The FreeIPA team is proud to announce FreeIPA v3.2.2.
It can be downloaded from http://www.freeipa.org/page/Downloads. The new
version has also been built for Fedora 19 and is on its way to updates-testing.
== Highlights in 3.2.2 ==
=== New features for 3.2.2 ===
* Significant improvement of performance with large number of users or groups.
Several LDAP server indexes were added for this purpose.
* freeipa-server-selinux package with custom FreeIPA SELinux policy is dropped,
all policy is now contained in system policy package
=== Bug fixes ===
* Removes systemd-related deadlock when a server with running FreeIPA services
* Fixes ownership issues in CRL publishing directory
* ipa-replica-prepare and ipa-replica-install now do not crash on system with
gnupg2 package only (without older gnupg package)
* CRL file can now be retrieved via plain http protocol without redirection to
https, as defined in certificates published by FreeIPA
* Entitlement plugin is removed from FreeIPA codebase as it was neither
supported nor tested
* Many bugfixes related to CA-less installation
* ... and many others stabilization fixes, see Detailed changelog for full
== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.
Please note, that the performance improvements requires an extended set of
indexes to be configured. RPM update for an IPA server with a excessive number
of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded, you will
have to re-enroll the client or manually upload the keys.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
== Detailed Changelog since 3.2.1 ==
=== Ana Krivokapic (8): ===
* Fix displaying of success message
* Improve handling of options in ipa-client-install
* Do not display traceback to user
* Fix bug in adtrustinstance
* Use correct DS instance in ipactl status
* Avoid systemd service deadlock during shutdown
* Make sure replication works after DM password is changed
* Use --ignore-dependencies only when necessary
=== Jan Cholasta (16): ===
* Use the correct PKCS#12 file for HTTP server.
* Remove stray error condition in ipa-server-install.
* Handle exceptions gracefully when verifying PKCS#12 files.
* Skip empty lines when parsing pk12util output.
* Do not allow installing CA replicas in CA-less setup.
* Do not track DS certificate in CA-less setup.
* Fix CA-less check in ipa-replica-install and ipa-ca-install.
* Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.
* Skip cert issuer validation in service and host commands in CA-less install.
* Check trust chain length in CA-less install.
* Use LDAP search instead of *group_show to check if a group exists.
* Use LDAP search instead of *group_show to check for a group objectclass.
* Use LDAP modify operation directly to add/remove group members.
* Add missing substring indices for attributes managed by the referint plugin.
* Add missing equality index for ipaUniqueId.
* Run gpg-agent explicitly when encrypting/decrypting files.
=== Lukas Slebodnik (1): ===
* Use pkg-config to detect cmocka
=== Martin Kosek (7): ===
* Remove entitlement support
* Enable SASL mapping fallback.
* Drop SELinux subpackage
* Drop redundant directory /var/cache/ipa/sessions
* Run server upgrade and restart in posttrans
* Require new selinux-policy replacing old server-selinux subpackage
* Become 3.2.2
=== Nathaniel McCallum (3): ===
* Fix client install exception if /etc/ssh is missing
* Permit reads to ipatokenRadiusProxyUser objects
* Fix for small syntax error in OTP schema
=== Petr Vobornik (5): ===
* Regression fix: rule table with ext. member support doesn't offer any items
* Fix default value selection in radio widget
* Do not redirect to https in /ipa/ui on non-HTML files
* Create Firefox configuration extension on CA-less install
* Disable checkboxes and radios for readonly attributes
=== Rob Crittenden (1): ===
* Return the correct Content-type on negotiated XML-RPC requests.
=== Sumit Bose (1): ===
* Fix type of printf argument
=== Tomas Babej (2): ===
* Do not redirect ipa/crl to HTTPS
* Change group ownership of CRL publish directory
Freeipa-users mailing list