[Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0
Martin Basti
2017-03-14 12:51:19 UTC
Hello,

DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0

Please update/let me know what is missing, what is extra.


Martin^2
Jakub Hrozek
2017-03-14 13:50:37 UTC
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Please update this paragraph:
````
AD User Short Names

Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````

With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Luc de Louw
2017-03-14 13:56:46 UTC
My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does it work in Fedora? It should be worth mentioning so people are more
encouraged to test it in Fedora before it gets to RHEL 7.4

Thanks,

Luc
Post by Jakub Hrozek
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
````
AD User Short Names
Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````
With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
--
Luc de Louw
Senior Linux Consultant
Red Hat GmbH
Am Treptower Park 75, 2nd floor
D-12435 Berlin

Email: ***@redhat.com
Cell Germany: +49 162 413 29 64
Cell Bahrain +973 33 54 79 77
Cell UAE +971 50 95 86 406
Cell Saudi Arabia +966 5540 98 525
Cell Austria: +43 66 47 96 90 47
Cell Switzerland: +41 78 664 58 13
Cell France: +33 609 18 57 09
Cell Netherlands: +31 6 21 48 18 67
Cell Uganda: +256 71 39 14 337
Alexander Bokovoy
2017-03-14 14:06:54 UTC
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
I think we should actually add an explicit statement for trust to AD not
currently supporting FIPS 140-2 mode.
--
/ Alexander Bokovoy
Martin Basti
2017-03-14 14:15:03 UTC
Post by Alexander Bokovoy
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
I think we should actually add an explicit statement for trust to AD not
currently supporting FIPS 140-2 mode.
I will add it to known issues
Martin Basti
2017-03-14 14:14:46 UTC
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Post by Luc de Louw
Post by Jakub Hrozek
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
````
AD User Short Names
Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````
With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
Standa Laznicka
2017-03-14 15:07:21 UTC
Post by Martin Basti
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
Post by Martin Basti
Post by Luc de Louw
Post by Jakub Hrozek
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
````
AD User Short Names
Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````
With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
Rob Crittenden
2017-03-14 15:21:20 UTC
Post by Standa Laznicka
Post by Martin Basti
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob
Standa Laznicka
2017-03-14 15:37:32 UTC
Post by Rob Crittenden
Post by Standa Laznicka
Post by Martin Basti
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
I can't believe this is correct. Did you try it and it failed? Did you
file bugs?
Yes, yes and no. Please see the header at this page:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

We tried to set up Fedora for FIPS in RHEV but the machine would not
even start.
Post by Rob Crittenden
The dracut-fips and dracut-fips-aesni packages are both available.
# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
So the basic stuff is there and the kernel knows what FIPS is.
Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).
rob
Rob Crittenden
2017-03-14 19:42:27 UTC
Post by Standa Laznicka
Post by Rob Crittenden
Post by Standa Laznicka
Post by Martin Basti
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
I can't believe this is correct. Did you try it and it failed? Did you
file bugs?
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?
Post by Standa Laznicka
We tried to set up Fedora for FIPS in RHEV but the machine would not
even start.
Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob
Post by Standa Laznicka
Post by Rob Crittenden
The dracut-fips and dracut-fips-aesni packages are both available.
# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
So the basic stuff is there and the kernel knows what FIPS is.
Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).
rob
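Rob's two messages above check FIPS state in three places: the kernel flag (`sysctl crypto.fips_enabled`), the behaviour of a non-approved digest (`md5sum` failing once FIPS is enforced), and the NSS-level flag that applications can toggle with `modutil`. The script below is an added example, not code from the thread or from FreeIPA, that bundles those checks into one report a tester could run before filing a bug. The kernel check takes the file path as a parameter only so it can be exercised against a constructed file; the real interface is /proc/sys/crypto/fips_enabled. The NSS database directory `sql:/etc/pki/nssdb` is an assumed default.

```shell
#!/bin/sh
# Added example: report the FIPS state of the kernel, of coreutils' md5sum,
# and (when nss-tools is installed) of an NSS database. Not FreeIPA code.

# Kernel FIPS flag. The path parameter exists so the function can be tested
# against a constructed file; production callers leave it at the default.
kernel_fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        # Kernel built without CRYPTO_FIPS, or not Linux at all.
        echo "unknown"
        return 2
    fi
    case "$(cat "$f")" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# MD5 is not an approved digest. On Fedora/RHEL builds whose md5sum uses the
# system crypto library it refuses to run in FIPS mode (Rob's observation),
# so a working md5sum is a quick sign that enforcement is not active.
md5_blocked() {
    if printf 'x' | md5sum >/dev/null 2>&1; then
        return 1   # md5sum works: FIPS is not being enforced here
    fi
    return 0       # md5sum failed: FIPS enforced (or md5sum missing)
}

# NSS keeps a per-database FIPS flag independent of the kernel;
# "modutil -chkfips true" exits 0 when the database is in FIPS mode.
# The database location is an assumption for this example.
nss_fips_state() {
    dbdir="${1:-sql:/etc/pki/nssdb}"
    if ! command -v modutil >/dev/null 2>&1; then
        echo "modutil-missing"
        return 2
    fi
    if modutil -dbdir "$dbdir" -chkfips true >/dev/null 2>&1; then
        echo "enabled"
        return 0
    fi
    echo "disabled"
    return 1
}

main() {
    printf 'kernel FIPS: %s\n' "$(kernel_fips_state)"
    if md5_blocked; then
        printf 'md5sum:      blocked (FIPS enforced)\n'
    else
        printf 'md5sum:      works (FIPS not enforced)\n'
    fi
    printf 'NSS db FIPS: %s\n' "$(nss_fips_state)"
}

main "$@"
```

A consistent triple (kernel enabled, md5sum blocked, NSS enabled) is what a FIPS-mode FreeIPA test machine should show; a kernel flag of 1 with md5sum still working points at userspace packages that are not honouring the mode, which is the kind of gap worth a bug report.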
Standa Laznicka
2017-03-15 07:19:51 UTC
Post by Rob Crittenden
Post by Standa Laznicka
Post by Rob Crittenden
Post by Standa Laznicka
Post by Martin Basti
Post by Luc de Louw
My 3 cents...
"Please note that FIPS 140-2 support may not work on some platforms"
-> Does it work in Fedora? It should be worth mentioning so people are
more encouraged to test it in Fedora before it gets to RHEL 7.4
Thanks,
Luc
We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.
I can't believe this is correct. Did you try it and it failed? Did you
file bugs?
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?
It was the only document I found really mentioning FIPS by the time.
There are no instructions on how to set Fedora to FIPS mode, so we used the
RHEL guidelines and the boot failed, but the instructions do not
necessarily have to work for Fedora.
Post by Rob Crittenden
Post by Standa Laznicka
We tried to set up Fedora for FIPS in RHEV but the machine would not
even start.
Fedora 25 works for me in libvirt.
crypto.fips_enabled is 1.
It is enforcing it too, md5sum fails because FIPS is enabled.
So if it isn't working for you then bugs are required.
rob
Post by Standa Laznicka
Post by Rob Crittenden
The dracut-fips and dracut-fips-aesni packages are both available.
I will check dracut-fips at my earliest convenience, I did not notice it
when we started working on FIPS for FreeIPA, thanks.
Post by Rob Crittenden
Post by Standa Laznicka
Post by Rob Crittenden
# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
So the basic stuff is there and the kernel knows what FIPS is.
Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).
rob
Martin Basti
2017-03-14 15:24:59 UTC
Post by Jakub Hrozek
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
````
AD User Short Names
Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````
With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
I updated that section. Shouldn't we remove it completely from release
notes because it will not work until new SSSD is released?
Petr Vobornik
2017-03-14 15:52:01 UTC
Post by Martin Basti
Post by Jakub Hrozek
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
````
AD User Short Names
Support for AD user short names has been added. Short
names can be enabled from the CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD
side is required.
````
With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210
I updated that section. Shouldn't we remove it completely from release
notes because it will not work until new SSSD is released?
I'd keep it there and add Jakub's comment. It will be useful when SSSD
with the support is released.
--
Petr Vobornik
Florence Blanc-Renaud
2017-03-14 14:08:19 UTC
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Martin^2
Hi Martin,

thank you for the release notes. Could you update the section about
Certificate Identity Mapping?
'''
Certificate Identity Mapping

Support for multiple certificates on smart cards has been added. The user
can choose which certificate is used to authenticate. This allows
defining multiple certificates per user.
The same certificate can be used by different accounts, and the mapping
between a certificate and an account can be done through binary match of
the whole certificate or a match on custom certificate attributes (such
as Subject + Issuer).
'''

I also noted a typo:
'''
Bug fixes
Contains all bugfixes and enhacements
'''
should be enhancements.

Thank you,
Flo
Martin Basti
2017-03-14 14:12:38 UTC
Post by Florence Blanc-Renaud
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Martin^2
Hi Martin,
thank you for the release notes. Could you update the section about
Certificate Identity Mapping?
'''
Certificate Identity Mapping
Support for multiple certificates on smart cards has been added. The user
can choose which certificate is used to authenticate. This allows
defining multiple certificates per user.
The same certificate can be used by different accounts, and the
mapping between a certificate and an account can be done through
binary match of the whole certificate or a match on custom certificate
attributes (such as Subject + Issuer).
'''
'''
Bug fixes
Contains all bugfixes and enhacements
'''
should be enhancements.
Thank you,
Flo
Thank you, updated
Fraser Tweedale
2017-03-14 23:49:14 UTC
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Martin^2
I think we should add https://pagure.io/freeipa/issue/2614 to the
`Enhancements' section. There is no design page for it but it was a
big effort and it gives the deployer complete control over the IPA
CA subject DN (previously this was very restricted).

Thanks,
Fraser
Martin Basti
2017-03-15 08:13:35 UTC
Post by Fraser Tweedale
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Martin^2
I think we should add https://pagure.io/freeipa/issue/2614 to the
`Enhancements' section. There is no design page for it but it was a
big effort and it gives the deployer complete control over the IPA
CA subject DN (previously this was very restricted).
Thanks,
Fraser
Can you suggest what to write to the release notes (preferably in copy-paste
form)

thank you :)
Fraser Tweedale
2017-03-15 10:32:32 UTC
Post by Martin Basti
Post by Fraser Tweedale
Post by Martin Basti
Hello,
DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0
Please update/let me know what is missing, what is extra.
Martin^2
I think we should add https://pagure.io/freeipa/issue/2614 to the
`Enhancements' section. There is no design page for it but it was a
big effort and it gives the deployer complete control over the IPA
CA subject DN (previously this was very restricted).
Thanks,
Fraser
Can you suggest what to write to the release notes (preferably in copy-paste
form)
thank you :)
Here you go:

== Fully customisable CA name ==

The CA subject name is now fully customisable, and is no longer
required to be related to the certificate subject base. The
*ipa-server-install* and *ipa-ca-install* commands learned the
*--ca-subject* and *--subject-base* options for configuring these
values.

https://pagure.io/freeipa/issue/2614

Cheers,
Fraser