The FreeIPA team would like to announce FreeIPA 4.7.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 29 and Fedora 28 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR
repository] and also published to Fedora 28 and Fedora 29 updates.
== Highlights in 4.7.2 ==
Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.7.2 is a stabilization release for the features delivered as a
part of 4.7 release series.
There are more than 10 bug-fixes details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7779 Update PR-CI definitions to use Fedora 29
* 7776 authselect 1.0.2 fails on unknown feature
* 7772 pylint 2.2.0 violations
* 7769 Installer does not detect that kadmin port 749/UDP is blocked
* 7767 make fasttest errors because of missing python3-lib389
* 7758 pylint-2.1.1 errors on Fedora 29
* 7754 Replace archaic term messagebus with dbus
* 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
* 7741 Smart card advise script uses hard-coded Python interpreter
* 7729 Bad output on failed client installation rollback
* 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
* 7723 NTP options fails on ipa replica
* 7671 Remove --no-sssd and --noac options
* 7658 [RFE] sysadm_r should be included in default SELinux user map order
* 7651 ipa-replica-install --setup-kra broken on DL1
* 7408 ipa-replica-install command should display proper message on the console.
* 5378 Incorrect error message at wrong password from private key file
== Detailed changelog since 4.7.1 ==
=== Alexander Bokovoy (6) ===
* Become IPA 4.7.2
* ipa-kdb: reduce LDAP operations timeout to 30 seconds
* ipa-4-7: merge translations from zanata
* ipaserver.install.adtrust: fix CID 323644
* net groupmap: force using empty config when mapping Guests
* adtrust: define Guests mapping after creating cifs/ principal
=== Adam Williamson (1) ===
* Fix authselect invocations to work with 1.0.2
=== Christian Heimes (35) ===
* Update temp commit template to F29
* Increase debugging for blocked port 749 and 464
* Address misc pylint issues in CLI scripts
* pylint: also verify scripts
* pylint: Fix duplicate-string-formatting-argument
* pylint 2.2: Fix unnecessary pass statement
* PR-CI: Restart rpcbind when it blocks kadmin port
* Fix pytest deprecation warning
* certdb: validate server cert signature
* Require pylint 2.1.1-2
* Silence comparison-with-itself in tests
* Fix raising-format-tuple
* Fix various dict related pylint warnings
* Fix Module 'pytest' has no 'config' member
* Fix useless-import-alias
* Fix comparison-with-callable
* Address consider-using-in
* Ignore consider-using-enumerate for now
* Address inconsistent-return-statements
* Address pylint violations in lite-server
* Ignore W504 code style like in travis config
* Fix test_cli_fsencoding on Python 3.7, take 2
* Replace messagebus with modern name dbus
* Copy-paste error in permssions plugin, CID 323649
* Allow ipaapi user to access SSSD's info pipe
* Fix test_cli_fsencoding on Python 3.7
* ipapwd_pre_mod: NULL ptr deref
* ipadb_mspac_get_trusted_domains: NULL ptr deref
* has_krbprincipalkey: avoid double free
* Require Dogtag 10.6.7-3
* Use tasks.install_master() in external_ca tests
* Keep Dogtag's client db in external CA step 1
* Replace hard-coded interpreter with sys.executable
* Don't abuse strncpy() length limitation
* Fix ipadb_multires resource handling
=== François Cami (3) ===
* Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
* Add a shared-vault-retrieve test
* Add sysadm_r to default SELinux user map order
=== Florence Blanc-Renaud (19) ===
* ipatests: add upgrade test for double-encoded cacert
* ipa upgrade: handle double-encoded certificates
* ipatests: add xmlrpc test for user|host-find --certificate
* ipaldap.py: fix method creating a ldap filter for IPACertificate
* ipatests: fix test_replica_uninstall_deletes_ruvs
* ipatests: add test for ipa-replica-install options
* ipa-replica-install: password and admin-password options mutually exclusive
* freeipa.spec.in: add BuildRequires for python3-lib389
* ipatests: add integration test for "Read radius servers" perm
* radiusproxy: add permission for reading radius proxy servers
* tests: add xmlrpc test for ipa user-add --radius-username
* ipa user-add: add optional objectclass for radius-username
* ipatest: add functional test for ipa-backup
* ipa-backup: restart services before compressing the backup
* ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
* ipatests: fix path in expected error message
* Bump requires 389-ds-base
* ipa tests: CA less
* certdb: provide meaningful err msg for wrong PIN
=== Francisco Trivino (2) ===
* PR-CI: Move to Fedora 29 template, version 0.2.0
* prci_definitions: update vagrant memory topology requirements
=== Fraser Tweedale (6) ===
* certdb: validate certificate signatures
* Print correct subject on CA cert verification failure
* certdb: ensure non-empty Subject Key Identifier
* ipaldap: avoid invalid modlist when attribute encoding differs
* rpc: always read response
* Restore KRA clone installation integration test
=== Varun Mylaraiah (1) ===
* Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
=== Petr Vobornik (1) ===
* ipa-advise: update url of cacerdir_rehash tool
=== Rob Crittenden (10) ===
* Add support for multiple certificates/formats to ipa-cacert-manage
* Add tests for ipa-cacert-manage install
* Enable replica install info logging to match ipa-server-install
* Demote log message in custodia _wait_keys to debug
* Pass a list of values into add_master_dns_records
* Collect the client and server uninstall logs in tests
* Fix misleading errors during client install rollback
* Remove the authselect profile warning if sssd was not configured.
* Handle NTP configuration in a replica server installation
* Enable LDAP debug output in client to display TLS errors in join
=== Stanislav Levin (1) ===
* Move ipa's systemd tmpfiles from /var/run to /run
=== Sergey Orlov (2) ===
* ipatests: add test for ipa-restore in multi-master configuration
* ipatests: add test for ipa-advise for enabling sudo for admins group
=== sudharsanomprakash (1) ===
* Don't use deprecated Apache Access options.
=== Thomas Woerner (5) ===
* Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
* Fix ressource leak in client/config.c get_config_entry
* Update annobin to fix continuous-integration/travis-ci/pr issues
* Find orphan automember rules
* ipaclient: Remove --no-sssd and --no-ac options
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
URL: https://github.com/freeipa/freeipa/pull/2542
Author: t-woerner
Title: #2542: Enable firewall in the tests
Action: opened
PR body:
"""
Currently the firewall is not enabled in the tests. The goal is to enable the file firewall using firewalld in the tests.
All uses of iptables and ip6tables commands in the tests need to be replaced.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2542/head:pr2542
git checkout pr2542
URL: https://github.com/freeipa/freeipa/pull/2623
Author: tiran
Title: #2623: [Backport][ipa-4-7] Update temp commit template to F29
Action: opened
PR body:
"""
Manual backport of PR #2619
The temp_commit.yaml template now uses F29 as well. It also contains all
topology configurations from the nightly jobs.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2623/head:pr2623
git checkout pr2623
I started a design of an IPA healthcheck framework at
https://www.freeipa.org/page/V4/Healthcheck
Have at it.
Note that this concentrates more on how it will work big picture and
less on individual checks that may be performed. I'm happy to add any
ideas you come up with for specific tests.
rob