Hi,

Thanks to Carl and Brian, yesterday's compose of CentOS 8 Stream now includes RHEL IdM bits slated for RHEL 8.4. Several components were rebased to their upstream versions and are worth noting to those who want to test them in advance of RHEL 8.4.

Note that these are not the final RHEL IdM updates for RHEL 8.4. While the RHEL builds have already passed through a comprehensive QA cycle, there are still a few improvements that will come during the next month or so. Bugs found by CentOS 8 Stream users would in general be seen in the same way as those found by RHEL QE teams during the RHEL minor release development, so it is your opportunity to help. Also, improvements in the form of upstream patches are welcome too.

There are many small and large fixes and improvements in FreeIPA 4.9.0. For more detailed information I'd point to the FreeIPA 4.9.0 release notes: https://www.freeipa.org/page/Releases/4.9.0#Highlights_in_4.9.0

Among those changes, we are looking for feedback on the following features of RHEL IdM in CentOS 8 Stream:

== ACME CA integration

With FreeIPA 4.9 and Dogtag 10.10 it is now possible to deploy ACME support in the FreeIPA CA and issue certificates using the ACME protocol. For more details please look at https://www.freeipa.org/page/V4/ACME for a general design overview and Fraser's blogs around the feature: https://frasertweedale.github.io/blog-redhat/tags/acme.html

CentOS 8 Stream includes the mod_md Apache module as one of the ACME clients. Fedora and EPEL also have certbot, so there are multiple clients to use. Interoperability testing with other clients would also be great to see reported.

== Active Directory integration improvements

There are enhancements for the services for user (S4U) feature of the Kerberos protocol extensions in Active Directory. In particular, it is now possible to run MS SQL server on a server enrolled into a RHEL IdM domain and allow access to it to users of trusted Active Directory forests, along with IPA users. MS SQL does certain operations that required functionality not supported by RHEL IdM. This was fixed in RHEL 8.3. More improvements are available in CentOS 8 Stream, including performance improvements when creating Kerberos tickets for Active Directory users with a large AD group membership.

== Non-FQDN host support

FreeIPA requires uniform hostname support: either all systems are defined with fully-qualified hostnames or they are all using non-FQDN. In practice, there are checks in the installers to always force FQDN host names. There are many applications that insist on seeing hostnames as non-fully qualified. FreeIPA 4.9.0 adds the ability to enroll non-FQDN hosts into an otherwise FQDN-based IPA deployment. In addition, this allows enrolling clients with hostnames of total FQDN length longer than 64 characters on Linux.

== FIPS support

RHEL IdM in CentOS 8 Stream is now capable of being deployed and operated in FIPS mode. One notable omission is the support for trusted Active Directory domains. We are working on FIPS support for trust to AD upstream and have already made good progress. Hopefully, this work will be completed in the upcoming weeks and will also land in CentOS 8 Stream.

== DNS support improvements

PTR records are now supported in any zone type to facilitate DNS-SD [RFC6763] operations, for example, publishing printers.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
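The DNS-SD note at the end of the announcement is the one item where a worked example shows something the sentence does not: RFC 6763 puts PTR records in the *forward* zone (one pointing from the service type to the instance, one for service-type enumeration), which is why a DNS server that only accepted PTR in reverse zones could not host a printer advertisement. The script below is an added example, not code from the announcement or from the FreeIPA project. It builds and sanity-checks the PTR/SRV/TXT record set for one IPP printer in a constructed zone (`example.test`, host `printer1`, port 631 are made-up values) and emits matching `ipa dnsrecord-add` lines; the option names `--ptr-rec`, `--srv-rec` and `--txt-rec` are the ipa CLI's, but the exact quoting of TXT data in those lines is my assumption and should be checked against your own deployment.

```python
"""Build and check a DNS-SD (RFC 6763) record set for one service instance.

Constructed example: advertise an IPP printer in the forward zone example.test.
DNS-SD needs PTR records in the forward zone; the set below shows which ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One resource record in zone-file presentation form."""
    owner: str   # absolute owner name, with trailing dot
    rtype: str   # PTR, SRV or TXT
    rdata: str

    def zone_line(self) -> str:
        return f"{self.owner} IN {self.rtype} {self.rdata}"


def _absolute(name: str) -> str:
    """Return name as an absolute DNS name with exactly one trailing dot."""
    return name.rstrip(".") + "."


def _escape_label(label: str) -> str:
    """Escape an instance label for presentation format (RFC 1035 backslash-DDD)."""
    out = []
    for ch in label:
        if ch in ".\\":
            out.append("\\" + ch)
        elif ch == " ":
            out.append("\\032")
        else:
            out.append(ch)
    return "".join(out)


def _txt_rdata(txt: dict) -> str:
    """Encode key=value pairs as separate TXT strings (RFC 6763 section 6)."""
    if not txt:
        return '""'  # section 6.1: an empty TXT record is still required
    parts = []
    for key, value in txt.items():
        if not key or "=" in key or not key.isascii() or not key.isprintable():
            raise ValueError(f"invalid TXT key {key!r}")
        item = f"{key}={value}"
        if len(item.encode()) > 255:  # one TXT string is at most 255 bytes
            raise ValueError(f"TXT string too long for key {key!r}")
        parts.append(f'"{item}"')
    return " ".join(parts)


def dns_sd_records(instance, service, proto, zone, target, port, txt):
    """Return the four records that advertise <instance>.<service>.<proto>.<zone>."""
    if proto not in ("_tcp", "_udp"):
        raise ValueError("proto must be _tcp or _udp")
    if not service.startswith("_"):
        raise ValueError("service label must start with '_'")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    zone = _absolute(zone)
    service_name = f"{service}.{proto}.{zone}"
    instance_name = f"{_escape_label(instance)}.{service_name}"
    return [
        # Service type enumeration (section 9): a PTR in the forward zone.
        Record(f"_services._dns-sd._udp.{zone}", "PTR", service_name),
        # Service instance enumeration (section 4.1): another forward-zone PTR.
        Record(service_name, "PTR", instance_name),
        # Where the instance is reachable (section 5).
        Record(instance_name, "SRV", f"0 0 {port} {_absolute(target)}"),
        # Instance metadata (section 6).
        Record(instance_name, "TXT", _txt_rdata(txt)),
    ]


def check_dns_sd(records):
    """Return a list of problems with the PTR -> SRV/TXT chain (empty if complete)."""
    have = {(r.owner, r.rtype) for r in records}
    problems = []
    instances = [r.rdata for r in records
                 if r.rtype == "PTR" and not r.owner.startswith("_services._dns-sd._udp.")]
    if not instances:
        problems.append("no service-instance PTR record")
    for inst in instances:
        for rtype in ("SRV", "TXT"):
            if (inst, rtype) not in have:
                problems.append(f"{inst} lacks {rtype}")
        for r in records:
            if r.owner == inst and r.rtype == "SRV":
                fields = r.rdata.split()
                if len(fields) != 4 or not fields[3].endswith("."):
                    problems.append(f"bad SRV rdata for {inst}: {r.rdata}")
    return problems


def ipa_commands(records, zone):
    """Render records as ipa dnsrecord-add lines (quoting is an assumption)."""
    zone_abs = _absolute(zone)
    flags = {"PTR": "ptr-rec", "SRV": "srv-rec", "TXT": "txt-rec"}
    cmds = []
    for r in records:
        if r.owner == zone_abs:
            rel = "@"
        elif r.owner.endswith("." + zone_abs):
            rel = r.owner[: -len(zone_abs) - 1]
        else:
            raise ValueError(f"{r.owner} is not inside zone {zone_abs}")
        cmds.append(f"ipa dnsrecord-add {zone_abs.rstrip('.')} '{rel}' "
                    f"--{flags[r.rtype]}='{r.rdata}'")
    return cmds


if __name__ == "__main__":
    recs = dns_sd_records("Office Printer", "_ipp", "_tcp", "example.test",
                          "printer1.example.test", 631,
                          {"txtvers": "1", "rp": "ipp/print"})
    for rec in recs:
        print(rec.zone_line())
    print("problems:", check_dns_sd(recs))
    print("\n".join(ipa_commands(recs, "example.test")))
```

Dropping any one of the four records (try `recs[:3]`) makes `check_dns_sd` report the gap, which is the failure mode a resolver sees as "service listed but not resolvable".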