Chef Server 12.9.0 Released

Ohai Chefs!

We’re happy to announce the release of Chef Server 12.9.0. The changes are summarized below
– please see the full release notes[1] and the changelog [2] for more details.

  • General Improvements
    • oc-id will now send confirmation emails on change of email address.
    • chef-server-ctl user-delete will now display a list of which organizations are preventing a user’s deletion. It also now accepts the flag --remove-from-admin-groups to remove the user from organizations’ admin group if doing so would not leave the group empty.
    • Multiple comma-separated host names in an X-Forwarded-Host or X-Forwarded-Server header no longer cause Chef Server to respond to the request with a 500.
  • ACLs
    • It is now possible to update ACLs to include a client that has the same name as a user in the system.
    • Failed ACL updates will now include the name(s) of actors that are rejected as well as the reason.
    • See the ful release notes for additional ACL API enhancements.
  • Security
    • No longer log the user’s password when something goes badly wrong in a login attempt.
    • oc-id now uses secure cookies
  • LDAP
    • It is now possible to include special characters in an LDAP bind password.
    • Fixed crashes that occur during LDAP authentication when user data is not as expected and LDAP auth is bypassed.


All x86_64 builds are currently available. PPC builds will be made available by tomorrow (Friday). Downloads are at the usual location[3].

Important Compatibility Notes

  1. Updating a user’s ACLs via the /users/USER/_acl endpoint will not succeed. This undocumented API is very rarely used and is not supported by tooling provided by Chef Software. If you make internal use of PUTs to this endpoint, please wait until 12.9.1 to upgrade. This issue is being tracked as #938.
  2. Users must be a member of an organization in order to be added to the ACLs of an object in an organization. If a user is an an ACL and is not in the organization, GET of that ACL will work normally, but PUT will be rejected.