The FreeIPA team would like to announce FreeIPA v4.1.3 bug fix release!

It can be downloaded from . Fedora 21 builds are already on their way to updates-testing repository. Builds for Fedora 20 are available in the official COPR repository [].

== Highlights in 4.1.3 ==

=== Enhancements ===
* ID Views support user SSH public keys
* ID Views support IPA user overrides
* OTP token authentication and synchronization windows are configurable
* RADIUS server proxy fields added to user page in Web UI

=== Bug fixes ===
* Issues fixed in ipa-restore:
** doesn't crash if replica is unreachable
** checks if it isn't a restore on non matching host
** improved validation of input options to disallow invalid combinations
** doesn't fail if run on a system without IPA installed
** creates correct log directories
* certificate renewal process is synchronized
* migrate-ds: warns user if compat plugin is enabled
* PassSync plugin could not update synchronized users due to too strict access control
* replication agreements by Replication Administrators could not be removed due to strict access control
* anonymous read of a DUA profile was not possible due to strict access control
* various upgrade fixes related to DNSSEC

== Upgrading ==
Upgrade instructions are available on upgrade page [].

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list or #freeipa channel on Freenode.

== Detailed Changelog since 4.1.2 ==

=== Alexander Bokovoy (4) ===
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy

=== David Kupka (5) ===
* Use singular in help metavars + update man pages.
* Always add /etc/hosts record when DNS is being configured.
* Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
* Abort backup restoration on not matching host.
* idviews: Allow setting ssh public key on ipauseroverride-add

=== Gabe Alford (3) ===
* Remove dependency on subscription-manager
* Typos in ipa-rmkeytab options help and man page
* permission-add does not prompt for ipapermright in interactive mode

=== Jan Cholasta (18) ===
* Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
* Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
* Improve validation of --instance and --backend options in ipa-restore
* Check subject name encoding in ipa-cacert-manage renew
* Refer the user to when something goes wrong in ipa-cacert-manage
* Fix ipa-restore on systems without IPA installed
* Remove RUV from LDIF files before using them in ipa-restore
* Fix CA certificate renewal syslog alert
* Do not crash on unknown services in installutils.stopped_service
* Restart dogtag when its server certificate is renewed
* Make certificate renewal process synchronized
* Fix validation of ipa-restore options
* Do not assume certmonger is running in httpinstance
* Put LDIF files to their original location in ipa-restore
* Revert "Make all ipatokenTOTP attributes mandatory"
* Create correct log directories during full restore in ipa-restore
* Do not crash when replica is unreachable in ipa-restore
* Bump 389-ds-base and pki-ca dependencies for POODLE fixes

=== Jan Pazdziora (1) ===
* No explicit zone specification.

=== Martin Babinsky (11) ===
* Moved dbus-python dependence to freeipa-python package
* ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
* always get PAC for client principal if AS_REQ is true
* ipa-kdb: more robust handling of principal addition/editing
* OTP: failed search for the user of last token emits an error message
* ipa-pwd-extop: added an informational comment about intentional fallthrough
* ipa-uuid: emit a message when unexpected mod type is encountered
* OTP: emit a log message when LDAP entry for config record is not found
* ipa-client-install: put eol character after the last line of altered config file(s)
* migrate-ds: exit with error message if no users/groups to migrate are found
* Changing the token owner changes also the manager

=== Martin Bašti (19) ===
* Fix zonemgr option encoding detection
* Throw zonemgr error message before installation proceeds
* Upgrade fix: masking named should be executed only once
* Using wget to get status of CA
* Show SSHFP record containing space in fingerprint
* Fix don't check certificate during getting CA status
* Fix: Upgrade forwardzones zones after adding newer replica
* Fix zone find during forwardzone upgrade
* Fix traceback if zonemgr error contains unicode
* DNS tests: separate current forward zone tests
* New test cases for Forward_zones
* Detect and warn about invalid DNS forward zone configuration
* DNS tests: warning if forward zone is inactive
* Add debug messages into client autodetection
* DNSSEC catch ldap exceptions in ipa-dnskeysyncd
* DNSSEC: fix root zone dns name conversion
* Always return absolute idnsname in dnszone commands
* Use dyndns_update instead of deprecated sssd option
* Fix reference counting in pkcs11 extension

=== Martin Košek (7) ===
* Bump SSSD Requires to 1.12.3
* Allow PassSync user to locate and update NT users
* Allow Replication Administrators manipulate Winsync Agreements
* Replication Administrators cannot remove replication agreements
* Add anonymous read ACI for DUA profile
* Print PublicError traceback when in debug mode
* group-detach does not add correct objectclasses

=== Nathaniel McCallum (7) ===
* Catch USBError during YubiKey location
* Preliminary refactoring of libotp files
* Move authentication configuration cache into libotp
* Enable last token deletion when password auth type is configured
* Make token auth and sync windows configurable
* Create an OTP help topic
* Prefer TCP connections to UDP in krb5 clients

=== Petr Voborník (10) ===
* webui: add radius fields to user page
* fix indentation in ipa-restore page
* add --hosts and --hostgroup options to allow/retrieve keytab methods
* webui: fix service unprovisioning
* webui: increase duration of notification messages
* revert removal of cn attribute from idnsRecord
* migrate-ds: fix compat plugin check
* rpcclient: use json_encode_binary for verbose output
* Fix TOTP Synchronization Window label
* Become IPA 4.1.3

=== Simo Sorce (3) ===
* Avoid calling ldap functions without a context
* Remove the removal of the ccache
* Handle DAL ABI change in MIT 1.13

=== Tomáš Babej (9) ===
* Re-initialize NSS database after otptoken plugin tests
* certs: Fix incorrect flag handling in load_cacert
* hosts: Display assigned ID view by default in host-find and show commands
* idviews: Complain if host is already assigned the ID View in idview-apply
* idviews: Ignore host or hostgroup options set to None
* baseldap: Handle missing parent objects properly in *-find commands
* ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
* ipatests: Fix old command references in the ID views tests
* ipatests: Fix incorrect assumptions in idviews tests

Petr Vobornik
