Cross posted from the FreeIPA mailing lists:
The FreeIPA Project is proud to announce the latest release of FreeIPA. As always, the latest tarball can be found at http://freeipa.org/
FreeIPA 2.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.
== Highlights ==
* General client and server installation improvements. Server installation is significantly faster.
* Improved support for IPv6.
* General UI improvements related to navigation and work flow.
* Added UI for automount.
* A Host-based Access Control (HBAC) test tool
* Deprecation of HBAC deny rules
* A CA is no longer required on every replica and may be added post-install to a replica (see ipa-ca-install).
* A new replication tool for dogtag has been added (ipa-cs-manage). This allows you to control the replication topology of your CA.
== Upgrading ==
=== Server ===
To upgrade a 2.0.0 or 2.0.1 server do the following:
# yum update freeipa-server --enablerepo=updates-testing
This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue, so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang, kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:
# service dirsrv start
=== Client ===
The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.
== Detailed Changelog ==
Adam Young (62):
* Fixed labels for sudo and hbac rules
* update metadata with label changes
* define entities using builder and more declarative syntax
* default all false no longer default to all: true for searches, only specify it for user searches
* code review fixes
* make use of new user-find columns.
* fix JSL error
* Upgrade to jquery 1.5.2
* action panel to top tabs
* remove jquery-cookie library
* update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call
* whitespace and -x removal
* create entities on demand. fixed changes from code review
* automount UI
* redirect on show error.
* redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.
* automount delete key indirect automount maps
* scrollable content areas
* dialog scrolling table
* JSON marshalling list
* dns multiple records show multiple records that share the same dnsname
* no redirect on search
* test for dirty
* test dirty textarea runs the testdirty check before setting the undo tag for a textarea
* test dirty multivalue test the multivalue widgets for changes before showing the undo link.
* test dirty onchange
* entity select widget for manager
* hide automount tabs.
* service host entity select Use the entity select widget for add service
* entity select undo
* no redirect on unknown error If the error name is indicates a server wide error, do not attempt to redirect.
* editable entity_select
* ipaddress for host add
* entity select for password policy
* tooltips for host add
* automountkey details
* identify target as section for permissions
* optional uid
* validate required fields
* Generate record type list from metadata
* containing entity pkeys
* undefined pkeys
* config fields
* config widgets entity select default group checkbox for migration
* entity link for password policy
* validate ints
* password expiration label
* HBAC deny warning
* check required on add
* clear errors on reset
* indirect admins
* entity_select naming
* remove HBAC warning from static UI
* dnsrecord-mod ui
* no dns
* remove hardcoded DNS label for record name.
* move dns to identity tab
* removing setters setup and init
* dns section header i18n.
* use other_entity for adder columns
Alexander Bokovoy (10):
* Convert Bool to TRUE/FALSE when working with LDAP backend
* Minor typos in the examples
* Convert nsaccountlock to always work as bool towards Python code
* Rearrange logging for NSCD daemon.
* Fix sssd.conf to always have IPA certificate for the domain.
* Add hbactest command.
* Modify /etc/sysconfig/network on a client when IPA manages hostname
* Make proper LDAP configuration reporting for ipa-client-install
* Ensure network configuration file has proper permissions
* Pass empty options as empty arrays for supported dns record types.
Endi S. Dewata (114):
* Fixed undefined label in permission adder dialog box.
* Initial Selenium test cases.
* Added functional test runner.
* Refactored action panel and client area.
* Refactored builder interface.
* Refactored search facet.
* Updated Selenium tests.
* Merged IPA.cmd() into IPA.command().
* Entitlement registration.
* Entitlement import.
* Entitlement download.
* Moved adder dialog box into entity.
* Standardized action panel buttons creation.
* Entitlement quantity validation.
* Refactored navigation.
* Use entity names for tab state.
* Moved entity contents outside navigation.
* Added facet container.
* Fixed self-service UI.
* Updated Selenium tests.
* Updated Selenium tests.
* Updated DNS interface.
* Added Selenium tests for DNS.
* Added UUID field for entitlement registration.
* Added Self-Service and Delegation tests.
* Customizable facet groups.
* Read-only association facet.
* jQuery ordered map.
* Fixed problem disabling HBAC and SUDO rules.
* Fixed Ajax error handling.
* Fixed details tests.
* Fixed adder dialog title.
* Fixed Add and Edit without primary key.
* Fixed Selenium tests.
* Fixed URL parameter parsing.
* Added Update and Reset buttons into Dirty dialog.
* Fixed problem deleting value in text field.
* Added pagination for associations.
* Fixed pagination problem.
* Temporary fix for indirect member tabs.
* Fixed blank dialog box on internal error.
* Fixed resizing issues.
* Added selectable option for table widget.
* Entitlement status.
* Fixed tab navigation.
* Fixed build break.
* Fixed paging for indirect members.
* Renamed associate.js to association.js.
* Fixed self-service links.
* Merged direct and indirect association facets
* Storing page number in URL.
* Removed FreeWay font files.
* Fixed problem with navigation tabs on reload.
* Converted entity header into facet header.
* Added navigation breadcrumb.
* Added record count into association facet tabs.
* Added singular entity labels.
* Fixed entity labels.
* Fixed DNS records page title.
* Fixed undo all problem.
* Removed unused images.
* Fixed hard-coded messages.
* Added confirmation dialog for user activation.
* Fixed button style in Entitlements
* Removed invalid associations.
* Added arrow icons for details sections.
* Fixed object_name usage.
* Fixed HBAC/Sudo rules associations.
* Fixed blank self-service page.
* Fixed dirty dialog problems in HBAC/Sudo rules.
* Fixed test fixture file name.
* Fixed missing entitlement import button label
* Added sudo options.
* Fixed collapsed table in Chrome.
* Fixed object_name and object_name_plural internationalization
* Fixed label capitalization
* Entity select widget improvements
* Removed reverse zones from host adder dialog.
* Fixed host details fields.
* Added checkbox to remove hosts from DNS.
* Creating reverse zones from IP address.
* Removed entitlement registration UUID field.
* Fixed problem loading data in HBAC/sudo details page.
* Removed HBAC access time code.
* Removed custom layouts using HTML templates.
* Refactored IPA.current_facet().
* Fixed problem with navigation state loading.
* Fixed navigation problems.
* Fixed navigation unit test.
* Fixed click handlers on certificate buttons.
* New icons for entitlement buttons
* Fixed problem bookmarking Policy/IPA Server tabs
* Fixed problem setting host OTP.
* Fixed hard-coded labels in sudo rules.
* Fixed hard-coded label in Find button.
* Fixed missing section header in sudo command group.
* Fixed problem unprovisioning service.
* Fixed missing memberof definition in HBAC service.
* Added association facets for HBAC and sudo.
* Fixed certificate buttons.
* Fixed missing icons.
* Fixed misaligned search icon.
* Resizable adder dialog box.
* Linked entries in HBAC/sudo details page.
* Fixed 3rd level tab style.
* Fixed facet group labels.
* Fixed error after login on IE
* Fixed host adder dialog.
* Fixed DNS zone adder dialog.
* Fixed broken links in ipa_error.css and ipa_migration.css.
* Fixed problem clicking 3rd level tabs.
* Fixed link style in dialog box.
* Fixed problem with buttons in enrollment dialog.
Jakub Hrozek (1):
* Remove wrong kpasswd sysconfig
Jan Cholasta (34):
* Fix wording of error message.
* Add note about ipa-dns-install to ipa-server-install man page.
* Fix typo in ipa-server-install.
* Fix uninitialized variables.
* Fix double definition of output_for_cli.
* Add lint script for static code analysis.
* Fix lint false positives.
* Remove unused classes.
* Fix some minor issues uncovered by pylint.
* Fix uninitialized attributes.
* Run lint during each build.
* Several improvements of the lint script.
* Fix issues found by Coverity.
* Fix regressions introduced by pylint false positive fixes.
* Assume ipa help for plugins.
* Parse netmasks in IP addresses passed to server install.
* Honor netmask in DNS reverse zone setup.
* Do stricter checking of IP addressed passed to server install.
* Fix directory manager password validation in ipa-nis-manage.
* Improve IP address handling in the host-add command.
* Verify that the hostname is fully-qualified before accessing the service information in ipactl.
* Remove redundant configuration values from krb5.conf.
* Replace the ‘private’ option in netgroup-find with ‘managed’.
* Configure SSSD to store user password if offline.
* Fix creation of reverse DNS zones.
* Add ability to specify DNS reverse zone name by IP network address.
* Fix exit status of ipa-nis-manage enable.
* Update minimum required version of python-netaddr.
* Clean up of IP address checks in install scripts.
* Don’t delete NIS netgroup compat suffix on ‘ipa-nis-manage disable’.
* Fix ipa-compat-manage not working after recent ipa-nis-manage change.
* Make sure that hostname specified by user is not an IP address.
* Fix external CA install.
* Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.
John Dennis (9):
* Module for DN objects plus unit test
* assert_deepequal supports callback for equality testing
* Add backslash escape support for cvs reader
* Use DN class in get_primary_key_from_dn to return decoded value
* Update test_role_plugin test to include a comma in a privilege
* Ticket 1485 – DN pairwise grouping
* Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
* Clean up existing DN object usage
* transifex translation adjustment
Jr Aquino (15):
* Escape LDAP characters in member and memberof searches
* Add memberHost and memberUser to default indexes
* Optimize and dynamically verify group membership
* Delete the sudoers entry when disabling Schema Compat
* Return copy of config from ipa_get_config()
* Typo in host_nis_groups has been creating 2 CN’s
* Add sudorule and hbacrule to memberof and indirectmemberof attributes
* Display remaining external hosts when removing from sudorule
* Raise DuplicateEntry Error when adding a duplicate sudo option
* Don’t add empty tuple to entry_attrs[‘externalhost’]
* oneliner correct typo in ipasudorunas_group
* Return correct “RunAs External Group” when removing members
* remove escapes from the cvs parser in ipaserver/install/ldapupdate
* Correct behavior for sudorunasgroup vs sudorunasuser
* Correct sudo runasuser and runasgroup attributes in schema
Martin Kosek (68):
* Inconsistent error message for duplicate user
* Replica installation fails for self-signed server
* Remove doc from API.txt
* Revert “Remove doc from API.txt”
* Password policy commands do not include cospriority
* Improve DNS PTR record validation
* Remove unwanted trimming in text fields
* Need force option in DNS zone adder dialog
* IPA replica is not started after the reboot
* Improve Directory Service open port checker
* Log temporary files in ipa-client-install
* Prevent uninstalling client on the IPA server
* pwpolicy-mod doesn’t accept old attribute values
* Forbid reinstallation in ipa-client-install
* ipa-client-install uninstall does not work on IPA server
* LDAP Updater may crash IPA installer
* NS records not updated by replica
* Bad return values for ipa-rmkeytab command
* Update spec with missing BuildRequires for pylint check
* Let selinux-policy handle port 7390
* Limit passwd plugin to user container
* Consolidate man pages and IPA tools help
* Remove doc from API.txt
* Improve service manipulation in client install
* Running ipa-replica-manage as non-root cause errors
* KDC autodiscovery may fail when domain is not realm
* A new flag to disable creation of UPG
* Fix reverse zone creation in ipa-replica-prepare
* Improve interactive mode for DNS plugin
* Localization fails for MaxArgumentError
* Fix forward zone creation in ipa-replica-prepare
* Connection check program for replica installation
* Fix support for nss-pam-ldapd
* Skip know_host check for ipa-replica-conncheck
* IPA installation with --no-host-dns fails
* Handle LDAP search references
* Add ignore lists to migrate-ds command
* Improve DNS zone creation
* Add a list of managed hosts
* Missing krbprincipalname when uid is not set
* Add port 9443 to replica port checking
* Fix doc for sudorule runasuser commands
* Improve IP address handling in IPA option parser
* Multi-process build problems
* DNS installation fails when domain and host domain mismatch
* Fix IPA install for secure umask
* Allow recursion by default
* Add DNS record modification command
* Filter reverse zones in dnszone-find
* Remove sensitive information from logs
* Fix ipa-dns-install
* Fix self-signed replica installation
* Check IPA configuration in install tools
* Add new dnszone-find test
* Fix typo in ipa-replica-prepare
* Improve long integer type validation
* Fix sudorule-remove-user
* Add missing automount summaries
* Fix man page ipa-csreplica-manage
* Fix automountkey commands summary
* Fix invalid issuer in unit tests
* Hide continue option from automountkey-del
* Improve error message in ipactl
* Improve dnszone-add error message
* Fix idnsUpdatePolicy for reverse zone record
* Fix client enrollment
* Update 389-ds-base version
* Update pki-ca version
Nalin Dahyabhai (1):
* Select a server with a CA on it when submitting signing requests.
Pavel Zuna (1):
* Fix gidnumber option of user-add command.
Petr Vobornik (3):
* fixed empty dns record update
* Fixed adding host without DNS reverse zone
* Redirection after changing browser configuration
Rich Megginson (3):
* winsync enables disabled users in AD
* modify user deleted in AD crashes winsync
* memory leak in ipa_winsync_get_new_ds_user_dn_cb
Rob Crittenden (90):
* Allow a client to enroll using principal when the host has a OTP
* Make retrieval of the CA during DNS discovery non-fatal.
* Cache the value of get_ipa_config() in the request context.
* Change default gecos from uid to first and last name.
* Fix ORDERING in some attributetypes and remove other unnecessary elements.
* postalCode should be a string not an integer.
* Fix traceback in ipa-nis-manage.
* Suppress --on-master from ipa-client-install command-line and man page.
* Sort entries returned by *-find by the primary key (if any).
* The default groups we create should have ipaUniqueId set
* Always ask members in LDAP*ReverseMember commands.
* Provide attributelevelrights for the aci components in permission_show.
* Wait for memberof task and DS to start before proceeding in installation.
* Convert manager from userid to dn for storage and back for displaying.
* Modify the default attributes shown in user-find to match the UI design.
* Ensure that the zonemgr passed to the installer conforms to IA5String.
* Handle principal not found errors when converting replication agreements
* Bump version to 2.0.90 to distinguish between 2.0.x
* Properly handle --no-reverse being passed on the CLI in interactive mode
* Update min nvr for selinux-policy and pki-ca for F-15+
* Test for forwarded Kerberos credentials cache in wsgi code.
* Properly configure nsswitch.conf when using the --no-sssd option.
* Enable 389-ds SSL host checking by default
* Configure Managed Entries on replicas.
* Document that deleting and re-adding a replica requires a dirsrv restart.
* Fix migration to work between v2 servers and remove search/size limits.
* Add option to limit the attributes allowed in an entry.
* Include the word ‘member’ with autogenerated optional member labels.
* Do a lazy retrieval of the LDAP schema rather than at module load.
* Add UID, GID and e-mail to the user default attributes.
* Fix external CA installation
* Remove root autobind search restriction, fix upgrade logging & error handling
* Support initializing memberof during replication re-init using GSSAPI
* Do better detection on status of CA DS instance when installing.
* Fix indirect member calculation
* Remove automountinformation as part of the DN for automount.
* Don’t let a JSON error get lost in cascading errors.
* Add message output summary to sudorule del, mod and find.
* Return an error message when revocation reason 7 is used
* Require an imported certificate’s issuer to match our issuer.
* On a master configure sssd to only talk to the local master.
* The IP address provided to ipa-server-install must be local
* Do lazy LDAP schema retrieval in json handler.
* Make data type of certificates more obvious/predictable internally.
* Update translation files
* Let the framework be able to override the hostname.
* Make dogtag an optional (and default un-) installed component in a replica.
* Slight performance improvement by not doing some checking in production mode
* Set the client auth callback after creating the SSL connection.
* Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list
* Enforce class rules when query=True, continue to not run validators.
* find_entry_by_attr() should fail if multiple entries are found
* Fix error in AttrValueNotFound exception example
* Fix test failure in updater when adding values to a single-value attr
* Reset failed login count to 0 when admin resets password.
* Disallow direct modifications to enrolledBy.
* Document registering to an entitlement server with a UUID as not implemented.
* In sudo labels we should use RunAs and not Run As.
* Remove the ability to create new HBAC deny rules.
* Validate that the certificate subject base is in valid DN format.
* Use information from the certificate subject when setting the NSS nickname.
* Create tool to manage dogtag replication agreements
* Fix failing tests due to object name changes
* Set nickname of the RA to ‘IPA RA’ to avoid confusion with dogtag RA
* Set the ipa-modrdn plugin precedence to 60 so it runs last
* Generate a database password by default in all cases.
* Specify the package name when the replication plugin is missing.
* Change client enrollment principal prompt to hopefully be clearer.
* Optionally wait for 389-ds postop plugins to complete
* A removed external host is shown in output when removing external hosts.
* Don’t set krbLastPwdChange when setting a host OTP password.
* Fix regression when calculating external groups.
* With the external user/group management fixed, correct the unit tests.
* Set a default minimum value for class Int, handle long values better.
* Make ipa-client-install error messages more understandable and relevant.
* Add Alexander Bokovoy and Jan Cholasta to contributors file
* Only call entry_from_entry() after waiting for the new entry.
* Hide the HBAC access type attribute now that deny is deprecated.
* Autofill the default revocation reason
* Don’t check for leading/trailing spaces in a File parameter
* Add an arch-specific Requires on cyrus-sasl-gssapi
* Revert use of ‘can be at least’ to ‘must be at least’ in minvalue validator
* Don’t leave dangling map if adding an indirect map fails
* Fix message in test case for checking minimum values
* When setting a host password don’t set krbPasswordExpiration.
* Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
* Deprecated managing users and runas user/group in sudorule add/mod
* Fix date order in changelog.
* Re-arrange CA configuration code to reduce the number of restarts.
Simo Sorce (4):
* Fix resource leaks.
* ipautil: Preserve environment unless explicitly overridden by caller.
* install-scripts: avoid using --list with chkconfig
* Don’t set the password expiration to the current time
Yuri Chornoivan (1):
* Typos in freeIPA messages and man page
Kyle Baker (5):
* Background images and tab hover
* Search bar style and positioning changes
* List page spacing changes
* Tab and spacing on list
* Facet icon swap and tab sizing