The FreeIPA team would like to announce the FreeIPA v4.3.2 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/>.

This announcement is also available on http://www.freeipa.org/page/Releases/4.3.2

Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.2-1.fc24

== Highlights in 4.3.2 ==

=== Enhancements ===
* added possibility to list/clean dangling RUV records for o=ipaca suffix https://fedorahosted.org/freeipa/ticket/4987
* --domain-level of `ipa-server-install` was deprecated https://fedorahosted.org/freeipa/ticket/5907

=== Bug fixes ===
* fixed upgrade bug on servers without CA https://fedorahosted.org/freeipa/ticket/5958
* fixed installation of server with DNS if A record didn't exist https://fedorahosted.org/freeipa/ticket/5962
* fixed issue where A/AAAA DNS records were not created for CA https://fedorahosted.org/freeipa/ticket/5966
* fixed installation of CA less replica on domain level 1 https://fedorahosted.org/freeipa/ticket/5721
* fixed forward zone conflicts with automatic empty zones from BIND https://fedorahosted.org/freeipa/ticket/5710
* fixed race condition with multiple simultaneous requests from the same principal https://fedorahosted.org/freeipa/ticket/5653

== Upgrading ==
Upgrade instructions are available on upgrade page <http://www.freeipa.org/page/Upgrade>.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.3.2 ==

=== Abhijeet Kasurde (2) ===
* Added description related to 'status' in ipactl man page
* Updated ipa command man page

=== Alexander Bokovoy (1) ===
* otptoken: support Python 3 for the qr code

=== David Kupka (3) ===
* man: Describe ipa-client-install workaround for broken D-Bus environment.
* installer: positional_arguments must be tuple or list of strings
* installer: index() raises ValueError

=== Florence Blanc-Renaud (2) ===
* Do not allow installation in FIPS mode
* Fix session cookies

=== Fraser Tweedale (5) ===
* caacl: correctly handle full user principal name
* Prevent replica install from overwriting cert profiles
* Detect and repair incorrect caIPAserviceCert config
* upgrade: do not try to start CA if not configured
* Move normalize_hostname to where it is expected

=== Jan Cholasta (4) ===
* spec file: bump minimum required pki-core version
* build: fix client-only build
* makeapi: use the same formatting for `int` and `long` values
* replica install: do not set CA renewal master flag

=== Lenka Doudova (2) ===
* WebUI: Test creating user without private group
* Test fix: Cleanup for host certificate

=== Martin Babinsky (1) ===
* replica-prepare: do not add PTR records if there is no IPA managed reverse zone

=== Martin Bašti (18) ===
* Add missing pre_common_callback to stageuser_add
* Revert "ipatests: extend permission plugin test with new expected output"
* make: fail when ACI.txt or API.txt differs from values in source code
* Upgrade: always start CA
* Set proper zanata project-version
* Translations: remove deprecated locale configuration
* Test: fix failing host_test
* Fix: exceptions in DNS tests should not have data attribute
* Translations: update translations for IPA 4.3.x
* Fix resolve_rrsets: RRSet is not hashable
* Translations: update ipa-4-3 translations
* Revert "Switch /usr/bin/ipa to Python 3"
* Use python2 for ipa cli
* Replica promotion: use the correct IPA domain for replica
* CA replica promotion: add proper CA DNS records
* CA replica promotion: fix forgotten import
* Fix replica install with CA
* Use copy when replacing files to keep SELinux context

=== Milan Kubík (3) ===
* ipatests: fix for change_principal context manager
* ipatests: Add test case for requesting a certificate with full principal.
* spec: Add python-sssdconfig dependency for python-ipatests package

=== Oleg Fayans (9) ===
* Added a kdestroy call to clean ccache at master/client uninstallation
* Added 5 more tests to Replica Promotion testsuite
* Fixed a failure in legacy_client tests
* Add test if replica is working after domain upgrade
* Improve reporting of failed tests in topology test suite
* Bugfixes in managed topology tests
* A workaround for ticket N 5348
* Increased certmonger timeout
* Test for incorrect client domain

=== Pavel Vomacka (3) ===
* Add X-Frame-Options and frame-ancestors options
* Add 'skip overlap check' checkbox into add zone dialog
* Add 'skip overlap check' checkbox to the add dns forward zone dialog

=== Petr Viktorin (23) ===
* dns plugin: Fix zone normalization under Python 3
* sysrestore: Iterate over a list of dict keys
* test_xmlrpc: Use absolute imports
* xmlrpc_test: Rename exception instance before working with it
* radiusproxy plugin: Use str(error) rather than error.message
* xmlrpc_test: Expect bytes rather than strings for binary attributes
* ipalib.rpc: Send base64-encoded data as string under Python 3
* range plugin tests: Use bytes with MockLDAP under Python 3
* radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
* certprofile plugin: Use binary mode for file with binary data
* test_add_remove_cert_cmd: Use bytes for base64.b64encode()
* Switch /usr/bin/ipa to Python 3
* Fix remaining relative import and enable Pylint check
* ipalib.cli: Improve reporting of binary values in the CLI
* test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
* ipaldap: Keep attribute names as text, not bytes
* ipapython.secrets.kem: Use ConfigParser from six.moves
* test_topology_plugin: Don't rely on order of an attribute's values
* test_rpcserver: Expect updated error message under Python 3
* ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
* test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
* ipaldap: Convert dict items to list before iterating
* test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

=== Petr Voborník (2) ===
* mod_auth_gssapi: enable unique credential caches names
* Become IPA 4.3.2

=== Petr Špaček (30) ===
* Remove function ipapython.ipautil.host_exists()
* Extend installers with --forward-policy option
* Move automatic empty zone list into ipapython.dnsutil and make it reusable
* Add assert_absolute_dnsname() helper to ipapython.dnsutil
* Move function is_auto_empty_zone() into ipapython.dnsutil
* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
* Add function ipapython.dnsutil.inside_auto_empty_zone()
* Auto-detect default value for --forward-policy option in installers
* DNS: Fix upgrade - master to forward zone transformation
* DNS installer: accept --auto-forwarders option in unattended mode
* Batch command: avoid accessing potentially undefined context.principal
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
* Use root_logger for verify_host_resolvable()
* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
* Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
* Add ipaDNSVersion option to dnsconfig* commands and use new attribute
* DNS upgrade: separate backup logic to make it reusable
* Add function ipapython.dnsutil.related_to_auto_empty_zone()
* DNS upgrade: change forwarding policy to = only for conflicting forward zones
* DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
* DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
* DNS: Warn if forwarding policy conflicts with automatic empty zones
* DNS: Fix realm domains integration with DNS zone add.
* client: Share validator and domain name normalization with server install
* DNS: Fix tests for realm domains integration with DNS zone add
* client-install: do not fail if DNS times out during DNS update generation
* Use NSS for name->resolution in IPA installer
* DNS: Remove unnecessary DNS check from installer
* Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
* Fix internal errors in host-add and other commands caused by DNS resolution

=== Stanislav Laznicka (9) ===
* replica-manage: fail nicely when DM psswd required
* ipa-replica-manage refactoring
* abort-clean/list/clean-ruv now work for both suffixes
* Moved password check from clean_dangling_ruv
* Fix to clean-dangling-ruv for single CA topologies
* Added pyusb as a dependency
* Deprecated the domain-level option in ipa-server-install
* fixes premature sys.exit in ipa-replica-manage del
* Remove dangling RUVs even if replicas are offline

=== Thierry Bordaz (1) ===
* Make sure ipapwd_extop takes precedence over passwd_modify_extop

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code