[Freeipa-devel] Announcing FreeIPA v2.2.0 Release

Dmitri Pal dpal at redhat.com
Thu May 3 19:57:06 UTC 2012 

On 05/03/2012 03:49 PM, Rob Crittenden wrote:
> The FreeIPA team is proud to announce version FreeIPA v2.2.0.
>
> It can be downloaded from http://www.freeipa.org/Downloads.
>
It can be downloaded from http://www.freeipa.org/downloads.

> A build is on the way to updates-testing for Fedora 17. Fedora 15 and
> 16 are not supported by FreeIPA 2.2.0 due to missing dependencies.
>
> == Highlights in 2.2.0 ==
>
>  * Forms-based login. If Kerberos Single-Sign-On authentication fails,
> you now have the option to authenticate through a form-base login page
> using your domain username and password. You an also go directly to
> the page named /ipa/ui/login.html to do form-based authentication
> without attempting a Kerberos login at all
>  * Logout from the UI
>  * Support for SSH known-hosts with sssd 1.8.0. This will create a
> known-hosts file dynamically based on information stored in IPA.
>  * SELinux user maps to control a user's SELinux context depending on
> what host they log into (requires sssd 1.8.0+).
>  * Support for global configuration of the name server stored in LDAP,
> including a list of global forwarders, forward policy, DNS zone
> refresh poll timeout.
>  * Enhanced per-zone configuration, including query and transfer
> policy, and conditional forwarding.
>  * DNS record CLI and Web UI is vastly improved, including an improved
> validation of supported DNS record types, an ability to create
> compound DNS records (like LOC or SRV) by its parts.
>  * Migration improvements including being able to specify the basedn,
> translation of stored DN values. User-Private groups are no longer
> being created for migrated users.
>  * We recommend that the compat plugin be disabled during migration to
> avoid unnecessary overhead.
>  * On new installations the default users group, ipausers, is now
> non-POSIX to speed up user enumeration in SSSD. To make ipausers a
> POSIX group run ipa group-mod --posix ipausers.
>  * The WebUI now has support for HBAC testing and Automember
> mananagement.
>
> == Upgrading ==
>
> An IPA server can be upgraded simply by installing updated rpms. The
> server does not need to be shut down in advance.
>
> If you have multiple servers you may upgrade them one at a time. It is
> expected that all servers will be upgraded in a relatively short
> period (days or weeks not months). They should be able to co-exist
> peacefully but new features will not be available on old servers and
> enrolling a new client against an old server will result in the SSH
> keys not being uploaded.
>
> Downgrading a server once upgraded is not supported.
>
> Upgrading from 2.1.90 rc1 has not been tested.
>
> An enrolled client does not need the new packages installed unless you
> want to re-enroll it. SSH keys for already installed clients are not
> uploaded, you will have to re-enroll the client or manually upload the
> keys.
>
> == Feedback ==
>
> Please provide comments, bugs and other feedback via the freeipa-devel
> mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel
>
> == Detailed Changelog since 2.1.90 rc 1 ==
>
> Alexander Bokovoy (1):
> *  When changing multiple booleans with setsebool, pass each of them
> separately.
>
> Jan Cholasta (9):
> *  Wait for child process to terminate after receiving SIGINT in
> ipautil.run.
> *  Parse zone indices in IPv6 addresses in CheckedIPAddress.
> *  Fix uses of O=REALM instead of the configured certificate subject
> base.
> *  Fix the procedure for getting default values of command parameters.
> *  Change parameters to use only default_from for dynamic default values.
> *  Check whether the default user group is POSIX when adding new user
> with --noprivate.
> *  Check configured maximum user login length on user rename.
> *  Fix internal error when renaming user with an empty string.
> *  Set the "KerberosAuthentication" option in sshd_config to "no"
> instead of "yes".
>
> John Dennis (7):
> *  Replace broken i18n shell test with Python test
> *  improve handling of ds instances during uninstall
> *  Use indexed format specifiers in i18n strings
> *  text unit test should validate using installed mo file
> *  Validate DN & RDN parameters for migrate command
> *  don't append basedn to container if it is included
> *  Fix name error in hbactest
>
> Lars Sjostrom (1):
> *  Add disovery domain if client domain is different from server domain
>
> Martin Kosek (29):
> *  Ignore case in yes/no prompts
> *  Refresh resolvers after DNS install
> *  Fix migration plugin compat check
> *  Fix ipa-replica-manage TLS connection error
> *  Treat UPGs correctly in winsync replication
> *  Allow port numbers for idnsForwarders
> *  Add missing global options in dnsconfig
> *  Fix precallback validators in DNS plugin
> *  Harden raw record processing in DNS plugin
> *  Fix LDAP effective rights control with python-ldap 2.4.x
> *  Avoid deleting DNS zone when a context is reused
> *  Fix default SOA serial format
> *  Amend permissions for new DNS attributes
> *  Improve user awareness about dnsconfig
> *  Fix dnsrecord-del interactive mode
> *  Tolerate UDP port failures in conncheck
> *  Improve automount indirect map error message
> *  Forbid public access to DNS tree
> *  Configure SELinux for httpd during upgrades
> *  Fix installation when server hostname is not in a default domain
> *  Return correct record name in DNS plugin
> *  Fix dnsrecord_add interactive mode
> *  Fix DNS and permissions unit tests
> *  Raise proper exception when LDAP limits are exceeded
> *  Do not fail migration because of duplicate groups
> *  Fix help of --hostname option in ipa-client-install
> *  Sort password policies properly with --pkey-only
> *  Improve error message in zonemgr validator
> *  Make ipa 2.2 client capable of joining an older server
>
> Ondrej Hamada (7):
> *  More exception handlers in ipa-client-install
> *  Search allowed attributes in superior objectclasses
> *  Typos in FreeIPA messages
> *  Netgroup nisdomain and hosts validation
> *  Confusing default user groups
> *  Unable to rename permission object
> *  Fix empty external member processing
>
> Petr Viktorin (22):
> *  Allow removing sudo commands with special characters from command
> groups
> *  Enforce that required attributes can't be set to None in CRUD Update
> *  Mark most config options as required
> *  Don't crash when searching with empty relationship options
> *  Remove ipausers' gidnumber from tests
> *  Use nose tools to check for exceptions
> *  Only split CSV in the client, quote instead of escaping
> *  Add missing BuildRequires
> *  Use valid argument names in tests
> *  Add CLI parsing tests
> *  Allow multi-line CSV parameters
> *  Move test skipping to class setup
> *  Fix little test errors
> *  Test the batch plugin
> *  Defer conversion and validation until after --{add,del,set}attr are
> handled
> *  Limit permission and selfservice names to alphanumerics, -, _, space
> *  Convert --setattr values for attributes marked no_update
> *  Fix expected error messages in tests
> *  Remove pattern_errmsg from API.txt
> *  Pass make-test arguments through to Nose
> *  Document the 'nonempty' flag
> *  Additional tests for pwpolicy
>
> Petr Vobornik (22):
> *  Fixed mask validation in network_validator
> *  Fixed checkbox value in table without pkey
> *  Certificate serial number in hex format - ui testing data
> *  Fixed evaluating checkbox dirty status
> *  Better hbactest validation message
> *  Content is no more overwritten by error message
> *  Show_content on refresh success
> *  Fixed rpm build warning - extension.js listed twice
> *  Add support of new options in dnsconfig
> *  DNS forwarder validator
> *  Added mac address to host page
> *  Facet expiration flag
> *  Inter-facet expiration
> *  Reworked netgroup Web UI to allow setting user/host category
> *  Fixed: permission attrs table didn't update its available options
> on load
> *  Added attrs field to permission for target=subtree
> *  DNS forward policy: checkboxes changed to radio buttons
> *  Removed mutex option from checkboxes
> *  Removal of memberofindirect_permissons from privileges
> *  User is notified that password needs to be reset in forms-based login
> *  Added permission field to delegation
> *  Paging disable for password policies
>
> Rob Crittenden (34):
> *  Fix NSS no_init in the NSSHTTPS class
> *  Set minimum version of selinux-policy to pick up memcached fix
> *  Fix nsslapd-anonlimitsdn dn in cn=config
> *  Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.
> *  Don't set dbdir in the connection until after the connection is
> created.
> *  Display serial number as HEX (DECIMAL) when showing certificates.
> *  Add subject key identifier to the dogtag server cert profile.
> *  Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf
> *  Import the ipaserver plugins based on context, not env.in_server.
> *  Don't allow hosts and services of IPA masters to be disabled.
> *  Use a consistent parameter name in errors, defaulting to cli_name.
> *  No longer shell escape the DM password when calling pkisilent.
> *  Fix test failure testing rename with an invalid hostname.
> *  Fix attributes that contain DNs when migrating.
> *  Normalize the primary key value to lowercase during migration.
> *  Fix unit tests to work with new comma-support, validation requirements
> *  Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue
> *  Set nsslapd-minssf-exclude-rootdse to on so the DSE is always
> available.
> *  Add requires on python-krbV to client subpackage
> *  Fix failure count interval attribute name in query for password
> policy.
> *  Handle updating replication agreements that lack
> nsDS5ReplicatedAttributeList
> *  Don't create private groups for migrated users, check for valid
> gidnumber
> *  Add updated Output format for batch to API.txt
> *  Make revocation_reason required when revoking a certificate.
> *  Add missing comma to list of services that cannot be disabled.
> *  Return consistent value when hostcat and usercat is all.
> *  Dereference pointer when comparing password history in qsort compare.
> *  Configure certmonger to execute restart scripts on renewal.
> *  Remove the running state when uninstalling DS instances.
> *  Return consistent expiration message for forms-based login
> *  Use mixed-case for Read DNS Entries permission
> *  Update docs for user-status, always show disabled, time for each
> server.
>
> Simo Sorce (1):
> *  Fix memleak and silence Coverity defects
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-devel mailing list