[Freeipa-interest] FreeIPA 4.8.6 released
Alexander Bokovoy
abokovoy at redhat.com
Fri Mar 27 07:27:51 UTC 2020
The FreeIPA team would like to announce FreeIPA 4.8.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.8.6
* 5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added
to both IPA CLI and Web UI to prevent applying custom ID views to
avoid confusion and unintended side-effects.
* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory
is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt
non-Kerberos LDAP objects from checking Kerberos policy during
password changes by the Directory Manager or a password
synchronization manager. This issue affected, among others, an
integrated CA administrator account during deployment of more than
one replica in some cases.
* 8233: 4.8.5 master Installation error
On Debian and ALT Linux setup of AJP connector did restart Apache
instance before it was configured. The restart wasn't actually
needed and thus was removed.
* 8236: Enforce a check to prevent adding objects from IPA as external
members of external groups
Command 'ipa group-add-member' allowed to specify any user or group
for '--external' option. A stricter check is added to verify that a
group or user to be added as an external member does not come from
IPA domain.
* 8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to
version 3.4.1.
* 8241: Build fails on Fedora 30
SELinux rules for ipa-custodia were merged into FreeIPA SELinux
policy. The policy relied on an SELinux interface that is not
available in Fedora 30. The logic was changed to allow better
portability across SELinux versions.
=== Enhancements
=== Known Issues
* 8240: KRA install fails if all KRA members are Hidden Replicas
If the first KRA instance is installed on a hidden replica, more KRA
instances cannot be added to the cluster. As a workaround,
temporarily make the the hidden replica with the KRA role visible
before adding more KRA instances. The previously-hidden replica can
be hidden again as soon as ipa-kra-install is complete.
=== Bug fixes
FreeIPA 4.8.6 is a stabilization release for the features delivered as a
part of 4.8 version series.
There are more than 10 bug-fixes details of which can be seen in the
list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.
== Resolved tickets
* https://pagure.io/freeipa/issue/5662[#5662] ID Views: do not allow
custom Views for the masters
* https://pagure.io/freeipa/issue/6891[#6891] Move FreeIPA SELinux
policy from system policy to project policy
* https://pagure.io/freeipa/issue/7181[#7181] ipa-replica-prepare fails
for 2nd replica when passwordHistory is enabled
* https://pagure.io/freeipa/issue/7895[#7895] ipa trust fetch-domains,
server parameter ignored
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new
Fedora translation platform
* https://pagure.io/freeipa/issue/8193[#8193] Re-order
50-externalmembers.update to be after 80-schema_compat.update
* https://pagure.io/freeipa/issue/8228[#8228] Nightly failure in
backup/restore while calling 'id admin'
* https://pagure.io/freeipa/issue/8233[#8233] 4.8.5 master Installation
error
* https://pagure.io/freeipa/issue/8236[#8236] Enforce a check to prevent
adding objects from IPA as external members of external groups
* https://pagure.io/freeipa/issue/8239[#8239] Actualize Bootstrap
version
* https://pagure.io/freeipa/issue/8240[#8240] KRA install fails if all
KRA members are Hidden Replicas
* https://pagure.io/freeipa/issue/8241[#8241] Build fails on Fedora 30
== Detailed changelog since 4.8.5
=== Alexander Bokovoy (35)
* Become FreeIPA 4.8.6
https://pagure.io/freeipa/c/75d04b5e0e5709d98440209f803175242a52d119[commit]
* ipa-pwd-extop: don't check password policy for non-Kerberos account
set by DM or a passsync manager
https://pagure.io/freeipa/c/bcbf64b1bf287d2b0b23bc7ac0cca9e8b789ba4a[commit]
https://pagure.io/freeipa/issue/7181[#7181]
* ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN
https://pagure.io/freeipa/c/5bae736bc81eaa1167ec64a69a32506dad2ca286[commit]
https://pagure.io/freeipa/issue/7181[#7181]
* ipatests: test sysaccount password change with a password policy
applied
https://pagure.io/freeipa/c/313542e8a125c4904750826ef9eabdead7d874bd[commit]
https://pagure.io/freeipa/issue/7181[#7181]
* ipatests: allow changing sysaccount passwords as cn=Directory Manager
https://pagure.io/freeipa/c/f4dc10b8caac44f5c2a8edbb4c647e6dcf71c3bd[commit]
https://pagure.io/freeipa/issue/7181[#7181]
* Fix indentation levels
https://pagure.io/freeipa/c/c62b9e7f6ab0dec54540dc6cd389fe58f8858275[commit]
* ipatests: always skip additional input for group-add-member --external
https://pagure.io/freeipa/c/74f36e7c2f7f6d17b56e06b5f05205edb8a286d7[commit]
https://pagure.io/freeipa/issue/8236[#8236]
* po: update Chinese (China) translation
https://pagure.io/freeipa/c/c6adee04068ce946f8c9b8ad5db19721db13c602[commit]
* po: update Ukrainian translation
https://pagure.io/freeipa/c/855a36b6c093fd21af7cf87524acc5d297692de3[commit]
* po: update Tajik translation timestamp
https://pagure.io/freeipa/c/3d411cf29f29e1d391ed8f6eb159b88d450a332b[commit]
* po: update Slovak translation timestamp
https://pagure.io/freeipa/c/3c15e47a7c2212aab0ecdc320093bee2afa0bfdc[commit]
* po: update Russian translation
https://pagure.io/freeipa/c/db433fbe4e521d08dee2cdc2e65344d8203e03a4[commit]
* po: update Portuguese (Brazil) translation timestamp
https://pagure.io/freeipa/c/eab195ff3884b482279279326b3a84ced4723b7e[commit]
* po: update Portuguese translation timestamp
https://pagure.io/freeipa/c/31a9da8efa793d492352f646fc804b902beec088[commit]
* po: update Polish translation
https://pagure.io/freeipa/c/4e3867fcc49a8d2ff1085e630abd77666a06d838[commit]
* po: update Punjabi translation timestamp
https://pagure.io/freeipa/c/e4dfb7409bd25dc5bc2cc1e99562f912a98509f8[commit]
* po: update Dutch translation timestamp
https://pagure.io/freeipa/c/e7945284906998da0a798a1ff15a42dd3fdb96d9[commit]
* po: update Marathi translation timestamp
https://pagure.io/freeipa/c/28a963eed0f27c214543b02fc34e15182e6fcc04[commit]
* po: update Kannada translation timestamp
https://pagure.io/freeipa/c/89b048d1408834dde38321ac4f402083ebd30247[commit]
* po: update Japanese translation timestamp
https://pagure.io/freeipa/c/89dbf88abb108cad7f44f92b4e94e66f21746cd3[commit]
* po: update Indonesian translation timestamp
https://pagure.io/freeipa/c/124a563eb64d7f9a2190a13e9d68a7b608be2d22[commit]
* po: update Hungarian translation timestamp
https://pagure.io/freeipa/c/595d5062b9e770a946156f69df2fe522d4745d9e[commit]
* po: update Hindi translation timestamp
https://pagure.io/freeipa/c/c4dd8b226ae97011bcc0546209f8473fbcd75ab8[commit]
* po: update French translation
https://pagure.io/freeipa/c/a2ca393d35a1f34b2dbbd54c9c1d24b9f20960f0[commit]
* po: update Basque translation timestamp
https://pagure.io/freeipa/c/92fb5c5268b8b1b02b7a1d12b9a6417c893a18f1[commit]
* po: update Spanish translation
https://pagure.io/freeipa/c/7af52df7a8e54afe36649c5436fcfce759111751[commit]
* po: update English (United Kingdom) translation timestamp
https://pagure.io/freeipa/c/37a1e927a1f123b8b9fdbaf815003cb04726f72c[commit]
* po: update German translation
https://pagure.io/freeipa/c/0d053d8b1df33f5602ae0e154743f1d1dce2c72d[commit]
* po: update Czech translation timestamp
https://pagure.io/freeipa/c/c8ba436c0dad467bf12dec4d4f141916d0b3fbbd[commit]
* po: update Catalan translation timestamp
https://pagure.io/freeipa/c/29e3ade05c8bea23c07ed1a1b5612af01f924d2d[commit]
* po: update Bengali translation timestamp
https://pagure.io/freeipa/c/16d9556c6f3d19f73256d6698a7659f78961a378[commit]
* po: update ipa.pot template
https://pagure.io/freeipa/c/e23ba779d3aefd871e348b91e7b0fa003d97c96e[commit]
* Update translation infrastructure
https://pagure.io/freeipa/c/831f4dd320a93d01df6b06058c3ab618a98c9fd8[commit]
https://pagure.io/freeipa/issue/8159[#8159]
* Keep ipa.pot translation file in git for weblate
https://pagure.io/freeipa/c/9ff7b4a411d13ca148d2f53603dbcc812d92380a[commit]
https://pagure.io/freeipa/issue/8159[#8159]
* Prevent adding IPA objects as external members of external groups
https://pagure.io/freeipa/c/127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19[commit]
https://pagure.io/freeipa/issue/8236[#8236]
=== Christian Heimes (5)
* po: fix LINGUAS to use whitespace separation
https://pagure.io/freeipa/c/616ad399c99292542638e9e8f0995873e5c4f311[commit]
https://pagure.io/freeipa/issue/8159[#8159]
* SELinux: apache_manage_pid_files for F30
https://pagure.io/freeipa/c/f08ced1b25e14f91526c82610a8219ae8ed898a3[commit]
https://pagure.io/freeipa/issue/8241[#8241]
* Add pytest OpenSSH transport with password
https://pagure.io/freeipa/c/42aa86fadd7a7f2209e05291be9c76a8497998dd[commit]
* Move freeipa-selinux dependency to freeipa-common
https://pagure.io/freeipa/c/7d525ab4308060435808a311de55a76fb26a28c6[commit]
https://pagure.io/freeipa/issue/6891[#6891]
* Integrate ipa_custodia policy
https://pagure.io/freeipa/c/04cc0450125e3c9e989c3e769a25ba2f1f336060[commit]
https://pagure.io/freeipa/issue/6891[#6891]
=== François Cami (1)
* ipatests: test_replica_promotion.py: test KRA on Hidden Replica
https://pagure.io/freeipa/c/a692212e3bee36fbccba73ed21f7825381eeade4[commit]
https://pagure.io/freeipa/issue/8240[#8240]
=== Florence Blanc-Renaud (3)
* ipatests: wait for SSSD to become online in backup/restore tests
https://pagure.io/freeipa/c/ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3[commit]
https://pagure.io/freeipa/issue/8228[#8228]
* xmlrpc tests: add a test for idview-apply on a master
https://pagure.io/freeipa/c/c37a84628601d369f83546085b7e29be8fe11a59[commit]
https://pagure.io/freeipa/issue/5662[#5662]
* idviews: prevent applying to a master
https://pagure.io/freeipa/c/7905891341197cb90faf635cf93ce63ae7a7a38b[commit]
https://pagure.io/freeipa/issue/5662[#5662]
=== Mohammad Rizwan Yusuf (3)
* ipatests: Skip test using paramiko when FIPS is enabled
https://pagure.io/freeipa/c/45507c1e86b634507fdc21dbb88ea9edd43e4166[commit]
* Test if schema-compat-entry-attribute is set
https://pagure.io/freeipa/c/3f3fa403a944035cf5531939fe3a2e338da99612[commit]
https://pagure.io/freeipa/issue/8193[#8193]
* Test if schema-compat-entry-attribute is set
https://pagure.io/freeipa/c/210619a98f0d8a042a181bab5891bdd595aa5351[commit]
https://pagure.io/freeipa/issue/8193[#8193]
=== Rob Crittenden (4)
* Test that pwpolicy only applied on Kerberos entries
https://pagure.io/freeipa/c/b34063e700ac4c65b117705bafb0255c26bca060[commit]
* Add ability to change a user password as the Directory Manager
https://pagure.io/freeipa/c/840671b1cdc508ea86f8412e6423f00b8c3bf809[commit]
* Don't save password history on non-Kerberos accounts
https://pagure.io/freeipa/c/8b7bb96b327207284c8c0a45cf2979843482cf48[commit]
* Test that ipa-healthcheck human output translates error strings
https://pagure.io/freeipa/c/7974ac9f8c7969df85f689d94f5b30c18e661daa[commit]
=== Stanislav Levin (1)
* pki-proxy: Don't rely on running apache until it's configured
https://pagure.io/freeipa/c/24c6ea3c9f2df757b3d714044c16083716e377ca[commit]
https://pagure.io/freeipa/issue/8233[#8233]
=== Sergey Orlov (2)
* ipatests: provide AD admin password when trying to establish trust
https://pagure.io/freeipa/c/814b47e85c87bc3c80c91ebd0aa9085ac06b521e[commit]
https://pagure.io/freeipa/issue/7895[#7895]
* ipatests: remove test_ordering
https://pagure.io/freeipa/c/0e9b020db201ff5797f0dabff05c3fc16a9bf79a[commit]
=== Serhii Tsymbaliuk (1)
* Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1
https://pagure.io/freeipa/c/f1855dd51e1544a77f1b4a3d4c90f173c29fbed4[commit]
https://pagure.io/freeipa/issue/8239[#8239]
=== sumenon (1)
* ipatests: Added testcase to check logrotate is added for healthcheck
tool
https://pagure.io/freeipa/c/7d4687926e9866c378db8075dd7b55b3c40e71a9[commit]
=== Vit Mojzis (1)
* selinux: disable ipa_custodia when installing custom policy
https://pagure.io/freeipa/c/f99cfa1443dfa33422eb4a7613d3dd9e921ccacd[commit]
https://pagure.io/freeipa/issue/6891[#6891]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
More information about the Freeipa-interest
mailing list