diff --git a/website/docs/releases/2025/v2025.4.md b/website/docs/releases/2025/v2025.4.md index 03da72186c..24fbcc47ab 100644 --- a/website/docs/releases/2025/v2025.4.md +++ b/website/docs/releases/2025/v2025.4.md @@ -9,9 +9,50 @@ slug: "/releases/2025.4" To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet. ::::: +## Highlights + +- **Improve membership resolution for the LDAP Source**: Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory. + +- **Support for PostgreSQL Connection Pools**: PostgreSQL Connection Pools provides a set of open connections in order to reduce latency. + +- **RBAC: Initial Permissions** (Preview): Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege. + +- **Password History Policy** (Enterprise): A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance. + +- **Source Sync Dry Run** (:ak-preview): Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts. + ## Breaking changes -### Manual action may be required +- **Reputation score limit**: The default value for the new limits on Reputation score is between `-5` and `5`. This might break some current setups which count on the possibility of scores decreasing or increasing beyond these limits. You can set your custom limits under **System > Settings**. + +- **Deprecated and frozen `:latest` container image tag after 2025.2** + + Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. + + The tag will not be removed, however it will also not be updated past 2025.2. + + We strongly recommended the use of a specific version tag for authentik instances' container images like `:2025.4`. + +- **Helm chart dependencies update**: Following [Bitnami's changes to only publish latest version of containers](https://github.com/bitnami/containers/issues/75671), the Helm chart dependencies (PostgreSQL and Redis) will now be updated with each release. + +For this release: + +- The Redis chart will be upgraded to the latest version. As the image is not pinned, it will also get upgraded. +- The PostgreSQL chart will be upgraded to the latest version, but the image will remain pinned to `15.8.0-debian-12-r18`. + +For the next release: + +- The Redis chart will be upgraded to the latest version again. +- The PostgreSQL chart will be upgraded to the latest version again, and the image will no longer be pinned, which will bring it to PostgreSQL major version `17`. This will require following PostgreSQL major upgrade steps, for which we provide [documentation](../../troubleshooting/postgres/upgrade_kubernetes.md). + +For subsequent releases: + +- The Redis chart will be upgraded to the latest version. +- The PostgreSQL chart will be upgraded to the latest version, with major upgrades being called out in authentik release notes. + +We encourage users to pin their PostgreSQL image version. + +### Manual action might be required #### Sessions are now stored in the database @@ -19,7 +60,38 @@ Previously, sessions were stored by default in the cache. Now, they are stored i ## New features -### Postgres pool +- **Remember me**: Users can now choose to skip entering their usernames after their first login on the same device. This feature is optional and admins can enable it in the [Identification stage](https://TODO). + +- **RBAC: Initial Permissions** + + In hardened authentik installations, it is possible for a user to have permission to create an object type, but not to view/change/delete(/etc) objects of that type. Previously, this could result in a user creating an object and then not having any access to that object. `InitialPermissions` is a mechanism to automatically add permissions to any object on creation. + +- **Reputation score limit** + + Reputation scores now have a configurable numerical limit in addition to the [already existing temporal limit](https://docs.goauthentik.io/docs/install-config/configuration/#authentik_reputation__expiry). + +- **Support for PostgreSQL Connection Pools**: See [description](#highlights) under Highlights. Refer to our [documentation](https://TODO). + +- **Password History Policy**: See [description](#highlights) under Highlights. Refer to our [documentation](https://TODO). + +## New integration guides + +An integration is a how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. + +- [Apple Business Manager](../../../integrations/services/apple/) +- [FleetDM](../../../integrations/services/fleet/) +- [Gravity](../../../integrations/services/gravity/) +- [Homarr](../../../integrations/services/homarr/) +- [KnocKnoc](../../../integrations/services/knocknoc) +- [Mautic](../../../integrations/services/mautic/) +- [Mailcow](../../../integrations/services/mailcow/) +- [Mealie](../../../integrations/services/mealie/) +- [OpenProject](../../../integrations/services/openproject) +- [Sidero Omni](../../../integrations/services/omni) +- [Tandoor](../../../integrations/services/tandoor/) +- [Wazuh](../../../integrations/services/wazuh) +- [XCreds](../../../integrations/services/xcreds) +- [Zipline](../../../integrations/services/zipline/) ## Upgrading @@ -51,8 +123,8 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.4 ## Minor changes/fixes - - ## API Changes - +#### What's New + +---