The FreeIPA team would like to announce the FreeIPA v4.3.1 bug-fix release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3/>. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos7/> shortly after the Easter holidays.

This announcement with links to Trac tickets is available on http://www.freeipa.org/page/Releases/4.3.1 .

Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.1-1.fc24

== Highlights in 4.3.1 ==
=== Enhancements ===
* FreeIPA Apache instance has an updated mod_nss cipher suite to only allow secure ciphers #5589
* [[Directory Server]] is configured with "default" cipher suite instead of "+all" #5684
* topology graph user experience was improved. Graph is enlarged to fill all available space. It can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
* MS-PAC extension was made optional for users #2579, currently without UI #5752
* added option to disable preauth for service principal names. Configurable via ipaconfigstring value "KDC:Disable Default Preauth for SPNs" in server config. #3860
* improved behavior of DNA plugin in complex FreeIPA environments where replicas are not all interconnected so that directory server is able to look up ranges on other servers once a range is exhausted #4026
* 3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
* `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dangling RUVs, especially the ones related to CA suffix #5411
* deprecated keytab_set extended operation was removed from ipasam module #5495
* an option was added to Web UI to allow specifying GID number in user adder dialog
* improved warning message on uninstallation of replica notifying that admin might be removing the last CA, KRA or DNSSec master #5544
* FreeIPA python packages were made independent of architecture (noarch) #5596
* AD users are now shown as members of IPA groups when external group is added to IPA group #4403

=== Bug fixes ===
* fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
* fixed bug where ipa-server-install didn't stop on error and subsequently reported incorrect root cause #2539
* fixed bug where ipa-ca-install hung on creating a temporary CA admin during replica promotion #5412
* fixed issue with vault-archive command sometimes not working #5538
* fixed regression in Web UI where required indicator '*' was missing on Global Password Policy page, priority field #5553
* fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563
* fixed bug where DNS zone overlap check caused failure of ipa-dns-install #5564
* fixed upgrade bug which prevents installation of replicas from masters updated to 4.3.0 #5575
* fixed rare bug in connection handling which can cause a crash of KDC #5577
* fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
* fixed not displaying suffixes in IPA servers table in Web UI #5609
* fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
* fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663

== Upgrading ==
Upgrade instructions are available on upgrade page <http://www.freeipa.org/page/Upgrade>.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.3.0 ==
=== Abhijeet Kasurde (1) ===
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (3) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall
* Modernize mod_nss's cipher suites
* Move user/group constants for PKI and DS into ipaplatform

=== David Kupka (19) ===
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.
* ipa-dns-install: Do not check for zone overlap when DNS installed.
* ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
* installer: Change reverse zones question to better reflect reality.
* Fix: Use unattended parameter instead of options.unattended
* CI: Add '2-connected' topology generator.
* CI: Add simple replication test in 2-connected topology.
* CI: Add test for 2-connected topology generator.
* CI: Fix pep8 errors in 2-connected topology generator
* CI: add empty topology test for 2-connected topology generator
* CI: Add double circle topology.
* CI: Add replication test utilizing double-circle topology.
* CI: Add test for double-circle topology generator.
* CI: Make double circle topology python3 compatible
* upgrade: Match whole pre/post command not just basename.
* dsinstance: add start_tracking_certificates method
* httpinstance: add start_tracking_certificates method
* Look up HTTPD_USER's UID and GID during installation.

=== Filip Skola (3) ===
* Refactor test_user_plugin, use UserTracker for tests
* Refactor test_replace
* Refactor test_attr

=== Fraser Tweedale (1) ===
* Do not decode HTTP reason phrase from Dogtag

=== Jan Cholasta (13) ===
* ipalib: assume version 2.0 when skip_version_check is enabled
* ipapython: remove default_encoding_utf8
* ipapython: port p11helper C code to Python
* ipapython: use python-cryptography instead of libcrypto in p11helper
* spec file: package python-ipalib as noarch
* cert renewal: import all external CA certs on IPA CA cert renewal
* replica install: validate DS and HTTP server certificates
* replica promotion: fix AVC denials in remote connection check
* test_ipagetkeytab: fix missing import
* cacert install: fix trust chain validation
* client: stop using /etc/pki/nssdb
* certdb: never use the -r option of certutil
* daemons: remove unused erroneous _ipap11helper import

=== Ludwig Krispenz (1) ===
* prevent moving of topology entries out of managed scope by modrdn operations

=== Lukáš Slebodník (1) ===
* IPA-SAM: Fix build with samba 4.4

=== Martin Babinsky (21) ===
* raise more descriptive Backend connection-related exceptions
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* tests for package version comparison
* fix Py3 incompatible exception instantiation in replica install code
* ipa-csreplica-manage: remove extraneous ldap2 connection
* IPA upgrade: move replication ACIs to the mapping tree entry
* uninstallation: more robust check for master removal from topology
* correctly set LDAP bind related attributes when setting up replication
* disable RA plugins when promoting a replica from CA-less master
* fix standalone installation of externally signed CA on IPA master
* reset ldap.conf to point to newly installer replica after promotion
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment
* test_cert_plugin: use only first part of the hostname to construct short name
* only search for Kerberos SRV records when autodiscovery was requested
* spec: add conflict with bind-chroot to freeipa-server-dns
* spec: require python-cryptography newer than 0.9
* otptoken-add: improve the robustness of QR code printing

=== Martin Bašti (36) ===
* Fix DNS tests: dns-resolve returns warning
* Fix version comparison
* Fix: replace mkdir with chmod
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* DNSSEC test: fix adding zones with --skip-overlap-check
* DNSSEC CI: add missing ldns-utils dependency
* CI test: fix regression in task.install_kra
* Warn about potential loss of CA, KRA, DNSSEC during uninstall
* Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
* Exclude o=ipaca subtree from Retro Changelog (syncrepl)
* Fix DNSSEC test: add glue record
* DNSSEC CI: fix zone delegations
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* Py3: do not use dict.iteritems()
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Revert "test: Temporarily increase timeout in vault test."
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* CI: allow customized DS install test to work with domain levels
* fix suspicious except statements
* Configure 389ds with "default" cipher suite
* krb5conf: use 'true' instead of 'yes' for forwardable option
* stageuser-activate: Normalize manager value
* Remove redundant parameters from CS.cfg in dogtaginstance
* Fix broken trust warnings
* spec: Add missing dependencies to python*-ipalib package
* SPEC: do not run upgrade when ipa server is not installed
* Fix stageuser-activate - managers test

=== Michael Simacek (1) ===
* Fix bytes/string handling in rpc

=== Milan Kubík (6) ===
* ipatests: Roll back the forwarder config after a test case
* ipatests: Fix configuration problems in dns tests
* ipatests: Make the A record for hosts in topology conditional
* ipatests: fix the install of external ca
* ipatests: Add missing certificate profile fixture
* ipatests: extend permission plugin test with new expected output

=== Oleg Fayans (17) ===
* CI tests: Enabled automatic creation of reverse zone during master installation
* CI tests: Added domain realm as a parameter to master installation in integration tests
* Fixed install_ca and install_kra under domain level 0
* fixed an issue with master installation not creating reverse zone
* Enabled recreation of test directory in apply_common_fixes function
* Updated connect/disconnect replica to work with both domainlevels
* Removed --ip-address option from replica installation
* Removed messing around with resolv.conf
* Integration tests for replica promotion feature
* Enabled setting domain level explicitly in test class
* Removed a constantly failing call to prepare_host
* Made apply_common_fixes call at replica installation independent on domain_level
* Workaround for ticket 5627
* Added copyright info to replica promotion tests
* rewrite a misprocessed teardown_method method as a custom decorator
* Reverted changes in mh fixture causing some tests to fail
* Fixed a bug with prepare_host failing upon existing ipatests folder

=== Pavel Vomacka (4) ===
* Add pan and zoom functionality to the topology graph
* Nodes stay fixed after initial animation.
* Add field for group id in user add dialog
* Resize topology graph canvas according to window size

=== Petr Viktorin (23) ===
* Use explicit truncating division
* Don't index exceptions directly
* Use print_function future definition wherever print() is used
* Alias "unicode" to "str" under Python 3
* Avoid builtins that were removed in Python 3
* dnsutil: Rename __nonzero__ to __bool__
* Remove deprecated contrib/RHEL4
* make-lint: Allow running pylint --py3k to detect Python3 issues
* Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
* test_parameters: Ignore specific error message
* ipaldap, ldapupdate: Encoding fixes for Python 3
* ipautil.run, kernel_keyring: Encoding fixes for Python 3
* tests: Use absolute imports
* ipautil: Use mode 'w+' in write_tmp_file
* test_util: str/bytes check fixes for Python 3
* p11helper: Port to Python 3
* cli: Don't encode/decode for stdin/stdout on Python 3
* Package python3-ipaclient
* migration.py: Remove stray get_ipa_basedn import
* Move get_ipa_basedn from ipautil to ipadiscovery
* ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
* ipapython.sysrestore: Use str methods instead of functions from the string module
* ipalib.x809: Accept bytes for make_pem

=== Petr Voborník (11) ===
* webui: add examples to network address validator error message
* webui: pwpolicy cospriority field was marked as required
* spec: do not require arch specific ipalib package from noarch packages
* webui: dislay server suffixes in server search page
* stop installer when setup-ds.pl fail
* webui: remove moot error from webui build
* webui: use API call ca_is_enabled instead of enable_ra env variable.
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help
* Become IPA 4.3.1

=== Petr Špaček (15) ===
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to ldapkeydb.py
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG
* Fix --auto-reverse option in --unattended mode.
* Fix dns_is_enabled() API command to throw exceptions as appropriate
* Fix DNS zone overlap check to allow ipa-replica-install to work
* Fix ipa-adtrust-install to always generate SRV records with FQDNs

=== Simo Sorce (6) ===
* Use only AES enctypes by default
* Always verify we have a valid ldap context.
* Improve keytab code to select the right principal.
* Convert ipa-sam to use the new getkeytab control
* Allow admins to disable preauth for SPNs.
* Allow to specify Kerberos authz data type per user

=== Stanislav Laznicka (4) ===
* Listing and cleaning RUV extended for CA suffix
* Automatically detect and remove dangling RUVs
* Cosmetic changes to the code
* Fixes minor issues

=== Sumit Bose (1) ===
* ipa-kdb: map_groups() consider all results

=== Thierry Bordaz (2) ===
* configure DNA plugin shared config entries to allow connection with GSSAPI
* DS deadlock when memberof scopes topology plugin updates

=== Timo Aaltonen (6) ===
* Use HTTPD_USER in dogtaginstance.py
* Move freeipa certmonger helpers to libexecdir.
* ipa_restore: Import only FQDN from ipalib.constants
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.
* Use ODS_USER/ODS_GROUP in opendnssec_conf.template
* Fix kdc.conf.template to use ipaplatform.paths.

=== Tomáš Babej (4) ===
* py3: Remove py3 incompatible exception handling
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5
* adtrustinstance: Make sure smb.conf exists

--
Petr Vobornik
