FreeIPA 4.9.4

The FreeIPA team would like to announce FreeIPA 4.9.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.4

• 2575: [RFE] Installer wizard should prompt for DNS

The prompting during the server installation was enhanced to ask whether user wants to install the DNS component.

• 8807: [RFE] IPA to allow setting a new range type.

A new option was added to define how private groups represented in ID ranges of trusted Active Directory domains. More details can be found in the design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/auto-private-groups.html

Enhancements

Known Issues

Bug fixes

FreeIPA 4.9.4 is a stabilization release for the features delivered as a part of 4.9.0 version series.

There are more than 40 bug-fixes since FreeIPA 4.9.3 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

• #2575 (rhbz#952756) [RFE] Installer wizard should prompt for DNS
• #2692 (rhbz#817071) ipa-server-install ignores --hostname
• #4011 (rhbz#1026434) ipa-server-install crashes when AD subpackage is not installed
• #4166 (rhbz#1059135) Backup CS.cfg before modifying it
• #4751 (rhbz#1851835) Implement ACME certificate enrolment
• #6587 ipa-otpd: systemctl reports "degraded" for "is-system-running" after todays CentOS updates
• #7397 ipa host-add --ip-address... returns Internal error when forward-policy=none is defined
• #7835 (rhbz#1658280) Cert revocation for services and hosts is inefficient
• #8203 (rhbz#1835853) User page on WebUi only has half the information in CA-less install
• #8361 Add support for managing subuids and subgids in FreeIPA
• #8534 Nightly test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_promote
• #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
• #8632 [CA-less] user fails to login via WebUI in case of `--no-pkinit`
• #8641 Random failure in test_webui/test_user.py::TestLifeCycles::test_life_cycles
• #8676 (rhbz#1955440) [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions
• #8738 (rhbz#1934991) ACME fails to generate a cert on migrated RHEL8.4 server
• #8767 (rhbz#1943151) ipa-server-install displays debug output when --debug output is not specified.
• #8784 RFE: Reduce number of LDAP operations during hbacrule-del
• #8785 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_proxycommand_invalid_shell
• #8787 Add pkey_only to the service_find calls in the host plugin
• #8792 Random nightly test failure in test_replica_promotion.py::TestRenewalMaster::test_automatic_renewal_master_transfer_ondelete
• #8793 [Tracker] Nightly failure (rawhide/f34) in test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
• #8794 (rhbz#1948034) Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35
• #8797 Cache the value of ca_is_enabled in the request context
• #8798 (rhbz#1953656) RFE: Cache LDAP data within a request
• #8799 Remove DS problematic code
• #8801 user-mod requires two searches for a user entry
• #8802 IPA test failing with long serial numbers
• #8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.
• #8809 RFE: A tool to collect and analyze etimes from IPA logs
• #8814 Use Dogtag's CryptographyCryptoProvider instead of NSSCryptoProvider for KRAClient()
• #8818 new pylint 2.8 and astroid 2.5.5
• #8830 [azure] performance instability
• #8831 update_dna_shared_config may not update all entries
• #8832 (rhbz#1957768) ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
• #8837 Add support of 'ipaautoprivategroups' LDAP attribute on 'ID ranges' page
• #8844 [Tracker] Nightly test failure (sssd 2.5.0-1) in test_smb and test_sudo
• #8847 [F34] JS linter
• #8848 F32 is going to be EOL
• #8851 pkispawn: use loopback IP address instead of localhost4/localhost6 for AJP
• #8856 (rhbz#1951511) Allow specifying permanent logging settings for BIND
• #8872 FreeIPA 4.9.3 Web UI reports "Internal Server Error" on Fedora 34 Server after reboot
• #8873 Missing credential cache can raise 500 when authenticating instead of 401
• #8874 (rhbz#1962570) depend on system-logos-ipa instead of redhat-logos-ipa

Detailed changelog since 4.9.3

Armando Neto (1)

• ipatests: Bump PR-CI templates to Fedora 34 commit

Alexander Bokovoy (37)

• Become FreeIPA 4.9.4 commit
• po/uk.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
• po/es.po: Update translations to FreeIPA ipa-4-9 state commit
• Depend on system-logos-ipa on RHEL/CentOS Stream commit #8874
• service: enforce keytab user when retrieving the keytab commit #8872
• po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state commit
• po/tr.po: Update translations to FreeIPA ipa-4-9 state commit
• po/tg.po: Update translations to FreeIPA ipa-4-9 state commit
• po/sk.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
• po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state commit
• po/pt.po: Update translations to FreeIPA ipa-4-9 state commit
• po/pa.po: Update translations to FreeIPA ipa-4-9 state commit
• po/nl.po: Update translations to FreeIPA ipa-4-9 state commit
• po/mr.po: Update translations to FreeIPA ipa-4-9 state commit
• po/kn.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ja.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
• po/id.po: Update translations to FreeIPA ipa-4-9 state commit
• po/hu.po: Update translations to FreeIPA ipa-4-9 state commit
• po/hi.po: Update translations to FreeIPA ipa-4-9 state commit
• po/fr.po: Update translations to FreeIPA ipa-4-9 state commit
• po/eu.po: Update translations to FreeIPA ipa-4-9 state commit
• po/es.po: Update translations to FreeIPA ipa-4-9 state commit
• po/en_GB.po: Update translations to FreeIPA ipa-4-9 state commit
• po/de.po: Update translations to FreeIPA ipa-4-9 state commit
• po/cs.po: Update translations to FreeIPA ipa-4-9 state commit
• po/ca.po: Update translations to FreeIPA ipa-4-9 state commit
• po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state commit
• ds: Support renaming of a replication plugin in 389-ds commit #8799
• Update IRC links to point to Libera.chat commit
• freeipa.spec: do not use jsl for linting on Fedora 34+ commit #8847
• ipa-otpd: handle LDAP timeout in a better way commit #6587
• ipaserver/install/dns: handle SERVFAIL when checking reverse zone commit #8794
• Back to git snapshots commit

Antonio Torres (1)

• hbacrule: reduce number of LDAP searches during deletion commit #8784

Carl George (1)

• Also use uglifyjs on CentOS Stream 8 commit

Christian Heimes (7)

• Move constants, document timeout loop commit
• Fix update_dna_shared_config to wait for both entries commit #8831
• Constrain pylint to supported versions commit #8818
• Add max/min safe integer commit #8361, #8802
• Use PyCA crypto provider for KRAClient commit #8814
• Improve wsgi app loading commit
• Better mod_wsgi configuration commit

François Cami (7)

• ipatests: mark test_ipahealthcheck_hidden_replica as expected failure commit #8534, #8582
• ipatests: hidden replica: misc fixes commit #8534
• ipatests: hidden replica: use dns_update_system_records commit #8534
• ipatests: use wait_for_replication for hidden replica checks commit #8534
• ipatests: hiddenreplica: use wait_for_ipa_to_start after restore commit #8534
• ipatests: tasks.py: add dns_update_system_records commit #8534
• ipatests: tasks.py: add wait_for_ipa_to_start commit #8534

Florence Blanc-Renaud (12)

• pkispawn: override AJP connector address commit #8851
• Spec file: bump augeas-libs version commit #8676
• xmlrpc tests: add test for idrange auto-private-groups option commit #8807
• Trust: add auto private groups option commit #8807
• LDAP schema: new attribute ipaautoprivategroups commit #8807
• Design doc for idrange option "auto-private-groups" commit #8807
• ipatests: check that the output of sudo -V is not displayed commit #8767
• client install: do not capture sudo -V stdout commit #8767
• Bumps openssl requires commit #8632
• ipatests: TestIpaHealthCheck now needs 1 client commit
• ipatests: call server-del before replica uninstall commit #8792
• ipatests: collect PKI config files and NSSDB commit

MIZUTA Takeshi (8)

• Add --keyfile option to ipa-otptoken-import.1 commit
• Add argument for --entry option in ipa-managed-entries.1 commit
• Remove -s option from ipa-ldap-updater usage commit
• Add argument for --schema-file option in ipa-ldap-updater.1 commit
• Add arguments to the description of OPTIONS in ipa-winsync-migrate.1 commit
• Fix the option to match in the ipa-client-automount usage and man-page commit
• Add -d option to match in the ipa-client-samba usage and man-page commit
• man: fix typos in ipa-epn.1 commit

Michal Polovka (3)

• ipatests: test_installation: add install test scenarios commit #2575, #2692, #4011, #4166
• WebUI: Handle assertion if multiple notifications are present commit #8641
• WebUI: test_user: test if user is enabled by default commit #8203

Mohammad Rizwan (1)

• ipatests: Test if ACME renews the issued cert with cerbot commit #4751

Rob Crittenden (15)

• Catch ValueError when trying to retrieve existing credentials commit #8873
• ipatests: kinit on server for test_proxycommand_invalid_shell commit #8785
• Add ability to search on certificate revocation status commit #7835
• Load dogtag RA plugin in installers so profiles can be loaded commit #8738
• Parse the debugging cache log to determine the read savings commit #8798
• Add a unit test for the LDAP cache layer commit #8798
• Add LDAP cache options to the default.conf man page commit #8798
• Implement simple LDAP cache layer commit #8798
• Unify installer context to be 'installer' commit #8798
• Call the LDAPClient layer when modifying values commit #8798
• Only attempt to upgrade ACME configuration files if deployed commit #8832
• Parse Apache log etime and display average per command commit #8809
• Retrieve the user objectclasses when checking for existence commit #8801
• Cache the value of ca_is_enabled in the request context commit #8797
• Add pkey_only to the service_find calls in host del and disable commit #8787

Stanislav Levin (27)

• ipatests: Fetch sudo rules without time offset commit #8844
• azure: Make it possible to adjust Docker resources per test env commit
• azure: coredump: Wait for systemd fully booted commit
• azure: Re-balance tests envs commit
• azure: Warn about extra and missing gating tests compared to PR-CI commit
• ipatests: dnssec: Add alternative approach for checking chain of trust commit #8793
• azure: Collect installed packages commit
• ipatests: Suppress list trust or certificates commit
• ipatests: Ignore warnings on failed to read files on tarring commit
• pytest: Show extra summary information for all except passed tests commit
• dns: get_reverse_zone: Ignore resolver's timeout commit #7397
• dnsutil: Improvements for IPA DNS Resolver commit
• ipatests: Handle network-isolated mode commit
• azure: Run Base and XMLRPC tests is isolated network commit
• ipatests: Setup and collect BIND logs commit
• BIND: Setup logging commit #8856
• azure: Warn about memory issues commit
• azure: Add workaround for PhantomJS against OpenSSL 1.1.1 commit
• ipatests: Update expectations for test_detect_container commit
• azure: Mask systemd-resolved commit
• azure: Remove no longer needed repo commit
• azure: Wait for systemd booted commit
• azure: Enforce multi-user.target as default systemd's target commit
• azure: Collect systemd boot log commit
• azure: bump F32->F34 commit #8848
• pkispawn: Make timeout consistent with IPA's startup_timeout commit #8830
• pylint: Adapt to new Pylint 2.8 commit #8818

Sergey Orlov (1)

• ipatests: increase timeout for test_commands up to 1.5 hours commit

Serhii Tsymbaliuk (2)

• WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page commit #8837
• WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page commit #8837

Sudhir Menon (1)

• ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client commit