[Freeipa-devel] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds for Fedora 22 and Fedora Rawhide will be available in the 
official COPR repository 
.


This announcement with additional ticket and design page links is 
available at .


== Highlights in 4.2 ==
=== Enhancements ===
* Support for multiple certificate profiles, including support for user 
certificates. The profiles are now replicated between FreeIPA servers to 
have a consistent state for all certificate creation requests. The 
certificate submission requests are authorized by the new CA ACL rules
* Support for One-Way Trust to Active Directory
* User life-cycle management - add inactive stage users using the 
UI or LDAP interface and have them moved to active users by a single 
command. Deleted users can now also be moved - 'preserved' - to a special 
tree and re-activated when the user returns, preserving their UID/GID
* Support for the Password Vault (KRA) component of PKI for storing user or 
service secrets. All encrypted with public key cryptography so that even 
the FreeIPA server does not know the secrets!
* A datepicker is now used for datetime fields in the Web UI
* The upgrade process was overhauled. There is now a single upgrade tool 
('ipa-server-upgrade') providing a simplified interface for upgrading the 
FreeIPA server. See details in a separate subsection.
* Service constrained delegation rules can now be added via the UI and CLI
* The FreeIPA Web UI now provides an API browser and documentation. See the 
'IPA Server' - 'API Browser' tab
* Access control instructions were updated so that hosts can create 
their own services
* The FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service
* The FreeIPA Web Server no longer uses the deprecated 'mod_auth_kerb' but 
switched to the modern 'mod_auth_gssapi'
* New automated migration tool from winsync to 'ID Views'
* The 'migrate-ds' command can now search the migrated users and groups with 
a different scope
* DNSSEC integration was improved and the FreeIPA server is configured to do 
DNSSEC validation by default. This might potentially affect 
installations which did not follow the Deployment Recommendations for DNS.
* The 'ipa migrate-ds' command can now run with different search scopes
* And many other small improvements or bug fixes!

=== Changes to upgrade ===
The server still upgrades automatically during RPM update. However, 
'ipactl start' now verifies that the server was really upgraded before 
starting FreeIPA to prevent running upgraded bits on old data when 
'ipa-server-upgrade' was not run during RPM update (for example during 
FedUp Fedora upgrade).


The format of update files (files in '/usr/share/ipa/updates/') was changed. 
Namely:

* Updates are not merged; update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used 
in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from 
update files ('plugin: ')


== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.1 ==
=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (21) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it
* ipa-kdb: use proper memory chunk size when moving sids
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
* add one-way trust support to ipasam
* ipa-adtrust-install: add IPA master host principal to adtrust agents
* trusts: pass AD DC hostname if specified explicitly
* ipa-sidgen: reduce log level to normal if domain SID is not available
* ipa-adtrust-install: allow configuring of trust agents
* trusts: add support for one-way trust and switch to it by default
* ipa-pwd-extop: expand error message to tell what user is not allowed 
to fetch keytab

* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
* trust: support retrieving POSIX IDs with one-way trust during trust-add

=== Christian Heime

[Freeipa-devel] Announcing FreeIPA 4.2.0 Alpha 1

2015-06-22 Thread Petr Vobornik

The FreeIPA team is proud to announce FreeIPA v4.2.0 Alpha 1 release!

It can be downloaded from . The 
builds for Fedora 22 and Fedora Rawhide are available in the official 
COPR repository .


This announcement with additional ticket and design page links is 
available at .


== Highlights in 4.2 ==
=== Enhancements ===
* Support for multiple certificate profiles, including support for user 
certificates. The profiles are now replicated between FreeIPA servers to 
have a consistent state for all certificate creation requests. The 
certificate submission requests are authorized by the new CA ACL rules
* User life-cycle management - add inactive stage users using the 
UI or LDAP interface and have them moved to active users by a single 
command. Deleted users can now also be moved - 'preserved' - to a special 
tree and re-activated when the user returns, preserving their UID/GID
* Support for the Password Vault (KRA) component of PKI for storing user or 
service secrets. All encrypted with public key cryptography so that even 
the FreeIPA server does not know the secrets!
* Replication topology is now managed by the Directory Server 'Topology 
plugin', which allows modifications to the topology via the standard FreeIPA 
UI. The plugin is enabled for new 4.2 based deployments and for upgraded 
deployments that raised the Domain Level to 1
* A datepicker is now used for datetime fields in the Web UI
* The upgrade process was overhauled. There is now a single upgrade tool 
(`ipa-server-upgrade`) providing a simplified interface for upgrading the 
FreeIPA server. See details in a separate subsection.
* Service constrained delegation rules can now be added via the UI and CLI
* The FreeIPA Web Server no longer uses the deprecated `mod_auth_kerb` but 
switched to the modern `mod_auth_gssapi`
* Add support for Domain Levels
* The `migrate-ds` command can now search the migrated users and groups with 
a different scope
* DNSSEC integration was improved and the FreeIPA server is configured to do 
DNSSEC validation by default. This might potentially affect 
installations which did not follow the deployment recommendations for DNS.


=== Changes to upgrade ===
The server still upgrades automatically during RPM update. However, 
`ipactl start` now verifies that the server was really upgraded before 
starting FreeIPA to prevent running upgraded bits on old data when 
`ipa-server-upgrade` was not run during RPM update (for example during 
[https://fedoraproject.org/wiki/FedUp FedUp] Fedora upgrade).


The format of update files (files in `/usr/share/ipa/updates/`) was changed. 
Namely:

* Updates are not merged; update files are applied one at a time
* Update entries no longer support CSV - commas can now be freely used 
in the added attributes
* Updates can now use base64 values
* Update plugins are no longer run automatically, but only when referenced from 
update files (`plugin: `)


== Known Issues ==
=== Installation ===
* Missing dependency on `python-setuptools`; run `dnf install 
python-setuptools` before installing the FreeIPA rpms.

=== Topology management ===
* `ipa-replica-manage del` doesn't check for disconnection of the topology
* Replica reinitialization after `ipa topologysegment-reinitialize` 
could be executed multiple times
* Topology segment direction and 'enable' can still be modified. This will 
not be allowed in the final version.

=== Certificates ===
* Certificate profiles are not correctly upgraded and therefore 
certificate signing requests fail
* The Web UI does not support multiple certificates

== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.


== Detailed Changelog since 4.1 ==
=== Ade Lee (3) ===
* Add a KRA to IPA
* Add man page for ipa-kra-install
* Re-enable uninstall feature for ipa-kra-install

=== Ales 'alich' Marecek (1) ===
* Ipatests DNS SOA Record Maintenance

=== Alexander Bokovoy (10) ===
* Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation
* Support Samba PASSDB 0.2.0 aka interface version 24
* ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
* ipa-kdb: when processing transitions, hand over unknown ones to KDC
* ipa-kdb: reject principals from disabled domains as a KDC policy
* fix Makefile.am for daemons
* slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
* ipaserver/dcerpc: Ensure LSA pipe has session key before using it

=== David Kupka (25) ===
* Respect UID and GID soft static allocation.
* Stop dirsrv last in ipactl stop.
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce better er