The FreeIPA team would like to announce FreeIPA 4.8.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.8.7
* 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool that builds a list of users whose passwords will expire in the near future and either displays the list in a machine-readable (JSON) format or sends email notifications to those users. EPN provides command-line options to display the list of affected users; this gives data introspection and helps understand how many emails would be sent for a given day or date range. The same options can be used by a monitoring system to alert whenever the number of emails to be sent would exceed the SMTP quota. EPN is meant to be launched once a day from a systemd timer on an IPA client (preferred) or replica. EPN does not keep state: the list of affected users is built at runtime and never stored.
* 3827: [RFE] Expose TTL in web UI
DNS record time-to-live (TTL) parameters can now be edited in the Web UI.
* 6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected host groups ('ipaservers') cannot be renamed.
* 7577: [RFE] DNS package check should be called earlier in installation routine
The ``--setup-dns`` option and the interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting the actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid 'principal'.
When deleting services, the exact name of the required system principal that could not be deleted is now reported.
* 8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms, update-ca-certificates does not support multiple certificates in a single file. IPA installers now write one file per certificate on Debian-based platforms.
* 8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if they do not, because a backup taken on such a host would not be sufficient for a proper restore. FreeIPA administrators are advised to double-check that the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
The version of the dojo.js framework used by the FreeIPA Web UI was upgraded to 1.16.2.
* 8268: Prevent use of too long passwords
Kerberos tools limit the password entered in kpasswd or kadmin to 1024 characters but do not distinguish between a password that was cut off at 1024 characters and a password that is exactly 1024 characters long. To stay clear of this ambiguity, a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy that permits system accounts with the krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is modified directly over LDAP.
* 8284: Upgrade jQuery version to actual one
The version of the jQuery framework used by the FreeIPA Web UI was updated to 3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
Service delegation rules and targets now allow hosts to be specified as a rule's or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.
* 8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces the syntax for target* keywords (targetattr, targetfilter, etc.): their values must be quoted. Otherwise the ACI that contains the unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs need to be updated manually.
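A quick way to find the third-party ACIs that need a manual update, as an added example that is not FreeIPA's own code: it scans ACI values for any target* keyword whose value does not begin with a double quote, which is exactly what 389-ds 1.4 rejects. The sample ACIs are constructed, not FreeIPA's defaults.

```python
import re

# Constructed sample ACIs (not FreeIPA's real default access controls).
# The first and third use unquoted target* values, which 389-ds 1.4 ignores.
SAMPLE_ACIS = [
    '(targetattr = userPassword || krbPrincipalKey)'
    '(version 3.0; acl "Self write password"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "userPassword || krbPrincipalKey")'
    '(version 3.0; acl "Self write password"; allow (write) userdn = "ldap:///self";)',
    '(targetfilter = (objectClass=ipaHost))(targetattr = "description")'
    '(version 3.0; acl "Read host description"; allow (read) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)',
]

# Matches an opening parenthesis, any target* keyword (targetattr, targetfilter,
# target, targetscope, ...), an "=" or "!=" operator, and captures the first
# non-space character of the value so we can check whether it is a quote.
_TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(?:!=|=)\s*(\S)')


def unquoted_target_keywords(aci):
    """Return the target* keywords in `aci` whose value is not quoted."""
    return [kw for kw, first in _TARGET_RE.findall(aci) if first != '"']


def find_broken_acis(acis):
    """Return (index, keywords) for every ACI that 389-ds 1.4 would ignore."""
    broken = []
    for i, aci in enumerate(acis):
        bad = unquoted_target_keywords(aci)
        if bad:
            broken.append((i, bad))
    return broken


if __name__ == "__main__":
    for i, bad in find_broken_acis(SAMPLE_ACIS):
        print(f"ACI #{i} has unquoted value(s) for: {', '.join(bad)}")
```

In practice the input would be the aci attribute values exported from the directory (for example with ldapsearch), one string per value.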
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
389-ds 1.4.1.6 introduced an automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing the password hash is not allowed by the internal FreeIPA plugins that synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
In the Web UI, a confirmation dialog was added to the automember configuration to prevent unintended modification of the default host group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not allow arbitrary code to be passed into the affected jQuery code path, but the jQuery fix was applied anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can now do so through the Web UI management console.
* 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This makes it possible for third-party plugins to supply a full set of managed permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A third-party plugin providing management of IPA resources by users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles, thus allowing AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password expiration times in the UTC time zone. Previously, the local server time zone was applied even though UTC was implied in the settings.
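The two places this release touches expiration timestamps, the UTC handling behind #8362 and the EPN-style "who expires in this window" list from #3687, come down to the same rule: parse the LDAP generalized-time value as a timezone-aware UTC datetime and compare it only against aware datetimes. The following is an added example, not EPN's or the LDAP plugin's code; the user entries are constructed, while krbPasswordExpiration is the real Kerberos schema attribute.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample entries. krbPasswordExpiration is LDAP generalized time,
# which FreeIPA always writes with a trailing "Z", i.e. in UTC.
SAMPLE_USERS = [
    {"uid": "alice", "mail": "alice@example.test", "krbPasswordExpiration": "20200615083000Z"},
    {"uid": "bob", "mail": "bob@example.test", "krbPasswordExpiration": "20200701000000Z"},
    {"uid": "carol", "mail": "carol@example.test", "krbPasswordExpiration": "20200610000000Z"},
    {"uid": "svc", "mail": "svc@example.test"},  # no expiration set at all
]


def parse_generalized_time(value):
    """Parse "YYYYMMDDHHMMSSZ" as a timezone-aware UTC datetime.

    Returning a naive datetime here is the class of bug fixed in #8362: a naive
    value is implicitly compared in the server's local zone, so the account
    expires too early or too late by the local UTC offset."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_expired(entry, now):
    """Authentication-time check: True only if an expiration is set and passed."""
    exp = entry.get("krbPasswordExpiration")
    return exp is not None and parse_generalized_time(exp) <= now


def expiring_between(users, start, days):
    """EPN-style list of users whose password expires in [start, start + days)."""
    end = start + timedelta(days=days)
    out = []
    for user in users:
        exp = user.get("krbPasswordExpiration")
        if exp is None:
            continue  # never expires; nothing to notify about
        when = parse_generalized_time(exp)
        if start <= when < end:
            out.append({"uid": user["uid"], "mail": user["mail"],
                        "expires": when.isoformat()})
    return out


def report_json(users, start, days):
    """Machine-readable output, the shape a monitoring job would consume."""
    return json.dumps(expiring_between(users, start, days), indent=2)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(report_json(SAMPLE_USERS, now, 7))
```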
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.8.7 is a stabilization release for the features delivered as a part of 4.8 version series.
There are more than 70 bug fixes; details can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on the Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or the #freeipa channel on Freenode.
== Resolved tickets
* https://pagure.io/freeipa/issue/3687[#3687] (https://bugzilla.redhat.com/...) [RFE] IPA user account expiry warning.
* https://pagure.io/freeipa/issue/3827[#3827] [RFE] Expose TTL in web UI
* https://pagure.io/freeipa/issue/6474[#6474] Remove ipaplatform dependency from ipa modules
* https://pagure.io/freeipa/issue/6783[#6783] (https://bugzilla.redhat.com/show_bug.cgi?id=1430365[rhbz#1430365]) [RFE] Host-group names command rename
* https://pagure.io/freeipa/issue/6857[#6857] ipa_pwd.c: Use OpenSSL instead of NSS for hashing
* https://pagure.io/freeipa/issue/6884[#6884] (https://bugzilla.redhat.com/show_bug.cgi?id=1441262[rhbz#1441262]) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* https://pagure.io/freeipa/issue/7255[#7255] baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
* https://pagure.io/freeipa/issue/7577[#7577] (https://bugzilla.redhat.com/show_bug.cgi?id=1579296[rhbz#1579296]) [RFE] DNS package check should be called earlier in installation routine
* https://pagure.io/freeipa/issue/7695[#7695] (https://bugzilla.redhat.com/show_bug.cgi?id=1623763[rhbz#1623763]) ipa service-del should display principal name instead of Invalid 'principal'.
* https://pagure.io/freeipa/issue/8017[#8017] (https://bugzilla.redhat.com/show_bug.cgi?id=1817927[rhbz#1817927]) host-add --password logs cleartext userpassword to Apache error log
* https://pagure.io/freeipa/issue/8064[#8064] Request for IPA CI to enable DS audit/auditfail logging
* https://pagure.io/freeipa/issue/8066[#8066] (https://bugzilla.redhat.com/show_bug.cgi?id=1750242[rhbz#1750242]) Don't use -t option to klist in adtrust code when timestamp is not needed
* https://pagure.io/freeipa/issue/8082[#8082] (https://bugzilla.redhat.com/show_bug.cgi?id=1756432[rhbz#1756432]) Default client configuration breaks ssh in FIPS mode.
* https://pagure.io/freeipa/issue/8101[#8101] Wrong pytest requirement in specfile
* https://pagure.io/freeipa/issue/8106[#8106] ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
* https://pagure.io/freeipa/issue/8120[#8120] (https://bugzilla.redhat.com/show_bug.cgi?id=1769791[rhbz#1769791]) Invisible part of notification area in Web UI intercepts clicks of some page elements
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform
* https://pagure.io/freeipa/issue/8163[#8163] (https://bugzilla.redhat.com/show_bug.cgi?id=1782572[rhbz#1782572]) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
* https://pagure.io/freeipa/issue/8164[#8164] (https://bugzilla.redhat.com/show_bug.cgi?id=1788907[rhbz#1788907]) Renewed certs are not picked up by IPA CAs
* https://pagure.io/freeipa/issue/8186[#8186] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
* https://pagure.io/freeipa/issue/8217[#8217] (https://bugzilla.redhat.com/show_bug.cgi?id=1810154[rhbz#1810154]) RFE: ipa-backup should compare locally and globally installed server roles
* https://pagure.io/freeipa/issue/8222[#8222] Upgrade dojo.js
* https://pagure.io/freeipa/issue/8247[#8247] test_fips PR-CI templates have a too-short timeout
* https://pagure.io/freeipa/issue/8251[#8251] [Azure] Catch coredumps
* https://pagure.io/freeipa/issue/8254[#8254] [Azure] 'Tox' task fails against Python3.8
* https://pagure.io/freeipa/issue/8261[#8261] [ipatests] Integration tests fail on non-firewalld distros
* https://pagure.io/freeipa/issue/8262[#8262] test_ipahealthcheck needs a higher timeout than 3600
* https://pagure.io/freeipa/issue/8264[#8264] Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
* https://pagure.io/freeipa/issue/8265[#8265] [ipatests] `/var/log/ipaupgrade.log` is not collected
* https://pagure.io/freeipa/issue/8266[#8266] test_webui_server requires a higher timeout than 3600
* https://pagure.io/freeipa/issue/8268[#8268] Prevent use of too long passwords
* https://pagure.io/freeipa/issue/8272[#8272] Use /run instead of /var/run
* https://pagure.io/freeipa/issue/8273[#8273] (https://bugzilla.redhat.com/show_bug.cgi?id=1834385[rhbz#1834385]) Man page syntax issue detected by rpminspect
* https://pagure.io/freeipa/issue/8276[#8276] Add default password policy for sysaccounts
* https://pagure.io/freeipa/issue/8283[#8283] Failures and AVCs with OpenDNSSEC 2.1
* https://pagure.io/freeipa/issue/8284[#8284] Upgrade jQuery version to actual one
* https://pagure.io/freeipa/issue/8287[#8287] named not starting after #8079, ipa-ext.conf breaks bind
* https://pagure.io/freeipa/issue/8289[#8289] ipa servicedelegationtarget-add-member does not allow to add hosts as targets
* https://pagure.io/freeipa/issue/8290[#8290] API inconsistencies
* https://pagure.io/freeipa/issue/8291[#8291] krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
* https://pagure.io/freeipa/issue/8297[#8297] Fix new pylint 2.5.0 warnings and errors
* https://pagure.io/freeipa/issue/8298[#8298] [WebUI] Cover membership management with UI tests
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with python3-rjsmin
* https://pagure.io/freeipa/issue/8301[#8301] The value of the first character in target* keywords is expected to be a double quote
* https://pagure.io/freeipa/issue/8306[#8306] Adopt Black code style
* https://pagure.io/freeipa/issue/8307[#8307] make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
* https://pagure.io/freeipa/issue/8308[#8308] (https://bugzilla.redhat.com/show_bug.cgi?id=1829787[rhbz#1829787]) ipa service-del deletes the required principal when specified in lower/upper case
* https://pagure.io/freeipa/issue/8309[#8309] Convert ipaplatform from namespace package to regular package
* https://pagure.io/freeipa/issue/8311[#8311] (https://bugzilla.redhat.com/show_bug.cgi?id=1825829[rhbz#1825829]) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
* https://pagure.io/freeipa/issue/8312[#8312] Fix api.env.in_tree detection logic
* https://pagure.io/freeipa/issue/8313[#8313] Values of api.env.mode are inconsistent
* https://pagure.io/freeipa/issue/8315[#8315] (https://bugzilla.redhat.com/show_bug.cgi?id=1833266[rhbz#1833266]) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
* https://pagure.io/freeipa/issue/8316[#8316] [Azure] Whitelist clock_adjtime syscall
* https://pagure.io/freeipa/issue/8317[#8317] XML-RCP and CLI tests depend on internal --force option
* https://pagure.io/freeipa/issue/8319[#8319] Support server referrals for enterprise principals
* https://pagure.io/freeipa/issue/8322[#8322] [RFE] Changing default hostgroup is too easy
* https://pagure.io/freeipa/issue/8323[#8323] [Build failure] Race: make po fails on parallel build
* https://pagure.io/freeipa/issue/8325[#8325] [WebUI] Fix htmlPrefilter issue in jQuery
* https://pagure.io/freeipa/issue/8328[#8328] krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
* https://pagure.io/freeipa/issue/8330[#8330] [Azure] Build job fails on `tests` container preparation
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8338[#8338] [WebUI] Host detail with no assigned ID view makes invalid RPC call
* https://pagure.io/freeipa/issue/8339[#8339] [WebUI] User details tab headers don't show member count when on settings tab
* https://pagure.io/freeipa/issue/8348[#8348] Allow managed permissions with ldap:///self bind rule
* https://pagure.io/freeipa/issue/8349[#8349] bind-9.16 and dnssec-enable
* https://pagure.io/freeipa/issue/8350[#8350] bind-9.16 and DLV
* https://pagure.io/freeipa/issue/8352[#8352] RPC API crashes when a user is disabled while a session exists
* https://pagure.io/freeipa/issue/8357[#8357] Allow managing IPA resources as a user from a trusted Active Directory forest
* https://pagure.io/freeipa/issue/8358[#8358] TTL of DNS record can be set to negative value
* https://pagure.io/freeipa/issue/8359[#8359] [WebUI] dnsrecord_mod results in JS error
* https://pagure.io/freeipa/issue/8362[#8362] (https://bugzilla.redhat.com/show_bug.cgi?id=1826659[rhbz#1826659]) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
* https://pagure.io/freeipa/issue/8363[#8363] DNS config upgrade code fails
== Detailed changelog since 4.8.6
The detailed changelog can be found at https://www.freeipa.org/page/Releases/4.8.7