ReleaseDate: 2017-06-18

The FreeIPA team would like to announce the FreeIPA 4.5.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25/26 will be available in the official COPR repository https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/ .

== Highlights in 4.5.2 ==
* 5860: deprecate --no-sssd option
  Option '--no-sssd' has been deprecated because SSSD is recommended for use on modern platforms - Fedora, RHEL 6, RHEL 7, Debian.

=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.5.2 is a stabilization release for the features delivered as a part of 4.5.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the page: https://www.freeipa.org/page/Upgrade

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://email@example.com/) or #freeipa channel on Freenode.

== Resolved tickets ==
* 7020 Installation of KRA replica fails
* 7015 allow to modify list of UPNs of a trusted forest
* 7001 Do not send Max-Age in ipa_session cookie to avoid breaking older clients
* 7000 Provide a simple command to issue KDC certificates on a IPA master
* 6993 certauth: use canonical principal for lookups
* 6982 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master
* 6981 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable
* 6977 Simple service uninstallers must be able to handle missing service files gracefully
* 6972 Replica installation grants HTTP principal access in WebUI
* 6966 Document that port 8080 needs to be open on IPA masters for cert-find
* 6965 ipa-replica-manage del replica.name fails
* 6963 ipa certmaprule change not reflected in krb5kdc workers
* 6958 [tracker] SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
* 6948 services entries missing krbCanonicalName attribute.
* 6937 Provide an API command to retrieve PKINIT status in the FreeIPA topology
* 6936 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
* 6935 ipa-replica-conncheck fails when there is no ssh executable on the master
* 6885 ipa cert-show does not raise error if no file name specified
* 6867 [ipa-replica-install] - KDC has no support for encryption type
* 6800 Investigate how privilege separation feature will work after DL0->DL1 update
* 6796 WSGI fails with recursion error in GSSAPI
* 6749 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade
* 6736 Add pkinit_indicator option to KDC configuration
* 6572 server-del doesn't remove dns-server configuration from ldap
* 5860 deprecate --no-sssd option
* 5788 user-add postcallback is not efficient when --noprivate flag is set
* 5406 ipa-client-install should not use hardcoded admin principal

== Detailed changelog since 4.5.1 ==

=== Alexander Bokovoy (4) ===
* trust-mod: allow modifying list of UPNs of a trusted forest
* ipa-kdb: add pkinit authentication indicator in case of a successful certauth
* Fix index definition for ipaAnchorUUID
* krb5: make sure KDC certificate is readable

=== David Kupka (1) ===
* kra: promote: Get ticket before calling custodia

=== Felipe Volpone (2) ===
* Changing cert-find to go through the proxy instead of using the port 8080
* Changing cert-find to do not use only primary key to search in LDAP.

=== Florence Blanc-Renaud (1) ===
* ipa-replica-conncheck: handle ssh not installed

=== Jan Cholasta (4) ===
* server upgrade: do not enable PKINIT by default
* pkinit manage: introduce ipa-pkinit-manage
* server certinstall: update KDC master entry
* httpinstance: wait until the service entry is replicated

=== Martin Babinsky (10) ===
* Prepare advise plugin for smart card auth configuration
* Extend the advice printing code by some useful abstractions
* fix incorrect suffix handling in topology checks
* only stop/disable simple service if it is installed
* test_serverroles: Get rid of MockLDAP and use ldap2 instead
* Add `pkinit-status` command
* Add the list of PKINIT servers as a virtual attribute to global config
* Add an attribute reporting client PKINIT-capable servers
* Refactor the role/attribute member reporting code
* Allow for multivalued server attributes

=== Martin Basti (4) ===
* Only warn when specified server IP addresses don't match intf
* Add remote_plugins subdirectories to RPM
* custodia dep: require explicitly python2 version
* 4.5 set back to git snapshot

=== Pavel Vomacka (4) ===
* WebUI: add support for changing trust UPN suffixes
* Bump version of python-gssapi
* Turn off OCSP check
* Change python-cryptography to python2-cryptography

=== Sumit Bose (2) ===
* ipa-kdb: use canonical principal in certauth plugin
* ipa-kdb: reload certificate mapping rules periodically

=== Simo Sorce (3) ===
* Revert setting sessionMaxAge for old clients
* Add code to be able to set default kinit lifetime
* Fix rare race condition with missing ccache file

=== Stanislav Laznicka (6) ===
* rpc: avoid possible recursion in create_connection
* rpc: preparations for recursion fix
* Avoid possible endless recursion in RPC call
* kdc.key should not be visible to all
* Remove pkinit-anonymous command
* ca/cert-show: check certificate_out in options

=== Tibor Dudlák (3) ===
* server.py: Removes dns-server configuration from ldap
* sssd.py: Deprecating no-sssd option.
* client.py: Replace hardcoded 'admin' with options.principal

=== Tibor Dudlák (1) ===
* user.py: replace user_mod with ldap.update_entry()

=== Tomas Krizek (2) ===
* Become IPA 4.5.2
* Update translations

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869