FreeIPA 4.12.2

FreeIPA 4.12.2#

The FreeIPA team would like to announce FreeIPA 4.12.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.12.2#

  • 5169: [RFE] Enforce OTP for a subset of scenarios

    When IPA user has an OTP token authentication enabled, it is now possible to enforce LDAP authentication to fail without providing OTP token. This is already the case for Kerberos authentication since 2014; however, some administrators like to enforce it for LDAP-backed applications. The fact that OTP was used for authentication will be recorded in LDAP server logs as MFA note, according to the design described at https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html

  • 9542: Fix replica connection check for use with AD administrator

    Privilege checks in IPA API now support ID overrides, allowing trusted Active Directory users to perform various operations like enrolling a replica.

  • 9594: topologysegment commands cannot be delegated

    RBAC have been added to read, modify, add and remove replication topology segments.

  • 9611: kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica

    The renewal of the PKINIT certficate on hidden replicas were failing because of a test ensuring that the KDC service is either enabled or configured. The test was extended to include hidden as well.

Enhancements#

  • ipa-migrate tool has been improved to handle various migration scenarios. More details are available in design notes page

  • HSM integration got few improvements in validation process

  • Replica can now be promoted when using Active Directory users from trusted Active Directory domains as administrators for FreeIPA deployment

Known Issues#

  • 9641: support for python cryptography 43.0.0

    Added support for python-cryptography up to 43.0.0

Bug fixes#

FreeIPA 4.12.2 is a stabilization release for the features delivered as a part of 4.12 version series.

There are more than 30 bug-fixes since FreeIPA 4.12.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.

Resolved tickets#

  • #5169 [RFE] Enforce OTP for a subset of scenarios

  • #8080 ipa-server-install –uninstall leaves files

  • #9367 Covscan issues: Resource Leak

  • #9488 Nightly test failure in test_trust.py::TestTrust::test_server_option_with_unreachable_ad

  • #9542 Fix replica connection check for use with AD administrator

  • #9584 Race condition in ipa-backup

  • #9594 topologysegment commands cannot be delegated

  • #9603 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check

  • #9606 Nightly test failure (f40+) in test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling

  • #9607 Nightly test failure (f40+) in test_commands.py::TestIPACommand::test_ssh_key_connection

  • #9609 ipa-otptoken-import fails to import encrypted file

  • #9610 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed

  • #9611 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica

  • #9613 After backup/restore of dnssec master, zones are not signed

  • #9615 Nightly test failure (f40+) in test_sssd.py::TestNestedMembers::test_nested_group_members

  • #9616 Nightly test failure in test_backup_and_restore_TestReplicaInstallAfterRestore

  • #9617 The ipa-advise, ipa-backup, and ipa-restore manuals incorrectly show the –v option.

  • #9618 Allow IPA SIDgen task to continue if it finds an entity that SID can’t be assigned to

  • #9619 ipa-migrate starttls does not work

  • #9620 ipa-migrate remove -V option

  • #9621 ipa-migrate should not update mapped attributes in managed entries

  • #9624 A missing cccache prevents Kerberos SSO

  • #9625 Executing the -d option results in an error.

  • #9626 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.

  • #9629 Syntax error uninstalling the selinux-luna subpackage

  • #9632 Unconditionally add MS-PAC to global config

  • #9633 Remove RC4 and 3DES default encryption types on update

  • #9635 Ignore time skew during CA replica installation

  • #9636 misleading warning for missing ipa-selinux-nfast package on luna hsm

  • #9637 adtrustinstance only prints issues in check_inst() and does not log them

  • #9641 support for python cryptography 43.0.0

  • #9642 ipa-migrate - properly handle invalid certificates

  • #9643 freeipa fails to build with nodejs22 on f39 and f40

  • #9644 Fedora 40 pylint issues with PY2/PY3 compatibility

  • #9648 Nightly test failures in test_hsm_TestHSMNegative

Detailed changelog since 4.12.1#

Alexander Bokovoy (5)#

  • Get rid of unicode and long helpers in ipa-otptoken-import commit #9641

  • ipalib/constants.py: factor out TripleDES use commit #9641

  • ipalib/x509.py: get rid of unicode helper commit #9644

  • ipalib/x509.py: support Cryptography 43 commit #9641

  • ipa-pwd-extop: differentiate OTP requirements in LDAP binds commit #5169

Anuja More (1)#

  • ipatests: Test replica installation using AD admin. commit #9542

Antonio Torres (2)#

  • Bump minor version number commit

  • Back to git snapshots commit

Florence Blanc-Renaud (20)#

  • trust-add: handle unavailable domain commit #9488

  • HSM: fix the module name commit #9636

  • ipatests: skip HSM test if pki < 11.5.9 commit #9648

  • ipatests: increase the timeout for test_hsm.py::TestHSMInstall commit

  • Replica CA installation: ignore time skew during initial replication commit #9635

  • spec file: do not use nodejs-22 on f39 and f40 commit #9643

  • ipatests: remove xfail for test_ipa_migrate_stage_mode commit #9621

  • ipatests: remove xfail for test_ipa_migrate_version_option commit #9620

  • test_replica_install_after_restore: kinit after restore commit #9613

  • Uninstall: stop sssd-kcm before removing KCM ccaches database commit #9616

  • ipa-ods-enforcer: stop must also stop the socket commit #9613

  • ipatests: fix / permissions for test_nested_group_members commit #9615

  • ipatests: fix / permissions to allow ssh with private key commit #9607

  • ipatests: mark test_ca_show_error_handling as xfail commit #9606

  • ipatests: configure gating and nightly tests on ipa-4-12 branch commit

  • ipatests: add test for PKINIT renewal on hidden replica commit #9611

  • PKINIT certificate: fix renewal on hidden replica commit #9611

  • ipatests: add test for ticket 9610 commit #9610

  • spec file: do not create /etc/ssh/ssh_config.orig if unchanged commit #9610

  • ipa-otptoken-import: open the key file in binary mode commit #9609

Julien Rische (4)#

  • Remove RC4 and 3DES default encryption types on update commit #9633

  • Unconditionally add MS-PAC to global config on update commit #9632

  • kdb: apply combinatorial logic for ticket flags commit

  • kdb: fix vulnerability in GCD rules handling commit

TAKAHASHI Masatsuna (1)#

  • ipa-advise ipa-backup ipa-restore: Fix –v option of the manual. commit #9617

Shunsuke matsumoto (1)#

  • The -d option of the ipa-advise command was able to used. commit #9625

Mark Reynolds (4)#

  • ipa-migrate - properly handle invalid certificates commit #9642

  • Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries commit #9621

  • ipa-migrate - starttls does not work commit #9619

  • ipa-migrate - remove -V option commit #9620

Mohammad Rizwan (2)#

  • ipatests: Verify that SIDgen task continue even if it fails to assign sid commit #9618

  • ipatests: tests related to –token-password-file commit #9603

Rob Crittenden (14)#

  • Fix some resource leaks identified by a static analyzer commit #9367

  • Ignore TripleDES python-cryptography import warnings commit #9641

  • Correct usage of public_key_algorithm_oid in ipalib/x509 commit #9641

  • Log errors reported by adtrustinstance.check_inst() using logger commit #9637

  • Force a logout in KerberosSession if a login is needed commit #9624

  • Run HSM validation as pkiuser to verify token permissions commit #9626

  • ipatests: Fix usage of token_password_file commit #9603

  • Fix a copy/paste issue when detecting the HSM SELinux subpackage commit #9636

  • Include token password options in ipa-kra-install man page commit #9603

  • Re-organize HSM validation to be more consistent/less duplication commit #9603

  • Fix syntax error in the selinux-luna %postun script commit #9629

  • Clean up more files and directories created by the installer(s) commit #8080

  • Add iparepltopoconf objectclass to topology permissions commit #9594

  • Use a unique task name for each backend in ipa-backup commit #9584

Sudhir Menon (4)#

  • ipatests: Replace ‘usermod -r’ command with ‘gpasswd -d’ in test_hsm.py commit #9626

  • ipatests: ipa-migrate tool with -Z option (CACERTFILE) commit

  • Added new testsuite(ipa_ipa_migration) in prci definitions commit

  • ipatests: Tests for ipa-ipa migration tool commit

Thomas Woerner (1)#

  • ipa_sidgen: Allow sidgen_task to continue after finding issues commit #9618