ReleaseDate: 2017-06-18
The FreeIPA team would like to announce FreeIPA 4.5.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25/26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/ .

== Highlights in 4.5.2 ==

* 5860: depracate --no-sssd option
Option '--no-sssd' has been deprecated because SSSD is recommened to use
on modern platforms - Fedora, RHEL 6, RHEL 7, Debian.

=== Enhancements ===
=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.5.2 is a stabilization release for the features delivered as a
part of 4.5.0. There are more than 20 bug-fixes details of which can be
seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on page:
https://www.freeipa.org/page/Upgrade

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing
list
(https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/)
or #freeipa channel on Freenode.


== Resolved tickets ==
* 7020 Installation of KRA replica fails
* 7015 allow to modify list of UPNs of a trusted forest
* 7001 Do not send Max-Age in ipa_session cookie to avoid breaking older
clients
* 7000 Provide a simple command to issue KDC certificates on a IPA master
* 6993 certauth: use canonical principal for lookups
* 6982 Provide a tooling automating the configuration of Smart Card
authentication on a FreeIPA master
* 6981 Enabling OCSP checks in mod_nss breaks certificate issuance when
ipa-ca records are not resolvable
* 6977 Simple service uninstallers must be able to handle missing
service files gracefully
* 6972 Replica installation grants HTTP principal access in WebUI
* 6966 Document that port 8080 needs to be open on IPA masters for cert-find
* 6965 ipa-replica-manage del replica.name fails
* 6963 ipa certmaprule change not reflected in krb5kdc workers
* 6958 [tracker] SELinux policy denies IPA framework to perform
anonymous PKINIT on localhost during FAST armoring
* 6948 services entries missing krbCanonicalName attribute.
* 6937 Provide an API command to retrieve PKINIT status in the FreeIPA
topology
* 6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
* 6935 ipa-replica-conncheck fails when there is no ssh executable on
the master
* 6885 ipa cert-show does not raise error if no file name specified
* 6867 [ipa-replica-install] - KDC has no support for encryption type
* 6800 Investigate how privilege separation feature will work after
DL0->DL1 update
* 6796 WSGI fails with recursion error in GSSAPI
* 6749 "ipa: ERROR: an internal error has occurred" on executing command
"ipa cert-request --add" after upgrade
* 6736 Add pkinit_indicator option to KDC configuration
* 6572 server-del doesn't remove dns-server configuration from ldap
* 5860 depracate --no-sssd option
* 5788 user-add postcallback is not efficient when --noprivate flag is set
* 5406 ipa-client-install should not use hardcoded admin principal
== Detailed changelog since 4.5.1 ==
=== Alexander Bokovoy (4) ===
* trust-mod: allow modifying list of UPNs of a trusted forest
* ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
* Fix index definition for ipaAnchorUUID
* krb5: make sure KDC certificate is readable

=== David Kupka (1) ===
* kra: promote: Get ticket before calling custodia

=== Felipe Volpone (2) ===
* Changing cert-find to go through the proxy instead of using the port 8080
* Changing cert-find to do not use only primary key to search in LDAP.

=== Florence Blanc-Renaud (1) ===
* ipa-replica-conncheck: handle ssh not installed

=== Jan Cholasta (4) ===
* server upgrade: do not enable PKINIT by default
* pkinit manage: introduce ipa-pkinit-manage
* server certinstall: update KDC master entry
* httpinstance: wait until the service entry is replicated

=== Martin Babinsky (10) ===
* Prepare advise plugin for smart card auth configuration
* Extend the advice printing code by some useful abstractions
* fix incorrect suffix handling in topology checks
* only stop/disable simple service if it is installed
* test_serverroles: Get rid of MockLDAP and use ldap2 instead
* Add `pkinit-status` command
* Add the list of PKINIT servers as a virtual attribute to global config
* Add an attribute reporting client PKINIT-capable servers
* Refactor the role/attribute member reporting code
* Allow for multivalued server attributes

=== Martin Basti (4) ===
* Only warn when specified server IP addresses don't match intf
* Add remote_plugins subdirectories to RPM
* custodia dep: require explictly python2 version
* 4.5 set back to git snapshot

=== Pavel Vomacka (4) ===
* WebUI: add support for changing trust UPN suffixes
* Bump version of python-gssapi
* Turn off OCSP check
* Change python-cryptography to python2-cryptography

=== Sumit Bose (2) ===
* ipa-kdb: use canonical principal in certauth plugin
* ipa-kdb: reload certificate mapping rules periodically

=== Simo Sorce (3) ===
* Revert setting sessionMaxAge for old clients
* Add code to be able to set default kinit lifetime
* Fix rare race condition with missing ccache file

=== Stanislav Laznicka (6) ===
* rpc: avoid possible recursion in create_connection
* rpc: preparations for recursion fix
* Avoid possible endless recursion in RPC call
* kdc.key should not be visible to all
* Remove pkinit-anonymous command
* ca/cert-show: check certificate_out in options

=== Tibor Dudlák (3) ===
* server.py: Removes dns-server configuration from ldap
* sssd.py: Deprecating no-sssd option.
* client.py: Replace hardcoded 'admin' with options.principal

=== Tibor Dudlák (1) ===
* user.py: replace user_mod with ldap.update_entry()

=== Tomas Krizek (2) ===
* Become IPA 4.5.2
* Update translations

-- 
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to