[Freeipa-users] Announcing FreeIPA 4.0.4

Petr Vobornik pvoborni at redhat.com
Thu Oct 23 15:22:27 UTC 2014


The FreeIPA team would like to announce FreeIPA v4.0.4 bugfix release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds 
for Fedora 21 are available in the official COPR repository 
[https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.0/].

== Highlights in 4.0.4 ==
=== Enhancements ===
* Packages can be now built and installed on RHEL/CentOS 7.0
* ipa-replica-prepare now waits for the replica DNS record to be 
available to fix race conditions in automated test environments
* Port 8443 is now checked before server installation to prevent 
failures in configuring PKI which uses the port

=== Bug fixes ===
* Certmonger CAs are now set with correct path to ipa-submit which 
caused problems with new certificate submission
* Directory Server again returns basic RootDSE attributes by default - 
namingContexts, supportedControl, supportedExtension, 
supportedLDAPVersion, supportedSASLMechanisms, vendorName, vendorVersion
* "IPA OTP Last Token" plugin is now enabled also on upgraded FreeIPA 
servers before 4.0.0
* Better error message is provided if cert-request command fails for 
certificates with SAN
* PKI|CA certificate renewal script (ca_renewal_master) triggered by 
certmonger could fail
* sudorule-add-runasuser command now works with external users
* "IPA" CA is now properly selected for Web Service and Directory 
Service certificates

== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment 
(e.g. FedUp) which does not allow running the LDAP server during upgrade 
process, upgrade scripts need to be run manually after the first boot:

  # ipa-ldap-updater --upgrade
  # ipa-upgradeconfig

Also note that the performance improvements require an extended set of 
indexes to be configured. RPM update for an IPA server with a excessive 
number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks, not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.

== Detailed Changelog since 4.0.3 ==

=== Alexander Bokovoy (1) ===
* Default to use TLSv1.0 and TLSv1.1 on the IPA server side

=== David Kupka (5) ===
* Fix example usage in ipa man page.
* Check that port 8443 is available when installing PKI.
* Set IPA CA for freeipa certificates.
* Stop dogtag when updating its configuration in ipa-upgradeconfig.
* Fix typo causing certmonger is provided with wrong path to ipa-submit.

=== Gabe (1) ===
* Missing requires on python-dns in spec file

=== Jan Cholasta (9) ===
* Fix certmonger code causing the ca_renewal_master update plugin to fail
* Allow RPM upgrade from ipa-* packages
* Include ipaplatform in client-only build
* Include the ipa command in client-only build
* Remove misleading authorization error message in cert-request with --add
* Split off generic Red Hat-like platform code from Fedora platform code
* Add RHEL platform module
* Support building RPMs for RHEL/CentOS 7.0
* Do not check if port 8443 is available in step 2 of external CA install

=== Ludwig Krispenz (1) ===
* Ignore irrelevant subtrees in schema compat plugin

=== Martin Basti (2) ===
* dnszone-remove-permission should raise error
* Fix ipactl service ordering

=== Martin Kosek (2) ===
* Sudorule RunAsUser should work with external groups
* Remove changetype attribute from update plugin

=== Nathaniel McCallum (1) ===
* Configure IPA OTP Last Token plugin on upgrade

=== Petr Viktorin (4) ===
* test_permission_plugin: Check legacy permissions
* ipa-replica-prepare: Wait for the DNS entry to be resolvable
* test_forced_client_reenrollment: Don't check for host certificates
* sudo integration test: Remove the local user test

=== Petr Vobornik (4) ===
* webui-ci: case-insensitive record check
* dns: fix privileges' memberof during dns install
* build: increase java stack size for all arches
* Become IPA 4.0.4

=== Sumit Bose (1) ===
* ipa-kdb: fix unit tests

=== Tomas Babej (1) ===
* Set the default attributes for RootDSE
-- 
Petr Vobornik




More information about the Freeipa-users mailing list