[Freeipa-interest] Announcing FreeIPA 4.4.2

[Petr Vobornik]

The FreeIPA team would like to announce FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 24 will be available in the official COPR repository
<https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/>.

This announcement is also available on
http://www.freeipa.org/page/Releases/4.4.2

Fedora 25 update:
https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25

== Highlights in 4.4.2 ==
=== Known Issues ===
* ipa-ca-install fails on replica when master is CA-less #6226
* ipa cert-find command doesn't return revocation reason in output, Web
UI then cannot display proper state of a certificate #6269

=== Bug fixes ===
FreeIPA 4.4.2 is a stabilization release for the features delivered as a
part of 4.4.0. There are more than 40 bug-fixes which details can be
seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on upgrade page
<http://www.freeipa.org/page/Upgrade>.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.

== Resolved tickets ==
* 4802 Investigate & document if TLS 1.2 is properly supported
* 5557 Strict dependency of optional package pam_krb5
* 5644 dnsrecord-del incompatible with admintools < ver 3.2 and server
>= ver 3.2
* 5725 failed ipa-server-install --uninstall returns exit code 0
* 5754 ipa-client-install man page has incorrect data on hostname
* 5755 test_0006_service_show  in test_cert_plugin uses global variable
wrong
* 5809 ipa-server-install fails when using external certificates that
encapsulate RDN components in double quotes
* 5814 Change IP address validation errors to warnings [support for
cloud environments]
* 5818 webui: "Restore" option is not available for a preserved user in
detailed info
* 5822 Cannot create user with username exactly 255 charaters long
* 5855 method get_primary_key_from_dn does not work for netgroups properly
* 6057 adding two way non transitive(external) trust displays internal
error on the console
* 6095 ipa command stuck forever on higher versioned client with lower
versioned server
* 6155 [tracker] Failed to configure CA instance
* 6190 Regressions found by test: ipa.test_ipalib.test_parameters
* 6203 dnsrecord-add does not prompt for missing record parts internactively
* 6212 Pretty-print mismatches in tests
* 6216 webui: cert_revoke should use --cacn to set correct CA when
revoking certificate
* 6221 Certificate revocation in service-del and host-del isn't aware of
Sub CAs
* 6230 installer: external CA step 1 successful but reports ScriptError
* 6238 Unable to view certificates issued by Sub CA in Web UI
* 6256 [tracker] Revoke certificate on lightweight CA deletion
* 6257 Implement ca-enable/disable commands.
* 6260 cert-request: use better error message when CA is disabled
* 6273 Command autocompletion without installed server prints an error
message
* 6279 CLI always sends default command version
* 6285 Tests: Regex errors in trust tests
* 6288 ipa-certupdate fails with "CA is not configured"
* 6294 TypeError in installer
* 6296 client-install with IPv6 address fails on link-local address (always)
* 6300 Remove the assertion of incorrect return code from
replica_promotion tests
* 6301 Fix replica_promotion tests
* 6304 cert-find --certificate does not work for certificates not in LDAP
* 6306 Add cleanup to integration trust tests
* 6309 cert-request does not raise error when CSR does not match profile
pattern
* 6312 Failing ldap backend test because service not found
* 6313 Failing test in test_ipalib/test_plugable
* 6322 Add krb5kdc restart to integration trust tests
* 6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* 6326 Update host test with ipa-join
* 6327 regression in `ipa cert-revoke --help`
* 6328 ipa trust-fetch-domains throws internal error
* 6329 WinSync users who have First.Last casing creates users who can
have their password set
* 6330 Invalid description for --hostname option in ipa-server-install
man page
* 6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in
outoftree suite
* 6338 [Tests] Remove SSSD restart from integration tests
* 6341 Certificate UI on details page shows add button even if user
doesn't have write right
* 6349 Tests: incomplete cleanup of CA plugin XMLRPC tests
* 6366 Extend CA ACL tests for test cases with CSR containing Subject
Alt Name
* 6368 otpd doesn't properly handle closing of ldap connection
* 6373 test_util.test_assert_deepequal fails
* 6382 Test: disable test for wrong client domain in domain level 0
* 6385 ipa-server-install --external-ca fails with AttributeError
* 6390 python-dns 1.15.0 breaks FreeIPA
* 6391 make FreeIPA codebase ready for pylint in Fedora rawhide
* 5791 CA fails to start after doing ipa-ca-install --external-ca
== Detailed changelog since 4.4.1 ==
=== Christian Heimes (1) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5

=== David Kupka (2) ===
* UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper
(un)pickling
* schema cache: Store and check info for pre-schema servers

=== Florence Blanc-Renaud (2) ===
* Fix regression introduced in ipa-certupdate
* Fix ipa-certupdate for CA-less installation

=== Fraser Tweedale (10) ===
* Add commentary about CA deletion to plugin doc
* spec: require Dogtag >= 10.3.5-6
* cert-request: raise error when request fails
* Make host/service cert revocation aware of lightweight CAs
* cert-request: raise CertificateOperationError if CA disabled
* Use Dogtag REST API for certificate requests
* Add HTTPRequestError class
* Allow Dogtag RestClient to perform requests without logging in
* Add ca-disable and ca-enable commands
* Track lightweight CAs on replica installation

=== Jan Cholasta (8) ===
* test_plugable: update the rest of test_init
* dns: re-introduce --raw in dnsrecord-del
* client: remove hard dependency on pam_krb5
* cert: fix cert-find --certificate when the cert is not in LDAP
* dns: fix crash in interactive mode against old servers
* dns: prompt for missing record parts in CLI
* dns: normalize record type read interactively in dnsrecord_add
* cli: use full name when executing a command

=== Lenka Doudova (11) ===
* Tests: Certificate revocation
* Tests: Remove invalid certplugin tests
* Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* Tests: Fix host attributes in ipa-join host test
* Tests: Update host test with ipa-join
* Tests: Add krb5kdc.service restart to integration trust tests
* Tests: Remove SSSD restart from integration tests
* Tests: Fix integration sudo tests setup and checks
* Tests: Fix failing ldap.backend test
* Tests: Add cleanup to integration trust tests
* Tests: Fix regex errors in integration trust tests

=== Martin Babinsky (13) ===
* disable warnings reported by pylint-1.6.4-1
* mod_nss: use more robust quoting of NSSNickname directive
* Move character escaping function to ipautil
* Make Continuous installer continuous only during execution phase
* use separate exception handlers for executors and validators
* ipa passwd: use correct normalizer for user principals
* trust-fetch-domains: contact forest DCs when fetching trust domain info
* netgroup: avoid extraneous LDAP search when retrieving primary key from DN
* ldapupdate: Use proper inheritance in BadSyntax exception
* raise ValidationError when deprecated param is passed to command
* Always fetch forest info from root DCs when establishing one-way trust
* factor out `populate_remote_domain` method into module-level function
* Always fetch forest info from root DCs when establishing two-way trust

=== Martin Basti (17) ===
* test_text: add test ipa.pot file for tests
* Test: dont use global variable for iteration in test_cert_plugin
* Use constant for user and group patterns
* Fix regexp patterns in parameters to not enforce length
* Add check for IP addresses into DNS installer
* Fix missing config.ips in promote_check
* Abstract procedures for IP address warnings
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.
* Tests: extend DNS cmdline tests with lowercased record type
* Show warning when net/broadcast IP address is used in installer
* Allow multicast addresses in A/AAAA records
* Allow broadcast ip addresses
* Allow network ip addresses
* Fix parse errors with link-local addresses
* Fix ScriptError to always return string from __str__
* Set zanata project-version fo 4.4 branch

=== Milan Kubík (3) ===
* ipatests: Implement tests with CSRs requesting SAN
* ipatests: Fix name property on a service tracker
* ipatests: provide context manager for keytab usage in RPC tests

=== Nathaniel McCallum (1) ===
* Properly handle LDAP socket closures in ipa-otpd

=== Oleg Fayans (4) ===
* Test: disabled wrong client domain tests for domlevel 0
* Changed addressing to the client hosts to be replicas
* Several fixes in replica_promotion tests
* Removed incorrect check for returncode

=== Petr Spacek (1) ===
* Fix compatibility with python-dns 1.15.0

=== Pavel Vomacka (5) ===
* WebUI: hide buttons in certificate widget according to acl
* Add 'Restore' option to action dropdown menu
* WebUI add support for sub-CAs while revoking certificates
* WebUI: Fix showing certificates issued by sub-CA
* Add support for additional options taken from table facet

=== Stanislav Laznicka (5) ===
* Make installer quit more nicely on external CA installation
* Fix test_util.test_assert_deepequal test
* Pretty-print structures in assert_deepequal
* Remove update_from_dict() method
* Updated help/man information about hostname

=== Tomas Krizek (4) ===
* Keep NSS trust flags of existing certificates
* Update ipa-server-install man page for hostname
* Add help info about certificate revocation reasons
* Don't show error messages in bash completion


-- 
Petr Vobornik