The FreeIPA team would like to announce the FreeIPA 4.4.1 release!

It can be downloaded from

Builds for Fedora 24 will be available in the official COPR repository <>.

== Highlights in 4.4.1 ==
=== Enhancements ===
* The Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This makes it possible, for example, to require two-factor authenticated Kerberos credentials before a ticket for a VPN service is issued.
* The FreeIPA Certificate Authority can now create subordinate CAs that issue certificates with a specific scope.
* The Web UI and API end-points can now be configured to accept log-in with client certificates and smart cards. Additional configuration details are described in the External Authentication design page <>.
* The Web UI now recommends redundancy in the Certificate Authority topology.
* Custom FreeIPA plugins can now be built without modifying core FreeIPA code.
* When establishing trust to an Active Directory forest, FreeIPA can now automatically resolve DNS namespace conflicts with another Active Directory forest.

=== Known Issues ===
* Interactive CLI input for dnsrecord-* commands does not work properly for multipart records <>
* ipa-ca-install fails on replica when master is CA-less <>
* Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` <>
* Certificate revocation in service-del and host-del isn't aware of Sub CAs and causes the command to fail when a Sub CA cert is used <>

=== Bug fixes ===
FreeIPA 4.4.1 is a stabilization release for the features delivered as part of 4.4.0. It contains more than 140 bug fixes; their details are listed in the resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

== Detailed changelog since 4.4.0 ==
=== Abhijeet Kasurde (4) ===
* Minor fix in ipa-replica-manage MAN page
* Corrected minor spell check in AD Trust information doc messages
* Removed unwanted line break from RefererError Dialog message
* Handled empty hostname in server-del command

=== Alexander Bokovoy (9) ===
* service: add flag to allow S4U2Self
* support schema files from third-party plugins
* ipaserver/dcerpc: reformat to make the code closer to pep8
* trust: automatically resolve DNS trust conflicts for triangle trusts
* trust: make sure external trust topology is correctly rendered
* trust: make sure ID range is created for the child domain even if it exists
* ipa-kdb: simplify trusted domain parent search
* support multiple uid values in schema compatibility tree
* move ipa CLI utility to freeipa-client

=== Ben Lipton (3) ===
* Fix several small typos
* Use existing HostKey config to test sshd
* Silence sshd messages during install

=== Christian Heimes (5) ===
* Correct path to HTTPD's systemd service directory
* RedHatCAService should wait for local Dogtag instance
* Remove Custodia server keys from LDAP
* Secure permissions of Custodia server.keys
* Require httpd 2.4.6-31 with mod_proxy Unix socket support

=== David Kupka (21) ===
* schema: Fix subtopic -> topic mapping
* help: Add dnsserver commands to help topic 'dns'
* vault: Catch correct exception in decrypt
* schema: Speed up schema cache
* frontend: Change doc, summary, topic and NO_CLI to class properties
* schema: Introduce schema cache format
* schema: Generate bits for help load them on request
* help: Do not create instances to get information about commands and topics
* compat: Save server's API version in for pre-schema servers
* schema cache: Do not reset ServerInfo dirty flag
* schema cache: Do not read fingerprint and format from cache
* Access data for help separately
* frontend: Add summary class property to CommandOverride
* schema cache: Read server info only once
* schema cache: Store API schema cache in memory
* client: Do not create instance just to check isinstance
* schema cache: Read schema instead of rewriting it when SchemaUpToDate
* schema check: Check current client language against cached one
* compat: Fix ping command call
* schema cache: Fallback to 'en_us' when locale is not available
* otptoken, permission: Convert custom type parameters on server

=== Florence Blanc-Renaud (4) ===
* Show full error message for selinuxusermap-add-hostgroup
* server uninstall fails to remove krb principals
* Fix session cookies
* Fix ipa hbactest output

=== Fraser Tweedale (11) ===
* uninstall: untrack lightweight CA certs
* caacl: expand plugin documentation
* spec: require Dogtag >= 10.3.3-3
* Create server and host certs with DNS altname
* caacl: fix regression in rule instantiation
* cert-revoke: fix permission check bypass (CVE-2016-5404)
* Move GeneralName parsing code to ipalib.x509
* x509: fix SAN directoryName parsing
* x509: use NSS enums and OIDs to identify SAN types
* x509: include otherName DER value in GeneralNameInfo
* cert-show: show subject alternative names

=== Ganna Kaihorodova (2) ===
* Fix conflict between "got" and "expected" values
* Fix for integration tests replication layouts

=== Jan Cholasta (19) ===
* frontend: copy command arguments to output params on client
* Revert "Enable vault-* commands on client"
* client: fix hiding of commands which lack server support
* compat: fix ping call
* install: fix external CA cert validation
* vault: add missing salt option to vault_mod
* Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
* parameters: move the `confirm` kwarg to Param
* client: add missing output params to client-side commands
* cert: speed up cert-find
* cert: do not crash on invalid data in cert-find
* server install: do not prompt for cert file PIN repeatedly
* tests: fix test_ipalib.test_frontend.test_Object
* custodia: include known CA certs in the PKCS#12 file for Dogtag
* cert: add missing param values to cert-find output
* cert: include CA name in cert command output
* rpcserver: assume version 1 for unversioned command calls
* custodia: force reconnect before retrieving CA certs from LDAP
* rpcserver: fix crash in XML-RPC system commands

=== Lenka Doudova (26) ===
* Tests: Tracker class for services
* Tests: Authentication indicators xmlrpc tests
* Tests: Authentication indicators integration tests
* Tests: External trust
* Tests: Support of UPN for trusted domains
* Tests: Improve handling of rename operation by user tracker
* Tests: IPA user can kinit using enterprise principal with IPA domain
* Tests: Removing manipulation with /etc/hosts file from integration tests
* Tests: Remove has_keytab from list of expected keys of update command
* Tests: Add data attribute to messages
* Tests: test_ipalib/test_output fails due to change of Output behaviour
* Fix malformed or missing docstrings in ipalib/messages
* Tests: Fix failing tests in test_ipalib/test_parameters
* Tests: Fix failing tests in test_ipalib/test_frontend
* Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute
* Tests: Duplicate declaration on variables in ID views tests
* Tests: ID views tests do not recognize krbcanonicalname attribute
* Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
* Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
* Tests: Failing test_ipalib/test_rpc
* Tests: Failing test_ipaserver/test_ldap test
* Tests: Failing tests in test_ipalib/test_plugable
* Raise error when running ipa-adtrust-install with empty netbios--name
* Tests: Random issuer certificate can be added to a service
* Tests: Add missing attributes to test_xmlrpc/test_trust tests
* Tests: Avoid skipping tests due to missing files

=== Lukáš Slebodník (4) ===
* ipa_pwd_extop: Fix warning declaration shadows previous local
* ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
* ipa-kdb: Allow to build with samba 4.5
* ipa-kdb: Fix unit test after packaging changes in krb5

=== Martin Babinsky (20) ===
* Fix incorrect check for principal type when evaluating CA ACLs
* ipa-nis-manage: Use server API to retrieve plugin status
* ipa-compat-manage: use server API to retrieve plugin status
* ipa-advise: correct handling of plugin namespace iteration
* vault-add: set the default vault type on the client side if none was given
* Preserve user principal aliases during rename operation
* messages: specify message type for ResultFormattingError
* DNS install: Ensure that DNS servers container exists
* Use server API in oddjob helper
* allow 'value' output param in commands without primary key
* allow multiple dashes in the components of server hostname
* expose `--secret` option in radiusproxy-* commands
* prevent search for RADIUS proxy servers by secret
* trust-add: handle `--all/--raw` options properly
* baseldap: Fix MidairCollision instantiation during entry modification
* Create indexes for krbCanonicalName attribute
* harden the check for trust namespace overlap in new principals
* re-set canonical principal name on migrated users
* add python-libsss_nss_idmap and python-sss to BuildRequires
* do not use trusted forest name to construct domain admin principal

=== Martin Bašti (18) ===
* Enable vault-* commands on client
* host-find: do not show SSH key by default
* CI: DNS locations
* Host-del: fix behavior of --updatedns and PTR records
* DNS Locations: fix update-system-records unpacking error
* Use copy when replacing files to keep SELinux context
* CI tests: improve log collecting
* CI tests: fix SSSD log collecting
* idrange: fix unassigned global variable
* Do not initialize API in ipa-client-automount uninstall
* Increase default length of auto generated passwords
* ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
* Fix: container owner should be able to add vault
* Remove forgotten print from DN.__str__ implementation
* Raise DuplicatedEnrty error when user exists in delete_container
* Update translations
* Print to debug output answer from CA
* Revert "Enable LDAPS in replica promotion"

=== Milan Kubík (12) ===
* ipatests: Tracker implementation for Sub CA feature
* ipatests: Extend CAACL suite to cover Sub CA members
* ipatests: Test Sub CA with CAACL and certificate profile
* ipatests: remove ipacertbase option from test CSR configuration
* ipatests: Add tracker class for kerberos principal aliases
* ipatests: Extend the MockLDAP utility class
* ipatests: Provide a context manager for mocking a trust in RPC tests
* ipatests: Move trust mock helper functions to a separate module
* ipapython: Extend kinit_password to support principal canonicalization
* ipatests: Allow change_principal context manager to use canonicalization
* ipatests: Add kerberos principal alias tests
* ipatests: Fix wrong fixture in kerberos principal alias test

=== Oleg Fayans (7) ===
* Test for incorrect client domain
* Fixed import error
* Fixed incorrect return code assert
* Fixed incorrect domainlevel determination in tests
* Fixed incorrect sequence of method calls in
* Added a sleep interval after domainlevel raise in tests
* Disabled raiseonerr in kinit call during topology level check

=== Pavel Vomacka (12) ===
* Close host adder dialog before showing 4304 dialog
* Remove navigation using breadcrumb menus
* Fix test_navigation tests
* Fix test which checks removing of user
* Set default delete action name to 'delete'
* Remove full name from adding user to user group dialog
* Add function which check whether the field is empty
* Add jslint into Makefile
* Fix unicode characters in ca and domain adders
* Add warning about only one existing CA server
* Set servers list as default facet in topology facet group
* Add 'trusted to auth as user' checkbox

=== Peter Lacko (1) ===
* Test URIs in certificate.

=== Petr Voborník (2) ===
* unite log file name of ipa-ca-install
* ca-less tests: fix getting cert in pem format from nssdb

=== Petr Špaček (15) ===
* client-install: log exceptions from certmonger.request_cert
* replica-install: Fix --domain
* Fix ipa-replica-prepare's error message about missing local CA instance
* client: RPM require initscripts to get *-domainname.service
* server-install: Fix --hostname option to always override api.env values
* install: Call hostnamectl set-hostname only if --hostname option is used
* DNS server upgrade: do not fail when DNS server did not respond
* server upgrade: do not start BIND if it was not running before the upgrade
* DNS: allow to add forward zone to already broken sub-domain
* adtrust-install: Mention AD GC port 3286 in list of required ports.
* config-mod: normalize attribute names for --usersearch/--groupsearch
* migrate-ds: Mention --enable-migration in error message about migration mode
* Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

=== Simo Sorce (4) ===
* Simplify date manipulation in pwd plugin
* Regenerate asn1 code
* Additional coverity fixes.
* Fix CA ACL Check on SubjectAltNames

=== Stanislav Laznicka (7) ===
* Removed unused method parameter from migrate-ds
* Improvements for the ipa-cacert-manage man and help
* Removed objectclass from LDAP*ReverseMember based tests
* Don't show --force-ntpd option in replica install
* Remove sys.exit from install modules and scripts
* Fail on topology disconnect/last role removal
* Don't ignore --ignore-last-of-role for last CA

=== Sumit Bose (1) ===
* kdb: check for local realm in enterprise principals

=== Thierry Bordaz (2) ===
* Heap corruption in ipapwd plugin
* ipa-pwd-extop memory leak during password update

=== Tiboris (1) ===
* Added new authentication method

=== Tomas Krizek (5) ===
* Update ipa-replica-install documentation
* Fix ipa-caalc-add-service error message
* Validate key in otptoken-add
* Fix ipa-server-install in pure IPv6 environment
* Enable LDAPS in replica promotion

=== gkaihoro (1) ===
* Test for caacl-add-service

=== tester (4) ===
* Add possibility to choose parent element by css
* TEST: managing user certificates
* TEST: managing host certificates
* TEST: managing service certificates
