[Freeipa-interest] Announcing FreeIPA 3.2.0 Beta 1

Rob Crittenden rcritten at redhat.com
Thu Apr 18 13:38:14 UTC 2013

The FreeIPA team is proud to announce the first Beta of FreeIPA v3.2.0. 
We would like to welcome any early testers of this Beta to provide us 
feedback and help us stabilize this feature release which we plan to 
release as final in the beginning of May 2013.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new 
version has also been built for Fedora 19 Alpha.

== Highlights in 3.2.0 Beta 1 ==

=== New features for 3.2.0 ===

* Support installing FreeIPA without an embedded Certificate Authority, 
with user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database 
based on their serial number, validity or revocation details. This 
feature is available both as a CLI command and Web UI page. [2]
* New trustconfig-show and trustconfig-mod command. Show or modify AD 
Trust settings generated during AD Trust installation 
(ipa-adtrust-install) [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers 
for trusts with Active Directory [12]
* New realmdomains-show and realmdomains-mod command. Manage list of DNS 
domains associated with FreeIPA realm (realmdomains sommand). This list 
is primarily used by AD, which can pull all domains managed by FreeIPA 
and use that list for routing authentication requests for domains which 
do not match FreeIPA realm name. [4]
* Support trusted domain users in HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per-trust (trust-mod 
command). [5]
* Configurable PAC type for services. Service commands can now configure 
a set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled 
for the service.
* Faster UI loading. FreeIPA Web UI application is now packaged in 
minimalized format. FreeIPA web server is now also able to transmit data 
in compressed format. [6] [7]
* UI now accepts confirmation of cancel of its dialogs via keyboard [11]
* Client reenrollment. A host that has been recreated can now be 
reenrolled to FreeIPA server using a backed up host keytab or admin 
credentials [8]
* Service and Host commands now provide options to add or remove 
selected Kerberos flags [9]
* Full system backup and restore [13]
* Source hosts have been completely removed from HBAC. They haven't been 
used by SSSD for quite some time and are being removed to avoid the 
suggestion that they might actually do something.
* Updated French and Ukranian translations.

=== Beta 1 limitations ===

* List of DNS domains associated with FreeIPA realm currently only works 
with a special Samba build available for Fedora 18:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
rebuild FreeIPA 3.2.0 beta 1 against this Samba version in order to get
it working.
* Test of trusted domain users in HBAC rules is accessible to only to 
members of 'Trust Admins' group due to privilege limitations
* Same applies to any other trust-specific operations that require 
translation between user/group name and its security identifier (SID)

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users 
and groups from OpenLDAP database instances.
* Migration process is now also a lot faster and provides more debug 
output (to httpd error log).
* SUDO rules disabled by sudorule-disable command are now removed from
ou=sudoers compat tree without a need to restart 389 Directory Server 
* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
* Fixed server installation with external CA (--external-ca)
* Consolidate on-line help system, show help without need of valid 
Kerberos credentials (ipa help)
* New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
attribute for replicas which either do not have integrated DNS service 
enabled to which have disabled SOA serial autoincrement
* LDAP lockout plugin has been fixed so that lockout policies are 
applied consistently both for LDAP binds and Kerberos authentication
* ... and many others stabilization fixes, see Detailed changelog for 
full details

== Changes in API or CLI ==

=== Dropped --selfsign option ===

FreeIPA servers prior to 3.2.0 could be installed with --selfsign 
option. This configured the server with a NSS database based Certificate 
Authority with a selfsigned CA certificate and limited certificate 
operation support.

This option was always intended for development or testing purposes only 
and was not intended for use in production. This release drops this 
option and deprecates the functionality. Current FreeIPA servers 
installed with --selfsigned option will still work, instructions on how 
to migrate to supported certificate options will be provided.

FreeIPA servers version 3.2.0 and later supports the following 2 flavors 
of certificate management:
* FreeIPA with pki-ca (dogtag) with either a self-signed certificate or 
with a certificate signed by external CA (--external-ca option)
* FreeIPA with no pki-ca installed with certificates signed and provided 
by an external CA [1]

=== Dropped CSV support ===

FreeIPA client CLI supported CSV in some arguments so that multiple 
values could be added with just one convenient option:

  ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
  ipa dnsrecord-add example.com --a-rec=,

CSV parsing however introduces great difficulty when trying to include a 
value with an embedded space in it. Escaping these values is not 
intuitive and made it very difficult to add such values. The level of 
effort in working around the CSV problems has come to the point where 
the benefits of it are outweighed by the problems which lead to decision 
to drop CSV support in CLI altogether [10].

There are several ways to workaround lack of CSV:

Provide an argument multiple times on the command-line:

  ipa permission-add some-perm --permissions=read --permissions=write 
--attrs=sn --attrs=cn
  ipa dnsrecord-add example.com --a-rec= --a-rec=

Let BASH do the expansion for you:

  ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
  ipa dnsrecord-add example.com --a-rec={,}

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.

Please note, that the referential integrity extension requires an 
extended set of indexes to be configured. RPM update for an IPA server 
with a excessive number of hosts, SUDO or HBAC entries may require 
several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.

== Documentation ==

* [1] http://www.freeipa.org/page/V3/CA-less_install
* [2] http://www.freeipa.org/page/V3/Cert_find
* [3] http://www.freeipa.org/page/V3/Trust_config_command
* [4] http://www.freeipa.org/page/V3/Realm_Domains
* [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
* [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression
* [7] http://www.freeipa.org/page/V3/WebUI_build
* [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
* [9] http://www.freeipa.org/page/V3/Kerberos_Flags
* [10] http://www.freeipa.org/page/V3/Drop_CSV
* [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation
* [12] http://www.freeipa.org/page/V3/MultipleTrustServers
* [13] http://freeipa.org/page/V3/Backup_and_Restore

== Detailed Changelog since 3.2.0.pre1 ==

Alexander Bokovoy (1):
* spec: detect Kerberos DAL driver ABI change from installed krb5-devel

Ana Krivokapic (7):
* Remove CA cert on client uninstall
* Fix output for some CLI commands
* Add missing summary message to dnszone_del
* Remove HBAC source hosts from web UI
* Remove any reference to HBAC source hosts from help
* Deprecate HBAC source hosts from CLI
* Integrate realmdomains with IPA DNS

Jan Cholasta (4):
* Do actually stop pki_cad in stop_pkicad instead of starting it.
* Use only one URL for OCSP and CRL in IPA certificate profile.
* Use A/AAAA records instead of CNAME records in ipa-ca.
* Delete DNS records in ipa-ca on ipa-csreplica-manage del.

Martin Kosek (2):
* Fix trustconfig-mod primary group error
* Require new samba and krb5

Petr Viktorin (7):
* Display full command documentation in online help
* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
* ipa-server-install: correct help text for --external_{cert,ca}_file
* Update translations from Transifex
* Uninstall selfsign CA on upgrade
* Remove obsolete self-sign references from man pages, docstrings, comments
* Drop --selfsign server functionality

Petr Vobornik (6):
* Add ipakrbokasdelegate option to service and host Web UI pages
* Run permission target switch action only for visible widgets
* Filter groups by type (POSIX, non-POSIX, external)
* Global trust config page
* Don't show trusts pages when trust is not configured
* Fix regression in group type selection in group adder dialog

Rob Crittenden (5):
* Fix two failing tests due to missing krb ticket flags
* Full system backup and restore
* Apply LDAP update files in blocks of 10, as originally designed.
* Revert "Fix permission_find test error"
* Become 3.2.0 Beta 1

Tomas Babej (2):
* Add nfs:NONE to default PAC types only when needed
* Update only selected attributes for winsync agreement

More information about the Freeipa-interest mailing list