[Freeipa-interest] Announcing FreeIPA 2.1.0

Rob Crittenden rcritten at redhat.com
Wed Aug 17 15:00:58 UTC 2011

The FreeIPA Project is proud to announce the latest release of the 
FreeIPA. As always, the latest tarball can be found at http://freeipa.org/

FreeIPA 2.1 is available in Fedora 15. It is currently in the 
updates-testing repository along with a number of its dependencies. 
Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

  * General client and server installation improvements. Server 
installation is significantly faster.
  * Improved support for IPv6.
  * General UI improvements related to navigation and work flow.
  * Added UI for automount.
  * A Host-based Access Control (HBAC) test tool
  * Deprecation of HBAC deny rules
  * A CA is no longer required on every replica and may be added 
post-install to a replica (see ipa-ca-install).
  * A new replication tool for dogtag has been added (ipa-cs-manage). 
This allows you to control the replication topology of your CA.

== Upgrading ==

=== Server ===

To upgrade a 2.0.0 or 2.0.1 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 

  # service dirsrv start
  # ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.

== Detailed Changelog ==

Adam Young (62):
  * Fixed labels for sudo and hbac rules
  * update metadata with label changes
  * define entities using builder and more declarative syntax
  * default all false no longer default to all: true for searches, only 
specify it for user searches
  * code review fixes
  * make use of new user-find columns.
  * fix JSL error
  * Upgrade to jquery 1.5.2
  * action panel to top tabs
  * remove jquery-cookie library
  * update ipa init a simple script to update the metatdate et alles 
that come
s from the ipa_init batch call
  * whitespace and -x removal
  * create entities on demand. fixed changes from code review
  * automount UI
  * redirect on show error.
  * redirect on error Code for redirecting on error has been moved to 
t so it can be called from both details and assocaiton facets.
  * automount delete key indirect automount maps
  * scrollable content areas
  * dialog scrolling table
  * JSON marshalling list
  * dns multiple records show multiple records that share the same dnsname
  * no redirect on search
  * test for dirty
  * test dirty textarea runs the testdirty check before setting the undo 
tag for a textarea
  * test dirty multivalue test the multivalue widgets for changes before 
showing the undo link.
  * test dirty onchange
  * entity select widget for manager
  * hide automount tabs.
  * service host entity select Use the entity select widget for add service
  * entity select undo
  * no redirect on unknown error If the error name is indicates a server 
wide error, do not attempt to redirect.
  * editable entity_select
  * ipaddress for host add
  * entity select for password policy
  * tooltips for host add
  * automountkey details
  * identify target as section for permissions
  * optional uid
  * validate required fields
  * Generate record type list from metadata
  * shorten url cache state in a javascript variable, and leave on 
information about the current entity in the URL hash params
  * containing entity pkeys
  * undefined pkeys
  * config fields
  * ipadefaultemaildomain
  * config widgets entity select default group checkbox for migration
  * entity link for password policy
  * validate ints
  * password expiration label
  * HBAC deny warning
  * check required on add
  * clear errors on reset
  * indirect admins
  * entity_select naming
  * remove HBAC warning from static UI
  * dnsrecord-mod ui
  * no dns
  * remove hardcoded DNS label for record name.
  * move dns to identity tab
  * removing setters setup and init
  * dns section header i18n.
  * use other_entity for adder columns

Alexander Bokovoy (10):
  * Convert Bool to TRUE/FALSE when working with LDAP backend
  * Minor typos in the examples
  * Convert nsaccountlock to always work as bool towards Python code
  * Rearrange logging for NSCD daemon.
  * Fix sssd.conf to always have IPA certificate for the domain.
  * Add hbactest command.
  * Modify /etc/sysconfig/network on a client when IPA manages hostname
  * Make proper LDAP configuration reporting for ipa-client-install
  * Ensure network configuration file has proper permissions
  * Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):
  * Fixed undefined label in permission adder dialog box.
  * Initial Selenium test cases.
  * Added functional test runner.
  * Refactored action panel and client area.
  * Refactored builder interface.
  * Refactored search facet.
  * Entitlements.
  * Updated Selenium tests.
  * Merged IPA.cmd() into IPA.command().
  * Entitlement registration.
  * Entitlement import.
  * Entitlement download.
  * Moved adder dialog box into entity.
  * Standardized action panel buttons creation.
  * Entitlement quantity validation.
  * Refactored navigation.
  * Use entity names for tab state.
  * Moved entity contents outside navigation.
  * Added facet container.
  * Fixed self-service UI.
  * Updated Selenium tests.
  * Updated Selenium tests.
  * Updated DNS interface.
  * Added Selenium tests for DNS.
  * Added UUID field for entitlement registration.
  * Added Self-Service and Delegation tests.
  * Customizable facet groups.
  * Read-only association facet.
  * jQuery ordered map.
  * Fixed problem disabling HBAC and SUDO rules.
  * Fixed Ajax error handling.
  * Fixed details tests.
  * Fixed adder dialog title.
  * Fixed Add and Edit without primary key.
  * Fixed Selenium tests.
  * Fixed URL parameter parsing.
  * Added Update and Reset buttons into Dirty dialog.
  * Fixed problem deleting value in text field.
  * Added pagination for associations.
  * Fixed pagination problem.
  * Temporary fix for indirect member tabs.
  * Fixed blank dialog box on internal error.
  * Fixed resizing issues.
  * Added selectable option for table widget.
  * Entitlement status.
  * Fixed tab navigation.
  * Fixed build break.
  * Fixed paging for indirect members.
  * Renamed associate.js to association.js.
  * Fixed self-service links.
  * Merged direct and indirect association facets
  * Storing page number in URL.
  * Removed FreeWay font files.
  * Fixed problem with navigation tabs on reload.
  * Converted entity header into facet header.
  * Added navigation breadcrumb.
  * Added record count into association facet tabs.
  * Added singular entity labels.
  * Fixed entity labels.
  * Fixed DNS records page title.
  * Fixed undo all problem.
  * Removed unused images.
  * Fixed hard-coded messages.
  * Added confirmation dialog for user activation.
  * Fixed button style in Entitlements
  * Removed invalid associations.
  * Added arrow icons for details sections.
  * Fixed object_name usage.
  * Fixed HBAC/Sudo rules associations.
  * Fixed blank self-service page.
  * Fixed dirty dialog problems in HBAC/Sudo rules.
  * Fixed test fixture file name.
  * Fixed missing entitlement import button label
  * Added sudo options.
  * Fixed collapsed table in Chrome.
  * Fixed object_name and object_name_plural internationalization
  * Fixed label capitalization
  * Entity select widget improvements
  * Removed reverse zones from host adder dialog.
  * Fixed host details fields.
  * Added checkbox to remove hosts from DNS.
  * Creating reverse zones from IP address.
  * Removed entitlement registration UUID field.
  * Fixed problem loading data in HBAC/sudo details page.
  * Removed HBAC access time code.
  * Removed custom layouts using HTML templates.
  * Refactored IPA.current_facet().
  * Fixed problem with navigation state loading.
  * Fixed navigation problems.
  * Fixed navigation unit test.
  * Fixed click handlers on certificate buttons.
  * New icons for entitlement buttons
  * Fixed problem bookmarking Policy/IPA Server tabs
  * Fixed problem setting host OTP.
  * Fixed hard-coded labels in sudo rules.
  * Fixed hard-coded label in Find button.
  * Fixed missing section header in sudo command group.
  * Fixed problem unprovisioning service.
  * Fixed missing memberof definition in HBAC service.
  * Added association facets for HBAC and sudo.
  * Fixed certificate buttons.
  * Fixed missing icons.
  * Fixed misaligned search icon.
  * Resizable adder dialog box.
  * Linked entries in HBAC/sudo details page.
  * Fixed 3rd level tab style.
  * Fixed facet group labels.
  * Fixed error after login on IE
  * Fixed host adder dialog.
  * Fixed DNS zone adder dialog.
  * Fixed broken links in ipa_error.css and ipa_migration.css.
  * Fixed problem clicking 3rd level tabs.
  * Fixed link style in dialog box.
  * Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):
  * Remove wrong kpasswd sysconfig

Jan Cholasta (34):
  * Fix wording of error message.
  * Add note about ipa-dns-install to ipa-server-install man page.
  * Fix typo in ipa-server-install.
  * Fix uninitialized variables.
  * Fix double definition of output_for_cli.
  * Add lint script for static code analysis.
  * Fix lint false positives.
  * Remove unused classes.
  * Fix some minor issues uncovered by pylint.
  * Fix uninitialized attributes.
  * Run lint during each build.
  * Several improvements of the lint script.
  * Fix issues found by Coverity.
  * Fix regressions introduced by pylint false positive fixes.
  * Assume ipa help for plugins.
  * Parse netmasks in IP addresses passed to server install.
  * Honor netmask in DNS reverse zone setup.
  * Do stricter checking of IP addressed passed to server install.
  * Fix directory manager password validation in ipa-nis-manage.
  * Improve IP address handling in the host-add command.
  * Verify that the hostname is fully-qualified before accessing the 
service information in ipactl.
  * Remove redundant configuration values from krb5.conf.
  * Replace the 'private' option in netgroup-find with 'managed'.
  * Configure SSSD to store user password if offline.
  * Fix creation of reverse DNS zones.
  * Add ability to specify DNS reverse zone name by IP network address.
  * Fix exit status of ipa-nis-manage enable.
  * Update minimum required version of python-netaddr.
  * Clean up of IP address checks in install scripts.
  * Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.
  * Fix ipa-compat-manage not working after recent ipa-nis-manage change.
  * Make sure that hostname specified by user is not an IP address.
  * Fix external CA install.
  * Ask for reverse DNS zone information in attended install right after 
asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):
  * Module for DN objects plus unit test
  * assert_deepequal supports callback for equality testing
  * Add backslash escape support for cvs reader
  * Use DN class in get_primary_key_from_dn to return decoded value
  * Update test_role_plugin test to include a comma in a privilege
  * Ticket 1485 - DN pairwise grouping
  * Make AVA, RDN & DN comparison case insensitive. No need for 
lowercase normalization.
  * Clean up existing DN object usage
  * transifex translation adjustment

Jr Aquino (15):
  * Escape LDAP characters in member and memberof searches
  * Add memberHost and memberUser to default indexes
  * Optimize and dynamically verify group membership
  * Delete the sudoers entry when disabling Schema Compat
  * Return copy of config from ipa_get_config()
  * Typo in host_nis_groups has been creating 2 CN's
  * Add sudorule and hbacrule to memberof and indirectmemberof attributes
  * Display remaining external hosts when removing from sudorule
  * Raise DuplicateEntry Error when adding a duplicate sudo option
  * Don't add empty tuple to entry_attrs['externalhost']
  * oneliner correct typo in ipasudorunas_group
  * Return correct "RunAs External Group" when removing members
  * remove escapes from the cvs parser in ipaserver/install/ldapupdate
  * Correct behavior for sudorunasgroup vs sudorunasuser
  * Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):
  * Inconsistent error message for duplicate user
  * Replica installation fails for self-signed server
  * Remove doc from API.txt
  * Revert "Remove doc from API.txt"
  * Password policy commands do not include cospriority
  * Improve DNS PTR record validation
  * Remove unwanted trimming in text fields
  * Need force option in DNS zone adder dialog
  * IPA replica is not started after the reboot
  * Improve Directory Service open port checker
  * Log temporary files in ipa-client-install
  * Prevent uninstalling client on the IPA server
  * pwpolicy-mod doesn't accept old attribute values
  * Forbid reinstallation in ipa-client-install
  * ipa-client-install uninstall does not work on IPA server
  * LDAP Updater may crash IPA installer
  * NS records not updated by replica
  * Bad return values for ipa-rmkeytab command
  * Update spec with missing BuildRequires for pylint check
  * Let selinux-policy handle port 7390
  * Limit passwd plugin to user container
  * Consolidate man pages and IPA tools help
  * Remove doc from API.txt
  * Improve service manipulation in client install
  * Running ipa-replica-manage as non-root cause errors
  * KDC autodiscovery may fail when domain is not realm
  * A new flag to disable creation of UPG
  * Fix reverse zone creation in ipa-replica-prepare
  * Improve interactive mode for DNS plugin
  * Localization fails for MaxArgumentError
  * Fix forward zone creation in ipa-replica-prepare
  * Connection check program for replica installation
  * Fix support for nss-pam-ldapd
  * Skip know_host check for ipa-replica-conncheck
  * IPA installation with --no-host-dns fails
  * Handle LDAP search references
  * Add ignore lists to migrate-ds command
  * Improve DNS zone creation
  * Add a list of managed hosts
  * Missing krbprincipalname when uid is not set
  * Add port 9443 to replica port checking
  * Fix doc for sudorule runasuser commands
  * Improve IP address handling in IPA option parser
  * Multi-process build problems
  * DNS installation fails when domain and host domain mismatch
  * Fix IPA install for secure umask
  * Allow recursion by default
  * Add DNS record modification command
  * Filter reverse zones in dnszone-find
  * Remove sensitive information from logs
  * Fix ipa-dns-install
  * Fix self-signed replica installation
  * Check IPA configuration in install tools
  * Add new dnszone-find test
  * Fix typo in ipa-replica-prepare
  * Improve long integer type validation
  * Fix sudorule-remove-user
  * Add missing automount summaries
  * Fix man page ipa-csreplica-manage
  * Fix automountkey commands summary
  * Fix invalid issuer in unit tests
  * Hide continue option from automountkey-del
  * Improve error message in ipactl
  * Improve dnszone-add error message
  * Fix idnsUpdatePolicy for reverse zone record
  * Fix client enrollment
  * Update 389-ds-base version
  * Update pki-ca version

Nalin Dahyabhai (1):
  * Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):
  * Fix gidnumber option of user-add command.

Petr Vobornik (3):
  * fixed empty dns record update
  * Fixed adding host without DNS reverse zone
  * Redirection after changing browser configuration

Rich Megginson (3):
  * winsync enables disabled users in AD
  * modify user deleted in AD crashes winsync
  * memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):
  * Allow a client to enroll using principal when the host has a OTP
  * Make retrieval of the CA during DNS discovery non-fatal.
  * Cache the value of get_ipa_config() in the request context.
  * Change default gecos from uid to first and last name.
  * Fix ORDERING in some attributetypes and remove other unnecessary 
  * postalCode should be a string not an integer.
  * Fix traceback in ipa-nis-manage.
  * Suppress --on-master from ipa-client-install command-line and man page.
  * Sort entries returned by *-find by the primary key (if any).
  * The default groups we create should have ipaUniqueId set
  * Always ask members in LDAP*ReverseMember commands.
  * Provide attributelevelrights for the aci components in permission_show.
  * Wait for memberof task and DS to start before proceeding in 
  * Convert manager from userid to dn for storage and back for displaying.
  * Modify the default attributes shown in user-find to match the UI design.
  * Ensure that the zonemgr passed to the installer conforms to IA5String.
  * Handle principal not found errors when converting replication a 
  * Bump version to 2.0.90 to distinguish between 2.0.x
  * Properly handle --no-reverse being passed on the CLI in interactive mode
  * Update min nvr for selinux-policy and pki-ca for F-15+
  * Test for forwarded Kerberos credentials cache in wsgi code.
  * Properly configure nsswitch.conf when using the --no-sssd option.
  * Enable 389-ds SSL host checking by defauilt
  * Configure Managed Entries on replicas.
  * Document that deleting and re-adding a replica requires a dirsrv 
  * Fix migration to work between v2 servers and remove search/size limits.
  * Add option to limit the attributes allowed in an entry.
  * Include the word 'member' with autogenerated optional member labels.
  * Do a lazy retrieval of the LDAP schema rather than at module load.
  * Add UID, GID and e-mail to the user default attributes.
  * Fix external CA installation
  * Remove root autobind search restriction, fix upgrade logging & error 
  * Support initializing memberof during replication re-init using GSSAPI
  * Do better detection on status of CA DS instance when installing.
  * Fix indirect member calculation
  * Remove automountinformation as part of the DN for automount.
  * Don't let a JSON error get lost in cascading errors.
  * Add message output summary to sudorule del, mod and find.
  * Return an error message when revocation reason 7 is used
  * Require an imported certificate's issuer to match our issuer.
  * On a master configure sssd to only talk to the local master.
  * The IP address provided to ipa-server-install must be local
  * Do lazy LDAP schema retrieval in json handler.
  * Make data type of certificates more obvious/predictable internally.
  * Update translation files
  * Let the framework be able to override the hostname.
  * Make dogtag an optional (and default un-) installed component in a 
  * Slight performance improvement by not doing some checking in 
production mode
  * Set the client auth callback after creating the SSL connection.
  * Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def 
attr list
  * Enforce class rules when query=True, continue to not run validators.
  * find_entry_by_attr() should fail if multiple entries are found
  * Fix error in AttrValueNotFound exception example
  * Fix test failure in updater when adding values to a single-value attr
  * Reset failed login count to 0 when admin resets password.
  * Disallow direct modifications to enrolledBy.
  * Document registering to an entitlement server with a UUID as not 
  * In sudo labels we should use RunAs and not Run As.
  * Remove the ability to create new HBAC deny rules.
  * Validate that the certificate subject base is in valid DN format.
  * Use information from the certificate subject when setting the NSS 
  * Create tool to manage dogtag replication agreements
  * Fix failing tests due to object name changes
  * Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
  * Set the ipa-modrdn plugin precedence to 60 so it runs last
  * Generate a database password by default in all cases.
  * Specify the package name when the replication plugin is missing.
  * Change client enrollment principal prompt to hopefully be clearer.
  * Optionally wait for 389-ds postop plugins to complete
  * A removed external host is shown in output when removing external hosts.
  * Don't set krbLastPwdChange when setting a host OTP password.
  * Fix regression when calculating external groups.
  * With the external user/group management fixed, correct the unit tests.
  * Set a default minimum value for class Int, handle long values better.
  * Make ipa-client-install error messages more understandable and relevant.
  * Add Alexander Bokovoy and Jan Cholasta to contributors file
  * Only call entry_from_entry() after waiting for the new entry.
  * Hide the HBAC access type attribute now that deny is deprecated.
  * Autofill the default revocation reason
  * Don't check for leading/trailing spaces in a File parameter
  * Add an arch-specific Requires on cyrus-sasl-gssapi
  * Revert use of 'can be at least' to 'must be at least' in minvalue 
  * Don't leave dangling map if adding an indirect map fails
  * Fix message in test case for checking minimum values
  * When setting a host password don't set krbPasswordExpiration.
  * Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
  * Deprecated managing users and runas user/group in sudorule add/mod
  * Fix date order in changelog.
  * Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):
  * Fix resource leaks.
  * ipautil: Preserve environment unless explicitly overridden by caller.
  * install-scripts: avoid using --list with chkconfig
  * Don't set the password expiration to the current time

Yuri Chornoivan (1):
  * Typos in freeIPA messages and man page

Kyle Baker (5):
  * Background images and tab hover
  * Search bar style and positioning changes
  * List page spacing changes
  * Tab and spacing on list
  * Facet icon swap and tab sizing

More information about the Freeipa-interest mailing list