The FreeIPA team would like to announce FreeIPA 4.6.3 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 27 will be available in the official COPR repository [1].
== Highlights in 4.6.3 == === Bug fixes === FreeIPA 4.6.3 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 31 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on the Upgrade [2] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/) or #freeipa channel on Freenode. == Resolved tickets == * 7253 Custodia keys are not removed on uninstall * 7381 Drop PyOpenSSL requirement * 7373 "An internal error has occurred" show up when trying to add a user to the Member User table in Vault. * 7350 ObjectclassViolation seen while adding idview with domain-resolution-order option. * 7341 nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during install even if another value was provided in an LDIF ( --dirsrv-config-file ) * 7338 FreeIPA server install/upgrade does not process schema.d/ files correctly * 7333 Need to document kinit_lifetime in /etc/ipa/default.conf * 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't contact LDAP server", 'errno': 111, 'info': 'Connection refused'} * 7315 Packaging: use pylint 1.7.5 and remove disable for import stat * 7312 Turn installutils.set_directive() into a context manager * 7288 set_directive can overwrite wrong directives * 7280 CA less IPA install with external certificates fails on RHEL 7 in FIPS mode * 7276 ipatest: automation for pagure ticket 7174 * 7265 test_vault: increase WAIT_AFTER_ARCHIVE * 7264 IPA trust-add internal error (expected security.dom_sid got None) * 7250 Spelling error in ipa-replica-conncheck man page * 7247 ipa-backup does not backup Custodia keys and files * 7237 ipa-getkeytab man page should have more details about consequences of krb5 key renewal * 7231 ipa-restore broken with python2 * 7227 389-ds-base crashed as part of ipa-server-intall in ipa-uuid * 7223 show REPLICA_FILE as optional when ipa-ca-install is executed with --help * 7221 Replica installation at domain-level 0 fails against upgraded ipa-server * 7220 Third KRA installation in topology fails * 7202 IPA User Details not being displayed in WebUI * 7182 ca_less testcase fixes * 7174 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFI * 7169 domain resolution order field in Identity->ID Views->Settings tab missing in WebUI * 7168 IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled * 7161 ipaplatform module import error in 4.5 branch on f26 causing server installation failure * 7145 ca_certfile is not honored on API requests * 7111 Incorrect attribute level rights (ipaallowedtoperform) of service object * 7016 ipa_server_certinstall - restart krb5kdc service after kdc cert is installed * 6968 Consider moving upgrades from rpm install post * 6703 Enable ephemeral KRA requests * 6666 Unable to re-add broken AD trust - Unexpected Information received * 6611 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running * 6371 host-find slowness caused by missing host attributes in index * 6091 [CI test]: improve DNS locations test * 5801 ipa-server-install: error: option --forwarder: invalid IP address 127.0.0.11: cannot use loopback IP address when using Docker embedded DNS server == Detailed changelog since 4.6.2 == === Alexander Bokovoy (13) === * ipaserver/plugins/trust.py: pep8 compliance * trust: detect and error out when non-AD trust with IPA domain name exists * ipaserver/plugins/trust.py; fix some indenting issues * ipa-extdom-extop: refactor nsswitch operations * test_dns_plugin: cope with missing IPv6 in Travis * travis-ci: collect logs from cmocka tests * ipa-kdb: override krb5.conf when testing KDC code in cmocka * adtrust: filter out subdomains when defining our topology to AD * ipa-replica-manage: implicitly ignore initial time skew in force-sync * ds: ignore time skew during initial replication step * Make sure upgrade also checks for IPv6 stack * OTP import: support hash names with HMAC- prefix * dsinstance: Restore context after changing dse.ldif === Abhijeet Kasurde (3) === * Trivial typo fix. * ipatests: Fix interactive prompt in ca_less tests * tests: correct usage of hostname in logger in tasks === Alexander Koksharov (2) === * ensuring 389-ds plugins are enabled after install * kra-install: better warning message === amitkuma (2) === * Custom ca-subject logging * Documenting kinit_lifetime in /etc/ipa/default.conf === Aleksei Slaikovskii (9) === * test_backup_and_restore.py AssertionError fix * ipalib/frontend.py output_for_cli loops optimization * View plugin/command help in pager * ipa-restore: Set umask to 0022 while restoring * Prevent installation with single label domains * Add a notice to restart ipa services after certs are installed * Fix TypeError while ipa-restore is restoring a backup * ipaclient.plugins.dns: Cast DNS name to unicode * Less confusing message for PKINIT configuration during install === Christian Heimes (58) === * Remove unused PyOpenSSL from spec file * Give ODS socket a bit of time * Require dbus-python on F27 * Fix pylint error in ipapython/dn.py * Lower python-ldap requirement for F27 * ipa-run-tests: make --ignore absolute, too * Sort external schema files * LGTM: unnecessary else in for loop * LGTM: Use explicit string concatenation * LGTM: raise handle_not_found() * LGTM: Fix multiple use before assignment * LGTM: Remove redundant assignment * LGTM: Fix exception in permission_del * LGTM: Membership test with a non-container * LGTM: Name unused variable in loop * LGTM: Use of exit() or quit() * LGTM: Silence unmatchable dollar * Make fastlint even faster * ipa-run-tests: replace chdir with plugin * Include ipa_krb5.h without util prefix * Custodia uninstall: Don't fail when LDAP is down * Require python-ldap 3.0.0b2 * Use pylint 1.7.5 with fix for bad python3 import * Vault: Add argument checks to encrypt/decrypt * Fix pylint warnings inconsistent-return-statements * Travis: Add workaround for missing IPv6 support * Replace nose with unittest and pytest * Add safe DirectiveSetter context manager * More log in verbs * Address more 'to login' * Fix grammar error: Log out * Fix grammar in login screen * Add make targets for fast linting and testing * Add marker needs_ipaapi and option to skip tests * Add python_requires to Python package metadata * Remove Custodia keys on uninstall * NSSDB: use preferred convert command * Skip test_rpcclient_context in client tests * Update to python-ldap 3.0.0 * Update builddep command to install Python 3 and tox deps * Add workaround for pytest 3.3.0 bug * Fix dict iteration bug in dnsrecord_show * Reproducer for bug in structured dnsrecord_show * Use Python 3 on Travis * Prevent installation of Py2 and Py3 mod_wsgi * Require UTF-8 fs encoding * libotp: add libraries after objects * Run tox tests for PyPI packages on Travis * Support sqlite NSSDB * Py3: Fix vault tests * Test script for ipa-custodia * ipa-custodia: use Dogtag's alias/pwdfile.txt * Use namespace-aware meta importer for ipaplatform * Remove ignore_import_errors * Backup ipa-custodia conf and keys * Py3: fix fetching of tar files * Use os.path.isfile() and isdir() * Block PyOpenSSL to prevent SELinux execmem in wsgi === David Kupka (2) === * schema: Fix internal error in param-{find,show} with nonexistent object * tests: Add LDAP URI to ldappasswd explicitly === Felipe Barreto (12) === * Fixing vault-add-member to be compatible with py3 * Fixing test_backup_and_restore assert to do not rely on the order * Fixing test_testconfig with proper asserts * Warning the user when using a loopback IP as forwarder * Removing replica-s4u2proxy.ldif since it's not used anymore * Fix log capture when running pytests_multihosts commands * Checks if replica-s4u2proxy.ldif should be applied * Fixing tox and pylint errors * Fixing param-{find,show} and output-{find,show} commands * Checks if Dir Server is installed and running before IPA installation * Changing idoverrideuser-* to treat objectClass case insensitively * Fixing how sssd.conf is updated when promoting a client to replica === François Cami (1) === * 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server. === Florence Blanc-Renaud (16) === * test_integration: backup custodia conf and keys * Idviews: fix objectclass violation on idview-add * Improve help message for ipa trust-add --range-type * Fix ca less IPA install on fips mode * Fix ipa-replica-install when key not protected by PIN * Fix ipa-restore (python2) * ipa-getkeytab man page: add more details about the -r option * Py3: fix ipa-replica-conncheck * Fix ipa-replica-conncheck when called with --principal * py3: fix ipa cert-request --database ... * ipa-cacert-manage renew: switch from ext-signed CA to self-signed * ipa-server-upgrade: do not add untracked certs to the request list * ipa-server-upgrade: fix the logic for tracking certs * Fix ipa-server-upgrade with server cert tracking * Python3: Fix winsync replication agreement * Fix ipa config-mod --ca-renewal-master === Fraser Tweedale (32) === * Don't use admin cert during KRA installation * Add uniqueness constraint on CA ACL name * Add tests for installutils.set_directive * installutils: refactor set_directive * pep8: reduce line lengths in CAInstance.__enable_crl_publish * Prevent set_directive from clobbering other keys * install: report CA Subject DN and subject base to be used * ipa_certupdate: avoid classmethod and staticmethod * Run certupdate after promoting to CA-ful deployment * ipa-ca-install: run certupdate as initial step * CertUpdate: make it easy to invoke from other programs * renew_ra_cert: fix update of IPA RA user entry * Re-enable some KRA installation tests * Use correct version of Python in RPM scripts * Remove caJarSigningCert profile and related code * CertDB: remove unused method issue_signing_cert * Remove XPI and JAR MIME types from httpd config * Remove mention of firefox plugin after CA-less install * Add missing space in ipa-replica-conncheck error * ipa-cacert-manage: avoid some duplicate string definitions * ipa-cacert-manage: handle alternative tracking request CA name * Add tests for external CA profile specifiers * ipa-cacert-manage: support MS V2 template extension * certmonger: add support for MS V2 template * certmonger: refactor 'resubmit_request' and 'modify' * ipa-ca-install: add --external-ca-profile option * install: allow specifying external CA template * Remove duplicate references to external CA type * cli: simplify parsing of arbitrary types * py3: fix pkcs7 file processing * ipa-pki-retrieve-key: ensure we do not crash * issue_server_cert: avoid application of str to bytes === John Morris (1) === * Increase dbus client timeouts during CA install === Martin Basti (1) === * py3: set samba dependencies === Michal Reznik (23) === * test_caless: add SAN extension to other certs * prci: run full external_ca test suite * tests: move CA related modules to pytest_plugins * test_external_ca: selfsigned->ext_ca->selfsigned * test_tasks: add sign_ca_and_transport() function * paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants * test_caless: test PKINIT install and anchor update * test_renewal_master: add ipa csreplica-manage test * test_cert_plugin: check if SAN is added with default profile * test_help: test "help" command without cache * test_x509: test very long OID * test_batch_plugin: fix py2/3 failing assertion * test_vault: increase WAIT_AFTER_ARCHIVE * test_caless: fix http.p12 is not valid * test_caless: fix TypeError on domain_level compare * manpage: ipa-replica-conncheck - fix minor typo * test_external_dns: add missing test cases * test_caless: open CA cert in binary mode * test_forced_client: decode get_file_contents() result * tests: add host zone with overlap * tests_py3: decode get_file_contents() result * test_caless: add caless to external CA test * test_external_ca: switch to python-cryptography === Mohammad Rizwan Yusuf (1) === * ipatest: replica install with existing entry on master === Petr Čech (2) === * tests: Mark failing tests as failing * ipatests: Fix on logs collection === Petr Vobornik (1) === * browser config: cleanup after removal of Firefox extension === Pavel Vomacka (16) === * WebUI: make keytab tables on service and host pages writable * Include npm related files into Makefile and .gitignore * Update jsl.conf in tests subfolder * Edit TravisCI conf files to run WebUI unit tests * Update README about WebUI unit tests * Update tests * Create symlink to qunit.js * Update jsl to not warn about module in Gruntfile * Add Gruntfile and package.json to ui directory * Update QUnit CSS file to 2.4.1 * Update qunit.js to version 2.4.1 * Extend ui_driver to support geckodriver log_path * WebUI: make Domain Resolution Order writable * WebUI: Fix calling undefined method during reset passwords * WebUI: remove unused parameter from get_whoami_command * Adds whoami DS plugin in case that plugin is missing === Rob Crittenden (13) === * Log contents of files created or modified by IPAChangeConf * Don't manually generate default.conf in server, use IPAChangeConf * Enable ephemeral KRA requests * Make the path to CS.cfg a class variable * Run server upgrade in ipactl start/restart * If the cafile is not present or readable then raise an exception * Add test to ensure that properties are being set in rpcclient * Use the CA chain file from the RPC context * Fix cert-find for CA-less installations * Use 389-ds provided method for file limits tuning * Collect group membership without a size limit * Add exec to /var/lib/ipa/sysrestore for install status inquiries * Use TLS for the cert-find operation === Robbie Harwood (1) === * ipa-kdb: support KDB DAL version 7.0 === Rishabh Dave (1) === * ipa-ca-install: mention REPLICA_FILE as optional in help === Sumit Bose (1) === * ipa-kdb: reinit trusted domain data for enterprise principals === Stanislav Laznicka (53) === * replica_prepare: Remove the correct NSS DB files * Add a helpful comment to ca.py:install_check() * Don't allow OTP or RADIUS in FIPS mode * caless tests: decode cert bytes in debug log * caless tests: make debug log of certificates sensible * Add indexing to improve host-find performance * Add the sub operation for fqdn index config * x509: remove subject_base() function * x509: remove the strip_header() function * py3: pass raw entries to LDIFWriter * ipatests: use python3 if built with python3 * PRCI: use a new template for py3 testing * travis: pep8 changes to pycodestyle * csrgen_ffi: cast the DN value to unsigned char * * Remove pkcs10 module contents * Add tests for CertificateSigningRequest * parameters: introduce CertificateSigningRequest * parameters: relax type checks * csrgen: update docstring for py3 * csrgen: accept public key info as Bytes * csrgen_ffi: pass bytes where "char *" is required * p11-kit: add serial number in DER format * travis: make tests fail if pep8 does not pass * Remove the `message` attribute from exceptions * rpc: don't decode cookie_string if it's None * Don't write p11-kit EKU extension object if no EKU * pylint: fix missing module * travis: run the same tests in python2/3 * certmap testing: fix wrong cert construction * ldap2: don't use decode() on str instance * client: fix retrieving certs from HTTP * uninstall: remove deprecation warning * ldif: handle attribute names as strings * pkinit: don't fail when no pkinit servers found * pkinit: fix sorting dictionaries * travis: remove "fast" from "makecache fast" * Change Travis CI container to FreeIPA-owned * Change the requirements for pylint in wheel * rpcserver: don't call xmlserver.Command * secrets: disable relative-imports for custodia * pylint: disable __hash__ for some classes * install.util: disable no-value-for-parameter * pylint: make unsupported-assignment-operation check local * sudocmd: fix unsupported assignment * pylint: Iterate through dictionaries * parameters: convert Decimal.precision to int * dcerpc: disable unbalanced-tuple-unpacking * dcerpc: refactor assess_dcerpc_exception * pylint: fix no-member in schema plugin * csrgen: fix incorrect codec for pyasn BitString * pylint: fix not-context-manager false positives * travis: temporary workaround for Travis CI * Travis: archive logs of py3 jobs === Thierry Bordaz (1) === * 389-ds-base crashed as part of ipa-server-intall in ipa-uuid === Tomas Krizek (17) === * prci: bump ci-master-f27 template to 1.0.2 * prci: define testing topologies * prci: start testing PRs on fedora 27 * py3 spec: remove python2 dependencies from server-trust-ad * py3 spec: remove python2 dependencies from freeipa-server * py3 spec: use proper python2 package names * ipatests: fix circular import for collect_logs * ipatests: collect logs for external_ca test suite * prci: add external_ca test * ldap: limit the retro changelog to dns subtree * spec: bump 389-ds-base to 1.3.7.6-1 * ipatests: set default 389-ds log level to 0 * prci: update F26 template * spec: bump python-pyasn1 to 0.3.2-2 * prci: use f26 template for master * VERSION: set 4.6 git snapshot * Contributors.txt: update === Thorsten Scherf (1) === * Add debug option to ipa-replica-manage and remove references to api_env var. [1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ [2] https://www.freeipa.org/page/Upgrade _______________________________________________ Freeipa-interest mailing list Freeipa-interest@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-interest