[Freeipa-interest] Announcing FreeIPA 2.1.1

Rob Crittenden rcritten at redhat.com
Thu Sep 8 14:34:54 UTC 2011

The FreeIPA Project is proud to announce the latest release of the 
FreeIPA. As always, the latest tarball can be found at http://freeipa.org/

FreeIPA 2.1.1 is available in Fedora 15. It is currently in the 
updates-testing repository along with a number of its dependencies. 
Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

  * Reduced number of ports needed to punch through firewall by proxying 
dogtag through port 443
  * New plugin, automember, that can automatically add users and hosts 
to groups and hostgroups based on regular expressions.
  * Indicator in the UI and CLI when a host has a one-time password set
  * DNS improvements - loading new zones via regular polling or LDAP 
persistent search

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c 
packages (and perhaps some others). A script will be executed in the rpm 
postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, 
https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to 
read-write locks. The NSPR RW lock implementation does not safely allow 
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During 
testing one user experienced this and the upgrade hung. To break the 
hang kill the ns-slapd process for your realm, wait for the yum 
transaction to complete, then restart 389-ds and manually run the update 

  # service dirsrv start
  # ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a 
configuration tool. There should be no need to re-run this on every 
client already enrolled.

== Detailed Changelog ==

Adam Young (1):
  * enable proxy for dogtag

Alexander Bokovoy (1):
  * Propagate environment when it is required.

Endi S. Dewata (19):
  * Fixed browser configuration pages
  * Hide activation/deactivation link from regular users.
  * Fixed problem selecting value from combobox
  * Fixed inconsistent layout for password reset dialog.
  * Removed 'Hide already enrolled' checkbox.
  * Replaced page dirty dialog title.
  * Updated add and delete association dialog titles.
  * Removed unnecessary HBAC/sudo rule category modification.
  * Fixed command partial failure handling.
  * Fixed default map type in automount map adder dialog.
  * Fixed host OTP status.
  * Fixed host keytab status after setting OTP.
  * Fixed host adder dialog to show default DNS zone.
  * Fixed hard-coded UI messages.
  * Fixed problem adding hostgroup into netgroup.
  * Fixed problem with combobox.
  * Fixed hard-coded UI message in entity.js.
  * Fixed missing permission filter field.
  * Fixed problem with combobox using Sahi

Jan Cholasta (6):
  * Make sure messagebus is running prior to starting certmonger.
  * Verify that passwords specified through command line options of 
ipa-server-install meet the length requirement.
  * Add option to install without the automatic redirect to the Web UI.
  * Search for users in all the naming contexts present on the directory 
  * Add subscription-manager dependency for RHEL.
  * Verify that the external CA certificate files are correct.

John Dennis (11):
  * ticket 1568 - DN objects should support the insert method
  * ticket 1569 - Test DN object non-latin Unicode support
  * ticket 1600 - convert unittests to use DN objects
  * ticket 1659 - invalid i18n string in dns.py
  * ticket 1660 - update LINGUAS file, add missing po files
  * ticket 1661 - Update all po files
  * ticket 1650 - compute accurate translation statistics
  * ticket 1707 - add documentation validation to makeapi tool
  * ticket 1705 - internationalize help topics
  * ticket 1706 - internationalize cli help framework
  * ticket 1669 - improve i18n docstring extraction

Jr Aquino (2):
  * Improve sudorule documentation
  * Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):
  * Add missing attribute labels for sudorule
  * Fix automountkey-mod
  * Fix automountlocation-import conflicts
  * ipa-client-install breaks network configuration
  * Fix sudo help and summaries
  * Let Bind track data changes

Petr Vobornik (8):
  * error dialog for batch command
  * Uncheck checkboxes in association after deletion
  * Show error in adding associations
  * Validation of details facet before update
  * Modify serial associator to use batch
  * Modifying sudo options refreshes the whole page
  * Enable update and reset button only if dirty
  * Attributes table not scrollable

Rob Crittenden (24):
  * Add information on setting api.env.host in the ipactl.8 man page
  * Log each command in a batch separately.
  * Do batch logging on successful commands too, not just failures.
  * Fix wording in examples of delegation plugin.
  * Suppress 389-ds debug output when starting services
  * Fix thread deadlock by using pthreads library instead of NSPR.
  * Change the way has_keytab is determined, also check for password.
  * Add additional pam ftp services to HBAC, and a ftp HBAC service group
  * Add label for HBAC services to show as members
  * Add option to only prompt once for passwords, use in entitle_register
  * Retrieve password/keytab state when modifying a host.
  * Disable reverse lookups in ipa-join and ipa-getkeytab
  * Remove more 389-ds files/directories on uninstallation.
  * Remove 389-ds upgrade state during uninstall
  * Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
  * Add common is_installed() fn, better uninstall logging, check for 
  * Add external source hosts to HBAC.
  * Roll back changes if client installation fails.
  * Add netgroup as possible memberOf for hostgroups
  * Sort lists so order is predictable and tests pass as expected.
  * Suppress managed netgroups from showing as memberof hostgroups.
  * Use the IPA server cert profile in the installer.
  * Set min nvr of 389-ds-base to for BZ 728605
  * Become IPA 2.1.1

Simo Sorce (1):
  * conncheck: Fix List of ports to check

More information about the Freeipa-interest mailing list