The FreeIPA team would like to announce the first release candidate of
FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads
. Builds for
Fedora releases will be available in the official
A full release notes version can be read at
This mail only contains highlights and generic links due to large size
of the pre-release changes: there are more than 220 bug-fixes.
== Highlights in 4.7.90.pre1 ==
* 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56
FreeIPA LDAP server default configuration is improved to require SASL
security strength factor higher than 56 bit.
* 4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes Python-based installer of 389-ds directory server
* 4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts url parameter to provide
the user with a back link after successful password reset, to support
resets initiated by external web applications. Additional parameter
delay automatically redirects back after the specified number of seconds
* 5608: Tech preview: add Dogtag configuration extensions
FreeIPA team started rewrite of the Certificate Authority configuration
to make possible passing additional options when configuring Dogtag.
This is required to allow use of hardware secure (HSM) modules within
FreeIPA CA but also to allow tuning CA defaults. HSM configuration is
not yet fully available due to a number of open issues in Dogtag itself.
* 5803: Add utility to promote CA replica to CRL master
New utility was added to promote a CA replica to be the CRL master.
Design page] provides more details and use examples.
* 6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing trust to Active
Directory from Windows side using a Trust wizard. This allows to
establish a one-way trust authenticated by a shared trust secret.
Additionally, it allows to establish a trust with Samba AD DC 4.7 or
later, initiated from Samba AD DC side.
* 6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it's the
recommended size by NIST. An extensibility feature added with ticket
5608 allows increasing the CA key size further buta 4096-bit key is
considerably slower. The change only affects new deployments. There is
no way to upgrade existing CA infrastructure other than issuing a new CA
key and re-issuing new certificates to all existing users of the old
root CA. In addition, lightweight sub-CAs are currently hard-coded to
2048 bit key size. All relevant public root CAs in the CA/B forum use
2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
* 7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces own umask settings where required to
allow deployment at hardened sites which follow some of STIG
* 7200 ipa-pkinit-manage reports a switch from local pkinit to full
pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even
though the PKINIT cert is not re-issued. The command triggers the
request of a new certificate (signed by IPA CA when state=enable,
selfsigned when disabled), but as the cert file is still present,
certmonger does not create a new request and the existing certificate is
The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.
* 7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to
see a fully qualified name of the server. This change helps to reduce
confusion when managing complex multi-datacenter topologies.
* 7365: make kdcproxy errors in httpd error log less annoying in case AD
KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs clean.
* 7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true:
** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
** All of the DNS entries in the resolution chain are managed by this IPA instance.
** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
* 7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
* 7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window. This fix restarts the services as soon as all the required files
are gathered, and compresses after services are restarted.
* 7619, 7640, 7641: UI migration, password reset and configuration pages
Static pages in FreeIPA web UI now allow translated content
* 7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.
* 7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to
upgrade to FreeIPA 4.8.0 via replication, an existing deployment must
first be brought up to Domain Level 1.
* 7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks user for NTP source server or pool address in
interactive mode if there is no server nor pool specified and
autodiscovery has not found any NTP source in DNS records.
* 7892: Tech preview: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to
clients or other masters. Hidden replicas have all services running and
available, but none of the services has any DNS SRV records or enabled
LDAP server roles. This makes hidden replicas invisible for service
Design document] provides more details on use cases and management of
* PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient
no longer depend on the binary extensions netifaces and python-ldap by
=== Bug fixes ===
There are more than 220 bug-fixes details of which can be seen in
the list of resolved tickets at https://www.freeipa.org/page/Releases/4.7.90.pre1
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
or #freeipa channel on Freenode.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland