The FreeIPA team would like to announce FreeIPA 4.4.2 release!

It can be downloaded from Builds
for Fedora 24 will be available in the official COPR repository

This announcement is also available on

Fedora 25 update:

== Highlights in 4.4.2 ==
=== Known Issues ===
* ipa-ca-install fails on replica when master is CA-less #6226
* ipa cert-find command doesn't return revocation reason in output, Web
UI then cannot display proper state of a certificate #6269

=== Bug fixes ===
FreeIPA 4.4.2 is a stabilization release for the features delivered as a
part of 4.4.0. There are more than 40 bug-fixes which details can be
seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on upgrade page

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list ( or
#freeipa channel on Freenode.

== Resolved tickets ==
* 4802 Investigate & document if TLS 1.2 is properly supported
* 5557 Strict dependency of optional package pam_krb5
* 5644 dnsrecord-del incompatible with admintools < ver 3.2 and server
>= ver 3.2
* 5725 failed ipa-server-install --uninstall returns exit code 0
* 5754 ipa-client-install man page has incorrect data on hostname
* 5755 test_0006_service_show  in test_cert_plugin uses global variable
* 5809 ipa-server-install fails when using external certificates that
encapsulate RDN components in double quotes
* 5814 Change IP address validation errors to warnings [support for
cloud environments]
* 5818 webui: "Restore" option is not available for a preserved user in
detailed info
* 5822 Cannot create user with username exactly 255 charaters long
* 5855 method get_primary_key_from_dn does not work for netgroups properly
* 6057 adding two way non transitive(external) trust displays internal
error on the console
* 6095 ipa command stuck forever on higher versioned client with lower
versioned server
* 6155 [tracker] Failed to configure CA instance
* 6190 Regressions found by test: ipa.test_ipalib.test_parameters
* 6203 dnsrecord-add does not prompt for missing record parts internactively
* 6212 Pretty-print mismatches in tests
* 6216 webui: cert_revoke should use --cacn to set correct CA when
revoking certificate
* 6221 Certificate revocation in service-del and host-del isn't aware of
Sub CAs
* 6230 installer: external CA step 1 successful but reports ScriptError
* 6238 Unable to view certificates issued by Sub CA in Web UI
* 6256 [tracker] Revoke certificate on lightweight CA deletion
* 6257 Implement ca-enable/disable commands.
* 6260 cert-request: use better error message when CA is disabled
* 6273 Command autocompletion without installed server prints an error
* 6279 CLI always sends default command version
* 6285 Tests: Regex errors in trust tests
* 6288 ipa-certupdate fails with "CA is not configured"
* 6294 TypeError in installer
* 6296 client-install with IPv6 address fails on link-local address (always)
* 6300 Remove the assertion of incorrect return code from
replica_promotion tests
* 6301 Fix replica_promotion tests
* 6304 cert-find --certificate does not work for certificates not in LDAP
* 6306 Add cleanup to integration trust tests
* 6309 cert-request does not raise error when CSR does not match profile
* 6312 Failing ldap backend test because service not found
* 6313 Failing test in test_ipalib/test_plugable
* 6322 Add krb5kdc restart to integration trust tests
* 6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* 6326 Update host test with ipa-join
* 6327 regression in `ipa cert-revoke --help`
* 6328 ipa trust-fetch-domains throws internal error
* 6329 WinSync users who have First.Last casing creates users who can
have their password set
* 6330 Invalid description for --hostname option in ipa-server-install
man page
* 6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in
outoftree suite
* 6338 [Tests] Remove SSSD restart from integration tests
* 6341 Certificate UI on details page shows add button even if user
doesn't have write right
* 6349 Tests: incomplete cleanup of CA plugin XMLRPC tests
* 6366 Extend CA ACL tests for test cases with CSR containing Subject
Alt Name
* 6368 otpd doesn't properly handle closing of ldap connection
* 6373 test_util.test_assert_deepequal fails
* 6382 Test: disable test for wrong client domain in domain level 0
* 6385 ipa-server-install --external-ca fails with AttributeError
* 6390 python-dns 1.15.0 breaks FreeIPA
* 6391 make FreeIPA codebase ready for pylint in Fedora rawhide
* 5791 CA fails to start after doing ipa-ca-install --external-ca
== Detailed changelog since 4.4.1 ==
=== Christian Heimes (1) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5

=== David Kupka (2) ===
* UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper
* schema cache: Store and check info for pre-schema servers

=== Florence Blanc-Renaud (2) ===
* Fix regression introduced in ipa-certupdate
* Fix ipa-certupdate for CA-less installation

=== Fraser Tweedale (10) ===
* Add commentary about CA deletion to plugin doc
* spec: require Dogtag >= 10.3.5-6
* cert-request: raise error when request fails
* Make host/service cert revocation aware of lightweight CAs
* cert-request: raise CertificateOperationError if CA disabled
* Use Dogtag REST API for certificate requests
* Add HTTPRequestError class
* Allow Dogtag RestClient to perform requests without logging in
* Add ca-disable and ca-enable commands
* Track lightweight CAs on replica installation

=== Jan Cholasta (8) ===
* test_plugable: update the rest of test_init
* dns: re-introduce --raw in dnsrecord-del
* client: remove hard dependency on pam_krb5
* cert: fix cert-find --certificate when the cert is not in LDAP
* dns: fix crash in interactive mode against old servers
* dns: prompt for missing record parts in CLI
* dns: normalize record type read interactively in dnsrecord_add
* cli: use full name when executing a command

=== Lenka Doudova (11) ===
* Tests: Certificate revocation
* Tests: Remove invalid certplugin tests
* Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* Tests: Fix host attributes in ipa-join host test
* Tests: Update host test with ipa-join
* Tests: Add krb5kdc.service restart to integration trust tests
* Tests: Remove SSSD restart from integration tests
* Tests: Fix integration sudo tests setup and checks
* Tests: Fix failing ldap.backend test
* Tests: Add cleanup to integration trust tests
* Tests: Fix regex errors in integration trust tests

=== Martin Babinsky (13) ===
* disable warnings reported by pylint-1.6.4-1
* mod_nss: use more robust quoting of NSSNickname directive
* Move character escaping function to ipautil
* Make Continuous installer continuous only during execution phase
* use separate exception handlers for executors and validators
* ipa passwd: use correct normalizer for user principals
* trust-fetch-domains: contact forest DCs when fetching trust domain info
* netgroup: avoid extraneous LDAP search when retrieving primary key from DN
* ldapupdate: Use proper inheritance in BadSyntax exception
* raise ValidationError when deprecated param is passed to command
* Always fetch forest info from root DCs when establishing one-way trust
* factor out `populate_remote_domain` method into module-level function
* Always fetch forest info from root DCs when establishing two-way trust

=== Martin Basti (17) ===
* test_text: add test ipa.pot file for tests
* Test: dont use global variable for iteration in test_cert_plugin
* Use constant for user and group patterns
* Fix regexp patterns in parameters to not enforce length
* Add check for IP addresses into DNS installer
* Fix missing config.ips in promote_check
* Abstract procedures for IP address warnings
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.
* Tests: extend DNS cmdline tests with lowercased record type
* Show warning when net/broadcast IP address is used in installer
* Allow multicast addresses in A/AAAA records
* Allow broadcast ip addresses
* Allow network ip addresses
* Fix parse errors with link-local addresses
* Fix ScriptError to always return string from __str__
* Set zanata project-version fo 4.4 branch

=== Milan KubĂ­k (3) ===
* ipatests: Implement tests with CSRs requesting SAN
* ipatests: Fix name property on a service tracker
* ipatests: provide context manager for keytab usage in RPC tests

=== Nathaniel McCallum (1) ===
* Properly handle LDAP socket closures in ipa-otpd

=== Oleg Fayans (4) ===
* Test: disabled wrong client domain tests for domlevel 0
* Changed addressing to the client hosts to be replicas
* Several fixes in replica_promotion tests
* Removed incorrect check for returncode

=== Petr Spacek (1) ===
* Fix compatibility with python-dns 1.15.0

=== Pavel Vomacka (5) ===
* WebUI: hide buttons in certificate widget according to acl
* Add 'Restore' option to action dropdown menu
* WebUI add support for sub-CAs while revoking certificates
* WebUI: Fix showing certificates issued by sub-CA
* Add support for additional options taken from table facet

=== Stanislav Laznicka (5) ===
* Make installer quit more nicely on external CA installation
* Fix test_util.test_assert_deepequal test
* Pretty-print structures in assert_deepequal
* Remove update_from_dict() method
* Updated help/man information about hostname

=== Tomas Krizek (4) ===
* Keep NSS trust flags of existing certificates
* Update ipa-server-install man page for hostname
* Add help info about certificate revocation reasons
* Don't show error messages in bash completion

Petr Vobornik

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to