[Freeipa-interest] Announcing FreeIPA v2.1.90 Alpha 2 Release

Rob Crittenden rcritten at redhat.com
Fri Feb 17 17:21:45 UTC 2012

The FreeIPA team is proud to announce version 2.1.90 alpha 2. Alpha 1 
was an internal-only release. This will eventually become FreeIPA v2.2.0.

It can be downloaded from http://www.freeipa.org/Downloads or from our 
development repo (http://freeipa.org/downloads/freeipa-devel.repo). 
Fedora 15, 16 and 17 builds are available.

For Fedora 17 users the the required version of 389-ds-base has not been 
pushed to updates-testing yet. You can retrieve it manually from 
http://koji.fedoraproject.org/koji/buildinfo?buildID=299543 or download 
the packages with:

  # koji download-build 299543

== Highlights in 2.1.90 alpha 2 ==

  * A new KDC LDAP backend, ipa-kdb. This simplifies our set up code and 
will is a big piece of future MS PAC support. It also removes the need 
for the separate ipa_kpasswd daemon, kadmind is used instead.
  * Support for storing SSH user and host public keys.
  * SELinux user map rules. These let you set the SELinux context for 
users in an HBAC rule.
  * Improved DNS UI and command-line with vastly improved argument handling.
  * UI screens for Automember were added.
  * Session support in the Web UI. This removes the need to do Kerberos 
negotiation with every request significantly improving Web UI performance.
  * Support for S4U2Proxy. This is a Kerberos feature which allows a 
delegated service (HTTP in our case) to request a ticket (ldap) on a 
user's behalf. We no longer require the TGT to be delegated to the 
server. A delegatable TGT is still required.
  * Improved command-line performance. It is approximately 50% faster.
  * MAC address has been added to hosts.

== Upgrading ==

We tested upgrades from 2.1.4 successfully but this is alpha code. We do 
not recommend upgrading a production server.

Installing updated rpms is all that is required to upgrade from 2.1.4.

It is unlikely that downgrading to a previous release once 2.1.90 is 
installed will work.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 2.1.4 ==

Adam Young (4):
  * remove enrolled column
  * Add priority to pwpolicy list
  * Remove delegation from browser config
  * ignore generated services file.

Alexander Bokovoy (14):
  * Re-enable web password migration on Fedora 16 after SE Linux policy 
  * Check for Python.h during build of py_default_encoding extension
  * Add configure check for libintl.h
  * Create directories for client install
  * Add "Extending FreeIPA" developer guide
  * Small fix to the guide CSS: enable vertical scroll bar
  * Rename included snippets to avoid problems with pylint
  * Fix dependency for samba4-devel package
  * Check through all LDAP servers in the domain during IPA discovery
  * Validate sudo RunAsUser/RunAsGroup arguments
  * Allow hbactest to work with HBAC rules exceeding default IPA limits
  * Add management of inifiles to allow manipulation of systemd units
  * Handle upgrade issues with systemd in Fedora 16 and above
  * Adopt to python-ldap 2.4.6 by removing unused references which are 
not available in python-ldap anymore

Endi S. Dewata (60):
  * Updated DNS zone details page.
  * Replaced description text fields with text areas.
  * Use editable combobox for service type.
  * Added confirmation when adding multiple entries.
  * Added selectable labels for radio buttons.
  * Fixed dependency problem in UI test.
  * Fixed inconsistent required/optional attributes.
  * Fixed host Enrolled column.
  * Fixed problem clearing validation error on checkboxes.
  * Fixed "enroll" labels.
  * Merged widget's metadata and param_info.
  * Refactored validation code.
  * Fixed inconsistent image names.
  * Fixed inconsistent details facet validation.
  * Added password field in user adder dialog.
  * Fixed blank krbtpolicy and config pages.
  * Moved facet code into facet.js.
  * Added extensible UI framework.
  * Fixed problem changing page in association facet.
  * Updated sample data.
  * Added paging on search facet.
  * Refactored permission target section.
  * Removed develop.js.
  * Added commands into metadata.
  * Removed HBAC rule type.
  * Removed HBAC deny rule warning.
  * Refactored entity object resolution.
  * Fixed ipa.js for sessions.
  * Fixed entity definition in test cases.
  * Added support for radio buttons in table widget.
  * Fixed entity metadata resolution.
  * Refactored facet.load().
  * Added HBAC Test page.
  * Fixed navigation buttons for HBAC Test.
  * Fixed search filter in HBAC Test.
  * Added external fields for HBAC Test.
  * Fixed CSS for HBAC Test
  * Fixed I18n labels for HBAC Test
  * Fixed matched/unmatched checkboxes in HBAC Test
  * Added HBAC Test input validation.
  * Fixed problem loading DNS records.
  * Fixed unmatched checkbox name.
  * Fixed combobox icon position.
  * Fixed combobox search icon position.
  * Reload UI when the user changes.
  * Reload UI on server upgrade.
  * Added account status into user search facet.
  * Added policies into user details page.
  * Load user data and policies in a single batch.
  * Added instructions to generate CSR.
  * Fixed problem removing automount keys and DNS records.
  * Enabled paging on self-service permissions and delegations.
  * Enabled paging on automount keys.
  * Show disabled entries in gray.
  * Fixed inconsistent status labels.
  * Fixed host managed-by adder dialog.
  * Added icons for status column.
  * Hide Add/Delete buttons in self-service mode.
  * Use fixed font when displaying certificate.
  * Show password expiration date.

JR Aquino (1):
  * Replication: Adjust replica installation to omit processing memberof 

Jan Cholasta (15):
  * Finalize plugin initialization on demand.
  * Don't leak passwords through kdb5_ldap_util command line arguments.
  * Parse comma-separated lists of values in all parameter types. This 
can be enabled for a specific parameter by setting the "csv" option to True.
  * Fix make-lint crash under certain circumstances.
  * Fix attempted write to attribute of read-only object.
  * Add LDAP schema for SSH public keys.
  * Add LDAP ACIs for SSH public key schema.
  * Add support for SSH public keys to user and host objects.
  * Add API initialization to ipa-client-install.
  * Move the nsupdate functionality to separate function in 
  * Update host SSH public keys on the server during client install.
  * Configure ssh and sshd during ipa-client-install.
  * Base64-decode unicode values in Bytes parameters.
  * Add SSH service to platform-specific services.
  * Move the compat module from ipalib to ipapython.

John Dennis (10):
  * If "make rpms" fails so will the next make
  * Remove old RPMROOT contents before it is used for rpmbuild
  * update i18n pot file for branch ipa-2-1
  * Add log manager module
  * modify codebase to utilize IPALogManager, obsoletes logging
  * IPAdmin undefined anonymous parameter lists
  * subclass SimpleLDAPObject
  * Restore default log level in server to INFO
  * Add ipa_memcached service
  * add session manager and cache krb auth

Marko Myllynen (1):
  * include <stdint.h> for uintptr_t

Martin Kosek (52):
  * Add connection failure recovery to IPAdmin
  * Make sure that install tools log
  * Add --zonemgr/--admin-mail validator
  * Create pkey-only option for find commands
  * Allow custom server backend encoding
  * Fix DNS zone --allow-dynupdate option behavior
  * Improve DNS record data validation
  * Polish ipa config help
  * Hosts file not updated when IP is passed as option
  * Fix API.txt
  * Fix LDAP object parameter encoding
  * Remove redundant information from API.txt
  * Fix coverity issues in client CLI tools
  * Make ipa-server-install clean after itself
  * Add --delattr option to complement --setattr/--addattr
  * Improve zonemgr validator and normalizer
  * Change default DNS zone manager to hostmaster
  * Fix config migration option
  * Ask for user confirmation in ipa-server-install
  * Add DNS check to conncheck port probe
  * Refactor dnsrecord processing
  * Fix Parameter csv parsing
  * Improve CLI output for complex commands
  * Create per-type DNS API
  * Fix maxvalue in DNS plugin
  * Fix LDAP add calls in replication module
  * Prevent service restart failures in ipa-replica-install
  * Fix LDAP updates in ipa-replica-install
  * Let replicas install without DNS
  * Restore ACI when aci_mod fails
  * Add missing --pkey-only option for selfservice and delegation
  * Replace float with Decimal
  * Improve host-add error message
  * Fix ipa-server-install for dual NICs
  * Fix selfservice-find crashes
  * Mark optional DNS record parts
  * Fix ldap2 combine_filters for ldap2.MATCH_NONE
  * Add missing managing hosts filtering options
  * Improve netgroup-add error messages
  * Fix TXT record parsing
  * Fix NSEC record conversion
  * Add SRV record target validator
  * Add data field for A6 record
  * Improve dnszone-add error message
  * Improve migration help
  * Fix raw format for ACI commands
  * Improve password change error message
  * Remove debug messages
  * Add argument help to CLI
  * Return proper DN in netgroup-add
  * Remove unused options from ipa-managed-entries
  * Add Petr Viktorín to Contributors.txt

Ondrej Hamada (9):
  * Misleading Keytab field
  * Sort password policy by priority
  * Client install checks for nss_ldap
  * User-add random password support
  * HBAC test optional sourcehost option
  * localhost.localdomain clients refused to join
  * Leave nsds5replicaupdateschedule parameter unset
  * Fix 'no-reverse' option description
  * Memberof attribute control and update

Petr Viktorin (5):
  * Switch --group and --membergroup in example for delegation
  * Fix/add options in ipa-managed-entries man page
  * Honor default home directory and login shell in user_add
  * Clean up i18n strings
  * Internationalization for HBAC and ipalib.output

Petr Voborník (55):
  * Circular entity dependency
  * Fixed: Duplicate CSS definitions
  * Fixing infinite loop in UI navigation unit test.
  * Minor visual enhancement of required indicator
  * Page is cleared before it is visible
  * Field for DNS SOA class changed to combobox with options
  * Extending facet's mechanism of gathering changes
  * Added cross browser support of Array.indexOf method
  * Splitting widget into widget and field
  * Splitting basic widgets into visual widgets and fields
  * Improved fields dirty status detection logic
  * Builders and collections for fields and widgets
  * Removing sections as special type of object
  * Added possibility to define facet/dialog specific policies
  * Modifying users to work with new concept
  * Modifying hosts to work with new concept
  * Modifying dns to work with new concept
  * Modifying services to work with new concept
  * Separation of writable update from field load method
  * Modifying ACI to work with new concept
  * Modifying groups to work with new concept
  * Code cleanup of HBAC, Sudo rules
  * Changing definition of basic fields in section from factory to type
  * Modifying automount to work with new concept
  * Fixed unit tests after widget refactoring
  * Removed usage of bitwise assignment operators in logical operations
  * Search facets show translated boolean values
  * Better displaying of long names in tables and facet headers
  * Additional better displaying of long names
  * Reordered facets in ACI
  * Association facets are read only in self service
  * Added facet tabs coloring
  * Fixed displaying of external records in rule association widgets
  * Distinguishing of external values in association tables
  * Better table column width computing
  * Fixed labels in Sudo, HBAC rules
  * Parsing of IPv4 and IPv6 addresses
  * Added support of custom field validators
  * Added validation logic to multivalued text field
  * Added client-side validation of A and AAAA DNS records
  * Fixed IPv6 validation special case: single colon
  * Added support for memberof attribute in permission
  * Added IP address validator to Host and DNS record adder dialog
  * Fixed entity link disabling
  * UI for SELinux user mapping
  * Added refresh button for UI
  * Modifying DNS UI to benefit from new DNS API
  * Added paging to DNS record search facet
  * Navigation and redirection to various facets
  * Automember UI
  * Automember UI - default groups
  * Automember UI - Fixed I18n labels
  * Removed question marks from field labels
  * UI support for ssh keys
  * Redirection to PTR records from A,AAAA records

Rob Crittenden (54):
  * Use absolute paths when trying to find certmonger request id.
  * Reorder privileges so that memberof for permissions are generated 
  * Fix some pylint issues found in F-16
  * Fix two typos in role help.
  * Move ONLY_CLIENT in spec so services.py always gets generated in 
  * Remove calls to has_managed_entries()
  * Fix copy/paste error in parameter description.
  * Add Ondrej Hamada to Contributors.txt
  * Don't check for 389-instances.
  * Clarify usage of --posix argument in group plugin.
  * Add plugin framework to LDAP updates.
  * Fix some issues introduced when rebasing update patch
  * Mark some attributes required to match the schema.
  * Add SELinux user mapping framework.
  * Display the value of memberOf ACIs in permission plugin.
  * Set minimum version of 389-ds to 1.2.10-0.5.a5
  * Fix typos in in 60basev3.ldif
  * Remove include for errno.h that was specific to 2.1 branch
  * Remove ipa_get_random_salt() from ipapwd_encoding.c
  * update i18n pot file for branch ipa-2-2
  * Remove buffer log handling.
  * Configure s4u2proxy during installation.
  * Document the ping plugin.
  * Catch exception when trying to list missing managed entries definitions
  * Fix some typos in automember help and paramters.
  * Add labels so HBAC and Sudo rules show under hosts/hostgroups.
  * Use correct template variable for hosts, FQDN.
  * In sudo when the category is all do not allow members, and vice versa.
  * Update and package ipa-upgradeconfig man page.
  * Fix deletion of HBAC Rules when there are SELinux user maps defined
  * Add support for storing MAC address in host entries.
  * Don't try to bind on TLS failure
  * Check for the existence of a replication agreement before deleting it.
  * %ghost the UI files that we install/create on the fly
  * Make submount automount maps work.
  * Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
  * Consolidate external member code into two functions in baseldap.py
  * Make ipaconfigstring modifiable by users.
  * Don't use sets when calculating the modlist so order is preserved.
  * Add update files for SELinuxUserMap
  * Add update file for new schema in v2.2/3.0
  * Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
  * Don't set delegation flag in client, we're using S4U2Proxy now
  * Update S4U2proxy delegation list when creating replicas
  * Correct update syntax in 30-s4u2proxy.update
  * Remove Apache ccache on upgrade.
  * Add S4U2Proxy delegation permissions on upgrades
  * Disable false pylint error in freeipa-systemd-upgrade
  * Enable ipa_memcached when upgrading
  * Configure ipa_memcached when a replica is installed.
  * Use FQDN in place of FQHN for consistency in sub_dict.
  * Set min for 389-ds-base to to fix install segfault, 
schema replication.

Simo Sorce (77):
  * Fix build warnings
  * ipa-pwd_extop: use endian.h instead of nih function
  * krbinstance: use helper function to get realm suffix
  * ipa-pwd-extop: Remove unused variables and code to set them
  * ipa-pwd-extop: do not append mkvno to krbExtraData
  * ipa-pwd-extop: Use the proper mkvno number in keys
  * ipa-pwd-extop: re-indent code using old style
  * ipa-pwd-extop: Use common krb5 structs from kdb.h
  * ipa-pwd-extop: Move encryption of keys in common
  * ipa-pwd-extop: Move encoding in common too
  * ipa-pwd-extop: make encsalt parsing function common
  * ipa-kdb: Initial plugin skeleton
  * ipa-kdb: add exports file
  * ipa-kdb: initialize module functions
  * ipa-kdb: implement get_time function
  * ipa-kdb: add common utility ldap wrapper functions
  * ipa-kdb: functions to get principal
  * ipa-kdb: add function to free principals
  * ipa-kdb: add functions to delete principals
  * ipa-kdb: add function to iterate over principals
  * ipa-kdb: add functions to change principals
  * ipa-kdb: Get/Store Master Key directly from LDAP
  * ipa-kdb: implement function to retrieve password policies
  * ipa-kdb: implement change_pwd function
  * util: add password policy manipulation functions
  * ipa-pwd-extop: Use common password policy code
  * ipa-kdb: add password policy support
  * ipa-pwd-extop: Allow kadmin to set krb keys
  * ipa-kdb: Change install to use the new ipa-kdb kdc backend
  * install: Remove uid=kdc user
  * ipa-kdb: Be flexible
  * install: Use proper case for boolean values
  * daemons: Remove ipa_kpasswd
  * schema: Split ipadns definitions from basev2 ones
  * v3-schema: Add new ipaExternalGroup objectclass
  * install: We do not need a ldap password anymore
  * install: We do not need a kpasswd keytab anymore
  * ipa-kdb: Properly set password expiration time.
  * conncheck: Additional check to verify the admin password is ok
  * ipa-kdb: Fix expiration time calculation
  * ipa-kdb: Fix legacy password hashes generation
  * ipa-kdb: Fix memory leak
  * Fix CID 10742: Unchecked return value
  * Fix CID 10743: Unchecked return value
  * Fix CID 10745: Unchecked return value
  * Fix CID 11019: Resource leak
  * Fix CID 11020: Resource leak
  * Fix CID 11021: Resource leak
  * Fix CID 11022: Resource leak
  * Fix CID 11023: Resource leak
  * Fix CID 11024: Resource leak
  * Fix CID 11025: Resource leak
  * Fix CID 11026: Resource leak
  * Fix CID 11027: Wrong sizeof argument
  * Add support for generating PAC for AS requests for user principals
  * MS-PAC: Add support for verifying PAC in TGS requests
  * Modify random salt creation for interoperability
  * Amend #2038 fix
  * Add missing copyright header
  * ipa-kdb: Support re-signing PAC with different checksum
  * spec: We do not need krb5-server-ldap anymore
  * ipa-kdb: fix free() of uninitialized var
  * ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles
  * ipa-kdb: fix memleaks in ipa_kdb_mspac.c
  * ipa-kdb: Fix copy and paste typo
  * ipa-kdb: enhance deref searches
  * ipa-kdb: Add delgation access control support
  * ipa-kdb: return properly when no PAC is available
  * ipa-kdb: Verify the correct checksum in PAC validation
  * ipa-kdb: Create PAC's KDC checksum with right key
  * Disable MS-PAC handling in 2.2
  * Fix replication setup
  * slapi-plugins: use thread-safe ldap library
  * ipa-kdb: add AS auditing support
  * ipa-kdb: Avoid lookup on modify if possible
  * ipa-kdb: set krblastpwdchange only when keys have been effectively 

More information about the Freeipa-interest mailing list