[Freeipa-interest] FreeIPA 4.9.0 released

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 23 15:02:52 UTC 2020


Hello,

The FreeIPA team would like to announce the FreeIPA 4.9.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.

Due to the large size of the updates, please see all the details at
https://www.freeipa.org/page/Releases/4.9.0. Many of the updates were
already seen in FreeIPA 4.8 releases as they were backported there.
Nevertheless, the full list of changes can be found at the page linked
above.

== Highlights in 4.9.0

* 298: [RFE] Add support for cracklib to password policies

     FreeIPA password quality checking plugin has been extended to use
     libpwquality library. Password policies can now check for a reuse of
     a user name, dictionary words using a cracklib package, numbers and
     symbols replacement and repeating characters in the passwords.

* 2445: [RFE] IdM password policy should include checks for repeating
characters

     FreeIPA password quality checking plugin has been extended to use
     libpwquality library. Password policies can now check for a reuse of
     a user name, dictionary words using a cracklib package, numbers and
     symbols replacement and repeating characters in the passwords.
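     As an added illustration of the checks that tickets 298 and 2445
     describe (this is not FreeIPA's password policy plugin and it does
     not call libpwquality), the following script applies the same kinds
     of rules in plain Python: reuse of the user name, dictionary words
     with digit/symbol substitutions undone, and runs of repeated
     characters. The thresholds and the small word list standing in for
     a cracklib dictionary are assumptions made for the demonstration.

```python
"""Illustrative password-quality checks of the kind described above.

Added example: this is not FreeIPA's password policy plugin and does not
call libpwquality. The rule set, the thresholds (minimum length, longest
allowed run of identical characters) and the tiny word list standing in
for a cracklib dictionary are assumptions made for the demonstration.
"""
from typing import List

# Constructed stand-in for a cracklib dictionary.
DICTIONARY = {"password", "welcome", "freeipa", "kerberos", "secret"}

# Digit/symbol substitutions that are undone before the dictionary
# comparison, so that "p4ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Lower-case and undo common leet substitutions."""
    return candidate.lower().translate(LEET_MAP)


def longest_run(candidate: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 1 if candidate else 0
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(candidate: str, username: str, *,
                   min_length: int = 8, max_repeat: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    norm = normalize(candidate)
    if username and username.lower() in norm:
        failures.append("contains the user name")
    if any(word in norm for word in DICTIONARY):
        failures.append("based on a dictionary word")
    if longest_run(candidate) > max_repeat:
        failures.append(f"more than {max_repeat} identical characters in a row")
    return failures


if __name__ == "__main__":
    for pw in ("p4ssw0rd!", "B0b-ZZZZ9x", "correct-horse-7"):
        print(pw, "->", check_password(pw, "bob") or "accepted")
```

     The dictionary comparison runs on the normalised form, so a
     substitution-based variant of a word is caught as well as the word
     itself; the repeat check runs on the raw password because a run of
     identical characters is a weakness regardless of spelling.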

* 3299: [RFE] Switch the client to JSON RPC

     Clients now communicate with the FreeIPA server via JSON-RPC instead
     of XML-RPC by default. The new interface, for example, allows sending
     additional information (notices, warnings) when a management
     operation ends with an error.

* 3687: [RFE] IPA user account expiry warning.

     EPN stands for Expiring Password Notification. It is a standalone
     tool designed to build a list of users whose password would expire
     in the near future, and either display the list in a
     machine-readable (JSON) format, or send email notifications to these
     users. EPN provides command-line options to display the list of
     affected users. This provides data introspection and helps
     understand how many emails would be sent for a given day, or a given
     date range. The command-line options can also be used by a
     monitoring system to alert whenever a number of emails over the SMTP
     quota would be sent. EPN is meant to be launched once a day from an
     IPA client (preferred) or replica from a systemd timer. EPN does not
     keep state: the list of affected users is built at runtime but never
     kept.

* 3827: [RFE] Expose TTL in web UI

     DNS record time to live (TTL) parameters can now be edited in the Web UI.

* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA

     A Samba file server can now be configured on a FreeIPA-enrolled
     system to provide file services to users in the IPA domain and to
     users from trusted Active Directory forests.

* 4751: Implement ACME certificate enrolment

     Configure the Automatic Certificate Management Environment (ACME)
     protocol support provided by the dogtag CA.

* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI

* 5608: [RFE] Add Dogtag configuration extensions

* 5662: ID Views: do not allow custom Views for the masters

     Custom ID views cannot be applied to IPA masters. A check was added
     to both the IPA CLI and the Web UI that prevents applying custom ID
     views to masters, to avoid confusion and unintended side-effects.

* 5948: [RFE] Implement pam_pwquality featureset in IPA password
policies

* 6783: [RFE] Host-group names command rename

     Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod
     group-name --rename new-name'. Protected host groups ('ipaservers')
     cannot be renamed.

* 7137: [RFE]: Able to browse different links from IPA web gui in new
tabs

* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory
is enabled

     FreeIPA password policy plugin in 389-ds was extended to exempt
     non-Kerberos LDAP objects from checking Kerberos policy during
     password changes by the Directory Manager or a password
     synchronization manager. This issue affected, among others, an
     integrated CA administrator account during deployment of more than
     one replica in some cases.

* 7522: Disable cert publishing in dogtag

     Dogtag certificate publishing facility is not configured anymore as
     it is not used in FreeIPA.

* 7577: [RFE] DNS package check should be called earlier in installation
routine

     The ``--setup-dns`` knob and interactive installer now both check
     for the presence of freeipa-server-dns early and abort the installer
     with an error before starting actual deployment.

* 7695: ipa service-del should display principal name instead of Invalid
'principal'.

     When deleting services, the exact name of a system-required
     principal that couldn't be deleted is now reported.

* 7966: Add support for JSON-RPC in ipa-join

     The ipa-join tool now defaults to the JSON-RPC protocol when
     communicating with IPA masters. The choice of JSON-RPC or XML-RPC is
     now a compile-time setting.

* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails

* 8106: ca-certificate file not being parsed correctly on Ubuntu with
p11-kit-trust.so due to data inserted by FreeIPA Client install

     On Debian-based platforms update-ca-certificates does not support
     multiple certificates in a single file. On those platforms IPA
     installers now write an individual file for each certificate.
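     As an added example of the per-certificate layout that the fix for
     8106 adopts (this is not the FreeIPA installer's own code), the
     script below splits a PEM bundle into one file per certificate.
     Debian's update-ca-certificates picks up *.crt files from
     /usr/local/share/ca-certificates/ and treats each file as a single
     certificate; the output directory used here, the ipa-ca-<n>.crt file
     naming and the bundle contents are assumptions made for the
     demonstration, and the base64 bodies are placeholders rather than
     real certificates.

```python
"""Split a CA bundle into one PEM file per certificate.

Added example, not the FreeIPA installer's own code. Debian's
update-ca-certificates treats every *.crt file under
/usr/local/share/ca-certificates/ as exactly one certificate, so a
bundle has to be written out as individual files. The output directory,
the ipa-ca-<n>.crt naming scheme and the sample bundle are assumptions.
"""
import re
from pathlib import Path
from typing import List

# One PEM certificate block; DOTALL lets '.' span the base64 lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed bundle: the base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
# comment line of the kind some tools prepend to a bundle
-----BEGIN CERTIFICATE-----
MIIBcHJpbWFyeSBjYSBwbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBc3ViIGNhIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each certificate block, normalised to '\\n' line endings."""
    return [m.group(0).replace("\r\n", "\n") + "\n" for m in PEM_RE.finditer(bundle)]


def write_individual_certs(bundle: str, out_dir: Path, prefix: str = "ipa-ca") -> List[Path]:
    """Write one <prefix>-<n>.crt file per certificate and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, cert in enumerate(split_pem_bundle(bundle), start=1):
        path = out_dir / f"{prefix}-{n}.crt"
        path.write_text(cert)
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile
    # Write into a temporary directory so the demo does not touch the system trust store.
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_individual_certs(SAMPLE_BUNDLE, Path(tmp)):
            print(p.name, len(p.read_text()), "bytes")
```

     Anything outside the BEGIN/END markers (comments, blank lines) is
     dropped, which is also what makes the per-file output safe for a
     tool that expects exactly one certificate per file.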

* 8114: [RFE] Delegate group membership management

     It is now possible to associate group managers with the groups.
     Group managers have rights to add and remove members of the
     individual group rather than being administrators for every group.

* 8129: Tests: Replace paramiko with OpenSSH

     Paramiko is not compatible with FIPS mode, therefore most tests were
     converted to use ssh directly. The only non-converted test is the
     2-prompt OTP test, because sshpass does not support 2-prompt password
     authentication (https://pagure.io/freeipa/issue/8431).

* 8151: test_commands timing-out

     Re-enable test_sss_ssh_authorizedkeys; add -v to ssh in order to
     get debug information if this test fails or stalls again. The test
     was run 16 times without a failure before being re-enabled.

* 8189: Nightly test failure in
test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

     Previously, the ipa-client installation saved the pre-install state
     using the "authselect current" command and the uninstallation
     reverted to the same authselect state. In cases where the system was
     configured using authconfig instead of authselect, the uninstallation
     was unable to revert to the same state and picked the "sssd"
     authselect profile instead. Now the client installation relies on
     the backup functionality of authselect and is able to revert to the
     exact pre-install state.

* 8217: RFE: ipa-backup should compare locally and globally installed
server roles

     ipa-backup now checks whether the local replica's roles match those
     used in the cluster and exits with a warning if this is not the case,
     as backups taken on this host would not be sufficient for a proper
     restore. FreeIPA administrators are advised to double check whether
     the host on which backups are run has all the necessary (used) roles.

* 8222: Upgrade dojo.js

     The version of the dojo.js framework used by the FreeIPA Web UI was
     upgraded to 1.16.2.

* 8233: 4.8.5 master Installation error

     On Debian and ALT Linux, setup of the AJP connector restarted the
     Apache instance before it was configured. The restart wasn't actually
     needed and thus was removed.

* 8236: Enforce a check to prevent adding objects from IPA as external
members of external groups

     The 'ipa group-add-member' command allowed any user or group to be
     specified for the '--external' option. A stricter check was added to
     verify that a group or user to be added as an external member does
     not come from the IPA domain.

* 8239: Actualize Bootstrap version

     The Bootstrap JavaScript framework used by the FreeIPA Web UI was
     updated to version 3.4.1.

* 8241: Build fails on Fedora 30

     SELinux rules for ipa-custodia were merged into FreeIPA SELinux
     policy. The policy relied on an SELinux interface that is not
     available in Fedora 30. The logic was changed to allow better
     portability across SELinux versions.

* 8268: Prevent use of too long passwords

     Kerberos tools limit the password entered in kpasswd or kadmin to
     1024 characters but do not allow distinguishing between passwords
     cut off at 1024 characters and passwords of exactly 1024 characters.
     Thus, a limit of 1000 characters is now applied everywhere in
     FreeIPA.

* 8275: Support systemd-resolved

     FreeIPA DNS servers now detect systemd-resolved and configure it to
     pass queries through to the local IPA DNS server.

* 8276: Add default password policy for sysaccounts

     cn=sysaccounts,cn=etc now has a default password policy to permit
     system accounts with the krbPrincipalAux object class. This allows
     system accounts to have a keytab that does not expire. The "Default
     System Accounts Password Policy" has a minimum password length in
     case the password is modified directly via LDAP.

* 8284: Upgrade jQuery version to actual one

     The version of the jQuery framework used by the FreeIPA Web UI was
     updated to 3.4.1.

* 8289: ipa servicedelegationtarget-add-member does not allow to add
hosts as targets

     Service delegation rules and targets now allow hosts to be specified
     as a rule's or a target's member principal.

* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal
alias

     Memory handling in various FreeIPA KDC functions was improved,
     preventing potential crashes when looking up machine account aliases
     for Windows machines.

* 8301: The value of the first character in target* keywords is expected
to be a double quote

     389-ds 1.4 enforces the syntax for target* keywords (targetattr,
     targetfilter, etc.) to have double-quoted values. Otherwise an aci
     that contains unquoted parameters is ignored. Default FreeIPA access
     controls were fixed to follow the 389-ds syntax. Any third-party ACIs
     need to be updated manually.
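     Because an ACI that 389-ds 1.4 ignores is a silently missing access
     control rather than an error, it is worth checking third-party ACIs
     before upgrading. The script below is an added example (not code from
     389-ds or FreeIPA) of such a check: it scans the target-style clauses
     of an ACI, reports the ones whose value is not enclosed in double
     quotes, and can rewrite them. The set of keywords it recognises and
     the two sample ACIs are assumptions made for the demonstration; the
     samples are not FreeIPA's shipped ACIs.

```python
"""Check that target* keywords in an ACI carry double-quoted values.

Added example, not code from 389-ds or FreeIPA: a small scanner for the
syntax rule described above. It recognises the target-style keywords
(target, targetattr, targetfilter, targetscope, targetattrfilters,
target_to, target_from), reports the ones whose value is not enclosed in
double quotes, and can rewrite them. The sample ACIs are constructed for
the demonstration and are not FreeIPA's shipped ACIs.
"""
import re
from typing import Iterator, List, Tuple

TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targetscope",
                   "targetattrfilters", "target_to", "target_from"}

# Opening of a clause such as  (targetattr = ...   or  (targetfilter != ...
CLAUSE_HEAD = re.compile(r"\(\s*(target[a-z_]*)\s*(!?=)\s*", re.IGNORECASE)


def _read_value(aci: str, pos: int) -> Tuple[str, int]:
    """Read the clause value starting at pos.

    Returns (value, index just past the clause's closing parenthesis). A
    quoted value ends at the next double quote; an unquoted one may itself
    contain parentheses (an LDAP filter), so parentheses are balanced.
    """
    if aci[pos] == '"':
        end = aci.index('"', pos + 1)
        close = aci.index(")", end + 1)
        return aci[pos:end + 1], close + 1
    depth = 1
    for i in range(pos, len(aci)):
        if aci[i] == "(":
            depth += 1
        elif aci[i] == ")":
            depth -= 1
            if depth == 0:
                return aci[pos:i].strip(), i + 1
    raise ValueError("unterminated target clause in ACI")


def iter_target_clauses(aci: str) -> Iterator[Tuple[str, str, str, int, int]]:
    """Yield (keyword, operator, value, start, end) for each target* clause."""
    pos = 0
    while True:
        m = CLAUSE_HEAD.search(aci, pos)
        if m is None:
            return
        keyword, op = m.group(1), m.group(2)
        if keyword.lower() not in TARGET_KEYWORDS:
            pos = m.end()
            continue
        value, pos = _read_value(aci, m.end())
        yield keyword, op, value, m.start(), pos


def unquoted_targets(aci: str) -> List[Tuple[str, str]]:
    """(keyword, value) pairs that 389-ds 1.4 would reject, i.e. unquoted."""
    return [(kw.lower(), value)
            for kw, _op, value, _start, _end in iter_target_clauses(aci)
            if not value.startswith('"')]


def quote_targets(aci: str) -> str:
    """Return the ACI with every unquoted target* value wrapped in quotes."""
    out, last = [], 0
    for keyword, op, value, start, end in iter_target_clauses(aci):
        if not value.startswith('"'):
            value = f'"{value}"'
        out.append(aci[last:start])
        out.append(f"({keyword} {op} {value})")
        last = end
    out.append(aci[last:])
    return "".join(out)


# Constructed examples (not FreeIPA's shipped ACIs).
GOOD_ACI = ('(targetattr = "userPassword || krbPrincipalKey")'
            '(version 3.0; acl "Self service"; allow (write) userdn = "ldap:///self";)')
BAD_ACI = ('(targetfilter = (objectClass=ipaHost))(targetattr = userPassword)'
           '(version 3.0; acl "Example"; allow (write) '
           'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)')

if __name__ == "__main__":
    print("good:", unquoted_targets(GOOD_ACI))
    print("bad: ", unquoted_targets(BAD_ACI))
    print("fixed:", quote_targets(BAD_ACI))
```

     The scanner balances parentheses for unquoted values because a
     targetfilter value is itself an LDAP filter; a plain regular
     expression stopping at the first closing parenthesis would cut such
     a value short. Review the rewritten ACIs before loading them: the
     rewrite only adds quotes and does not validate the rest of the aci.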

* 8304: [fed32] client-install does not properly set
ChallengeResponseAuthentication yes in sshd conf

     The ipa-client installation now writes the sshd configuration to the
     drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf
     snippet, thus ensuring that the setting
     "ChallengeResponseAuthentication yes" takes precedence.

* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises
warnings

     389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP
     binds. FreeIPA now disables this feature because changing the
     password hash this way is not allowed by the internal plugins that
     synchronize password hashes between LDAP and Kerberos.

* 8322: [RFE] Changing default hostgroup is too easy

     In the Web UI a confirmation dialog was added to the automember
     configuration to prevent unintended modification of the default host
     group.

* 8325: [WebUI] Fix htmlPrefilter issue in jQuery

     CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and
     before 3.5.0, passing HTML from untrusted sources - even after
     sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
     .html(), .append(), and others) may execute untrusted code. FreeIPA
     does not allow arbitrary code to be passed into the affected jQuery
     path, but we applied the jQuery fix anyway.

* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain

     When users from trusted Active Directory domains have permissions to
     manage IPA resources, they can do so through a Web UI management
     console.

* 8348: Allow managed permissions with ldap:///self bind rule

     Managed permissions can now address self-service operations. This
     makes it possible for 3rd-party plugins to supply a full set of
     managed permissions.

* 8357: Allow managing IPA resources as a user from a trusted Active
Directory forest

     A 3rd-party plugin to provide management of IPA resources as users
     from trusted Active Directory domains was merged into FreeIPA core.
     ID user overrides can now be added to IPA management groups and
     roles and thus allow AD users to manage IPA.

* 8362: IPA: Ldap authentication failure due to Kerberos principal
expiration UTC timestamp

     LDAP authentication now handles Kerberos principal and password
     expiration times in the UTC time zone. Previously, the local server
     time zone was applied even though UTC was implied by the settings.
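     The following added example (not the EPN tool's code and not the
     FreeIPA LDAP plugin's code) shows the two points above in one place:
     parsing krbPasswordExpiration / krbPrincipalExpiration values, which
     are LDAP GeneralizedTime strings ending in 'Z' and therefore UTC, as
     timezone-aware UTC datetimes (the class of mistake 8362 fixed), and
     then using them the way EPN (3687) does to list users whose password
     expires within a day window. The directory entries and the window
     arguments, which mirror EPN's --from-nbdays/--to-nbdays options, are
     constructed for the demonstration.

```python
"""Kerberos/LDAP expiry timestamps, interpreted as UTC, and an EPN-style
expiring-password report built from them.

Added example, not the EPN tool's or the FreeIPA LDAP plugin's own code.
krbPasswordExpiration and krbPrincipalExpiration are stored as LDAP
GeneralizedTime with a trailing 'Z', i.e. UTC. The sample entries below
are constructed; the window parameters mirror EPN's --from-nbdays and
--to-nbdays options but the implementation is this example's own.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed entries: attribute values as an LDAP search would return them.
SAMPLE_USERS = [
    {"uid": "alice", "mail": "alice@example.test", "krbPasswordExpiration": "20201228120000Z"},
    {"uid": "bob",   "mail": "bob@example.test",   "krbPasswordExpiration": "20210115080000Z"},
    {"uid": "carol", "mail": "carol@example.test", "krbPasswordExpiration": "20201220000000Z"},
    {"uid": "svc1",  "mail": "",                   "krbPasswordExpiration": "20380119031407Z"},
]


def parse_generalized_time(value: str) -> datetime:
    """Parse 'YYYYMMDDHHMMSSZ' into a timezone-aware UTC datetime.

    strptime on its own returns a naive value; comparing that against a
    local 'now' applies the server's local zone, which is exactly the
    mistake ticket 8362 describes. Attaching tzinfo=timezone.utc makes
    every later comparison explicit.
    """
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC ('Z') GeneralizedTime, got {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_expired(value: str, now: datetime) -> bool:
    """True if the timestamp is at or before 'now' (an aware datetime)."""
    return parse_generalized_time(value) <= now


def expiring_users(users: Iterable[Dict[str, str]], now: datetime,
                   from_nbdays: int = 0, to_nbdays: int = 7) -> List[Dict[str, str]]:
    """Users whose password expires within [now + from_nbdays, now + to_nbdays)."""
    start = now + timedelta(days=from_nbdays)
    end = now + timedelta(days=to_nbdays)
    hits = []
    for user in users:
        expires = parse_generalized_time(user["krbPasswordExpiration"])
        if start <= expires < end:
            hits.append({"uid": user["uid"], "mail": user["mail"],
                         "expires": expires.isoformat()})
    return hits


if __name__ == "__main__":
    # Fixed 'now' (the announcement's send time) so the output is reproducible.
    now = datetime(2020, 12, 23, 15, 2, 52, tzinfo=timezone.utc)
    print(json.dumps(expiring_users(SAMPLE_USERS, now), indent=2))
```

     The report is computed at runtime from the current directory
     contents and nothing is persisted, matching the stateless design
     described for EPN; the JSON form is what a monitoring job would
     count to estimate the number of notifications for a day.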

* 8374: EPN does not ship its default configuration (/etc/ipa/epn.conf)
in freeipa-client-epn

     EPN did not ship any configuration file. This was an oversight, but
     the tool itself would work fine as it had sane defaults; moreover,
     the man page for the configuration file was present.

* 8391: Remove dnf workaround from test_epn.y

     The new PR-CI images are cleaner and do not need the *epn* packages
     to be uninstalled/reinstalled.

* 8401: Create platform definitions for freeipa-container

     ipaplatform now provides container platform flavors for
     freeipa/freeipa-container.

* 8404: Detect and fail if not enough memory is available for
installation

     FreeIPA server now requires at least 1.2 GiB RAM for installation to
     prevent performance degradation.

* 8432: test failure in
test_commands.py::TestIPACommand::test_login_wrong_password:
AssertionError

     Sometimes test_login_wrong_password fails because the log window in
     which the string message is searched for is too narrow. The window
     was broadened to look at the past 10 seconds.

* 8444: EPN: enhance input validation

     Various input validation checks were added to EPN.

* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down

     EPN now displays a proper message if the configured SMTP server
     cannot be contacted.

* 8449: EPN: enhance CLI option tests

     EPN: the existing tests for --dry-run, --from-nbdays and --to-nbdays
     were enhanced.

* 8488: SELinux blocks custodia key replication / retrieval for sub-CAs

     SELinux: make sure ipa_custodia_t has the necessary rights; add
     dedicated policy rules for ipa-pki-retrieve-key.

* 8490: It is not possible to edit KDC database when the FreeIPA server
is running

     The kadmin.local command 'getprincs' is now supported.

* 8493: Synchronize index LDIF and index update files

     Configuration of LDAP indices was moved into a single place. New
     indices were added to attributes related to trusted domains
     operations. Performance improvement is expected for Kerberos service
     tickets requested by users from trusted Active Directory domains.

* 8503: pkispawn logs files are empty

     On recent versions of Dogtag PKI, pkispawn does not create logs by
     default, making debugging failed IPA installs impossible. pkispawn
     is now invoked with --debug to restore the previous behavior.

* 8507: [WebUI] Backport jQuery patches from newer versions of the
library (e.g. 3.5.0)

     Support reproducible builds for the jQuery library.

* 8510: create_active_user and kinit_as_user should collect
kdcinfo.REALM on failure

     Sometimes, requesting a TGT after a password reset fails because
     SSSD seems to select different hosts for these two sequential tasks,
     leaving no time for replication to propagate the password hashes.
     Debug information was added to the test suites that exhibit the
     problem, and the kdcinfo file maintained by SSSD, which contains the
     IP of the KDC it should be pinned to, is now always displayed.

* 8530: Running ipa-server-install fails on machine where libsss_sudo is
not installed

     The FreeIPA client RPM now has a soft dependency on libsss_sudo and
     sudo itself.

* 8536: RFE: ipatests: run healthcheck on hidden replica

     ipatests: freeipa-healthcheck is now executed on each member of a
     cluster that contains a hidden replica.

=== Known Issues

* 8240: KRA install fails if all KRA members are Hidden Replicas

     If the first KRA instance is installed on a hidden replica, more KRA
     instances cannot be added to the cluster. As a workaround,
     temporarily make the hidden replica with the KRA role visible
     before adding more KRA instances. The previously-hidden replica can
     be hidden again as soon as ipa-kra-install is complete.

=== Bug fixes

FreeIPA 4.9.0 is the first stable release for the features delivered as
part of the 4.9 version series.

There are more than 370 bug-fixes since FreeIPA 4.8.10 release. Details
of the bug-fixes can be seen in the list of resolved tickets.

Due to the large size of the updates, please see all the details at
https://www.freeipa.org/page/Releases/4.9.0


== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.



-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



