The FreeIPA team is proud to announce version 2.1.90 alpha 2. Alpha 1
was an internal-only release. This will eventually become FreeIPA v2.2.0.
It can be downloaded from http://www.freeipa.org/Downloads or from our
development repo (http://freeipa.org/downloads/freeipa-devel.repo).
Fedora 15, 16 and 17 builds are available.
For Fedora 17 users the the required version of 389-ds-base has not been
pushed to updates-testing yet. You can retrieve it manually from
http://koji.fedoraproject.org/koji/buildinfo?buildID=299543 or download
the packages with:
# koji download-build 299543
== Highlights in 2.1.90 alpha 2 ==
* A new KDC LDAP backend, ipa-kdb. This simplifies our set up code and
will is a big piece of future MS PAC support. It also removes the need
for the separate ipa_kpasswd daemon, kadmind is used instead.
* Support for storing SSH user and host public keys.
* SELinux user map rules. These let you set the SELinux context for
users in an HBAC rule.
* Improved DNS UI and command-line with vastly improved argument handling.
* UI screens for Automember were added.
* Session support in the Web UI. This removes the need to do Kerberos
negotiation with every request significantly improving Web UI performance.
* Support for S4U2Proxy. This is a Kerberos feature which allows a
delegated service (HTTP in our case) to request a ticket (ldap) on a
user's behalf. We no longer require the TGT to be delegated to the
server. A delegatable TGT is still required.
* Improved command-line performance. It is approximately 50% faster.
* MAC address has been added to hosts.
== Upgrading ==
We tested upgrades from 2.1.4 successfully but this is alpha code. We do
not recommend upgrading a production server.
Installing updated rpms is all that is required to upgrade from 2.1.4.
It is unlikely that downgrading to a previous release once 2.1.90 is
installed will work.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-devel
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel
== Detailed Changelog since 2.1.4 ==
Adam Young (4):
* remove enrolled column
* Add priority to pwpolicy list
* Remove delegation from browser config
* ignore generated services file.
Alexander Bokovoy (14):
* Re-enable web password migration on Fedora 16 after SE Linux policy
* Check for Python.h during build of py_default_encoding extension
* Add configure check for libintl.h
* Create directories for client install
* Add "Extending FreeIPA" developer guide
* Small fix to the guide CSS: enable vertical scroll bar
* Rename included snippets to avoid problems with pylint
* Fix dependency for samba4-devel package
* Check through all LDAP servers in the domain during IPA discovery
* Validate sudo RunAsUser/RunAsGroup arguments
* Allow hbactest to work with HBAC rules exceeding default IPA limits
* Add management of inifiles to allow manipulation of systemd units
* Handle upgrade issues with systemd in Fedora 16 and above
* Adopt to python-ldap 2.4.6 by removing unused references which are
not available in python-ldap anymore
Endi S. Dewata (60):
* Updated DNS zone details page.
* Replaced description text fields with text areas.
* Use editable combobox for service type.
* Added confirmation when adding multiple entries.
* Added selectable labels for radio buttons.
* Fixed dependency problem in UI test.
* Fixed inconsistent required/optional attributes.
* Fixed host Enrolled column.
* Fixed problem clearing validation error on checkboxes.
* Fixed "enroll" labels.
* Merged widget's metadata and param_info.
* Refactored validation code.
* Fixed inconsistent image names.
* Fixed inconsistent details facet validation.
* Added password field in user adder dialog.
* Fixed blank krbtpolicy and config pages.
* Moved facet code into facet.js.
* Added extensible UI framework.
* Fixed problem changing page in association facet.
* Updated sample data.
* Added paging on search facet.
* Refactored permission target section.
* Removed develop.js.
* Added commands into metadata.
* Removed HBAC rule type.
* Removed HBAC deny rule warning.
* Refactored entity object resolution.
* Fixed ipa.js for sessions.
* Fixed entity definition in test cases.
* Added support for radio buttons in table widget.
* Fixed entity metadata resolution.
* Refactored facet.load().
* Added HBAC Test page.
* Fixed navigation buttons for HBAC Test.
* Fixed search filter in HBAC Test.
* Added external fields for HBAC Test.
* Fixed CSS for HBAC Test
* Fixed I18n labels for HBAC Test
* Fixed matched/unmatched checkboxes in HBAC Test
* Added HBAC Test input validation.
* Fixed problem loading DNS records.
* Fixed unmatched checkbox name.
* Fixed combobox icon position.
* Fixed combobox search icon position.
* Reload UI when the user changes.
* Reload UI on server upgrade.
* Added account status into user search facet.
* Added policies into user details page.
* Load user data and policies in a single batch.
* Added instructions to generate CSR.
* Fixed problem removing automount keys and DNS records.
* Enabled paging on self-service permissions and delegations.
* Enabled paging on automount keys.
* Show disabled entries in gray.
* Fixed inconsistent status labels.
* Fixed host managed-by adder dialog.
* Added icons for status column.
* Hide Add/Delete buttons in self-service mode.
* Use fixed font when displaying certificate.
* Show password expiration date.
JR Aquino (1):
* Replication: Adjust replica installation to omit processing memberof
Jan Cholasta (15):
* Finalize plugin initialization on demand.
* Don't leak passwords through kdb5_ldap_util command line arguments.
* Parse comma-separated lists of values in all parameter types. This
can be enabled for a specific parameter by setting the "csv" option to True.
* Fix make-lint crash under certain circumstances.
* Fix attempted write to attribute of read-only object.
* Add LDAP schema for SSH public keys.
* Add LDAP ACIs for SSH public key schema.
* Add support for SSH public keys to user and host objects.
* Add API initialization to ipa-client-install.
* Move the nsupdate functionality to separate function in
* Update host SSH public keys on the server during client install.
* Configure ssh and sshd during ipa-client-install.
* Base64-decode unicode values in Bytes parameters.
* Add SSH service to platform-specific services.
* Move the compat module from ipalib to ipapython.
John Dennis (10):
* If "make rpms" fails so will the next make
* Remove old RPMROOT contents before it is used for rpmbuild
* update i18n pot file for branch ipa-2-1
* Add log manager module
* modify codebase to utilize IPALogManager, obsoletes logging
* IPAdmin undefined anonymous parameter lists
* subclass SimpleLDAPObject
* Restore default log level in server to INFO
* Add ipa_memcached service
* add session manager and cache krb auth
Marko Myllynen (1):
* include <stdint.h> for uintptr_t
Martin Kosek (52):
* Add connection failure recovery to IPAdmin
* Make sure that install tools log
* Add --zonemgr/--admin-mail validator
* Create pkey-only option for find commands
* Allow custom server backend encoding
* Fix DNS zone --allow-dynupdate option behavior
* Improve DNS record data validation
* Polish ipa config help
* Hosts file not updated when IP is passed as option
* Fix API.txt
* Fix LDAP object parameter encoding
* Remove redundant information from API.txt
* Fix coverity issues in client CLI tools
* Make ipa-server-install clean after itself
* Add --delattr option to complement --setattr/--addattr
* Improve zonemgr validator and normalizer
* Change default DNS zone manager to hostmaster
* Fix config migration option
* Ask for user confirmation in ipa-server-install
* Add DNS check to conncheck port probe
* Refactor dnsrecord processing
* Fix Parameter csv parsing
* Improve CLI output for complex commands
* Create per-type DNS API
* Fix maxvalue in DNS plugin
* Fix LDAP add calls in replication module
* Prevent service restart failures in ipa-replica-install
* Fix LDAP updates in ipa-replica-install
* Let replicas install without DNS
* Restore ACI when aci_mod fails
* Add missing --pkey-only option for selfservice and delegation
* Replace float with Decimal
* Improve host-add error message
* Fix ipa-server-install for dual NICs
* Fix selfservice-find crashes
* Mark optional DNS record parts
* Fix ldap2 combine_filters for ldap2.MATCH_NONE
* Add missing managing hosts filtering options
* Improve netgroup-add error messages
* Fix TXT record parsing
* Fix NSEC record conversion
* Add SRV record target validator
* Add data field for A6 record
* Improve dnszone-add error message
* Improve migration help
* Fix raw format for ACI commands
* Improve password change error message
* Remove debug messages
* Add argument help to CLI
* Return proper DN in netgroup-add
* Remove unused options from ipa-managed-entries
* Add Petr Viktorín to Contributors.txt
Ondrej Hamada (9):
* Misleading Keytab field
* Sort password policy by priority
* Client install checks for nss_ldap
* User-add random password support
* HBAC test optional sourcehost option
* localhost.localdomain clients refused to join
* Leave nsds5replicaupdateschedule parameter unset
* Fix 'no-reverse' option description
* Memberof attribute control and update
Petr Viktorin (5):
* Switch --group and --membergroup in example for delegation
* Fix/add options in ipa-managed-entries man page
* Honor default home directory and login shell in user_add
* Clean up i18n strings
* Internationalization for HBAC and ipalib.output
Petr Voborník (55):
* Circular entity dependency
* Fixed: Duplicate CSS definitions
* Fixing infinite loop in UI navigation unit test.
* Minor visual enhancement of required indicator
* Page is cleared before it is visible
* Field for DNS SOA class changed to combobox with options
* Extending facet's mechanism of gathering changes
* Added cross browser support of Array.indexOf method
* Splitting widget into widget and field
* Splitting basic widgets into visual widgets and fields
* Improved fields dirty status detection logic
* Builders and collections for fields and widgets
* Removing sections as special type of object
* Added possibility to define facet/dialog specific policies
* Modifying users to work with new concept
* Modifying hosts to work with new concept
* Modifying dns to work with new concept
* Modifying services to work with new concept
* Separation of writable update from field load method
* Modifying ACI to work with new concept
* Modifying groups to work with new concept
* Code cleanup of HBAC, Sudo rules
* Changing definition of basic fields in section from factory to type
* Modifying automount to work with new concept
* Fixed unit tests after widget refactoring
* Removed usage of bitwise assignment operators in logical operations
* Search facets show translated boolean values
* Better displaying of long names in tables and facet headers
* Additional better displaying of long names
* Reordered facets in ACI
* Association facets are read only in self service
* Added facet tabs coloring
* Fixed displaying of external records in rule association widgets
* Distinguishing of external values in association tables
* Better table column width computing
* Fixed labels in Sudo, HBAC rules
* Parsing of IPv4 and IPv6 addresses
* Added support of custom field validators
* Added validation logic to multivalued text field
* Added client-side validation of A and AAAA DNS records
* Fixed IPv6 validation special case: single colon
* Added support for memberof attribute in permission
* Added IP address validator to Host and DNS record adder dialog
* Fixed entity link disabling
* UI for SELinux user mapping
* Added refresh button for UI
* Modifying DNS UI to benefit from new DNS API
* Added paging to DNS record search facet
* Navigation and redirection to various facets
* Automember UI
* Automember UI - default groups
* Automember UI - Fixed I18n labels
* Removed question marks from field labels
* UI support for ssh keys
* Redirection to PTR records from A,AAAA records
Rob Crittenden (54):
* Use absolute paths when trying to find certmonger request id.
* Reorder privileges so that memberof for permissions are generated
* Fix some pylint issues found in F-16
* Fix two typos in role help.
* Move ONLY_CLIENT in spec so services.py always gets generated in
* Remove calls to has_managed_entries()
* Fix copy/paste error in parameter description.
* Add Ondrej Hamada to Contributors.txt
* Don't check for 389-instances.
* Clarify usage of --posix argument in group plugin.
* Add plugin framework to LDAP updates.
* Fix some issues introduced when rebasing update patch
* Mark some attributes required to match the schema.
* Add SELinux user mapping framework.
* Display the value of memberOf ACIs in permission plugin.
* Set minimum version of 389-ds to 1.2.10-0.5.a5
* Fix typos in in 60basev3.ldif
* Remove include for errno.h that was specific to 2.1 branch
* Remove ipa_get_random_salt() from ipapwd_encoding.c
* update i18n pot file for branch ipa-2-2
* Remove buffer log handling.
* Configure s4u2proxy during installation.
* Document the ping plugin.
* Catch exception when trying to list missing managed entries definitions
* Fix some typos in automember help and paramters.
* Add labels so HBAC and Sudo rules show under hosts/hostgroups.
* Use correct template variable for hosts, FQDN.
* In sudo when the category is all do not allow members, and vice versa.
* Update and package ipa-upgradeconfig man page.
* Fix deletion of HBAC Rules when there are SELinux user maps defined
* Add support for storing MAC address in host entries.
* Don't try to bind on TLS failure
* Check for the existence of a replication agreement before deleting it.
* %ghost the UI files that we install/create on the fly
* Make submount automount maps work.
* Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
* Consolidate external member code into two functions in baseldap.py
* Make ipaconfigstring modifiable by users.
* Don't use sets when calculating the modlist so order is preserved.
* Add update files for SELinuxUserMap
* Add update file for new schema in v2.2/3.0
* Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
* Don't set delegation flag in client, we're using S4U2Proxy now
* Update S4U2proxy delegation list when creating replicas
* Correct update syntax in 30-s4u2proxy.update
* Remove Apache ccache on upgrade.
* Add S4U2Proxy delegation permissions on upgrades
* Disable false pylint error in freeipa-systemd-upgrade
* Enable ipa_memcached when upgrading
* Configure ipa_memcached when a replica is installed.
* Use FQDN in place of FQHN for consistency in sub_dict.
* Set min for 389-ds-base to 188.8.131.52-1 to fix install segfault,
Simo Sorce (77):
* Fix build warnings
* ipa-pwd_extop: use endian.h instead of nih function
* krbinstance: use helper function to get realm suffix
* ipa-pwd-extop: Remove unused variables and code to set them
* ipa-pwd-extop: do not append mkvno to krbExtraData
* ipa-pwd-extop: Use the proper mkvno number in keys
* ipa-pwd-extop: re-indent code using old style
* ipa-pwd-extop: Use common krb5 structs from kdb.h
* ipa-pwd-extop: Move encryption of keys in common
* ipa-pwd-extop: Move encoding in common too
* ipa-pwd-extop: make encsalt parsing function common
* ipa-kdb: Initial plugin skeleton
* ipa-kdb: add exports file
* ipa-kdb: initialize module functions
* ipa-kdb: implement get_time function
* ipa-kdb: add common utility ldap wrapper functions
* ipa-kdb: functions to get principal
* ipa-kdb: add function to free principals
* ipa-kdb: add functions to delete principals
* ipa-kdb: add function to iterate over principals
* ipa-kdb: add functions to change principals
* ipa-kdb: Get/Store Master Key directly from LDAP
* ipa-kdb: implement function to retrieve password policies
* ipa-kdb: implement change_pwd function
* util: add password policy manipulation functions
* ipa-pwd-extop: Use common password policy code
* ipa-kdb: add password policy support
* ipa-pwd-extop: Allow kadmin to set krb keys
* ipa-kdb: Change install to use the new ipa-kdb kdc backend
* install: Remove uid=kdc user
* ipa-kdb: Be flexible
* install: Use proper case for boolean values
* daemons: Remove ipa_kpasswd
* schema: Split ipadns definitions from basev2 ones
* v3-schema: Add new ipaExternalGroup objectclass
* install: We do not need a ldap password anymore
* install: We do not need a kpasswd keytab anymore
* ipa-kdb: Properly set password expiration time.
* conncheck: Additional check to verify the admin password is ok
* ipa-kdb: Fix expiration time calculation
* ipa-kdb: Fix legacy password hashes generation
* ipa-kdb: Fix memory leak
* Fix CID 10742: Unchecked return value
* Fix CID 10743: Unchecked return value
* Fix CID 10745: Unchecked return value
* Fix CID 11019: Resource leak
* Fix CID 11020: Resource leak
* Fix CID 11021: Resource leak
* Fix CID 11022: Resource leak
* Fix CID 11023: Resource leak
* Fix CID 11024: Resource leak
* Fix CID 11025: Resource leak
* Fix CID 11026: Resource leak
* Fix CID 11027: Wrong sizeof argument
* Add support for generating PAC for AS requests for user principals
* MS-PAC: Add support for verifying PAC in TGS requests
* Modify random salt creation for interoperability
* Amend #2038 fix
* Add missing copyright header
* ipa-kdb: Support re-signing PAC with different checksum
* spec: We do not need krb5-server-ldap anymore
* ipa-kdb: fix free() of uninitialized var
* ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles
* ipa-kdb: fix memleaks in ipa_kdb_mspac.c
* ipa-kdb: Fix copy and paste typo
* ipa-kdb: enhance deref searches
* ipa-kdb: Add delgation access control support
* ipa-kdb: return properly when no PAC is available
* ipa-kdb: Verify the correct checksum in PAC validation
* ipa-kdb: Create PAC's KDC checksum with right key
* Disable MS-PAC handling in 2.2
* Fix replication setup
* slapi-plugins: use thread-safe ldap library
* ipa-kdb: add AS auditing support
* ipa-kdb: Avoid lookup on modify if possible
* ipa-kdb: set krblastpwdchange only when keys have been effectively
Freeipa-interest mailing list