The FreeIPA team is proud to announce version 2.1.3.

It can be downloaded from

== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have affected any user of the selfsign CA (a server installed with --selfsign). We decided to hold back the release, fix a few more bugs, and push out 2.1.3 instead about a week later. So here we are.

== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements: a longer wait for sssd to start, recovery when the discovered IPA server is unresponsive, and enrollment against a 389-ds that has anonymous bind disabled.
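
As an added illustration of the first two highlights (example code written for this page, not FreeIPA's own installer check), the following POSIX shell function applies the rules those highlights imply: the IPA host name must be fully qualified, must not be a localhost alias, and must not be mapped to a loopback address in /etc/hosts, since a loopback mapping makes the IPA services bind and advertise 127.0.0.1 instead of the host's real address. The exact rule set, the return codes and the sample /etc/hosts contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA code: sanity-check the IPA host name against
# the contents of /etc/hosts.  Rules (an assumption about what "sane" means):
#   - the name must be fully qualified and not a localhost alias
#   - neither the FQDN nor its short form may map to 127.x.x.x or ::1
# Return codes: 0 sane, 1 not an FQDN, 2 mapped to loopback,
#               3 absent from /etc/hosts (must then resolve through DNS).

check_ipa_hostname() {
    host=$1
    hosts_content=$2
    shortname=${host%%.*}

    case $host in
        localhost|localhost.localdomain)
            echo "$host is a loopback name"; return 1 ;;
        *.*) ;;
        *)  echo "$host is not fully qualified"; return 1 ;;
    esac

    # Strip comments; field 1 is the address, the remaining fields are names.
    # Names are compared case-insensitively, as /etc/hosts lookups are.
    printf '%s\n' "$hosts_content" | sed 's/#.*//' | awk -v fqdn="$host" -v short="$shortname" '
        NF < 2 { next }
        {
            addr = $1
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == tolower(fqdn) || n == tolower(short)) {
                    if (addr ~ /^127\./ || addr == "::1") bad = 1
                    else good = 1
                }
            }
        }
        END { if (bad) exit 2; if (!good) exit 3; exit 0 }'
    rc=$?
    case $rc in
        2) echo "$host is mapped to a loopback address in /etc/hosts" ;;
        3) echo "$host is not in /etc/hosts; it must resolve through DNS" ;;
    esac
    return $rc
}

# Constructed sample /etc/hosts contents (not taken from any real host).
SAMPLE_HOSTS_OK='127.0.0.1   localhost localhost.localdomain
::1         localhost6 localhost6.localdomain6
192.0.2.10  ipa.example.com ipa   # constructed sample entry'

SAMPLE_HOSTS_BAD='127.0.0.1   localhost ipa.example.com ipa
192.0.2.10  ipa.example.com'

# Worked run on the samples.  On a real host use:
#   check_ipa_hostname "$(hostname)" "$(cat /etc/hosts)"
check_ipa_hostname ipa.example.com "$SAMPLE_HOSTS_OK" && echo "ipa.example.com: sane"
check_ipa_hostname ipa.example.com "$SAMPLE_HOSTS_BAD" || echo "exit status $?"
```

The short name is checked as well as the FQDN because a line such as `127.0.0.1 localhost ipa` is enough to make local name lookups for the host come back as loopback even when the FQDN itself is correct.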

== Highlights in 2.1.2 ==

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
* IPA server now supports multiple namingContexts; ipa-client-install and password migration were fixed accordingly

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
 # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated FreeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script is executed in the rpm postinstall phase to apply any required changes to the IPA LDAP server.

There is a bug reported against 389-ds related to read-write locks: the NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue, so it is difficult to predict. During testing one user hit it and the upgrade hung. To break the hang, kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and run the update process manually:

 # service dirsrv start
 # ipa-ldap-updater --update
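
A 2.x server backed by dogtag runs two 389-ds instances, slapd-<REALM> (the realm name with dots replaced by dashes) and slapd-PKI-IPA, so "the ns-slapd process for your realm" is the one started with -D /etc/dirsrv/slapd-<REALM>, not the PKI one. The shell helper below, added here as example code rather than anything shipped by FreeIPA, picks that PID out of a `ps -eo pid,args` style listing; the listing it runs against is constructed for the example, and the instance-naming and command-line conventions it relies on are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not FreeIPA code: find the ns-slapd PID that serves an IPA
# realm so the hung instance can be killed without touching slapd-PKI-IPA.
# Assumptions: an instance is named slapd-<REALM with '.' -> '-'> and ns-slapd
# is started as "ns-slapd -D /etc/dirsrv/slapd-<INSTANCE> -i <pidfile>".

# EXAMPLE.COM -> slapd-EXAMPLE-COM
realm_to_instance() {
    printf 'slapd-%s\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# Read a "pid args" listing on stdin and print the PID of the ns-slapd whose
# -D argument is the realm's instance directory.  Exit 1 if there is none.
ns_slapd_pid_for_realm() {
    inst=$(realm_to_instance "$1")
    awk -v dir="/etc/dirsrv/$inst" '
        $2 ~ /ns-slapd$/ {
            for (i = 3; i < NF; i++)
                if ($i == "-D" && $(i + 1) == dir) { print $1; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Constructed process listing: the PKI instance, the realm instance and the
# yum transaction that is waiting on the hung updater.
SAMPLE_PS='  PID COMMAND
 1234 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid
 4321 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
 5555 /usr/bin/python /usr/bin/yum update freeipa-server'

# Worked run on the constructed listing; on a real host feed it `ps -eo pid,args`.
pid=$(printf '%s\n' "$SAMPLE_PS" | ns_slapd_pid_for_realm EXAMPLE.COM)
echo "ns-slapd for EXAMPLE.COM: pid $pid (slapd-PKI-IPA is left alone)"
# Recovery steps from the announcement, to be run on the real host only:
#   kill "$pid"                # breaks the hang; let the yum transaction finish
#   service dirsrv start
#   ipa-ldap-updater --update
```

After `ipa-ldap-updater --update` finishes, check that both instances are back (`service dirsrv status`) before treating the upgrade as complete.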

=== Client ===

The ipa-client-install tool in the ipa-client package is only a configuration tool. Updating the package on an already-enrolled client does not require re-running it.

== Detailed Changelog for 2.1.3 ==

Adam Young (1):
 * Fix dynamic display of UI tabs based on rights

Alexander Bokovoy (8):
 * Increase number of 'getent passwd attempts' to 10
 * Force kerberos realm to be a string
 * Include indirect membership and canonicalize hosts during HBAC rules testi
 * Refactor backup_and_replace_hostname() into a flexible config modification tool
 * Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool
 * Refactor authconfig use in ipa-client-install
 * Document --preserve-sssd option of ipa-client-install
 * Use set class instead of dictview class as set is wider supported

Jan Cholasta (3):
 * Disallow deletion of global password policy.
 * Don't leak passwords through kdb5_ldap_util command line arguments.
 * Remove more redundant configuration values from krb5.conf.

John Dennis (1):
 * Fix Spanish po translation file

Martin Kosek (12):
 * Improve default user/group object class validation
 * Fix i18n in config plugin
 * Fix dnszone-add name_from_ip server validation
 * Improve handling of GIDs when migrating groups
 * ipa-client-install hangs if the discovered server is unresponsive
 * Optimize member/memberof searches in LDAP
 * Make IPv4 address parsing more strict
 * Check hostname resolution sanity
 * Hostname used by IPA must be a system hostname
 * Check /etc/hosts file in ipa-server-install
 * Fix ipa-client-install -U option alignment
 * Improve hostgroup/netgroup collision checks

Petr Vobornik (2):
 * Added missing fields to password policy page
 * Fixed: Unable to add external user for RunAs User for Sudo rules

Rob Crittenden (12):
 * Fix DNS permissions and membership in privileges
 * Fix upgrades of selfsign server
 * Make ipa-join work against an LDAP server that disallows anon binds
 * Fix has_upg() to work with relocated managed entries configuration.
 * Work around limits not being updatable in 389-ds.
 * Save the value of hostname even if it doesn't appear in /etc/sysconfig/network
 * Add explicit instructions to ipa-replica-manage for winsync replication
 * Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324)
 * Handle an empty value in a name/value pair in config_replace_variables()
 * Update all LDAP configuration files that we can.
 * If our domain is already configured in sssd.conf start with a new config.
 * Fix typo in invalid PTR record error message

Simo Sorce (1):
 * updates: Change default limits on ldap searches

== Detailed Changelog for 2.1.2 ==

Adam Young (4):
 * split metadata call
 * Make mod_nss renegotiation configuration a public function
 * Execute pki proxy setup when server is upgraded if needed
 * Force the upgrade of pki-setup when upgrading the RPMS

Alexander Bokovoy (13):
 * Incorrect name in examples of ipa help hbactest
 * Unroll groups when testing HBAC rules
 * Introduce platform-specific adaptation for services used by FreeIPA.
 * Convert server install code to platform-independent access to system services
 * Convert client-side tools to platform-independent access to system services
 * Convert installation tools to platform-independent access to system services
 * Cleanup whitespace
 * When external host is specified in HBAC rule, allow its use in simulation
 * Unroll StrEnum values when displaying help
 * Configure pam_krb5 on the client only if sssd is not configured
 * Setup and restore ntp configuration on the client side properly
 * Fix 'referenced before assignment' warning
 * Before kinit, try to sync time with the NTP servers of the domain we are joining

Endi S. Dewata (24):
 * Fixed unit test for entity select widget.
 * Fixed layout problem in permission adder dialog.
 * Fixed sudo rule association dialogs.
 * Fixed missing optional field.
 * Fixed labels for run-as users and groups.
 * Fixed problem opening host adder dialog.
 * Removed entitlement menu.
 * Fixed posix group checkbox.
 * Fixed columns in HBAC/sudo rules list pages.
 * Fixed missing cancel button in unprovisioning dialog.
 * Fixed problem enabling/disabling DNS zone.
 * Fixed problem enrolling member with the same name.
 * Modified dialog to use sections.
 * Removed undo flags from dialog field specs.
 * Fixed problem on combobox with search limit.
 * Fixed problem displaying special characters.
 * Fixed add/delete arrows position.
 * Fixed duplicate entries in enrollment dialog.
 * Updated color scheme.
 * Fixed tab and dialog widths.
 * Disable enroll button if nothing selected.
 * Fixed missing default shell field.
 * I18n clean-up.
 * Disable sudo options Delete button if nothing selected.

JR Aquino (1):
 * Create Tool for Enabling/Disabling Managed Entry Plugins

Jakub Hrozek (1):
 * Silence a compilation warning in ipa_kpasswd

Jan Cholasta (6):
 * Check that install hostname matches the server hostname.
 * Fix client install on IPv6 machines.
 * Fix ipa-replica-prepare always warning the user about not using the system hostname.
 * Validate name_from_ip parameter of dnszone.
 * Add a function for formatting network locations of the form host:port for use in URLs.
 * Work around pkisilent bugs.

Jr Aquino (1):
 * Move Managed Entries into their own container in the replicated space.

Marko Myllynen (1):
 * Don't remove /tmp when removing temp cert dir

Martin Kosek (21):
 * Improve man pages structure
 * Improve ipa-join man page
 * Fix permissions in installers
 * Fix configure.jar permissions
 * Set bind and bind-dyndb-ldap min nvr
 * Fix pylint false positive in hbactest module
 * ipactl does not stop dirsrv
 * dirsrv is not stopped correctly in the fallback
 * Remove checks for ds-replication plugin
 * Fix /usr/bin/ipa duplicated server list
 * Revert "Always require SSL in the Kerberos authorization block."
 * Fix error messages in hbacrule
 * Fix LDAPCreate search failure
 * Fix HBAC tests hostnames
 * ipa-client assumes a single namingcontext
 * migrate process cannot handle multivalued pkey attribute
 * Be more clear about selfsign option
 * Install tools crash when password prompt is interrupted
 * Improve ipa-replica-prepare DNS check
 * Prevent collisions of hostgroup and netgroup
 * Make sure ipa-client-install returns correct error code

Nalin Dahyabhai (2):
 * list users from nested groups, too
 * Update man pages to note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials

Petr Vobornik (10):
 * Fixed: JavaScript type error in entitlement page
 * Fixed inconsistency in enabling delete buttons
 * Code cleanup: widget creation
 * Fixed: Column header for attributes table should be full width
 * Fixed: Enrolment dialog offers to add entity to reflexive association.
 * Fixed: Some widgets do not have space for validation error message
 * Disables gid field if not posix group in group adder dialog
 * Fixed links to images in config and migration pages
 * Split Web UI initialization to several smaller calls #2
 * Split Web UI initialization to several smaller calls

Rob Crittenden (20):
 * Don't allow a OTP to be set on an enrolled host
 * Remove normalizer that made role, privilege and permission names lower-case
 * Improved handling for ipa-pki-proxy.conf
 * The precedence on the modrdn plugin was set in the wrong location.
 * Update ipa-ldap-updater man page saying it is not an end-user utility
 * Skip the cert validator if the csr we are passed in is a valid filename
 * Change the Requires for the server and server-selinux for proper order
 * Suppress managed netgroups as indirect members of hosts.
 * The return value of restorecon is not reliable, ignore it.
 * Normalize uid in user principal to lower-case and do validation
 * Shut down duplicated file handle when HTTP response code is not 200.
 * Don't log one-time password in logs when configuring client.
 * Always require SSL in the Kerberos authorization block.
 * Include failed service and service groups in hbac rule management
 * Add regular expression pattern to host names.
 * Detect CA installation type in ipa-replica-prepare and ipa-ca-install.
 * Require current password when using passwd to change your own password.
 * Migration: don't assume there is only one naming context, add logging.
 * When calculating indirect membership don't test nesting on users and hosts.

Simo Sorce (4):
 * ipa-pwd-extop: Fix segfault in password change.
 * ipa-pwd-extop: Enforce old password checks
 * ipa-client-install: Fix joining when LDAP access is restricted
 * replica-prepare: anonymous binds may be disallowed

Sumit Bose (2):
 * Call standard_logging_setup() before any logging is done
 * ipa-pwd-extop: allow password change on all connections with SSF>1

Yuri Chornoivan (1):
 * Fix typos

Freeipa-interest mailing list