The FreeIPA team would like to announce the FreeIPA 4.9.10 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.9.10
* 1539: [RFE] Add code to check password expiration on ldap bind
Users can no longer perform an LDAP BIND operation with an expired password.
* 8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0 identity providers supporting OAuth 2.0 Device Authorization Flow. IdPs known to work are Keycloak, Microsoft Azure, Google, GitHub, and Okta. Details on how to use Keycloak can be found in the FreeIPA workshop: https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.ht...
* 8977: subid: subid-match displays the DN of the owner, not its UID.
subid: subid-match now displays the UID of the range owner, not its DN.
* 9128: Turn down debug from ipa-dnskeysyncd
ipa-dnskeysyncd and ipa-ods-exporter daemons used to log all debug messages in the journal. The log level can now be configured by setting debug=True in /etc/ipa/dns.conf. For more information refer to default.conf(5).
* 9147: ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory
The uninstaller is now able to properly handle configurations originally done with authconfig instead of authselect.
* 9150: Remove 'Remove' button from subid page
subid ranges cannot be removed. The button for removing a range was removed from the Web UI subid management page to avoid confusing users.
* 9159: [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
IPA installers now provide the ability to configure SSSD as the data source for subid.
* 9171: Boolean value not mapped on WebUI checkbox
FreeIPA now properly exposes boolean LDAP values at IPA API Python and JSON-RPC levels. External IPA API consumers might need to switch from using "TRUE" and "FALSE" strings to True and False boolean values.
* 9174: Update Suse support in freeipa
FreeIPA client installer should now configure openSUSE 15.3 to Tumbleweed versions.
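For API consumers affected by the boolean change in 9171 above, here is an added example (not FreeIPA code) of a version-independent check. `ldap_bool()` and the attribute name `examplelocked` are hypothetical, the sample entries are constructed, and the one-element-list wrapping of values is an assumption about the result shape.

```python
def ldap_bool(value):
    """Return a Python bool for a boolean attribute value.

    Accepts a real bool or the LDAP Boolean strings "TRUE"/"FALSE".
    A one-element list or tuple is unwrapped first (assumed result shape).
    Anything else raises ValueError, so callers fail closed instead of
    guessing.
    """
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError(f"expected exactly one value, got {len(value)}")
        value = value[0]
    if isinstance(value, bool):
        return value
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="strict")
    if isinstance(value, str):
        text = value.strip().upper()
        if text == "TRUE":
            return True
        if text == "FALSE":
            return False
    raise ValueError(f"not an LDAP boolean: {value!r}")


# Constructed sample results: the same kind of entry as an API consumer
# might see it with string values and with real booleans.
# "examplelocked" is a hypothetical attribute name.
OLD_STYLE = {"uid": ["alice"], "examplelocked": ["TRUE"]}
NEW_STYLE = {"uid": ["alice"], "examplelocked": [True]}
OLD_STYLE_UNLOCKED = {"uid": ["bob"], "examplelocked": ["FALSE"]}


def naive_string_check(entry):
    """Consumer logic written for string values: silently False for a bool."""
    return entry["examplelocked"][0] == "TRUE"


def naive_truthiness_check(entry):
    """Truthiness shortcut: wrong for the non-empty string "FALSE"."""
    return bool(entry["examplelocked"][0])


def is_locked(entry):
    """Version-independent check built on ldap_bool()."""
    return ldap_bool(entry["examplelocked"])
```

A string comparison that keeps returning False after an upgrade is the dangerous case for security-relevant flags, because the check never errors; it just stops matching.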
=== Bug fixes
FreeIPA 4.9.10 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 20 bug fixes since the FreeIPA 4.9.9 release. Details of the bug fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on the Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or #freeipa channel on libera.chat.
== Resolved tickets
* https://pagure.io/freeipa/issue/1539[#1539] (https://bugzilla.redhat.com/show_bug.cgi?id=782917[rhbz#782917]) [RFE] Add code to check password expiration on ldap bind
* https://pagure.io/freeipa/issue/8582[#8582] Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
* https://pagure.io/freeipa/issue/8803[#8803] Add support for managing IdP references
* https://pagure.io/freeipa/issue/8804[#8804] Extend supported user authentication methods in IPA to allow IdP auth
* https://pagure.io/freeipa/issue/8805[#8805] Extend `ipa-otpd` daemon to recognize IdP references
* https://pagure.io/freeipa/issue/8977[#8977] (https://bugzilla.redhat.com/show_bug.cgi?id=2000947[rhbz#2000947]) subid: subid-match displays the DN of the owner, not its UID.
* https://pagure.io/freeipa/issue/9121[#9121] (https://bugzilla.redhat.com/show_bug.cgi?id=2056508[rhbz#2056508]) Ipa server ignores max ticket lifetime when using spake preauth, issues ticket with 24h lifetime
* https://pagure.io/freeipa/issue/9128[#9128] (https://bugzilla.redhat.com/show_bug.cgi?id=2059396[rhbz#2059396]) Turn down debug from ipa-dnskeysyncd
* https://pagure.io/freeipa/issue/9136[#9136] (https://bugzilla.redhat.com/show_bug.cgi?id=1872467[rhbz#1872467]) Add tests for ipa-healthcheck setting command-line options in configuration
* https://pagure.io/freeipa/issue/9140[#9140] Test test_rekey_keytype_DSA should be disabled
* https://pagure.io/freeipa/issue/9145[#9145] Configure email subject line for IPA EPN
* https://pagure.io/freeipa/issue/9146[#9146] Nightly test failure in `test_epn.py::TestEPN::test_EPN_config_file`
* https://pagure.io/freeipa/issue/9147[#9147] (https://bugzilla.redhat.com/show_bug.cgi?id=1958777[rhbz#1958777]) ipa-server-install --uninstall fails on Fedora 33, returned non-zero exit status 2: Unable to disable feature: No such file or directory
* https://pagure.io/freeipa/issue/9148[#9148] documentation build fails in readthedocs
* https://pagure.io/freeipa/issue/9150[#9150] (https://bugzilla.redhat.com/show_bug.cgi?id=2063155[rhbz#2063155]) Remove 'Remove' button from subid page
* https://pagure.io/freeipa/issue/9151[#9151] (https://bugzilla.redhat.com/show_bug.cgi?id=2012911[rhbz#2012911]) Disable DNSSEC in ipa-healthcheck tests
* https://pagure.io/freeipa/issue/9152[#9152] Regression in TestIpaHealthCheckWithoutDNS
* https://pagure.io/freeipa/issue/9155[#9155] Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split
* https://pagure.io/freeipa/issue/9157[#9157] implement support for bind 9.18+
* https://pagure.io/freeipa/issue/9159[#9159] (https://bugzilla.redhat.com/show_bug.cgi?id=2068088[rhbz#2068088]) [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
* https://pagure.io/freeipa/issue/9162[#9162] (https://bugzilla.redhat.com/show_bug.cgi?id=2004646[rhbz#2004646]) RFE: Improve error message with more detail for ipa-replica-install command
* https://pagure.io/freeipa/issue/9165[#9165] Nightly test failure (rawhide) in test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp
* https://pagure.io/freeipa/issue/9167[#9167] Nightly test failure in test_graceperiod_not_replicated
* https://pagure.io/freeipa/issue/9171[#9171] Boolean value not mapped on WebUI checkbox
* https://pagure.io/freeipa/issue/9173[#9173] Inconsistent ACI before/after running ipa-server-upgrade
* https://pagure.io/freeipa/issue/9174[#9174] Update Suse support in freeipa
* https://pagure.io/freeipa/issue/9175[#9175] ipatests: need to update expected output for ipa-healthcheck's DogtagCertsConnectivityCheck
* https://pagure.io/freeipa/issue/9176[#9176] (https://bugzilla.redhat.com/show_bug.cgi?id=2092015[rhbz#2092015]) secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml
* https://pagure.io/freeipa/issue/9178[#9178] idviews: use cached ipaOriginalUid value when resolving ID override anchor
* https://pagure.io/freeipa/issue/9180[#9180] Add new config option for LDAP cache debugging
== Detailed changelog since 4.9.9
=== Armando Neto (2)
* ipatests: bump pr-ci templates https://pagure.io/freeipa/c/f3255393188dbfb32f74150243b0e7f2c6ba4dc9[commi...]
* workshop: Update docs and support default cloud image https://pagure.io/freeipa/c/42afcc95be0292dd0dbdf955dbe0e8e3a683782e[commi...]
=== Alexander Bokovoy (29)
* idviews: use cached ipaOriginalUid value when resolving ID override anchor https://pagure.io/freeipa/c/cfca49c469e822199cbdccd05d4c4a4cbf281448[commi...] https://pagure.io/freeipa/issue/9178[#9178]
* ipaldap: fix conversion from boolean OID to Python https://pagure.io/freeipa/c/faeb656c77adf27a49ccaceb57fc1ba44e11cc1d[commi...] https://pagure.io/freeipa/issue/9171[#9171]
* ipa-kdb: avoid additional checks for a well-known anonymous principal https://pagure.io/freeipa/c/6c6fc7db61d83e01a4913d22dfb178af43d30d8b[commi...] https://pagure.io/freeipa/issue/9165[#9165]
* Ignore dnssec-enable-related named-checkonf errors in test https://pagure.io/freeipa/c/35c720cab0d91e730e94d95abfdd54d7882987d0[commi...] https://pagure.io/freeipa/issue/9157[#9157]
* Support dnssec utils from bind 9.17.2+ https://pagure.io/freeipa/c/1c6bdf97598984e74318061449f7906e487cd034[commi...] https://pagure.io/freeipa/issue/9157[#9157]
* ipa-kdb: apply per-indicator settings from inherited ticket policy https://pagure.io/freeipa/c/a2baae42f8cff025521df19eed793f8184ce5974[commi...] https://pagure.io/freeipa/issue/9121[#9121]
* freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split https://pagure.io/freeipa/c/979163bff2e689c46ff67d6976f7927f0d81f9cd[commi...] https://pagure.io/freeipa/issue/9155[#9155]
* docs: tune RTD to display lists with disc and left margin https://pagure.io/freeipa/c/40a257f1e682616c66c77c86be14437dbcad8a8c[commi...]
* workshop: add chapter 12: External IdP support https://pagure.io/freeipa/c/5f9e0d3ff3bd80b75bc9f5de97e7e086ba0a31e3[commi...]
* freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism https://pagure.io/freeipa/c/d49aa7103bacba60bae28f32bd76d9d35853626b[commi...] https://pagure.io/freeipa/issue/8805[#8805]
* doc/workshop: document use of pam_sss_gss PAM module https://pagure.io/freeipa/c/d0eab8fe7609fea0b46ea863db1822eca1daac63[commi...]
* External IdP: initial SELinux policy https://pagure.io/freeipa/c/660c3dc2491fc2ee01031c1c59db6e0bb025bf93[commi...]
* External IdP: add Web UI to manage IdP references https://pagure.io/freeipa/c/51a4e42dd777661addd4f2fed1654ee978e8a4d7[commi...]
* KDB: support external IdP configuration https://pagure.io/freeipa/c/673478b1cf9950aed755a6a9ae8f81cb323932b3[commi...] https://pagure.io/freeipa/issue/8804[#8804]
* ipa-otpd: add support for SSSD OIDC helper https://pagure.io/freeipa/c/bf8e2bb99f1c09ced820bd4bf6e9d7832db2caea[commi...] https://pagure.io/freeipa/issue/8805[#8805]
* external-idp: add XMLRPC tests for External IdP objects and idp indicator https://pagure.io/freeipa/c/b77015b7a3b627282560253cf2cd579c89f02923[commi...] https://pagure.io/freeipa/issue/8803[#8803], https://pagure.io/freeipa/issue/8804[#8804]
* external-idp: add support to manage external IdP objects https://pagure.io/freeipa/c/2136bd5d00f7aed5ae722ff8253c2b74ba444972[commi...] https://pagure.io/freeipa/issue/8803[#8803], https://pagure.io/freeipa/issue/8804[#8804]
* external-idp: add LDAP schema, indices and other LDAP objects https://pagure.io/freeipa/c/1df7b82ac188650775703dc95530017c969d0bff[commi...] https://pagure.io/freeipa/issue/8803[#8803]
* doc/designs: add External IdP support design documents https://pagure.io/freeipa/c/8d81338cb94a2d850f53629ebba98a1f1ec90d1e[commi...] https://pagure.io/freeipa/issue/8803[#8803], https://pagure.io/freeipa/issue/8804[#8804], https://pagure.io/freeipa/issue/8805[#8805]
* js tests: use latest grunt https://pagure.io/freeipa/c/ea0275f6113854feb02715265a5a85904023816d[commi...]
* Azure CI: don't force non-existing OpenSSL configuration anymore https://pagure.io/freeipa/c/c2434c4e52fa2121331ab358325345b308fbc3dd[commi...]
* Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use https://pagure.io/freeipa/c/137e62cc2faade831abc4b1955a0c0319f2d8a0f[commi...]
* Switch Azure CI to Fedora 36 pre-release https://pagure.io/freeipa/c/1e882144bb5c5661906eeaefa6ce6f511005bfb2[commi...]
* web ui: do not provide Remove button in subid page https://pagure.io/freeipa/c/59cf9017a009bb5eb4f6ef0ed07aa21e60614ab3[commi...] https://pagure.io/freeipa/issue/9150[#9150]
* docs: force sphinx version above 3.0 to avoid caching in RTD https://pagure.io/freeipa/c/5ea1866f1bdea4e20894906e7dbdbde27f9715cd[commi...]
* docs: update Sphinx requirements in ipasphinx package https://pagure.io/freeipa/c/ffd8f14af2a1d2d1bce9011473449706902d884d[commi...] https://pagure.io/freeipa/issue/9148[#9148]
* docs: add the readthedocs configuration https://pagure.io/freeipa/c/68c20846cf80eb2d46a05e0f8879ddfbd19fbbec[commi...] https://pagure.io/freeipa/issue/9148[#9148]
* docs: add plantuml and use virtual environment to generate docs https://pagure.io/freeipa/c/7ddef72fbbf779da32660d54389d68a7c3b35a1a[commi...] https://pagure.io/freeipa/issue/9148[#9148]
* doc: migrate to m2r2 and newer sphinx, add plantuml to venv https://pagure.io/freeipa/c/de918aea190401183da4742fc9d56101a13f1b17[commi...] https://pagure.io/freeipa/issue/9148[#9148]
=== Anuja More (2)
* pr-ci definitions: add external idp related jobs. https://pagure.io/freeipa/c/b39f9336fa12e7f28ce0a5c51677983bc9b72621[commi...]
* ipatests: Add integration tests for External IdP support https://pagure.io/freeipa/c/b979dd91f149fd1f4fc1f48466a26f575eae0ae4[commi...] https://pagure.io/freeipa/issue/8803[#8803], https://pagure.io/freeipa/issue/8804[#8804], https://pagure.io/freeipa/issue/8805[#8805]
=== Antonio Torres (1)
* Back to git snapshots https://pagure.io/freeipa/c/0cdbe00a72eeb8b1f18a37ca75fb16eea5b25119[commi...]
=== Matthew Davis (1)
* Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR https://pagure.io/freeipa/c/70d23b225d11a6c8c16bd94faa8891100b83c1ac[commi...] https://pagure.io/freeipa/issue/9174[#9174]
=== Florence Blanc-Renaud (12)
* ACI: define "Read DNS entries from a zone" aci during install https://pagure.io/freeipa/c/4b8b032ed5dd33662032e82ba4e296e7b0700c17[commi...] https://pagure.io/freeipa/issue/9173[#9173]
* ipatests: update expected output for boolean attribute https://pagure.io/freeipa/c/c6bc8fd4c80d7ab9cd369ffce521d52c0eabe4cb[commi...] https://pagure.io/freeipa/issue/9171[#9171]
* ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean https://pagure.io/freeipa/c/23d56bb95229756054df72de4d50fead8fc6116e[commi...] https://pagure.io/freeipa/issue/9171[#9171]
* ipatest: update expected out for ipa-healthcheck's DogtagCertsConnectivityCheck https://pagure.io/freeipa/c/6147f877a57dab33cccea08cc57fcb7b82d4a602[commi...] https://pagure.io/freeipa/issue/9175[#9175]
* ipatests: add new test with --subid installer option https://pagure.io/freeipa/c/0193498f682eb3efa9cbdf82af215eaa854f466a[commi...] https://pagure.io/freeipa/issue/9159[#9159]
* man pages: document the --subid installer option https://pagure.io/freeipa/c/e10f3385d0bbb4100a8220ce372dc2748f8b329e[commi...] https://pagure.io/freeipa/issue/9159[#9159]
* Installer: add --subid option to select the sssd profile with-subid https://pagure.io/freeipa/c/74b2fd06d978d56137ccfde310f9c64187e0a5a3[commi...] https://pagure.io/freeipa/issue/9159[#9159]
* client uninstall: handle uninstall with authconfig https://pagure.io/freeipa/c/d39e232e9ee28da5d4488135d264d2d1b9e671ba[commi...] https://pagure.io/freeipa/issue/9147[#9147]
* ipatests: --no-dnssec-validation requires --setup-dns https://pagure.io/freeipa/c/7f814d9f54207a53c99155e542cc5b210707d0fd[commi...] https://pagure.io/freeipa/issue/9152[#9152]
* ipatests: remove test_rekey_keytype_DSA https://pagure.io/freeipa/c/b3093d9c3990f8e899487087965f008607a519c6[commi...] https://pagure.io/freeipa/issue/9140[#9140]
* ipatests: update the expected sha256sum of epn.conf file https://pagure.io/freeipa/c/5877c4e17a92c73aa68b8ba3c7a47555e32a13ca[commi...] https://pagure.io/freeipa/issue/9146[#9146]
* EPN: document missing option msg_subject https://pagure.io/freeipa/c/d37d1f717ec725726d770ea73b4ab2e418c485e2[commi...] https://pagure.io/freeipa/issue/9145[#9145]
=== Francisco Trivino (3)
* Update subordinate design doc https://pagure.io/freeipa/c/8abc0a22a8866e82776afbd7c3bc5e3195c43115[commi...]
* Update ipa-replica-install replication agreement error message https://pagure.io/freeipa/c/c03a8c3c06562c128aac6be506274995cea74948[commi...] https://pagure.io/freeipa/issue/9162[#9162]
* ipatests: Bump PR-CI latest templates to Fedora 36 https://pagure.io/freeipa/c/9ae6ef549fe51457a6f505f3c0ea6a7804e9bcd2[commi...]
=== Matthew Davis (1)
* Suse compatibility fix https://pagure.io/freeipa/c/fe048d83cb88593e490af8b95c12917071683b4c[commi...] https://pagure.io/freeipa/issue/9174[#9174]
=== Michal Polovka (4)
* ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version https://pagure.io/freeipa/c/60739ce483e897cbd85575304dfb7562066189e4[commi...] https://pagure.io/freeipa/issue/8582[#8582]
* ipatests: tasks: add ipactl start, stop and restart https://pagure.io/freeipa/c/58ddcffc412f7dd5cc762bd6f80faa07fcedf7ec[commi...]
* ipatests: RFE: Improve ipa-replica-install error message https://pagure.io/freeipa/c/352b9dfb49bdf1c70a8de9ed7287387417580c86[commi...] https://pagure.io/freeipa/issue/9162[#9162]
* ipatests: test_subids: test subid-match shows UID of the owner https://pagure.io/freeipa/c/ab0e67d1f51c2db620de002d5f61425e0a65c9aa[commi...] https://pagure.io/freeipa/issue/8977[#8977]
=== Rob Crittenden (14)
* Add switch for LDAP cache debug output https://pagure.io/freeipa/c/d062dc9da891cbb3b0ab04291d89afddf140c560[commi...] https://pagure.io/freeipa/issue/9180[#9180]
* Remove extraneous AJP secret from server.xml on upgrades https://pagure.io/freeipa/c/deaaaaf1492410269c1f66f8d4bb57e41b99d87c[commi...] https://pagure.io/freeipa/issue/9176[#9176]
* graceperiod: ignore case when checking for missing objectclass https://pagure.io/freeipa/c/e6cc41094b2bc526e9f8e87229e8f83a74cfc263[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* Set default LDAP password grace period to -1 https://pagure.io/freeipa/c/9b0fbdc37b92981d541a4152fdfeb0964692878f[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* doc: Design document for LDAP graceperiod https://pagure.io/freeipa/c/d2b296454c57ab639b8e023050dabc193693c42f[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* Don't duplicate the LDAP gracelimit set in the previous test https://pagure.io/freeipa/c/8b2edd5b4e13cb7a8b9b9eec4a0e194b4e6ca71b[commi...] https://pagure.io/freeipa/issue/9167[#9167]
* Configure and enable the graceperiod plugin on upgrades https://pagure.io/freeipa/c/62bafcc53d4f45b28eb9a541e5385c2f1e7a3f97[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* dnssec daemons: read the dns context config file for debug state https://pagure.io/freeipa/c/c00286462196026337600113119eb5522b96141a[commi...] https://pagure.io/freeipa/issue/9128[#9128]
* healthcheck: add tests for setting cli options in config file https://pagure.io/freeipa/c/0e8350e0dd8219fd8245f57e0ebc9a096e9be84f[commi...] https://pagure.io/freeipa/issue/9136[#9136]
* Exclude passwordgraceusertime from replication https://pagure.io/freeipa/c/87fe3fbba6d2b5bf2a7e9a0fca91c4e588641c9c[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* Remove the replicated attribute constants https://pagure.io/freeipa/c/6b3ab98b90686bb41a901af6b1cf5da99b99a148[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* Implement LDAP bind grace period 389-ds plugin https://pagure.io/freeipa/c/4fcbf2ded2563ff5151edee9384d793ad38f6dae[commi...] https://pagure.io/freeipa/issue/1539[#1539]
* If the password auth type is enabled also enable the hardened policy https://pagure.io/freeipa/c/300f1301bbbe8a62183819f4350f47e3f182b7f1[commi...] https://pagure.io/freeipa/issue/9121[#9121]
* kdb: The jitter offset should always be positive https://pagure.io/freeipa/c/ed1447ab612e5445a76e979fb059825bab84d1df[commi...] https://pagure.io/freeipa/issue/9121[#9121]
=== Sudhir Menon (2)
* ipatests: ipahealthcheck tests to check change in permission of ipaserver log files https://pagure.io/freeipa/c/3488276649861563471398b3747224ca54875861[commi...]
* ipatests: Adding --no-dnssec-validation option for healthcheck https://pagure.io/freeipa/c/f11b7b3bf50f7ccf4689b1b0f80894b0b1247983[commi...] https://pagure.io/freeipa/issue/9151[#9151]
=== Thorsten Scherf (2)
* workshop: add freeipa version requirements https://pagure.io/freeipa/c/84c88b69fe250bbff32e2c9abcf1d118e883eb22[commi...]
* workshop: add freeipa version requirements https://pagure.io/freeipa/c/7e596fd16c5056815bce9e7ae15b58dd3fd25e7e[commi...]