The FreeIPA team is proud to announce FreeIPA v3.3.1!
This is a bugfix release.
It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora
19 builds will be ready soon.
== Highlights in 3.3.1 ==
=== Bug fixes ===
* ipa-server-certinstall now works correctly both with a CA subsystem
and in CA-less installations
* The --subject option in ipa-server-install is now handled correctly
* During installation, directory server tuning is performed correctly on
sysV and systemd systems
* During installation, the CA service is stopped during configuration
file changes to prevent race conditions
=== Test improvements ===
* Integration tests for CA-less installation, Kerberos flags, and
related Web UI parts were added to the test suite
* Test suite now passes after ipa-adtrust-install
== Upgrading ==
=== FreeIPA servers with CA installed prior to version 3.1 ===
Manual upgrade procedure is required for FreeIPA servers installed with
prior to 3.1.
Please see http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration for
=== Other FreeIPA servers and clients ===
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment (e.g.
FedUp) which does not allow running the LDAP server during upgrade process,
upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
Also note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with a excessive
of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is
that all servers will be upgraded in a relatively short period (days or
not months). They should be able to co-exist peacefully but new features
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 and later versions is supported. Upgrading from
versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you
re-enroll it. SSH keys for already installed clients are not uploaded,
have to re-enroll the client or manually upload the keys.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa
== Detailed Changelog since 3.3.0 ==
=== Alexander Bokovoy (1): ===
* Remove systemd upgrader as it is not used anymore
=== Ana Krivokapic (4): ===
* Handle --subject option in ipa-server-install
* Fix broken replica installation
* Add integration tests for Kerberos Flags
* Fix tests which fail after ipa-adtrust-install
=== Jakub Hrozek (1): ===
* EXTDOM: Do not overwrite domain_name for INP_SID
=== Jan Cholasta (12): ===
* Make PKCS#12 handling in ipa-server-certinstall closer to what other
* Port ipa-server-certinstall to the admintool framework.
* Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.
* Ignore empty mod error when updating DS SSL config in
* Replace only the cert instead of the whole NSS DB in
* Untrack old and track new cert with certmonger in ipa-server-certinstall.
* Add --pin option to ipa-server-certinstall.
* Ask for PKCS#12 password interactively in ipa-server-certinstall.
* Fix nsSaslMapping object class before configuring SASL mappings.
* Add --dirman-password option to ipa-server-certinstall.
* Fix ipa-server-certinstall usage string.
* Fix service-disable in CA-less install.
=== Martin Kosek (3): ===
* Prevent *.pyo and *.pyc multilib problems
* Remove rpmlint warnings in spec file
* Fix selected minor issues in the spec file and license
=== Nathaniel McCallum (1): ===
* Bypass ipa-replica-conncheck ssh tests when ssh is not installed
=== Petr Viktorin (4): ===
* Allow freeipa-tests to work with older paramiko versions
* Add missing license header to ipa-test-config
* Add CA-less install tests
* Add man pages for testing tools
=== Petr Vobornik (7): ===
* Removal of deprecated selenium tests
* Add base-id, range-size and range-type options to trust-add dialog
* Hide 'New Certificate' action on CA-less install
* Web UI integration tests: CA-less
* Web UI Integration tests: Kerberos Flags
* Web UI integration tests: ID range types
* Update idrange search facet after trust creation
=== Rob Crittenden (1): ===
* Re-order NULL check in ipa_lockout.
=== Simo Sorce (3): ===
* pwd-plugin: Fix ignored return error
* kdb-mspac: Fix out of bounds memset
* kdb-princ: Fix memory leak
=== Sumit Bose (1): ===
* CLDAP: make sure an empty reply is returned on any error
=== Tomas Babej (6): ===
* Remove support for IPA deployments with no persistent search
* Remove redundant shebangs
* Perform dirsrv tuning at platform level
* Make CS.cfg edits with CA instance stopped
* Fix incorrect error message occurence when re-adding the trust
* Log proper error message when defaultNamingContext not found
Freeipa-interest mailing list