FreeIPA 4.8.1

Full upstream release notes: https://www.freeipa.org/page/Releases/4.8.1

Highlights in 4.8.1

• 5608: [RFE] Add Dogtag configuration extensions

It is now possible to tune Dogtag configuration when creating a CA by passing an overlay configuration file with --pki-config-override option. Not all options are supported yet and documentation is being worked on.

• Release tarball corrections

FreeIPA 4.8.0 release tarball did lack two update files. This release adds them back. The files existed in git but weren't installed when building distribution packages.

• 8040: ipa migrade-ds regression

FreeIPA 4.8.0 tightened access to LDAP connections to disallow passing plainttext credentials over an insecure connection. This broke 'ipa migrate-ds' functionality where in order to migrate to FreeIPA one often needs to connect to a legacy LDAP server which might not be using TLS certificates.

FreeIPA 4.8.1 restores ability to use insecure LDAP connections in 'ipa migrate-ds' for migration purposes only.

Enhancements

• 7932 and 7933: index certmap attributes and allow altSecurityIdentities in schema

For certificate mapping operations it is possible to specify altSecurityIdentities in the certification mapping filters. The filter is applied by SSSD at both FreeIPA and Active Directory LDAP servers. While nothing is using altSecurityIdentities in FreeIPA now, the schema allows to optimize queries better at LDAP server side. Additionally, other certificate mapping attributes are now indexed to allow faster operations for environments with a large set of mapping rules.

• 7991: Profile-based renewal of system certificates

FreeIPA-specific certificates tracked by certmonger can now be renewed with preservation of a certificate profile used to issue them. It is also possible to change the certificate profile during update. This is required to allow updating certain profile-specific attributes of the system certificates in future.