The FreeIPA Project is proud to announce the latest release of FreeIPA. As always, the latest tarball can be found at

FreeIPA 2.1.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

 * Reduced number of ports needed to punch through firewall by proxying dogtag through port 443
 * New plugin, automember, that can automatically add users and hosts to groups and hostgroups based on regular expressions.
 * Indicator in the UI and CLI when a host has a one-time password set
 * DNS improvements - loading new zones via regular polling or LDAP persistent search

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server, do the following:
 # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated FreeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue, so it is difficult to predict. During testing, one user experienced this and the upgrade hung. To break the hang, kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

 # service dirsrv start
 # ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.

== Detailed Changelog ==

Adam Young (1):
 * enable proxy for dogtag

Alexander Bokovoy (1):
 * Propagate environment when it is required.

Endi S. Dewata (19):
 * Fixed browser configuration pages
 * Hide activation/deactivation link from regular users.
 * Fixed problem selecting value from combobox
 * Fixed inconsistent layout for password reset dialog.
 * Removed 'Hide already enrolled' checkbox.
 * Replaced page dirty dialog title.
 * Updated add and delete association dialog titles.
 * Removed unnecessary HBAC/sudo rule category modification.
 * Fixed command partial failure handling.
 * Fixed default map type in automount map adder dialog.
 * Fixed host OTP status.
 * Fixed host keytab status after setting OTP.
 * Fixed host adder dialog to show default DNS zone.
 * Fixed hard-coded UI messages.
 * Fixed problem adding hostgroup into netgroup.
 * Fixed problem with combobox.
 * Fixed hard-coded UI message in entity.js.
 * Fixed missing permission filter field.
 * Fixed problem with combobox using Sahi

Jan Cholasta (6):
 * Make sure messagebus is running prior to starting certmonger.
 * Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
 * Add option to install without the automatic redirect to the Web UI.
 * Search for users in all the naming contexts present on the directory server.
 * Add subscription-manager dependency for RHEL.
 * Verify that the external CA certificate files are correct.

John Dennis (11):
 * ticket 1568 - DN objects should support the insert method
 * ticket 1569 - Test DN object non-latin Unicode support
 * ticket 1600 - convert unittests to use DN objects
 * ticket 1659 - invalid i18n string in
 * ticket 1660 - update LINGUAS file, add missing po files
 * ticket 1661 - Update all po files
 * ticket 1650 - compute accurate translation statistics
 * ticket 1707 - add documentation validation to makeapi tool
 * ticket 1705 - internationalize help topics
 * ticket 1706 - internationalize cli help framework
 * ticket 1669 - improve i18n docstring extraction

Jr Aquino (2):
 * Improve sudorule documentation
 * Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):
 * Add missing attribute labels for sudorule
 * Fix automountkey-mod
 * Fix automountlocation-import conflicts
 * ipa-client-install breaks network configuration
 * Fix sudo help and summaries
 * Let Bind track data changes

Petr Vobornik (8):
 * error dialog for batch command
 * Uncheck checkboxes in association after deletion
 * Show error in adding associations
 * Validation of details facet before update
 * Modify serial associator to use batch
 * Modifying sudo options refreshes the whole page
 * Enable update and reset button only if dirty
 * Attributes table not scrollable

Rob Crittenden (24):
 * Add information on setting in the ipactl.8 man page
 * Log each command in a batch separately.
 * Do batch logging on successful commands too, not just failures.
 * Fix wording in examples of delegation plugin.
 * Suppress 389-ds debug output when starting services
 * Fix thread deadlock by using pthreads library instead of NSPR.
 * Change the way has_keytab is determined, also check for password.
 * Add additional pam ftp services to HBAC, and a ftp HBAC service group
 * Add label for HBAC services to show as members
 * Add option to only prompt once for passwords, use in entitle_register
 * Retrieve password/keytab state when modifying a host.
 * Disable reverse lookups in ipa-join and ipa-getkeytab
 * Remove more 389-ds files/directories on uninstallation.
 * Remove 389-ds upgrade state during uninstall
 * Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
 * Add common is_installed() fn, better uninstall logging, check for errors.
 * Add external source hosts to HBAC.
 * Roll back changes if client installation fails.
 * Add netgroup as possible memberOf for hostgroups
 * Sort lists so order is predictable and tests pass as expected.
 * Suppress managed netgroups from showing as memberof hostgroups.
 * Use the IPA server cert profile in the installer.
 * Set min nvr of 389-ds-base to for BZ 728605
 * Become IPA 2.1.1

Simo Sorce (1):
 * conncheck: Fix List of ports to check

