Here are the draft release notes for the second pre-release of 4.7.0. Let me know if I've missed anything. {{ReleaseDate|2018-05-14}} The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories. == Highlights in 4.6.90.pre2 == The major new features of this release are: * Switch from using mod_nss for the Apache TLS engine to using mod_ssl. Upgrading will move the certificates and keys from /etc/httpd/alias to /var/lib/ipa/certs/. * Switch time client and server from ntp to chrony. * Switch from using authconfig to authselect to configure the PAM stack. === Known Issues === === Bug fixes === FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a part of 4.7.0. There are more than 70 bug-fixes details of which can be seen ina the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets == * 7530 external CA replica installation fails with CA_UNREACHABLE * 7529 AVC denials and errors for IPA server installed on Fedora28 * 7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template * 7523 external CA installation: step two reports self-signed configuration * 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has occurred" * 7519 Adding SSH keys for AD users as I created overrides * 7518 Improve Custodia client and key distribution handling * 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf * 7514 Allow to create Kerberos services without a corresponding host object * 7513 Allow Kerberos services to be members of IPA groups * 7512 Missing dependency for freeipa-client: python3-augeas * 7510 validate_selinuxuser does not allow a period in selinux user identifier * 7508 Trust tests for Posix support are failing with Assertion Error None on Windows Server 2016 * 7507 ui_tests: extend test_user suite * 7505 WebUI tests: Extend netgroup tests * 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour * 7499 Integration tests dns_location in regards of check NTP records failing * 7498 [F28] CA replica fails with could not find certificate named "caSigningCert cert-pki-ca" * 7496 csrgen fails if subject base contains lower-case attribute names * 7490 installutils.set_directive doesn't handle debian ssl.conf properly * 7489 Test test_caless_TestCertInstall is failing in nightly * 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases * 7486 Allow hosts to delete their own services * 7485 Extending webui user group test * 7484 Load ipaclient.csrgen on demand to speed up CLI * 7478 [F28] ipa-backup fails with "Failed to execute authconfig command" * 7474 ipa-server-install --uninstall on replica fails with "NoOptionError: No option 'ldap_uri' in section: 'global'" * 7473 ERROR: No valid Negotiate header in server response * 7470 TestBasicADTrust.test_ipauser_authentication is failing with error "Confidentiality required" * 7469 ipa-replica-prepare fail with "stat: path should be string, bytes, os.PathLike or integer, not NoneType" * 7468 test_host.py::test_host::test_crud is failing in nightly tests * 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError * 7463 test_webui: add user life-cycles tests * 7461 Hardening of topology plugin to prevent erronous deletion of a replica agreement * 7459 [RFE] replica-install: warn when only one CA exists in topology * 7458 ui_tests: extend test_hostgroup.py suite * 7456 ipa otptoken-add should use LDAP Whoami call * 7454 Upgrade from F27 to F28 produces an error while updating ipa.conf.template * 7450 "This entry already exists" error when upgrading on IPA 4.5 * 7442 Replication agreement status incorrectly checked * 7441 ui_tests: extend test_service.py suite * 7436 ipa: Please log something after restarting the KDC * 7427 User Administrator doesn't have enough privileges to edit homeDirectory attribute * 7426 DogtagInstance.backup_config creates backup with wrong owner * 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA * 7424 Improve Realm Domains doc text * 7421 Store HTTPD private keys encrypted * 7415 CA installer need to check availability of port 8080 * 7410 ipa-replica-install --add-agents option doesn't install trust-agent on replica * 7377 Investigate and define plan of authconfig replacement in FreeIPA * 7376 clear sssd cache when uninstalling client * 7366 RFE: ipa client should setup openldap for GSSAPI * 7330 ipa-server-install --uninstall does not return error code on error * 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall * 7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug * 7041 [ipa-replica-install] - KDC has no support for encryption type - reoccurence in multireplica scenario * 7024 freeipa depends on ntp * 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group * 6843 ipa-backup does not create log file at /var/log/ * 5776 webui: some data disappear from user details page after the save action is performed * 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests * 4853 Utilize system-wide crypto-policies == Detailed changelog since 4.6.90.pre1 == === Alexander Bokovoy (13) === * group: allow services as members of groups * service: allow creating services without a host to manage them * group-del: add a warning to logs when password policy could not be removed * idoverrideuser-add: allow adding ssh key in web ui * ACL: Allow hosts to remove services they manage * install: validate AD trust-related options in installers * replication: support error messages from 389-ds 1.3.5 or later * upgrade: treat duplicate entry when updating as not an error * Allow anonymous access to parentID attribute * upgrade: Run configuration upgrade under empty ccache collection * use LDAP Whoami command when creating an OTP token * Update template directory with new variables when upgrading ipa.conf.template * Processing of server roles should ignore errors.EmptyResult === Alexey Slaykovsky (1) === * Make tox tests to generate results in JUnit XML === amitkuma (5) === * RFE: ipa client should setup openldap for GSSAPI * Correcting detect typo in server.m4 * Correction of management spelling. * clear sssd cache when uninstalling client * clear sssd cache when uninstalling client === Anuja More (2) === * Adding test-cases for ipa-cacert-manage * Adding test-cases for ipa-cacert-manage === Christian Heimes (32) === * Revert "Validate the Directory Manager password" * Create missing /etc/httpd/alias for ipasession.key * Only run subset of external CA tests * Require Dogtag 10.6.1 * Require nss with fix for nickname bug * ipa-client package needs sssd-tool * Make ipatests' create_external_ca a script * Load certificate files as binary data * Remove contrib/nssciphersuite * Compatibility with pytest 3.4 * Use shutil to copy file * Use single Custodia instance in installers * Add augeas dependency to client package * Create users in server-common pre hook * Require 389-ds-base >= 1.4.0.8-1 * CA replica PKCS12 workaround for SQL NSSDB * Add nsds5ReplicaReleaseTimeout to replica config * Fix Python dependencies * Remove os.chdir() from test_ipap11helper * certdb: Move chdir into subprocess call * Provide ldap_uri in Custodia uninstaller * Defer import of ipaclient.csrgen * Require more recent glibc on F27 * Load librpm on demand for IPAVersion * Fix installer CA port check for port 8080 * Temporarily disable authconfig backup and restore * Cleanup and remove more files on uninstall * Fix compatibility with latest pytest * More cleanup after uninstall * Require Dogtag PKI >= 10.6 * Keep owner when backing up CA.cfg * Pylint 1.8.3 fixes === Felipe Barreto (10) === * Fixing tests on TestReplicaManageDel * Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs * Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users * Adding GSSPROXY_CONF to be backed up on ipa-backup * Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09 * Fix TestSubCAkeyReplication providing the right path to pki log * temp commit: adding test to PR CI run * Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder * Changing Django's CoC to reflect FreeIPA CoC * Adding Django's Code of Conduct === Florence Blanc-Renaud (8) === * authselect migration: use stable interface to query current config * authselect test: skip test if authselect is not available * ipa-advise: adapt config-client-for-smart-card-auth to authselect * Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a * New tests for authselect migration * Migration from authconfig to authselect * ipa-advise config-server-for-smart-card-auth: use mod-ssl * ipa-replica-install: make sure that certmonger picks the right master === Fraser Tweedale (12) === * install: fix reported external CA configuration * csrgen: fix when attribute shortname is lower case * csrgen: drive-by docstring * csrgen: support initialising OpenSSL adaptor with key object * py3: fix csrgen error handling * certprofile: add tests for config profileId scenarios * certprofile: reject config with multiple profileIds * Fix upgrade (update_replica_config) in single master mode * Add commentary about PKI admin password * Fix upgrade when named.conf does not exist * replica-install: warn when there is only one CA in topology * install: configure dogtag status request timeout === Ganna Kaihorodova (5) === * Fix trust tests for Posix Support * Fix for integration tests dns_locations * Fix in IPA's multihost fixture * TestBasicADTrust.test_ipauser_authentication * Fix for test TestInstallMasterReservedIPasForwarder === Takeshi MIZUTA (1) === * Fix some typos in man page === Michal Reznik (18) === * ui_tests: introduce new test_misc cases file * ui_driver: extension and modifications related to test_user * ui_tests: extend test_user suite * test_web_ui: extend ui_driver methods * test_webui: add user life-cycles tests * ui_tests: run ipa-get/rmkeytab command on UI host * ui_tests: select_combobox() fixes * ui_tests: test cancel and delete without button * ui_tests: make associations cancelable * ui_tests: add function to run cmd on UI host * ui_tests: add funcs to add/remove users public SSH key * ui_tests: add assert_field_required() * ui_tests: add assert_notification() * ui_tests: add more test cases * ui_tests: add more test cases to test_certification * ui_tests: add_service() support func in test_service * ui_tests: add_host() support func in test_service * ui_tests: change get_http_pkey() function === Varun Mylaraiah (3) === * WebUI tests: Extend netgroup tests with more scenarios * Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags * WebUI tests: Extend user group tests with more scenarios === Pavel Picka (1) === * WebUI Hostgroups tests cases added === Petr Vobornik (4) === * webui: refresh complex pages after modification * Fix order of commands in test for removing topology segments * webui tests: fix test_host:test_crud failure * realm domains: improve doc text === Rob Crittenden (16) === * Fix certificate retrieval in ipa-replica-prepare for DL0 * Disable message about log in ipa-backup if IPA is not configured * Use a regex in installutils.get_directive instead of line splitting * Handle whitespace, add separator to regex in set_directive_lines * Validate the Directory Manager password before starting restore * Log service start/stop/restart message * Update project metadata in ipasetup.py.in * Allow dot as a valid character in an selinux identity name * Remove xfail from CALes test test_http_intermediate_ca * Some PKCS#12 errors are reported with full path names * ipa-server-certinstall failing, unknown option realm * Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c * Break out of teardown in test_replica_promotion.py if no config * Remove the Continuous installer class, it is unused * Return a value if exceptions are raised in server uninstall * VERSION.m4: Set back to git snapshot === Robbie Harwood (2) === * Move krb5 snippet into freeipa-client-common * Enable SPAKE support using krb5.conf.d snippet === Stanislav Laznicka (11) === * Allow user administrator to change user homedir * mod_ssl: add SSLVerifyDepth for external CA installs * Add absolute_import to test_authselect * Fix typo in ipa-getkeytab --help * Add absolute_import future imports * replica-install: pass --ip-address to client install * ipa_backup: Backup the password to HTTPD priv key * Fix upgrading of FreeIPA HTTPD * Remove py35 env from tox testing * Encrypt httpd key stored on disk * Dogtag configs: rename deprecated options === Thierry Bordaz (1) === * Hardening of topology plugin to prevent erronous deletion of a replica agreement === Tibor Dudlák (14) === * Use temporary pid file for chronyd -q task * Fix format string passed to pytest-multihost * Configure chrony with pool when server not set * Add enabling chrony daemon when not configured * Remove unnecessary option --force-chrony * Remove NTP server role while upgrading * Removes NTP server role from servroles and description * Update man pages for FreeIPA client, replica and server install * Adding method to ipa-server-upgrade to cleanup ntpd * Add --ntp-pool option to installers * FreeIPA server is time synchronization client only * Replace ntpd with chronyd in installation * Add dependency and paths for chrony * Removes ntp from dependencies and behave as there is always -N option