[Freeipa-devel] [Announce] FreeIPA 4.7.90.pre1 released

The FreeIPA team would like to announce the first release candidate of FreeIPA 4.8.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora releases will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR repository]. A full release notes version can be read at https://www.freeipa.org/page/Releases/4.7.90.pre1 This mail only contains highlights and generic links due to large size of the pre-release changes: there are more than 220 bug-fixes. == Highlights in 4.7.90.pre1 == * 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56 FreeIPA LDAP server default configuration is improved to require SASL security strength factor higher than 56 bit. -------- * 4491: Use lib389 to install 389-ds instead of setup-ds.pl FreeIPA now utilizes Python-based installer of 389-ds directory server -------- * 4440: Add support for bounce_url to /ipa/ui/reset_password.html The /ipa/ui/reset_password.html page accepts url parameter to provide the user with a back link after successful password reset, to support resets initiated by external web applications. Additional parameter delay automatically redirects back after the specified number of seconds has elapsed. -------- * 5608: Tech preview: add Dogtag configuration extensions FreeIPA team started rewrite of the Certificate Authority configuration to make possible passing additional options when configuring Dogtag. This is required to allow use of hardware secure (HSM) modules within FreeIPA CA but also to allow tuning CA defaults. HSM configuration is not yet fully available due to a number of open issues in Dogtag itself. -------- * 5803: Add utility to promote CA replica to CRL master New utility was added to promote a CA replica to be the CRL master. [https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master Design page] provides more details and use examples. -------- * 6077: Support One-Way Trust authenticated by trust secret Samba integration was updated to allow establishing trust to Active Directory from Windows side using a Trust wizard. This allows to establish a one-way trust authenticated by a shared trust secret. Additionally, it allows to establish a trust with Samba AD DC 4.7 or later, initiated from Samba AD DC side. -------- * 6790: Allow creating IPA CA with 3084-bit key. CA key size default is raised to 3072 instead of 2048 because it's the recommended size by NIST. An extensibility feature added with ticket 5608 allows increasing the CA key size further buta 4096-bit key is considerably slower. The change only affects new deployments. There is no way to upgrade existing CA infrastructure other than issuing a new CA key and re-issuing new certificates to all existing users of the old root CA. In addition, lightweight sub-CAs are currently hard-coded to 2048 bit key size. All relevant public root CAs in the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures. -------- * 7193: Warn or adjust umask if it is too restrictive to break installation FreeIPA deployment now enforces own umask settings where required to allow deployment at hardened sites which follow some of STIG recommendations. -------- * 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by IPA CA when state=enable, selfsigned when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept. The fix consists in deleting the cert and key file before calling certmonger to request a new cert. -------- * 7206: Provide an option to include FQDN in IDM topology graph In the replication topology graph visualization, it is now possible to see a fully qualified name of the server. This change helps to reduce confusion when managing complex multi-datacenter topologies. -------- * 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable Log level for technical messages of a KDC proxy was reduced to keep logs clean. -------- * 7451: Allow issuing certificates with IP addresses in subjectAltName FreeIPA now allows issuing certificates with IP addresses in the subject alternative name (SAN), if all of the following are true: ** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME). ** All of the DNS entries in the resolution chain are managed by this IPA instance. ** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance -------- * 7568: FreeIPA no longer supports Python 2 Removed Python 2 related code and configuration from spec file, autoconf and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python 3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are no longer available. PR-CI, lint, and tox aren't testing Python 2 compatibility anymore. -------- * 7632: Allow IPA Services to Start After the IPA Backup Has Completed ipa-backup gathers all the files needed for the backup, then compresses the file and finally restarts the IPA services. When the backup is a large file, the compression may take time and widen the unavailabity window. This fix restarts the services as soon as all the required files are gathered, and compresses after services are restarted. -------- * 7619, 7640, 7641: UI migration, password reset and configuration pages support translations Static pages in FreeIPA web UI now allow translated content -------- * 7658: sysadm_r should be included in default SELinux user map order sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux. -------- * 7689: Domain Level 0 is no longer supported Code to support operation on Domain Level 0 is removed. In order to upgrade to FreeIPA 4.8.0 via replication, an existing deployment must first be brought up to Domain Level 1. -------- * 7747: Support interactive prompt for NTP options for FreeIPA FreeIPA now asks user for NTP source server or pool address in interactive mode if there is no server nor pool specified and autodiscovery has not found any NTP source in DNS records. -------- * 7892: Tech preview: hidden / unadvertised IPA replica A hidden replica is an IPA master server that is not advertised to clients or other masters. Hidden replicas have all services running and available, but none of the services has any DNS SRV records or enabled LDAP server roles. This makes hidden replicas invisible for service discovery. [https://pagure.io/freeipa/blob/master/f/doc/designs/hidden-replicas.md Design document] provides more details on use cases and management of hidden replicas. -------- * PyPI packages have fewer dependencies The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient no longer depend on the binary extensions netifaces and python-ldap by default. -------- === Bug fixes === There are more than 220 bug-fixes details of which can be seen in the list of resolved tickets at https://www.freeipa.org/page/Releases/4.7.90.pre1 == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland