[Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-13 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 24 will be available in the official COPR repository
<https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/>.

This announcement is also available on
http://www.freeipa.org/page/Releases/4.4.2

Fedora 25 update:
https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25

== Highlights in 4.4.2 ==
=== Known Issues ===
* ipa-ca-install fails on replica when master is CA-less #6226
* ipa cert-find command doesn't return revocation reason in output, Web
UI then cannot display proper state of a certificate #6269

=== Bug fixes ===
FreeIPA 4.4.2 is a stabilization release for the features delivered as a
part of 4.4.0. There are more than 40 bug fixes whose details can be
seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.

== Resolved tickets ==
* 4802 Investigate & document if TLS 1.2 is properly supported
* 5557 Strict dependency of optional package pam_krb5
* 5644 dnsrecord-del incompatible with admintools < ver 3.2 and server >= ver 3.2
* 5725 failed ipa-server-install --uninstall returns exit code 0
* 5754 ipa-client-install man page has incorrect data on hostname
* 5755 test_0006_service_show  in test_cert_plugin uses global variable
wrong
* 5809 ipa-server-install fails when using external certificates that
encapsulate RDN components in double quotes
* 5814 Change IP address validation errors to warnings [support for
cloud environments]
* 5818 webui: "Restore" option is not available for a preserved user in
detailed info
* 5822 Cannot create user with username exactly 255 characters long
* 5855 method get_primary_key_from_dn does not work for netgroups properly
* 6057 adding two way non transitive(external) trust displays internal
error on the console
* 6095 ipa command stuck forever on higher versioned client with lower
versioned server
* 6155 [tracker] Failed to configure CA instance
* 6190 Regressions found by test: ipa.test_ipalib.test_parameters
* 6203 dnsrecord-add does not prompt for missing record parts interactively
* 6212 Pretty-print mismatches in tests
* 6216 webui: cert_revoke should use --cacn to set correct CA when
revoking certificate
* 6221 Certificate revocation in service-del and host-del isn't aware of
Sub CAs
* 6230 installer: external CA step 1 successful but reports ScriptError
* 6238 Unable to view certificates issued by Sub CA in Web UI
* 6256 [tracker] Revoke certificate on lightweight CA deletion
* 6257 Implement ca-enable/disable commands.
* 6260 cert-request: use better error message when CA is disabled
* 6273 Command autocompletion without installed server prints an error
message
* 6279 CLI always sends default command version
* 6285 Tests: Regex errors in trust tests
* 6288 ipa-certupdate fails with "CA is not configured"
* 6294 TypeError in installer
* 6296 client-install with IPv6 address fails on link-local address (always)
* 6300 Remove the assertion of incorrect return code from
replica_promotion tests
* 6301 Fix replica_promotion tests
* 6304 cert-find --certificate does not work for certificates not in LDAP
* 6306 Add cleanup to integration trust tests
* 6309 cert-request does not raise error when CSR does not match profile
pattern
* 6312 Failing ldap backend test because service not found
* 6313 Failing test in test_ipalib/test_plugable
* 6322 Add krb5kdc restart to integration trust tests
* 6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* 6326 Update host test with ipa-join
* 6327 regression in `ipa cert-revoke --help`
* 6328 ipa trust-fetch-domains throws internal error
* 6329 WinSync users who have First.Last casing creates users who can
have their password set
* 6330 Invalid description for --hostname option in ipa-server-install
man page
* 6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in
outoftree suite
* 6338 [Tests] Remove SSSD restart from integration tests
* 6341 Certificate UI on details page shows add button even if user
doesn't have write right
* 6349 Tests: incomplete cleanup of CA plugin XMLRPC tests
* 6366 Extend CA ACL tests for test cases with CSR containing Subject
Alt Name
* 6368 otpd doesn't properly handle closing of ldap connection
* 6373 test_util.test_assert_deepequal fails
* 6382 Test: disable test for wrong client domain in domain level 0
* 6385 ipa-server-install --external-ca fails with AttributeError
* 6390 python-dns 1.15.0 breaks FreeIPA
* 6391 make FreeIPA codebase ready for pylint in Fedora rawhide
* 5791 CA fails to start after doing ipa-ca-install --external-ca

== Detailed changelog since 4.4.1 ==
=== Christian Heimes (1) ===
* Use RSA-OAEP instead of RS

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-14 Thread Martin Kosek
On 10/13/2016 09:17 PM, Petr Vobornik wrote:
> The FreeIPA team would like to announce FreeIPA 4.4.2 release!
> 
> It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
> for Fedora 24 will be available in the official COPR repository
> <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/>.
> 
> This announcement is also available on
> http://www.freeipa.org/page/Releases/4.4.2
> 
> Fedora 25 update:
> https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25

Please note that the FreeIPA Public demo was also upgraded to the version
4.4.2, if you want to try it out!

Demo location: https://ipa.demo1.freeipa.org/ipa/ui/

The selected new features that may be best exhibited in the FreeIPA Web UI:

* Improved Topology Management:
  - IPA Server -> Topology -> Graph
  - https://ipa.demo1.freeipa.org/ipa/ui/#/p/topology-graph

* Added Overview of IPA server roles:
  - IPA Server -> Topology -> Server Roles
  - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server_role/search
  - You can click on a role
  - You can also see roles of a server:
  - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server/details/ipa.demo1.freeipa.org

* Added DNS Location Mechanism:
  - IPA Server -> Topology -> IPA Locations
  - You can add a location
  - In the location details, you can add the servers to it (you can only test UI as changing a location of IPA server requires DNS server restart)

* Added support for Sub-CAs
  - Open Authentication -> Certificate Authorities
  - Add new CA Authority, with subject like "CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG"
  - Set ACL for authority in "CA ACLs" so that Admin can use this CA
  - Generate new certificate:
    - Open for example a test Service
    - Click Options -> New Certificate
    - Follow the steps (and use the new Sub-CA). I typed these options to get the CSR:
      - cd /tmp/
      - mkdir test
      - cd test/
      - certutil -N -d .
      - certutil -R -d . -a -g 2048 -s 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
    - Paste the CSR blob to FreeIPA, it should pass
    - It will show that Issuer is "CN = Certificate Authority,O = VPN,O = DEMO1.FREEIPA.ORG", i.e. our new Sub-CA

Enjoy!
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
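
The Sub-CA walkthrough in the message above, done from the command line and ending with a check that the certificate really was issued by the new Sub-CA. This is an added example, not part of the original thread or FreeIPA's own code; the CA name `vpn`, the CA ACL name `vpn-acl`, the existing service `HTTP/ipa.demo1.freeipa.org`, the `caIPAserviceCert` profile and the non-interactive `certutil` options are assumptions.

```shell
#!/bin/sh
# Assumed names (not from the thread): CA "vpn", CA ACL "vpn-acl", and an
# existing service HTTP/ipa.demo1.freeipa.org using profile caIPAserviceCert.
CA=vpn
ACL=vpn-acl
HOST=ipa.demo1.freeipa.org
PRINCIPAL="HTTP/$HOST"
SUBCA_DN='CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG'

# Normalise a DN for comparison by dropping blanks around "=" and ",".
# Simplification: assumes no escaped separators inside attribute values.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Succeeds only if issuer DN $1 equals the expected Sub-CA DN $2.
issuer_matches() {
    [ "$(normalize_dn "$1")" = "$(normalize_dn "$2")" ]
}

# Read ipa cert-request / cert-show output on stdin, print the Issuer value.
issuer_from_output() {
    sed -n 's/^[[:space:]]*Issuer:[[:space:]]*//p' | head -n 1
}

main() {
    set -e
    kinit admin
    ipa ca-add "$CA" --subject="$SUBCA_DN"
    # Scope issuance: only this service, this profile, this CA.
    ipa caacl-add "$ACL"
    ipa caacl-add-ca "$ACL" --cas="$CA"
    ipa caacl-add-profile "$ACL" --certprofiles=caIPAserviceCert
    ipa caacl-add-service "$ACL" --services="$PRINCIPAL"

    db=$(mktemp -d)    # private NSS database rather than a fixed /tmp/test
    head -c 64 /dev/urandom > "$db/noise"   # replaces certutil's keyboard-entropy prompt
    certutil -N -d "$db" --empty-password
    certutil -R -d "$db" -a -g 2048 -z "$db/noise" -o "$db/req.csr" \
        -s "CN=$HOST,O=VPN,O=DEMO1.FREEIPA.ORG" -8 "$HOST"

    out=$(ipa cert-request "$db/req.csr" --principal="$PRINCIPAL" --ca="$CA")
    issuer=$(printf '%s\n' "$out" | issuer_from_output)
    issuer_matches "$issuer" "$SUBCA_DN" || { echo "unexpected issuer: $issuer" >&2; exit 1; }
    echo "issued by Sub-CA: $issuer"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh subca-demo.sh run` on an enrolled client (the file name is arbitrary); without the `run` argument it only defines the functions.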


Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-14 Thread Coy Hile



Will there be builds in a COPR for RHEL/CentOS 7?


Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone

 Original message 
From: Martin Kosek 
Date: 10/14/16  3:58 AM  (GMT-05:00)
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Announcing FreeIPA 4.4.2


On 10/13/2016 09:17 PM, Petr Vobornik wrote:

The FreeIPA team would like to announce FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 24 will be available in the official COPR repository
<https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/>.

This announcement is also available on
http://www.freeipa.org/page/Releases/4.4.2

Fedora 25 update:
https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25



Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-17 Thread Martin Kosek
On 10/14/2016 03:29 PM, Coy Hile wrote:
> 
> 
> Will there be builds in a COPR for RHEL/CentOS 7?

I would recommend waiting on RHEL-7.3, which should be released soon enough.
RHEL-7.3 contains an IdM/FreeIPA version that is very close to upstream version
4.4.2.

Martin
