The FreeIPA team would like to announce FreeIPA 4.6.2 release!

It can be downloaded from Builds for
Fedora 26 and 27 will be available in the official

== Highlights in 4.6.2 ==
=== Enhancements ===
=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.6.2 is a stabilization release for the features delivered as a
part of 4.6.0.
There are more than 20 bug-fixes details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
list (
or #freeipa channel on Freenode.

== Resolved tickets ==
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for
replica tests
* 7226 Remove remaining references to Firefox configuration extension
* 7213 Increase dbus client timeouts during CA install
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web
UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7153 Switch "ipa-run-tests" symlink to "ipa-run-tests-3.6"
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start
tracking certs
* 7148 py3: ipa cert-request --principal --database fails with
BytesWarning: str() on a bytes instance
* 7142 py3: ipa ca-add fails with 'an internal error has occurred'
* 7134 ipa param-find: command displays internal error
* 7133 tox -e pylint3 fails under Python 3.6
* 7132 [4.6] PyPI packages are broken
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails
due to missing dns records
* 7033 vault: TypeError: ... is not JSON serializable
* 6994 RFE: Remove 389-ds tuning step
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6844 ipa-restore fails when umask is set to 0027
* 6702 Update Dogtag to 10.4
* 5887 IDNA domains does not work under py3
* 5442 [tracker] SELinux 'execmem' denials
== Detailed changelog since 4.6.1 ==
=== Alexander Bokovoy (10) ===
* ipaserver/plugins/ pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step

=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks

=== Alexander Koksharov (1) ===
* kra-install: better warning message

=== Aleksei Slaikovskii (6) ===
* ipa-restore: Set umask to 0022 while restoring
* View plugin/command help in pager
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install

=== Christian Heimes (23) ===
* Update IPA_GIT_BRANCH to ipa-4-6
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* libotp: add libraries after objects
* Require UTF-8 fs encoding
* Run tox tests for PyPI packages on Travis
* Py3: Fix vault tests
* Use namespace-aware meta importer for ipaplatform
* Test script for ipa-custodia
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi

=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly

=== Felipe Barreto (6) ===
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands

=== Florence Blanc-Renaud (10) ===
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs

=== Fraser Tweedale (22) ===
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Use correct version of Python in RPM scripts
* Re-enable some KRA installation tests
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing

=== John Morris (1) ===
* Increase dbus client timeouts during CA install

=== Michal Reznik (12) ===
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_forced_client: decode get_file_contents() result
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography

=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master

=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection

=== Pavel Vomacka (1) ===
* WebUI: make Domain Resolution Order writable

=== Rob Crittenden (7) ===
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit

=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help

=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals

=== Stanislav Laznicka (22) ===
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* travis: pep8 changes to pycodestyle
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions

=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-intall in ipa-uuid

=== Tibor Dudlák (3) ===
* Become IPA 4.6.2
* Update Contributors.txt
* Update zanata translations

=== Tomas Krizek (13) ===
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* 4.6 set back to git snapshot

=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to api_env

Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C403
Red Hat
Freeipa-interest mailing list

Reply via email to