The FreeIPA team would like to announce FreeIPA v4.3.2 bug fixing release!

It can be downloaded from The
builds are available for Fedora 24 and rawhide. Experimental builds for
CentOS 7 will be available in the official FreeIPA CentOS7 COPR

This announcement is also available on

Fedora 24 update:

== Highlights in 4.3.2 ==
=== Enhancements ===
* added possibility to list/clean dangling RUV records for o=ipaca
* --domain-level  of `ipa-server-install` was deprecated

=== Bug fixes ===
* fixed upgrade bug on servers without CA
* fixed installation of server with DNS if A record didn't exist
* fixed issue where A/AAAA DNS records were not created for CA
* fixed installation of CA less replica on domain level 1
* fixed forward zone conflicts with automatic empty zones from BIND
* fixed race condition with multiple simultaneous request from the same

== Upgrading ==
Upgrade instructions are available on upgrade page

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list ( or
#freeipa channel on Freenode.

== Detailed Changelog since 4.3.2 ==
=== Abhijeet Kasurde (2) ===
* Added description related to 'status' in ipactl man page
* Updated ipa command man page

=== Alexander Bokovoy (1) ===
* otptoken: support Python 3 for the qr code

=== David Kupka (3) ===
* man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
* installer: positional_arguments must be tuple or list of strings
* installer: index() raises ValueError

=== Florence Blanc-Renaud (2) ===
* Do not allow installation in FIPS mode
* Fix session cookies

=== Fraser Tweedale (5) ===
* caacl: correctly handle full user principal name
* Prevent replica install from overwriting cert profiles
* Detect and repair incorrect caIPAserviceCert config
* upgrade: do not try to start CA if not configured
* Move normalize_hostname to where it is expected

=== Jan Cholasta (4) ===
* spec file: bump minimum required pki-core version
* build: fix client-only build
* makeapi: use the same formatting for `int` and `long` values
* replica install: do not set CA renewal master flag

=== Lenka Doudova (2) ===
* WebUI: Test creating user without private group
* Test fix: Cleanup for host certificate

=== Martin Babinsky (1) ===
* replica-prepare: do not add PTR records if there is no IPA managed
reverse zone

=== Martin Bašti (18) ===
* Add missing pre_common_callback to stageuser_add
* Revert "ipatests: extend permission plugin test with new expected output"
* make: fail when ACI.txt or API.txt differs from values in source code
* Upgrade: always start CA
* Set proper zanata project-version
* Translations: remove deprecated locale configuration
* Test: fix failing host_test
* Fix: exceptions in DNS tests should not have data attribute
* Translations: update translations for IPA 4.3.x
* Fix resolve_rrsets: RRSet is not hashable
* Translations: update ipa-4-3 translations
* Revert "Switch /usr/bin/ipa to Python 3"
* Use python2 for ipa cli
* Replica promotion: use the correct IPA domain for replica
* CA replica promotion: add proper CA DNS records
* CA replica promotion: fix forgotten import
* Fix replica install with CA
* Use copy when replacing files to keep SELinux context

=== Milan Kubík (3) ===
* ipatests: fix for change_principal context manager
* ipatests: Add test case for requesting a certificate with full principal.
* spec: Add python-sssdconfig dependency for python-ipatests package

=== Oleg Fayans (9) ===
* Added a kdestroy call to clean ccache at master/client uninstallation
* Added 5 more tests to Replica Promotion testsuite
* Fixed a failure in legacy_client tests
* Add test if replica is working after domain upgrade
* Improve reporting of failed tests in topology test suite
* Bugfixes in managed topology tests
* A workaround for ticket N 5348
* Increased certmonger timeout
* Test for incorrect client domain

=== Pavel Vomacka (3) ===
* Add X-Frame-Options and frame-ancestors options
* Add 'skip overlap check' checkbox into add zone dialog
* Add 'skip overlap check' checkbox to the add dns forward zone dialog

=== Petr Viktorin (23) ===
* dns plugin: Fix zone normalization under Python 3
* sysrestore: Iterate over a list of dict keys
* test_xmlrpc: Use absolute imports
* xmlrpc_test: Rename exception instance before working with it
* radiusproxy plugin: Use str(error) rather than error.message
* xmlrpc_test: Expect bytes rather than strings for binary attributes
* ipalib.rpc: Send base64-encoded data as string under Python 3
* range plugin tests: Use bytes with MockLDAP under Python 3
* radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
* certprofile plugin: Use binary mode for file with binary data
* test_add_remove_cert_cmd: Use bytes for base64.b64encode()
* Switch /usr/bin/ipa to Python 3
* Fix remaining relative import and enable Pylint check
* ipalib.cli: Improve reporting of binary values in the CLI
* test_cert_plugin: Encode 'certificate' for comparison with
* ipaldap: Keep attribute names as text, not bytes
* ipapython.secrets.kem: Use ConfigParser from six.moves
* test_topology_plugin: Don't rely on order of an attribute's values
* test_rpcserver: Expect updated error message under Python 3
* ipaplatform.redhat: Use bytestrings when calling for version
* test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
* ipaldap: Convert dict items to list before iterating
* test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

=== Petr Voborník (2) ===
* mod_auth_gssapi: enable unique credential caches names
* Become IPA 4.3.2

=== Petr Špaček (30) ===
* Remove function ipapython.ipautil.host_exists()
* Extend installers with --forward-policy option
* Move automatic empty zone list into ipapython.dnsutil and make it reusable
* Add assert_absolute_dnsname() helper to ipapython.dnsutil
* Move function is_auto_empty_zone() into ipapython.dnsutil
* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
* Add function ipapython.dnsutil.inside_auto_empty_zone()
* Auto-detect default value for --forward-policy option in installers
* DNS: Fix upgrade - master to forward zone transformation
* DNS installer: accept --auto-forwarders option in unattended mode
* Batch command: avoid accessing potentially undefined context.principal
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
* Use root_logger for verify_host_resolvable()
* Move IP address resolution from ipaserver.install.installutils to
* Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
* Add ipaDNSVersion option to dnsconfig* commands and use new attribute
* DNS upgrade: separate backup logic to make it reusable
* Add function ipapython.dnsutil.related_to_auto_empty_zone()
* DNS upgrade: change forwarding policy to = only for conflicting
forward zones
* DNS upgrade: change global forwarding policy in LDAP to "only" if
private IPs are used
* DNS upgrade: change global forwarding policy in named.conf to "only"
if private IPs are used
* DNS: Warn if forwarding policy conflicts with automatic empty zones
* DNS: Fix realm domains integration with DNS zone add.
* client: Share validator and domain name normalization with server install
* DNS: Fix tests for realm domains integration with DNS zone add
* client-install: do not fail if DNS times out during DNS update generation
* Use NSS for name->resolution in IPA installer
* DNS: Remove unnecessary DNS check from installer
* Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
* Fix internal errors in host-add and other commands caused by DNS

=== Stanislav Laznicka (9) ===
* replica-manage: fail nicely when DM psswd required
* ipa-replica-manage refactoring
* abort-clean/list/clean-ruv now work for both suffixes
* Moved password check from clean_dangling_ruv
* Fix to clean-dangling-ruv for single CA topologies
* Added pyusb as a dependency
* Deprecated the domain-level option in ipa-server-install
* fixes premature sys.exit in ipa-replica-manage del
* Remove dangling RUVs even if replicas are offline

=== Thierry Bordaz (1) ===
* Make sure ipapwd_extop takes precedence over passwd_modify_extop

Petr Vobornik

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to