freeipa-server package missing from Ubuntu 2x.04

That's because bind 9.16 broke the dns part of it, see bug 1874568.

Bug 1874568 was closed out as fixed. Perhaps we can see this fix percolate to this package freeipa server for 20.04 now?

bind-dyndb-ldap is just a part of the puzzle, I don't think freeipa-server will ever be in 20.04.

Sorry to say that but for an Ubuntu LTS release this is rather disappointing considering that the underlying Bug has been fixed or is irrelevant for people that use FreeIPA Server without the DNS component. There have been bigger changes that have been backported and just work (e.g. TLS1.3).

My organisation was considering FreeIPA (without Bind, we soley use PowerDNS) for our Linux Systems but it seems that we have to postpone the whole thing until at least Ubuntu 22.04 (next LTS), sadly.

Support for bind 9.16 hasn't landed in a freeipa upstream release yet, expected to be in 4.9 some time next year. It would be harsh for folks upgrading from 18.04 to notice that their DNS would break after upgrade. Best to not provide the server at all..

libp11 and softhsm2 both would need fixes backported for the pkcs11 support added in freeipa master

libp11 0.4.11 was recently released, hirsute has that
softhsm 2.6.1 is in groovy and up

Is there any update to this yet?
The current freeipa release is 4.9.1.
I would really need freeipa-server in 20.04.

(Sorry, I posted in wrong issue before)

No, setup still fails due to java/dogtag.

I'm still unable to update production servers from 19.10 (eoan) because of the lack of freeipa-server. Now that 19.10 has been EOL for a while now without resolving this I'll be giving up on Ubuntu and switching these servers to Fedora.

good, threats don't help anyway

Hello team - do you have any news on this - I'm switching from CentOS to Ubuntu LTS and have been using FreeIPA for sometime now. I've chosen 18.04 (LTS) for my ipa servers, but would like to switch to 20.04 (LTS) in the future. Many thanks Luc

Hi guys, I'm also interested in having freeipa-server on 20.04
Thanks

first there would have to be a server on the newer releases, which isn't the case

when this bug will be fix?

We have several FreeIPA servers, currently running CentOS 8.

Because CentOS Streams is unsuitable for a productive environment, we are considering to switch to Ubuntu Server instead.

It would be nice if this package will be re-included in the upcoming 22 release.

yes it would, although there are still issues and it's looking unlikely that a server package will be in 22.04

Since december last year the freeipa-server package is in the debian experimental distribution (https://packages.debian.org/experimental/freeipa-server). Sadly it seems like it will not be included in 22.04 LTS - maybe as a backport if one might hope once it lands in debian.

It's available in experimental to allow easier testing, but there still are places where it fails (setting up a dogtag CA is a hit-or-miss, etc) so unlikely to get in 22.04.

Would it be possible for 22.10 instead?

Are you saying it is in 22.04? I thought I read it was not in it.

Richard Young
Virtualization and Linux Lead
Executive IT Specialist
IBM Systems Lab Services
________________________________
[2D barcode - encoded with contact information] Mobile: 1-262-893-8662<tel:1-262-893-8662>
E-mail:<email address hidden><mailto:<email address hidden>>

777 E Wisconsin Ave<x-apple-data-detectors://10>
Milwaukee, WI 53202-5302<x-apple-data-detectors://10>
United States<x-apple-data-detectors://10>

On May 4, 2022, at 6:51 AM, Frank Heimes <email address hidden> wrote:

Would it be possible for 22.10 instead?

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1875114

Title:
 freeipa-server package missing on Ubuntu 20.04

Status in freeipa package in Ubuntu:
 Triaged
Status in libp11 package in Ubuntu:
 Fix Released
Status in softhsm2 package in Ubuntu:
 Fix Released

Bug description:
 previous releases of Ubuntu have freeipa-server package to install freeipa server
 but on 20.04 only client part can be found

 $ apt-cache search freeipa
 libipa-hbac-dev - FreeIPA HBAC Evaluator library -- development files
 libipa-hbac0 - FreeIPA HBAC Evaluator library
 libnss-sss - Nss library for the System Security Services Daemon
 libpam-sss - Pam module for the System Security Services Daemon
 python3-sss - Python3 module for the System Security Services Daemon
 sssd - System Security Services Daemon -- metapackage
 sssd-common - System Security Services Daemon -- common files
 sssd-tools - System Security Services Daemon -- tools
 cockpit-ws - Cockpit Web Service
 freeipa-client - FreeIPA centralized identity framework -- client
 freeipa-client-samba - FreeIPA centralized identity framework -- Samba client
 freeipa-common - FreeIPA centralized identity framework -- common files
 puppet-module-joshuabaird-ipaclient - Puppet module for Joshuabaird IPAclient
 python3-ipaclient - FreeIPA centralized identity framework -- Python3 modules for ipaclient
 python3-ipalib - FreeIPA centralized identity framework -- shared Python3 modules
 python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1875114/+subscriptions

@Richard: Timo meant Debian experimental, and indeed in Debian we have:

freeipa-server | 4.9.8-1+exp1 | experimental

Once included in Ubuntu, inclusion of freeipa-server in 22.04 isn't to be ruled out: it could fall under the "we sometimes want to introduce new features" case of [1], but I didn't investigate the details. Time certainly knows better as he's the maintainer of the freeipa Debian package.

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases

nothing has changed since comment #18

Echoing comment #4. Running it on bionic, which is officially out of support, is just not a good idea.

The current blocker for 24.04 is bind-dyndb-ldap requiring a rebuild every time bind9 is updated. I've proposed merging the packaging to src:bind9, but it was shot down

https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

because updates also include new upstream major releases which frequently break bind-dyndb-ldap and might take a while for upstream to fix. Right now it's broken for bind9 9.19, unfixed for 10 months now likely because Redhat hasn't moved to it yet:

https://pagure.io/bind-dyndb-ldap/issue/222

Sadly this means b-d-l is the loser, and thus freeipa-server as well..

The long term fix for the above would be for b-d-l to get re-licensed so that it could be merged with upstream bind9:

https://pagure.io/bind-dyndb-ldap/issue/225

but that's moving slowly as expected.

Oh and Redhat hasn't migrated to tomcat10 yet, and tomcatjss/dogtag-pki won't build with it. And 24.04 will likely get rid of tomcat9.

https://github.com/dogtagpki/tomcatjss/issues/68
https://github.com/dogtagpki/pki/issues/4551