The FreeIPA team would like to announce the FreeIPA 4.6.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 26 and 27 will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ COPR repository].
== Highlights in 4.6.2 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.2 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list ( https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... ) or the #freeipa channel on Freenode.

== Resolved tickets ==
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests
* 7226 Remove remaining references to Firefox configuration extension
* 7213 Increase dbus client timeouts during CA install
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7153 Switch "ipa-run-tests" symlink to "ipa-run-tests-3.6"
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs
* 7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance
* 7142 py3: ipa ca-add fails with 'an internal error has occurred'
* 7134 ipa param-find: command displays internal error
* 7133 tox -e pylint3 fails under Python 3.6
* 7132 [4.6] PyPI packages are broken
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records
* 7033 vault: TypeError: ... is not JSON serializable
* 6994 RFE: Remove 389-ds tuning step
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6844 ipa-restore fails when umask is set to 0027
* 6702 Update Dogtag to 10.4
* 5887 IDNA domains does not work under py3
* 5442 [tracker] SELinux 'execmem' denials

== Detailed changelog since 4.6.1 ==
=== Alexander Bokovoy (10) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step

=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks

=== Alexander Koksharov (1) ===
* kra-install: better warning message

=== Aleksei Slaikovskii (6) ===
* ipa-restore: Set umask to 0022 while restoring
* View plugin/command help in pager
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install

=== Christian Heimes (23) ===
* Update IPA_GIT_BRANCH to ipa-4-6
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* libotp: add libraries after objects
* Require UTF-8 fs encoding
* Run tox tests for PyPI packages on Travis
* Py3: Fix vault tests
* Use namespace-aware meta importer for ipaplatform
* Test script for ipa-custodia
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi

=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly

=== Felipe Barreto (6) ===
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands

=== Florence Blanc-Renaud (10) ===
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs

=== Fraser Tweedale (22) ===
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Use correct version of Python in RPM scripts
* Re-enable some KRA installation tests
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing

=== John Morris (1) ===
* Increase dbus client timeouts during CA install

=== Michal Reznik (12) ===
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_forced_client: decode get_file_contents() result
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography

=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master

=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection

=== Pavel Vomacka (1) ===
* WebUI: make Domain Resolution Order writable

=== Rob Crittenden (7) ===
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit

=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help

=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals

=== Stanislav Laznicka (22) ===
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* travis: pep8 changes to pycodestyle
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions

=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-intall in ipa-uuid

=== Tibor Dudlák (3) ===
* Become IPA 4.6.2
* Update Contributors.txt
* Update zanata translations

=== Tomas Krizek (13) ===
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* 4.6 set back to git snapshot

=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to api_env var.