Full upstream release notes: https://www.freeipa.org/page/Releases/4.8.1
It is now possible to tune the Dogtag configuration when creating a CA by passing an overlay configuration file with the --pki-config-override option. Not all options are supported yet, and the documentation is still being worked on.
The FreeIPA 4.8.0 release tarball lacked two update files. This release adds them back. The files existed in git but weren't installed when building distribution packages.
FreeIPA 4.8.0 tightened access to LDAP connections to disallow passing plaintext credentials over an insecure connection. This broke 'ipa migrate-ds' functionality, because migrating to FreeIPA often requires connecting to a legacy LDAP server which might not be using TLS certificates.
FreeIPA 4.8.1 restores the ability to use insecure LDAP connections in 'ipa migrate-ds', for migration purposes only.
For certificate mapping operations it is possible to specify altSecurityIdentities in the certificate mapping filters. The filter is applied by SSSD at both FreeIPA and Active Directory LDAP servers. While nothing is using altSecurityIdentities in FreeIPA now, the schema allows queries to be optimized better on the LDAP server side. Additionally, other certificate mapping attributes are now indexed to allow faster operations in environments with a large set of mapping rules.
FreeIPA-specific certificates tracked by certmonger can now be renewed while preserving the certificate profile used to issue them. It is also possible to change the certificate profile during an update. This is required to allow updating certain profile-specific attributes of the system certificates in the future.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-d95d1971b2