Hi Antonio,
the automation for the release notes seems to pick references to issues
fixed in previous releases already (maybe it's considering references to
pagure tickets even if they just mention Related instead of Fixes). I added
some inline comments for the ones I spotted, please see below.
On Thu, Nov 3, 2022 at 12:04 PM Antonio Torres via FreeIPA-devel <freeipa-devel(a)lists.fedorahosted.org> wrote:
{{ReleaseDate|2022-11-03}}
The FreeIPA team would like to announce FreeIPA 4.9.11 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora distributions will be available from the official repository soon.
== Highlights in 4.9.11 ==
'''TODO RELEASE NOTES - put release notes (if any) to proper categories'''
* 1539: [RFE] Add code to check password expiration on ldap bind
:: User can no longer do LDAP BIND operation with expired password.
--------
* 3226: [RFE] ipa sudorule-add-user should accept more types of characters
Already fixed a long time ago.
--------
* 8361: Add support for managing subuids and subgids in FreeIPA
:: IPA is now able to centrally store ID sub-ranges for users/groups.
More details can be found in the design document:
https://freeipa.readthedocs.io/en/latest/designs/subordinate-ids.html
Already fixed in 4.9.9
--------
* 8404: Detect and fail if not enough memory is available for installation
:: FreeIPA server now requires at least 1.2 GiB RAM for installation
to prevent performance degradation.
In the new update, we updated the man page to mention the option
--skip-mem-check, but the option was also provided with 4.9.2. This one can
be removed.
--------
* 8528: Use separate logs for AD Trust and DNS installer
:: ipa-adtrust-install and ipa-dns-install commands now log their
activity into separate log files.
Already fixed in 4.9.0
--------
* 8655: Allow to establish trust to Active Directory in FIPS mode
:: When IPA is deployed in FIPS mode, it is now possible to establish
trust to Active Directory forest.
Already fixed in 4.9.1
--------
* 8803: Add support for managing IdP references
:: FreeIPA can now authenticate users with the help of OAuth 2.0
identity providers supporting OAuth 2.0 Device Authorization Flow.
IdPs known to work are Keycloak, Microsoft Azure, Google, Github, and
Okta. Details on how to use Keycloak can be found in FreeIPA workshop:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support...
Already in 4.9.10. 4.9.11 just adds tests.
--------
* 9150: Remove 'Remove' button from subid page
:: subid ranges cannot be removed. A button in Web UI subid management
page to remove the range was removed to not confuse users
Already in 4.9.10. 4.9.11 just adds a test.
--------
* 9159: [RFE] ipa-client-install should provide option to enable
subid: sss in /etc/nsswitch.conf
:: IPA installers now provide the ability to configure SSSD as
datasource for subid
already in 4.9.10, 4.9.11 just adds a test
--------
* 9187: [UX] Preserving a user account produces output saying it was
deleted
:: Previously, the command to preserve a user account used to display
a confusing output "Deleted user: <user>" although the user was
preserved and not deleted. The command now displays "Preserved user:
<user>" for preserved users.
--------
* 9228: ipa-client-install does not maintain server affinity during
installation
:: ipa-client-install will use a single server for the duration of the
installation process, either one discovered or provided on the
command-line. Previously it would use a temporary configuration to do
enrollment, then switch to a final one for the remaining operations.
This could lead to the installer talking with multiple servers. If the
client installer is faster than replication this could lead to errors.
--------
* 9237: Show order in sudo rule list in web interface
:: In the 'sudo rules' page, the WebUI is now displaying a 'sudo
order' column so that the users can easily see which rules override
other rules based on their order.
--------
* 9258: Do not add TLS CA configuration to ldap.conf anymore
:: FreeIPA client installer does not add explicit TLS CA configuration
to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
configuration is not required as OpenLDAP uses the default CA store
provided by OpenSSL and IPA CA is installed in the default store by
the installer already.
--------
'''END TODO'''
=== Enhancements ===
* 8361: Add support for managing subuids and subgids in FreeIPA
:: IPA is now able to centrally store ID sub-ranges for users/groups.
More details can be found in the design document:
https://freeipa.readthedocs.io/en/latest/designs/subordinate-ids.html
--------
to be removed
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.9.11 is a stabilization release for the features delivered as a
part of 4.9 version series.
There are more than 50 bug-fixes since FreeIPA 4.9.10 release.
Details of the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on libera.chat.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/1539 #1539] ([https://bugzilla.redhat.com/show_bug.cgi?id=782917 rhbz#782917]) [RFE] Add code to check password expiration on ldap bind
* [https://pagure.io/freeipa/issue/3226 #3226] ([https://bugzilla.redhat.com/show_bug.cgi?id=871208 rhbz#871208]) [RFE] ipa sudorule-add-user should accept more types of characters
to be removed
* [https://pagure.io/freeipa/issue/8361 #8361] Add support for managing subuids and subgids in FreeIPA
to be removed
* [https://pagure.io/freeipa/issue/8404 #8404] Detect and fail if not enough memory is available for installation
to be removed
* [https://pagure.io/freeipa/issue/8452 #8452] update samba configuration on IPA master to explicitly use 'server role' setting
to be removed
* [https://pagure.io/freeipa/issue/8501 #8501] Unify how FreeIPA gets FQDN of current host
to be removed
* [https://pagure.io/freeipa/issue/8519 #8519] Fedora container platform is incomplete
to be removed
* [https://pagure.io/freeipa/issue/8524 #8524] ([https://bugzilla.redhat.com/show_bug.cgi?id=1851835 rhbz#1851835]) Deploy & manage the ACME service topology wide from a single system
to be removed
* [https://pagure.io/freeipa/issue/8528 #8528] Use separate logs for AD Trust and DNS installer
to be removed
* [https://pagure.io/freeipa/issue/8584 #8584] ACME communication with dogtag REST endpoints should be using the cookie it creates
to be removed
to be removed
to be removed
* [https://pagure.io/freeipa/issue/8803 #8803] Add support for managing IdP references
to be removed
* [https://pagure.io/freeipa/issue/8804 #8804] Extend supported user authentication methods in IPA to allow IdP auth
to be removed
* [https://pagure.io/freeipa/issue/8805 #8805] Extend `ipa-otpd` daemon to recognize IdP references
to be removed
* [https://pagure.io/freeipa/issue/8832 #8832] ([https://bugzilla.redhat.com/show_bug.cgi?id=1957768 rhbz#1957768]) ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
to be removed
* [https://pagure.io/freeipa/issue/8923 #8923] ([https://bugzilla.redhat.com/show_bug.cgi?id=1970168 rhbz#1970168]) Trust controller role should pull sssd-winbind-idmap package
to be removed
* [https://pagure.io/freeipa/issue/8951 #8951] Test for RFE ipa-healthcheck tool can include check to see if the system is FIPS enabled or not
* [https://pagure.io/freeipa/issue/8972 #8972] ([https://bugzilla.redhat.com/show_bug.cgi?id=1998129 rhbz#1998129]) AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
to be removed
* [https://pagure.io/freeipa/issue/8984 #8984] ([https://bugzilla.redhat.com/show_bug.cgi?id=1999992 rhbz#1999992]) ipa migrate-ds command fails to warn when compat plugin is enabled
to be removed
* [https://pagure.io/freeipa/issue/9062 #9062] [ipatests] SID generation and test_xmlrpc/test_user_plugin.py
* [https://pagure.io/freeipa/issue/9127 #9127] ([https://bugzilla.redhat.com/show_bug.cgi?id=2062379 rhbz#2062379]) Use new getorigby{user|group}name() calls in extdom plugin
to be removed
to be removed
* [https://pagure.io/freeipa/issue/9158 #9158] Internal error when setting dnsconfig or dnsforwardzone forwarders.
* [https://pagure.io/freeipa/issue/9159 #9159] ([https://bugzilla.redhat.com/show_bug.cgi?id=2068088 rhbz#2068088]) [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
to be removed
* [https://pagure.io/freeipa/issue/9160 #9160] cryptography.utils.register_interface is scheduled for removal
* [https://pagure.io/freeipa/issue/9161 #9161] Nightly test failure in test_selinuxusermap.py::test_selinuxusermap::test_misc
* [https://pagure.io/freeipa/issue/9178 #9178] idviews: use cached ipaOriginalUid value when resolving ID override anchor
to be removed
* [https://pagure.io/freeipa/issue/9183 #9183] Timeout issue in test_installation.py when using interactive mode
* [https://pagure.io/freeipa/issue/9185 #9185] Fix missing parameter for Suse ipaplatform task
* [https://pagure.io/freeipa/issue/9187 #9187] ([https://bugzilla.redhat.com/show_bug.cgi?id=2022028 rhbz#2022028]) [UX] Preserving a user account produces output saying it was deleted
* [https://pagure.io/freeipa/issue/9188 #9188] ([https://bugzilla.redhat.com/show_bug.cgi?id=2098187 rhbz#2098187]) Add warning for empty targetattr when creating ACI with RBAC
* [https://pagure.io/freeipa/issue/9189 #9189] ipatests: Fix test_idp.py for downstream idm-ci
* [https://pagure.io/freeipa/issue/9190 #9190] ipatests.test_ipaserver.test_secure_ajp_connector failing with python 3.6.8 with: TypeError: a bytes-like object is required, not 'str'
* [https://pagure.io/freeipa/issue/9192 #9192] ([https://bugzilla.redhat.com/show_bug.cgi?id=2094672 rhbz#2094672]) IdM WebUI Pagination Size should not allow empty value
* [https://pagure.io/freeipa/issue/9198 #9198] [Tracker] nightly failure: after ipa trust-add, cred cache contains cifs/master.ipa.test(a)IPA.TEST instead of admin principal
* [https://pagure.io/freeipa/issue/9204 #9204] [Tracker] In ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki restarts
* [https://pagure.io/freeipa/issue/9206 #9206] ([https://bugzilla.redhat.com/show_bug.cgi?id=2109236 rhbz#2109236]) ldap bind occurs when admin user changes password with gracelimit=0
* [https://pagure.io/freeipa/issue/9207 #9207] Failure in AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)
* [https://pagure.io/freeipa/issue/9208 #9208] ap: Doc build fails against Sphinx 5.1.0
* [https://pagure.io/freeipa/issue/9211 #9211] ([https://bugzilla.redhat.com/show_bug.cgi?id=2109243 rhbz#2109243]) RFE: Allow grace login limit to be set in IPA WebUI.
* [https://pagure.io/freeipa/issue/9212 #9212] ([https://bugzilla.redhat.com/show_bug.cgi?id=2115475 rhbz#2115475]) Nightly test failure in test_user.py::test_user::test_password_expiration_notification
* [https://pagure.io/freeipa/issue/9214 #9214] Nightly failure in webui test test_subid.py::test_subid::test_subid_range_deletion_not_allowed
* [https://pagure.io/freeipa/issue/9216 #9216] [Tracker] Nightly failure: zone not signed
to be removed
flo
* [https://pagure.io/freeipa/issue/9218 #9218]