FreeIPA 4.11.0
The FreeIPA team would like to announce the FreeIPA 4.11.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
The FreeIPA 4.11 series introduces support for FIDO2-based passkeys.
Traditional password authentication is no longer considered secure enough by many companies and government agencies. More secure alternatives exist, among them passkeys, where the private key is stored on an external device and the server only needs to know the public key.
For the purpose of this feature, a passkey is a FIDO2-compatible device supported by the libfido2 library. For more details, refer to https://fidoalliance.org/fido2/
The goal of this feature is to use a passkey to authenticate a user against IPA. FIDO2-based passkey support is jointly developed by SSSD and IPA:
IPA provides the interface to store the user’s public credentials
IPA provides the interface to configure passkey settings
SSSD performs the actual authentication
Support for passkeys expands the FreeIPA passwordless experience. It is already possible to authenticate FreeIPA users with other hardware-based and passwordless authentication mechanisms such as:
smartcards, using PKCS#11 tokens
two-factor authentication with HOTP or TOTP tokens
delegating authentication to an external OAuth2 identity provider (IdP) with OAuth2 device authorization flow
delegating authentication to an external RADIUS server
The initial implementation only supports physical FIDO2 devices and requires SSSD 2.9.1 or later with passkey support enabled. At the time of the FreeIPA 4.11.0 release this version is only available in development versions of Fedora (39/Rawhide), Debian (testing/sid), Ubuntu (Mantic) and several other distributions.
Two major features are currently still missing from the passwordless authentication integration in FreeIPA:
the ability to enroll hosts into IPA using only passwordless authentication
the ability to log in to the FreeIPA Web UI with passwordless authentication methods without using Kerberos
We also expect nicer integration with graphical environments in future releases.
More details on passkeys integration can be found in the FreeIPA design page.
At the Flock to Fedora 2023 conference we also presented the “Passwordless Fedora” talk, which shows our progress on this journey over the past decade.
Highlights in 4.11.0
9354: Implement resource-based constrained delegation
FreeIPA provides an initial implementation of resource-based constrained delegation (RBCD) for Kerberos services. RBCD and the other Kerberos delegation mechanisms are described in the design document: https://freeipa.readthedocs.io/en/latest/designs/rbcd.html. The initial implementation works for FreeIPA services within the same realm; work on supporting cross-realm RBCD continues.
9443: Context manager for ipalib.api to automatically configure, connect, and disconnect
ipalib.API instances such as ipalib.api now provide a context manager that connects and disconnects the API object. Users no longer have to deal with the different backend types or remember to finalize the API correctly.
import ipalib

# Entering the block configures and connects the API; leaving it disconnects.
with ipalib.api as api:
    api.Command.ping()
9289: Configure server affinity during replica installation
9326: Add support for passkey authentication type in kdb driver
9262: Add “passkey” authentication type
9261: Add CLI and WebUI to register a passkey for a user
9336: Allow custom real name in IPA-EPN
Bug fixes
FreeIPA 4.11.0 is a stabilization release for the features delivered as part of the 4.11 version series.
There are more than 10 bug fixes since the FreeIPA 4.11.0-beta release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.
Resolved tickets
#9289 (rhbz#2149344) Configure server affinity during replica installation
#9345 Convert PKI API to use JSON instead of XML
#9354 Implement resource-based constrained delegation
#9379 Test failure in test_ipa_cert_fix.py::TestCertFixReplica::test_renew_expired_cert_replica
#9428 Failure in test_integration/test_acme.py::TestACMEPrune::test_prune_cert_manual
#9433 (rhbz#2234480) ipa user-mod --idp-user-id fails with: attribute “ipaIdpSub” not allowed
#9434 Support SELinux booleans in the client installer
#9435 BDB tuning should be applied only when BDB backend is used
#9437 ImportWarning: IpaMetaImporter.find_spec() not found; falling back to find_module()
#9446 (rhbz#2149344) Nightly test failure for replica installation with --setup-ca
#9447 Nightly test failure in test_sso.py
#9431 Covscan issues: deadcode and Use after free
#9443 Context manager for ipalib.api to automatically configure, connect, and disconnect
Detailed changelog since 4.11.0-beta
Alexander Bokovoy (4)
Alexandra Nikandrova (1)
doc: typo in basic_usage.md
Antonio Torres (2)
Christian Heimes (2)
Florence Blanc-Renaud (1)
Francisco Trivino (1)
Workshop: fix broken Sphinx cross-references.