Hello Stijn, We plan to release FreeIPA 3.2.0 to Fedora 19 only (the Prerelease 1 should be already in its repos).
Fedora 18 should receive only stabilization releases of FreeIPA 3.1 branch (FreeIPA 3.1.3 build is currently in Fedora 18 updates-testing repo). HTH, Martin On 04/03/2013 10:36 AM, Stijn De Weirdt wrote: > hi all, > > what minimal OS is targeted for freeipa 3.2: FC19 or FC18? > > > stijn > > On 04/02/2013 06:32 PM, Martin Kosek wrote: >> The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. >> We >> would like to welcome any early testers of this prerelase to provide us >> feedback and help us stabilize this feature release which we plan to release >> as >> final in the beginning of May 2013. >> >> It can be downloaded from http://www.freeipa.org/page/Downloads. The new >> version has also been built for Fedora 19 Alpha, if it does not appear in >> your >> Fedora 19 yet, you can download the build from koji: >> >> http://koji.fedoraproject.org/koji/buildinfo?buildID=408311 >> >> == Highlights in 3.2.0 Prerelease 1 == >> >> === New features === >> * Support installing FreeIPA without an embedded Certificate Authority, with >> user-provided SSL certificates for the HTTP and Directory servers. [1] >> * New cert-find command. Search certificates in the Dogtag database based on >> their serial number, validity or revocation details. This feature is >> available >> both as a CLI command and Web UI page. [2] >> * New trustconfig-show and trustconfig-mod command. Show or modify AD Trust >> settings generated during AD Trust installation (ipa-adtrust-install) [3] >> * Multiple FreeIPA servers can now be designated as Domain Controllers for >> trusts with Active Directory [12] >> * New realmdomains-show and realmdomains-mod command. Manage list of DNS >> domains associated with FreeIPA realm (realmdomains sommand). This list is >> primarily used by AD, which can pull all domains managed by FreeIPA and use >> that list for routing authentication requests for domains which do not match >> FreeIPA realm name. [4] >> * Support trusted domain users in HBAC test command (hbactest command). >> * Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). >> [5] >> * Configurable PAC type for services. Service commands can now configure a >> set >> of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the >> service. >> * Faster UI loading. FreeIPA Web UI application is now packaged in >> minimalized >> format. FreeIPA web server is now also able to transmit data in compressed >> format. [6] [7] >> * UI now accepts confirmation of cancel of its dialogs via keyboard [11] >> * Client reenrollment. A host that has been recreated can now be reenrolled >> to >> FreeIPA server using a backed up host keytab or admin credentials [8] >> * Service and Host commands now provide options to add or remove selected >> Kerberos flags [9] >> >> === Prerelease 1 limitations === >> >> * List of DNS domains associated with FreeIPA realm currently only works >> with a >> special Samba build available for Fedora 18: >> http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to >> rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get >> it working. >> * Test of trusted domain users in HBAC rules is accessible to only to members >> of 'Trust Admins' group due to privilege limitations >> * Same applies to any other trust-specific operations that require >> translation >> between user/group name and its security identifier (SID) >> >> === Bug fixes === >> >> * Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and >> groups from OpenLDAP database instances. >> * Migration process is now also a lot faster and provides more debug output >> (to >> httpd error log). >> * SUDO rules disabled by sudorule-disable command are now removed from >> ou=sudoers compat tree without a need to restart 389 Directory Server >> instance. >> * Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release >> * Fixed server installation with external CA (--external-ca) >> * Consolidate on-line help system, show help without need of valid Kerberos >> credentials (ipa help) >> * New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial >> attribute for replicas which either do not have integrated DNS service >> enabled >> to which have disabled SOA serial autoincrement >> * LDAP lockout plugin has been fixed so that lockout policies are applied >> consistently both for LDAP binds and Kerberos authentication >> * ... and many others stabilization fixes, see Detailed changelog for full >> details >> >> == Changes in API or CLI == >> === Dropped --selfsign option === >> FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. >> This >> configured the server with a NSS database based Certificate Authority with a >> selfsigned CA certificate and limited certificate operation support. >> >> This option was always intended for development or testing purposes only and >> was not intended for use in production. This release drops this option and >> deprecates the functionality. Current FreeIPA servers installed with >> --selfsigned option will still work, instructions on how to migrate to >> supported certificate options will be provided. >> >> FreeIPA servers version 3.2.0 and later supports the following 2 flavors of >> certificate management: >> * FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with >> a >> certificate signed by external CA (--external-ca option) >> * FreeIPA with no pki-ca installed with certificates signed and provided by >> an >> external CA [1] >> >> === Dropped CSV support === >> FreeIPA client CLI supported CSV in some arguments so that multiple values >> could be added with just one convenient option: >> >> ipa permission-add some-perm --permissions=read,write --attrs=sn,cn >> ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2 >> >> CSV parsing however introduces great difficulty when trying to include a >> value >> with an embedded space in it. Escaping these values is not intuitive and made >> it very difficult to add such values. The level of effort in working around >> the >> CSV problems has come to the point where the benefits of it are outweighed by >> the problems which lead to decision to drop CSV support in CLI altogether >> [10]. >> >> There are several ways to workaround lack of CSV: >> >> Provide an argument multiple times on the command-line: >> >> ipa permission-add some-perm --permissions=read --permissions=write >> --attrs=sn >> --attrs=cn >> ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2 >> >> Let BASH do the expansion for you: >> >> ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn} >> ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2} >> >> == Upgrading == >> >> An IPA server can be upgraded simply by installing updated rpms. The server >> does not need to be shut down in advance. >> >> Please note, that the referential integrity extension requires an extended >> set >> of indexes to be configured. RPM update for an IPA server with a excessive >> number of hosts, SUDO or HBAC entries may require several minutes to finish. >> >> If you have multiple servers you may upgrade them one at a time. It is >> expected >> that all servers will be upgraded in a relatively short period (days or weeks >> not months). They should be able to co-exist peacefully but new features will >> not be available on old servers and enrolling a new client against an old >> server will result in the SSH keys not being uploaded. >> >> Downgrading a server once upgraded is not supported. >> >> Upgrading from 2.2.0 and later versions is supported. Upgrading from previous >> versions is not supported and has not been tested. >> >> An enrolled client does not need the new packages installed unless you want >> to >> re-enroll it. SSH keys for already installed clients are not uploaded, you >> will >> have to re-enroll the client or manually upload the keys. >> >> == Feedback == >> >> Please provide comments, bugs and other feedback via the freeipa-users >> mailing >> list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa >> channel >> on Freenode. >> >> == Documentation == >> * [1] http://www.freeipa.org/page/V3/CA-less_install >> * [2] http://www.freeipa.org/page/V3/Cert_find >> * [3] http://www.freeipa.org/page/V3/Trust_config_command >> * [4] http://www.freeipa.org/page/V3/Realm_Domains >> * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists >> * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression >> * [7] http://www.freeipa.org/page/V3/WebUI_build >> * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment >> * [9] http://www.freeipa.org/page/V3/Kerberos_Flags >> * [10] http://www.freeipa.org/page/V3/Drop_CSV >> * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation >> * [12] http://www.freeipa.org/page/V3/MultipleTrustServers >> >> == Detailed Changelog since 3.1.0 == >> Alexander Bokovoy (7): >> * Update plugin to upload CA certificate to LDAP >> * ipasam: use base scope when fetching domain information about own domain >> * ipaserver/dcerpc: enforce search_s without schema checks for GC searching >> * ipa-replica-manage: migrate to single_value after LDAPEntry updates >> * Process exceptions when talking to Dogtag >> * ipasam: add enumeration of UPN suffixes based on the realm domains >> * Enhance ipa-adtrust-install for domains with multiple IPA server >> >> Ana Krivokapic (10): >> * Raise ValidationError for incorrect subtree option. >> * Add crond as a default HBAC service >> * Take into consideration services when deleting replicas >> * Add list of domains associated to our realm to cn=etc >> * Improve error messages for external group members >> * Remove check for alphabetic only characters from domain name validation >> * Fix internal error for ipa show-mappings >> * Realm Domains page >> * Use default NETBIOS name in unattended ipa-adtrust-install >> * Add mkhomedir option to ipa-server-install and ipa-replica-install >> >> Brian Cook (1): >> * Add DNS Setup Prompt to Install >> >> JR Aquino (1): >> * Allow PKI-CA Replica Installs when CRL exceeds default maxber value >> >> Jakub Hrozek (1): >> * Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir >> >> Jan Cholasta (24): >> * Pylint cleanup. >> * Drop ipapython.compat. >> * Add support for RFC 6594 SSHFP DNS records. >> * Raise ValidationError on invalid CSV values. >> * Run interactive_prompt callbacks after CSV values are split. >> * Add custom mapping object for LDAP entry data. >> * Add make_entry factory method to LDAPConnection. >> * Remove the Entity class. >> * Remove the Entry class. >> * Use the dn attribute of LDAPEntry to set/get DNs of entries. >> * Preserve case of attribute names in LDAPEntry. >> * Aggregate IPASimpleLDAPObject in LDAPEntry. >> * Support attributes with multiple names in LDAPEntry. >> * Use full DNs in plugin code. >> * Remove DN normalization from the baseldap plugin. >> * Remove support for DN normalization from LDAPClient. >> * Fix remove while iterating in suppress_netgroup_memberof. >> * Remove disabled entries from sudoers compat tree. >> * Fix internal error in output_for_cli method of sudorule_{enable,disable}. >> * Do not fail if schema cannot be retrieved from LDAP server. >> * Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin. >> * Allow disabling attribute decoding in LDAPClient and IPAdmin. >> * Disable schema retrieval and attribute decoding when talking to AD GC. >> * Add Kerberos ticket flags management to service and host plugins. >> >> John Dennis (2): >> * Cookie Expires date should be locale insensitive >> * Use secure method to acquire IPA CA certificate >> >> Lynn Root (4): >> * Switch %r specifiers to '%s' in Public errors >> * Added the ability to do Beta versioning >> * Fixed the catch of the hostname option during ipa-server-install >> * Raise ValidationError when CSR does not have a subject hostname >> >> Martin Kosek (58): >> * Add Lynn Root to Contributors.txt >> * Enable SSSD on client install >> * Fix delegation-find command --group handling >> * Do not crash when Kerberos SRV record is not found >> * permission-find no longer crashes with --targetgroup >> * Avoid CRL migration error message >> * Sort LDAP updates properly >> * Upgrade process should not crash on named restart >> * Installer should not connect to 127.0.0.1 >> * Fix migration for openldap DS >> * Remove unused krbV imports >> * Use fully qualified CCACHE names >> * Fix permission_find test error >> * Add trusconfig-show and trustconfig-mod commands >> * ipa-kdb: add sentinel for LDAPDerefSpec allocation >> * ipa-kdb: avoid ENOMEM when all SIDs are filtered out >> * ipa-kdb: reinitialize LDAP configuration for known realms >> * Add SID blacklist attributes >> * ipa-kdb: read SID blacklist from LDAP >> * ipa-sam: Fill SID blacklist when trust is added >> * ipa-adtrust-install should ask for SID generation >> * Test NetBIOS name clash before creating a trust >> * Generalize AD GC search >> * Do not hide SID resolver error in group-add-member >> * Add support for AD users to hbactest command >> * Fix hbachelp examples formatting >> * ipa-kdb: remove memory leaks >> * ipa-kdb: fix retry logic in ipadb_deref_search >> * Add autodiscovery section in ipa-client-install man pages >> * Avoid internal error when user is not Trust admin >> * Use fixed test domain in realmdomains test >> * Bump FreeIPA version for development branch >> * Remove ORDERING for IA5 attributeTypes >> * Fix includedir directive in krb5.conf template >> * Use new 389-ds-base cleartext password API >> * Do not hide idrange-add errors when adding trust >> * Preserve order of servers in ipa-client-install >> * Avoid multiple client discovery with fixed server list >> * Update named.conf parser >> * Use tkey-gssapi-keytab in named.conf >> * Do not force named connections on upgrades >> * ipa-client discovery with anonymous access off >> * Use temporary CCACHE in ipa-client-install >> * Improve client install LDAP cert retrieval fallback >> * Configure ipa_dns DS plugin on install and upgrade >> * Fix structured DNS record output >> * Bump selinux-policy requires >> * Clean spec file for Fedora 19 >> * Remove build warnings >> * Remove syslog.target from ipa.server >> * Put pid-file to named.conf >> * Update mod_wsgi socket directory >> * Normalize RA agent certificate >> * Require 389-base-base 1.3.0.5 >> * Change CNAME and DNAME attributes to single valued >> * Improve CNAME record validation >> * Improve DNAME record validation >> * Become 3.2.0 Prerelease 1 >> >> Petr Spacek (1): >> * Add 389 DS plugin for special idnsSOASerial attribute handling >> >> Petr Viktorin (101): >> * Sort Options and Outputs in API.txt >> * Add the CA cert to LDAP after the CA install >> * Better logging for AdminTool and ipa-ldap-updater >> * Port ipa-replica-prepare to the admintool framework >> * Make ipapython.dogtag log requests at debug level, not info >> * Don't add another nsDS5ReplicaId on updates if one already exists >> * Improve `ipa --help` output >> * Print help to stderr on error >> * Store the OptionParser in the API, use it to print unified help messages >> * Simplify `ipa help topics` output >> * Add command summary to `ipa COMMAND --help` output >> * Mention `ipa COMMAND --help` as the preferred way to get command help >> * Parse command arguments before creating a context >> * Add tests for the help command & --help options >> * In topic help text, mention how to get help for commands >> * Check SSH connection in ipa-replica-conncheck >> * Use ipauniqueid for the RDN of sudo commands >> * Prevent a sudo command from being deleted if it is a member of a sudo rule >> * Update sudocmd ACIs to use targetfilter >> * Add the version option to all Commands >> * Add ipalib.messages >> * Add client capabilities, enable messages >> * Rename the "messages" Output of the i18n_messages command to "texts" >> * Fix permission validation and normalization in aci.py >> * Remove csv_separator and csv_skipspace Param arguments >> * Drop support for CSV in the CLI client >> * Update argument docs to reflect dropped CSV support >> * Update plugin docstrings (topic help) to reflect dropped CSV support >> * cli: Do interactive prompting after a context is created >> * Remove some unused imports >> * Remove unused methods from Entry, Entity, and IPAdmin >> * Derive Entity class from Entry, and move it to ldapupdate >> * Use explicit loggers in ldap2 code >> * Move LDAPEntry to ipaserver.ipaldap and derive Entry from it >> * Remove connection-creating code from ShemaCache >> * Move the decision to force schema updates out of IPASimpleLDAPObject >> * Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap >> * Start LDAPConnection, a common base for ldap2 and IPAdmin >> * Make IPAdmin not inherit from IPASimpleLDAPObject >> * Move schema-related methods to LDAPConnection >> * Move DN handling methods to LDAPConnection >> * Move filter making methods to LDAPConnection >> * Move entry finding methods to LDAPConnection >> * Remove unused proxydn functionality from IPAdmin >> * Move entry add, update, remove, rename to LDAPConnection >> * Implement some of IPAdmin's legacy methods in terms of LDAPConnection >> methods >> * Replace setValue by keyword arguments when creating entries >> * Use update_entry with a single entry in adtrustinstance >> * Replace entry.getValues() by entry.get() >> * Replace entry.setValue/setValues by item assignment >> * Replace add_s and delete_s by their newer equivalents >> * Change {add,update,delete}_entry to take LDAPEntries >> * Remove unused imports from ipaserver/install >> * Remove unused bindcert and bindkey arguments to IPAdmin >> * Turn the LDAPError handler into a context manager >> * Remove dbdir, binddn, bindpwd from IPAdmin >> * Remove IPAdmin.updateEntry calls from fix_replica_agreements >> * Remove IPAdmin.get_dns_sorted_by_length >> * Replace IPAdmin.checkTask by replication.wait_for_task >> * Introduce LDAPEntry.single_value for getting single-valued attributes >> * Remove special-casing for missing and single-valued attributes in >> LDAPUpdate._entry_to_entity >> * Replace entry.getValue by entry.single_value >> * Replace getList by a get_entries method >> * Remove toTupleList and attrList from LDAPEntry >> * Rename LDAPConnection to LDAPClient >> * Replace addEntry with add_entry >> * Replace deleteEntry with delete_entry >> * Fix typo and traceback suppression in replication.py >> * replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE) >> * Inline inactivateEntry in its only caller >> * Inline waitForEntry in its only caller >> * Proxy LDAP methods explicitly rather than using __getattr__ >> * Remove search_s and search_ext_s from IPAdmin >> * Replace IPAdmin.start_tls_s by an __init__ argument >> * Remove IPAdmin.sasl_interactive_bind_s >> * Remove IPAdmin.simple_bind_s >> * Remove IPAdmin.unbind_s(), keep unbind() >> * Use ldap instead of _ldap in ipaldap >> * Do not use global variables in migration.py >> * Use IPAdmin rather than raw python-ldap in migration.bind >> * Use IPAdmin rather than raw python-ldap in ipactl >> * Remove some uses of raw python-ldap >> * Improve LDAPEntry tests >> * Fix installing server with external CA >> * Change DNA magic value to -1 to make UID 999 usable >> * Move ipaldap to ipapython >> * Remove ipaserver/ipaldap.py >> * Use IPAdmin rather than raw python-ldap in ipa-client-install >> * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py >> * Remove unneeded python-ldap imports >> * Don't download the schema in ipadiscovery >> * ipa-server-install: Make temporary pin files available for the whole >> installation >> * ipa-server-install: Remove the --selfsign option >> * Remove unused ipapython.certdb.CertDB class >> * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil >> wrapper >> * Trust CAs from PKCS#12 files even if they don't have Friendly Names >> * dsinstance, httpinstance: Don't hardcode 'Server-Cert' >> * Support installing with custom SSL certs, without a CA >> * Load the CA cert into server NSS databases >> * Do not call cert-* commands in host plugin if a RA is not available >> * ipa-client-install: Do not request host certificate if server is CA-less >> >> Petr Vobornik (38): >> * Make confirm_dialog a base class of revoke and restore certificate dialogs >> * Make confirm_dialog a base class for deleter dialog >> * Make confirm_dialog a base class for message_dialog >> * Confirm mixin >> * Confirm adder dialog by enter >> * Confirm error dialog by enter >> * Focus last dialog when some is closed >> * Confirm association dialogs by enter >> * Standardize login password reset, user reset password and host set OTP >> dialogs >> * Focus first input element after 'Add and Add another' >> * Enable mod_deflate >> * Use Uglify.js for JS optimization >> * Dojo Builder >> * Config files for builder of FreeIPA UI layer >> * Minimal Dojo layer >> * Web UI development environment directory structure and configuration >> * Web UI Sync development utility >> * Move of Web UI non AMD dep. libs to libs subdirectory >> * Move of core Web UI files to AMD directory >> * Update JavaScript Lint configuration file >> * AMD config file >> * Change Web UI sources to simple AMD modules >> * Updated makefiles to build FreeIPA Web UI layer >> * Change tests to use AMD loader >> * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk >> * Develop.js extended >> * Allow to specify modules for which builder doesn't raise dependency error >> * Web UI build profile updated >> * Combobox keyboard support >> * Fix dirty state update of editable combobox >> * Fix handling of no_update flag in Web UI >> * Web UI: configurable SID blacklists >> * Web UI:Certificate pages >> * Web UI:Choose different search option for cert-find >> * Fixed Web UI build error caused by rhino changes in F19 >> * Nestable checkbox/radio widget >> * Added Web UI support for service PAC type option: NONE >> * Web UI: Disable cert functionality if a CA is not available >> >> Rob Crittenden (16): >> * Convert uniqueMember members into DN objects. >> * Add Ana Krivokapic to Contributors.txt >> * Do SSL CA verification and hostname validation. >> * Don't initialize NSS if we don't have to, clean up unused cert refs >> * Update anonymous access ACI to protect secret attributes. >> * Make certmonger a (pre) requires on server, restart it before upgrading >> * Use new certmonger locking to prevent NSS database corruption. >> * Improve migration performance >> * Add LDAP server fallback to client installer >> * Prevent a crash when no entries are successfully migrated. >> * Implement the cert-find command for the dogtag CA backend. >> * Add missing v3 schema on upgrades, fix typo in schema. >> * Don't base64-encode the CA cert when uploading it during an upgrade. >> * Extend ipa-replica-manage to be able to manage DNA ranges. >> * Improve some error handling in ipa-replica-manage >> * Fix lockout of LDAP bind. >> >> Simo Sorce (2): >> * Log info on failure to connect >> * Upload CA cert in the directory on install >> >> Sumit Bose (17): >> * ipa-kdb: remove unused variable >> * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac() >> * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain() >> * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c >> * ipa-lockout: Wrong sizeof argument in ipa_lockout.c >> * ipa-extdom: Double-free in ipa_extdom_common.c >> * ipa-pwd: Unchecked return value ipapwd_chpwop() >> * Revert "MS-PAC: Special case NFS services" >> * Add NFS specific default for authorization data type >> * ipa-kdb: Read global defaul ipaKrbAuthzData >> * ipa-kdb: Read ipaKrbAuthzData with other principal data >> * ipa-kdb: add PAC only if requested >> * Add unit test for get_authz_data_types() >> * Mention PAC issue with NFS in service plugin doc >> * Allow 'nfs:NONE' in global configuration >> * Add support for cmocka C-Unit Test framework >> * ipa-pwd-extop: do not use dn until it is really set >> >> Timo Aaltonen (1): >> * convert the base platform modules into packages >> >> Tomas Babej (18): >> * Relax restriction for leading/trailing whitespaces in *-find commands >> * Forbid overlapping rid ranges for the same id range >> * Fix a typo in ipa-adtrust-install help >> * Prevent integer overflow when setting krbPasswordExpiration >> * Add option to specify SID using domain name to idrange-add/mod >> * Prevent changing protected group's name using --setattr >> * Use default.conf as flag of IPA client being installed >> * Make sure appropriate exit status is returned in make-test >> * Make options checks in idrange-add/mod consistent >> * Add trusted domain range objectclass when using idrange-mod >> * Perform secondary rid range overlap check for local ranges only >> * Add support for re-enrolling hosts using keytab >> * Make sure uninstall script prompts for reboot as last >> * Remove implicit Str to DN conversion using *-attr >> * Enforce exact SID match when adding or modifying a ID range >> * Allow host re-enrollment using delegation >> * Add logging to join command >> * Properly handle ipa-replica-install when its zone is not managed by IPA >> >> sbose (1): >> * ipa-kdb: Free talloc autofree context when module is closed >> > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
