[Freeipa-users] Announcing FreeIPA 3.2.0 Prerelease 1

Stijn De Weirdt stijn.deweirdt at ugent.be
Wed Apr 3 08:36:21 UTC 2013


hi all,

what minimal OS is targeted for freeipa 3.2: FC19 or FC18?


stijn

On 04/02/2013 06:32 PM, Martin Kosek wrote:
> The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We
> would like to welcome any early testers of this prerelease to provide us
> feedback and help us stabilize this feature release which we plan to release as
> final in the beginning of May 2013.
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. The new
> version has also been built for Fedora 19 Alpha, if it does not appear in your
> Fedora 19 yet, you can download the build from koji:
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=408311
>
> == Highlights in 3.2.0 Prerelease 1 ==
>
> === New features ===
> * Support installing FreeIPA without an embedded Certificate Authority, with
> user-provided SSL certificates for the HTTP and Directory servers. [1]
> * New cert-find command. Search certificates in the Dogtag database based on
> their serial number, validity or revocation details. This feature is available
> both as a CLI command and Web UI page. [2]
> * New trustconfig-show and trustconfig-mod command. Show or modify AD Trust
> settings generated during AD Trust installation (ipa-adtrust-install) [3]
> * Multiple FreeIPA servers can now be designated as Domain Controllers for
> trusts with Active Directory [12]
> * New realmdomains-show and realmdomains-mod command. Manage the list of DNS
> domains associated with FreeIPA realm (realmdomains command). This list is
> primarily used by AD, which can pull all domains managed by FreeIPA and use
> that list for routing authentication requests for domains which do not match
> FreeIPA realm name. [4]
> * Support trusted domain users in HBAC test command (hbactest command).
> * Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). [5]
> * Configurable PAC type for services. Service commands can now configure a set
> of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the service.
> * Faster UI loading. FreeIPA Web UI application is now packaged in minimalized
> format. FreeIPA web server is now also able to transmit data in compressed
> format. [6] [7]
> * UI now accepts confirmation of cancel of its dialogs via keyboard [11]
> * Client reenrollment. A host that has been recreated can now be reenrolled to
> FreeIPA server using a backed up host keytab or admin credentials [8]
> * Service and Host commands now provide options to add or remove selected
> Kerberos flags [9]
>
> === Prerelease 1 limitations ===
>
> * List of DNS domains associated with FreeIPA realm currently only works with a
> special Samba build available for Fedora 18:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
> rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get
> it working.
> * Test of trusted domain users in HBAC rules is accessible only to members
> of 'Trust Admins' group due to privilege limitations
> * Same applies to any other trust-specific operations that require translation
> between user/group name and its security identifier (SID)
>
> === Bug fixes ===
>
> * Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and
> groups from OpenLDAP database instances.
> * Migration process is now also a lot faster and provides more debug output (to
> httpd error log).
> * SUDO rules disabled by sudorule-disable command are now removed from
> ou=sudoers compat tree without a need to restart 389 Directory Server instance.
> * Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
> * Fixed server installation with external CA (--external-ca)
> * Consolidate on-line help system, show help without need of valid Kerberos
> credentials (ipa help)
> * New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
> attribute for replicas which either do not have integrated DNS service enabled
> or which have disabled SOA serial autoincrement
> * LDAP lockout plugin has been fixed so that lockout policies are applied
> consistently both for LDAP binds and Kerberos authentication
> * ... and many other stabilization fixes, see Detailed changelog for full details
>
> == Changes in API or CLI ==
> === Dropped --selfsign option ===
> FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. This
> configured the server with a NSS database based Certificate Authority with a
> selfsigned CA certificate and limited certificate operation support.
>
> This option was always intended for development or testing purposes only and
> was not intended for use in production. This release drops this option and
> deprecates the functionality. Current FreeIPA servers installed with the
> --selfsign option will still work, instructions on how to migrate to
> supported certificate options will be provided.
>
> FreeIPA servers version 3.2.0 and later support the following two flavors of
> certificate management:
> * FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a
> certificate signed by external CA (--external-ca option)
> * FreeIPA with no pki-ca installed with certificates signed and provided by an
> external CA [1]
>
> === Dropped CSV support ===
> FreeIPA client CLI supported CSV in some arguments so that multiple values
> could be added with just one convenient option:
>
>   ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
>   ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2
>
> CSV parsing, however, introduces great difficulty when trying to include a value
> with an embedded space in it. Escaping these values is not intuitive and made
> it very difficult to add such values. The level of effort in working around the
> CSV problems has come to the point where the benefits of it are outweighed by
> the problems, which led to the decision to drop CSV support in CLI altogether [10].
>
> There are several ways to work around the lack of CSV:
>
> Provide an argument multiple times on the command-line:
>
>   ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn --attrs=cn
>   ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2
>
> Let BASH do the expansion for you:
>
>   ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
>   ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}
>
> == Upgrading ==
>
> An IPA server can be upgraded simply by installing updated rpms. The server
> does not need to be shut down in advance.
>
> Please note that the referential integrity extension requires an extended set
> of indexes to be configured. RPM update for an IPA server with an excessive
> number of hosts, SUDO or HBAC entries may require several minutes to finish.
>
> If you have multiple servers you may upgrade them one at a time. It is expected
> that all servers will be upgraded in a relatively short period (days or weeks
> not months). They should be able to co-exist peacefully but new features will
> not be available on old servers and enrolling a new client against an old
> server will result in the SSH keys not being uploaded.
>
> Downgrading a server once upgraded is not supported.
>
> Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
> versions is not supported and has not been tested.
>
> An enrolled client does not need the new packages installed unless you want to
> re-enroll it. SSH keys for already installed clients are not uploaded, you will
> have to re-enroll the client or manually upload the keys.
>
> == Feedback ==
>
> Please provide comments, bugs and other feedback via the freeipa-users mailing
> list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
> on Freenode.
>
> == Documentation ==
> * [1] http://www.freeipa.org/page/V3/CA-less_install
> * [2] http://www.freeipa.org/page/V3/Cert_find
> * [3] http://www.freeipa.org/page/V3/Trust_config_command
> * [4] http://www.freeipa.org/page/V3/Realm_Domains
> * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
> * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression
> * [7] http://www.freeipa.org/page/V3/WebUI_build
> * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
> * [9] http://www.freeipa.org/page/V3/Kerberos_Flags
> * [10] http://www.freeipa.org/page/V3/Drop_CSV
> * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation
> * [12] http://www.freeipa.org/page/V3/MultipleTrustServers
>
> == Detailed Changelog since 3.1.0 ==
> Alexander Bokovoy (7):
> * Update plugin to upload CA certificate to LDAP
> * ipasam: use base scope when fetching domain information about own domain
> * ipaserver/dcerpc: enforce search_s without schema checks for GC searching
> * ipa-replica-manage: migrate to single_value after LDAPEntry updates
> * Process exceptions when talking to Dogtag
> * ipasam: add enumeration of UPN suffixes based on the realm domains
> * Enhance ipa-adtrust-install for domains with multiple IPA server
>
> Ana Krivokapic (10):
> * Raise ValidationError for incorrect subtree option.
> * Add crond as a default HBAC service
> * Take into consideration services when deleting replicas
> * Add list of domains associated to our realm to cn=etc
> * Improve error messages for external group members
> * Remove check for alphabetic only characters from domain name validation
> * Fix internal error for ipa show-mappings
> * Realm Domains page
> * Use default NETBIOS name in unattended ipa-adtrust-install
> * Add mkhomedir option to ipa-server-install and ipa-replica-install
>
> Brian Cook (1):
> * Add DNS Setup Prompt to Install
>
> JR Aquino (1):
> * Allow PKI-CA Replica Installs when CRL exceeds default maxber value
>
> Jakub Hrozek (1):
> * Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
>
> Jan Cholasta (24):
> * Pylint cleanup.
> * Drop ipapython.compat.
> * Add support for RFC 6594 SSHFP DNS records.
> * Raise ValidationError on invalid CSV values.
> * Run interactive_prompt callbacks after CSV values are split.
> * Add custom mapping object for LDAP entry data.
> * Add make_entry factory method to LDAPConnection.
> * Remove the Entity class.
> * Remove the Entry class.
> * Use the dn attribute of LDAPEntry to set/get DNs of entries.
> * Preserve case of attribute names in LDAPEntry.
> * Aggregate IPASimpleLDAPObject in LDAPEntry.
> * Support attributes with multiple names in LDAPEntry.
> * Use full DNs in plugin code.
> * Remove DN normalization from the baseldap plugin.
> * Remove support for DN normalization from LDAPClient.
> * Fix remove while iterating in suppress_netgroup_memberof.
> * Remove disabled entries from sudoers compat tree.
> * Fix internal error in output_for_cli method of sudorule_{enable,disable}.
> * Do not fail if schema cannot be retrieved from LDAP server.
> * Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.
> * Allow disabling attribute decoding in LDAPClient and IPAdmin.
> * Disable schema retrieval and attribute decoding when talking to AD GC.
> * Add Kerberos ticket flags management to service and host plugins.
>
> John Dennis (2):
> * Cookie Expires date should be locale insensitive
> * Use secure method to acquire IPA CA certificate
>
> Lynn Root (4):
> * Switch %r specifiers to '%s' in Public errors
> * Added the ability to do Beta versioning
> * Fixed the catch of the hostname option during ipa-server-install
> * Raise ValidationError when CSR does not have a subject hostname
>
> Martin Kosek (58):
> * Add Lynn Root to Contributors.txt
> * Enable SSSD on client install
> * Fix delegation-find command --group handling
> * Do not crash when Kerberos SRV record is not found
> * permission-find no longer crashes with --targetgroup
> * Avoid CRL migration error message
> * Sort LDAP updates properly
> * Upgrade process should not crash on named restart
> * Installer should not connect to 127.0.0.1
> * Fix migration for openldap DS
> * Remove unused krbV imports
> * Use fully qualified CCACHE names
> * Fix permission_find test error
> * Add trusconfig-show and trustconfig-mod commands
> * ipa-kdb: add sentinel for LDAPDerefSpec allocation
> * ipa-kdb: avoid ENOMEM when all SIDs are filtered out
> * ipa-kdb: reinitialize LDAP configuration for known realms
> * Add SID blacklist attributes
> * ipa-kdb: read SID blacklist from LDAP
> * ipa-sam: Fill SID blacklist when trust is added
> * ipa-adtrust-install should ask for SID generation
> * Test NetBIOS name clash before creating a trust
> * Generalize AD GC search
> * Do not hide SID resolver error in group-add-member
> * Add support for AD users to hbactest command
> * Fix hbachelp examples formatting
> * ipa-kdb: remove memory leaks
> * ipa-kdb: fix retry logic in ipadb_deref_search
> * Add autodiscovery section in ipa-client-install man pages
> * Avoid internal error when user is not Trust admin
> * Use fixed test domain in realmdomains test
> * Bump FreeIPA version for development branch
> * Remove ORDERING for IA5 attributeTypes
> * Fix includedir directive in krb5.conf template
> * Use new 389-ds-base cleartext password API
> * Do not hide idrange-add errors when adding trust
> * Preserve order of servers in ipa-client-install
> * Avoid multiple client discovery with fixed server list
> * Update named.conf parser
> * Use tkey-gssapi-keytab in named.conf
> * Do not force named connections on upgrades
> * ipa-client discovery with anonymous access off
> * Use temporary CCACHE in ipa-client-install
> * Improve client install LDAP cert retrieval fallback
> * Configure ipa_dns DS plugin on install and upgrade
> * Fix structured DNS record output
> * Bump selinux-policy requires
> * Clean spec file for Fedora 19
> * Remove build warnings
> * Remove syslog.target from ipa.server
> * Put pid-file to named.conf
> * Update mod_wsgi socket directory
> * Normalize RA agent certificate
> * Require 389-base-base 1.3.0.5
> * Change CNAME and DNAME attributes to single valued
> * Improve CNAME record validation
> * Improve DNAME record validation
> * Become 3.2.0 Prerelease 1
>
> Petr Spacek (1):
> * Add 389 DS plugin for special idnsSOASerial attribute handling
>
> Petr Viktorin (101):
> * Sort Options and Outputs in API.txt
> * Add the CA cert to LDAP after the CA install
> * Better logging for AdminTool and ipa-ldap-updater
> * Port ipa-replica-prepare to the admintool framework
> * Make ipapython.dogtag log requests at debug level, not info
> * Don't add another nsDS5ReplicaId on updates if one already exists
> * Improve `ipa --help` output
> * Print help to stderr on error
> * Store the OptionParser in the API, use it to print unified help messages
> * Simplify `ipa help topics` output
> * Add command summary to `ipa COMMAND --help` output
> * Mention `ipa COMMAND --help` as the preferred way to get command help
> * Parse command arguments before creating a context
> * Add tests for the help command & --help options
> * In topic help text, mention how to get help for commands
> * Check SSH connection in ipa-replica-conncheck
> * Use ipauniqueid for the RDN of sudo commands
> * Prevent a sudo command from being deleted if it is a member of a sudo rule
> * Update sudocmd ACIs to use targetfilter
> * Add the version option to all Commands
> * Add ipalib.messages
> * Add client capabilities, enable messages
> * Rename the "messages" Output of the i18n_messages command to "texts"
> * Fix permission validation and normalization in aci.py
> * Remove csv_separator and csv_skipspace Param arguments
> * Drop support for CSV in the CLI client
> * Update argument docs to reflect dropped CSV support
> * Update plugin docstrings (topic help) to reflect dropped CSV support
> * cli: Do interactive prompting after a context is created
> * Remove some unused imports
> * Remove unused methods from Entry, Entity, and IPAdmin
> * Derive Entity class from Entry, and move it to ldapupdate
> * Use explicit loggers in ldap2 code
> * Move LDAPEntry to ipaserver.ipaldap and derive Entry from it
> * Remove connection-creating code from ShemaCache
> * Move the decision to force schema updates out of IPASimpleLDAPObject
> * Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap
> * Start LDAPConnection, a common base for ldap2 and IPAdmin
> * Make IPAdmin not inherit from IPASimpleLDAPObject
> * Move schema-related methods to LDAPConnection
> * Move DN handling methods to LDAPConnection
> * Move filter making methods to LDAPConnection
> * Move entry finding methods to LDAPConnection
> * Remove unused proxydn functionality from IPAdmin
> * Move entry add, update, remove, rename to LDAPConnection
> * Implement some of IPAdmin's legacy methods in terms of LDAPConnection methods
> * Replace setValue by keyword arguments when creating entries
> * Use update_entry with a single entry in adtrustinstance
> * Replace entry.getValues() by entry.get()
> * Replace entry.setValue/setValues by item assignment
> * Replace add_s and delete_s by their newer equivalents
> * Change {add,update,delete}_entry to take LDAPEntries
> * Remove unused imports from ipaserver/install
> * Remove unused bindcert and bindkey arguments to IPAdmin
> * Turn the LDAPError handler into a context manager
> * Remove dbdir, binddn, bindpwd from IPAdmin
> * Remove IPAdmin.updateEntry calls from fix_replica_agreements
> * Remove IPAdmin.get_dns_sorted_by_length
> * Replace IPAdmin.checkTask by replication.wait_for_task
> * Introduce LDAPEntry.single_value for getting single-valued attributes
> * Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity
> * Replace entry.getValue by entry.single_value
> * Replace getList by a get_entries method
> * Remove toTupleList and attrList from LDAPEntry
> * Rename LDAPConnection to LDAPClient
> * Replace addEntry with add_entry
> * Replace deleteEntry with delete_entry
> * Fix typo and traceback suppression in replication.py
> * replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
> * Inline inactivateEntry in its only caller
> * Inline waitForEntry in its only caller
> * Proxy LDAP methods explicitly rather than using __getattr__
> * Remove search_s and search_ext_s from IPAdmin
> * Replace IPAdmin.start_tls_s by an __init__ argument
> * Remove IPAdmin.sasl_interactive_bind_s
> * Remove IPAdmin.simple_bind_s
> * Remove IPAdmin.unbind_s(), keep unbind()
> * Use ldap instead of _ldap in ipaldap
> * Do not use global variables in migration.py
> * Use IPAdmin rather than raw python-ldap in migration.bind
> * Use IPAdmin rather than raw python-ldap in ipactl
> * Remove some uses of raw python-ldap
> * Improve LDAPEntry tests
> * Fix installing server with external CA
> * Change DNA magic value to -1 to make UID 999 usable
> * Move ipaldap to ipapython
> * Remove ipaserver/ipaldap.py
> * Use IPAdmin rather than raw python-ldap in ipa-client-install
> * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
> * Remove unneeded python-ldap imports
> * Don't download the schema in ipadiscovery
> * ipa-server-install: Make temporary pin files available for the whole installation
> * ipa-server-install: Remove the --selfsign option
> * Remove unused ipapython.certdb.CertDB class
> * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
> * Trust CAs from PKCS#12 files even if they don't have Friendly Names
> * dsinstance, httpinstance: Don't hardcode 'Server-Cert'
> * Support installing with custom SSL certs, without a CA
> * Load the CA cert into server NSS databases
> * Do not call cert-* commands in host plugin if a RA is not available
> * ipa-client-install: Do not request host certificate if server is CA-less
>
> Petr Vobornik (38):
> * Make confirm_dialog a base class of revoke and restore certificate dialogs
> * Make confirm_dialog a base class for deleter dialog
> * Make confirm_dialog a base class for message_dialog
> * Confirm mixin
> * Confirm adder dialog by enter
> * Confirm error dialog by enter
> * Focus last dialog when some is closed
> * Confirm association dialogs by enter
> * Standardize login password reset, user reset password and host set OTP dialogs
> * Focus first input element after 'Add and Add another'
> * Enable mod_deflate
> * Use Uglify.js for JS optimization
> * Dojo Builder
> * Config files for builder of FreeIPA UI layer
> * Minimal Dojo layer
> * Web UI development environment directory structure and configuration
> * Web UI Sync development utility
> * Move of Web UI non AMD dep. libs to libs subdirectory
> * Move of core Web UI files to AMD directory
> * Update JavaScript Lint configuration file
> * AMD config file
> * Change Web UI sources to simple AMD modules
> * Updated makefiles to build FreeIPA Web UI layer
> * Change tests to use AMD loader
> * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
> * Develop.js extended
> * Allow to specify modules for which builder doesn't raise dependency error
> * Web UI build profile updated
> * Combobox keyboard support
> * Fix dirty state update of editable combobox
> * Fix handling of no_update flag in Web UI
> * Web UI: configurable SID blacklists
> * Web UI:Certificate pages
> * Web UI:Choose different search option for cert-find
> * Fixed Web UI build error caused by rhino changes in F19
> * Nestable checkbox/radio widget
> * Added Web UI support for service PAC type option: NONE
> * Web UI: Disable cert functionality if a CA is not available
>
> Rob Crittenden (16):
> * Convert uniqueMember members into DN objects.
> * Add Ana Krivokapic to Contributors.txt
> * Do SSL CA verification and hostname validation.
> * Don't initialize NSS if we don't have to, clean up unused cert refs
> * Update anonymous access ACI to protect secret attributes.
> * Make certmonger a (pre) requires on server, restart it before upgrading
> * Use new certmonger locking to prevent NSS database corruption.
> * Improve migration performance
> * Add LDAP server fallback to client installer
> * Prevent a crash when no entries are successfully migrated.
> * Implement the cert-find command for the dogtag CA backend.
> * Add missing v3 schema on upgrades, fix typo in schema.
> * Don't base64-encode the CA cert when uploading it during an upgrade.
> * Extend ipa-replica-manage to be able to manage DNA ranges.
> * Improve some error handling in ipa-replica-manage
> * Fix lockout of LDAP bind.
>
> Simo Sorce (2):
> * Log info on failure to connect
> * Upload CA cert in the directory on install
>
> Sumit Bose (17):
> * ipa-kdb: remove unused variable
> * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
> * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
> * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
> * ipa-lockout: Wrong sizeof argument in ipa_lockout.c
> * ipa-extdom: Double-free in ipa_extdom_common.c
> * ipa-pwd: Unchecked return value ipapwd_chpwop()
> * Revert "MS-PAC: Special case NFS services"
> * Add NFS specific default for authorization data type
> * ipa-kdb: Read global defaul ipaKrbAuthzData
> * ipa-kdb: Read ipaKrbAuthzData with other principal data
> * ipa-kdb: add PAC only if requested
> * Add unit test for get_authz_data_types()
> * Mention PAC issue with NFS in service plugin doc
> * Allow 'nfs:NONE' in global configuration
> * Add support for cmocka C-Unit Test framework
> * ipa-pwd-extop: do not use dn until it is really set
>
> Timo Aaltonen (1):
> * convert the base platform modules into packages
>
> Tomas Babej (18):
> * Relax restriction for leading/trailing whitespaces in *-find commands
> * Forbid overlapping rid ranges for the same id range
> * Fix a typo in ipa-adtrust-install help
> * Prevent integer overflow when setting krbPasswordExpiration
> * Add option to specify SID using domain name to idrange-add/mod
> * Prevent changing protected group's name using --setattr
> * Use default.conf as flag of IPA client being installed
> * Make sure appropriate exit status is returned in make-test
> * Make options checks in idrange-add/mod consistent
> * Add trusted domain range objectclass when using idrange-mod
> * Perform secondary rid range overlap check for local ranges only
> * Add support for re-enrolling hosts using keytab
> * Make sure uninstall script prompts for reboot as last
> * Remove implicit Str to DN conversion using *-attr
> * Enforce exact SID match when adding or modifying a ID range
> * Allow host re-enrollment using delegation
> * Add logging to join command
> * Properly handle ipa-replica-install when its zone is not managed by IPA
>
> sbose (1):
> * ipa-kdb: Free talloc autofree context when module is closed
>
