[Freeipa-interest] Announcing FreeIPA 4.8.0
Alexander Bokovoy
abokovoy at redhat.com
Wed Jul 3 07:03:56 UTC 2019
The FreeIPA team would like to announce FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR repository].
== Highlights in 4.8.0 ==
=== Enhancements ===
FreeIPA 4.8.0 is a major release. Below is the list of noticeable
changes between FreeIPA 4.7 and 4.8.0:
* Removal or deprecation of weak ciphers
Following a general effort to harden FreeIPA deployments, FreeIPA 4.8.0
removes default support for weak ciphers. 3DES and RC4 ciphers are not
accessible for use in Kerberos anymore, and, in addition, Camelia
ciphers are not accessible when FreeIPA is deployed in FIPS mode. The
only permitted ciphers are the AES family (called aes, which is the
combination of: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode by the underlying
system crypto libraries. While 3DES is permitted, the KDF used for it
in Kerberos V protocol is not, and Microsoft doesn't implement 3DES
anyway.
--------
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
FreeIPA 4.8.0 introduces a tool to configure Samba file server on IPA
client. The tool, "ipa-client-samba" performs Samba configuration and
creates all required services on IPA side. Both the client side and the
server side (IPA master) require FreeIPA 4.8.0 due to multiple changes
introduced. Please see
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md domain controller] and
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-member.md domain member]
design documents for more details.
--------
* 4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts url parameter to provide
the user with a back link after successful password reset, to support
resets initiated by external web applications. Additional parameter
delay automatically redirects back after the specified number of seconds
has elapsed.
--------
* 4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes Python-based installer of 389-ds directory server
--------
* 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56
Original FreeIPA 4.7.90.pre1 set FreeIPA LDAP server default
configuration to require SASL security strength factor higher than 56
bit. However, this change caused "realmd" and other enrollment tools to
fail as they expected to be able to retrieve certain information from
FreeIPA LDAP server unauthenticated. The change for the server
configuration was backed off. We intend to revisit this hardnening later
in FreeIPA 4.8 series.
--------
* 5608: Tech preview: add Dogtag configuration extensions
FreeIPA team started rewrite of the Certificate Authority configuration
to make possible passing additional options when configuring Dogtag.
This is required to allow use of hardware secure (HSM) modules within
FreeIPA CA but also to allow tuning CA defaults. HSM configuration is
not yet fully available due to a number of open issues in Dogtag itself.
--------
* 5803: Add utility to promote CA replica to CRL master
New utility was added to promote a CA replica to be the CRL master.
[https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master
Design page] provides more details and use examples.
--------
* 6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing trust to Active
Directory from Windows side using a Trust wizard. This allows to
establish a one-way trust authenticated by a shared trust secret.
Additionally, it allows to establish a trust with Samba AD DC 4.7 or
later, initiated from Samba AD DC side.
--------
* 6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it's the
recommended size by NIST. An extensibility feature added with ticket
5608 allows increasing the CA key size further buta 4096-bit key is
considerably slower. The change only affects new deployments. There is
no way to upgrade existing CA infrastructure other than issuing a new CA
key and re-issuing new certificates to all existing users of the old
root CA. In addition, lightweight sub-CAs are currently hard-coded to
2048 bit key size. All relevant public root CAs in the CA/B forum use
2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
--------
* 7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces own umask settings that are known to
work at install time at hardened sites which follow some of STIG
recommendations.
--------
* 7200: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even
though the PKINIT cert is not re-issued. The command triggers the
request of a new certificate (signed by IPA CA when state=enable,
selfsigned when disabled), but as the cert file is still present,
certmonger does not create a new request and the existing certificate is
kept.
The fix consists in deleting the cert and key file before calling certmonger to request a new cert.
--------
* 7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to
see a fully qualified name of the server. This change helps to reduce
confusion when managing complex multi-datacenter topologies.
--------
* 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs
clean.
--------
* 7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true:
** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
** All of the DNS entries in the resolution chain are managed by this IPA instance.
** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
--------
* 7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility anymore.
--------
* 7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window. This fix restarts the services as soon as all the required files
are gathered, and compresses after services are restarted.
--------
* 7619, 7640, 7641: UI migration, password reset and configuration pages support translations
Static pages in FreeIPA web UI now allow translated content
--------
* 7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise
Linux.
--------
* 7667: Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now
disabled by default. TLS 1.2 works everywhere and supports perfect
forward secrecy mode (PFS).
--------
* 7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to
upgrade to FreeIPA 4.8.0 via replication, an existing deployment must
first be brought up to Domain Level 1.
--------
* 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
If a supplier or consumer of LDAP replication data has never done a
total update, its status is not shown anymore in "ipa-replica-manage
list" output
--------
* 7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks user for NTP source server or pool address in
interactive mode if there is no server nor pool specified and
autodiscovery has not found any NTP source in DNS records.
--------
* 7892: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to
clients or other masters. Hidden replicas have all services running and
available, but none of the services has any DNS SRV records or enabled
LDAP server roles. This makes hidden replicas invisible for service
discovery.
[https://pagure.io/freeipa/blob/master/f/doc/designs/hidden-replicas.md Design document]
provides more details on use cases and management of hidden replicas.
--------
* PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient
no longer depend on the binary extensions netifaces and python-ldap by
default.
--------
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.8.0 is a first stable release in 4.8 series.
There are more than 50 bug-fixes since 4.7.90pre1 pre-release. Details
of the bug-fixes can be seen in the list of resolved tickets below.
Changes for 4.7.90pre1 can be found at
[https://www.freeipa.org/page/Releases/4.7.90.pre1 4.7.90.pre1 release
page]
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/2018 #2018] Change hostname length limit to 64
* [https://pagure.io/freeipa/issue/3999 #3999] [RFE] Fix and Document how to set up Samba File Server with IPA
* [https://pagure.io/freeipa/issue/4812 #4812] Switch nsslapd-unhashed-pw-switch to nolog
* [https://pagure.io/freeipa/issue/5062 #5062] [WebUI] Unlock option is enabled for all user.
* [https://pagure.io/freeipa/issue/6077 #6077] [RFE] Support One-Way Trust authenticated by trust secret
* [https://pagure.io/freeipa/issue/6627 #6627] WebUI: Enable pagination
* [https://pagure.io/freeipa/issue/7139 #7139] Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
* [https://pagure.io/freeipa/issue/7647 #7647] Error message should be more useful while ipa-backup fails for insufficient space
* [https://pagure.io/freeipa/issue/7667 #7667] When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
* [https://pagure.io/freeipa/issue/7716 #7716] [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
* [https://pagure.io/freeipa/issue/7761 #7761] External CA renewal accepts issuer key < 2048-bit
* [https://pagure.io/freeipa/issue/7836 #7836] print appropriate message when uninstalling non-existent IPA client
* [https://pagure.io/freeipa/issue/7885 #7885] RFE: wrapper for Dogtag cert-fix command
* [https://pagure.io/freeipa/issue/7895 #7895] ipa trust fetch-domains, server parameter ignored
* [https://pagure.io/freeipa/issue/7917 #7917] Occasional 'whoami.data is undefined' error in FreeIPA web UI
* [https://pagure.io/freeipa/issue/7918 #7918] ipa-client-automount needs option to specify domain
* [https://pagure.io/freeipa/issue/7926 #7926] cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
* [https://pagure.io/freeipa/issue/7927 #7927] Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
* [https://pagure.io/freeipa/issue/7928 #7928] cn=cacert could show expired certificate
* [https://pagure.io/freeipa/issue/7930 #7930] Interactive promt for NTP options after install check.
* [https://pagure.io/freeipa/issue/7934 #7934] ipa-server-common expected file permissions in package don't match runtime permissions
* [https://pagure.io/freeipa/issue/7937 #7937] `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments
* [https://pagure.io/freeipa/issue/7939 #7939] Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
* [https://pagure.io/freeipa/issue/7940 #7940] ipatests.test_integration.test_legacy_clients failure
* [https://pagure.io/freeipa/issue/7941 #7941] ipapython/dn_ctypes.py: libldap_r shared library missing
* [https://pagure.io/freeipa/issue/7942 #7942] WebUI test for automount is broken
* [https://pagure.io/freeipa/issue/7943 #7943] [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format
* [https://pagure.io/freeipa/issue/7948 #7948] [FIPS] Use 3DES for certificate encryption when creating a PKCS#12
* [https://pagure.io/freeipa/issue/7951 #7951] IPA i18n_messages call does not obey translations requests
* [https://pagure.io/freeipa/issue/7952 #7952] ipa-backup file logging does not work
* [https://pagure.io/freeipa/issue/7953 #7953] ipa-pwd-extop: do not remove MagicRegen mod, replace it
* [https://pagure.io/freeipa/issue/7956 #7956] Ipatests don't honor TMPDIR, TEMP or TMP environment variables
* [https://pagure.io/freeipa/issue/7959 #7959] ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
* [https://pagure.io/freeipa/issue/7960 #7960] tests are failing to create secure LDAP connection in some test configurations
* [https://pagure.io/freeipa/issue/7962 #7962] Different pycodestyle results: Travis vs Azure
* [https://pagure.io/freeipa/issue/7963 #7963] x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
* [https://pagure.io/freeipa/issue/7964 #7964] GSSAPI failure causing LWCA key replication failure on f30
* [https://pagure.io/freeipa/issue/7965 #7965] Stop using 389-ds legacy tools for backup and restore
* [https://pagure.io/freeipa/issue/7969 #7969] test failure in test_caless.py::TestServerInstall
* [https://pagure.io/freeipa/issue/7970 #7970] test failure in test_backup_and_restore.py::TestBackupAndRestore
* [https://pagure.io/freeipa/issue/7972 #7972] automember rebuild sometimes appears to return before the rebuild is complete
* [https://pagure.io/freeipa/issue/7974 #7974] Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions
* [https://pagure.io/freeipa/issue/7977 #7977] tox 3.8.0+ fails on `make wheel_bundle`
* [https://pagure.io/freeipa/issue/7978 #7978] Missing configuration point for the default shell of user/admin
* [https://pagure.io/freeipa/issue/7981 #7981] Pytest4.x warnings
* [https://pagure.io/freeipa/issue/7982 #7982] Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
* [https://pagure.io/freeipa/issue/7983 #7983] Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount"
* [https://pagure.io/freeipa/issue/7984 #7984] make sure 'make fastlint' processes Python .in files
* [https://pagure.io/freeipa/issue/7986 #7986] Increase debugging level of certmonger
* [https://pagure.io/freeipa/issue/7988 #7988] test_nfs.py: errors when running ipa-client-automount
* [https://pagure.io/freeipa/issue/7990 #7990] Assumptions about systemd name of `named`
* [https://pagure.io/freeipa/issue/7992 #7992] ipa upgrade fails with trust entry already exists
* [https://pagure.io/freeipa/issue/7996 #7996] `test_selinuxusermap_plugin` fails against not default SELinux settings
* [https://pagure.io/freeipa/issue/7998 #7998] Use system-wide crypto policy in TLS client
* [https://pagure.io/freeipa/issue/7999 #7999] download errors in dnf in Azure pipelines
== Detailed changelog since 4.7.90pre1 ==
Detailed changelog since 4.7.90pre1 is available at https://www.freeipa.org/page/Releases/4.8.0
Detailed changelog for 4.7.90pre1 release is available at https://www.freeipa.org/page/Releases/4.7.90.pre1
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
More information about the Freeipa-interest
mailing list