[Freeipa-interest] Announcing FreeIPA 2.1.1
rcritten at redhat.com
Thu Sep 8 14:34:54 UTC 2011
The FreeIPA Project is proud to announce the latest release of the
FreeIPA. As always, the latest tarball can be found at http://freeipa.org/
FreeIPA 2.1.1 is available in Fedora 15. It is currently in the
updates-testing repository along with a number of its dependencies.
Fedora 16 and rawhide builds will be coming soon.
== Highlights ==
* Reduced number of ports needed to punch through firewall by proxying
dogtag through port 443
* New plugin, automember, that can automatically add users and hosts
to groups and hostgroups based on regular expressions.
* Indicator in the UI and CLI when a host has a one-time password set
* DNS improvements - loading new zones via regular polling or LDAP
== Upgrading ==
=== Server ===
To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
# yum update freeipa-server --enablerepo=updates-testing
This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c
packages (and perhaps some others). A script will be executed in the rpm
postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds,
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to
read-write locks. The NSPR RW lock implementation does not safely allow
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During
testing one user experienced this and the upgrade hung. To break the
hang kill the ns-slapd process for your realm, wait for the yum
transaction to complete, then restart 389-ds and manually run the update
# service dirsrv start
=== Client ===
The ipa-client-install tool in the ipa-client package is just a
configuration tool. There should be no need to re-run this on every
client already enrolled.
== Detailed Changelog ==
Adam Young (1):
* enable proxy for dogtag
Alexander Bokovoy (1):
* Propagate environment when it is required.
Endi S. Dewata (19):
* Fixed browser configuration pages
* Hide activation/deactivation link from regular users.
* Fixed problem selecting value from combobox
* Fixed inconsistent layout for password reset dialog.
* Removed 'Hide already enrolled' checkbox.
* Replaced page dirty dialog title.
* Updated add and delete association dialog titles.
* Removed unnecessary HBAC/sudo rule category modification.
* Fixed command partial failure handling.
* Fixed default map type in automount map adder dialog.
* Fixed host OTP status.
* Fixed host keytab status after setting OTP.
* Fixed host adder dialog to show default DNS zone.
* Fixed hard-coded UI messages.
* Fixed problem adding hostgroup into netgroup.
* Fixed problem with combobox.
* Fixed hard-coded UI message in entity.js.
* Fixed missing permission filter field.
* Fixed problem with combobox using Sahi
Jan Cholasta (6):
* Make sure messagebus is running prior to starting certmonger.
* Verify that passwords specified through command line options of
ipa-server-install meet the length requirement.
* Add option to install without the automatic redirect to the Web UI.
* Search for users in all the naming contexts present on the directory
* Add subscription-manager dependency for RHEL.
* Verify that the external CA certificate files are correct.
John Dennis (11):
* ticket 1568 - DN objects should support the insert method
* ticket 1569 - Test DN object non-latin Unicode support
* ticket 1600 - convert unittests to use DN objects
* ticket 1659 - invalid i18n string in dns.py
* ticket 1660 - update LINGUAS file, add missing po files
* ticket 1661 - Update all po files
* ticket 1650 - compute accurate translation statistics
* ticket 1707 - add documentation validation to makeapi tool
* ticket 1705 - internationalize help topics
* ticket 1706 - internationalize cli help framework
* ticket 1669 - improve i18n docstring extraction
Jr Aquino (2):
* Improve sudorule documentation
* Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Martin Kosek (6):
* Add missing attribute labels for sudorule
* Fix automountkey-mod
* Fix automountlocation-import conflicts
* ipa-client-install breaks network configuration
* Fix sudo help and summaries
* Let Bind track data changes
Petr Vobornik (8):
* error dialog for batch command
* Uncheck checkboxes in association after deletion
* Show error in adding associations
* Validation of details facet before update
* Modify serial associator to use batch
* Modifying sudo options refreshes the whole page
* Enable update and reset button only if dirty
* Attributes table not scrollable
Rob Crittenden (24):
* Add information on setting api.env.host in the ipactl.8 man page
* Log each command in a batch separately.
* Do batch logging on successful commands too, not just failures.
* Fix wording in examples of delegation plugin.
* Suppress 389-ds debug output when starting services
* Fix thread deadlock by using pthreads library instead of NSPR.
* Change the way has_keytab is determined, also check for password.
* Add additional pam ftp services to HBAC, and a ftp HBAC service group
* Add label for HBAC services to show as members
* Add option to only prompt once for passwords, use in entitle_register
* Retrieve password/keytab state when modifying a host.
* Disable reverse lookups in ipa-join and ipa-getkeytab
* Remove more 389-ds files/directories on uninstallation.
* Remove 389-ds upgrade state during uninstall
* Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
* Add common is_installed() fn, better uninstall logging, check for
* Add external source hosts to HBAC.
* Roll back changes if client installation fails.
* Add netgroup as possible memberOf for hostgroups
* Sort lists so order is predictable and tests pass as expected.
* Suppress managed netgroups from showing as memberof hostgroups.
* Use the IPA server cert profile in the installer.
* Set min nvr of 389-ds-base to 184.108.40.206-1 for BZ 728605
* Become IPA 2.1.1
Simo Sorce (1):
* conncheck: Fix List of ports to check
More information about the Freeipa-interest