[Freeipa-interest] Announcing FreeIPA v3.0.0 Release

Rob Crittenden rcritten at redhat.com
Fri Oct 12 18:06:54 UTC 2012


The FreeIPA team is proud to announce the release of FreeIPA v3.0.0.

It can be downloaded from http://www.freeipa.org/Downloads.

A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 
works well on Fedora 17, but we will not be providing a build for 
Fedora 17, following Fedora's policy of not moving stable releases 
forward to new major versions.

There is a known issue installing a replica with a dogtag CA in Fedora 
18. We are continuing to investigate. Non-CA replica installation is 
fine, and upgrading a replica with a CA is unaffected.

FreeIPA will be participating in a Fedora 18 Test Day next Monday, 
October 15. For details see 
http://fedoraproject.org/wiki/Test_Day:2012-10-15_FreeIPA

== Highlights in 3.0.0 ==

* Support for AD Trust
* Per-domain DNS permissions
* DNS persistent search enabled by default, new zones are seen immediately
* New DNS resolver library
* Migration improvements
* The last administrator cannot be removed or disabled
* Forms-based password reset
* Redesigned action panels in UI
* Sessions for command-line users
* Tool to configure automount client, ipa-client-automount
* NTLM password hash is generated for existing users on first use
   of IPA cross-realm environment based on their Kerberos keys without
   requiring a password change.
* Secure identifiers compatible with Active Directory are generated
   automatically for existing users upon set up of IPA cross-realm
   environment.
* Use certmonger to renew CA subsystem certificates
* Support for DNS zone transfers to non-IPA slaves
* Internal change to LDAP Distinguished Name handling to be more robust
* Better support for Internet Explorer 9 in the UI
* Allow multiple servers on client install command-line and configuring 
without DNS discovery.
* Cooperate with the new 389-ds-base winsync POSIX plugin so that AD POSIX 
attributes can be synced with IPA.
* Improvements to schema upgrade process.
* Exclude some attributes from replication.
* Notify success on add, delete and update in UI.
* Set the e-mail attribute on new users by default.
* SSH public key format has been changed to OpenSSH-style public keys.
* Support for the Dogtag CA version 10
* New ipa-client-install option to disable OpenSSH client configuration.
* Expand Referential Integrity checks on hosts, SUDO and HBAC rule 
referential attributes
* Run the CLEANALLRUV task when deleting a replication agreement to 
remove replication meta-data about the removed master. See the 
ipa-replica-manage man page for the list of new commands related to 
the CLEANALLRUV task.
* Try to prevent orphaning other servers when deleting a master.
* Add missing indices for automount and principal aliases, which will 
improve performance.
* Provide a new Firefox extension for configuring the browser. Firefox 
15 deprecated the interface we used in the past to set the Kerberos 
negotiation directives. The new extension will be used on Firefox 15 
and later, and the older interface on older browsers.
* Man page improvements
* A SID can be created as the last step of ipa-adtrust-install.
* Create a default fallback group for AD trust users.
* Support for 389-ds-base 1.3.0.
* Move CRL publish directory to IPA owned directory
* Add uniqueness plugin configuration for sudorule names.
* The initial IPA server with a dogtag CA is configured to generate 
CRLs. Subsequent masters are configured to not generate CRLs. The CRL is 
available on a non-generating master at 
http://fqdn.example.com/ipa/crl/MasterCRL.bin.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.

Please note that the referential integrity extension requires an 
extended set of indexes to be configured. The RPM update for an IPA 
server with a very large number of hosts, SUDO or HBAC entries may 
require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is 
not supported and has not been tested.

An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 3.0.0 rc2 ==

Alexander Bokovoy (7):
* support multi-line error messages in exceptions
* Handle NotFound exception when establishing trust
* Fix wrong RID for Domain Admins in the examples of trust commands
* Add cifs principal to S4U2Proxy targets only when running 
ipa-adtrust-install
* Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
* Add instructions support to PublicError
* Use PublicError instructions support for trust-add case when domain is 
not found

Jan Cholasta (1):
* Do not show full SSH public keys in command output by default.

Martin Kosek (3):
* Minor fixes for default SMB group
* Move CRL publish directory to IPA owned directory
* Fix CA CRL migration crash in ipa-upgradeconfig

Petr Viktorin (4):
* ipa-upgradeconfig: Remove the upgrade_httpd_selinux function
* replica-install: Don't copy Firefox config extension files if they're 
not in the replica file
* Create Firefox extension on upgrade and replica-install
* Pull translation files from Transifex

Petr Vobornik (1):
* Add mime type to httpd ipa.conf for xpi extension

Rob Crittenden (6):
* Add uniqueness plugin configuration for sudorule cn
* Set renewal time for the CA audit certificate to 720 days.
* Fix CS replication management.
* Configure the initial CA as the CRL generator.
* Explicitly disable betxn plugins for the time being.
* Become IPA 3.0.0

Simo Sorce (2):
* Fix trust attributes for ipa trust-add
* Use stricter requirement for krb5-server

Sumit Bose (2):
* ipa-adtrust-install: create fallback group with ldif file
* ipadb: reload trust information if domain is not known

Tomas Babej (1):
* Notify user about necessary ports in ipa-client-install
