The FreeIPA team would like to announce FreeIPA 4.4.2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/>.
This announcement is also available on http://www.freeipa.org/page/Releases/4.4.2 Fedora 25 update: https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25 == Highlights in 4.4.2 == === Known Issues === * ipa-ca-install fails on replica when master is CA-less #6226 * ipa cert-find command doesn't return revocation reason in output, Web UI then cannot display proper state of a certificate #6269 === Bug fixes === FreeIPA 4.4.2 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 40 bug-fixes which details can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on upgrade page <http://www.freeipa.org/page/Upgrade>. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode. == Resolved tickets == * 4802 Investigate & document if TLS 1.2 is properly supported * 5557 Strict dependency of optional package pam_krb5 * 5644 dnsrecord-del incompatible with admintools < ver 3.2 and server >= ver 3.2 * 5725 failed ipa-server-install --uninstall returns exit code 0 * 5754 ipa-client-install man page has incorrect data on hostname * 5755 test_0006_service_show in test_cert_plugin uses global variable wrong * 5809 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes * 5814 Change IP address validation errors to warnings [support for cloud environments] * 5818 webui: "Restore" option is not available for a preserved user in detailed info * 5822 Cannot create user with username exactly 255 charaters long * 5855 method get_primary_key_from_dn does not work for netgroups properly * 6057 adding two way non transitive(external) trust displays internal error on the console * 6095 ipa command stuck forever on higher versioned client with lower versioned server * 6155 [tracker] Failed to configure CA instance * 6190 Regressions found by test: ipa.test_ipalib.test_parameters * 6203 dnsrecord-add does not prompt for missing record parts internactively * 6212 Pretty-print mismatches in tests * 6216 webui: cert_revoke should use --cacn to set correct CA when revoking certificate * 6221 Certificate revocation in service-del and host-del isn't aware of Sub CAs * 6230 installer: external CA step 1 successful but reports ScriptError * 6238 Unable to view certificates issued by Sub CA in Web UI * 6256 [tracker] Revoke certificate on lightweight CA deletion * 6257 Implement ca-enable/disable commands. * 6260 cert-request: use better error message when CA is disabled * 6273 Command autocompletion without installed server prints an error message * 6279 CLI always sends default command version * 6285 Tests: Regex errors in trust tests * 6288 ipa-certupdate fails with "CA is not configured" * 6294 TypeError in installer * 6296 client-install with IPv6 address fails on link-local address (always) * 6300 Remove the assertion of incorrect return code from replica_promotion tests * 6301 Fix replica_promotion tests * 6304 cert-find --certificate does not work for certificates not in LDAP * 6306 Add cleanup to integration trust tests * 6309 cert-request does not raise error when CSR does not match profile pattern * 6312 Failing ldap backend test because service not found * 6313 Failing test in test_ipalib/test_plugable * 6322 Add krb5kdc restart to integration trust tests * 6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap * 6326 Update host test with ipa-join * 6327 regression in `ipa cert-revoke --help` * 6328 ipa trust-fetch-domains throws internal error * 6329 WinSync users who have First.Last casing creates users who can have their password set * 6330 Invalid description for --hostname option in ipa-server-install man page * 6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in outoftree suite * 6338 [Tests] Remove SSSD restart from integration tests * 6341 Certificate UI on details page shows add button even if user doesn't have write right * 6349 Tests: incomplete cleanup of CA plugin XMLRPC tests * 6366 Extend CA ACL tests for test cases with CSR containing Subject Alt Name * 6368 otpd doesn't properly handle closing of ldap connection * 6373 test_util.test_assert_deepequal fails * 6382 Test: disable test for wrong client domain in domain level 0 * 6385 ipa-server-install --external-ca fails with AttributeError * 6390 python-dns 1.15.0 breaks FreeIPA * 6391 make FreeIPA codebase ready for pylint in Fedora rawhide * 5791 CA fails to start after doing ipa-ca-install --external-ca == Detailed changelog since 4.4.1 == === Christian Heimes (1) === * Use RSA-OAEP instead of RSA PKCS#1 v1.5 === David Kupka (2) === * UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling * schema cache: Store and check info for pre-schema servers === Florence Blanc-Renaud (2) === * Fix regression introduced in ipa-certupdate * Fix ipa-certupdate for CA-less installation === Fraser Tweedale (10) === * Add commentary about CA deletion to plugin doc * spec: require Dogtag >= 10.3.5-6 * cert-request: raise error when request fails * Make host/service cert revocation aware of lightweight CAs * cert-request: raise CertificateOperationError if CA disabled * Use Dogtag REST API for certificate requests * Add HTTPRequestError class * Allow Dogtag RestClient to perform requests without logging in * Add ca-disable and ca-enable commands * Track lightweight CAs on replica installation === Jan Cholasta (8) === * test_plugable: update the rest of test_init * dns: re-introduce --raw in dnsrecord-del * client: remove hard dependency on pam_krb5 * cert: fix cert-find --certificate when the cert is not in LDAP * dns: fix crash in interactive mode against old servers * dns: prompt for missing record parts in CLI * dns: normalize record type read interactively in dnsrecord_add * cli: use full name when executing a command === Lenka Doudova (11) === * Tests: Certificate revocation * Tests: Remove invalid certplugin tests * Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap * Tests: Fix host attributes in ipa-join host test * Tests: Update host test with ipa-join * Tests: Add krb5kdc.service restart to integration trust tests * Tests: Remove SSSD restart from integration tests * Tests: Fix integration sudo tests setup and checks * Tests: Fix failing ldap.backend test * Tests: Add cleanup to integration trust tests * Tests: Fix regex errors in integration trust tests === Martin Babinsky (13) === * disable warnings reported by pylint-1.6.4-1 * mod_nss: use more robust quoting of NSSNickname directive * Move character escaping function to ipautil * Make Continuous installer continuous only during execution phase * use separate exception handlers for executors and validators * ipa passwd: use correct normalizer for user principals * trust-fetch-domains: contact forest DCs when fetching trust domain info * netgroup: avoid extraneous LDAP search when retrieving primary key from DN * ldapupdate: Use proper inheritance in BadSyntax exception * raise ValidationError when deprecated param is passed to command * Always fetch forest info from root DCs when establishing one-way trust * factor out `populate_remote_domain` method into module-level function * Always fetch forest info from root DCs when establishing two-way trust === Martin Basti (17) === * test_text: add test ipa.pot file for tests * Test: dont use global variable for iteration in test_cert_plugin * Use constant for user and group patterns * Fix regexp patterns in parameters to not enforce length * Add check for IP addresses into DNS installer * Fix missing config.ips in promote_check * Abstract procedures for IP address warnings * Catch DNS exceptions during emptyzones named.conf upgrade * Start named during configuration upgrade. * Tests: extend DNS cmdline tests with lowercased record type * Show warning when net/broadcast IP address is used in installer * Allow multicast addresses in A/AAAA records * Allow broadcast ip addresses * Allow network ip addresses * Fix parse errors with link-local addresses * Fix ScriptError to always return string from __str__ * Set zanata project-version fo 4.4 branch === Milan KubĂk (3) === * ipatests: Implement tests with CSRs requesting SAN * ipatests: Fix name property on a service tracker * ipatests: provide context manager for keytab usage in RPC tests === Nathaniel McCallum (1) === * Properly handle LDAP socket closures in ipa-otpd === Oleg Fayans (4) === * Test: disabled wrong client domain tests for domlevel 0 * Changed addressing to the client hosts to be replicas * Several fixes in replica_promotion tests * Removed incorrect check for returncode === Petr Spacek (1) === * Fix compatibility with python-dns 1.15.0 === Pavel Vomacka (5) === * WebUI: hide buttons in certificate widget according to acl * Add 'Restore' option to action dropdown menu * WebUI add support for sub-CAs while revoking certificates * WebUI: Fix showing certificates issued by sub-CA * Add support for additional options taken from table facet === Stanislav Laznicka (5) === * Make installer quit more nicely on external CA installation * Fix test_util.test_assert_deepequal test * Pretty-print structures in assert_deepequal * Remove update_from_dict() method * Updated help/man information about hostname === Tomas Krizek (4) === * Keep NSS trust flags of existing certificates * Update ipa-server-install man page for hostname * Add help info about certificate revocation reasons * Don't show error messages in bash completion -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project