Petr Vobornik
2014-10-23 10:19:18 UTC
The FreeIPA team is proud to announce FreeIPA v4.1.0!
It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/].
== Highlights in 4.1 ==
=== Enhancements ===
* New concept of 'ID Views' allowing FreeIPA administrator to define or
override POSIX attributes for users/groups coming from trusted domains.
Such users then do not need to have POSIX attributes defined in the
Active Directory to authenticate to FreeIPA clients. It also allows to
assign particular view to selected hosts or hostgroups, thus allowing
having a user / group with different POSIX attributes on different
hosts. Per-host overrides should be used with extreme care!
[http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust]
* New tool ipa-cacert-manage to manually renew or change FreeIPA PKI CA
certificate [http://www.freeipa.org/page/V4/CA_certificate_renewal]
* DNSSEC Support
* OTP authentication plugin now prevents multiple usage of token codes
on a single FreeIPA server
* DNS interface now supports adding DNS root zone (".") allowing admin
to for example centrally override DNS root hints.
* DNS zone adding interface was simplified - name server and it's IP
address is no longer required. The list of authoritative name servers
are read from LDAP
* Seamless signing of FreeIPA CA us a subCA in Windows Certificate
Services [https://fedorahosted.org/freeipa/ticket/4496]
* New option --request-cert to optionally request host certificates on
FreeIPA clients (to /etc/ipa/nssdb/)
* CLI and Web UI for 'retrive keytab' and 'create keytab' authorization
[http://www.freeipa.org/page/V4/Keytab_Retrieval_Management]
* Services can now be assigned as members of RBAC roles
* `ipa` command run with `-vv` option now prints JSON request and reply
exchanged with the FreeIPA server. `-vvv` also prints HTTP communication.
* Description attribute is no longer required (e.g. in groups, sudo
command groups or others) given that it is also not required in schema.
* Packages can be now built and installed on RHEL/CentOS 7.0
* ipa-replica-prepare now waits for the replica DNS record to be
available to fix race conditions in automated test environments
* Port 8443 is now checked before server installation to prevent
failures in configuring PKI which uses the port
=== Bug fixes ===
* Server installers can now handle hosts with multiple IPv4 or IPv6
addresses
* DNS zone interface no longer accepts `--class` option as it had no
effect as FreeIPA DNS only supports 'IN' class.
* ipa-ldap-upgrade restores Directory Server settings when upgrade fails
* SSLv3.0 (CVE-2014-3566) ciphers are now disabled on new installations
=== DNSSEC Support ===
FreeIPA now automates basic key management for Domain Name System
Security Extensions (DNSSEC)
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Overview].
Before you start signing you DNS zones you have to install DNSSEC key
master role to an existing FreeIPA DNS server using command:
ipa-dns-install --dnssec-master
It allows you to enable DNSSEC for particular DNS zone using command:
ipa dnszone-mod zone.name.example. --dnssec=true
This command will generate new zone keys, distribute keys to all FreeIPA
DNS servers and configure all servers to independently sign the zone.
Please keep in mind that it can take few minutes before all servers sign
the zone.
==== Known Limitations ====
* User has to manually upload Delegation Signer (DS) record
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Records]
to parent DNS zone to establish chain of trust.
* User has to manually confirm that DS record in parent zone was
published otherwise Key Signing Key (KSK)
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Key_management]
will not be rotated. This confirmation has to be done on FreeIPA server
with key master role using following command:
sudo -u ods ods-ksmutil key ds-seen --zone zone.name.example.
--keytag 12345
* Keytag can be obtained from dig output:
dig +dnssec zone.name.example. DS
* User is not notified about automated key rotation. This does not lower
stability of the system because of `ds-seen` logic mentioned above.
* Key and signing policy cannot be changed using FreeIPA tools.
Currently it is stored in `/etc/opendnssec/kasp.xml` file on DNSSEC key
master server. Manual changes to `kasp.xml` will be lost during next
FreeIPA upgrade.
* Only one FreeIPA server can have DNSSEC key master role:
** *Please plan carefully, current version does not allow you to easily
move DNSSEC master role to a different server.*
** DNSSEC key management will not work when the key master is not
running, i.e. DNSSEC keys will not be rotated according to the policy
and keys for new zones will not be generated.
== Known Issues ==
* Directory Server may deadlock in some situations (tracked in upstream
ticket [https://fedorahosted.org/freeipa/ticket/4635]).
* SSLv3.0 (CVE-2014-3566) ciphers are not disabled on upgrades. See
CVE-2014-3566 and referred external articles on advise how to deal with
this vulnerability.
== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The
server does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment
(e.g. FedUp) which does not allow running the LDAP server during upgrade
process, upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig
Also note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with a excessive
number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully
but new features will not be available on old servers and enrolling a
new client against an old server will result in the SSH keys not being
uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 3.3.0 and later versions is supported. Upgrading from
previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you
want to re-enroll it. SSH keys for already installed clients are not
uploaded, you will have to re-enroll the client or manually upload the keys.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.
== Detailed Changelog since 4.0.0 ==
Alexander Bokovoy (15):
ipaserver/dcerpc.py: if search of a closest GC failed, try to
find any GC
ipaserver/dcerpc.py: make PDC discovery more robust
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts
on Windows Server prior to 2012
ipaserver/dcerpc.py: be more open to what domains can be seen
through the forest trust
ipaserver/dcerpc.py: Make sure trust is established only to
forest root domain
Support overridding user shell in ID views
Allow user overrides to specify SSH public keys
Allow user overrides to specify GID of the user
Allow override of gecos field in ID views
Update API version for ID views support
Require slapi-nis 0.54 or later for ID views support
Support idviews in compat tree
Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature
updater: enable uid uniqueness plugin for posixAccounts
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
Ana Krivokapić (1):
Remove internaldb password from password.conf
David Kupka (20):
Fix ipa-client-install --uninstall crash
Always record that pkicreate has been executed.
Improve password validity check.
Fix group-remove-member crash when group is removed from a
protected group
test group: remove group from protected group.
Verify otptoken timespan is valid
Add record(s) to /etc/host when IPA is configured as DNS server.
Use certmonger D-Bus API instead of messing with its files.
Do not restart apache server when not necessary.
Allow user to force Kerberos realm during installation.
Fix typo causing ipa-upgradeconfig to fail.
Add 'host' setting into default.conf configuration file on
client. Fix description in man page.
Detect and configure all usable IP addresses.
Do not require description in UI.
Fix example usage in ipa man page.
Check that port 8443 is available when installing PKI.
Set IPA CA for freeipa certificates.
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Fix printing of reverse zones in ipa-dns-install.
Fix typo causing certmonger is provided with wrong path to
ipa-submit.
Gabe Alford (5):
Fix typos in dns.py
Enable debug pid in smb.conf
ipa trust-add command should be interactive
Fix hardcoded lib dir in freeipa.spec
Missing requires on python-dns in spec file
Jakub Hrozek (1):
CLIENT: Explicitly require python-backports-ssl_match_hostname
Jan Cholasta (100):
Check if /root/ipa.csr exists when installing server with
external CA.
Exclude attributelevelrights from --raw result processing in
baseldap.
Add function for checking if certificate is self-signed to
ipalib.x509.
Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Allow IPA master hosts to update CA certificate in LDAP.
Automatically update CA certificate in LDAP on renewal.
Track CA certificate using dogtag-ipa-ca-renew-agent.
Add method for setting CA renewal master in LDAP to CAInstance.
Provide additional functions to ipapython.certmonger.
Move external cert validation from ipa-server-install to
installutils.
Add method for verifying CA certificates to NSSDatabase.
Add permissions for CA certificate renewal.
Add CA certificate management tool ipa-cacert-manage.
Alert user when externally signed CA is about to expire.
Load sysupgrade.state on demand.
Pick new CA renewal master when deleting a replica.
Remove master ACIs when deleting a replica.
Do not use ldapi in certificate renewal scripts.
Check that renewed certificates coming from LDAP are actually
renewed.
Allow IPA master hosts to read and update IPA master information.
Do not treat the IPA RA cert as CA cert in DS NSS database.
Remove certificate "External CA cert" from /etc/pki/nssdb on
client uninstall.
Allow specifying trust flags in NSSDatabase and CertDB method
trust_root_cert.
Fix trust flags in HTTP and DS NSS databases.
Add LDAP schema for wrapped cryptographic keys.
Add LDAP schema for certificate store.
Add container for certificate store.
Configure attribute uniqueness for certificate store.
Add permissions for certificate store.
Add functions for extracting certificates fields in DER to
ipalib.x509.
Add function for extracting extended key usage from certs to
ipalib.x509.
Add certificate store module ipalib.certstore.
Upload CA chain from DS NSS database to certificate store on
server install.
Upload CA chain from DS NSS database to certificate store on
server update.
Rename CertDB method add_cert to import_cert.
Add new add_cert method for adding certificates to NSSDatabase
and CertDB.
Import CA certs from certificate store to DS NSS database on
replica install.
Import CA certs from certificate store to HTTP NSS database on
server install.
Upload renewed CA cert to certificate store on renewal.
Refactor CA certificate fetching code in ipa-client-install.
Support multiple CA certificates in /etc/ipa/ca.crt in
ipa-client-install.
Add function for writing list of certificates to a PEM file to
ipalib.x509.
Get CA certs for /etc/ipa/ca.crt from certificate store in
ipa-client-install.
Allow overriding NSS database path in RPCClient.
Get CA certs for /etc/pki/nssdb from certificate store in
ipa-client-install.
Add functions for DER encoding certificate extensions to ipalib.x509.
Get CA certs for system-wide store from cert store in
ipa-client-install.
Get up-to-date CA certificates from certificate store in
ipa-replica-install.
Add client certificate update tool ipa-certupdate.
Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.
Allow multiple CA certificates in replica info files.
Add new NSSDatabase method get_cert for getting certs from NSS
databases.
Allow changing chaining of the IPA CA certificate in
ipa-cacert-manage.
Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.
Allow adding CA certificates to certificate store in
ipa-cacert-manage.
Allow upgrading CA-less to CA-full using ipa-ca-install.
Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
Enable NSS PKIX certificate path discovery and validation for Dogtag.
Add test for baseldap.entry_to_dict.
Fix parsing of long nicknames in certutil -L output.
Convert external CA chain to PKCS#7 before passing it to pkispawn.
Allow changing CA renewal master in ipa-csreplica-manage.
Normalize external CA cert before passing it to pkispawn
Make CA-less ipa-server-install option --root-ca-file optional.
Backup CS.cfg before modifying it
Use autobind when updating CA people entries during certificate
renewal
Fix certmonger code causing the ca_renewal_master update plugin
to fail
Allow RPM upgrade from ipa-* packages
Include ipaplatform in client-only build
Include the ipa command in client-only build
Allow specifying signing algorithm of the IPA CA cert in
ipa-server-install.
Add NSSDatabase.import_files method for importing files in
various formats
External CA installer options usability fixes
CA-less installer options usability fixes
Allow choosing CA-less server certificates by name
Do stricter validation of CA certificates
Introduce NSS database /etc/ipa/nssdb
Move NSSDatabase from ipaserver.certs to ipapython.certdb
Add NSSDatabase.has_nickname for checking nickname presence in a
NSS DB
Use NSSDatabase instead of direct certutil calls in client code
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in
/etc/pki/nssdb
Check if IPA client is configured in ipa-certupdate
Get server hostname from jsonrpc_uri in ipa-certupdate
Remove ipa-ca.crt from systemwide CA store on client uninstall
and cert update
Fix certmonger.wait_for_request
Fix certmonger search for the CA cert in ipa-certupdate and
ipa-cacert-manage
Add missing imports to ipapython.certdb
Remove misleading authorization error message in cert-request
with --add
Split off generic Red Hat-like platform code from Fedora platform
code
Add RHEL platform module
Support building RPMs for RHEL/CentOS 7.0
Support MS CS as the external CA in ipa-server-install and
ipa-ca-install
Allow specifying signing algorithm of the IPA CA cert in
ipa-ca-install
Fix CA cert validity check for CA-less and external CA installer
options
Fix certmonger.request_cert
Add ipa-client-install switch --request-cert to request cert for
the host
Do not create ipa-pki-proxy.conf if CA is not configured in
ipa-upgradeconfig
Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
Check LDAP instead of local configuration to see if IPA CA is enabled
DNSSEC: remove container_dnssec_keys
Ludwig Krispenz (2):
Update SSL ciphers configured in 389-ds-base
Ignore irrelevant subtrees in schema compat plugin
Lukáš Slebodník (2):
Fix warning: Using uninitialized value ld.
Add missing break
Martin Bašti (48):
Fix DNS upgrade plugin should check if DNS container exists
FIX: named_enable_dnssec should verify if DNS is installed
Allow to add host if AAAA record exists
Tests: host tests with dns
Fix dnsrecord-mod raise error if last record attr is removed
DNSSEC: fix DS record validation
Tests: DNS dsrecord validation
DNS fix NS record coexistence validator
Test: DNS NS validation
Fix DNS record rename test
FIX DNS wildcard records (RFC4592)
Tests: DNS wildcard records
dnszone-remove-permission should raise error
DNS: remove --class option
WebUI: DNS: remove --class option
FIX: ldap schmema updater needs correct ordering of the updates
Fix DNS plugin to allow to add root zone
DNS test: allow '.' as zone name
Deprecation of --name-server and --ip-address option in DNS
Add correct NS records during installation
DNS: autofill admin email
WebUI: DNS: Remove ip-address, admin-email options
DNS tests: tests update to due to change in options
Remove --ip-address, --name-server otpions from DNS help
Refactoring of autobind, object_exists
LDAP disable service
DNS missing tests
Fix ipactl service ordering
Add missing attributes to named.conf
Make named.conf template platform independent
Remove ipaContainer, ipaOrderedContainer objectclass
Add mask, unmask methods for service
DNSSEC: dependencies
DNSSEC: schema
DNSSEC: add ipapk11helper module
DNSSEC: DNS key synchronization daemon
DNSSEC: opendnssec services
DNSSEC: platform paths and services
DNSSEC: validate forwarders
DNSSEC: modify named service to support dnssec
DNSSEC: installation
DNSSEC: uninstallation
DNSSEC: upgrading
DNSSEC: ACI
DNSSEC: add files to backup
DNSSEC: change link to ipa page
fix DNSSEC restore named state
fix forwarder validation errors
Martin Košek (8):
Do not require dogtag-pki-server-theme
Allow hashed passwords in DS
Do not crash client basedn discovery when SSF not met
ipa-adtrust-install does not re-add member in adtrust agents group
Sudorule RunAsUser should work with external groups
Raise better error message for permission added to generated tree
Remove changetype attribute from update plugin
Update contributors
Nathaniel McCallum (13):
Fix login password expiration detection with OTP
Update freeipa-server krb5-server dependency to 1.11.5-5
Fix ipa-getkeytab for pre-4.0 servers
Add TOTP watermark support
Ensure ipaUserAuthTypeClass when needed on user creation
Update qrcode support for newer python-qrcode
Use stack allocation when writing values during otp auth
Move OTP synchronization step to after counter writeback
Remove token ID from self-service UI
Remove token vendor, model and serial defaults
Display token type when viewing token
Create ipa-otp-counter 389DS plugin
Configure IPA OTP Last Token plugin on upgrade
Petr Viktorin (34):
baseldap: Return empty string when no effective rights are found
ldap2 indirect membership processing: Use global limits if
greater than per-query ones
test_xmlrpc: Update tests
Update API.txt
test_ipagetkeytab: Fix assertion in negative test
Support delegating RBAC roles to service principals
service: Normalize service principal in get_dn
freeipa.spec.in: Add python-backports-ssl_match_hostname to
BuildRequires
permission plugin: Make --target available in the CLI
permission plugin: Improve description of the target option
Add managed read permissions for compat tree
Fix: Add managed read permissions for compat tree and operational
attrs
Update referential integrity config for DS 1.3.3
permission plugin: Auto-add operational atttributes to read
permissions
Allow deleting obsolete permissions; remove operational attribute
permissions
ipaserver.install: Consolidate system user creation
ipa_restore: Split the services list
backup,restore: Don't overwrite /etc/{passwd,group}
ipa_backup: Log where the backup is be stored
Add basic test for backup & restore
Add test for backup/delete system users/restore
JSON client: Log pretty-printed request and response with -vv or
above
test_permission_plugin: Check legacy permissions
upgradeinstance: Restore listeners on failure
ipa-replica-prepare: Wait for the DNS entry to be resolvable
Move setting SELinux booleans to platform code
ipa-restore: Set SELinux booleans when restoring
ipaserver.install.service: Don't show error message on SystemExit(0)
VERSION,Makefile: Rename "pre" to "alpha"
Become IPA 4.1.0 Alpha 1
test_service_plugin: Do not lowercase memberof_role
test_forced_client_reenrollment: Don't check for host certificates
backup/restore: Add files from /etc/ipa/nssdb
sudo integration test: Remove the local user test
Petr Voborník (81):
webui: capitalize labels of undo and undo all buttons
webui: improve usability of attributes widget
webui: add filter to attributes widget
webui: optimize (re)creation of option widget
webui: custom attr in attributes widget
webui: attr widget: get list of possible attrs from
ipapermdefaultattr
webui: option_widget_base: sort options
webui: reflect readonly state
webui: fix add of input group class
webui: show managed fields as readonly and not disabled
webui: fix selection of empty value in a select widget
webui: disable ipapermbindruletype if permission in a privilege
webui: fix disabled state of service's PAC type
baseldap: return 'none' attr level right as unicode string
webui: support wildcard attribute level rights
webui: fix nested items creation in dropdown list
webui: internet explorer fixes
webui: detach facet nodes
webui: replace action_buttons with action_widget
webui: remove remaining action-button-disabled occurrences
webui: add bounce url to reset_password.html
webui-ci: fix reset password check
webui: better error reporting
webui-ci: fix table widget add
webui: display expired session notification in a more visible area
webui: improved info msgs on login/token sync/reset pwd pages
webui: login screen - improved button switching
webui: rename tooltip to title
webui: tooltip support
webui: better authentication types description
webui: convert widget.less indentation to spaces
webui: improve rule table css
webui: sshkey widget - usability fixes
webui: disable batch action buttons by default
webui: fix group type padding
webui: extract complex pkey on Add and Edit
webui: adjust behavior of bounce url
webui: do not show login error when switching back from otp sync
screen
webui: switch associators if default doesn't work
webui: notify psw change success only once
webui: append network.negotiate-auth.trusted-uris
install: create ff krb extension on every install, replica
install and upgrade
webui: add measurement unit to otp token time fields
webui: better otp token type label
webui: add token from user page
webui: add i18n for the rest of QR code strings
webui: display fields based on otp token type
webui: better value-change reporting
webui: widget initialization
webui: hide empty fields and sections
webui: hide non-readable fields
webui: hide otp fields based on token type
webui: fix regression in association facet preop
webui-ci: case-insensitive record check
webui: do not offer ipa-ad-winsync and ipa-ipa-trust range types
webui: improve breadcrumb navigation
webui: treat value as pkey in link widget
webui: do not show internal facet name to user
webui: allow to skip link widget link validation
webui: add simple link column support
webui: new ID views section
webui: facet group labels for idview's facets
webui: list only not-applied hosts in "apply to host" dialog
webui: add link from host to idview
webui-ci: adjust dnszone-add test to recent DNS changes
dns: fix privileges' memberof during dns install
keytab manipulation permission management
tests: management of keytab permissions
idviews: error out if appling Default Trust View on hosts
webui: add link to OTP token app
webui: add new iduseroverride fields
webui: management of keytab permissions
webui: allow --force in dnszone-mod and dnsrecord-add
webui: make Evented a part of base IPA.object
webui: change order of idview's facet groups
webui: hide applied to hosts tab for Default Trust View
webui: hide (un)apply buttons for Default Trust View
webui: do not offer ipa users to Default Trust View
webui: do not show closed dialog
webui: update combobox input on list click
Become IPA 4.1.0
Petr Špaček (1):
DNSSEC: add ipa dnssec daemons
Rob Crittenden (1):
No longer generate a machine certificate on client installs
Stephen Gallagher (1):
Change BuildRequires for Java
Sumit Bose (4):
ipa-kdb: fix unit tests
extdom: add support for new version
extdom: add support for sss_nss_getorigbyname()
extdom: remove unused dependency to libsss_idmap
Tomáš Babej (44):
trusts: Validate missing trust secret properly
ipatests: tasks: Fix dns configuration for trusts
trusts: Make cn=adtrust agents sysaccount nestedgroup
baseldap: Remove redundant search from LDAPAddReverseMember and
LDAPRemoveReverseMember
ipalib: idrange: Make non-implemented range types fail the validation
ipatests: test_trust: Add test to cover lookup of trusdomains
ipa-client-install: Do not add already configured sources to
nsswitch.conf entries
ipalib: host_del: Extend LDAPDelete's takes_options instead of
overriding
Set the default attributes for RootDSE
baseldap: Properly handle the case of renaming object to the same
name
idviews: Add necessary schema for the ID views
idviews: Create container for ID views under cn=accounts
idviews: Add ipaAssignedIDVIew reference to the host object
ipalib: Remove redundant and star imports from host plugin
ipalib: PEP8 fixes for host plugin
idviews: Create basic idview plugin structure
idvies: Add managed permissions for idview and idoverride objects
hostgroup: Add helper that returns all members of a hostgroup
hostgroup: Remove redundant and star imports
hostgroup: Selected PEP8 fixes for the hostgroup plugin
idviews: Add ipa idview-apply and idview-unapply commands
idviews: Extend idview-show command to display assigned
idoverrides and hosts
trusts: Add conversion from SID to object name
idviews: Support specifying object names instead of raw anchors only
idviews: Split the idoverride object into iduseroverride and
idgroupoverride
idviews: Split the idoverride commands into iduseroverride and
idgroupoverride
idviews: Alter idoverride methods to work with splitted objects
idviews: Change format of IPA anchor to include domain
idviews: Raise NotFound errors if object to override could not be
found
idviews: Resolve anchors to object names in idview-show
ipatests: Add xmlrpc tests for idviews plugin
idviews: Add ipaOriginalUid
idviews: Update the referential plugin config to watch for
ipaAssignedIDView
idviews: Fix casing of ID Views to be consistent
idviews: Make description optional for the ID View object
idviews: Add Default Trust View as part of adtrustinstall
idviews: Handle Default Trust View properly in the framework
idviews: Make sure the dict.get method is not abused for MUST
attributes
idviews: Catch errors on unsuccessful AD object lookup when
resolving object name to anchor
idviews: Display the list of hosts when using --all
idviews: Make sure only regular IPA objects are allowed to be
overriden
idviews: Create Default Trust View for upgraded servers
idviews: Fix typo in upgrade handling of the Default Trust View
spec: Bump SSSD requires to 1.12.2
It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds will be available for Fedora 21. Builds for Fedora 20 are
available in the official COPR repository
[https://copr.fedoraproject.org/coprs/mkosek/freeipa/].
== Highlights in 4.1 ==
=== Enhancements ===
* New concept of 'ID Views' allowing FreeIPA administrator to define or
override POSIX attributes for users/groups coming from trusted domains.
Such users then do not need to have POSIX attributes defined in the
Active Directory to authenticate to FreeIPA clients. It also allows to
assign particular view to selected hosts or hostgroups, thus allowing
having a user / group with different POSIX attributes on different
hosts. Per-host overrides should be used with extreme care!
[http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust]
* New tool ipa-cacert-manage to manually renew or change FreeIPA PKI CA
certificate [http://www.freeipa.org/page/V4/CA_certificate_renewal]
* DNSSEC Support
* OTP authentication plugin now prevents multiple usage of token codes
on a single FreeIPA server
* DNS interface now supports adding DNS root zone (".") allowing admin
to for example centrally override DNS root hints.
* DNS zone adding interface was simplified - name server and it's IP
address is no longer required. The list of authoritative name servers
are read from LDAP
* Seamless signing of FreeIPA CA us a subCA in Windows Certificate
Services [https://fedorahosted.org/freeipa/ticket/4496]
* New option --request-cert to optionally request host certificates on
FreeIPA clients (to /etc/ipa/nssdb/)
* CLI and Web UI for 'retrive keytab' and 'create keytab' authorization
[http://www.freeipa.org/page/V4/Keytab_Retrieval_Management]
* Services can now be assigned as members of RBAC roles
* `ipa` command run with `-vv` option now prints JSON request and reply
exchanged with the FreeIPA server. `-vvv` also prints HTTP communication.
* Description attribute is no longer required (e.g. in groups, sudo
command groups or others) given that it is also not required in schema.
* Packages can be now built and installed on RHEL/CentOS 7.0
* ipa-replica-prepare now waits for the replica DNS record to be
available to fix race conditions in automated test environments
* Port 8443 is now checked before server installation to prevent
failures in configuring PKI which uses the port
=== Bug fixes ===
* Server installers can now handle hosts with multiple IPv4 or IPv6
addresses
* DNS zone interface no longer accepts `--class` option as it had no
effect as FreeIPA DNS only supports 'IN' class.
* ipa-ldap-upgrade restores Directory Server settings when upgrade fails
* SSLv3.0 (CVE-2014-3566) ciphers are now disabled on new installations
=== DNSSEC Support ===
FreeIPA now automates basic key management for Domain Name System
Security Extensions (DNSSEC)
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Overview].
Before you start signing you DNS zones you have to install DNSSEC key
master role to an existing FreeIPA DNS server using command:
ipa-dns-install --dnssec-master
It allows you to enable DNSSEC for particular DNS zone using command:
ipa dnszone-mod zone.name.example. --dnssec=true
This command will generate new zone keys, distribute keys to all FreeIPA
DNS servers and configure all servers to independently sign the zone.
Please keep in mind that it can take few minutes before all servers sign
the zone.
==== Known Limitations ====
* User has to manually upload Delegation Signer (DS) record
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Records]
to parent DNS zone to establish chain of trust.
* User has to manually confirm that DS record in parent zone was
published otherwise Key Signing Key (KSK)
[http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Key_management]
will not be rotated. This confirmation has to be done on FreeIPA server
with key master role using following command:
sudo -u ods ods-ksmutil key ds-seen --zone zone.name.example.
--keytag 12345
* Keytag can be obtained from dig output:
dig +dnssec zone.name.example. DS
* User is not notified about automated key rotation. This does not lower
stability of the system because of `ds-seen` logic mentioned above.
* Key and signing policy cannot be changed using FreeIPA tools.
Currently it is stored in `/etc/opendnssec/kasp.xml` file on DNSSEC key
master server. Manual changes to `kasp.xml` will be lost during next
FreeIPA upgrade.
* Only one FreeIPA server can have DNSSEC key master role:
** *Please plan carefully, current version does not allow you to easily
move DNSSEC master role to a different server.*
** DNSSEC key management will not work when the key master is not
running, i.e. DNSSEC keys will not be rotated according to the policy
and keys for new zones will not be generated.
== Known Issues ==
* Directory Server may deadlock in some situations (tracked in upstream
ticket [https://fedorahosted.org/freeipa/ticket/4635]).
* SSLv3.0 (CVE-2014-3566) ciphers are not disabled on upgrades. See
CVE-2014-3566 and referred external articles on advise how to deal with
this vulnerability.
== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The
server does not need to be shut down in advance.
Please note that if you are doing the upgrade in special environment
(e.g. FedUp) which does not allow running the LDAP server during upgrade
process, upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig
Also note that the performance improvements require an extended set of
indexes to be configured. RPM update for an IPA server with a excessive
number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully
but new features will not be available on old servers and enrolling a
new client against an old server will result in the SSH keys not being
uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 3.3.0 and later versions is supported. Upgrading from
previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you
want to re-enroll it. SSH keys for already installed clients are not
uploaded, you will have to re-enroll the client or manually upload the keys.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.
== Detailed Changelog since 4.0.0 ==
Alexander Bokovoy (15):
ipaserver/dcerpc.py: if search of a closest GC failed, try to
find any GC
ipaserver/dcerpc.py: make PDC discovery more robust
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts
on Windows Server prior to 2012
ipaserver/dcerpc.py: be more open to what domains can be seen
through the forest trust
ipaserver/dcerpc.py: Make sure trust is established only to
forest root domain
Support overridding user shell in ID views
Allow user overrides to specify SSH public keys
Allow user overrides to specify GID of the user
Allow override of gecos field in ID views
Update API version for ID views support
Require slapi-nis 0.54 or later for ID views support
Support idviews in compat tree
Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature
updater: enable uid uniqueness plugin for posixAccounts
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
Ana Krivokapić (1):
Remove internaldb password from password.conf
David Kupka (20):
Fix ipa-client-install --uninstall crash
Always record that pkicreate has been executed.
Improve password validity check.
Fix group-remove-member crash when group is removed from a
protected group
test group: remove group from protected group.
Verify otptoken timespan is valid
Add record(s) to /etc/host when IPA is configured as DNS server.
Use certmonger D-Bus API instead of messing with its files.
Do not restart apache server when not necessary.
Allow user to force Kerberos realm during installation.
Fix typo causing ipa-upgradeconfig to fail.
Add 'host' setting into default.conf configuration file on
client. Fix description in man page.
Detect and configure all usable IP addresses.
Do not require description in UI.
Fix example usage in ipa man page.
Check that port 8443 is available when installing PKI.
Set IPA CA for freeipa certificates.
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Fix printing of reverse zones in ipa-dns-install.
Fix typo causing certmonger is provided with wrong path to
ipa-submit.
Gabe Alford (5):
Fix typos in dns.py
Enable debug pid in smb.conf
ipa trust-add command should be interactive
Fix hardcoded lib dir in freeipa.spec
Missing requires on python-dns in spec file
Jakub Hrozek (1):
CLIENT: Explicitly require python-backports-ssl_match_hostname
Jan Cholasta (100):
Check if /root/ipa.csr exists when installing server with
external CA.
Exclude attributelevelrights from --raw result processing in
baseldap.
Add function for checking if certificate is self-signed to
ipalib.x509.
Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Allow IPA master hosts to update CA certificate in LDAP.
Automatically update CA certificate in LDAP on renewal.
Track CA certificate using dogtag-ipa-ca-renew-agent.
Add method for setting CA renewal master in LDAP to CAInstance.
Provide additional functions to ipapython.certmonger.
Move external cert validation from ipa-server-install to
installutils.
Add method for verifying CA certificates to NSSDatabase.
Add permissions for CA certificate renewal.
Add CA certificate management tool ipa-cacert-manage.
Alert user when externally signed CA is about to expire.
Load sysupgrade.state on demand.
Pick new CA renewal master when deleting a replica.
Remove master ACIs when deleting a replica.
Do not use ldapi in certificate renewal scripts.
Check that renewed certificates coming from LDAP are actually
renewed.
Allow IPA master hosts to read and update IPA master information.
Do not treat the IPA RA cert as CA cert in DS NSS database.
Remove certificate "External CA cert" from /etc/pki/nssdb on
client uninstall.
Allow specifying trust flags in NSSDatabase and CertDB method
trust_root_cert.
Fix trust flags in HTTP and DS NSS databases.
Add LDAP schema for wrapped cryptographic keys.
Add LDAP schema for certificate store.
Add container for certificate store.
Configure attribute uniqueness for certificate store.
Add permissions for certificate store.
Add functions for extracting certificates fields in DER to
ipalib.x509.
Add function for extracting extended key usage from certs to
ipalib.x509.
Add certificate store module ipalib.certstore.
Upload CA chain from DS NSS database to certificate store on
server install.
Upload CA chain from DS NSS database to certificate store on
server update.
Rename CertDB method add_cert to import_cert.
Add new add_cert method for adding certificates to NSSDatabase
and CertDB.
Import CA certs from certificate store to DS NSS database on
replica install.
Import CA certs from certificate store to HTTP NSS database on
server install.
Upload renewed CA cert to certificate store on renewal.
Refactor CA certificate fetching code in ipa-client-install.
Support multiple CA certificates in /etc/ipa/ca.crt in
ipa-client-install.
Add function for writing list of certificates to a PEM file to
ipalib.x509.
Get CA certs for /etc/ipa/ca.crt from certificate store in
ipa-client-install.
Allow overriding NSS database path in RPCClient.
Get CA certs for /etc/pki/nssdb from certificate store in
ipa-client-install.
Add functions for DER encoding certificate extensions to ipalib.x509.
Get CA certs for system-wide store from cert store in
ipa-client-install.
Get up-to-date CA certificates from certificate store in
ipa-replica-install.
Add client certificate update tool ipa-certupdate.
Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.
Allow multiple CA certificates in replica info files.
Add new NSSDatabase method get_cert for getting certs from NSS
databases.
Allow changing chaining of the IPA CA certificate in
ipa-cacert-manage.
Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.
Allow adding CA certificates to certificate store in
ipa-cacert-manage.
Allow upgrading CA-less to CA-full using ipa-ca-install.
Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
Enable NSS PKIX certificate path discovery and validation for Dogtag.
Add test for baseldap.entry_to_dict.
Fix parsing of long nicknames in certutil -L output.
Convert external CA chain to PKCS#7 before passing it to pkispawn.
Allow changing CA renewal master in ipa-csreplica-manage.
Normalize external CA cert before passing it to pkispawn
Make CA-less ipa-server-install option --root-ca-file optional.
Backup CS.cfg before modifying it
Use autobind when updating CA people entries during certificate
renewal
Fix certmonger code causing the ca_renewal_master update plugin
to fail
Allow RPM upgrade from ipa-* packages
Include ipaplatform in client-only build
Include the ipa command in client-only build
Allow specifying signing algorithm of the IPA CA cert in
ipa-server-install.
Add NSSDatabase.import_files method for importing files in
various formats
External CA installer options usability fixes
CA-less installer options usability fixes
Allow choosing CA-less server certificates by name
Do stricter validation of CA certificates
Introduce NSS database /etc/ipa/nssdb
Move NSSDatabase from ipaserver.certs to ipapython.certdb
Add NSSDatabase.has_nickname for checking nickname presence in a
NSS DB
Use NSSDatabase instead of direct certutil calls in client code
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in
/etc/pki/nssdb
Check if IPA client is configured in ipa-certupdate
Get server hostname from jsonrpc_uri in ipa-certupdate
Remove ipa-ca.crt from systemwide CA store on client uninstall
and cert update
Fix certmonger.wait_for_request
Fix certmonger search for the CA cert in ipa-certupdate and
ipa-cacert-manage
Add missing imports to ipapython.certdb
Remove misleading authorization error message in cert-request
with --add
Split off generic Red Hat-like platform code from Fedora platform
code
Add RHEL platform module
Support building RPMs for RHEL/CentOS 7.0
Support MS CS as the external CA in ipa-server-install and
ipa-ca-install
Allow specifying signing algorithm of the IPA CA cert in
ipa-ca-install
Fix CA cert validity check for CA-less and external CA installer
options
Fix certmonger.request_cert
Add ipa-client-install switch --request-cert to request cert for
the host
Do not create ipa-pki-proxy.conf if CA is not configured in
ipa-upgradeconfig
Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
Check LDAP instead of local configuration to see if IPA CA is enabled
DNSSEC: remove container_dnssec_keys
Ludwig Krispenz (2):
Update SSL ciphers configured in 389-ds-base
Ignore irrelevant subtrees in schema compat plugin
Lukáš Slebodník (2):
Fix warning: Using uninitialized value ld.
Add missing break
Martin Bašti (48):
Fix DNS upgrade plugin should check if DNS container exists
FIX: named_enable_dnssec should verify if DNS is installed
Allow to add host if AAAA record exists
Tests: host tests with dns
Fix dnsrecord-mod raise error if last record attr is removed
DNSSEC: fix DS record validation
Tests: DNS dsrecord validation
DNS fix NS record coexistence validator
Test: DNS NS validation
Fix DNS record rename test
FIX DNS wildcard records (RFC4592)
Tests: DNS wildcard records
dnszone-remove-permission should raise error
DNS: remove --class option
WebUI: DNS: remove --class option
FIX: ldap schmema updater needs correct ordering of the updates
Fix DNS plugin to allow to add root zone
DNS test: allow '.' as zone name
Deprecation of --name-server and --ip-address option in DNS
Add correct NS records during installation
DNS: autofill admin email
WebUI: DNS: Remove ip-address, admin-email options
DNS tests: tests update to due to change in options
Remove --ip-address, --name-server otpions from DNS help
Refactoring of autobind, object_exists
LDAP disable service
DNS missing tests
Fix ipactl service ordering
Add missing attributes to named.conf
Make named.conf template platform independent
Remove ipaContainer, ipaOrderedContainer objectclass
Add mask, unmask methods for service
DNSSEC: dependencies
DNSSEC: schema
DNSSEC: add ipapk11helper module
DNSSEC: DNS key synchronization daemon
DNSSEC: opendnssec services
DNSSEC: platform paths and services
DNSSEC: validate forwarders
DNSSEC: modify named service to support dnssec
DNSSEC: installation
DNSSEC: uninstallation
DNSSEC: upgrading
DNSSEC: ACI
DNSSEC: add files to backup
DNSSEC: change link to ipa page
fix DNSSEC restore named state
fix forwarder validation errors
Martin Košek (8):
Do not require dogtag-pki-server-theme
Allow hashed passwords in DS
Do not crash client basedn discovery when SSF not met
ipa-adtrust-install does not re-add member in adtrust agents group
Sudorule RunAsUser should work with external groups
Raise better error message for permission added to generated tree
Remove changetype attribute from update plugin
Update contributors
Nathaniel McCallum (13):
Fix login password expiration detection with OTP
Update freeipa-server krb5-server dependency to 1.11.5-5
Fix ipa-getkeytab for pre-4.0 servers
Add TOTP watermark support
Ensure ipaUserAuthTypeClass when needed on user creation
Update qrcode support for newer python-qrcode
Use stack allocation when writing values during otp auth
Move OTP synchronization step to after counter writeback
Remove token ID from self-service UI
Remove token vendor, model and serial defaults
Display token type when viewing token
Create ipa-otp-counter 389DS plugin
Configure IPA OTP Last Token plugin on upgrade
Petr Viktorin (34):
baseldap: Return empty string when no effective rights are found
ldap2 indirect membership processing: Use global limits if
greater than per-query ones
test_xmlrpc: Update tests
Update API.txt
test_ipagetkeytab: Fix assertion in negative test
Support delegating RBAC roles to service principals
service: Normalize service principal in get_dn
freeipa.spec.in: Add python-backports-ssl_match_hostname to
BuildRequires
permission plugin: Make --target available in the CLI
permission plugin: Improve description of the target option
Add managed read permissions for compat tree
Fix: Add managed read permissions for compat tree and operational
attrs
Update referential integrity config for DS 1.3.3
permission plugin: Auto-add operational atttributes to read
permissions
Allow deleting obsolete permissions; remove operational attribute
permissions
ipaserver.install: Consolidate system user creation
ipa_restore: Split the services list
backup,restore: Don't overwrite /etc/{passwd,group}
ipa_backup: Log where the backup is be stored
Add basic test for backup & restore
Add test for backup/delete system users/restore
JSON client: Log pretty-printed request and response with -vv or
above
test_permission_plugin: Check legacy permissions
upgradeinstance: Restore listeners on failure
ipa-replica-prepare: Wait for the DNS entry to be resolvable
Move setting SELinux booleans to platform code
ipa-restore: Set SELinux booleans when restoring
ipaserver.install.service: Don't show error message on SystemExit(0)
VERSION,Makefile: Rename "pre" to "alpha"
Become IPA 4.1.0 Alpha 1
test_service_plugin: Do not lowercase memberof_role
test_forced_client_reenrollment: Don't check for host certificates
backup/restore: Add files from /etc/ipa/nssdb
sudo integration test: Remove the local user test
Petr Voborník (81):
webui: capitalize labels of undo and undo all buttons
webui: improve usability of attributes widget
webui: add filter to attributes widget
webui: optimize (re)creation of option widget
webui: custom attr in attributes widget
webui: attr widget: get list of possible attrs from
ipapermdefaultattr
webui: option_widget_base: sort options
webui: reflect readonly state
webui: fix add of input group class
webui: show managed fields as readonly and not disabled
webui: fix selection of empty value in a select widget
webui: disable ipapermbindruletype if permission in a privilege
webui: fix disabled state of service's PAC type
baseldap: return 'none' attr level right as unicode string
webui: support wildcard attribute level rights
webui: fix nested items creation in dropdown list
webui: internet explorer fixes
webui: detach facet nodes
webui: replace action_buttons with action_widget
webui: remove remaining action-button-disabled occurrences
webui: add bounce url to reset_password.html
webui-ci: fix reset password check
webui: better error reporting
webui-ci: fix table widget add
webui: display expired session notification in a more visible area
webui: improved info msgs on login/token sync/reset pwd pages
webui: login screen - improved button switching
webui: rename tooltip to title
webui: tooltip support
webui: better authentication types description
webui: convert widget.less indentation to spaces
webui: improve rule table css
webui: sshkey widget - usability fixes
webui: disable batch action buttons by default
webui: fix group type padding
webui: extract complex pkey on Add and Edit
webui: adjust behavior of bounce url
webui: do not show login error when switching back from otp sync
screen
webui: switch associators if default doesn't work
webui: notify psw change success only once
webui: append network.negotiate-auth.trusted-uris
install: create ff krb extension on every install, replica
install and upgrade
webui: add measurement unit to otp token time fields
webui: better otp token type label
webui: add token from user page
webui: add i18n for the rest of QR code strings
webui: display fields based on otp token type
webui: better value-change reporting
webui: widget initialization
webui: hide empty fields and sections
webui: hide non-readable fields
webui: hide otp fields based on token type
webui: fix regression in association facet preop
webui-ci: case-insensitive record check
webui: do not offer ipa-ad-winsync and ipa-ipa-trust range types
webui: improve breadcrumb navigation
webui: treat value as pkey in link widget
webui: do not show internal facet name to user
webui: allow to skip link widget link validation
webui: add simple link column support
webui: new ID views section
webui: facet group labels for idview's facets
webui: list only not-applied hosts in "apply to host" dialog
webui: add link from host to idview
webui-ci: adjust dnszone-add test to recent DNS changes
dns: fix privileges' memberof during dns install
keytab manipulation permission management
tests: management of keytab permissions
idviews: error out if appling Default Trust View on hosts
webui: add link to OTP token app
webui: add new iduseroverride fields
webui: management of keytab permissions
webui: allow --force in dnszone-mod and dnsrecord-add
webui: make Evented a part of base IPA.object
webui: change order of idview's facet groups
webui: hide applied to hosts tab for Default Trust View
webui: hide (un)apply buttons for Default Trust View
webui: do not offer ipa users to Default Trust View
webui: do not show closed dialog
webui: update combobox input on list click
Become IPA 4.1.0
Petr Špaček (1):
DNSSEC: add ipa dnssec daemons
Rob Crittenden (1):
No longer generate a machine certificate on client installs
Stephen Gallagher (1):
Change BuildRequires for Java
Sumit Bose (4):
ipa-kdb: fix unit tests
extdom: add support for new version
extdom: add support for sss_nss_getorigbyname()
extdom: remove unused dependency to libsss_idmap
Tomáš Babej (44):
trusts: Validate missing trust secret properly
ipatests: tasks: Fix dns configuration for trusts
trusts: Make cn=adtrust agents sysaccount nestedgroup
baseldap: Remove redundant search from LDAPAddReverseMember and
LDAPRemoveReverseMember
ipalib: idrange: Make non-implemented range types fail the validation
ipatests: test_trust: Add test to cover lookup of trusdomains
ipa-client-install: Do not add already configured sources to
nsswitch.conf entries
ipalib: host_del: Extend LDAPDelete's takes_options instead of
overriding
Set the default attributes for RootDSE
baseldap: Properly handle the case of renaming object to the same
name
idviews: Add necessary schema for the ID views
idviews: Create container for ID views under cn=accounts
idviews: Add ipaAssignedIDVIew reference to the host object
ipalib: Remove redundant and star imports from host plugin
ipalib: PEP8 fixes for host plugin
idviews: Create basic idview plugin structure
idvies: Add managed permissions for idview and idoverride objects
hostgroup: Add helper that returns all members of a hostgroup
hostgroup: Remove redundant and star imports
hostgroup: Selected PEP8 fixes for the hostgroup plugin
idviews: Add ipa idview-apply and idview-unapply commands
idviews: Extend idview-show command to display assigned
idoverrides and hosts
trusts: Add conversion from SID to object name
idviews: Support specifying object names instead of raw anchors only
idviews: Split the idoverride object into iduseroverride and
idgroupoverride
idviews: Split the idoverride commands into iduseroverride and
idgroupoverride
idviews: Alter idoverride methods to work with splitted objects
idviews: Change format of IPA anchor to include domain
idviews: Raise NotFound errors if object to override could not be
found
idviews: Resolve anchors to object names in idview-show
ipatests: Add xmlrpc tests for idviews plugin
idviews: Add ipaOriginalUid
idviews: Update the referential plugin config to watch for
ipaAssignedIDView
idviews: Fix casing of ID Views to be consistent
idviews: Make description optional for the ID View object
idviews: Add Default Trust View as part of adtrustinstall
idviews: Handle Default Trust View properly in the framework
idviews: Make sure the dict.get method is not abused for MUST
attributes
idviews: Catch errors on unsuccessful AD object lookup when
resolving object name to anchor
idviews: Display the list of hosts when using --all
idviews: Make sure only regular IPA objects are allowed to be
overriden
idviews: Create Default Trust View for upgraded servers
idviews: Fix typo in upgrade handling of the Default Trust View
spec: Bump SSSD requires to 1.12.2
--
Petr Vobornik
Petr Vobornik