[Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds for Fedora 22 and Fedora Rawhide will be available in the 
official COPR repository 
https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.


This announcement with additional ticket and design page links is 
available at http://www.freeipa.org/page/Releases/4.2.0.


== Highlights in 4.2 ==
=== Enhancements ===
* Support for multiple certificate profiles, including support for user 
certificates. The profiles are now replicated between FreeIPA servers to 
have a consistent state for all certificate creation requests. The 
certificate submission requests are authorized by the new CA ACL rules
* Support One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using the 
UI or LDAP interface and have them moved to active users by a single 
command. Deleted users can now also be moved - 'preserved' - to a special 
tree and re-activated when the user returns, preserving their UID/GID
* Support for Password Vault (KRA) component of PKI for storing user or 
service secrets. All encrypted with public key cryptography so that even 
FreeIPA server does not know the secrets!

* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool 
('ipa-server-upgrade') providing a simplified interface for upgrading the 
FreeIPA server. See details in the separate subsection.
* Service constrained delegation rules can now be added via the UI and CLI
* FreeIPA Web UI now provides an API browser and documentation. See the 'IPA 
Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create 
their own services
* FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* FreeIPA Web Server no longer uses the deprecated 'mod_auth_kerb' but 
has switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* 'migrate-ds' command can now search the migrated users and groups with 
different scope
* DNSSEC integration was improved and the FreeIPA server is configured to do 
DNSSEC validation by default. This might potentially affect 
installations which did not follow the Deployment Recommendations for DNS.
* 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===
The server still upgrades automatically during RPM update. However, 
'ipactl start' now verifies that the server was really upgraded before 
starting FreeIPA, to prevent running upgraded bits on old data when 
'ipa-server-upgrade' was not run during the RPM update (for example during 
a FedUp Fedora upgrade).


The format of update files (files in '/usr/share/ipa/updates/') has changed. 
Namely:

* Updates are not merged; update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used 
in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from 
update files ('plugin: plugin name')


== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.1 ==
=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed 
to fetch keytab

* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

=== 

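The "Changes to upgrade" subsection above (and the identical one in the 4.2.0 Alpha 1 announcement later in this thread) describes four behaviours of the new update-file format: files are applied one at a time and never merged, values are no longer CSV-split so commas pass through intact, values may be base64-encoded, and update plugins run only where an update file names them. The parser below is an added example written for this page; it is not FreeIPA's own code, and the line shapes it accepts ('dn:', '<action>: <attr>: <value>', '::' for base64, 'plugin: <name>') are assumptions modelled on the announcement, not the project's authoritative grammar. The two sample files and their contents are constructed.

```python
"""Parser for FreeIPA-style LDAP update files (added example, not FreeIPA code).

Assumed line shapes (modelled on the 4.2 announcement; the real grammar is
FreeIPA's own):
  dn: <dn>                   starts a new entry
  <action>: <attr>: <value>  e.g. add, only, replace; value may contain commas
  <action>: <attr>:: <b64>   LDIF-style base64-encoded value
  plugin: <plugin name>      run the named update plugin at this point
  # comment / blank line     ignored
"""
import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Op = Tuple[str, str, bytes]  # (action, attribute, decoded value)


@dataclass
class Entry:
    dn: str
    ops: List[Op] = field(default_factory=list)


@dataclass
class Plugin:
    name: str


@dataclass
class UpdateFile:
    name: str
    items: List[Union[Entry, Plugin]] = field(default_factory=list)


def parse_update(name: str, text: str) -> UpdateFile:
    """Parse one update file; raises ValueError on a malformed line."""
    uf = UpdateFile(name)
    entry: Optional[Entry] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("dn:"):
            entry = Entry(line[3:].strip())
            uf.items.append(entry)
            continue
        if line.startswith("plugin:"):
            # plugins are not run automatically; only an explicit reference runs one
            uf.items.append(Plugin(line[len("plugin:"):].strip()))
            continue
        if entry is None:
            raise ValueError(f"{name}:{lineno}: attribute line before any dn")
        try:
            # split on the first two colons only: everything after them is the
            # value, so commas (and further colons) are kept verbatim (no CSV)
            action, rest = line.split(":", 1)
            attr, rest = rest.split(":", 1)
        except ValueError:
            raise ValueError(f"{name}:{lineno}: expected '<action>: <attr>: <value>'") from None
        if rest.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            value = rest.strip().encode("utf-8")
        entry.ops.append((action.strip(), attr.strip(), value))
    return uf


Step = Tuple[str, Optional[str], str, str, bytes]  # (file, dn, action, attr, value)


def apply_in_order(files: List[Tuple[str, str]]) -> List[Step]:
    """Flatten files into the ordered steps an updater would execute.

    Each file is parsed and emitted completely before the next one is
    touched, mirroring 'files are applied one at a time' (no merging).
    """
    steps: List[Step] = []
    for name, text in files:
        for item in parse_update(name, text).items:
            if isinstance(item, Plugin):
                steps.append((name, None, "plugin", item.name, b""))
            else:
                for action, attr, value in item.ops:
                    steps.append((name, item.dn, action, attr, value))
    return steps


# Constructed sample update files (not taken from FreeIPA).
SAMPLE_10 = """\
# constructed sample
dn: cn=config
only: nsslapd-maxbersize: 209715200
add: aci: (targetattr = "cn || member")(version 3.0; acl "read, commas ok"; allow (read) userdn = "ldap:///all";)
"""

SAMPLE_20 = "dn: cn=sample,$SUFFIX\nadd: description: a, b, c\nadd: ipaSecret:: " \
    + base64.b64encode(b"value, with comma").decode() + "\nplugin: update_sample_plugin\n"


def demo_steps() -> List[Step]:
    return apply_in_order([("10-config.update", SAMPLE_10), ("20-sample.update", SAMPLE_20)])


if __name__ == "__main__":
    for step in demo_steps():
        print(step)
```

Running the module prints the five steps in file order: the two 'cn=config' operations from the first file, then the comma-containing description, the decoded base64 secret, and finally the plugin reference from the second file. A line that appears before any 'dn:' or that lacks the two separating colons is rejected rather than silently skipped, which is the behaviour you want from anything that feeds changes into the directory during an upgrade.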
Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
 The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
 
 It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
 for Fedora 22 and Fedora Rawhide will be available in the official COPR
 repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

Are copr builds for RHEL 7 / CentOS 7 planned?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
 The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
 
 It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
 for Fedora 22 and Fedora Rawhide will be available in the official COPR
 repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.

Any ETA about the availability of the Fedora 22 bits? I can see

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/

succeeded but when I try to install with that repo enabled on my
Fedora 22, I don't get the 4.2.0 packages.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:
 On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:
  The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
  
  It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
  for Fedora 22 and Fedora Rawhide will be available in the official COPR
  repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.
 
 Any ETA about the availability of the Fedora 22 bits? I can see
 
   https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/
 
 succeeded but when I try to install with that repo enabled on my
 Fedora 22, I don't get the 4.2.0 packages.

Hmm, when I run

dnf install freeipa-server

the 4.1.4-4 from fedora updates repository gets put to the transaction.

When I specify

dnf install freeipa-server-4.2.0

I get

Error: nothing provides 389-ds-base = 1.3.4.0 needed by 
freeipa-server-4.2.0-0.fc22.x86_64

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik

On 07/10/2015 02:40 PM, Jan Pazdziora wrote:

On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
for Fedora 22 and Fedora Rawhide will be available in the official COPR
repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.


Any ETA about the availability of the Fedora 22 bits? I can see

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/

succeeded but when I try to install with that repo enabled on my
Fedora 22, I don't get the 4.2.0 packages.



I was able to install freeipa-server-4.2.0-0.fc22.x86_64 using the COPR 
repository.

--
Petr Vobornik



Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:
 Some of the dependencies are still in updates-testing repository. They have
 been added to the COPR repository.
 
 Now FreeIPA 4.2 could be installed even with the updates-testing repo
 disabled. Sorry for your inconvenience.

I confirm things work now, I'm able to install and set up FreeIPA 4.2
server on Fedora 22 with the copr repo.

Thank you!

Any plans for the RHEL/CentOS 7 copr repo?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik

On 07/10/2015 04:51 PM, Jan Pazdziora wrote:

On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote:

Some of the dependencies are still in updates-testing repository. They have
been added to the COPR repository.

Now FreeIPA 4.2 could be installed even with the updates-testing repo
disabled. Sorry for your inconvenience.


I confirm things work now, I'm able to install and set up FreeIPA 4.2
server on Fedora 22 with the copr repo.

Thank you!

Any plans for the RHEL/CentOS 7 copr repo?



I'm sorry, I don't have a date for you yet. But as IPA 4.1 has Epel 7 
COPR repo, IPA 4.2 will have it as well.

--
Petr Vobornik



Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik

On 07/10/2015 02:55 PM, Jan Pazdziora wrote:

On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote:

On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote:

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds
for Fedora 22 and Fedora Rawhide will be available in the official COPR
repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.


Any ETA about the availability of the Fedora 22 bits? I can see

https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/build/103134/

succeeded but when I try to install with that repo enabled on my
Fedora 22, I don't get the 4.2.0 packages.


Hmm, when I run

dnf install freeipa-server

the 4.1.4-4 from fedora updates repository gets put to the transaction.

When I specify

dnf install freeipa-server-4.2.0

I get

Error: nothing provides 389-ds-base = 1.3.4.0 needed by 
freeipa-server-4.2.0-0.fc22.x86_64



Some of the dependencies are still in updates-testing repository. They 
have been added to the COPR repository.


Now FreeIPA 4.2 could be installed even with the updates-testing repo 
disabled. Sorry for your inconvenience.


# dnf clean metadata
# dnf install freeipa-server --disablerepo=*testing
# rpm -q freeipa-server
freeipa-server-4.2.0-0.fc22.x86_64
...
--
Petr Vobornik



[Freeipa-users] Announcing FreeIPA 4.2.0 Alpha 1

2015-06-22 Thread Petr Vobornik

The FreeIPA team is proud to announce FreeIPA v4.2.0 Alpha 1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds for Fedora 22 and Fedora Rawhide are available in the official 
COPR repository https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/.


This announcement with additional ticket and design page links is 
available at http://www.freeipa.org/page/Releases/4.2.0.alpha1.


== Highlights in 4.2 ==
=== Enhancements ===
* Support for multiple certificate profiles, including support for user 
certificates. The profiles are now replicated between FreeIPA servers to 
have a consistent state for all certificate creation requests. The 
certificate submission requests are authorized by the new CA ACL rules
* User life-cycle management - add inactive stage users using the 
UI or LDAP interface and have them moved to active users by a single 
command. Deleted users can now also be moved - 'preserved' - to a special 
tree and re-activated when the user returns, preserving their UID/GID
* Support for Password Vault (KRA) component of PKI for storing user or 
service secrets. All encrypted with public key cryptography so that even 
FreeIPA server does not know the secrets!
* Replication topology is now managed by the Directory Server 'Topology 
plugin', which allows modifications to the topology via the standard FreeIPA 
UI. The plugin is enabled for new 4.2 based deployments and for upgraded 
deployments that raised the Domain Level to 1
* Datepicker is now used for datetime fields in the Web UI
* Upgrade process was overhauled. There is now a single upgrade tool 
(`ipa-server-upgrade`) providing a simplified interface for upgrading the 
FreeIPA server. See details in the separate subsection.
* Service constrained delegation rules can now be added via the UI and CLI
* FreeIPA Web Server no longer uses the deprecated `mod_auth_kerb` but 
has switched to the modern `mod_auth_gssapi`
* Add support for Domain Levels
* `migrate-ds` command can now search the migrated users and groups with 
different scope
* DNSSEC integration was improved and the FreeIPA server is configured to do 
DNSSEC validation by default. This might potentially affect 
installations which did not follow the deployment recommendations for DNS.


=== Changes to upgrade ===
The server still upgrades automatically during RPM update. However, 
`ipactl start` now verifies that the server was really upgraded before 
starting FreeIPA, to prevent running upgraded bits on old data when 
`ipa-server-upgrade` was not run during the RPM update (for example during 
a [https://fedoraproject.org/wiki/FedUp FedUp] Fedora upgrade).


The format of update files (files in `/usr/share/ipa/updates/`) has changed. 
Namely:

* Updates are not merged; update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used 
in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from 
update files (`plugin: plugin name`)


== Known Issues ==
=== Installation ===
* missing dependency on `python-setuptools`, run `dnf install 
python-setuptools` before installing FreeIPA rpms.

=== Topology management ===
* `ipa-replica-manage del` doesn't check for disconnection of topology
* replica reinitialization after `ipa topologysegment-reinitialize` 
could be executed multiple times 
https://fedorahosted.org/freeipa/ticket/5065
* topology segment direction and 'enable' can still be modified. This will 
not be allowed in the final version.


=== Certificates ===
* Certificate profiles are not correctly upgraded and therefore 
certificate signing requests fail

* Web UI does not support multiple certificates

== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.1 ==
=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (10) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it

=== David Kupka (25) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce