[Freeipa-users] Announcing FreeIPA v3.1.0 Release

Tue Dec 11 18:04:37 UTC 2012

This appears to require dirsrv-1.3, which I assume is part of
389-base-devel. I don't see where 1.3 has been made available yet, or am I
missing something?

On Mon, Dec 10, 2012 at 1:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> The FreeIPA team is proud to announce version FreeIPA v3.1.0.
>
> It can be downloaded from http://www.freeipa.org/page/**Downloads<http://www.freeipa.org/page/Downloads>
> .
>
> A build will be submitted to updates-testing for Fedora 18 soon.
>
> == Highlights in 3.1.0 ==
>
> * A single 389-ds instance is used both for IPA identity data and for the
> dogtag CA server on new installs.
> * Support for Windows 2012 Server Trusts.
> * Verify that the IPA certificates are not tracked by certmonger after
> server uninstallation.
> * Enable 389-ds transactions.
> * If chronyd is running on a server disable it and replace it with ntpd by
> default.
> * Add new OCSP and CRL URIs to the IPA certificate profile for a new CNAME
> entry, ipa-ca.example.com.
> * Fix potential security error in cookie handling in ipa client tool,
> CVE-2012-5631.
>
> == Upgrading ==
>
> An IPA server can be upgraded simply by installing updated rpms. The
> server does not need to be shut down in advance.
>
> Please note, that the referential integrity extension requires an extended
> set of indexes to be configured. RPM update for an IPA server with a
> excessive number of hosts, SUDO or HBAC entries may require several minutes
> to finish.
>
> If you have multiple servers you may upgrade them one at a time. It is
> expected that all servers will be upgraded in a relatively short period
> (days or weeks not months). They should be able to co-exist peacefully but
> new features will not be available on old servers and enrolling a new
> client against an old server will result in the SSH keys not being uploaded.
>
> Downgrading a server once upgraded is not supported.
>
> Upgrading from 2.2.0 is supported. Upgrading from previous versions is not
> supported and has not been tested.
>
> Upgrading from a previous version will not consolidate the 389-ds
> instances. Only new installations get a unified 389-ds backend. Upgraded
> servers will retain both instances.
>
> An enrolled client does not need the new packages installed unless you
> want to re-enroll it. SSH keys for already installed clients are not
> uploaded, you will have to re-enroll the client or manually upload the keys.
>
> == Feedback ==
>
> Please provide comments, bugs and other feedback via the freeipa-devel
> mailing list: http://www.redhat.com/mailman/**listinfo/freeipa-devel<http://www.redhat.com/mailman/listinfo/freeipa-devel>
>
> == Detailed Changelog since 3.0.1 ==
>
> Ade Lee (1):
> * Changes to use a single database for dogtag and IPA
>
> Alexander Bokovoy (8):
> * ipa-kdb: Support Windows 2012 Server
> * Remove bogus check for smbpasswd
> * Warn about DNA plugin configuration when working with local ID ranges
> * Resolve external members from trusted domain via Global Catalog
> * Clarify trust-add help regarding multiple runs against the same domain
> * ipasam: better Kerberos error handling in ipasam
> * trusts: replace use of python-crypto by m2crypto
> * Propagate kinit errors with trust account
>
> Endi Sukma Dewata (1):
> * Configuring CA with ConfigParser.
>
> Jakub Hrozek (5):
> * ipa-client-automount: Add the autofs service if it doesn't exist yet
> * Make enabling the autofs service more robust
> * ipachangeconf: allow specifying non-default delimeter for options
> * Specify includedir in krb5.conf on new installs
> * Add the includedir to krb5.conf on upgrades
>
> Jan Cholasta (1):
> * Reword description of the --passsync option of ipa-replica-manage.
>
> John Dennis (2):
> * log dogtag errors
> * Compliant client side session cookie behavior
>
> Lubomir Rintel (1):
> * Drop unused readline import
>
> Martin Kosek (18):
> * Update SELinux policy for dogtag10
> * Bump 389-ds-base minimum in our spec file
> * Add OCSP and CRL URIs to certificates
> * Stop and disable conflicting time&date services
> * Create reverse zone in unattended mode
> * Add fallback for httpd restarts on sysV platforms
> * Report ipa-upgradeconfig errors during RPM upgrade
> * Avoid uninstalling dependencies during package lifetime
> * Remove servertrls and clientctrls options from rename_s
> * Use common encoding in modlist generation
> * Process relative nameserver DNS record correctly
> * Do not require resolvable nameserver in DNS install
> * Disable global forwarding per-zone
> * Prepare spec file for Fedora 18
> * Filter suffix in replication management tools
> * Change network configuration file
> * Improve ipa-replica-prepare error message
> * Fix sshd feature check
>
> Nikolai Kondrashov (1):
> * Add uninstall command hints to ipa-*-instal
>
> Petr Viktorin (12):
> * Fix schema replication from old masters
> * Use correct Dogtag configuration in get_pin and get_ca_certchain
> * Update certmap.conf on IPA upgrades
> * Properly stop tracking certificates on uninstall
> * Provide 'protocol' argument to IPAdmin
> * Make ipa-csreplica-manage work with both merged and non-merged DBs
> * Use DN objects for Dogtag configuration
> * ipautil.run: Log the command line before running the command
> * ipa-replica-install: Use configured IPA DNS servers in forward/reverse
> resolution check
> * Make sure the CA is running when starting services
> * Provide explicit user name for Dogtag installation scripts
> * Add Lubomir Rintel to Contributors.txt
>
> Petr Vobornik (7):
> * Simpler instructions to generate certificate
> * Fixed incorrect link to browser config after session expiration
> * Web UI: disable global forwarding per zone
> * WebUI: Change of default value of type of new group back to POSIX
> * Editable sshkey, mac address field after upgrade
> * Better licensing information of 3rd party code
> * Better error message for login of users from other realms
>
> Rob Crittenden (16):
> * Enable transactions by default, make password and modrdn TXN-aware
> * Become IPA 3.1.0
> * Password change in a transaction, ensure passwords are truly expired
> * Don't configure a reverse zone if not desired in interactive installer.
> * Fix requesting certificates that contain subject altnames.
> * Improve error messages in ipa-replica-manage.
> * Close connection after each request, avoid NSS shutdown problem.
> * The SECURE_NFS value needs to be lower-case yes on SysV systems.
> * After unininstall see if certmonger is still tracking any of our certs.
> * Wait for the directory server to come up when updating the agent
> certificate.
> * Set MLS/MCS for user_u context to what will be on remote systems.
> * Handle the case where there are no replicas with list-ruv
> * Honor the kdb options disabling KDC writes in ipa_lockout plugin
> * Only update the list of running services in the installer or ipactl.
> * Set min for selinux-policy to 3.11.1-60
> * Reorder XML-RPC initialization in ipa-join to avoid segfault.
>
> Simo Sorce (7):
> * Add support for using AES for cross-realm TGTs
> * Preserve original service_name in services
> * Save service name on service startup
> * Get list of service from LDAP only at startup
> * Revert "Save service name on service startup"
> * Save service name on service startup/shutdown
> * MS-PAC: Special case NFS services
>
> Sumit Bose (7):
> * Fix various issues found by Coverity
> * extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
> * Restart httpd if ipa-server-trust-ad is installed or updated
> * ipa-adtrust-install: allow to reset te NetBIOS domain name
> * Lookup the user SID in external group as well
> * Restart sssd after authconfig update
> * Do not recommend how to configure DNS in error message
>
> Tomas Babej (5):
> * Forbid overlapping primary and secondary rid ranges
> * Refactoring of default.conf man page
> * Make service naming in ipa-server-install consistent
> * IPA Server check in ipa-replica-manage
> * Add detection for users from trusted/invalid realms
>
> ______________________________**_________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>

-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20121211/af7ea6ec/attachment.htm>