FreeIPA 4.8.7 release notes

The FreeIPA team would like to announce FreeIPA 4.8.7 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.7

TODO RELEASE NOTES - put release notes (if any) to proper categories

3687: [RFE] IPA user account expiry warning.

: EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.

3827: [RFE] Expose TTL in web UI

: DNS record time to live (TTL) parameters can be edited in Web UI

6783: [RFE] Host-group names command rename

: host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected hostgroups ('ipaservers') cannot be renamed.

7577: [RFE] DNS package check should be called earlier in installation routine

: The ``--setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.

7695: ipa service-del should display principal name instead of Invalid 'principal'.

: When deleting services, report exact name of a system required principal that couldn't be deleted.

8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

: On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write individual files per each certificate for Debian-based platforms.

8217: RFE: ipa-backup should compare locally and globally installed server roles

: ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check whether the host backups are run has all the necessary (used) roles.

8222: Upgrade dojo.js

: Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.

8268: Prevent use of too long passwords

: Kerberos tools limit password entered in kpasswd or kadmin tools to 1024 characters but do not allow to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.

8276: Add default password policy for sysaccounts

: cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP.

8284: Upgrade jQuery version to actual one

: Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.

8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets

: service delegation rules and targets now allow to specify hosts as a rule or a target's member principal.

8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias

: Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.

8301: The value of the first character in target* keywords is expected to be a double quote

: 389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc) to have quoted attributes. Otherwise the aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow 389-ds syntax. Any third-party ACIs need to be updated manually.

8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings

: 389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.

8322: [RFE] Changing default hostgroup is too easy

: In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.

8325: [WebUI] Fix htmlPrefilter issue in jQuery

: CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.

8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

: When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

8348: Allow managed permissions with ldap:///self bind rule

: Managed permissions can now address self-service operations. This makes possible for 3rd-party plugins to supply full set of managed permissions.

8357: Allow managing IPA resources as a user from a trusted Active Directory forest

: A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp

: LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.

END TODO

Enhancements

Known Issues

Bug fixes

FreeIPA 4.8.7 is a stabilization release for the features delivered as a part of 4.8 version series.

There are more than 60 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

#3687 (rhbz#913799) [RFE] IPA user account expiry warning.
#3827 [RFE] Expose TTL in web UI
#6474 Remove ipaplatform dependency from ipa modules
#6783 (rhbz#1430365) [RFE] Host-group names command rename
#6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
#6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
#7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine
#7695 (rhbz#1623763) ipa service-del should display principal name instead of Invalid 'principal'.
#8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
#8064 Request for IPA CI to enable DS audit/auditfail logging
#8066 (rhbz#1750242) Don't use -t option to klist in adtrust code when timestamp is not needed
#8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
#8101 Wrong pytest requirement in specfile
#8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
#8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
#8159 please migrate to the new Fedora translation platform
#8163 (rhbz#1782572) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
#8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles
#8222 Upgrade dojo.js
#8247 test_fips PR-CI templates have a too-short timeout
#8251 [Azure] Catch coredumps
#8254 [Azure] 'Tox' task fails against Python3.8
#8261 [ipatests] Integration tests fail on non-firewalld distros
#8262 test_ipahealthcheck needs a higher timeout than 3600
#8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
#8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
#8266 test_webui_server requires a higher timeout than 3600
#8268 Prevent use of too long passwords
#8272 Use /run instead of /var/run
#8273 (rhbz#1834385) Man page syntax issue detected by rpminspect
#8276 Add default password policy for sysaccounts
#8283 Failures and AVCs with OpenDNSSEC 2.1
#8284 Upgrade jQuery version to actual one
#8287 named not starting after #8079, ipa-ext.conf breaks bind
#8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
#8290 API inconsistencies
#8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
#8297 Fix new pylint 2.5.0 warnings and errors
#8298 [WebUI] Cover membership management with UI tests
#8300 Replace uglify-js with python3-rjsmin
#8301 The value of the first character in target* keywords is expected to be a double quote
#8306 Adopt Black code style
#8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
#8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case
#8309 Convert ipaplatform from namespace package to regular package
#8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
#8312 Fix api.env.in_tree detection logic
#8313 Values of api.env.mode are inconsistent
#8315 (rhbz#1833266) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
#8316 [Azure] Whitelist clock_adjtime syscall
#8317 XML-RCP and CLI tests depend on internal --force option
#8319 Support server referrals for enterprise principals
#8322 [RFE] Changing default hostgroup is too easy
#8323 [Build failure] Race: make po fails on parallel build
#8325 [WebUI] Fix htmlPrefilter issue in jQuery
#8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
#8330 [Azure] Build job fails on `tests` container preparation
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
#8339 [WebUI] User details tab headers don't show member count when on settings tab
#8348 Allow managed permissions with ldap:///self bind rule
#8349 bind-9.16 and dnssec-enable
#8350 bind-9.16 and DLV
#8352 RPC API crashes when a user is disabled while a session exists
#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
#8358 TTL of DNS record can be set to negative value
#8359 [WebUI] dnsrecord_mod results in JS error
#8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp

Detailed changelog since 4.8.6

Armando Neto (1)

prci: update templates for new Fedora release commit

Alexander Bokovoy (32)

ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset commit #8362
ipatests: test that adding Active Directory user to a role makes it an administrator commit #8357
Web UI: allow users from trusted Active Directory forest manage IPA commit #8335
tests: account for ID overrides as members of groups and roles commit #7255
Support adding user ID overrides as group and role members commit #7255
idviews: handle unqualified ID override lookups from Web UI commit #7255
support using trust-related operations in the server console commit
kdb: handle enterprise principal lookup in AS_REQ commit #8319
azure: do not run test_commands due to failures in low memory cases commit
test_smb: test S4U2Self operation by IPA service commit #8319
ipa-kdb: refactor principal lookup to support S4U2Self correctly commit #8319
ipa-kdb: cache local TGS in the driver context commit #8319
ipa-kdb: add primary group to list of groups in MS-PAC commit #8319
ipa-kdb: Always allow services to get PAC if needed commit #8319
ipa-kdb: add asserted identity SIDs commit #8319
kdb: add minimal server referrals support for enterprise principals commit #8319
ipa-tests: add a test to make sure MS-PAC is produced by KDC commit #8319
ipa-print-pac: acquire and print PAC record for a user commit #8319
ipa-kdb: add UPN_DNS_INFO PAC structure commit #8319
baseldap: de-duplicate passed attributes when checking for limits commit #8328
service delegation: allow to add and remove host principals commit #8289
WebUI: use python3-rjsmin to minify JavaScript files commit #8300
test_smb: test that we can auth as NetBIOS alias commit #8291
kdb: fix memory handling in ipadb_find_principal commit #8291
kdb: initialize flags in ipadb_delete_principal() commit #8291
Azure Pipelines: switch to Fedora 32 commit
Azure Pipelines: Override services known to not work in containers commit
Add pytest.skip_if_container() commit
CVE-2020-1722: prevent use of too long passwords commit #8268
Allow rename of a host group commit #6783
Add 'api' and 'aci' targets to make commit
Remove Fedora repository fastmirror selection commit

Peter Keresztes Schmidt (10)

Split named custom config to allow changes in options stanza commit #8287
util: replace NSS usage with OpenSSL commit #6857
util: add unit test for pw hashing commit #6857
po: remove zanata config since translation was moved to weblate commit #8159
Specify min and max values for TTL of a DNS record commit #8358
WebUI: Add units to some DNS zone and IPA config fields commit
WebUI: Expose TTL of DNS records commit #3827
WebUI: Refresh DNS record data correctly after mod operation commit #8359
WebUI: Fix invalid RPC calls when link widget has no pkey passed commit #8338
WebUI: Use data adapter to load facet header data commit #8339

Christian Heimes (37)

libotp: Replace NSS with OpenSSL HMAC commit #6857
Include named config files in backup commit
Handle DatabaseError in RPC-Server connect() commit #8352
Allow permissions with 'self' bindruletype commit #8348
make: serialize strip-po / strip-pot commit #8323
Remove obsolete BIND named.conf options commit #8349, #8350
Add ipa-print-pac to gitignore commit
Allow dnsrecord-add --force on clients commit #8317
Check for freeipa-server-dns package early commit #7577
Hard-code in_tree=True for tests commit #8317
Fix detection logic for api.env.in_tree commit #8312
Make api.env.mode consistent commit #8313
Disable password schema update on LDAP bind commit #8315
Use httpd 2.4 syntax for access control commit
Fix make devcheck commit #8307
Make ipaplatform a regular top-level package commit #6474, #8309
Reconfigure pycodestyle commit #8306
Manually reformat ipapython/version.py.in commit #8306
Silence W601 .has_key() is deprecated commit #8306
Fix E722 do not use bare 'except' commit #8306
Fix E721 do not compare types, use 'isinstance()' commit #8306
Fix E714 test for object identity should be 'is not' commit #8306
Fix E713 test for membership should be 'not in' commit #8306
Fix E712 comparison to True / False commit #8306
Fix E711 comparison to None commit #8306
Fix E266 too many leading '#' for block comment commit #8306
Simplify pki proxy conf commit
Make check_required_principal() case-insensitive commit #8308
Address issues found by new pylint 2.5.0 commit #8297
Add skip_if_platform marker commit
Define default password policy for sysaccounts commit #8276
Use api.env.container_sysaccounts commit #8276
Fix exception escape warning commit
Fix APIVersion.__getnewargs__ commit
servrole: takes_params must be a tuple commit #8290
Fix various OpenDNSSEC 2.1 issues commit #8283
Use /run and /run/lock instead of /var commit #8272

François Cami (13)

IPA-EPN: Test suite. commit #3687
IPA-EPN: First version. commit #3687
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py commit
tasks.py: add krb5_trace to create_active_user and kinit_as_user commit
tox.ini: switch from W503 to W504 commit
ipatests: increase test_webui_server timeout commit #8266
ipatests: increase test_ipahealthcheck timeout commit #8262
ipatests: move ipa_backup to tasks commit #8217
ipa-backup: Make sure all roles are installed on the current master. commit #8217
test_backup_and_restore: add server role verification steps commit #8217
ipatests: test ipa-backup with different role configurations. commit #8217
nightly_ipa-4-8_previous.yaml: fix typo commit
pr-ci templates: update test_fips timeouts commit #8247

Florence Blanc-Renaud (4)

ipatests: Check if user with 'User Administrator' role can delete group. commit #6884
ipatests: enable 389-ds audit log and collect audit file commit #8064
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found commit #8311
Man pages: fix syntax issues commit #8273

Francisco Trivino (1)

prci_definitions: remove test_smb from ipa-4-8 gating workflow commit

Fraser Tweedale (8)

ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname commit #8186
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate commit #8186
httpinstance: add ipa-ca.$DOMAIN alias in initial request commit #8186
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers commit #8186
httpinstance: add fqdn and ipa-ca alias to Certmonger request commit #8186
certmonger: support dnsname as request search criterion commit #8186
certmonger: move 'criteria' description to module docstring commit #8186
certmonger: avoid mutable default argument commit #8186

Kaleemullah Siddiqui (1)

Test for check of HostKeyAlgorithms option in ssh_config commit #8082

Miro Hrončok (1)

Fix a syntax typo commit

Michal Polovka (2)

Test for healthcheck being run on replica with stopped master commit
Test for output being indented by default value if not stated implicitly. commit

Mohammad Rizwan Yusuf (6)

ipatests: Test deletion of required principal throws proper error commit #7695
Display principal name while del required principal commit #7695
WebUI tests: fix PEP8 issues in test_webui/test_user.py commit
webui: check if notification area doesn't intercept menu button commit #8120
ipatests: Test to check password leak in apache error log commit #8017
ipatests:Test if proper error thrown when AD user tries to run IPA commands commit #8163

Rob Crittenden (3)

Add index for krbPasswordExpiration for EPN commit #3687
Add a jinja2 e-mail template for EPN commit #3687
Perform baseline healthcheck commit

Sam Morris (1)

Debian: write out only one CA certificate per file commit #8106

Sergio Oliveira Campos (1)

Add test for sssd ad trust lookup with dn in certmaprule commit

Stanislav Levin (18)

Azure: Make dnf repos consistent commit #8330
Azure: Always update apt cache commit
Azure: Allow chronyd to sync time commit #8316
Azure: Add custom seccomp profile commit #8316
Azure: Increase memory limit commit #8264
ipatests: Collect all logs on all Unix hosts commit #8265
ipatests: Pretty print multihost config commit #8265
ipatests: Cleanup 'collect_logs' decorator commit #8265
ipatests: Specify shell implementation commit #8101
ipatests: Specify Pytest XML report schema commit #8101
ipatests: Remove no longer needed 'skip' compatibility commit #8101
ipatests: Remove no longer needed 'capture' compatibility commit #8101
ipatests: Remove no longer needed 'get_marker' commit #8101
ipatests: Remove deprecated yield_fixture commit #8101
ipatests: Bump required Pytest commit #8101
ipatests: Mark firewalld commands as no-op on non-firewalld distros commit #8261
Azure: Gather coredumps commit #8251
Azure: Allow distros to install Python they want commit #8254

Sergey Orlov (10)

ipatests: mark test_trustdomain_disable test as expectedly failing commit
ipatests: add context manager for declaring part of test as xfail commit
ipatests: add utility for getting sssd version on remote host commit
update prci definitions for test_sssd.py commit
ipatests: add test for sssd behavior with disabled trustdomains commit
ipatests: run all cases from test_integration/test_idviews.py in nightlies commit
ipatests: explicitly save output of certutil commit
ipatests: add AD DC as a DNS forwarder before establishing trust commit
ipatests: add missing classes from test_installation in nightly runs commit
ipatests: run test_integration/test_cert.py in PR-CI commit

Sumedh Sidhaye (2)

Test for removing a subgroup commit
Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state commit #8164

Stasiek Michalski (1)

Support for SUSE/openSUSE ipaplatform commit

Serhii Tsymbaliuk (6)

WebUI: Apply jQuery patch to fix htmlPrefilter issue commit #8325
WebUI tests: Add confirmation step after changing default group in automember tests commit #8322
WebUI: Add confirmation dialog for changing default user/host group commit #8322
WebUI tests: cover membership management with UI tests commit #8298
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1 commit #8284
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2 commit #8222

sumenon (7)

ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files commit
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck commit
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck commit
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 commit #8066
ipatests: Test for ipahealthcheck tool for IPADomainCheck. commit
ipatests: Test for ipahealthcheck.ds.ruv check commit
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup commit

Timo Aaltonen (4)

ipatests/test_installation: Use knownservices to map the service name. commit
ipatests/test_commands: Check sssd version like on test_sssd commit
Debian: Use parse_ipa_version from redhat. commit
Debian: Use enable/disable_ldap_automount() from base commit

Viktor Ashirov (1)

Update ACIs with the correct syntax commit #8301