update Basque translation timestamp https://pagure.io/freeipa/c/92fb5c5268b8b1b02b7a1d12b9a6417c893a18f1[commit] * po: update Spanish translation https://pagure.io/freeipa/c/7af52df7a8e54afe36649c5436fcfce759111751[commit] * po: update English (United Kingdom) translation timestamp https://pagure.io/freeipa/c/37a1e927a1f123b8b9fdbaf815003cb04726f72c[commit] * po: update German translation https://pagure.io/freeipa/c/0d053d8b1df33f5602ae0e154743f1d1dce2c72d[commit] * po: update Czech translation timestamp https://pagure.io/freeipa/c/c8ba436c0dad467bf12dec4d4f141916d0b3fbbd[commit] * po: update Catalan translation timestamp https://pagure.io/freeipa/c/29e3ade05c8bea23c07ed1a1b5612af01f924d2d[commit] * po: update Bengali translation timestamp https://pagure.io/freeipa/c/16d9556c6f3d19f73256d6698a7659f78961a378[commit] * po: update ipa.pot template https://pagure.io/freeipa/c/e23ba779d3aefd871e348b91e7b0fa003d97c96e[commit] * Update translation infrastructure https://pagure.io/freeipa/c/831f4dd320a93d01df6b06058c3ab618a98c9fd8[commit] https://pagure.io/freeipa/issue/8159[#8159] * Keep ipa.pot translation file in git for weblate https://pagure.io/freeipa/c/9ff7b4a411d13ca148d2f53603dbcc812d92380a[commit] https://pagure.io/freeipa/issue/8159[#8159] * Prevent adding IPA objects as external members of external groups https://pagure.io/freeipa/c/127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19[commit] https://pagure.io/freeipa/issue/8236[#8236] === Christian Heimes (5) * po: fix LINGUAS to use whitespace separation https://pagure.io/freeipa/c/616ad399c99292542638e9e8f0995873e5c4f311[commit] https://pagure.io/freeipa/issue/8159[#8159] * SELinux: apache_manage_pid_files for F30 https://pagure.io/freeipa/c/f08ced1b25e14f91526c82610a8219ae8ed898a3[commit] https://pagure.io/freeipa/issue/8241[#8241] * Add pytest OpenSSH transport with password https://pagure.io/freeipa/c/42aa86fadd7a7f2209e05291be9c76a8497998dd[commit] * Move freeipa-selinux dependency to freeipa-common https://pagure.io/freeipa/c/7d525ab4308060435808a311de55a76fb26a28c6[commit] https://pagure.io/freeipa/issue/6891[#6891] * Integrate ipa_custodia policy https://pagure.io/freeipa/c/04cc0450125e3c9e989c3e769a25ba2f1f336060[commit] https://pagure.io/freeipa/issue/6891[#6891] === François Cami (1) * ipatests: test_replica_promotion.py: test KRA on Hidden Replica https://pagure.io/freeipa/c/a692212e3bee36fbccba73ed21f7825381eeade4[commit] https://pagure.io/freeipa/issue/8240[#8240] === Florence Blanc-Renaud (3) * ipatests: wait for SSSD to become online in backup/restore tests https://pagure.io/freeipa/c/ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3[commit] https://pagure.io/freeipa/issue/8228[#8228] * xmlrpc tests: add a test for idview-apply on a master https://pagure.io/freeipa/c/c37a84628601d369f83546085b7e29be8fe11a59[commit] https://pagure.io/freeipa/issue/5662[#5662] * idviews: prevent applying to a master https://pagure.io/freeipa/c/7905891341197cb90faf635cf93ce63ae7a7a38b[commit] https://pagure.io/freeipa/issue/5662[#5662] === Mohammad Rizwan Yusuf (3) * ipatests: Skip test using paramiko when FIPS is enabled https://pagure.io/freeipa/c/45507c1e86b634507fdc21dbb88ea9edd43e4166[commit] * Test if schema-compat-entry-attribute is set https://pagure.io/freeipa/c/3f3fa403a944035cf5531939fe3a2e338da99612[commit] https://pagure.io/freeipa/issue/8193[#8193] * Test if schema-compat-entry-attribute is set https://pagure.io/freeipa/c/210619a98f0d8a042a181bab5891bdd595aa5351[commit] https://pagure.io/freeipa/issue/8193[#8193] === Rob Crittenden (4) * Test that pwpolicy only applied on Kerberos entries https://pagure.io/freeipa/c/b34063e700ac4c65b117705bafb0255c26bca060[commit] * Add ability to change a user password as the Directory Manager https://pagure.io/freeipa/c/840671b1cdc508ea86f8412e6423f00b8c3bf809[commit] * Don't save password history on non-Kerberos accounts https://pagure.io/freeipa/c/8b7bb96b327207284c8c0a45cf2979843482cf48[commit] * Test that ipa-healthcheck human output translates error strings https://pagure.io/freeipa/c/7974ac9f8c7969df85f689d94f5b30c18e661daa[commit] === Stanislav Levin (1) * pki-proxy: Don't rely on running apache until it's configured https://pagure.io/freeipa/c/24c6ea3c9f2df757b3d714044c16083716e377ca[commit] https://pagure.io/freeipa/issue/8233[#8233] === Sergey Orlov (2) * ipatests: provide AD admin password when trying to establish trust https://pagure.io/freeipa/c/814b47e85c87bc3c80c91ebd0aa9085ac06b521e[commit] https://pagure.io/freeipa/issue/7895[#7895] * ipatests: remove test_ordering https://pagure.io/freeipa/c/0e9b020db201ff5797f0dabff05c3fc16a9bf79a[commit] === Serhii Tsymbaliuk (1) * Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 https://pagure.io/freeipa/c/f1855dd51e1544a77f1b4a3d4c90f173c29fbed4[commit] https://pagure.io/freeipa/issue/8239[#8239] === sumenon (1) * ipatests: Added testcase to check logrotate is added for healthcheck tool https://pagure.io/freeipa/c/7d4687926e9866c378db8075dd7b55b3c40e71a9[commit] === Vit Mojzis (1) * selinux: disable ipa_custodia when installing custom policy https://pagure.io/freeipa/c/f99cfa1443dfa33422eb4a7613d3dd9e921ccacd[commit] https://pagure.io/freeipa/issue/6891[#6891] -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
