The FreeIPA team would like to announce FreeIPA 4.8.7 release!

It can be downloaded from Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.7

TODO RELEASE NOTES - put release notes (if any) to proper categories

EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.

DNS record time to live (TTL) parameters can be edited in Web UI

host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected hostgroups ('ipaservers') cannot be renamed.

The ``--setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.

When deleting services, report exact name of a system required principal that couldn't be deleted.

On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write individual files per each certificate for Debian-based platforms.

ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check whether the host backups are run has all the necessary (used) roles.

Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.

Kerberos tools limit password entered in kpasswd or kadmin tools to 1024 characters but do not allow to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.

cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP.

Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.

service delegation rules and targets now allow to specify hosts as a rule or a target's member principal.

Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.

389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc) to have quoted attributes. Otherwise the aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow 389-ds syntax. Any third-party ACIs need to be updated manually.

389-ds introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.

In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.

CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.

When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

Managed permissions can now address self-service operations. This makes possible for 3rd-party plugins to supply full set of managed permissions.

A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.



Known Issues

Bug fixes

FreeIPA 4.8.7 is a stabilization release for the features delivered as a part of 4.8 version series.

There are more than 60 bug-fixes details of which can be seen in the list of resolved tickets below.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Resolved tickets

Detailed changelog since 4.8.6

Armando Neto (1)

Alexander Bokovoy (32)

Peter Keresztes Schmidt (10)

Christian Heimes (37)

François Cami (13)

Florence Blanc-Renaud (4)

Francisco Trivino (1)

Fraser Tweedale (8)

Kaleemullah Siddiqui (1)

Miro Hrončok (1)

Michal Polovka (2)

Mohammad Rizwan Yusuf (6)

Rob Crittenden (3)

Sam Morris (1)

Sergio Oliveira Campos (1)

Stanislav Levin (18)

Sergey Orlov (10)

Sumedh Sidhaye (2)

Stasiek Michalski (1)

Serhii Tsymbaliuk (6)

sumenon (7)

Timo Aaltonen (4)

Viktor Ashirov (1)