Release date: 2017-05-23

The FreeIPA team would like to announce the FreeIPA 4.5.1 release!

It can be downloaded from <>. Builds for
Fedora 25 and Fedora 26 will be available in the official
COPR repository <>.

This announcement is also available at <>.

== Highlights in 4.5.1 ==

=== Enhancements ===
* HBAC rules can be renamed (#6784)
HBAC rules can now be renamed.

* SUDO rules can be renamed (#2466)
The attribute "rdn_is_primary_key" of the LDAPObject class was renamed to "allow_rename", because the old name did not reflect the purpose of the attribute. Objects whose primary key is not part of the RDN can now be renamed, and as a result sudo rules can now be renamed.

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.5.1 is a stabilization release for the features delivered as
part of 4.5.0. It contains more than 90 bug fixes; details can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on page: <>

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (<>) or the #freeipa
channel on Freenode.

== Resolved tickets ==
* 6950 ipa-server-install --uninstall fails with ERROR 'tuple' object has no attribute 'append'
* 6934 ipa-kra-install timeouts on replica
* 6925 KRA installation fails on server that was originally installed as CA-less
* 6924 Fix SELinux context of http.keytab during upgrade
* 6923 Update warning message when KRA installation fails
* 6922 Update man page of ipa-kra-install
* 6921 ipa-server-install with external CA fails in issue_selfsigned_pkinit_certs
* 6920 Upgrade from ipa-4.1 fails when enabling KDC proxy
* 6916 ipa-client-install: extra space in pkinit_anchors definition
* 6911 error adding authenticator indicators to host
* 6907 ipa vault-add raises TypeError
* 6904 pki_client_database_password is shown in ipaserver-install.log
* 6902 ipa restore fails to restore IPA user
* 6900 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
* 6899 ipa vault: archival and retrieval is broken in IPA 4.5.0
* 6897 ipa-server-install with external-ca fails in FIPS mode
* 6896 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
* 6895 ipa-kra-install fails when primary KRA server has been decommissioned
* 6894 DNS forwarder address added during IPA installation shouldn't add IP-Address ''
* 6892 ipa-[ca|kra]-install with invalid DM password break replica
* 6883 ipa cert-show raises stack traces when --certificate-out=/tmp
* 6881 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR Default SMB Group not found
* 6878 Replica install fails during migration from older IPA master
* 6876 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA
* 6875 Correct wheel package dependencies
* 6872 ipa server install fails with --external-ca option
* 6869 CA-less pkinit not installable with --pkinit-cert-file option
* 6866 ipa trust-fetch-domains: ValidationError: invalid 'Credentials': Missing credentials for cross-forest communication
* 6864 minor spelling mistake #2
* 6862 WebUI cert auth fails after ipa-adtrust-install
* 6861 uninstall ipa client automount failed with RuntimeWarning
* 6860 Add the name of URL parameter which will be check for username during cert login
* 6859 Console output message while adding trust should be mapped with texts changed in Samba.
* 6854 CA less setup is broken
* 6853 Conversion of CA-less server to CA fails on CA instance spawn
* 6850 Use /usr/bin/env python for ipaclient via pypi / macOS fixes for ipaclient
* 6846 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA
* 6839 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password
* 6838 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching for public key for host
* 6833 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
* 6831 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors
* 6830 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
* 6828 error: implicit declaration of function ‘sss_nss_getlistbycert’
* 6827 ipasam: gidNumber attribute is not created in the trusted domain entry
* 6826 IdM Server Smart Cards: extdom: improve cert request
* 6825 Allow erasing ipaDomainResolutionOrder attribute
* 6824 Add workaround for pki_pin for FIPS
* 6823 Bump packages versions for certificate login
* 6821 Deadlock between topology and schema-compat plugins
* 6819 Login into WebUI using certificate does not work - mod_wsgi returns error
* 6817 4.5 replica install fails against <4.5 master due to rejected PKINIT cert request
* 6816 BUILD_IPA_CERTAUTH_PLUGIN broke configure --disable-server
* 6813 Renewal of IPA RA fails on replica
* 6812 WebUI: in self-service Vault menu item is shown even if KRA is not installed
* 6808 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page
* 6807 Server CA-less impossible option check
* 6806 CA-less installation fails on publishing CA certificate
* 6803 Master tree fails to install
* 6801 Remove pkinit-related options from server/replica-install on DL0
* 6799 ipa-replica-install with DL0 fails to get anonymous keytab
* 6798 Changes to ipa-run-tests broke helper test tools
* 6797 As a ID user I cannot call a command with --rights option
* 6795 man ipa-cacert-manage install needs clarification
* 6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT
* 6787 Make KRA cert cache concurrency safe
* 6786 make sure that runtime hostname result is consistent with the configuration in AD trust
* 6784 [RFE] HBAC rule names command rename
* 6777 ipa-replica-install can't install replica file produced by ipa-replica-prepare on 4.5
* 6775 [ipalib/] - "maximum recursion depth exceeded" with ipa vault commands
* 6773 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated
* 6772 WebUI: Adding certificate mapping data using certificate fails
* 6771 Set GssProxy options to enable caching of ldap tickets
* 6768 debian: daemons/dnssec/* hardcode user/groupnames
* 6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica
* 6748 CLI doesn't work after ipa-restore
* 6743 [copr] Replica install failing
* 6716 cert-find does not find all certificates without sizelimit=0
* 6715 Uninstall fails with No such file or directory: '/var/run/ipa/services.list'
* 6697 [Tracker] FIPS mode for trust to AD feature
* 6688 [tracker] ipa-replica-install fails with 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca
* 6671 Privilege separation in IPA framework broke trust-add
* 6641 RPC client should use HTTP persistent connection
* 6618 "Truncated search results" pop-up appears in user details in WebUI
* 6549 replica install against IPA v3 master fails with ACIError
* 6494 Enumerate all available request type options in ipa cert-request help
* 6404 Need to have validation for idrange names
* 6370 [RFE] Web UI must check OCSP and CRL during smartcard login
* 6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits
* 6183 ipa-replica-install may suggest --force-join option which does not exist
* 5959 The framework needs to run in a separate process
* 5952 Add git commit template
* 5799 Errors from AD when trying to sign ipa.csr, conflicting template on
* 5734 cert-request: PKCS #10 only is supported but `--request-type' option suggests otherwise
* 5313 [RFE] disable last successful authentication by default in ipa.
* 4639 ipa-server-install does not clean /etc/httpd/alias
* 3242 [RFE] IPA WebUI login for AD Trusted User fails
* 2466 [RFE] Support SUDO command rename

== Detailed changelog since 4.5.0 ==

=== Alexander Bokovoy (5) ===
* trust: always use oddjobd helper for fetching trust information
* ipaserver/dcerpc: unify error processing
* adtrust: make sure that runtime hostname result is consistent with the configuration
* server: make sure we test for sss_nss_getlistbycert
* ldap2: use LDAP whoami operation to retrieve bind DN for current connection

=== Abhijeet Kasurde (2) ===
* Hide PKI Client database password in log file
* Hide request_type doc string in cert-request help

=== Christian Heimes (21) ===
* Correct PyPI package dependencies
* Vault: Explicitly default to 3DES CBC
* Use entry_points for ipa CLI
* Skip test_session_storage in ipaclient unittest mode
* Add make devcheck for developers
* Python 3: Fix session storage
* Use Custodia 0.3.1 features
* Simplify KRA transport cert cache
* Constrain wheel package versions
* Move remaining util functions to tasks module
* Ship ipatests.pytest_plugins.integration
* Move function run_repeatedly to tasks module
* Move hosts module to ipatests.pytest_plugins.integration.hosts
* Move tasks module to ipatests.pytest_plugins.integration.tasks
* Move env_config module to ipatests.pytest_plugins.integration.env_config
* Move config module to ipatests.pytest_plugins.integration.config
* Move helper code for integration plugin
* Increase Apache HTTPD's default keep alive timeout
* Add debug logging for keep-alive
* Use connection keep-alive
* Add options to run only ipaclient unittests

=== David Kupka (10) ===
* Add option to set umask before executing command
* otptoken-add-yubikey: When --digits not provided use default value
* Bump version of ipa.conf file
* Create system users for FreeIPA services during package installation
* WebUI: cert login: Configure name of parameter used to pass username
* httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
* spec file: Bump requires to make Certificate Login in WebUI work
* rpcserver.login_x509: Actually return reply from __call__ method
* Create temporary directories at the beginning of uninstall
* ipapython.ipautil.nolog_replace: Do not replace empty value

=== felipe (1) ===
* Fixing replica install: fix ldap connection in domlvl 0

=== Felipe Volpone (1) ===
* Fixing adding authenticator indicators to host

=== Fabiano Fidêncio (1) ===
* Allow erasing ipaDomainResolutionOrder attribute

=== Florence Blanc-Renaud (16) ===
* ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
* ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
* ipa-server-install: fix uninstall
* ipa-kra-install manpage: document domain-level 1
* ipa-kra-install: fix check_host_keys
* ipa-server-install with external CA: fix pkinit cert issuance
* ipa-client-install: remove extra space in pkinit_anchors definition
* vault: piped input for ipa vault-add fails
* upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
* tests: add non-reg for idrange-add
* Upgrade: add gidnumber to trusted domain entry
* ipa-sam: create the gidNumber attribute in the trusted domain entry
* idrange-add: properly handle empty --dom-name option
* ipa-ca-install man page: Add domain level 1 help
* dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
* man ipa-cacert-manage install needs clarification

=== Fraser Tweedale (1) ===
* Support 8192-bit RSA keys in default cert profile

=== Jan Cholasta (38) ===
* server certinstall: support PKINIT
* cacert manage: support PKINIT
* replica install: respect --pkinit-cert-file
* server install: fix KDC certificate validation in CA-less
* certs: do not export CA certs in install_pem_from_p12
* certs: do not export keys world-readable in install_key_from_p12
* server install: fix KDC PKINIT configuration
* install: introduce generic Kerberos Augeas lens
* client install: fix client PKINIT configuration
* install: trust IPA CA for PKINIT
* certdb: use custom object for trust flags
* certdb, certs: make trust flags argument mandatory
* certdb: add named trust flag constants
* ipa-cacert-manage: add --external-ca-type
* renew agent: get rid of virtual profiles
* renew agent: always export CSR on IPA CA certificate renewal
* renew agent: allow reusing existing certs
* cainstance: use correct profile for lightweight CA certificates
* server upgrade: always fix certmonger tracking request
* renew agent: respect CA renewal master setting
* spec file: bump python-netaddr Requires
* spec file: bump krb5 Requires for certauth fixes
* configure: fix AC_CHECK_LIB usage
* cert: defer cert-find result post-processing
* renew agent, restart scripts: connect to LDAP after kinit
* renew agent: revert to host keytab authentication
* install: request service certs after host keytab is set up
* dsinstance, httpinstance: consolidate certificate request code
* httpinstance: avoid httpd restart during certificate request
* dsinstance: reconnect ldap2 after DS is restarted by certmonger
* httpinstance: make sure NSS database is backed up
* spec file: bump libsss_nss_idmap-devel BuildRequires
* spec file: bump krb5-devel BuildRequires for certauth
* cert: do not limit internal searches in cert-find
* replica prepare: fix wrong IPA CA nickname in replica file
* httpinstance: clean up /etc/httpd/alias on uninstall
* certs: do not implicitly create DS pin.txt
* tasks: run `systemctl daemon-reload` after httpd.service.d updates

=== Martin Babinsky (16) ===
* Travis CI: explicitly update pip before running the builds
* Do not test anonymous PKINIT after install/upgrade
* Upgrade: configure local/full PKINIT depending on the master status
* Use local anchor when armoring password requests
* Stop requesting anonymous keytab and purge all references of it
* Use only anonymous PKINIT to fetch armor ccache
* API for retrieval of master's PKINIT status and publishing it in LDAP
* Allow for configuration of all three PKINIT variants when deploying KDC
* separate function to set ipaConfigString values on service entry
* Revert "Store GSSAPI session key in /var/run/ipa"
* Remove duplicate functionality in upgrade
* Always check and create anonymous principal during KDC install
* Ensure KDC is properly configured after upgrade
* Split out anonymous PKINIT test to a separate method
* Remove unused variable from failed anonymous PKINIT handling
* Upgrade: configure PKINIT after adding anonymous principal

=== Martin Basti (13) ===
* Become IPA 4.5.1
* 4.5.1 Translation update
* 4.5.1 Contributors update
* ipasetup: fix dependencies handling based on python version
* ipaclient: fix missing RPM ownership
* ca_status: add HTTP timeout 30 seconds
* http_request: add timeout option
* Use proper SELinux context with http.keytab
* Store GSSAPI session key in /var/run/ipa
* Fix PKCS11 helper
* Remove surplus 'the' in output of ipa-adtrust-install
* Set "KDC:Disable Last Success" by default
* Set zanata version to ipa-4-5

=== Michal Reznik (2) ===
* test_caless: mark TestCertinstall intermediate CA tests as xfail
* test_caless: add pkinit option and test it

=== Oliver Gutierrez (1) ===
* Added plugins directory to ipaclient subpackages

=== Petr Vobornik (3) ===
* kerberos session: use CA cert with full cert chain for obtaining cookie
* restore: restart/reload gssproxy after restore
* automount install: fix checking of SSSD functionality on uninstall

=== Pavel Vomacka (8) ===
* Turn on NSSOCSP check in mod_nss conf
* WebUI: Allow to add certs to certmapping with CERT LINES around
* WebUI: Fix showing vault in selfservice view
* WebUI: suppress truncation warning in select widget
* WebUI: Add support for suppressing warnings
* WebUI: Add support for login for AD users
* WebUI: add method for disabling item in user dropdown menu
* WebUI: check principals in lowercase

=== Gabe (1) ===
* Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

=== Sumit Bose (7) ===
* IPA-KDB: use relative path in ipa-certmap config snippet
* extdom: improve cert request
* extdom: do reverse search for domain separator
* ipa-kdb: do not depend on certauth_plugin.h
* configure: fix --disable-server with certauth plugin
* IPA certauth plugin
* ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

=== Simo Sorce (7) ===
* Make sure remote hosts have our keys
* Fix s4u2self with adtrust
* Prevent churn on ccaches
* Work around issues fetching session data
* Handle failed authentication via cookie
* Avoid growing FILE ccaches unnecessarily
* Add options to allow ticket caching

=== Stanislav Laznicka (33) ===
* cert-show: writable files does not mean dirs
* Fix wrong message on Dogtag instances stop
* Make CA/KRA fail when they don't start
* Remove the cachedproperty class
* Refresh Dogtag RestClient.ca_host property
* Fix CA/server cert validation in FIPS
* compat plugin: Update link to slapi-nis project
* compat: ignore cn=topology,cn=ipa,cn=etc subtree
* Move the compat plugin setup at the end of install
* compat-manage: behave the same for all users
* Fix CAInstance.import_ra_cert for empty passwords
* Fix RA cert import during DL0 replication
* ext. CA: correctly write the cert chain
* server-install: No double Kerberos install
* Fix CA-less to CA-full upgrade
* replicainstall: better client install exception handling
* Add the force-join option to replica install
* server-install: remove broken no-pkinit check
* Add pki_pin only when needed
* Remove publish_ca_cert() method from NSSDatabase
* Get correct CA cert nickname in CA-less
* Remove redundant option check for cert files
* replica-prepare man: remove pkinit option refs
* Don't allow setting pkinit-related options on DL0
* Fix the order of cert-files check
* Generate PIN for PKI to help Dogtag in FIPS
* Backup CA cert from kerberos folder
* Allow renaming of the sudorule objects
* Allow renaming of the HBAC rule objects
* Reworked the renaming mechanism
* Bump samba version for FIPS and priv. separation
* Backup ipa-specific httpd unit-file
* Add debug log in case cookie retrieval went wrong

=== Timo Aaltonen (1) ===
* configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*

=== Tomas Krizek (7) ===
* ca, kra install: validate DM password
* installutils: add DM password validator
* ca install: merge duplicated code for DM password
* upgrade: add missing suffix to http instance
* installer service: fix typo in service entry
* python2-ipalib: add missing python dependency
* kra install: update installation failure message

Martin Bašti
Software Engineer
Red Hat Czech

Freeipa-interest mailing list