FreeIPA 4.12.2 Bugfix Release

FreeIPA is an open-source software project backed by Red Hat that aims to provide an identity, policy and audit system. In doing so, FreeIPA goes further than comparable products such as Microsoft's Active Directory or Novell's eDirectory and combines many open-source technologies into one system. The developers released update 4.12.2 at the end of August 2024.

FreeIPA 4.12.2 Release Notes

Highlights in 4.12.2

  • 5169: [RFE] Enforce OTP for a subset of scenarios
    When an IPA user has OTP token authentication enabled, it is now possible to make LDAP authentication fail unless an OTP token is provided. This has already been the case for Kerberos authentication since 2014; however, some administrators like to enforce it for LDAP-backed applications. The fact that OTP was used for authentication will be recorded in the LDAP server logs as an MFA note, according to the design described at https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
  • 9542: Fix replica connection check for use with AD administrator
    Privilege checks in the IPA API now support ID overrides, allowing trusted Active Directory users to perform various operations like enrolling a replica.
  • 9594: topologysegment commands cannot be delegated
    RBAC has been added for reading, modifying, adding and removing replication topology segments.
  • 9611: kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
    The renewal of the PKINIT certificate on hidden replicas was failing because of a test ensuring that the KDC service is either enabled or configured. The test was extended to include hidden as well.

Enhancements

  • The ipa-migrate tool has been improved to handle various migration scenarios. More details are available on the design notes page.
  • HSM integration received a few improvements in the validation process.
  • A replica can now be promoted when using Active Directory users from trusted Active Directory domains as administrators for a FreeIPA deployment.

Known Issues

  • 9641: support for python cryptography 43.0.0
    Added support for python-cryptography up to 43.0.0

Bug fixes

FreeIPA 4.12.2 is a stabilization release for the features delivered as part of the 4.12 version series.

There are more than 30 bug fixes since the FreeIPA 4.12.1 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Resolved tickets

  • 5169 [RFE] Enforce OTP for a subset of scenarios
  • 8080 ipa-server-install --uninstall leaves files
  • 9367 Covscan issues: Resource Leak
  • 9488 Nightly test failure in test_trust.py::TestTrust::test_server_option_with_unreachable_ad
  • 9542 Fix replica connection check for use with AD administrator
  • 9584 Race condition in ipa-backup
  • 9594 topologysegment commands cannot be delegated
  • 9603 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
  • 9606 Nightly test failure (f40+) in test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
  • 9607 Nightly test failure (f40+) in test_commands.py::TestIPACommand::test_ssh_key_connection
  • 9609 ipa-otptoken-import fails to import encrypted file
  • 9610 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed
  • 9611 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
  • 9613 After backup/restore of dnssec master, zones are not signed
  • 9615 Nightly test failure (f40+) in test_sssd.py::TestNestedMembers::test_nested_group_members
  • 9616 Nightly test failure in test_backup_and_restore_TestReplicaInstallAfterRestore
  • 9617 The ipa-advise, ipa-backup, and ipa-restore manuals incorrectly show the --v option.
  • 9618 Allow IPA SIDgen task to continue if it finds an entity that SID can’t be assigned to
  • 9619 ipa-migrate starttls does not work
  • 9620 ipa-migrate remove -V option
  • 9621 ipa-migrate should not update mapped attributes in managed entries
  • 9624 A missing cccache prevents Kerberos SSO
  • 9625 Executing the -d option results in an error.
  • 9626 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.
  • 9629 Syntax error uninstalling the selinux-luna subpackage
  • 9632 Unconditionally add MS-PAC to global config
  • 9633 Remove RC4 and 3DES default encryption types on update
  • 9635 Ignore time skew during CA replica installation
  • 9636 misleading warning for missing ipa-selinux-nfast package on luna hsm
  • 9637 adtrustinstance only prints issues in check_inst() and does not log them
  • 9641 support for python cryptography 43.0.0
  • 9642 ipa-migrate – properly handle invalid certificates
  • 9643 freeipa fails to build with nodejs22 on f39 and f40
  • 9644 Fedora 40 pylint issues with PY2/PY3 compatibility
  • 9648 Nightly test failures in test_hsm_TestHSMNegative

Source: https://www.freeipa.org/release-notes/4-12-2.html
