---------------------------------------------------------------------------=
-----
Fedora Update Notification
FEDORA-2011-14639
2011-10-20 09:34:15
---------------------------------------------------------------------------=
-----
Name : freeipa
Product : Fedora 15
Version : 2.1.3
Release : 2.fc15
URL :
http://www.freeipa.org/
Summary : The Identity, Policy and Audit system
Description :
IPA is an integrated solution to provide centrally managed Identity (machin=
e,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof).
---------------------------------------------------------------------------=
-----
Update Information:
2011-10-21: Added selinux-policy and updated SSSD with explicit Requires
2011-10-23: Changed Requires: to Conflicts: for selinux-policy in sssd
FreeIPA:
=3D=3D What happened to 2.1.2!? =3D=3D
Right after tagging 2.1.2 we found an upgrade issue that would have =
affected any users using the selfsign CA (installed with --selfsign). We =
decided to hold back the release, fix a few more bugs, and just push out =
2.1.3 instead about a week later. So here we are.
=3D=3D Highlights in 2.1.3 =3D=3D
* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to =
start, recovery if discovered IPA server is not responsive and when =
anonymous bind is disabled in 389-ds.
=3D=3D Highlights in 2.1.2 =3D=3D
* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed
=3D=3D Upgrading =3D=3D
=3D=3D=3D Server =3D=3D=3D
To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
# yum update freeipa-server --enablerepo=3Dupdates-testing
This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c =
packages (and perhaps some others). A script will be executed in the rpm =
postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds, =
https://bugzilla.redhat.com/show_bug.cgi?id=3D730387, related to =
read-write locks. The NSPR RW lock implementation does not safely allow =
re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During =
testing one user experienced this and the upgrade hung. To break the =
hang kill the ns-slapd process for your realm, wait for the yum =
transaction to complete, then restart 389-ds and manually run the update =
process:
# service dirsrv start
# ipa-ldap-updater --update
=3D=3D=3D Client =3D=3D=3D
The ipa-client-install tool in the ipa-client package is just a =
configuration tool. There should be no need to re-run this on every =
client already enrolled.
SSSD:
=3D=3D Highlights =3D=3D
* Improved handling of users and groups with multi-valued name
attributes (aliases)
* Performance enhancements
* Initgroups on RFC2307bis/FreeIPA
* HBAC rule processing
* Improved process-hang detection and restarting
* Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
* Cleaned up the example configuration
389-ds-base:
* fix config del/add mods
* memberof is transaction aware resource
* limits for simple paged results
* Native systemd support
* Fix for managed entry
* Fixed source tarball
* fix transaction support in ldbm_delete
---------------------------------------------------------------------------=
-----
ChangeLog:
* Wed Oct 19 2011 Rob Crittenden <rcritten(a)redhat.com> - 2.1.3-2
- Set minimum nvr of sssd to 1.5.14
* Tue Oct 18 2011 Rob Crittenden <rcritten(a)redhat.com> - 2.1.3-1
- Update to upstream 2.1.3
* Wed Sep 7 2011 Rob Crittenden <rcritten(a)redhat.com> - 2.1.1-1
- Update to upstream 2.1.1
* Mon Aug 29 2011 Rob Crittenden <rcritten(a)redhat.com> - 2.1.0-2
- Update minimum pki-ca and pki-selinux to 9.0.11 to fix BZ 700505
* Tue Aug 16 2011 Rob Crittenden <rcritten(a)redhat.com> - 2.1.0-1
- Update to upstream 2.1.0
---------------------------------------------------------------------------=
-----
References:
[ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIP=
A deployments with large numbers of hosts.
https://bugzilla.redhat.com/show_bug.cgi?id=3D743035
[ 2 ] Bug #741744 - MOD operations with chained delete/add get back error=
53 on backend config
https://bugzilla.redhat.com/show_bug.cgi?id=3D741744
[ 3 ] Bug #743966 - Compiler warnings in account usability plugin
https://bugzilla.redhat.com/show_bug.cgi?id=3D743966
[ 4 ] Bug #740942 - allow resource limits to be set for paged searches in=
dependently of limits for other searches/operations
https://bugzilla.redhat.com/show_bug.cgi?id=3D740942
[ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically a=
nd per-user
https://bugzilla.redhat.com/show_bug.cgi?id=3D742324
[ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for inc=
remental and total protocols
https://bugzilla.redhat.com/show_bug.cgi?id=3D739172
[ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
https://bugzilla.redhat.com/show_bug.cgi?id=3D736712
[ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit=
"data no longer matches" errors
https://bugzilla.redhat.com/show_bug.cgi?id=3D590826
[ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
https://bugzilla.redhat.com/show_bug.cgi?id=3D730387
[ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Co=
ntrol '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
https://bugzilla.redhat.com/show_bug.cgi?id=3D611438
[ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
https://bugzilla.redhat.com/show_bug.cgi?id=3D735114
---------------------------------------------------------------------------=
-----
This update can be installed with the "yum" update program. Use =
su -c 'yum update freeipa' at the command line.
For more information, refer to "Managing Software with yum",
available at
http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on t=
he
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------=
-----