The FreeIPA team is proud to announce version 2.1.90 alpha 2. Alpha 1 was an internal-only release. This will eventually become FreeIPA v2.2.0.

It can be downloaded from http://www.freeipa.org/Downloads or from our development repo (http://freeipa.org/downloads/freeipa-devel.repo). Fedora 15, 16 and 17 builds are available.

For Fedora 17 users the the required version of 389-ds-base has not been pushed to updates-testing yet. You can retrieve it manually from http://koji.fedoraproject.org/koji/buildinfo?buildID=299543 or download the packages with:

 # koji download-build 299543

== Highlights in 2.1.90 alpha 2 ==

* A new KDC LDAP backend, ipa-kdb. This simplifies our set up code and will is a big piece of future MS PAC support. It also removes the need for the separate ipa_kpasswd daemon, kadmind is used instead.
 * Support for storing SSH user and host public keys.
* SELinux user map rules. These let you set the SELinux context for users in an HBAC rule.
 * Improved DNS UI and command-line with vastly improved argument handling.
 * UI screens for Automember were added.
* Session support in the Web UI. This removes the need to do Kerberos negotiation with every request significantly improving Web UI performance. * Support for S4U2Proxy. This is a Kerberos feature which allows a delegated service (HTTP in our case) to request a ticket (ldap) on a user's behalf. We no longer require the TGT to be delegated to the server. A delegatable TGT is still required.
 * Improved command-line performance. It is approximately 50% faster.
 * MAC address has been added to hosts.

== Upgrading ==

We tested upgrades from 2.1.4 successfully but this is alpha code. We do not recommend upgrading a production server.

Installing updated rpms is all that is required to upgrade from 2.1.4.

It is unlikely that downgrading to a previous release once 2.1.90 is installed will work.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 2.1.4 ==

Adam Young (4):
 * remove enrolled column
 * Add priority to pwpolicy list
 * Remove delegation from browser config
 * ignore generated services file.

Alexander Bokovoy (14):
* Re-enable web password migration on Fedora 16 after SE Linux policy restrictions
 * Check for Python.h during build of py_default_encoding extension
 * Add configure check for libintl.h
 * Create directories for client install
 * Add "Extending FreeIPA" developer guide
 * Small fix to the guide CSS: enable vertical scroll bar
 * Rename included snippets to avoid problems with pylint
 * Fix dependency for samba4-devel package
 * Check through all LDAP servers in the domain during IPA discovery
 * Validate sudo RunAsUser/RunAsGroup arguments
 * Allow hbactest to work with HBAC rules exceeding default IPA limits
 * Add management of inifiles to allow manipulation of systemd units
 * Handle upgrade issues with systemd in Fedora 16 and above
* Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore

Endi S. Dewata (60):
 * Updated DNS zone details page.
 * Replaced description text fields with text areas.
 * Use editable combobox for service type.
 * Added confirmation when adding multiple entries.
 * Added selectable labels for radio buttons.
 * Fixed dependency problem in UI test.
 * Fixed inconsistent required/optional attributes.
 * Fixed host Enrolled column.
 * Fixed problem clearing validation error on checkboxes.
 * Fixed "enroll" labels.
 * Merged widget's metadata and param_info.
 * Refactored validation code.
 * Fixed inconsistent image names.
 * Fixed inconsistent details facet validation.
 * Added password field in user adder dialog.
 * Fixed blank krbtpolicy and config pages.
 * Moved facet code into facet.js.
 * Added extensible UI framework.
 * Fixed problem changing page in association facet.
 * Updated sample data.
 * Added paging on search facet.
 * Refactored permission target section.
 * Removed develop.js.
 * Added commands into metadata.
 * Removed HBAC rule type.
 * Removed HBAC deny rule warning.
 * Refactored entity object resolution.
 * Fixed ipa.js for sessions.
 * Fixed entity definition in test cases.
 * Added support for radio buttons in table widget.
 * Fixed entity metadata resolution.
 * Refactored facet.load().
 * Added HBAC Test page.
 * Fixed navigation buttons for HBAC Test.
 * Fixed search filter in HBAC Test.
 * Added external fields for HBAC Test.
 * Fixed CSS for HBAC Test
 * Fixed I18n labels for HBAC Test
 * Fixed matched/unmatched checkboxes in HBAC Test
 * Added HBAC Test input validation.
 * Fixed problem loading DNS records.
 * Fixed unmatched checkbox name.
 * Fixed combobox icon position.
 * Fixed combobox search icon position.
 * Reload UI when the user changes.
 * Reload UI on server upgrade.
 * Added account status into user search facet.
 * Added policies into user details page.
 * Load user data and policies in a single batch.
 * Added instructions to generate CSR.
 * Fixed problem removing automount keys and DNS records.
 * Enabled paging on self-service permissions and delegations.
 * Enabled paging on automount keys.
 * Show disabled entries in gray.
 * Fixed inconsistent status labels.
 * Fixed host managed-by adder dialog.
 * Added icons for status column.
 * Hide Add/Delete buttons in self-service mode.
 * Use fixed font when displaying certificate.
 * Show password expiration date.

JR Aquino (1):
* Replication: Adjust replica installation to omit processing memberof computations

Jan Cholasta (15):
 * Finalize plugin initialization on demand.
 * Don't leak passwords through kdb5_ldap_util command line arguments.
* Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
 * Fix make-lint crash under certain circumstances.
 * Fix attempted write to attribute of read-only object.
 * Add LDAP schema for SSH public keys.
 * Add LDAP ACIs for SSH public key schema.
 * Add support for SSH public keys to user and host objects.
 * Add API initialization to ipa-client-install.
* Move the nsupdate functionality to separate function in ipa-client-install.
 * Update host SSH public keys on the server during client install.
 * Configure ssh and sshd during ipa-client-install.
 * Base64-decode unicode values in Bytes parameters.
 * Add SSH service to platform-specific services.
 * Move the compat module from ipalib to ipapython.

John Dennis (10):
 * If "make rpms" fails so will the next make
 * Remove old RPMROOT contents before it is used for rpmbuild
 * update i18n pot file for branch ipa-2-1
 * Add log manager module
 * modify codebase to utilize IPALogManager, obsoletes logging
 * IPAdmin undefined anonymous parameter lists
 * subclass SimpleLDAPObject
 * Restore default log level in server to INFO
 * Add ipa_memcached service
 * add session manager and cache krb auth

Marko Myllynen (1):
 * include <stdint.h> for uintptr_t

Martin Kosek (52):
 * Add connection failure recovery to IPAdmin
 * Make sure that install tools log
 * Add --zonemgr/--admin-mail validator
 * Create pkey-only option for find commands
 * Allow custom server backend encoding
 * Fix DNS zone --allow-dynupdate option behavior
 * Improve DNS record data validation
 * Polish ipa config help
 * Hosts file not updated when IP is passed as option
 * Fix API.txt
 * Fix LDAP object parameter encoding
 * Remove redundant information from API.txt
 * Fix coverity issues in client CLI tools
 * Make ipa-server-install clean after itself
 * Add --delattr option to complement --setattr/--addattr
 * Improve zonemgr validator and normalizer
 * Change default DNS zone manager to hostmaster
 * Fix config migration option
 * Ask for user confirmation in ipa-server-install
 * Add DNS check to conncheck port probe
 * Refactor dnsrecord processing
 * Fix Parameter csv parsing
 * Improve CLI output for complex commands
 * Create per-type DNS API
 * Fix maxvalue in DNS plugin
 * Fix LDAP add calls in replication module
 * Prevent service restart failures in ipa-replica-install
 * Fix LDAP updates in ipa-replica-install
 * Let replicas install without DNS
 * Restore ACI when aci_mod fails
 * Add missing --pkey-only option for selfservice and delegation
 * Replace float with Decimal
 * Improve host-add error message
 * Fix ipa-server-install for dual NICs
 * Fix selfservice-find crashes
 * Mark optional DNS record parts
 * Fix ldap2 combine_filters for ldap2.MATCH_NONE
 * Add missing managing hosts filtering options
 * Improve netgroup-add error messages
 * Fix TXT record parsing
 * Fix NSEC record conversion
 * Add SRV record target validator
 * Add data field for A6 record
 * Improve dnszone-add error message
 * Improve migration help
 * Fix raw format for ACI commands
 * Improve password change error message
 * Remove debug messages
 * Add argument help to CLI
 * Return proper DN in netgroup-add
 * Remove unused options from ipa-managed-entries
 * Add Petr Viktorín to Contributors.txt

Ondrej Hamada (9):
 * Misleading Keytab field
 * Sort password policy by priority
 * Client install checks for nss_ldap
 * User-add random password support
 * HBAC test optional sourcehost option
 * localhost.localdomain clients refused to join
 * Leave nsds5replicaupdateschedule parameter unset
 * Fix 'no-reverse' option description
 * Memberof attribute control and update

Petr Viktorin (5):
 * Switch --group and --membergroup in example for delegation
 * Fix/add options in ipa-managed-entries man page
 * Honor default home directory and login shell in user_add
 * Clean up i18n strings
 * Internationalization for HBAC and ipalib.output

Petr Voborník (55):
 * Circular entity dependency
 * Fixed: Duplicate CSS definitions
 * Fixing infinite loop in UI navigation unit test.
 * Minor visual enhancement of required indicator
 * Page is cleared before it is visible
 * Field for DNS SOA class changed to combobox with options
 * Extending facet's mechanism of gathering changes
 * Added cross browser support of Array.indexOf method
 * Splitting widget into widget and field
 * Splitting basic widgets into visual widgets and fields
 * Improved fields dirty status detection logic
 * Builders and collections for fields and widgets
 * Removing sections as special type of object
 * Added possibility to define facet/dialog specific policies
 * Modifying users to work with new concept
 * Modifying hosts to work with new concept
 * Modifying dns to work with new concept
 * Modifying services to work with new concept
 * Separation of writable update from field load method
 * Modifying ACI to work with new concept
 * Modifying groups to work with new concept
 * Code cleanup of HBAC, Sudo rules
 * Changing definition of basic fields in section from factory to type
 * Modifying automount to work with new concept
 * Fixed unit tests after widget refactoring
 * Removed usage of bitwise assignment operators in logical operations
 * Search facets show translated boolean values
 * Better displaying of long names in tables and facet headers
 * Additional better displaying of long names
 * Reordered facets in ACI
 * Association facets are read only in self service
 * Added facet tabs coloring
 * Fixed displaying of external records in rule association widgets
 * Distinguishing of external values in association tables
 * Better table column width computing
 * Fixed labels in Sudo, HBAC rules
 * Parsing of IPv4 and IPv6 addresses
 * Added support of custom field validators
 * Added validation logic to multivalued text field
 * Added client-side validation of A and AAAA DNS records
 * Fixed IPv6 validation special case: single colon
 * Added support for memberof attribute in permission
 * Added IP address validator to Host and DNS record adder dialog
 * Fixed entity link disabling
 * UI for SELinux user mapping
 * Added refresh button for UI
 * Modifying DNS UI to benefit from new DNS API
 * Added paging to DNS record search facet
 * Navigation and redirection to various facets
 * Automember UI
 * Automember UI - default groups
 * Automember UI - Fixed I18n labels
 * Removed question marks from field labels
 * UI support for ssh keys
 * Redirection to PTR records from A,AAAA records

Rob Crittenden (54):
 * Use absolute paths when trying to find certmonger request id.
* Reorder privileges so that memberof for permissions are generated properly.
 * Fix some pylint issues found in F-16
 * Fix two typos in role help.
* Move ONLY_CLIENT in spec so services.py always gets generated in %install
 * Remove calls to has_managed_entries()
 * Fix copy/paste error in parameter description.
 * Add Ondrej Hamada to Contributors.txt
 * Don't check for 389-instances.
 * Clarify usage of --posix argument in group plugin.
 * Add plugin framework to LDAP updates.
 * Fix some issues introduced when rebasing update patch
 * Mark some attributes required to match the schema.
 * Add SELinux user mapping framework.
 * Display the value of memberOf ACIs in permission plugin.
 * Set minimum version of 389-ds to 1.2.10-0.5.a5
 * Fix typos in in 60basev3.ldif
 * Remove include for errno.h that was specific to 2.1 branch
 * Remove ipa_get_random_salt() from ipapwd_encoding.c
 * update i18n pot file for branch ipa-2-2
 * Remove buffer log handling.
 * Configure s4u2proxy during installation.
 * Document the ping plugin.
 * Catch exception when trying to list missing managed entries definitions
 * Fix some typos in automember help and paramters.
 * Add labels so HBAC and Sudo rules show under hosts/hostgroups.
 * Use correct template variable for hosts, FQDN.
 * In sudo when the category is all do not allow members, and vice versa.
 * Update and package ipa-upgradeconfig man page.
 * Fix deletion of HBAC Rules when there are SELinux user maps defined
 * Add support for storing MAC address in host entries.
 * Don't try to bind on TLS failure
 * Check for the existence of a replication agreement before deleting it.
 * %ghost the UI files that we install/create on the fly
 * Make submount automount maps work.
 * Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
 * Consolidate external member code into two functions in baseldap.py
 * Make ipaconfigstring modifiable by users.
 * Don't use sets when calculating the modlist so order is preserved.
 * Add update files for SELinuxUserMap
 * Add update file for new schema in v2.2/3.0
 * Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
 * Don't set delegation flag in client, we're using S4U2Proxy now
 * Update S4U2proxy delegation list when creating replicas
 * Correct update syntax in 30-s4u2proxy.update
 * Remove Apache ccache on upgrade.
 * Add S4U2Proxy delegation permissions on upgrades
 * Disable false pylint error in freeipa-systemd-upgrade
 * Enable ipa_memcached when upgrading
 * Configure ipa_memcached when a replica is installed.
 * Use FQDN in place of FQHN for consistency in sub_dict.
* Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.

Simo Sorce (77):
 * Fix build warnings
 * ipa-pwd_extop: use endian.h instead of nih function
 * krbinstance: use helper function to get realm suffix
 * ipa-pwd-extop: Remove unused variables and code to set them
 * ipa-pwd-extop: do not append mkvno to krbExtraData
 * ipa-pwd-extop: Use the proper mkvno number in keys
 * ipa-pwd-extop: re-indent code using old style
 * ipa-pwd-extop: Use common krb5 structs from kdb.h
 * ipa-pwd-extop: Move encryption of keys in common
 * ipa-pwd-extop: Move encoding in common too
 * ipa-pwd-extop: make encsalt parsing function common
 * ipa-kdb: Initial plugin skeleton
 * ipa-kdb: add exports file
 * ipa-kdb: initialize module functions
 * ipa-kdb: implement get_time function
 * ipa-kdb: add common utility ldap wrapper functions
 * ipa-kdb: functions to get principal
 * ipa-kdb: add function to free principals
 * ipa-kdb: add functions to delete principals
 * ipa-kdb: add function to iterate over principals
 * ipa-kdb: add functions to change principals
 * ipa-kdb: Get/Store Master Key directly from LDAP
 * ipa-kdb: implement function to retrieve password policies
 * ipa-kdb: implement change_pwd function
 * util: add password policy manipulation functions
 * ipa-pwd-extop: Use common password policy code
 * ipa-kdb: add password policy support
 * ipa-pwd-extop: Allow kadmin to set krb keys
 * ipa-kdb: Change install to use the new ipa-kdb kdc backend
 * install: Remove uid=kdc user
 * ipa-kdb: Be flexible
 * install: Use proper case for boolean values
 * daemons: Remove ipa_kpasswd
 * schema: Split ipadns definitions from basev2 ones
 * v3-schema: Add new ipaExternalGroup objectclass
 * install: We do not need a ldap password anymore
 * install: We do not need a kpasswd keytab anymore
 * ipa-kdb: Properly set password expiration time.
 * conncheck: Additional check to verify the admin password is ok
 * ipa-kdb: Fix expiration time calculation
 * ipa-kdb: Fix legacy password hashes generation
 * ipa-kdb: Fix memory leak
 * Fix CID 10742: Unchecked return value
 * Fix CID 10743: Unchecked return value
 * Fix CID 10745: Unchecked return value
 * Fix CID 11019: Resource leak
 * Fix CID 11020: Resource leak
 * Fix CID 11021: Resource leak
 * Fix CID 11022: Resource leak
 * Fix CID 11023: Resource leak
 * Fix CID 11024: Resource leak
 * Fix CID 11025: Resource leak
 * Fix CID 11026: Resource leak
 * Fix CID 11027: Wrong sizeof argument
 * Add support for generating PAC for AS requests for user principals
 * MS-PAC: Add support for verifying PAC in TGS requests
 * Modify random salt creation for interoperability
 * Amend #2038 fix
 * Add missing copyright header
 * ipa-kdb: Support re-signing PAC with different checksum
 * spec: We do not need krb5-server-ldap anymore
 * ipa-kdb: fix free() of uninitialized var
 * ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles
 * ipa-kdb: fix memleaks in ipa_kdb_mspac.c
 * ipa-kdb: Fix copy and paste typo
 * ipa-kdb: enhance deref searches
 * ipa-kdb: Add delgation access control support
 * ipa-kdb: return properly when no PAC is available
 * ipa-kdb: Verify the correct checksum in PAC validation
 * ipa-kdb: Create PAC's KDC checksum with right key
 * Disable MS-PAC handling in 2.2
 * Fix replication setup
 * slapi-plugins: use thread-safe ldap library
 * ipa-kdb: add AS auditing support
 * ipa-kdb: Avoid lookup on modify if possible
* ipa-kdb: set krblastpwdchange only when keys have been effectively changed

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to