Hello,

The FreeIPA team would like to announce the FreeIPA 4.9.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Due to the large size of the updates, please see all the details at https://www.freeipa.org/page/Releases/4.9.0. Many of the updates were already seen in FreeIPA 4.8 releases as they were backported there. Nevertheless, the full list of changes can be found at the page linked above.

== Highlights in 4.9.0

* 298: [RFE] Add support for cracklib to password policies
  The FreeIPA password quality checking plugin has been extended to use the libpwquality library. Password policies can now check for reuse of the user name, dictionary words (using the cracklib package), number and symbol substitutions, and repeating characters in passwords.
* 2445: [RFE] IdM password policy should include checks for repeating characters
  Addressed by the same libpwquality extension as ticket 298: the repeating-character check is one of the new password policy options.
* 3299: [RFE] Switch the client to JSON RPC
  Clients now communicate with the FreeIPA server via JSON-RPC instead of XML-RPC by default. The new interface, for example, allows sending additional information (notices, warnings) when a management operation ends with an error.
* 3687: [RFE] IPA user account expiry warning
  EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose passwords will expire in the near future, and either display the list in a machine-readable (JSON) format or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps to understand how many emails would be sent for a given day or a given date range.
  The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica, from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.
* 3827: [RFE] Expose TTL in web UI
  DNS record time to live (TTL) parameters can be edited in the Web UI.
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
  A Samba file server can now be configured on a FreeIPA-enrolled system to provide file services to users in the IPA domain and to users from trusted Active Directory forests.
* 4751: Implement ACME certificate enrolment
  Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the Dogtag CA.
* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
* 5608: [RFE] Add Dogtag configuration extensions
* 5662: ID Views: do not allow custom Views for the masters
  Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI to prevent applying custom ID views to masters, to avoid confusion and unintended side-effects.
* 5948: [RFE] Implement pam_pwquality featureset in IPA password policies
* 6783: [RFE] Host-group names command rename
  Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected host groups ('ipaservers') cannot be renamed.
* 7137: [RFE]: Able to browse different links from IPA web gui in new tabs
* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
  The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos policy checks during password changes made by the Directory Manager or a password synchronization manager. This issue affected, among others, the integrated CA administrator account during deployment of more than one replica in some cases.
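The password policy checks listed under tickets 298, 2445 and 5948 (user name reuse, dictionary words with substitutions undone, repeating characters) plus the 1000-character cap from ticket 8268 can be illustrated with a small checker. This is an added example, not FreeIPA's plugin or libpwquality; the function name, the tiny word list standing in for the cracklib dictionary and the substitution table are constructed assumptions.

```python
import re

MAX_PASSWORD_LEN = 1000  # limit applied everywhere in FreeIPA (ticket 8268)

# Constructed mini word list standing in for the cracklib dictionary.
DICTIONARY = ("password", "freeipa", "kerberos", "welcome")

# Common digit/symbol substitutions, undone before the dictionary lookup
# so that "P@$$w0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def check_password(password, username, max_repeat=3):
    """Return a list of policy violations; an empty list means the password passes."""
    errors = []
    if len(password) > MAX_PASSWORD_LEN:
        errors.append("longer than %d characters" % MAX_PASSWORD_LEN)
    lowered = password.lower()
    # Reuse of the user name anywhere in the password (case-insensitive).
    if username and username.lower() in lowered:
        errors.append("contains the user name")
    # Dictionary word check on the de-substituted form.
    normalized = lowered.translate(LEET)
    for word in DICTIONARY:
        if word in normalized:
            errors.append("based on dictionary word '%s'" % word)
            break
    # More than max_repeat identical consecutive characters.
    if re.search(r"(.)\1{%d,}" % max_repeat, password):
        errors.append("more than %d identical consecutive characters" % max_repeat)
    return errors
```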
* 7522: Disable cert publishing in dogtag
  The Dogtag certificate publishing facility is no longer configured, as it is not used in FreeIPA.
* 7577: [RFE] DNS package check should be called earlier in installation routine
  The ``--setup-dns`` knob and the interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting the actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid 'principal'
  When deleting services, report the exact name of a system-required principal that couldn't be deleted.
* 7966: Add support for JSON-RPC in ipa-join
  The ipa-join tool now defaults to the JSON-RPC protocol when communicating with IPA masters. The choice of JSON-RPC or XML-RPC is now a compile-time setting.
* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails
* 8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
  On Debian-based platforms, update-ca-certificates does not support multiple certificates in a single file. IPA installers now write an individual file per certificate on Debian-based platforms.
* 8114: [RFE] Delegate group membership management
  It is now possible to associate group managers with groups. Group managers have the right to add and remove members of an individual group rather than being administrators for every group.
* 8129: Tests: Replace paramiko with OpenSSH
  Paramiko is not compatible with FIPS mode; therefore most tests were converted to use ssh directly. The only non-converted test is the 2-prompt OTP test, because sshpass does not support 2-prompt password authentication (https://pagure.io/freeipa/issue/8431).
* 8151: test_commands timing-out
  Re-enable test_sss_ssh_authorizedkeys; add -v to ssh in order to get debug information if this test fails or stalls again. The test was run 16 times without a failure before re-enabling it.
* 8189: Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
  Previously, the ipa-client installation saved the pre-install state using the "authselect current" command, and uninstallation reverted to the same authselect state. In cases where the system had been configured using authconfig instead of authselect, uninstallation was unable to revert to the same state and picked sssd's authselect profile instead. Now the client installation relies on the backup functionality of authselect and is able to revert to the exact pre-install state.
* 8217: RFE: ipa-backup should compare locally and globally installed server roles
  ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case, as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check that the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
  The version of the dojo.js framework used by the FreeIPA Web UI was upgraded to 1.16.2.
* 8233: 4.8.5 master Installation error
  On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart wasn't actually needed and thus was removed.
* 8236: Enforce a check to prevent adding objects from IPA as external members of external groups
  The 'ipa group-add-member' command allowed any user or group to be given for the '--external' option. A stricter check has been added to verify that a group or user to be added as an external member does not come from the IPA domain.
* 8239: Actualize Bootstrap version
  The Bootstrap JavaScript framework used by the FreeIPA Web UI was updated to version 3.4.1.
* 8241: Build fails on Fedora 30
  SELinux rules for ipa-custodia were merged into the FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30.
  The logic was changed to allow better portability across SELinux versions.
* 8268: Prevent use of too long passwords
  Kerberos tools limit a password entered in kpasswd or kadmin to 1024 characters, but do not make it possible to distinguish between passwords cut off at 1024 characters and passwords that are exactly 1024 characters long. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8275: Support systemd-resolved
  FreeIPA DNS servers now detect systemd-resolved and configure it to pass queries through to the IPA DNS server.
* 8276: Add default password policy for sysaccounts
  cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with the krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is modified directly via LDAP.
* 8284: Upgrade jQuery version to actual one
  The version of the jQuery framework used by the FreeIPA Web UI was updated to 3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
  Service delegation rules and targets now allow hosts to be specified as a rule's or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
  Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.
* 8301: The value of the first character in target* keywords is expected to be a double quote
  389-ds 1.4 enforces the syntax for target* keywords (targetattr, targetfilter, etc.) to have quoted values. Otherwise, an aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs need to be updated manually.
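Because 389-ds 1.4 silently ignores an aci with an unquoted target* value (ticket 8301), an administrator carrying third-party ACIs wants a quick way to find the ones that need updating. The following added example (not FreeIPA code) scans ACI strings for target* keywords whose value does not start with a double quote; the sample ACIs are constructed and the function names are assumptions.

```python
import re

# Constructed sample ACIs (not taken from the FreeIPA tree). The second one
# has an unquoted targetattr value, which 389-ds 1.4 silently ignores.
SAMPLE_ACIS = [
    '(targetattr = "userPassword")(version 3.0; acl "self pw"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr = userPassword)(version 3.0; acl "self pw bad"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetfilter = "(objectClass=ipaHost)")(targetattr = "*")'
    '(version 3.0; acl "read hosts"; allow (read) userdn = "ldap:///anyone";)',
]

# Matches "(<target keyword> [!]= <first non-space character of the value>".
# Covers targetattr, targetfilter, targetscope, target, targetcontrol and
# the older targattrfilters spelling; "(version", "(read)" etc. do not match.
TARGET_RULE = re.compile(r'\(\s*(targ(?:et)?\w*)\s*!?=\s*(\S)')


def unquoted_target_keywords(aci):
    """Return the target* keywords in aci whose value does not start with '"'."""
    return [kw for kw, first in TARGET_RULE.findall(aci) if first != '"']


def find_ignored_acis(acis):
    """Return (index, offending keywords) for every ACI 389-ds 1.4 would ignore."""
    result = []
    for index, aci in enumerate(acis):
        bad = unquoted_target_keywords(aci)
        if bad:
            result.append((index, bad))
    return result


if __name__ == "__main__":
    for index, keywords in find_ignored_acis(SAMPLE_ACIS):
        print("ACI %d would be ignored: unquoted %s" % (index, ", ".join(keywords)))
```

In a real deployment the input would be the aci attribute values read from the directory; the check is the same.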
* 8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
  The ipa-client installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" takes precedence.
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
  389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature, because changing the password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
  In the Web UI, a confirmation dialog was added to the automember configuration to prevent unintended modification of the default host group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
  CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not allow arbitrary code to reach the affected jQuery path, but the jQuery fix was applied anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
  When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through the Web UI management console.
* 8348: Allow managed permissions with ldap:///self bind rule
  Managed permissions can now address self-service operations. This makes it possible for 3rd-party plugins to supply a full set of managed permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active Directory forest
  A 3rd-party plugin providing management of IPA resources by users from trusted Active Directory domains was merged into FreeIPA core.
  ID user overrides can now be added to IPA management groups and roles, thus allowing AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
  LDAP authentication now handles Kerberos principal and password expiration times in the UTC time zone. Previously, the local server time zone was applied even though UTC was implied in the settings.
* 8374: EPN does not ship its default configuration (/etc/ipa/epn.conf) in freeipa-client-epn
  EPN did not ship any configuration file. This was an oversight, but the tool itself worked fine as it had sane defaults; moreover, the man page for the configuration file was present.
* 8391: Remove dnf workaround from test_epn.y
  The new PR-CI images are cleaner and do not need the *epn* packages to be uninstalled/reinstalled.
* 8401: Create platform definitions for freeipa-container
  ipaplatform now provides container platform flavors for freeipa/freeipa-container.
* 8404: Detect and fail if not enough memory is available for installation
  The FreeIPA server now requires at least 1.2 GiB of RAM for installation to prevent performance degradation.
* 8432: test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
  Sometimes test_login_wrong_password fails because the log window in which the string message is searched is too narrow. The window was broadened by looking at the past 10 seconds.
* 8444: EPN: enhance input validation
  Various input validation checks were added to EPN.
* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down
  EPN now displays a proper message if the configured SMTP server cannot be contacted.
* 8449: EPN: enhance CLI option tests
  EPN: enhance the existing tests for --dry-run, --from-nbdays and --to-nbdays.
* 8488: SELinux blocks custodia key replication / retrieval for sub-CAs
  SELinux: make sure ipa_custodia_t has the necessary rights; add dedicated policy rules for ipa-pki-retrieve-key.
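Two items above fit one worked example: the EPN workflow from ticket 3687 (select users whose password expires within a day window, emit JSON or compare the count against an SMTP quota, see also the --from-nbdays/--to-nbdays options in 8449) and the UTC handling from ticket 8362. This is an added example, not the EPN tool itself; the user entries are constructed, the window semantics (start inclusive, end exclusive) and the function names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample entries (not real directory data). krbPasswordExpiration
# is LDAP GeneralizedTime, which FreeIPA stores in UTC (trailing "Z").
SAMPLE_USERS = [
    {"uid": "alice", "mail": "alice@example.test", "krbPasswordExpiration": "20210112080000Z"},
    {"uid": "bob",   "mail": "bob@example.test",   "krbPasswordExpiration": "20210125080000Z"},
    {"uid": "carol", "mail": "carol@example.test", "krbPasswordExpiration": "20210105080000Z"},
    {"uid": "dave",  "mail": "dave@example.test",  "krbPasswordExpiration": "20210116235900Z"},
]
# Constructed "current time" for the run, timezone-aware on purpose.
SAMPLE_NOW = datetime(2021, 1, 10, 6, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse YYYYMMDDHHMMSSZ as an aware UTC datetime (ticket 8362: never local time)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiring_users(users, now, from_nbdays=0, to_nbdays=7):
    """Users whose password expires in [now + from_nbdays, now + to_nbdays) days."""
    if now.tzinfo is None:
        # A naive "now" would silently be interpreted in the server's local zone,
        # which is exactly the bug class fixed in 8362; refuse it instead.
        raise ValueError("now must be timezone-aware")
    start = now + timedelta(days=from_nbdays)
    end = now + timedelta(days=to_nbdays)
    hits = []
    for user in users:
        expiration = parse_generalized_time(user["krbPasswordExpiration"])
        if start <= expiration < end:
            hits.append({"uid": user["uid"], "mail": user["mail"],
                         "expiration": expiration.isoformat()})
    return sorted(hits, key=lambda hit: hit["expiration"])


def report_json(hits):
    """Machine-readable output, the dry-run/introspection side of EPN."""
    return json.dumps(hits, indent=2)


def over_quota(hits, smtp_quota):
    """True when one mail per affected user would exceed the SMTP quota."""
    return len(hits) > smtp_quota
```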
* 8490: It is not possible to edit KDC database when the FreeIPA server is running
  The kadmin.local command 'getprincs' is now supported.
* 8493: Synchronize index LDIF and index update files
  Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domain operations. A performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.
* 8503: pkispawn logs files are empty
  On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging of failed IPA installs impossible. pkispawn is now invoked with --debug to revert to the previous behavior.
* 8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
  Support reproducible builds for the jQuery library.
* 8510: create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
  Sometimes, requesting a TGT after a password reset fails because SSSD seems to select different hosts for these two sequential tasks, leaving no time for replication to replicate the password hashes. Debug information was added to the test suites that exhibit the problem, always displaying the kdcinfo file maintained by SSSD that contains the KRB5KDC IP it should be pinned to.
* 8530: Running ipa-server-install fails on machine where libsss_sudo is not installed
  The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself.
* 8536: RFE: ipatests: run healthcheck on hidden replica
  ipatests: freeipa-healthcheck is now executed on each member of a cluster that contains a hidden replica.

=== Known Issues

* 8240: KRA install fails if all KRA members are Hidden Replicas
  If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.
=== Bug fixes

FreeIPA 4.9.0 is the first stable release for the features delivered as part of the 4.9 version series. There are more than 370 bug fixes since the FreeIPA 4.8.10 release. Details of the bug fixes can be seen in the list of resolved tickets. Due to the large size of the updates, please see all the details at https://www.freeipa.org/page/Releases/4.9.0

== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/[email protected]/) or the #freeipa channel on Freenode.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
Freeipa-interest mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-interest
