FreeIPA version 2.0.

Posted on by

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
version 2.0.

FreeIPA is an integrated security information management solution
combining Linux (Fedora), 389 Directory Server, MIT Kerberos and NTP.
FreeIPA binds together a number of technologies and adds a web interface
and command-line administration tools.

(Cross Posted from the FreeIPA mailing list)

Features of FreeIPA v2.0 include:
* Centralized authentication via Kerberos or LDAP
* Identity management for users, groups, hosts and services
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Web-based User Interface
* Server X.509 v3 certificate provisioning capabilities
* Managing host identities including grouping hosts
* Defining host-based access control rules that will be enforced
on the client side by the IPA back end for SSSD [1]
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Centrally-managed SUDO
* Automatic management of private groups
* Compatibility with broad set of clients
* Painless password migration
* Optional integrated DNS server managed by IPA
* Optional integrated Certificate Authority to manage server certificates managed by IPA
* Can act as NIS server for legacy systems
* Supports multi-server deployment based on the multi-master replication
* User and group replication with MS Active Directory

We encourage users and developers to start testing and deploying FreeIPA in their environments. A very simple installation procedure is provided and is part of the effort of making these complex technologies simple to use and friendly to administrators. We encourage people to experiment and evaluate the current release, we welcome feedback on the overall experience and bug reports [2].

We also would like to encourage interested users and developers to join our mailing list and discuss features and development directions [3].

The complete source code[4] is available for download here:
http://www.freeipa.org/page/Downloads

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ for a complete changelog.

FreeIPA 2.0 is available in Fedora 15, see Known Issues below. You will need to enable the updates-testing repository, e.g.

# yum install freeipa-server –enablerepo=updates-testing

Have Fun!

The FreeIPA Project Team.

[1] https://fedorahosted.org/sssd/
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora (component is ipa)
[3] http://freeipa.org/page/Contribute

Known Issues

* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
* If the domain and realm do not match you may need to use the –force flag with ipa-client-install.
* Dogtag replication is done separately from IPA replication. The ipa-replica-manage tool does not currently operate on dogtag replication agreements.
* The OCSP URL encoded in dogtag certificates is by default the CA machine that issued the certificate.

Detailed Changlog since FreeIPA v2.0.0 rc3

Adam Young (1):
* pwpolicy priority Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.

Endi S. Dewata (1):
* Removed nested role from UI.

Martin Kosek (2):
* Wait for Directory Server ports to open
* Prevent stacktrace when DNS AAAA record is added

Pavel Zuna (1):
* Update translation file (ipa.pot).

Rob Crittenden (4):
* Always consider domain and server when doing DNS discovery in client.
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
* Ensure that the system hostname is lower-case.
* Automatically update IPA LDAP on rpm upgrades

Simo Sorce (1):
* Domain to Realm Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
* Fix uninitialized variable.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

6 thoughts on “FreeIPA version 2.0.

  1. Great project !

    I have tested Free IPA on F-15 nonetheless I had some little problems to make it works. e.g. : with the firefox version provided in F-15.
    After all, F-15 is still in Alpha.

    In addition, as I did not have so much time, I did not investigate deeply.

    Nonetheless, the web interface is much better than Free IPA v1.x

    As soon as F-15 is officially released, I will retry it.

    Thanks for your great job and your time.

    BR
    Frederic 😉

  2. Thanks for the endorsement! Ia am very proud of this release, and have really enjoyed working with the FreeIPA team.

    What did you find wrong? We know of no FF specific issues, on F15 or else where. Please provide details, and I can either work through the issue or get a ticket filed and working on fixes.

  3. I installed Free IPA on Fedora 15 beta. I cannot access web admin as Firefox just keeps me asking to run “kinit” or running Firefox config for first use. I have accepted all certificates and did allow configure script to run in Firefox. It just won’t work, I cannot access web admin interface.

  4. Tomi, FreeIPA depends on Kerberos authentication to work. Unfortunately there integration between the OS layer and the browser is not as tight as it should be. Assuming you install FreeIPA with an admin password of ‘freeipa4all’ then, in a command prompt, run ‘echo freeipa4all | kinit admin’ and refresh the browser.

  5. I got the same problem as Tomi, and also tried Adam’s suggestion, but it won’t work.
    Firefox still says kerberos ticket no longer valid.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.