The FreeIPA team is proud to announce FreeIPA v4.0.2!
It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/ COPR repository].
== Highlights in 4.0.2 ==
=== Enhancements ===
* TOTP watermark support was added. The last token interval is now being
added to database and replicated in FreeIPA realm. Note that the number
of writes is kept the same as an unnecessary LDAP write was eliminated.
* Effective Attributes widget in the Add Permission Web UI page was improved
* ipa-csreplica-manage can now set CA renewal master
* trust-add is now capable of ensuring conditions for a Trust are met
prior to establishing it in complex environments (e.g. only adding trust
via AD DC with a PDC role in a forest root domain, falling back when no
closest AD DC is available for the local site)
=== Bug fixes ===
* Server installation with certificates signed by external CA could
crash with IndexError
* ipa-client-install could add duplicate "sss" to /etc/nsswitch.conf
when configuring sudo
* ipa-client-install crashed when non-zero minSSF was set on FreeIPA server
* Installers and helper tools now communicate with certmonger via its
DBUS API instead of manipulating its configuration files, fixing the
related intermittent uninstallation failures
* idrange-* commands no longer allow unsupported range types
* user-add no longer fails when --user-auth-type is specified
* Entries in Schema Compatibility tree are now accessible anonymously by
default to aid legacy clients.
== Known Issues ==
* The Directory Server may crash during install due to 389-ds bug 47889
* Enumeration in SSSD may fail due to 389-ds bug 47885
* Zone removal may misbehave due to a bind-dyndb-ldap bug. If FreeIPA
is used to manage DNS root zones, bind-dyndb-ldap 5.1 or higher is
recommended. Bind-dyndb-ldap 5.2 was built for Fedora 20
== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The
server does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment
(e.g. FedUp) which does not allow running the LDAP server during upgrade
process, upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
Also note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with a excessive
number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully
but new features will not be available on old servers and enrolling a
new client against an old server will result in the SSH keys not being
Downgrading a server once upgraded is not supported.
Upgrading from 3.3.0 and later versions is supported. Upgrading from
previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you
want to re-enroll it. SSH keys for already installed clients are not
uploaded, you will have to re-enroll the client or manually upload the keys.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.
== Detailed Changelog since 4.0.1 ==
=== Alexander Bokovoy (5) ===
* ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
* ipaserver/dcerpc.py: make PDC discovery more robust
* ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on
Windows Server prior to 2012
* ipaserver/dcerpc.py: be more open to what domains can be seen through
the forest trust
* ipaserver/dcerpc.py: Make sure trust is established only to forest
=== David Kupka (7) ===
* Fix group-remove-member crash when group is removed from a protected group
* test group: remove group from protected group.
* Verify otptoken timespan is valid
* Add record(s) to /etc/host when IPA is configured as DNS server.
* Use certmonger D-Bus API instead of messing with its files.
* Do not restart apache server when not necessary.
* Allow user to force Kerberos realm during installation.
=== Gabe (1) ===
* ipa trust-add command should be interactive
=== Jakub Hrozek (1) ===
* CLIENT: Explicitly require python-backports-ssl_match_hostname
=== Jan Cholasta (11) ===
* Check if /root/ipa.csr exists when installing server with external CA.
* Exclude attributelevelrights from --raw result processing in baseldap.
* Add test for baseldap.entry_to_dict.
* Convert external CA chain to PKCS#7 before passing it to pkispawn.
* Allow changing CA renewal master in ipa-csreplica-manage.
* Add method for setting CA renewal master in LDAP to CAInstance.
* Pick new CA renewal master when deleting a replica.
* Normalize external CA cert before passing it to pkispawn
* Add new NSSDatabase method get_cert for getting certs from NSS databases.
* Make CA-less ipa-server-install option --root-ca-file optional.
* Backup CS.cfg before modifying it
=== Martin Bašti (7) ===
* Fix DNS upgrade plugin should check if DNS container exists
* FIX: named_enable_dnssec should verify if DNS is installed
* Allow to add host if AAAA record exists
* Tests: host tests with dns
* Fix dnsrecord-mod raise error if last record attr is removed
* FIX DNS wildcard records (RFC4592)
* Tests: DNS wildcard records
=== Martin Košek (2) ===
* Do not crash client basedn discovery when SSF not met
* ipa-adtrust-install does not re-add member in adtrust agents group
=== Nathaniel McCallum (1) ===
* Ensure ipaUserAuthTypeClass when needed on user creation
=== Petr Viktorin (8) ===
* Update API.txt
* test_ipagetkeytab: Fix assertion in negative test
* freeipa.spec.in: Add python-backports-ssl_match_hostname to BuildRequires
* permission plugin: Make --target available in the CLI
* permission plugin: Improve description of the target option
* Add managed read permissions for compat tree
* Fix: Add managed read permissions for compat tree and operational attrs
* Become IPA 4.0.2
=== Petr Voborník (10) ===
* webui: support wildcard attribute level rights
* webui: fix nested items creation in dropdown list
* webui: internet explorer fixes
* webui: detach facet nodes
* webui: replace action_buttons with action_widget
* webui: remove remaining action-button-disabled occurrences
* webui-ci: fix reset password check
* webui: better error reporting
* webui-ci: fix table widget add
* webui: extract complex pkey on Add and Edit
=== Rob Crittenden (1) ===
* No longer generate a machine certificate on client installs
=== Stephen Gallagher (1) ===
* Change BuildRequires for Java
=== Tomáš Babej (3) ===
* ipalib: idrange: Make non-implemented range types fail the validation
* ipatests: test_trust: Add test to cover lookup of trusdomains
* ipa-client-install: Do not add already configured sources to
Freeipa-interest mailing list