The FreeIPA team would like to announce FreeIPA v4.2.1 bug fixing release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are
available in the official COPR repository
<https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/>.
This announcement is also available at
<http://www.freeipa.org/page/Releases/4.2.1>.
== Highlights in 4.2.1 ==
=== Enhancements ===
* Added support for multiple IP addresses during client installation
=== Bug fixes ===
* Various fixes for new Vault feature
* Various fixes for new Certificates Profiles feature
* Fixed ACI issue in search for hbac rules, sudo rules, users and other
IPA objects by non-admin users
* Backup and restore fixes, mostly related to DNSSEC
* ipa-client-install is able to request a certificate in kickstart
environment
* Fixed server upgrade failure in "Enabling KDC proxy" step
* Added option to establish bidirectional trust in Web UI
== Upgrading ==
Upgrade instructions are available on Upgrade page
<http://www.freeipa.org/page/Upgrade>.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.
== Detailed Changelog since 4.2.0 ==
=== Alexander Bokovoy (5) ===
* selinux: enable httpd_run_ipa to allow communicating with oddjobd services
* oddjob: avoid chown keytab to sssd if sssd user does not exist
* Fix selector of protocol for LSA RPC binding string
* trusts: harden trust-fetch-domains oddjobd-based script
* trusts: format Kerberos principal properly when fetching trust topology
=== Christian Heimes (10) ===
* Start dirsrv for kdcproxy upgrade
* Fix selinux denial during kdcproxy user creation
* certprofile-import: improve profile format documentation
* otptoken: use ipapython.nsslib instead of Python's ssl module
* Require Dogtag PKI >= 10.2.6
* Validate vault's file parameters
* certprofile-import: do not require profileId in profile data
* Asymmetric vault: validate public key in client
* Add flag to list all service and user vaults
* Change internal rsa_(public|private)_key variable names
=== David Kupka (9) ===
* migration: Use api.env variables.
* cermonger: Use private unix socket when DBus SystemBus is not available.
* ipa-client-install: Do not (re)start certmonger and DBus daemons.
* user-undel: Fix error messages.
* client: Add support for multiple IP addresses during installation.
* client: Add description of --ip-address and --all-ip-addresses to man page
* Backup/resore authentication control configuration
* vault: Limit size of data stored in vault
* ipactl: Do not start/stop/restart single service multiple times
=== Endi Sukma Dewata (6) ===
* Fixed missing KRA agent cert on replica.
* Added CLI param and ACL for vault service operations.
* Fixed vault container ownership.
* Added support for changing vault encryption.
* Removed clear text passwords from KRA install log.
* Using LDAPI to setup CA and KRA agents.
=== Fraser Tweedale (14) ===
* user-show: add --out option to save certificates to file
* Fix otptoken-remove-managedby command summary
* Give more info on virtual command access denial
* Allow SAN extension for cert-request self-service
* Add profile for DNP3 / IEC 62351-8 certificates
* Work around python-nss bug on unrecognised OIDs
* Fix default CA ACL added during upgrade
* Fix KRB5PrincipalName / UPN SAN comparison
* certprofile: add profile format explanation
* Add permission for bypassing CA ACL enforcement
* Prohibit deletion of predefined profiles
* cert-request: remove allowed extensions check
* certprofile: prevent rename (modrdn)
* certprofile: remove 'rename' option
=== Jan Cholasta (14) ===
* spec file: Move /etc/ipa/kdcproxy to the server subpackage
* spec file: Update minimum required version of krb5
* install: Fix server and replica install options
* ULC: Prevent preserved users from being assigned membership
* spec file: Fix install with the server-dns subpackage
* baseldap: Allow overriding member param label in LDAPModMember
* vault: Fix param labels in output of vault owner commands
* install: Fix replica install with custom certificates
* vault: Fix vault-find with criteria
* vault: Add container information to vault command results
* spec file: Add Requires(post) on selinux-policy
* cert renewal: Include KRA users in Dogtag LDAP update
* cert renewal: Automatically update KRA agent PEM file
* ldap: Make ldap2 connection management thread-safe again
=== Lenka Doudova (2) ===
* Automated test for stageuser plugin
* Fix user tracker to reflect new user-del message
=== Martin Babinsky (12) ===
* ipa-ca-install: print more specific errors when CA is already installed
* enable debugging of ntpd during client installation
* fix broken search for users by their manager
* ACI plugin: correctly parse bind rules enclosed in parentheses
* test suite for user/host/service certificate management API commands
* store certificates issued for user entries as userCertificate;binary
* idranges: raise an error when local IPA ID range is being modified
* fix typo in BasePathNamespace member pointing to ods exporter config
* ipa-backup: archive DNSSEC zone file and kasp.db
* ipa-restore: check whether DS is running before attempting connection
* improve the handling of krb5-related errors in dnssec daemons
* improve the usability of `ipa user-del --preserve` command
=== Martin Bašti (23) ===
* Prevent to rename certprofile profile id
* Stageusedr-activate: show username instead of DN
* copy-schema-to-ca: allow to overwrite schema files
* fix selinuxusermap search for non-admin users
* Validate adding privilege to a permission
* sysrestore: copy files instead of moving them to avoind SELinux issues
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv
subcommand
* Py3: replace tab with space
* DNS: Consolidate DNS RR types in API and schema
* DNS: check if DNS package is installed
* Remove ico files from Makefile
* Use 'mv -Z' in specfile to restore SELinux context
* ULC: Fix stageused-add --from-delete command
* Fix upgrade of sidgen and extdom plugins
* Add dependency to SSSD 1.13.1
* Server Upgrade: Start DS before CA is started.
* Add user-stage command
* DNSSEC: fix forward zone forwarders checks
* DNSSEC: remove "DNSSEC is experimental" warnings
* Backup: back up the hosts file
* Installer: do not modify /etc/hosts before user agreement
* DNSSEC: backup and restore opendnssec zone list file
* DNSSEC: remove ccache and keytab of ipa-ods-exporter
=== Milan Kubík (4) ===
* ipalib: pass api instance into textui in doctest snippets
* spec file: update the python package names for libipa_hbac and
libsss_nss_idmap
* tests: Allow Tracker.dn be an instance of Fuzzy
* ipatests: Take otptoken import test out of execution
=== Oleg Fayans (2) ===
* Added a user-friendly output to an import error
* Temporary fix for ticket 5240
=== Petr Voborník (17) ===
* Become IPA 4.2.0
* do not import memcache on client
* webui: fix user reset password dialog
* fix hbac rule search for non-admin users
* webui: add Kerberos configuration instructions for Chrome
* webui: fix regressions failed auth messages
* webui: add LDAP vs Kerberos behavior description to user auth types
* adjust search so that it works for non-admin users
* validate mutually exclusive options in vault-add
* add permission: System: Manage User Certificates
* vault: normalize service principal in service vault operations
* vault: validate vault type
* vault: change default vault type to symmetric
* fix missing information in object metadata
* webui: add option to establish bidirectional trust
* vault: fix vault tests after default type change
* Become IPA 4.2.1
=== Petr Špaček (6) ===
* Create server-dns sub-package.
* DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
* DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
* DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on
DNSSEC key master
* DNSSEC: Fix key metadata export
* DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
=== Rob Crittenden (1) ===
* Use %license instead of %doc for packaging the license
=== Simo Sorce (1) ===
* Fix DNS records installation for replicas
=== Stanislav Laznicka (1) ===
* ipa-client-install: warn when IP used in --server
=== Tomáš Babej (24) ===
* ipalib: Fix missing format for InvalidDomainLevelError
* trusts: Check for AD root domain among our trusted domains
* ipaplatform: Add constants submodule
* tests: user_plugin: Add preserved flag when --all is used
* dcerpc: Expand explanation for WERR_ACCESS_DENIED
* idviews: Check for the Default Trust View only if applying the view
* tests: service_plugin: Make sure the cert is decoded from base64
* tests: realmdomains_plugin: Add explanatory comment
* tests: Version is currently generated during command call
* tests: vault_plugin: Skip tests if KRA not available
* tests: test_rpc: Create connection for the current thread
* tests: test_cert: Services can have multiple certificates
* dcerpc: Fix UnboundLocalError for ccache_name
* dcerpc: Add get_trusted_domain_object_type method
* idviews: Restrict anchor to name and name to anchor conversions
* idviews: Enforce objectclass check in idoverride*-del
* replication: Fix incorrect exception invocation
* Fix incorrect type comparison in trust-fetch-domains
* dcerpc: Simplify generation of LSA-RPC binding strings
* adtrust-install: Correctly determine 4.2 FreeIPA servers
* trusts: Detect domain clash with IPA domain when adding a AD trust
* trusts: Detect missing Samba instance
* winsync-migrate: Add warning about passsync
* winsync-migrate: Expand the man page
=== Yuri Chornoivan (1) ===
* Fix minor typos
--
Petr Vobornik
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
