Changelog

This isn’t every single check-in between versions but will hopefully provide the highlights of the changes.

Version 3.3.3 (11/01/2013)

Ana Krivokapic (4):

  • Add ipa-advise plugins for nss-pam-ldapd legacy clients

  • Do not roll back failed client installation on server

  • Make sure nsds5ReplicaStripAttrs is set on agreements

  • Add test for external CA installation

Jakub Hrozek (1):

  • trusts: combine filters with AND to make sure only the intended domain matches

Jan Cholasta (1):

  • Track DS certificate with certmonger on replicas.

Martin Kosek (14):

  • Do not allow ‘%’ in DM password

  • Remove --no-serial-autoincrement

  • PKI installation on replica failing due to missing proxy conf

  • Use consistent realm name in cainstance and dsinstance

  • Winsync re-initialize should not run memberOf fixup task

  • Installer should always wait until CA starts up

  • Administrative password change does not respect password policy

  • Do not add kadmin/changepw ACIs on new installs

  • Make set_directive and get_directive more strict

  • Remove mod_ssl conflict

  • Add nsswitch.conf to FILES section of ipa-client-install man page

  • Remove ipa-pwd-extop and ipa-enrollment duplicate error strings

  • Remove deprecated AllowLMhash config

  • Become IPA 3.3.3

Petr Viktorin (6):

  • test_caless.TestCertInstall: Fix ‘test_no_ds_password’ test case

  • Use new CLI options in certinstall tests

  • test_simple_replication: Fix waiting for replication

  • freeipa.spec: Fix changelog dates

  • Tests: mkdir_recursive: Don’t fail when top-level directory doesn’t exist

  • beakerlib plugin: Don’t try to submit logs if they are missing

Petr Vobornik (1):

  • Fix password expiration notification

Sumit Bose (3):

  • Use the right attribute with ipapwd_entry_checks for MagicRegen

  • Remove AllowLMhash from the allowed IPA config strings

  • Remove generation and handling of LM hashes

Tomas Babej (23):

  • trusts: Do not create ranges for subdomains in case of POSIX trust

  • ipa-upgradeconfig: Remove backed up smb.conf

  • ipa-adtrust-install: Add warning that we will break existing samba configuration

  • adtrustinstance: Properly handle uninstall of AD trust instance

  • adtrustinstance: Move attribute definitions from setup to init method

  • ipatests: Extend the order plugin to properly handle inheritance

  • Get the created range type in case of re-establishing trust

  • ipatests: Add Active Directory support to configuration

  • ipatests: Extend domain object with ‘ad’ role support and WinHosts

  • ipatests: Extend IntegrationTest with multiple AD domain support

  • ipatests: Create util module for ipatests

  • ipatests: Add WinHost class

  • ipatests: Add AD-integration related tasks

  • ipatests: Add AD integration test case

  • trusts: Fix typo in error message for realm-domain mismatch

  • advice: Add legacy client configuration script using nss-ldap

  • ipatests: Extend clear_sssd_cache to support non-systemd platforms

  • ipatests: Restore SELinux context after restoring files from backup

  • ipatests: Do not use /usr/bin hardcoded paths

  • ipatests: Add support for extra roles referenced by a keyword

  • ipatests: Use command -v instead of which in legacy client advice

  • ipatests: Add integration tests for legacy clients

  • ipatests: test_trust: use domain name instead of realm for user lookups

Version 3.3.2 (10/04/2013)

Alexander Bokovoy (11):

  • ipa-sam: do not modify objectclass when trust object already created

  • ipa-sam: do not leak LDAPMessage on ipa-sam initialization

  • ipa-sam: report supported enctypes based on Kerberos realm configuration

  • ipaserver/dcerpc.py: populate forest trust information using realmdomains

  • trusts: support subdomains in a forest

  • frontend: report arguments errors with better detail

  • ipaserver/dcerpc: remove use of trust account authentication

  • trust: integrate subdomains support into trust-add

  • ipasam: for subdomains pick up defaults for missing values

  • KDC: implement transition check for trusted domains

  • ipa-kdb: Handle parent-child relationship for subdomains

Ana Krivokapic (5):

  • Add integration tests for forced client re-enrollment

  • Create DS user and group during ipa-restore

  • Add warning when uninstalling active replica

  • Do not crash if DS is down during server uninstall

  • Follow tmpfiles.d packaging guidelines

Jan Cholasta (3):

  • Fix nsslapdPlugin object class after initial replication.

  • Read passwords from stdin when importing PKCS#12 files with pk12util.

  • Allow PKCS#12 files with empty password in install tools.

Martin Kosek (5):

  • Use FQDN when creating MSDCS SRV records

  • Do not set DNS discovery domain in server mode

  • Require new SSSD to pull required AD subdomain fixes

  • Remove faulty DNS memberOf Task

  • Become IPA 3.3.2

Nathaniel McCallum (1):

  • Ensure credentials structure is initialized

Petr Spacek (1):

  • Add timestamps to named debug logs in /var/named/data/named.run

Petr Viktorin (15):

  • Remove __all__ specifications in ipaclient and ipaserver.install

  • Make make-lint compatible with Pylint 1.0

  • test_integration.host: Move transport-related functionality to a new module

  • test_integration: Add OpenSSHTransport, used if paramiko is not available

  • ipatests.test_integration.test_caless: Fix mkdir_recursive call

  • ipatests.beakerlib_plugin: Warn instead of failing when some logs are missing

  • ipatests.order_plugin: Exclude test generators from the order

  • ipatests.beakerlib_plugin: Add argument of generated tests to test captions

  • ipatests.test_cmdline.test_help: Re-raise unexpected exceptions on failure

  • Add tests for installing with empty PKCS#12 password

  • Update translations from Transifex

  • ipa-client-install: Use direct RPC instead of api.Command

  • ipa-client-install: Verify RPC connection with a ping

  • Do not fail upgrade if the global anonymous read ACI is not found

  • ipapython.nsslib: Name arguments to NSPRError

Petr Vobornik (5):

  • Fix RUV search scope in ipa-replica-manage

  • Fix redirection on deletion of last dns record entry

  • Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown

  • Fix enablement of automount map type selector

  • ipatests.test_integration.host: Add logging to ldap_connect()

Simo Sorce (1):

  • Add Delegation Info to MS-PAC

Sumit Bose (1):

  • CLDAP: do not read IPA domain from hostname

Tomas Babej (3):

  • Use getent admin@domain for nss check in ipa-client-install

  • Do not add trust to AD in case of IPA realm-domain mismatch

  • Warn user about realm-domain mismatch in install scripts

Version 3.3.1 (08/29/2013)

Alexander Bokovoy (1):

  • Remove systemd upgrader as it is not used anymore

Ana Krivokapic (4):

  • Handle --subject option in ipa-server-install

  • Fix broken replica installation

  • Add integration tests for Kerberos Flags

  • Fix tests which fail after ipa-adtrust-install

Jakub Hrozek (1):

  • EXTDOM: Do not overwrite domain_name for INP_SID

Jan Cholasta (12):

  • Make PKCS#12 handling in ipa-server-certinstall closer to what other tools do.

  • Port ipa-server-certinstall to the admintool framework.

  • Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12.

  • Ignore empty mod error when updating DS SSL config in ipa-server-certinstall.

  • Replace only the cert instead of the whole NSS DB in ipa-server-certinstall.

  • Untrack old and track new cert with certmonger in ipa-server-certinstall.

  • Add --pin option to ipa-server-certinstall.

  • Ask for PKCS#12 password interactively in ipa-server-certinstall.

  • Fix nsSaslMapping object class before configuring SASL mappings.

  • Add --dirman-password option to ipa-server-certinstall.

  • Fix ipa-server-certinstall usage string.

  • Fix service-disable in CA-less install.

Martin Kosek (3):

  • Prevent *.pyo and *.pyc multilib problems

  • Remove rpmlint warnings in spec file

  • Fix selected minor issues in the spec file and license

Nathaniel McCallum (1):

  • Bypass ipa-replica-conncheck ssh tests when ssh is not installed

Petr Viktorin (4):

  • Allow freeipa-tests to work with older paramiko versions

  • Add missing license header to ipa-test-config

  • Add CA-less install tests

  • Add man pages for testing tools

Petr Vobornik (7):

  • Removal of deprecated selenium tests

  • Add base-id, range-size and range-type options to trust-add dialog

  • Hide ‘New Certificate’ action on CA-less install

  • Web UI integration tests: CA-less

  • Web UI Integration tests: Kerberos Flags

  • Web UI integration tests: ID range types

  • Update idrange search facet after trust creation

Rob Crittenden (1):

  • Re-order NULL check in ipa_lockout.

Simo Sorce (3):

  • pwd-plugin: Fix ignored return error

  • kdb-mspac: Fix out of bounds memset

  • kdb-princ: Fix memory leak

Sumit Bose (1):

  • CLDAP: make sure an empty reply is returned on any error

Tomas Babej (6):

  • Remove support for IPA deployments with no persistent search

  • Remove redundant shebangs

  • Perform dirsrv tuning at platform level

  • Make CS.cfg edits with CA instance stopped

  • Fix incorrect error message occurrence when re-adding the trust

  • Log proper error message when defaultNamingContext not found

Version 3.3.0 (08/08/2013)

Alexander Bokovoy (9):

  • Fix cldap parser to work with a single equality filter (NtVer=…)

  • Make sure domain_name is also set when processing INP_NAME requests

  • Fix extdom plugin to provide unqualified name in response as sssd expects

  • Generate synthetic MS-PAC for all services running on IPA master

  • ipa-adtrust-install: configure compatibility tree to serve trusted domain users

  • ipa-kdb: cache KDC hostname on startup

  • ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case

  • ipaserver/dcerpc: attempt to resolve SIDs through SSSD first

  • Rename slapi-nis configuration variable

Ana Krivokapic (26):

  • Prompt for nameserver IP address in dnszone-add

  • Do not display success message on failure in web UI

  • Ignore files generated by build

  • Deprecate options --dom-sid and --dom-name in idrange-mod

  • Prevent error when running IPA commands with su/sudo

  • Fix displaying of success message

  • Fix location of service.crt in .gitignore

  • Improve handling of options in ipa-client-install

  • Fail when adding a trust with a different range

  • Do not display traceback to user

  • Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install

  • Fix bug in adtrustinstance

  • Use correct DS instance in ipactl status

  • Avoid systemd service deadlock during shutdown

  • Make sure replication works after DM password is changed

  • Use --ignore-dependencies only when necessary

  • Properly handle non-existent cert files

  • Add ‘ipa_server_mode’ option to SSSD configuration

  • Bump version of sssd in spec file

  • Use admin@REALM when testing if SSSD is ready

  • Fix internal error in idrange-add

  • Honor ‘enabled’ option for widgets.

  • Expose ipaRangeType in Web UI

  • Add ipa-advise plugins for legacy clients

  • Enable running API commands in ipa-advise plugins

  • Add new command compat-is-enabled

Diane Trout (1):

  • Fix log format not a string literal.

Jakub Hrozek (3):

  • Remove unused variable

  • IPA KDB MS-PAC: return ENOMEM if allocation fails

  • IPA KDB MS-PAC: remove unused variable

Jan Cholasta (21):

  • Use the correct PKCS#12 file for HTTP server.

  • Remove stray error condition in ipa-server-install.

  • Handle exceptions gracefully when verifying PKCS#12 files.

  • Skip empty lines when parsing pk12util output.

  • Do not allow installing CA replicas in CA-less setup.

  • Do not track DS certificate in CA-less setup.

  • Fix CA-less check in ipa-replica-install and ipa-ca-install.

  • Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.

  • Enable SASL mapping fallback.

  • Skip cert issuer validation in service and host commands in CA-less install.

  • Check trust chain length in CA-less install.

  • Use LDAP search instead of *group_show to check if a group exists.

  • Use LDAP search instead of *group_show to check for a group objectclass.

  • Use LDAP modify operation directly to add/remove group members.

  • Add missing substring indices for attributes managed by the referint plugin.

  • Add missing equality index for ipaUniqueId.

  • Run gpg-agent explicitly when encrypting/decrypting files.

  • Add new hidden command option to suppress processing of membership attributes.

  • Ask for PKCS#12 password interactively in ipa-server-install.

  • Ask for PKCS#12 password interactively in ipa-replica-prepare.

  • Print newline after receiving EOF in installutils.read_password.

Lukas Slebodnik (4):

  • Use pkg-config to detect cmocka

  • Use right function prototype for thread function

  • Remove unused variable

  • Remove unused variable

Martin Kosek (17):

  • Set KRB5CCNAME so that dirsrv can work with newer krb5-server

  • Handle DIR type CCACHEs in test_cmdline properly

  • Avoid exporting KRB5_KTNAME in dirsrv env

  • Remove redundant u’’ character

  • Drop SELinux subpackage

  • Drop redundant directory /var/cache/ipa/sessions

  • Remove entitlement support

  • Run server upgrade and restart in posttrans

  • Require new selinux-policy replacing old server-selinux subpackage

  • Bump minimum SSSD version

  • Become 3.3.0 Beta 1

  • Free NSS objects in --external-ca scenario

  • Use valid LDAP search base in migration plugin

  • Increase default SASL buffer size

  • Become 3.3.0 Beta 2

  • Add requires for slapi-nis and SSSD

  • Become 3.3.0

Nathaniel McCallum (10):

  • Add ipaUserAuthType and ipaUserAuthTypeClass

  • Add IPA OTP schema and ACLs

  • ipa-kdb: Add OTP support

  • Add the krb5/FreeIPA RADIUS companion daemon

  • Remove unnecessary prefixes from ipa-pwd-extop files

  • Add OTP support to ipa-pwd-extop

  • Fix client install exception if /etc/ssh is missing

  • Permit reads to ipatokenRadiusProxyUser objects

  • Fix for small syntax error in OTP schema

  • Use libunistring ulc_casecmp() on unicode strings

Petr Spacek (1):

  • ipa-client-install: Add ‘debug’ and ‘show’ statements to nsupdate commands

Petr Viktorin (33):

  • Remove leading zero from IPA_NUM_VERSION

  • Relax getkeytab test to allow additional messages on stderr

  • Remove code to install Dogtag 9

  • Flush stream after writing service messages

  • Make an ipa-tests package

  • Add ipa-run-tests command

  • Add Nose plugin for BeakerLib integration

  • Add a plugin for test ordering

  • Add a framework for integration test configuration

  • Add a framework for integration testing

  • Introduce a class for remote commands

  • Collect logs from tests

  • Show logs in failed tests

  • tests: Allow public keys for authentication to the remote machines

  • tests: Configure/unconfigure remote hosts

  • Host class improvements

  • Use docstrings in BeakerLib phase descriptions

  • Make BeakerLib logging less verbose

  • BeakerLib plugin: Log http links in test docstrings

  • Integration test config: Make it possible to specify host IP

  • ipa-client: Use “ipa” as the package name for i18n

  • Move BeakerLibProcess out of BeakerLibPlugin

  • test_integration: Add log collection to Host

  • test_integration: Set up CA on replicas by default

  • Add more test tasks

  • Add install_topo to test tasks

  • Add the ipa-test-task tool

  • Add tar and xz dependencies to the freeipa-tests package

  • Correct default value of LDAPClient.get_entries scope argument

  • test_simple_replication: Wait for replication to finish before checking

  • Add the new no_member option to CLI tests

  • Update translations

  • Fix installutils.get_password without a TTY

Petr Vobornik (24):

  • Fix: HBAC Test tab is missing

  • Move spec modifications from facet factories to pre_ops

  • Unite and move facet pre_ops to related modules

  • Web UI: move ./_base/metadata_provider.js to ./metadata.js

  • Regression fix: missing control buttons in nested search facets

  • Make ssbrowser.html work in IE 10

  • Fix regression: missing facet tab group labels

  • Regression fix: rule table with ext. member support doesn’t offer any items

  • Fix default value selection in radio widget

  • Do not redirect to https in /ipa/ui on non-HTML files

  • Create Firefox configuration extension on CA-less install

  • Disable checkboxes and radios for readonly attributes

  • Better automated test support

  • Fix container element in adder dialogs

  • Upstream Web UI tests

  • Web UI search optimization

  • Break long words in notification area

  • Remove word ‘field’ from GECOS param label

  • Web UI integration tests: Add trust tests

  • Web UI integration tests: Add ui_driver method descriptions

  • Web UI integration tests: Verify data after add and mod

  • Web UI integration tests: Compute range sizes to avoid overlaps

  • Web UI integration tests: PEP8 fixes

  • Web UI integration tests: Code quality fixes

Rob Crittenden (4):

  • Bump version for development branch to 3.2.99

  • Return the correct Content-type on negotiated XML-RPC requests.

  • Add Camellia ciphers to allowed list.

  • Hide sensitive attributes in LDAP updater logging and output

Simo Sorce (2):

  • CLDAP: Fix domain handling in netlogon requests

  • CLDAP: Return empty reply on non-fatal errors

Sumit Bose (5):

  • Fix format string typo

  • Fix type of printf argument

  • Add PAC to master host TGTs

  • extdom: replace winbind calls with POSIX/SSSD calls

  • Remove winbind client configure check

Tomas Babej (32):

  • Remove redundancy from hbactest help text

  • Do not translate trust type and direction with --raw in trust_show and trust-find

  • Support multiple local domain ranges with RID base set

  • Do not allow removal of ID range of an active trust

  • Use private ccache in ipa install tools

  • Remove redundant check for env.interactive

  • Add prompt_param method to avoid code duplication

  • Incorporate interactive prompts in idrange-add

  • Do not check userPassword with 7-bit plugin

  • Manage ipa-otpd.socket by IPA

  • Add ipaRangeType attribute to LDAP Schema

  • Add update plugin to fill in ipaRangeType attribute

  • Extend idrange commands to support new range origin types

  • PEP8 fixes in idrange.py

  • Remove hardcoded values from idrange plugin tests

  • Return ipaRangeType as a list in idrange commands

  • Do not redirect ipa/crl to HTTPS

  • Add --range-type option that forces range type of the trusted domain

  • Add libsss_nss_idmap-devel to BuildRequires

  • Change group ownership of CRL publish directory

  • Provide ipa-advise tool

  • Use AD LDAP probing to create trusted domain ID range

  • Move requirement for keyutils to freeipa-python package

  • Change shebang to absolute path in ipa-client-automount

  • Skip referrals when converting LDAP result to LDAPEntry

  • Refactor the interactive prompt logic in idrange_add

  • Limit pwpolicy maxlife to 20000 days

  • Use case-insensitive dict for trusted domain info

  • Improve help entry for ipa host

  • Remove overlapping use-cases of the same result variable

  • Add a word wrapping for comment log messages to AdviceLogger

  • Wrap lines in the list of available advices

Version 3.3.0 Beta 1 (07/24/2013)

Alexander Bokovoy (8):

  • Fix cldap parser to work with a single equality filter (NtVer=…)

  • Make sure domain_name is also set when processing INP_NAME requests

  • Fix extdom plugin to provide unqualified name in response as sssd expects

  • Generate synthetic MS-PAC for all services running on IPA master

  • ipa-adtrust-install: configure compatibility tree to serve trusted domain users

  • ipa-kdb: cache KDC hostname on startup

  • ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case

  • ipaserver/dcerpc: attempt to resolve SIDs through SSSD first

Ana Krivokapic (21):

  • Prompt for nameserver IP address in dnszone-add

  • Do not display success message on failure in web UI

  • Ignore files generated by build

  • Deprecate options --dom-sid and --dom-name in idrange-mod

  • Prevent error when running IPA commands with su/sudo

  • Fix displaying of success message

  • Fix location of service.crt in .gitignore

  • Improve handling of options in ipa-client-install

  • Fail when adding a trust with a different range

  • Do not display traceback to user

  • Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install

  • Fix bug in adtrustinstance

  • Use correct DS instance in ipactl status

  • Avoid systemd service deadlock during shutdown

  • Make sure replication works after DM password is changed

  • Use --ignore-dependencies only when necessary

  • Properly handle non-existent cert files

  • Add ‘ipa_server_mode’ option to SSSD configuration

  • Bump version of sssd in spec file

  • Use admin@REALM when testing if SSSD is ready

  • Fix internal error in idrange-add

Diane Trout (1):

  • Fix log format not a string literal.

Jakub Hrozek (3):

  • Remove unused variable

  • IPA KDB MS-PAC: return ENOMEM if allocation fails

  • IPA KDB MS-PAC: remove unused variable

Jan Cholasta (21):

  • Use the correct PKCS#12 file for HTTP server.

  • Remove stray error condition in ipa-server-install.

  • Handle exceptions gracefully when verifying PKCS#12 files.

  • Skip empty lines when parsing pk12util output.

  • Do not allow installing CA replicas in CA-less setup.

  • Do not track DS certificate in CA-less setup.

  • Fix CA-less check in ipa-replica-install and ipa-ca-install.

  • Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.

  • Enable SASL mapping fallback.

  • Skip cert issuer validation in service and host commands in CA-less install.

  • Check trust chain length in CA-less install.

  • Use LDAP search instead of *group_show to check if a group exists.

  • Use LDAP search instead of *group_show to check for a group objectclass.

  • Use LDAP modify operation directly to add/remove group members.

  • Add missing substring indices for attributes managed by the referint plugin.

  • Add missing equality index for ipaUniqueId.

  • Run gpg-agent explicitly when encrypting/decrypting files.

  • Add new hidden command option to suppress processing of membership attributes.

  • Ask for PKCS#12 password interactively in ipa-server-install.

  • Ask for PKCS#12 password interactively in ipa-replica-prepare.

  • Print newline after receiving EOF in installutils.read_password.

Lukas Slebodnik (1):

  • Use pkg-config to detect cmocka

Martin Kosek (11):

  • Set KRB5CCNAME so that dirsrv can work with newer krb5-server

  • Handle DIR type CCACHEs in test_cmdline properly

  • Avoid exporting KRB5_KTNAME in dirsrv env

  • Remove redundant u’’ character

  • Drop SELinux subpackage

  • Drop redundant directory /var/cache/ipa/sessions

  • Remove entitlement support

  • Run server upgrade and restart in posttrans

  • Require new selinux-policy replacing old server-selinux subpackage

  • Bump minimum SSSD version

  • Become 3.3.0 Beta 1

Nathaniel McCallum (10):

  • Add ipaUserAuthType and ipaUserAuthTypeClass

  • Add IPA OTP schema and ACLs

  • ipa-kdb: Add OTP support

  • Add the krb5/FreeIPA RADIUS companion daemon

  • Remove unnecessary prefixes from ipa-pwd-extop files

  • Add OTP support to ipa-pwd-extop

  • Fix client install exception if /etc/ssh is missing

  • Permit reads to ipatokenRadiusProxyUser objects

  • Fix for small syntax error in OTP schema

  • Use libunistring ulc_casecmp() on unicode strings

Petr Spacek (1):

  • ipa-client-install: Add ‘debug’ and ‘show’ statements to nsupdate commands

Petr Viktorin (21):

  • Remove leading zero from IPA_NUM_VERSION

  • Relax getkeytab test to allow additional messages on stderr

  • Remove code to install Dogtag 9

  • Flush stream after writing service messages

  • Make an ipa-tests package

  • Add ipa-run-tests command

  • Add Nose plugin for BeakerLib integration

  • Add a plugin for test ordering

  • Add a framework for integration test configuration

  • Add a framework for integration testing

  • Introduce a class for remote commands

  • Collect logs from tests

  • Show logs in failed tests

  • tests: Allow public keys for authentication to the remote machines

  • tests: Configure/unconfigure remote hosts

  • Host class improvements

  • Use docstrings in BeakerLib phase descriptions

  • Make BeakerLib logging less verbose

  • BeakerLib plugin: Log http links in test docstrings

  • Integration test config: Make it possible to specify host IP

  • ipa-client: Use “ipa” as the package name for i18n

Petr Vobornik (18):

  • Fix: HBAC Test tab is missing

  • Move spec modifications from facet factories to pre_ops

  • Unite and move facet pre_ops to related modules

  • Web UI: move ./_base/metadata_provider.js to ./metadata.js

  • Regression fix: missing control buttons in nested search facets

  • Make ssbrowser.html work in IE 10

  • Fix regression: missing facet tab group labels

  • Regression fix: rule table with ext. member support doesn’t offer any items

  • Fix default value selection in radio widget

  • Do not redirect to https in /ipa/ui on non-HTML files

  • Create Firefox configuration extension on CA-less install

  • Disable checkboxes and radios for readonly attributes

  • Better automated test support

  • Fix container element in adder dialogs

  • Upstream Web UI tests

  • Web UI search optimization

  • Break long words in notification area

  • Remove word ‘field’ from GECOS param label

Rob Crittenden (4):

  • Bump version for development branch to 3.2.99

  • Return the correct Content-type on negotiated XML-RPC requests.

  • Add Camellia ciphers to allowed list.

  • Hide sensitive attributes in LDAP updater logging and output

Simo Sorce (2):

  • CLDAP: Fix domain handling in netlogon requests

  • CLDAP: Return empty reply on non-fatal errors

Sumit Bose (5):

  • Fix format string typo

  • Fix type of printf argument

  • Add PAC to master host TGTs

  • extdom: replace winbind calls with POSIX/SSSD calls

  • Remove winbind client configure check

Tomas Babej (22):

  • Remove redundancy from hbactest help text

  • Do not translate trust type and direction with --raw in trust_show and trust-find

  • Support multiple local domain ranges with RID base set

  • Do not allow removal of ID range of an active trust

  • Use private ccache in ipa install tools

  • Remove redundant check for env.interactive

  • Add prompt_param method to avoid code duplication

  • Incorporate interactive prompts in idrange-add

  • Do not check userPassword with 7-bit plugin

  • Manage ipa-otpd.socket by IPA

  • Add ipaRangeType attribute to LDAP Schema

  • Add update plugin to fill in ipaRangeType attribute

  • Extend idrange commands to support new range origin types

  • PEP8 fixes in idrange.py

  • Remove hardcoded values from idrange plugin tests

  • Return ipaRangeType as a list in idrange commands

  • Do not redirect ipa/crl to HTTPS

  • Add --range-type option that forces range type of the trusted domain

  • Add libsss_nss_idmap-devel to BuildRequires

  • Change group ownership of CRL publish directory

  • Provide ipa-advise tool

  • Use AD LDAP probing to create trusted domain ID range

Version 3.2.2 (07/17/2013)

Ana Krivokapic (8):

  • Fix displaying of success message

  • Improve handling of options in ipa-client-install

  • Do not display traceback to user

  • Fix bug in adtrustinstance

  • Use correct DS instance in ipactl status

  • Avoid systemd service deadlock during shutdown

  • Make sure replication works after DM password is changed

  • Use --ignore-dependencies only when necessary

Jan Cholasta (16):

  • Use the correct PKCS#12 file for HTTP server.

  • Remove stray error condition in ipa-server-install.

  • Handle exceptions gracefully when verifying PKCS#12 files.

  • Skip empty lines when parsing pk12util output.

  • Do not allow installing CA replicas in CA-less setup.

  • Do not track DS certificate in CA-less setup.

  • Fix CA-less check in ipa-replica-install and ipa-ca-install.

  • Do not skip SSSD known hosts in ipa-client-install --ssh-trust-dns.

  • Skip cert issuer validation in service and host commands in CA-less install.

  • Check trust chain length in CA-less install.

  • Use LDAP search instead of *group_show to check if a group exists.

  • Use LDAP search instead of *group_show to check for a group objectclass.

  • Use LDAP modify operation directly to add/remove group members.

  • Add missing substring indices for attributes managed by the referint plugin.

  • Add missing equality index for ipaUniqueId.

  • Run gpg-agent explicitly when encrypting/decrypting files.

Lukas Slebodnik (1):

  • Use pkg-config to detect cmocka

Martin Kosek (7):

  • Remove entitlement support

  • Enable SASL mapping fallback.

  • Drop SELinux subpackage

  • Drop redundant directory /var/cache/ipa/sessions

  • Run server upgrade and restart in posttrans

  • Require new selinux-policy replacing old server-selinux subpackage

  • Become 3.2.2

Nathaniel McCallum (3):

  • Fix client install exception if /etc/ssh is missing

  • Permit reads to ipatokenRadiusProxyUser objects

  • Fix for small syntax error in OTP schema

Petr Vobornik (5):

  • Regression fix: rule table with ext. member support doesn’t offer any items

  • Fix default value selection in radio widget

  • Do not redirect to https in /ipa/ui on non-HTML files

  • Create Firefox configuration extension on CA-less install

  • Disable checkboxes and radios for readonly attributes

Rob Crittenden (1):

  • Return the correct Content-type on negotiated XML-RPC requests.

Sumit Bose (1):

  • Fix type of printf argument

Tomas Babej (2):

  • Do not redirect ipa/crl to HTTPS

  • Change group ownership of CRL publish directory

Version 3.2.1 (06/07/2013)

Alexander Bokovoy (1):

  • Fix cldap parser to work with a single equality filter (NtVer=…)

Ana Krivokapic (3):

  • Prompt for nameserver IP address in dnszone-add

  • Do not display success message on failure in web UI

  • Prevent error when running IPA commands with su/sudo

Diane Trout (1):

  • Fix log format not a string literal.

Martin Kosek (4):

  • Set KRB5CCNAME so that dirsrv can work with newer krb5-server

  • Avoid exporting KRB5_KTNAME in dirsrv env

  • Remove redundant u’’ character

  • Become 3.2.1

Nathaniel McCallum (6):

  • Add ipaUserAuthType and ipaUserAuthTypeClass

  • Add IPA OTP schema and ACLs

  • ipa-kdb: Add OTP support

  • Add the krb5/FreeIPA RADIUS companion daemon

  • Remove unnecessary prefixes from ipa-pwd-extop files

  • Add OTP support to ipa-pwd-extop

Petr Spacek (1):

  • ipa-client-install: Add ‘debug’ and ‘show’ statements to nsupdate commands

Petr Viktorin (1):

  • Remove leading zero from IPA_NUM_VERSION

Petr Vobornik (7):

  • Fix: HBAC Test tab is missing

  • Move spec modifications from facet factories to pre_ops

  • Unite and move facet pre_ops to related modules

  • Web UI: move ./_base/metadata_provider.js to ./metadata.js

  • Regression fix: missing control buttons in nested search facets

  • Make ssbrowser.html work in IE 10

  • Fix regression: missing facet tab group labels

Simo Sorce (2):

  • CLDAP: Fix domain handling in netlogon requests

  • CLDAP: Return empty reply on non-fatal errors

Sumit Bose (1):

  • Fix format string typo

Tomas Babej (9):

  • Remove redundancy from hbactest help text

  • Support multiple local domain ranges with RID base set

  • Do not allow removal of ID range of an active trust

  • Use private ccache in ipa install tools

  • Remove redundant check for env.interactive

  • Add prompt_param method to avoid code duplication

  • Incorporate interactive prompts in idrange-add

  • Do not check userPassword with 7-bit plugin

  • Manage ipa-otpd.socket by IPA

Version 3.2.0 (05/10/2013)

Alexander Bokovoy (9):

  • Update plugin to upload CA certificate to LDAP

  • ipasam: use base scope when fetching domain information about own domain

  • ipaserver/dcerpc: enforce search_s without schema checks for GC searching

  • ipa-replica-manage: migrate to single_value after LDAPEntry updates

  • Process exceptions when talking to Dogtag

  • ipasam: add enumeration of UPN suffixes based on the realm domains

  • Enhance ipa-adtrust-install for domains with multiple IPA servers

  • spec: detect Kerberos DAL driver ABI change from installed krb5-devel

  • Resolve SIDs in Web UI

Ana Krivokapic (24):

  • Raise ValidationError for incorrect subtree option.

  • Add crond as a default HBAC service

  • Take into consideration services when deleting replicas

  • Add list of domains associated to our realm to cn=etc

  • Improve error messages for external group members

  • Remove check for alphabetic only characters from domain name validation

  • Fix internal error for ipa show-mappings

  • Realm Domains page

  • Use default NETBIOS name in unattended ipa-adtrust-install

  • Add mkhomedir option to ipa-server-install and ipa-replica-install

  • Remove CA cert on client uninstall

  • Fix output for some CLI commands

  • Add missing summary message to dnszone_del

  • Remove HBAC source hosts from web UI

  • Remove any reference to HBAC source hosts from help

  • Deprecate HBAC source hosts from CLI

  • Integrate realmdomains with IPA DNS

  • Improve help text for HBAC service groups

  • Do not sort dictionaries in assert_deepequal utility function

  • Handle missing /etc/ipa in ipa-client-install

  • Fix the spec file

  • Do not display an interactive mode message in unattended mode

  • Add missing permissions to Host Administrators privilege

  • Always stop dirsrv in ‘ipactl stop’

Brian Cook (1):

  • Add DNS Setup Prompt to Install

JR Aquino (1):

  • Allow PKI-CA Replica Installs when CRL exceeds default maxber value

Jakub Hrozek (1):

  • Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir

Jan Cholasta (33):

  • Pylint cleanup.

  • Drop ipapython.compat.

  • Add support for RFC 6594 SSHFP DNS records.

  • Raise ValidationError on invalid CSV values.

  • Run interactive_prompt callbacks after CSV values are split.

  • Add custom mapping object for LDAP entry data.

  • Add make_entry factory method to LDAPConnection.

  • Remove the Entity class.

  • Remove the Entry class.

  • Use the dn attribute of LDAPEntry to set/get DNs of entries.

  • Preserve case of attribute names in LDAPEntry.

  • Aggregate IPASimpleLDAPObject in LDAPEntry.

  • Support attributes with multiple names in LDAPEntry.

  • Use full DNs in plugin code.

  • Remove DN normalization from the baseldap plugin.

  • Remove support for DN normalization from LDAPClient.

  • Fix remove while iterating in suppress_netgroup_memberof.

  • Remove disabled entries from sudoers compat tree.

  • Fix internal error in output_for_cli method of sudorule_{enable,disable}.

  • Do not fail if schema cannot be retrieved from LDAP server.

  • Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.

  • Allow disabling attribute decoding in LDAPClient and IPAdmin.

  • Disable schema retrieval and attribute decoding when talking to AD GC.

  • Add Kerberos ticket flags management to service and host plugins.

  • Do actually stop pki_cad in stop_pkicad instead of starting it.

  • Use only one URL for OCSP and CRL in IPA certificate profile.

  • Use A/AAAA records instead of CNAME records in ipa-ca.

  • Delete DNS records in ipa-ca on ipa-csreplica-manage del.

  • Use correct zone when removing DNS records of a master.

  • Add DNS records for existing masters when installing DNS for the first time.

  • Add ipa-ca records for existing CA masters when installing DNS for the first time.

  • Add support for OpenSSH 6.2.

  • Fix normalization of FQDNs in DNS installer code.

John Dennis (2):

  • Cookie Expires date should be locale insensitive

  • Use secure method to acquire IPA CA certificate

Lynn Root (3):

  • Added the ability to do Beta versioning

  • Fixed the catch of the hostname option during ipa-server-install

  • Raise ValidationError when CSR does not have a subject hostname

Martin Kosek (65):

  • Add Lynn Root to Contributors.txt

  • Enable SSSD on client install

  • Fix delegation-find command --group handling

  • Do not crash when Kerberos SRV record is not found

  • permission-find no longer crashes with --targetgroup

  • Avoid CRL migration error message

  • Sort LDAP updates properly

  • Upgrade process should not crash on named restart

  • Installer should not connect to 127.0.0.1

  • Fix migration for openldap DS

  • Remove unused krbV imports

  • Use fully qualified CCACHE names

  • Fix permission_find test error

  • Add trustconfig-show and trustconfig-mod commands

  • ipa-kdb: add sentinel for LDAPDerefSpec allocation

  • ipa-kdb: avoid ENOMEM when all SIDs are filtered out

  • ipa-kdb: reinitialize LDAP configuration for known realms

  • Add SID blacklist attributes

  • ipa-kdb: read SID blacklist from LDAP

  • ipa-sam: Fill SID blacklist when trust is added

  • ipa-adtrust-install should ask for SID generation

  • Test NetBIOS name clash before creating a trust

  • Generalize AD GC search

  • Do not hide SID resolver error in group-add-member

  • Add support for AD users to hbactest command

  • Fix hbachelp examples formatting

  • ipa-kdb: remove memory leaks

  • ipa-kdb: fix retry logic in ipadb_deref_search

  • Add autodiscovery section in ipa-client-install man pages

  • Avoid internal error when user is not Trust admin

  • Use fixed test domain in realmdomains test

  • Bump FreeIPA version for development branch

  • Remove ORDERING for IA5 attributeTypes

  • Fix includedir directive in krb5.conf template

  • Use new 389-ds-base cleartext password API

  • Do not hide idrange-add errors when adding trust

  • Preserve order of servers in ipa-client-install

  • Avoid multiple client discovery with fixed server list

  • Update named.conf parser

  • Use tkey-gssapi-keytab in named.conf

  • Do not force named connections on upgrades

  • ipa-client discovery with anonymous access off

  • Use temporary CCACHE in ipa-client-install

  • Improve client install LDAP cert retrieval fallback

  • Configure ipa_dns DS plugin on install and upgrade

  • Fix structured DNS record output

  • Bump selinux-policy requires

  • Clean spec file for Fedora 19

  • Remove build warnings

  • Remove syslog.target from ipa.server

  • Put pid-file to named.conf

  • Update mod_wsgi socket directory

  • Normalize RA agent certificate

  • Require 389-ds-base 1.3.0.5

  • Change CNAME and DNAME attributes to single valued

  • Improve CNAME record validation

  • Improve DNAME record validation

  • Become 3.2.0 Prerelease 1

  • Fix trustconfig-mod primary group error

  • Require new samba and krb5

  • Add userClass attribute for hosts

  • Update pki proxy configuration

  • Do not add ipa-ca records on CA-less installs

  • Fix ipa-ca DNS name creation

  • Fix SASL_NOCANON behavior for LDAPI

Nathaniel McCallum (1):

  • Ignore log files from automake tests

Petr Spacek (1):

  • Add 389 DS plugin for special idnsSOASerial attribute handling

Petr Viktorin (113):

  • Sort Options and Outputs in API.txt

  • Add the CA cert to LDAP after the CA install

  • Better logging for AdminTool and ipa-ldap-updater

  • Port ipa-replica-prepare to the admintool framework

  • Make ipapython.dogtag log requests at debug level, not info

  • Don’t add another nsDS5ReplicaId on updates if one already exists

  • Improve `ipa --help` output

  • Print help to stderr on error

  • Store the OptionParser in the API, use it to print unified help messages

  • Simplify `ipa help topics` output

  • Add command summary to `ipa COMMAND --help` output

  • Mention `ipa COMMAND --help` as the preferred way to get command help

  • Parse command arguments before creating a context

  • Add tests for the help command & --help options

  • In topic help text, mention how to get help for commands

  • Check SSH connection in ipa-replica-conncheck

  • Use ipauniqueid for the RDN of sudo commands

  • Prevent a sudo command from being deleted if it is a member of a sudo rule

  • Update sudocmd ACIs to use targetfilter

  • Add the version option to all Commands

  • Add ipalib.messages

  • Add client capabilities, enable messages

  • Rename the “messages” Output of the i18n_messages command to “texts”

  • Fix permission validation and normalization in aci.py

  • Remove csv_separator and csv_skipspace Param arguments

  • Drop support for CSV in the CLI client

  • Update argument docs to reflect dropped CSV support

  • Update plugin docstrings (topic help) to reflect dropped CSV support

  • cli: Do interactive prompting after a context is created

  • Remove some unused imports

  • Remove unused methods from Entry, Entity, and IPAdmin

  • Derive Entity class from Entry, and move it to ldapupdate

  • Use explicit loggers in ldap2 code

  • Move LDAPEntry to ipaserver.ipaldap and derive Entry from it

  • Remove connection-creating code from SchemaCache

  • Move the decision to force schema updates out of IPASimpleLDAPObject

  • Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap

  • Start LDAPConnection, a common base for ldap2 and IPAdmin

  • Make IPAdmin not inherit from IPASimpleLDAPObject

  • Move schema-related methods to LDAPConnection

  • Move DN handling methods to LDAPConnection

  • Move filter making methods to LDAPConnection

  • Move entry finding methods to LDAPConnection

  • Remove unused proxydn functionality from IPAdmin

  • Move entry add, update, remove, rename to LDAPConnection

  • Implement some of IPAdmin’s legacy methods in terms of LDAPConnection methods

  • Replace setValue by keyword arguments when creating entries

  • Use update_entry with a single entry in adtrustinstance

  • Replace entry.getValues() by entry.get()

  • Replace entry.setValue/setValues by item assignment

  • Replace add_s and delete_s by their newer equivalents

  • Change {add,update,delete}_entry to take LDAPEntries

  • Remove unused imports from ipaserver/install

  • Remove unused bindcert and bindkey arguments to IPAdmin

  • Turn the LDAPError handler into a context manager

  • Remove dbdir, binddn, bindpwd from IPAdmin

  • Remove IPAdmin.updateEntry calls from fix_replica_agreements

  • Remove IPAdmin.get_dns_sorted_by_length

  • Replace IPAdmin.checkTask by replication.wait_for_task

  • Introduce LDAPEntry.single_value for getting single-valued attributes

  • Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity

  • Replace entry.getValue by entry.single_value

  • Replace getList by a get_entries method

  • Remove toTupleList and attrList from LDAPEntry

  • Rename LDAPConnection to LDAPClient

  • Replace addEntry with add_entry

  • Replace deleteEntry with delete_entry

  • Fix typo and traceback suppression in replication.py

  • replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)

  • Inline inactivateEntry in its only caller

  • Inline waitForEntry in its only caller

  • Proxy LDAP methods explicitly rather than using __getattr__

  • Remove search_s and search_ext_s from IPAdmin

  • Replace IPAdmin.start_tls_s by an __init__ argument

  • Remove IPAdmin.sasl_interactive_bind_s

  • Remove IPAdmin.simple_bind_s

  • Remove IPAdmin.unbind_s(), keep unbind()

  • Use ldap instead of _ldap in ipaldap

  • Do not use global variables in migration.py

  • Use IPAdmin rather than raw python-ldap in migration.bind

  • Use IPAdmin rather than raw python-ldap in ipactl

  • Remove some uses of raw python-ldap

  • Improve LDAPEntry tests

  • Fix installing server with external CA

  • Change DNA magic value to -1 to make UID 999 usable

  • Move ipaldap to ipapython

  • Remove ipaserver/ipaldap.py

  • Use IPAdmin rather than raw python-ldap in ipa-client-install

  • Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py

  • Remove unneeded python-ldap imports

  • Don’t download the schema in ipadiscovery

  • ipa-server-install: Make temporary pin files available for the whole installation

  • ipa-server-install: Remove the --selfsign option

  • Remove unused ipapython.certdb.CertDB class

  • ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper

  • Trust CAs from PKCS#12 files even if they don’t have Friendly Names

  • dsinstance, httpinstance: Don’t hardcode ‘Server-Cert’

  • Support installing with custom SSL certs, without a CA

  • Load the CA cert into server NSS databases

  • Do not call cert-* commands in host plugin if a RA is not available

  • ipa-client-install: Do not request host certificate if server is CA-less

  • Display full command documentation in online help

  • Remove ‘cn’ attribute from idnsRecord and idnsZone objectClasses

  • ipa-server-install: correct help text for --external_{cert,ca}_file

  • Update translations from Transifex

  • Uninstall selfsign CA on upgrade

  • Remove obsolete self-sign references from man pages, docstrings, comments

  • Drop --selfsign server functionality

  • Use two digits for each part of NUM_VERSION

  • Fix syntax of the dc attributeType

  • Fix syntax errors in schema files

  • Only require libsss_nss_idmap-python in Fedora 19+

  • Update translations from Transifex

Petr Vobornik (181):

  • Make confirm_dialog a base class of revoke and restore certificate dialogs

  • Make confirm_dialog a base class for deleter dialog

  • Make confirm_dialog a base class for message_dialog

  • Confirm mixin

  • Confirm adder dialog by enter

  • Confirm error dialog by enter

  • Focus last dialog when some is closed

  • Confirm association dialogs by enter

  • Standardize login password reset, user reset password and host set OTP dialogs

  • Focus first input element after ‘Add and Add another’

  • Enable mod_deflate

  • Use Uglify.js for JS optimization

  • Dojo Builder

  • Config files for builder of FreeIPA UI layer

  • Minimal Dojo layer

  • Web UI development environment directory structure and configuration

  • Web UI Sync development utility

  • Move of Web UI non AMD dep. libs to libs subdirectory

  • Move of core Web UI files to AMD directory

  • Update JavaScript Lint configuration file

  • AMD config file

  • Change Web UI sources to simple AMD modules

  • Updated makefiles to build FreeIPA Web UI layer

  • Change tests to use AMD loader

  • Fix BuildRequires: rhino replaced with java-1.7.0-openjdk

  • Develop.js extended

  • Allow to specify modules for which builder doesn’t raise dependency error

  • Web UI build profile updated

  • Combobox keyboard support

  • Fix dirty state update of editable combobox

  • Fix handling of no_update flag in Web UI

  • Web UI: configurable SID blacklists

  • Web UI: Certificate pages

  • Web UI: Choose different search option for cert-find

  • Fixed Web UI build error caused by rhino changes in F19

  • Nestable checkbox/radio widget

  • Added Web UI support for service PAC type option: NONE

  • Web UI: Disable cert functionality if a CA is not available

  • Add ipakrbokasdelegate option to service and host Web UI pages

  • Run permission target switch action only for visible widgets

  • Filter groups by type (POSIX, non-POSIX, external)

  • Global trust config page

  • Don’t show trusts pages when trust is not configured

  • Fix regression in group type selection in group adder dialog

  • Fix: Certificate status is not visible in Service and Host page

  • jsl update

  • Update of Dojo build

  • Basic implementation of registers

  • i18n - internationalized text provider

  • Phases - application lifecycle

  • Config.js

  • Menu and application controller refactoring

  • Removed old navigation code

  • Remove IPA.nav usage, obsolete entity.get_primary_key

  • Fix nested facet search

  • Remove IPA.current_entity usage

  • Set pkeys to add,remove dialog

  • File dependencies added to Web UI Makefile

  • Add menu memory

  • Rename path array from hash to path in hash generation

  • Fix selection of menu in automember

  • Fix facet needs_update behavior

  • Removed incorrect success message when adding of external member failed

  • Removed entity.get_primary from association facet

  • get_primary_key function usages removed

  • DNS menu fixed

  • Certificates, Realm domains added to navigation

  • Remove old navigation code in certificates

  • Fix needs_update on object change

  • Don’t expect key for singleton objects (dnsconfig, config, realmdomains)

  • Raise only one “set” event on facet.state.set

  • Fix dirty dialog behavior

  • Add handling of runtime and shutdown phase. App-init renamed to init.

  • Fix unit tests

  • Web UI plugin loader

  • Fix hbactest styles

  • Menu proxy

  • Proper removal of dns menu item when dns is not installed

  • Fixed errors in DNS pages

  • Fix in state change handling and reporting

  • Fix tab switching for nested entities

  • Fix add/deletion of automember rule - caused by not setting facet for entity adder dialog

  • Use dojo/on instead of dojo/topic for facet-xxx events

  • Rename alternation phase to customization

  • Replace id usage in App widget by class

  • Add phase on exact position

  • Metadata and text providers

  • Limit Provider reporting

  • Use text.get for transforming values supplied by spec

  • Replace IPA.get_message with text.get

  • Replace IPA.messages with @i18n definition in spec objects

  • Replace IPA.messages with @i18n definition for label specs

  • Replace IPA.messages with @i18n definition for add_title specs

  • Replace IPA.messages with @i18n definition for remove_title specs

  • Replace IPA.messages with @i18n definition for message specs

  • Replace IPA.messages with @i18n definition for title specs

  • Use text.get in IPA.notify_success

  • Replace remaining IPA.messages with text.get calls

  • Fix facet section labels

  • Remove invalid label definition from cert search facet

  • Replace IPA.get_message with text.get

  • Remove text.get usage from spec

  • Add pre and post build operations

  • Spec modification by diff object

  • Builder: added pre_ops and post_ops

  • Modularize group.js

  • Modularize details.js

  • Builder: factory,ctor overrides, mass build

  • Replace old builder by new implementation

  • Rename build constructor to ctor

  • Spec utils

  • Basic build tests

  • Rename factory to $factory in spec objects

  • Builder: return null if no spec supplied

  • Builder: fix overrides names - add $

  • Builder: fix infinite loop when using spec with circular dependency

  • Rename factory to $factory in spec objects modifications

  • Builder: return object when it’s already built

  • Use IPA.object() as a base factory for framework objects

  • Handle built object in spec

  • Report phase errors

  • Builder: allow to use custom factory/ctor when using type

  • Fix construct registry map reference

  • Replace IPA.facet_builder with facets.builder

  • Builder: do not break on expected errors

  • Builder: remove item from singleton registry

  • Builder: fix inner array and obj references

  • Use entities module for entity registration, build and holding

  • Builder: add set method to Singleton_registry

  • Builder: build type without prior registration

  • Phases: warn when adding task for nonexistent phase

  • Builder: create Construct_registry by default in builder

  • Builder: global builder and registry

  • Replace IPA.widget_factories and IPA_field_factories with registry

  • Builder: allow string spec as spec property instead of type

  • Replace build logic in widget and field builder by new builder

  • Registry and builder for formatters

  • Builder: return null if no spec supplied - fix

  • Replace formatter creation with definition in specs

  • Builder and registry for validators

  • Change widget.build_child interface to the builder’s

  • Builder and registry for actions

  • Replace usage of action factories with types

  • Fix incorrect type -> $type conversion

  • Make facet and entity policies declarative

  • Make summary conditions declarative

  • Allow metadata provider format for field metadata declaration

  • Replace IPA.get_entity_param calls in specs with provider strings

  • Replace IPA.get_command_option calls in specs with provider strings

  • Replace IPA.get_command_arg calls in specs with provider strings

  • Builders: allow pre_ops and post_ops in build overrides

  • Use builder for entity dialogs

  • Builder: allow registration without factory or ctor

  • Fix hbactest after rebase

  • Fix trustconfig after rebase

  • Entity registry and builder which allow definition by spec

  • Entity: allow definition of facet_groups in entity specs

  • Builder: handle expected errors in post_ops

  • Entity build: test for enabled in post_op

  • Convert definitions of entities to spec objects

  • Replace IPA.metadata.objects… with declarative definitions

  • Remove cert menu item when disabled

  • Don’t automatically refresh facet after action success

  • Move spec creations of sudorule, hbacrule, netgroup and selinuxusermap details facet from their factories

  • Removal of IPA.metadata usages

  • Add widget updated event

  • Fix rule table add/delete button enablement

  • Replace ./facets with reg.facet

  • Remove entities.js, facets.js

  • Generate plugin index dynamically

  • Switch customization and registration phase

  • Do not offer already added members in association dialogs when different casing

  • Builder: fix join of pre_ops and post_ops arrays

  • Fix: make association facets in selfservice readonly

  • Builder: Singleton_registry: return null when construction spec not available

  • Navigation: handle invalid routes

  • Fix trustconfig specification

  • Fix WebUI crash when server installed as CA-less

  • Fix crash on ssh key add

  • Fix crash on host deletion

  • Enable standalone facets in menu.add_item

Rob Crittenden (29):

  • Convert uniqueMember members into DN objects.

  • Add Ana Krivokapic to Contributors.txt

  • Do SSL CA verification and hostname validation.

  • Don’t initialize NSS if we don’t have to, clean up unused cert refs

  • Update anonymous access ACI to protect secret attributes.

  • Make certmonger a (pre) requires on server, restart it before upgrading

  • Use new certmonger locking to prevent NSS database corruption.

  • Improve migration performance

  • Add LDAP server fallback to client installer

  • Prevent a crash when no entries are successfully migrated.

  • Implement the cert-find command for the dogtag CA backend.

  • Add missing v3 schema on upgrades, fix typo in schema.

  • Don’t base64-encode the CA cert when uploading it during an upgrade.

  • Extend ipa-replica-manage to be able to manage DNA ranges.

  • Improve some error handling in ipa-replica-manage

  • Fix lockout of LDAP bind.

  • Fix two failing tests due to missing krb ticket flags

  • Full system backup and restore

  • Apply LDAP update files in blocks of 10, as originally designed.

  • Revert “Fix permission_find test error”

  • Become 3.2.0 Beta 1

  • Handle socket.gethostbyaddr() exceptions when verifying hostnames.

  • Require version of NSS that properly parses base64-encoded certs

  • Drop uniqueMember mapping with nss-pam-ldapd.

  • Add Nathaniel McCallum to Contributors.txt

  • Handle a 501 in cert-find from dogtag as a “not supported”

  • Specify the location for the agent PKCS#12 file so we don’t have to move it.

  • Set KRB5CCNAME so httpd s4u2proxy can work with newer krb5-server

  • Become 3.2.0

Simo Sorce (2):

  • Log info on failure to connect

  • Upload CA cert in the directory on install

Sumit Bose (21):

  • ipa-kdb: remove unused variable

  • ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()

  • ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()

  • ipa-kdb: Dereference after null check in ipa_kdb_mspac.c

  • ipa-lockout: Wrong sizeof argument in ipa_lockout.c

  • ipa-extdom: Double-free in ipa_extdom_common.c

  • ipa-pwd: Unchecked return value ipapwd_chpwop()

  • Revert “MS-PAC: Special case NFS services”

  • Add NFS specific default for authorization data type

  • ipa-kdb: Read global default ipaKrbAuthzData

  • ipa-kdb: Read ipaKrbAuthzData with other principal data

  • ipa-kdb: add PAC only if requested

  • Add unit test for get_authz_data_types()

  • Mention PAC issue with NFS in service plugin doc

  • Allow ‘nfs:NONE’ in global configuration

  • Add support for cmocka C-Unit Test framework

  • ipa-pwd-extop: do not use dn until it is really set

  • Do not look up the domain too early if only the SID is known

  • Do not store SID string in a local buffer

  • Allow ID-to-SID mappings in the extdom plugin

  • ipa-kdb: Free talloc autofree context when module is closed

Timo Aaltonen (1):

  • convert the base platform modules into packages

Tomas Babej (27):

  • Relax restriction for leading/trailing whitespaces in *-find commands

  • Forbid overlapping rid ranges for the same id range

  • Fix a typo in ipa-adtrust-install help

  • Prevent integer overflow when setting krbPasswordExpiration

  • Add option to specify SID using domain name to idrange-add/mod

  • Prevent changing protected group’s name using --setattr

  • Use default.conf as flag of IPA client being installed

  • Make sure appropriate exit status is returned in make-test

  • Make options checks in idrange-add/mod consistent

  • Add trusted domain range objectclass when using idrange-mod

  • Perform secondary rid range overlap check for local ranges only

  • Add support for re-enrolling hosts using keytab

  • Make sure uninstall script prompts for reboot as last

  • Remove implicit Str to DN conversion using *-attr

  • Enforce exact SID match when adding or modifying an ID range

  • Allow host re-enrollment using delegation

  • Add logging to join command

  • Properly handle ipa-replica-install when its zone is not managed by IPA

  • Add nfs:NONE to default PAC types only when needed

  • Update only selected attributes for winsync agreement

  • Add hint message about --force-join option when enrollment fails

  • Avoid removing sss from nsswitch.conf during client uninstall

  • Allow underscore in record targets

  • Make gecos field editable in Web UI

  • Preserve already configured options in openldap conf

  • Enforce host existence only where needed in ipa-replica-manage

  • Handle connection timeout in ipa-replica-manage

Version 3.2.0 Beta 1 (04/16/2013)

Alexander Bokovoy (1):

  • spec: detect Kerberos DAL driver ABI change from installed krb5-devel

Ana Krivokapic (7):

  • Remove CA cert on client uninstall

  • Fix output for some CLI commands

  • Add missing summary message to dnszone_del

  • Remove HBAC source hosts from web UI

  • Remove any reference to HBAC source hosts from help

  • Deprecate HBAC source hosts from CLI

  • Integrate realmdomains with IPA DNS

Jan Cholasta (4):

  • Do actually stop pki_cad in stop_pkicad instead of starting it.

  • Use only one URL for OCSP and CRL in IPA certificate profile.

  • Use A/AAAA records instead of CNAME records in ipa-ca.

  • Delete DNS records in ipa-ca on ipa-csreplica-manage del.

Martin Kosek (2):

  • Fix trustconfig-mod primary group error

  • Require new samba and krb5

Petr Viktorin (7):

  • Display full command documentation in online help

  • Remove ‘cn’ attribute from idnsRecord and idnsZone objectClasses

  • ipa-server-install: correct help text for --external_{cert,ca}_file

  • Update translations from Transifex

  • Uninstall selfsign CA on upgrade

  • Remove obsolete self-sign references from man pages, docstrings, comments

  • Drop --selfsign server functionality

Petr Vobornik (6):

  • Add ipakrbokasdelegate option to service and host Web UI pages

  • Run permission target switch action only for visible widgets

  • Filter groups by type (POSIX, non-POSIX, external)

  • Global trust config page

  • Don’t show trusts pages when trust is not configured

  • Fix regression in group type selection in group adder dialog

Rob Crittenden (5):

  • Fix two failing tests due to missing krb ticket flags

  • Full system backup and restore

  • Apply LDAP update files in blocks of 10, as originally designed.

  • Revert “Fix permission_find test error”

  • Become 3.2.0 Beta 1

Tomas Babej (2):

  • Add nfs:NONE to default PAC types only when needed

  • Update only selected attributes for winsync agreement

Version 3.2.0 Prerelease 1 (04/02/2013)

Alexander Bokovoy (7):

  • Update plugin to upload CA certificate to LDAP

  • ipasam: use base scope when fetching domain information about own domain

  • ipaserver/dcerpc: enforce search_s without schema checks for GC searching

  • ipa-replica-manage: migrate to single_value after LDAPEntry updates

  • Process exceptions when talking to Dogtag

  • ipasam: add enumeration of UPN suffixes based on the realm domains

  • Enhance ipa-adtrust-install for domains with multiple IPA servers

Ana Krivokapic (10):

  • Raise ValidationError for incorrect subtree option.

  • Add crond as a default HBAC service

  • Take into consideration services when deleting replicas

  • Add list of domains associated to our realm to cn=etc

  • Improve error messages for external group members

  • Remove check for alphabetic only characters from domain name validation

  • Fix internal error for ipa show-mappings

  • Realm Domains page

  • Use default NETBIOS name in unattended ipa-adtrust-install

  • Add mkhomedir option to ipa-server-install and ipa-replica-install

Brian Cook (1):

  • Add DNS Setup Prompt to Install

JR Aquino (1):

  • Allow PKI-CA Replica Installs when CRL exceeds default maxber value

Jakub Hrozek (1):

  • Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir

Jan Cholasta (24):

  • Pylint cleanup.

  • Drop ipapython.compat.

  • Add support for RFC 6594 SSHFP DNS records.

  • Raise ValidationError on invalid CSV values.

  • Run interactive_prompt callbacks after CSV values are split.

  • Add custom mapping object for LDAP entry data.

  • Add make_entry factory method to LDAPConnection.

  • Remove the Entity class.

  • Remove the Entry class.

  • Use the dn attribute of LDAPEntry to set/get DNs of entries.

  • Preserve case of attribute names in LDAPEntry.

  • Aggregate IPASimpleLDAPObject in LDAPEntry.

  • Support attributes with multiple names in LDAPEntry.

  • Use full DNs in plugin code.

  • Remove DN normalization from the baseldap plugin.

  • Remove support for DN normalization from LDAPClient.

  • Fix remove while iterating in suppress_netgroup_memberof.

  • Remove disabled entries from sudoers compat tree.

  • Fix internal error in output_for_cli method of sudorule_{enable,disable}.

  • Do not fail if schema cannot be retrieved from LDAP server.

  • Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.

  • Allow disabling attribute decoding in LDAPClient and IPAdmin.

  • Disable schema retrieval and attribute decoding when talking to AD GC.

  • Add Kerberos ticket flags management to service and host plugins.

John Dennis (2):#

  • Cookie Expires date should be locale insensitive

  • Use secure method to acquire IPA CA certificate

Lynn Root (4):#

  • Switch %r specifiers to ‘%s’ in Public errors

  • Added the ability to do Beta versioning

  • Fixed the catch of the hostname option during ipa-server-install

  • Raise ValidationError when CSR does not have a subject hostname

Martin Kosek (58):#

  • Add Lynn Root to Contributors.txt

  • Enable SSSD on client install

  • Fix delegation-find command --group handling

  • Do not crash when Kerberos SRV record is not found

  • permission-find no longer crashes with --targetgroup

  • Avoid CRL migration error message

  • Sort LDAP updates properly

  • Upgrade process should not crash on named restart

  • Installer should not connect to 127.0.0.1

  • Fix migration for openldap DS

  • Remove unused krbV imports

  • Use fully qualified CCACHE names

  • Fix permission_find test error

  • Add trustconfig-show and trustconfig-mod commands

  • ipa-kdb: add sentinel for LDAPDerefSpec allocation

  • ipa-kdb: avoid ENOMEM when all SIDs are filtered out

  • ipa-kdb: reinitialize LDAP configuration for known realms

  • Add SID blacklist attributes

  • ipa-kdb: read SID blacklist from LDAP

  • ipa-sam: Fill SID blacklist when trust is added

  • ipa-adtrust-install should ask for SID generation

  • Test NetBIOS name clash before creating a trust

  • Generalize AD GC search

  • Do not hide SID resolver error in group-add-member

  • Add support for AD users to hbactest command

  • Fix hbachelp examples formatting

  • ipa-kdb: remove memory leaks

  • ipa-kdb: fix retry logic in ipadb_deref_search

  • Add autodiscovery section in ipa-client-install man pages

  • Avoid internal error when user is not Trust admin

  • Use fixed test domain in realmdomains test

  • Bump FreeIPA version for development branch

  • Remove ORDERING for IA5 attributeTypes

  • Fix includedir directive in krb5.conf template

  • Use new 389-ds-base cleartext password API

  • Do not hide idrange-add errors when adding trust

  • Preserve order of servers in ipa-client-install

  • Avoid multiple client discovery with fixed server list

  • Update named.conf parser

  • Use tkey-gssapi-keytab in named.conf

  • Do not force named connections on upgrades

  • ipa-client discovery with anonymous access off

  • Use temporary CCACHE in ipa-client-install

  • Improve client install LDAP cert retrieval fallback

  • Configure ipa_dns DS plugin on install and upgrade

  • Fix structured DNS record output

  • Bump selinux-policy requires

  • Clean spec file for Fedora 19

  • Remove build warnings

  • Remove syslog.target from ipa.server

  • Put pid-file to named.conf

  • Update mod_wsgi socket directory

  • Normalize RA agent certificate

  • Require 389-ds-base 1.3.0.5

  • Change CNAME and DNAME attributes to single valued

  • Improve CNAME record validation

  • Improve DNAME record validation

  • Become 3.2.0 Prerelease 1

Petr Spacek (1):#

  • Add 389 DS plugin for special idnsSOASerial attribute handling

Petr Viktorin (101):#

  • Sort Options and Outputs in API.txt

  • Add the CA cert to LDAP after the CA install

  • Better logging for AdminTool and ipa-ldap-updater

  • Port ipa-replica-prepare to the admintool framework

  • Make ipapython.dogtag log requests at debug level, not info

  • Don’t add another nsDS5ReplicaId on updates if one already exists

  • Improve `ipa --help` output

  • Print help to stderr on error

  • Store the OptionParser in the API, use it to print unified help messages

  • Simplify `ipa help topics` output

  • Add command summary to `ipa COMMAND --help` output

  • Mention `ipa COMMAND --help` as the preferred way to get command help

  • Parse command arguments before creating a context

  • Add tests for the help command & --help options

  • In topic help text, mention how to get help for commands

  • Check SSH connection in ipa-replica-conncheck

  • Use ipauniqueid for the RDN of sudo commands

  • Prevent a sudo command from being deleted if it is a member of a sudo rule

  • Update sudocmd ACIs to use targetfilter

  • Add the version option to all Commands

  • Add ipalib.messages

  • Add client capabilities, enable messages

  • Rename the “messages” Output of the i18n_messages command to “texts”

  • Fix permission validation and normalization in aci.py

  • Remove csv_separator and csv_skipspace Param arguments

  • Drop support for CSV in the CLI client

  • Update argument docs to reflect dropped CSV support

  • Update plugin docstrings (topic help) to reflect dropped CSV support

  • cli: Do interactive prompting after a context is created

  • Remove some unused imports

  • Remove unused methods from Entry, Entity, and IPAdmin

  • Derive Entity class from Entry, and move it to ldapupdate

  • Use explicit loggers in ldap2 code

  • Move LDAPEntry to ipaserver.ipaldap and derive Entry from it

  • Remove connection-creating code from SchemaCache

  • Move the decision to force schema updates out of IPASimpleLDAPObject

  • Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap

  • Start LDAPConnection, a common base for ldap2 and IPAdmin

  • Make IPAdmin not inherit from IPASimpleLDAPObject

  • Move schema-related methods to LDAPConnection

  • Move DN handling methods to LDAPConnection

  • Move filter making methods to LDAPConnection

  • Move entry finding methods to LDAPConnection

  • Remove unused proxydn functionality from IPAdmin

  • Move entry add, update, remove, rename to LDAPConnection

  • Implement some of IPAdmin’s legacy methods in terms of LDAPConnection methods

  • Replace setValue by keyword arguments when creating entries

  • Use update_entry with a single entry in adtrustinstance

  • Replace entry.getValues() by entry.get()

  • Replace entry.setValue/setValues by item assignment

  • Replace add_s and delete_s by their newer equivalents

  • Change {add,update,delete}_entry to take LDAPEntries

  • Remove unused imports from ipaserver/install

  • Remove unused bindcert and bindkey arguments to IPAdmin

  • Turn the LDAPError handler into a context manager

  • Remove dbdir, binddn, bindpwd from IPAdmin

  • Remove IPAdmin.updateEntry calls from fix_replica_agreements

  • Remove IPAdmin.get_dns_sorted_by_length

  • Replace IPAdmin.checkTask by replication.wait_for_task

  • Introduce LDAPEntry.single_value for getting single-valued attributes

  • Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity

  • Replace entry.getValue by entry.single_value

  • Replace getList by a get_entries method

  • Remove toTupleList and attrList from LDAPEntry

  • Rename LDAPConnection to LDAPClient

  • Replace addEntry with add_entry

  • Replace deleteEntry with delete_entry

  • Fix typo and traceback suppression in replication.py

  • replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)

  • Inline inactivateEntry in its only caller

  • Inline waitForEntry in its only caller

  • Proxy LDAP methods explicitly rather than using __getattr__

  • Remove search_s and search_ext_s from IPAdmin

  • Replace IPAdmin.start_tls_s by an __init__ argument

  • Remove IPAdmin.sasl_interactive_bind_s

  • Remove IPAdmin.simple_bind_s

  • Remove IPAdmin.unbind_s(), keep unbind()

  • Use ldap instead of _ldap in ipaldap

  • Do not use global variables in migration.py

  • Use IPAdmin rather than raw python-ldap in migration.bind

  • Use IPAdmin rather than raw python-ldap in ipactl

  • Remove some uses of raw python-ldap

  • Improve LDAPEntry tests

  • Fix installing server with external CA

  • Change DNA magic value to -1 to make UID 999 usable

  • Move ipaldap to ipapython

  • Remove ipaserver/ipaldap.py

  • Use IPAdmin rather than raw python-ldap in ipa-client-install

  • Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py

  • Remove unneeded python-ldap imports

  • Don’t download the schema in ipadiscovery

  • ipa-server-install: Make temporary pin files available for the whole installation

  • ipa-server-install: Remove the --selfsign option

  • Remove unused ipapython.certdb.CertDB class

  • ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper

  • Trust CAs from PKCS#12 files even if they don’t have Friendly Names

  • dsinstance, httpinstance: Don’t hardcode ‘Server-Cert’

  • Support installing with custom SSL certs, without a CA

  • Load the CA cert into server NSS databases

  • Do not call cert-* commands in host plugin if a RA is not available

  • ipa-client-install: Do not request host certificate if server is CA-less

Petr Vobornik (38):#

  • Make confirm_dialog a base class of revoke and restore certificate dialogs

  • Make confirm_dialog a base class for deleter dialog

  • Make confirm_dialog a base class for message_dialog

  • Confirm mixin

  • Confirm adder dialog by enter

  • Confirm error dialog by enter

  • Focus last dialog when some is closed

  • Confirm association dialogs by enter

  • Standardize login password reset, user reset password and host set OTP dialogs

  • Focus first input element after ‘Add and Add another’

  • Enable mod_deflate

  • Use Uglify.js for JS optimization

  • Dojo Builder

  • Config files for builder of FreeIPA UI layer

  • Minimal Dojo layer

  • Web UI development environment directory structure and configuration

  • Web UI Sync development utility

  • Move of Web UI non AMD dep. libs to libs subdirectory

  • Move of core Web UI files to AMD directory

  • Update JavaScript Lint configuration file

  • AMD config file

  • Change Web UI sources to simple AMD modules

  • Updated makefiles to build FreeIPA Web UI layer

  • Change tests to use AMD loader

  • Fix BuildRequires: rhino replaced with java-1.7.0-openjdk

  • Develop.js extended

  • Allow to specify modules for which builder doesn’t raise dependency error

  • Web UI build profile updated

  • Combobox keyboard support

  • Fix dirty state update of editable combobox

  • Fix handling of no_update flag in Web UI

  • Web UI: configurable SID blacklists

  • Web UI: Certificate pages

  • Web UI: Choose different search option for cert-find

  • Fixed Web UI build error caused by rhino changes in F19

  • Nestable checkbox/radio widget

  • Added Web UI support for service PAC type option: NONE

  • Web UI: Disable cert functionality if a CA is not available

Rob Crittenden (16):#

  • Convert uniqueMember members into DN objects.

  • Add Ana Krivokapic to Contributors.txt

  • Do SSL CA verification and hostname validation.

  • Don’t initialize NSS if we don’t have to, clean up unused cert refs

  • Update anonymous access ACI to protect secret attributes.

  • Make certmonger a (pre) requires on server, restart it before upgrading

  • Use new certmonger locking to prevent NSS database corruption.

  • Improve migration performance

  • Add LDAP server fallback to client installer

  • Prevent a crash when no entries are successfully migrated.

  • Implement the cert-find command for the dogtag CA backend.

  • Add missing v3 schema on upgrades, fix typo in schema.

  • Don’t base64-encode the CA cert when uploading it during an upgrade.

  • Extend ipa-replica-manage to be able to manage DNA ranges.

  • Improve some error handling in ipa-replica-manage

  • Fix lockout of LDAP bind.

Simo Sorce (2):#

  • Log info on failure to connect

  • Upload CA cert in the directory on install

Sumit Bose (17):#

  • ipa-kdb: remove unused variable

  • ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()

  • ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()

  • ipa-kdb: Dereference after null check in ipa_kdb_mspac.c

  • ipa-lockout: Wrong sizeof argument in ipa_lockout.c

  • ipa-extdom: Double-free in ipa_extdom_common.c

  • ipa-pwd: Unchecked return value ipapwd_chpwop()

  • Revert “MS-PAC: Special case NFS services”

  • Add NFS specific default for authorization data type

  • ipa-kdb: Read global default ipaKrbAuthzData

  • ipa-kdb: Read ipaKrbAuthzData with other principal data

  • ipa-kdb: add PAC only if requested

  • Add unit test for get_authz_data_types()

  • Mention PAC issue with NFS in service plugin doc

  • Allow ‘nfs:NONE’ in global configuration

  • Add support for cmocka C-Unit Test framework

  • ipa-pwd-extop: do not use dn until it is really set

Timo Aaltonen (1):#

  • convert the base platform modules into packages

Tomas Babej (18):#

  • Relax restriction for leading/trailing whitespaces in *-find commands

  • Forbid overlapping rid ranges for the same id range

  • Fix a typo in ipa-adtrust-install help

  • Prevent integer overflow when setting krbPasswordExpiration

  • Add option to specify SID using domain name to idrange-add/mod

  • Prevent changing protected group’s name using --setattr

  • Use default.conf as flag of IPA client being installed

  • Make sure appropriate exit status is returned in make-test

  • Make options checks in idrange-add/mod consistent

  • Add trusted domain range objectclass when using idrange-mod

  • Perform secondary rid range overlap check for local ranges only

  • Add support for re-enrolling hosts using keytab

  • Make sure uninstall script prompts for reboot as last

  • Remove implicit Str to DN conversion using *-attr

  • Enforce exact SID match when adding or modifying a ID range

  • Allow host re-enrollment using delegation

  • Add logging to join command

  • Properly handle ipa-replica-install when its zone is not managed by IPA

Sumit Bose (1):#

  • ipa-kdb: Free talloc autofree context when module is closed

Version 3.1.5 (06/03/2013)#

Alexander Bokovoy (1):

  • Fix cldap parser to work with a single equality filter (NtVer=…)

Martin Kosek (1):#

  • Become IPA 3.1.5

Petr Viktorin (1):#

  • Remove leading zero from IPA_NUM_VERSION

Simo Sorce (2):#

  • CLDAP: Fix domain handling in netlogon requests

  • CLDAP: Return empty reply on non-fatal errors

Version 3.1.4 (05/07/2013)#

Alexander Bokovoy (1):#

  • Enhance ipa-adtrust-install for domains with multiple IPA servers

Ana Krivokapic (8):#

  • Add mkhomedir option to ipa-server-install and ipa-replica-install

  • Remove CA cert on client uninstall

  • Remove HBAC source hosts from web UI

  • Remove any reference to HBAC source hosts from help

  • Deprecate HBAC source hosts from CLI

  • Handle missing /etc/ipa in ipa-client-install

  • Fix the spec file

  • Add missing permissions to Host Administrators privilege

Jan Cholasta (7):#

  • Do actually stop pki_cad in stop_pkicad instead of starting it.

  • Use only one URL for OCSP and CRL in IPA certificate profile.

  • Use A/AAAA records instead of CNAME records in ipa-ca.

  • Delete DNS records in ipa-ca on ipa-csreplica-manage del.

  • Do not use new LDAP API in old code.

  • Use correct zone when removing DNS records of a master.

  • Add support for OpenSSH 6.2.

Martin Kosek (4):#

  • Require 389-ds-base 1.3.0.5

  • Add userClass attribute for hosts

  • Update pki proxy configuration

  • Become IPA 3.1.4

Petr Viktorin (2):#

  • Display full command documentation in online help

  • Use two digits for each part of NUM_VERSION

Rob Crittenden (3):#

  • Handle socket.gethostbyaddr() exceptions when verifying hostnames.

  • Drop uniqueMember mapping with nss-pam-ldapd.

  • Specify the location for the agent PKCS#12 file so we don’t have to move it.

Sumit Bose (1):#

  • ipa-pwd-extop: do not use dn until it is really set

Tomas Babej (2):#

  • Properly handle ipa-replica-install when its zone is not managed by IPA

  • Allow underscore in record targets

Version 3.1.3 (03/26/2013)#

Alexander Bokovoy (2):#

  • ipasam: use base scope when fetching domain information about own domain

  • Process exceptions when talking to Dogtag

Ana Krivokapic (6):#

  • Take into consideration services when deleting replicas

  • Add list of domains associated to our realm to cn=etc

  • Remove check for alphabetic only characters from domain name validation

  • Fix internal error for ipa show-mappings

  • Realm Domains page

  • Use default NETBIOS name in unattended ipa-adtrust-install

Jakub Hrozek (1):#

  • Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir

Jan Cholasta (6):#

  • Pylint cleanup.

  • Raise ValidationError on invalid CSV values.

  • Run interactive_prompt callbacks after CSV values are split.

  • Fix remove while iterating in suppress_netgroup_memberof.

  • Remove disabled entries from sudoers compat tree.

  • Fix internal error in output_for_cli method of sudorule_{enable,disable}.

Martin Kosek (33):#

  • Fix migration for openldap DS

  • Remove unused krbV imports

  • Use fully qualified CCACHE names

  • Fix permission_find test error

  • Add trustconfig-show and trustconfig-mod commands

  • ipa-kdb: add sentinel for LDAPDerefSpec allocation

  • ipa-kdb: avoid ENOMEM when all SIDs are filtered out

  • ipa-kdb: reinitialize LDAP configuration for known realms

  • Add SID blacklist attributes

  • ipa-kdb: read SID blacklist from LDAP

  • ipa-sam: Fill SID blacklist when trust is added

  • ipa-adtrust-install should ask for SID generation

  • Test NetBIOS name clash before creating a trust

  • Generalize AD GC search

  • Do not hide SID resolver error in group-add-member

  • Add support for AD users to hbactest command

  • Fix hbachelp examples formatting

  • ipa-kdb: remove memory leaks

  • ipa-kdb: fix retry logic in ipadb_deref_search

  • Add autodiscovery section in ipa-client-install man pages

  • Avoid internal error when user is not Trust admin

  • Use fixed test domain in realmdomains test

  • Remove ORDERING for IA5 attributeTypes

  • Fix includedir directive in krb5.conf template

  • Preserve order of servers in ipa-client-install

  • Avoid multiple client discovery with fixed server list

  • Fix client discovery crash

  • ipa-client discovery with anonymous access off

  • Use temporary CCACHE in ipa-client-install

  • Improve client install LDAP cert retrieval fallback

  • Configure ipa_dns DS plugin on install and upgrade

  • Bump selinux-policy requires

  • Become 3.1.3

Petr Spacek (1):#

  • Add 389 DS plugin for special idnsSOASerial attribute handling

Petr Viktorin (23):#

  • Add the CA cert to LDAP after the CA install

  • Port ipa-replica-prepare to the admintool framework

  • Don’t add another nsDS5ReplicaId on updates if one already exists

  • Improve `ipa --help` output

  • Print help to stderr on error

  • Store the OptionParser in the API, use it to print unified help messages

  • Simplify `ipa help topics` output

  • Add command summary to `ipa COMMAND --help` output

  • Mention `ipa COMMAND --help` as the preferred way to get command help

  • Parse command arguments before creating a context

  • Add tests for the help command & --help options

  • In topic help text, mention how to get help for commands

  • Check SSH connection in ipa-replica-conncheck

  • Use ipauniqueid for the RDN of sudo commands

  • Prevent a sudo command from being deleted if it is a member of a sudo rule

  • Update sudocmd ACIs to use targetfilter

  • Add the version option to all Commands

  • Add ipalib.messages

  • Add client capabilities, enable messages

  • Rename the “messages” Output of the i18n_messages command to “texts”

  • Fix permission validation and normalization in aci.py

  • cli: Do interactive prompting after a context is created

  • Fix installing server with external CA

Petr Vobornik (36):#

  • Make confirm_dialog a base class of revoke and restore certificate dialogs

  • Make confirm_dialog a base class for deleter dialog

  • Make confirm_dialog a base class for message_dialog

  • Confirm mixin

  • Confirm adder dialog by enter

  • Confirm error dialog by enter

  • Focus last dialog when some is closed

  • Confirm association dialogs by enter

  • Standardize login password reset, user reset password and host set OTP dialogs

  • Focus first input element after ‘Add and Add another’

  • Enable mod_deflate

  • Use Uglify.js for JS optimization

  • Dojo Builder

  • Config files for builder of FreeIPA UI layer

  • Minimal Dojo layer

  • Web UI development environment directory structure and configuration

  • Web UI Sync development utility

  • Move of Web UI non AMD dep. libs to libs subdirectory

  • Move of core Web UI files to AMD directory

  • Update JavaScript Lint configuration file

  • AMD config file

  • Change Web UI sources to simple AMD modules

  • Updated makefiles to build FreeIPA Web UI layer

  • Change tests to use AMD loader

  • Fix BuildRequires: rhino replaced with java-1.7.0-openjdk

  • Develop.js extended

  • Allow to specify modules for which builder doesn’t raise dependency error

  • Web UI build profile updated

  • Combobox keyboard support

  • Fix dirty state update of editable combobox

  • Fix handling of no_update flag in Web UI

  • Web UI: configurable SID blacklists

  • Web UI: Certificate pages

  • Web UI: Choose different search option for cert-find

  • Added Web UI support for service PAC type option: NONE

  • Load extension.js after UI AMD modules.

Rob Crittenden (10):#

  • Make certmonger a (pre) requires on server, restart it before upgrading

  • Use new certmonger locking to prevent NSS database corruption.

  • Better logging for AdminTool and ipa-ldap-updater

  • Improve migration performance

  • Add LDAP server fallback to client installer

  • Prevent a crash when no entries are successfully migrated.

  • Implement the cert-find command for the dogtag CA backend.

  • Add missing v3 schema on upgrades, fix typo in schema.

  • Don’t base64-encode the CA cert when uploading it during an upgrade.

  • Improve some error handling in ipa-replica-manage

Sumit Bose (7):#

  • ipa-kdb: remove unused variable

  • ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()

  • ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()

  • ipa-kdb: Dereference after null check in ipa_kdb_mspac.c

  • ipa-lockout: Wrong sizeof argument in ipa_lockout.c

  • ipa-extdom: Double-free in ipa_extdom_common.c

  • ipa-pwd: Unchecked return value ipapwd_chpwop()

Tomas Babej (13):#

  • Fix a typo in ipa-adtrust-install help

  • Prevent integer overflow when setting krbPasswordExpiration

  • Add option to specify SID using domain name to idrange-add/mod

  • Prevent changing protected group’s name using --setattr

  • Use default.conf as flag of IPA client being installed

  • Make sure appropriate exit status is returned in make-test

  • Make options checks in idrange-add/mod consistent

  • Add trusted domain range objectclass when using idrange-mod

  • Perform secondary rid range overlap check for local ranges only

  • Make sure uninstall script prompts for reboot as last

  • Remove implicit Str to DN conversion using *-attr

  • Enforce exact SID match when adding or modifying a ID range

  • Add logging to join command

Sumit Bose (1):#

  • ipa-kdb: Free talloc autofree context when module is closed

Version 3.1.2 (01/23/2013)#

Alexander Bokovoy (1):#

  • Update plugin to upload CA certificate to LDAP

Ana Krivokapic (1):#

  • Raise ValidationError for incorrect subtree option.

John Dennis (1):#

  • Use secure method to acquire IPA CA certificate

Martin Kosek (5):#

  • permission-find no longer crashes with --targetgroup

  • Avoid CRL migration error message

  • Sort LDAP updates properly

  • Upgrade process should not crash on named restart

  • Installer should not connect to 127.0.0.1

Rob Crittenden (5):#

  • Convert uniqueMember members into DN objects.

  • Do SSL CA verification and hostname validation.

  • Don’t initialize NSS if we don’t have to, clean up unused cert refs

  • Update anonymous access ACI to protect secret attributes.

  • Become IPA 3.1.2

Simo Sorce (1):#

  • Upload CA cert in the directory on install

Version 3.1.1 (01/08/2013)#

JR Aquino (1):#

  • Allow PKI-CA Replica Installs when CRL exceeds default maxber value

John Dennis (1):#

  • Cookie Expires date should be locale insensitive

Lynn Root (2):#

  • Fixed the catch of the hostname option during ipa-server-install

  • Raise ValidationError when CSR does not have a subject hostname

Martin Kosek (4):#

  • Add Lynn Root to Contributors.txt

  • Enable SSSD on client install

  • Fix delegation-find command --group handling

  • Do not crash when Kerberos SRV record is not found

Rob Crittenden (1):#

  • Become IPA 3.1.1

Simo Sorce (1):#

  • Log info on failure to connect

Tomas Babej (2):#

  • Relax restriction for leading/trailing whitespaces in *-find commands

  • Forbid overlapping rid ranges for the same id range

Version 3.0.2 (12/11/2012)#

Alexander Bokovoy (3):#

  • ipasam: better Kerberos error handling in ipasam

  • trusts: replace use of python-crypto by m2crypto

  • Propagate kinit errors with trust account

Jakub Hrozek (4):#

  • Make enabling the autofs service more robust

  • ipachangeconf: allow specifying non-default delimiter for options

  • Specify includedir in krb5.conf on new installs

  • Add the includedir to krb5.conf on upgrades

John Dennis (1):#

  • Compliant client side session cookie behavior

Lubomir Rintel (1):#

  • Drop unused readline import

Martin Kosek (5):#

  • Prepare spec file for Fedora 18

  • Filter suffix in replication management tools

  • Change network configuration file

  • Improve ipa-replica-prepare error message

  • Fix sshd feature check

Petr Viktorin (2):#

  • Provide explicit user name for Dogtag installation scripts

  • Add Lubomir Rintel to Contributors.txt

Petr Vobornik (4):#

  • WebUI: Change of default value of type of new group back to POSIX

  • Editable sshkey, mac address field after upgrade

  • Better licensing information of 3rd party code

  • Better error message for login of users from other realms

Rob Crittenden (5):#

  • Honor the kdb options disabling KDC writes in ipa_lockout plugin

  • Only update the list of running services in the installer or ipactl.

  • Set min for selinux-policy to 3.11.1-60

  • Reorder XML-RPC initialization in ipa-join to avoid segfault.

  • Become IPA 3.0.2

Simo Sorce (1):#

  • MS-PAC: Special case NFS services

Sumit Bose (3):#

  • Lookup the user SID in external group as well

  • Restart sssd after authconfig update

  • Do not recommend how to configure DNS in error message

Tomas Babej (1):#

  • Add detection for users from trusted/invalid realms

Version 3.1.0 (12/10/2012)#

Ade Lee (1):#

  • Changes to use a single database for dogtag and IPA

Alexander Bokovoy (8):#

  • ipa-kdb: Support Windows 2012 Server

  • Remove bogus check for smbpasswd

  • Warn about DNA plugin configuration when working with local ID ranges

  • Resolve external members from trusted domain via Global Catalog

  • Clarify trust-add help regarding multiple runs against the same domain

  • ipasam: better Kerberos error handling in ipasam

  • trusts: replace use of python-crypto by m2crypto

  • Propagate kinit errors with trust account

Endi Sukma Dewata (1):#

  • Configuring CA with ConfigParser.

Jakub Hrozek (5):#

  • ipa-client-automount: Add the autofs service if it doesn’t exist yet

  • Make enabling the autofs service more robust

  • ipachangeconf: allow specifying non-default delimiter for options

  • Specify includedir in krb5.conf on new installs

  • Add the includedir to krb5.conf on upgrades

Jan Cholasta (1):#

  • Reword description of the --passsync option of ipa-replica-manage.

John Dennis (2):#

  • log dogtag errors

  • Compliant client side session cookie behavior

Lubomir Rintel (1):#

  • Drop unused readline import

Martin Kosek (18):#

  • Update SELinux policy for dogtag10

  • Bump 389-ds-base minimum in our spec file

  • Add OCSP and CRL URIs to certificates

  • Stop and disable conflicting time&date services

  • Create reverse zone in unattended mode

  • Add fallback for httpd restarts on sysV platforms

  • Report ipa-upgradeconfig errors during RPM upgrade

  • Avoid uninstalling dependencies during package lifetime

  • Remove serverctrls and clientctrls options from rename_s

  • Use common encoding in modlist generation

  • Process relative nameserver DNS record correctly

  • Do not require resolvable nameserver in DNS install

  • Disable global forwarding per-zone

  • Prepare spec file for Fedora 18

  • Filter suffix in replication management tools

  • Change network configuration file

  • Improve ipa-replica-prepare error message

  • Fix sshd feature check

Nikolai Kondrashov (1):#

  • Add uninstall command hints to ipa-*-install

Petr Viktorin (12):#

  • Fix schema replication from old masters

  • Use correct Dogtag configuration in get_pin and get_ca_certchain

  • Update certmap.conf on IPA upgrades

  • Properly stop tracking certificates on uninstall

  • Provide ‘protocol’ argument to IPAdmin

  • Make ipa-csreplica-manage work with both merged and non-merged DBs

  • Use DN objects for Dogtag configuration

  • ipautil.run: Log the command line before running the command

  • ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check

  • Make sure the CA is running when starting services

  • Provide explicit user name for Dogtag installation scripts

  • Add Lubomir Rintel to Contributors.txt

Petr Vobornik (7):#

  • Simpler instructions to generate certificate

  • Fixed incorrect link to browser config after session expiration

  • Web UI: disable global forwarding per zone

  • WebUI: Change of default value of type of new group back to POSIX

  • Editable sshkey, mac address field after upgrade

  • Better licensing information of 3rd party code

  • Better error message for login of users from other realms

Rob Crittenden (16):#

  • Enable transactions by default, make password and modrdn TXN-aware

  • Become IPA 3.1.0

  • Password change in a transaction, ensure passwords are truly expired

  • Don’t configure a reverse zone if not desired in interactive installer.

  • Fix requesting certificates that contain subject altnames.

  • Improve error messages in ipa-replica-manage.

  • Close connection after each request, avoid NSS shutdown problem.

  • The SECURE_NFS value needs to be lower-case yes on SysV systems.

  • After uninstall see if certmonger is still tracking any of our certs.

  • Wait for the directory server to come up when updating the agent certificate.

  • Set MLS/MCS for user_u context to what will be on remote systems.

  • Handle the case where there are no replicas with list-ruv

  • Honor the kdb options disabling KDC writes in ipa_lockout plugin

  • Only update the list of running services in the installer or ipactl.

  • Set min for selinux-policy to 3.11.1-60

  • Reorder XML-RPC initialization in ipa-join to avoid segfault.

Simo Sorce (7):#

  • Add support for using AES for cross-realm TGTs

  • Preserve original service_name in services

  • Save service name on service startup

  • Get list of service from LDAP only at startup

  • Revert “Save service name on service startup”

  • Save service name on service startup/shutdown

  • MS-PAC: Special case NFS services

Sumit Bose (7):#

  • Fix various issues found by Coverity

  • extdom: handle INP_POSIX_UID and INP_POSIX_GID requests

  • Restart httpd if ipa-server-trust-ad is installed or updated

  • ipa-adtrust-install: allow to reset the NetBIOS domain name

  • Lookup the user SID in external group as well

  • Restart sssd after authconfig update

  • Do not recommend how to configure DNS in error message

Tomas Babej (5):#

  • Forbid overlapping primary and secondary rid ranges

  • Refactoring of default.conf man page

  • Make service naming in ipa-server-install consistent

  • IPA Server check in ipa-replica-manage

  • Add detection for users from trusted/invalid realms

Version 3.0.1 (11/09/2012)

Alexander Bokovoy (4):

  • Remove bogus check for smbpasswd

  • Warn about DNA plugin configuration when working with local ID ranges

  • Resolve external members from trusted domain via Global Catalog

  • Clarify trust-add help regarding multiple runs against the same domain

Jakub Hrozek (1):

  • ipa-client-automount: Add the autofs service if it doesn’t exist yet

Jan Cholasta (1):

  • Reword description of the --passsync option of ipa-replica-manage.

John Dennis (1):

  • log dogtag errors

Martin Kosek (9):

  • Create reverse zone in unattended mode

  • Add fallback for httpd restarts on sysV platforms

  • Report ipa-upgradeconfig errors during RPM upgrade

  • Avoid uninstalling dependencies during package lifetime

  • Remove servertrls and clientctrls options from rename_s

  • Use common encoding in modlist generation

  • Process relative nameserver DNS record correctly

  • Do not require resolvable nameserver in DNS install

  • Disable global forwarding per-zone

Nikolai Kondrashov (1):

  • Add uninstall command hints to ipa-*-install

Petr Viktorin (3):

  • ipautil.run: Log the command line before running the command

  • ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check

  • Make sure the CA is running when starting services

Petr Vobornik (2):

  • Simpler instructions to generate certificate

  • Fixed incorrect link to browser config after session expiration

Rob Crittenden (11):

  • Use TLS for CA replication

  • Don’t configure a reverse zone if not desired in interactive installer.

  • Fix requesting certificates that contain subject altnames.

  • Improve error messages in ipa-replica-manage.

  • Close connection after each request, avoid NSS shutdown problem.

  • The SECURE_NFS value needs to be lower-case yes on SysV systems.

  • After uninstall see if certmonger is still tracking any of our certs.

  • Wait for the directory server to come up when updating the agent certificate.

  • Set MLS/MCS for user_u context to what will be on remote systems.

  • Handle the case where there are no replicas with list-ruv

  • Become IPA 3.0.1

Simo Sorce (6):

  • Add support for using AES for cross-realm TGTs

  • Preserve original service_name in services

  • Save service name on service startup

  • Get list of service from LDAP only at startup

  • Revert “Save service name on service startup”

  • Save service name on service startup/shutdown

Sumit Bose (4):

  • Fix various issues found by Coverity

  • extdom: handle INP_POSIX_UID and INP_POSIX_GID requests

  • Restart httpd if ipa-server-trust-ad is installed or updated

  • ipa-adtrust-install: allow to reset the NetBIOS domain name

Tomas Babej (4):

  • Forbid overlapping primary and secondary rid ranges

  • Refactoring of default.conf man page

  • Make service naming in ipa-server-install consistent

  • IPA Server check in ipa-replica-manage

Version 3.0.0 GA (10/15/2012)

Alexander Bokovoy (7):

  • support multi-line error messages in exceptions

  • Handle NotFound exception when establishing trust

  • Fix wrong RID for Domain Admins in the examples of trust commands

  • Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install

  • Make sure samba{,4}-winbind-krb5-locator package is not used with trusts

  • Add instructions support to PublicError

  • Use PublicError instructions support for trust-add case when domain is not found

Jan Cholasta (1):

  • Do not show full SSH public keys in command output by default.

Martin Kosek (3):

  • Minor fixes for default SMB group

  • Move CRL publish directory to IPA owned directory

  • Fix CA CRL migration crash in ipa-upgradeconfig

Petr Viktorin (4):

  • ipa-upgradeconfig: Remove the upgrade_httpd_selinux function

  • replica-install: Don’t copy Firefox config extension files if they’re not in the replica file

  • Create Firefox extension on upgrade and replica-install

  • Pull translation files from Transifex

Petr Vobornik (1):

  • Add mime type to httpd ipa.conf for xpi extension

Rob Crittenden (6):

  • Add uniqueness plugin configuration for sudorule cn

  • Set renewal time for the CA audit certificate to 720 days.

  • Fix CS replication management.

  • Configure the initial CA as the CRL generator.

  • Explicitly disable betxn plugins for the time being.

  • Become IPA 3.0.0

Simo Sorce (2):

  • Fix trust attributes for ipa trust-add

  • Use stricter requirement for krb5-server

Sumit Bose (2):

  • ipa-adtrust-install: create fallback group with ldif file

  • ipadb: reload trust information if domain is not known

Tomas Babej (1):

  • Notify user about necessary ports in ipa-client-install

Version 3.0.0 RC 2 (10/08/2012)

Alexander Bokovoy (3):

  • Make sure external group members are listed for the external group

  • Change the way SID comparison is done for belonging to trusted domain

  • Support python-ldap 2.3 way of making LDAP control

Martin Kosek (9):

  • Use custom zonemgr for reverse zones

  • Validate SELinux users in config-mod

  • Improve StrEnum validation error message

  • Add support for unified samba packages

  • Improve DN usage in ipa-client-install

  • Index ipakrbprincipalalias and ipaautomountkey attributes

  • Do not produce unindexed search on every DEL command

  • Only use service PAC type as an override

  • Fill ipakrbprincipalalias on upgrades

Petr Viktorin (4):

  • Always handle NotFound error in dnsrecord-mod

  • Don’t use bare except: clauses in ipa-client-install

  • Fix NS records in installation

  • Wait for secure Dogtag ports when starting the pki services

Petr Vobornik (5):

  • Kerberos authentication extension

  • Kerberos authentication extension makefiles

  • Build and installation of Kerberos authentication extension

  • Configuration pages changed to use new FF extension

  • Removal of delegation-uris instruction from browser config

Rob Crittenden (3):

  • Fix python syntax in ipa-client-automount

  • Clear kernel keyring in client installer, save dbdir on new connections

  • Become IPA v3 RC 2 (3.0.0.rc2)

Sumit Bose (12):

  • Add man page paragraph about running ipa-adtrust-install multiple times

  • Enhance description of --no-msdcs in man page

  • Add --rid-base and --secondary-rid-base to ipa-adtrust-install man page

  • ipa-adtrust-install: remove wrong check for dm_password

  • ipa-adtrust-install: Add fallback group

  • ipa-adtrust-install: replace print with self.print_msg

  • ipasam: add fallback primary group

  • Add SIDs for existing users and groups at the end of ipa-adtrust-install

  • Avoid ldapmodify error messages during ipa-adtrust-install

  • ipa-adtrust-install: print list of needed SRV records

  • Add new ipaIDobject to DNA plugin configuration

  • ipasam: generate proper SID for trusted domain object

Tomas Babej (2):

  • Improve user addition to default group in user-add

  • Restrict admins group modifications

Version 3.0.0 RC 1 (09/26/2012)

Ade Lee (1):

  • Modifications to install scripts for dogtag 10

Alexander Bokovoy (5):

  • Add verification of the AD trust

  • validate SID for trusted domain when adding/modifying ID range

  • Fix error messages and use proper ImportError for dcerpc import

  • Add documentation for ‘ipa trust’ set of commands

  • Document use of external group membership

Jan Cholasta (3):

  • Add the SSH service to SSSD config file before trying to activate it.

  • Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration.

  • SSHPublicKey.fingerprint_dns_sha1 should return unicode value.

Martin Kosek (8):

  • Fix addattr internal error

  • Add attributeTypes to safe schema updater

  • Amend memberAllowCmd and memberDenyCmd attribute types

  • Run index task in ldap updater only when needed

  • Expand Referential Integrity checks

  • Properly convert DN in ipa-client-install

  • Use default reverse zone consistently

  • Fix idrange plugin help

Petr Viktorin (7):

  • ipa-client-install: Obtain host TGT from one specific KDC

  • Fix server installation

  • Use temporary key cache for host key in server installation

  • Update the pot file (translation source)

  • Use Dogtag 10 only when it is available

  • Only stop the main DS instance when upgrading it

  • Use correct Dogtag port in ipaserver.install.certs

Petr Vobornik (4):

  • Prevent opening of multiple dirty dialogs on navigation

  • JSON serialization of long type

  • Show trust status in add success notification

  • Fix integer validation when boundary value is empty string

Rob Crittenden (3):

  • Set SELinux default context to unconfined_u:s0-s0:c0.c1023

  • Run the CLEANALLRUV task when deleting a replication agreement.

  • When deleting a master, try to prevent orphaning other servers.

Sumit Bose (3):

  • ipasam: Fixes build with samba4 rc1

  • Set master_kdc and dns_lookup_kdc to true

  • Update krb5.conf during ipa-adtrust-install

Tomas Babej (2):

  • Make sure selinuxusemap behaves consistently to HBAC rule

  • Improves sssd.conf handling during ipa-client uninstall

Yuri Chornoivan (1):

  • Fix various typos.

Version 3.0.0 Beta 3 (09/10/2012)

Alexander Bokovoy (4):

  • Recover from invalid cached kerberos credentials in ipasam

  • Fix ipasam ipaNThash magic regen to actually fetch updated password

  • Add ACI to allow regenerating ipaNTHash from ipasam

  • Ask for admin password in ipa-adtrust-install

Jan Cholasta (1):

  • Use OpenSSH-style public keys as the preferred format of SSH public keys.

John Dennis (4):

  • DN objects hash differently depending on case

  • ipactl exception not handled well

  • ipa user-find --manager does not find matches

  • prevent last admin from being disabled

Martin Kosek (12):

  • Read DM password from option in external CA install

  • Fix client-only build

  • Fix managedBy label for DNS zone

  • Update Contributors.txt file

  • Make replica install more robust

  • Add safe updates for objectClasses

  • Allow localhost in zone ACIs

  • Transfer long numbers over XMLRPC

  • Fix DNS SOA serial parameters boundaries

  • Add range safety check for range_mod and range_del

  • Update DNS zone allow-query validation test

  • Cast DNS SOA serial maximum boundary to long

Petr Viktorin (3):

  • Internationalization for public errors

  • Run ntpdate in verbose mode, not debug (i.e. no-op) mode

  • Add nsds5ReplicaStripAttrs to replica agreements

Petr Vobornik (15):

  • Range Web UI

  • Revert change causing failure in test automation

  • Fix issue which broke setup of Web UI unit tests

  • Successful action notification

  • Password policy paging with proper sorting

  • Fixed search in HBAC test

  • Permissions: select only applicable options on type change

  • Notify success on add, delete and update

  • Fixed metadata serialization of Numbers and DNs

  • Added decimal checks to metadata validator

  • Generated metadata for testing updated

  • Fixed problem while deleting entry with unsaved changes

  • Allow localhost in zone ACIs - Web UI

  • Update of confirmation of actions

  • Reflect API change of SSH store in Web UI

Rob Crittenden (8):

  • Don’t generate password history error if history is set to 0.

  • Restrict the SELinux user map user MLS value to 0-1023

  • Support the new Winsync POSIX API.

  • Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.

  • Add version to replica prepare file, prevent installing to older version

  • Set the e-mail attribute using the default domain name by default

  • Fix some restart script issues found with certificate renewal.

  • Become IPA v3 beta 3 (3.0.0.pre3)

Sumit Bose (27):

  • Use libsamba-security instead of libsecurity

  • ipadb_iterate(): handle match_entry == NULL

  • ipasam: cleanup explicit dependencies to samba libs

  • Make encode_ntlm_keys() public

  • ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so

  • ipasam: remove sid_peek_rid()

  • ipasam: replace strnequal()

  • ipasam: remove strlower_m()

  • ipasam: remove talloc_asprintf_strupper_m()

  • ipasam: replace sid_copy()

  • ipasam: replace sid_compose()

  • ipasam: Replace is_null_sid()

  • ipasam: Replace dom_sid_compare_domain()

  • ipasam: Replace sid_check_is_our_sam()

  • ipasam: Replace sid_peek_check_rid()

  • ipasam: Replace global_sid_Builtin

  • ipasam: add libsss_idmap context and replace string_to_sid()

  • ipasam: replace get_global_sam_sid()

  • ipasam: remove fetch_ldap_pw()

  • ipasam: replace trim_char() with trim_string()

  • Rename range CLI to idrange

  • IDRange CLI: allow to work without arguments

  • IDRange CLI: Add documentation

  • Do not create trust if murmur hash is not available and base-id not given

  • Trust CLI: Return more details when searching trusts

  • Trust CLI: return more details of added trust

  • Trust CLI: mark trust-mod for future use

Tomas Babej (5):

  • Adds dependency on samba4-winbind.

  • Improves deletion of PTR records in ipa host-del

  • Fixes different behaviour of permission-mod and show.

  • Change slapi_mods_init in ipa_winsync_pre_ad_mod_user_mods_cb

  • Sort policies numerically in pwpolicy-find

Version 3.0.0 Beta 2 (08/17/2012)

Alexander Bokovoy (11):

  • ipasam: improve SASL bind callback

  • Use smb.conf ‘dedicated keytab file’ parameter instead of hard-coded value

  • reduce redundant checks in ldapsam_search_users() to a single statement

  • ipalib/plugins/trust.py: ValidationError takes ‘error’ named argument, not ‘reason’

  • Handle various forms of admin accounts when establishing trusts

  • Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam

  • Rework task naming in LDAP updates to avoid conflicting names in certain cases

  • When ipaNTHash is missing, ask IPA to generate it from kerberos keys

  • Ensure ipa-adtrust-install is run with Kerberos ticket for admin user

  • Handle exceptions when establishing trusts

  • Add internationalization to DCE RPC code

David Spångberg (1):

  • Indirect roles in WebUI

Gowrishankar Rajaiyan (1):

  • Adding exit status 3 & 4 to ipa-client-install man page

Jan Cholasta (2):

  • Add --{set,add,del}attr options to commands which are missing them.

  • Raise Base64DecodeError instead of ConversionError when base64 decoding fails in Bytes parameters.

John Dennis (2):

  • Use DN objects instead of strings

  • Installation fails when CN is set in certificate subject base

Martin Kosek (12):

  • Do not change LDAPObject objectclass list

  • Add automount map/key update permissions

  • Fix ipa-managed-entries man page typo

  • Improve address family handling in sockets

  • Enable SOA serial autoincrement

  • Add range-mod command

  • Warn user if an ID range with incorrect size was created

  • Print ipa-ldap-updater errors during RPM upgrade

  • Enforce CNAME constraints for DNS commands

  • Avoid redundant info message during RPM update

  • Bump bind-dyndb-ldap version for F18

  • Fix winsync agreements creation

Petr Viktorin (7):

  • Fix batch command error reporting

  • Fix wrong option name in ipa-managed-entries man page

  • Fix updating minimum_connections in ipa-upgradeconfig

  • Framework for admin/install tools, with ipa-ldap-updater

  • Arrange stripping .po files

  • Update translations

  • Create /etc/sysconfig/network if it doesn’t exist

Petr Vobornik (31):

  • Moved configuration to last position in navigation

  • Display loginas information only after login

  • Password policy measurement units.

  • Web UI: kerberos ticket policy measurement units

  • Add and remove dns per-domain permission in Web UI

  • Differentiation of widget type and text_widget input type

  • Fixed display of attributes_widget in IE9

  • Bigger textarea for permission type=subtree

  • IDs and names for dialogs

  • Fix autoscroll to top in tables in IE

  • Fixed: Unable to select option in combobox in IE and Chrome

  • Fixed: Unable to select option in combobox in IE and Chrome

  • Fixed: combobox stacking in service adder dialog

  • PAC Type options for services in Web UI

  • Update to jquery.1.7.2.min

  • Update to jquery-ui-1.8.21.custom

  • Fix for incorrect event handler definition

  • Removal of unnecessary overrides of jquery-ui styles

  • Unified buttons

  • Web UI tests fix

  • Fixed incorrect use of jQuery.attr for setting disabled attribute

  • Replace use of attr with prop for booleans

  • Add external group

  • Make group external

  • Make group posix

  • Display group type

  • Attribute facet

  • Group external member facet

  • Read-only external facet for non-external groups

  • Handle case when trusted domain user accesses the Web UI

  • Disable caching of Web UI login_kerberos request

  • Update other facets on delete from search page

Rob Crittenden (12):

  • Centralize timeout for waiting for servers to start.

  • Make client server option multi-valued, allow disabling DNS discovery

  • Don’t hardcode serial_autoincrement to True.

  • Support per-principal sessions and handle session update failures

  • Default to no when trying to install a replica on wrong server.

  • Fix validator for SELinux user map settings in config plugin.

  • Use certmonger to renew CA subsystem certificates

  • Add per-service option to store the types of PAC it supports

  • Convert PKCS#11 subject to string before passing to ipapython.DN

  • Use DN object for Directory Manager in ipa-replica-manage connect command

  • Raise proper exception when given a bad DN attribute.

  • Validate default user in ordered list when using setattr, require MLS

Simo Sorce (14):

  • Fix wrong check after allocation.

  • Fix safety checks to prevent orphaning replicas

  • Fix detection of deleted masters

  • Add libtalloc-devel as spec file BuildRequire

  • Add all external samba libraries to BuildRequires

  • Do not check for DNA magic values

  • Move code into common krb5 utils

  • Improve loops around slapi mods

  • Add special modify op to regen ipaNTHash

  • Move mspac structure to be a private pointer

  • Load list of trusted domain on connecting to ldap

  • Properly name function to add ipa external groups

  • Split out manipulation of logon_info blob

  • Add PAC filtering

Sumit Bose (4):

  • Allow silent build if available

  • ipasam: fixes for clang warnings

  • ipasam: replace testing code

  • Fix typo

Tomas Babej (5):

  • Adds check for ipa-join.

  • Permissions of replica files changed to 0600.

  • Handle SSSD restart crash more gently.

  • Corrects help description of selinuxusermap.

  • Improves exception handling in ipa-replica-prepare.

Version 3.0.0 Beta 1 (07/02/2012)

The development of 3.0 occurred simultaneously with 2.2.0 so there is some overlap.

Adam Young (10):

  • enable proxy for dogtag

  • split metadata call

  • Make mod_nss renegotiation configuration a public function

  • Execute pki proxy setup when server is upgraded if needed

  • Force the upgrade of pki-setup when upgrading the RPMS

  • Fix dynamic display of UI tabs based on rights

  • remove enrolled column

  • Add priority to pwpolicy list

  • Remove delegation from browser config

  • ignore generated services file.

Alexander Bokovoy (61):

  • Propagate environment when it is required.

  • Incorrect name in examples of ipa help hbactest

  • Unroll groups when testing HBAC rules

  • Convert server install code to platform-independent access to system services

  • Convert client-side tools to platform-independent access to system services

  • Convert installation tools to platform-independent access to system services

  • Cleanup whitespace

  • Introduce platform-specific adaptation for services used by FreeIPA.

  • When external host is specified in HBAC rule, allow its use in simulation

  • Unroll StrEnum values when displaying help

  • Configure pam_krb5 on the client only if sssd is not configured

  • Setup and restore ntp configuration on the client side properly

  • Fix ‘referenced before assignment’ warning

  • Before kinit, try to sync time with the NTP servers of the domain we are joining

  • Increase number of ‘getent passwd attempts’ to 10

  • Force kerberos realm to be a string

  • Include indirect membership and canonicalize hosts during HBAC rules testing

  • Refactor backup_and_replace_hostname() into a flexible config modification tool

  • Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool

  • Refactor authconfig use in ipa-client-install

  • Document --preserve-sssd option of ipa-client-install

  • Use set class instead of dictview class as set is wider supported

  • hbactest fails while you have svcgroup in hbacrule

  • Add support for systemd environments and use it to support Fedora 16

  • Spin for connection success also when socket is not (yet) available

  • Update spec file to use systemd on Fedora 16 and above

  • Quote multiple workers option

  • Check for Python.h during build of py_default_encoding extension

  • Add configure check for libintl.h

  • Create directories for client install

  • Add “Extending FreeIPA” developer guide

  • Small fix to the guide CSS: enable vertical scroll bar

  • Rename included snippets to avoid problems with pylint

  • Fix dependency for samba4-devel package

  • Merge branch ‘master’ of git+ssh://git.fedorahosted.org/git/freeipa

  • Check through all LDAP servers in the domain during IPA discovery

  • Validate sudo RunAsUser/RunAsGroup arguments

  • Allow hbactest to work with HBAC rules exceeding default IPA limits

  • Add management of inifiles to allow manipulation of systemd units

  • Handle upgrade issues with systemd in Fedora 16 and above

  • Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore

  • When changing multiple booleans with setsebool, pass each of them separately.

  • Add separate attribute to store trusted domain SID

  • Use dedicated keytab for Samba

  • Add trust management for Active Directory trusts

  • Use fully qualified PDC name when contacting for extended DN information

  • Perform case-insensitive searches for principals on TGS requests

  • Properly handle multiple IP addresses per host when installing trust support

  • Restart KDC after installing trust support to allow MS PAC generation

  • Add trust-related ACIs

  • get_fqdn() moved to ipaserver.installutils

  • ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba

  • Add python-crypto to build requires for AD server-side code

  • Move AD trust support code to freeipa-server-trust-ad subpackage

  • restart dirsrv as part of ipa-adtrust-install

  • Re-format ipa-adtrust-install final message to be within 80 characters wide

  • Use correct SID attribute for trusted domains

  • Rename ‘ipa trust-add-ad’ to ‘ipa trust-add --type=ad’

  • Support requests for DOMAIN$ account for trusted domains in ipasam module

  • Add error condition handling to the SASL bind callback in ipasam

  • Add support for external group members

Endi S. Dewata (105):

  • Fixed browser configuration pages

  • Hide activation/deactivation link from regular users.

  • Fixed problem selecting value from combobox

  • Fixed inconsistent layout for password reset dialog.

  • Removed ‘Hide already enrolled’ checkbox.

  • Replaced page dirty dialog title.

  • Updated add and delete association dialog titles.

  • Removed unnecessary HBAC/sudo rule category modification.

  • Fixed command partial failure handling.

  • Fixed default map type in automount map adder dialog.

  • Fixed host OTP status.

  • Fixed host keytab status after setting OTP.

  • Fixed host adder dialog to show default DNS zone.

  • Fixed hard-coded UI messages.

  • Fixed problem adding hostgroup into netgroup.

  • Fixed problem with combobox.

  • Fixed hard-coded UI message in entity.js.

  • Fixed missing permission filter field.

  • Fixed problem with combobox using Sahi

  • Fixed unit test for entity select widget.

  • Fixed layout problem in permission adder dialog.

  • Fixed sudo rule association dialogs.

  • Fixed missing optional field.

  • Fixed labels for run-as users and groups.

  • Fixed problem opening host adder dialog.

  • Removed entitlement menu.

  • Fixed posix group checkbox.

  • Fixed columns in HBAC/sudo rules list pages.

  • Removed HBAC rule type.

  • Fixed missing cancel button in unprovisioning dialog.

  • Fixed problem enabling/disabling DNS zone.

  • Fixed problem enrolling member with the same name.

  • Modified dialog to use sections.

  • Removed undo flags from dialog field specs.

  • Fixed problem on combobox with search limit.

  • Fixed problem displaying special characters.

  • Updated DNS zone details page.

  • Replaced description text fields with text areas.

  • Fixed add/delete arrows position.

  • Fixed duplicate entries in enrollment dialog.

  • Updated color scheme.

  • Fixed tab and dialog widths.

  • Use editable combobox for service type.

  • Disable enroll button if nothing selected.

  • Fixed missing default shell field.

  • I18n clean-up.

  • Disable sudo options Delete button if nothing selected.

  • Added confirmation when adding multiple entries.

  • Added selectable labels for radio buttons.

  • Fixed dependency problem in UI test.

  • Fixed inconsistent required/optional attributes.

  • Removed HBAC deny rule warning.

  • Fixed host Enrolled column.

  • Fixed problem clearing validation error on checkboxes.

  • Fixed “enroll” labels.

  • Merged widget’s metadata and param_info.

  • Refactored validation code.

  • Fixed inconsistent image names.

  • Fixed inconsistent details facet validation.

  • Added password field in user adder dialog.

  • Fixed blank krbtpolicy and config pages.

  • Moved facet code into facet.js.

  • Added extensible UI framework.

  • Added current password field.

  • Fixed problem changing page in association facet.

  • Updated sample data.

  • Added paging on search facet.

  • Refactored permission target section.

  • Removed develop.js.

  • Added commands into metadata.

  • Refactored entity object resolution.

  • Fixed ipa.js for sessions.

  • Fixed entity definition in test cases.

  • Added support for radio buttons in table widget.

  • Fixed entity metadata resolution.

  • Refactored facet.load().

  • Added HBAC Test page.

  • Fixed navigation buttons for HBAC Test.

  • Fixed search filter in HBAC Test.

  • Added external fields for HBAC Test.

  • Fixed CSS for HBAC Test

  • Fixed I18n labels for HBAC Test

  • Fixed matched/unmatched checkboxes in HBAC Test

  • Added HBAC Test input validation.

  • Fixed problem loading DNS records.

  • Fixed unmatched checkbox name.

  • Fixed combobox icon position.

  • Fixed combobox search icon position.

  • Reload UI when the user changes.

  • Reload UI on server upgrade.

  • Added account status into user search facet.

  • Added policies into user details page.

  • Load user data and policies in a single batch.

  • Added instructions to generate CSR.

  • Fixed problem removing automount keys and DNS records.

  • Enabled paging on self-service permissions and delegations.

  • Enabled paging on automount keys.

  • Show disabled entries in gray.

  • Fixed inconsistent status labels.

  • Fixed host managed-by adder dialog.

  • Added icons for status column.

  • Hide Add/Delete buttons in self-service mode.

  • Use fixed font when displaying certificate.

  • Show password expiration date.

  • Fixed boot.ldif permission.

JR Aquino (5):

  • Create Tool for Enabling/Disabling Managed Entry Plugins

  • Replication: Adjust replica installation to omit processing memberof computations

  • Improve sudorule documentation

  • Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

  • Move Managed Entries into their own container in the replicated space.

Jan Cholasta (42):

  • Make sure messagebus is running prior to starting certmonger.

  • Verify that passwords specified through command line options of ipa-server-install meet the length requirement.

  • Add option to install without the automatic redirect to the Web UI.

  • Search for users in all the naming contexts present on the directory server.

  • Add subscription-manager dependency for RHEL.

  • Verify that the external CA certificate files are correct.

  • Check that install hostname matches the server hostname.

  • Fix client install on IPv6 machines.

  • Fix ipa-replica-prepare always warning the user about not using the system hostname.

  • Validate name_from_ip parameter of dnszone.

  • Add a function for formatting network locations of the form host:port for use in URLs.

  • Work around pkisilent bugs.

  • Disallow deletion of global password policy.

  • Don’t leak passwords through kdb5_ldap_util command line arguments.

  • Remove more redundant configuration values from krb5.conf.

  • Finalize plugin initialization on demand.

  • Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the “csv” option to True.

  • Fix make-lint crash under certain circumstances.

  • Fix attempted write to attribute of read-only object.

  • Add LDAP schema for SSH public keys.

  • Add LDAP ACIs for SSH public key schema.

  • Add support for SSH public keys to user and host objects.

  • Add API initialization to ipa-client-install.

  • Move the nsupdate functionality to separate function in ipa-client-install.

  • Update host SSH public keys on the server during client install.

  • Configure ssh and sshd during ipa-client-install.

  • Base64-decode unicode values in Bytes parameters.

  • Add SSH service to platform-specific services.

  • Move the compat module from ipalib to ipapython.

  • Configure SSH features of SSSD in ipa-client-install.

  • Wait for child process to terminate after receiving SIGINT in ipautil.run.

  • Parse zone indices in IPv6 addresses in CheckedIPAddress.

  • Fix uses of O=REALM instead of the configured certificate subject base.

  • Fix the procedure for getting default values of command parameters.

  • Change parameters to use only default_from for dynamic default values.

  • Check whether the default user group is POSIX when adding new user with --noprivate.

  • Check configured maximum user login length on user rename.

  • Fix internal error when renaming user with an empty string.

  • Refactor exc_callback invocation.

  • Set the “KerberosAuthentication” option in sshd_config to “no” instead of “yes”.

  • Redo boolean value encoding.

  • SSH configuration fixes.

John Dennis (38):

  • DN objects should support the insert method

  • Test DN object non-latin Unicode support

  • convert unittests to use DN objects

  • invalid i18n string in dns.py

  • update LINGUAS file, add missing po files

  • Update all po files

  • compute accurate translation statistics

  • add documentation validation to makeapi tool

  • internationalize help topics

  • internationalize cli help framework

  • improve i18n docstring extraction

  • Fix Spanish po translation file

  • Unable to Download Certificate with Browser

  • Add log manager module

  • modify codebase to utilize IPALogManager, obsoletes logging

  • IPAdmin undefined anonymous parameter lists

  • subclass SimpleLDAPObject

  • Restore default log level in server to INFO

  • If “make rpms” fails so will the next make

  • Remove old RPMROOT contents before it is used for rpmbuild

  • update i18n pot file for branch master

  • Add ipa_memcached service

  • add session manager and cache krb auth

  • Update pot file and list of explicit Python files needing translation

  • pulled new po files from Transifex

  • update translation pot file

  • Tweak the session auth to reflect developer consensus.

  • Implement session activity timeout

  • Implement password based session login

  • Log a message when returning non-success HTTP result

  • Replace broken i18n shell test with Python test

  • improve handling of ds instances during uninstall

  • Use indexed format specifiers in i18n strings

  • text unit test should validate using installed mo file

  • Validate DN & RDN parameters for migrate command

  • don’t append basedn to container if it is included

  • Fix name error in hbactest

  • validate i18n strings when running “make lint”

Lars Sjostrom (1):

  • Add discovery domain if client domain is different from server domain

Marko Myllynen (2):

  • include <stdint.h> for uintptr_t

  • Don’t remove /tmp when removing temp cert dir

Martin Kosek (171):

  • Add missing attribute labels for sudorule

  • Fix automountkey-mod

  • Fix automountlocation-import conflicts

  • ipa-client-install breaks network configuration

  • Fix sudo help and summaries

  • Let Bind track data changes

  • Improve man pages structure

  • Improve ipa-join man page

  • Fix permissions in installers

  • Fix configure.jar permissions

  • Set bind and bind-dyndb-ldap min nvr

  • Fix pylint false positive in hbactest module

  • ipactl does not stop dirsrv

  • dirsrv is not stopped correctly in the fallback

  • Remove checks for ds-replication plugin

  • Fix /usr/bin/ipa dupled server list

  • Revert “Always require SSL in the Kerberos authorization block.”

  • Fix error messages in hbacrule

  • Fix LDAPCreate search failure

  • Fix HBAC tests hostnames

  • ipa-client assumes a single namingcontext

  • migrate process cannot handle multivalued pkey attribute

  • Be more clear about selfsign option

  • Install tools crash when password prompt is interrupted

  • Improve ipa-replica-prepare DNS check

  • Prevent collisions of hostgroup and netgroup

  • Make sure ipa-client-install returns correct error code

  • Improve default user/group object class validation

  • Fix i18n in config plugin

  • Fix dnszone-add name_from_ip server validation

  • Improve handling of GIDs when migrating groups

  • ipa-client-install hangs if the discovered server is unresponsive

  • Optimize member/memberof searches in LDAP

  • Make IPv4 address parsing more strict

  • Check hostname resolution sanity

  • Hostname used by IPA must be a system hostname

  • Check /etc/hosts file in ipa-server-install

  • Fix ipa-client-install -U option alignment

  • Improve hostgroup/netgroup collision checks

  • Fix client krb5 domain mapping and DNS

  • Add --zonemgr/--admin-mail validator

  • Fix ipa-managed-entries password option long form

  • Create pkey-only option for find commands

  • Fix ipa-server-install answer cache

  • Fix ipa-replica-conncheck port labels

  • Allow custom server backend encoding

  • Fix DNS zone --allow-dynupdate option behavior

  • Improve DNS record data validation

  • Polish ipa config help

  • Hosts file not updated when IP is passed as option

  • Fix API.txt

  • Fix LDAP object parameter encoding

  • Remove redundant information from API.txt

  • Fix ipa-managed-entries bind procedure

  • Let PublicError accept Gettext objects

  • Fix coverity issues in client CLI tools

  • Enable automember for upgraded servers

  • Make ipa-server-install clean after itself

  • Add --delattr option to complement --setattr/--addattr

  • Revert “Add DNS service records for Windows”

  • Improve zonemgr validator and normalizer

  • Change default DNS zone manager to hostmaster

  • Fix config migration option

  • Ask for user confirmation in ipa-server-install

  • Add connection failure recovery to IPAdmin

  • Add DNS check to conncheck port probe

  • Refactor dnsrecord processing

  • Fix Parameter csv parsing

  • Improve CLI output for complex commands

  • Create per-type DNS API

  • Fix maxvalue in DNS plugin

  • Fix LDAP add calls in replication module

  • Prevent service restart failures in ipa-replica-install

  • Fix LDAP updates in ipa-replica-install

  • Let replicas install without DNS

  • Restore ACI when aci_mod fails

  • Add missing --pkey-only option for selfservice and delegation

  • Replace float with Decimal

  • Improve host-add error message

  • Fix ipa-server-install for dual NICs

  • Fix selfservice-find crashes

  • Mark optional DNS record parts

  • Fix ldap2 combine_filters for ldap2.MATCH_NONE

  • Add missing managing hosts filtering options

  • Improve netgroup-add error messages

  • Fix TXT record parsing

  • Fix NSEC record conversion

  • Add SRV record target validator

  • Add data field for A6 record

  • Improve dnszone-add error message

  • Improve migration help

  • Fix raw format for ACI commands

  • Improve password change error message

  • Remove debug messages

  • Add argument help to CLI

  • Return proper DN in netgroup-add

  • Remove unused options from ipa-managed-entries

  • Add Petr Viktorín to Contributors.txt

  • Ease zonemgr restrictions

  • Update schema for bind-dyndb-ldap

  • Global DNS options

  • Query and transfer ACLs for DNS zones

  • Add DNS conditional forwarding

  • Add API for PTR sync control

  • Add gidnumber minvalue

  • Add reverse DNS record when forward is created

  • Sanitize UDP checks in conncheck

  • Add client hostname requirements to man

  • Add SSHFP update policy for existing zones

  • Improve dns error message

  • Improve dnsrecord-add interactive mode

  • Improve hostname and domain name validation

  • Improve FQDN handling in DNS and host plugins

  • Improve hostname verification in install tools

  • Fix typos in ipa-replica-manage man page

  • Remove memberPrincipal for deleted replicas

  • Fix encoding for setattr/addattr/delattr

  • Add help for new structured DNS framework

  • Improve dnsrecord interactive help

  • Ignore case in yes/no prompts

  • Refresh resolvers after DNS install

  • Fix migration plugin compat check

  • Fix ipa-replica-manage TLS connection error

  • Treat UPGs correctly in winsync replication

  • Allow port numbers for idnsForwarders

  • Add missing global options in dnsconfig

  • Fix precallback validators in DNS plugin

  • Harden raw record processing in DNS plugin

  • Fix LDAP effective rights control with python-ldap 2.4.x

  • Avoid deleting DNS zone when a context is reused

  • Fix default SOA serial format

  • Amend permissions for new DNS attributes

  • Improve user awareness about dnsconfig

  • Fix dnsrecord-del interactive mode

  • Tolerate UDP port failures in conncheck

  • Improve automount indirect map error message

  • Forbid public access to DNS tree

  • Configure SELinux for httpd during upgrades

  • Fix installation when server hostname is not in a default domain

  • Return correct record name in DNS plugin

  • Fix dnsrecord_add interactive mode

  • Fix DNS and permissions unit tests

  • Raise proper exception when LDAP limits are exceeded

  • Do not fail migration because of duplicate groups

  • Fix help of --hostname option in ipa-client-install

  • Sort password policies properly with --pkey-only

  • Improve error message in zonemgr validator

  • Make ipa 2.2 client capable of joining an older server

  • Fix python Requires in Fedora 17 build

  • Remove ipa-server-install LDAP update errors

  • Remove LDAP limits from DNS service

  • Replace DNS client based on acutil with python-dns

  • Fix default_server configuration in ipapython.config

  • Reset krbtpolicy when a unit test is finished

  • Add rename option for DNS records

  • permission-find missed some results with --pkey-only option

  • Allow relative DNS name in NS validator

  • Fill new DNS zone update policy by default

  • Improve migration NotFound error

  • Fix dnszone-mod --forwarder option help string

  • Add sysupgrade state file

  • Enable persistent search by default

  • Enable psearch on upgrades

  • Only set sebools when necessary

  • Password change capability for form-based auth

  • Remove trust work unit test failures

  • Decimal parameter conversion and normalization

  • Remove ipaNTHash from global allow ACI

  • Add missing libsss_idmap Requires on freeipa-server-trust-ad

  • Per-domain DNS record permissions

  • Create default range entry after upgrade

Nalin Dahyabhai (5):

  • list users from nested groups, too

  • note that PKCS#12 files also contain private keys, and that the “pkinit” options refer to the KDC’s credentials

  • index the fqdn and macAddress attributes for the sake of the compat plugin

  • create a “cn=computers” compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes

  • add a pair of ethers maps for computers with hardware addresses on file

Ondrej Hamada (26):

  • Misleading Keytab field

  • Client install root privileges check

  • Sort password policy by priority

  • Client install checks for nss_ldap

  • User-add random password support

  • HBAC test optional sourcehost option

  • localhost.localdomain clients refused to join

  • Leave nsds5replicaupdateschedule parameter unset

  • Fix ‘no-reverse’ option description

  • Memberof attribute control and update

  • Validate attributes in permission-add

  • Migration warning when compat enabled

  • ipa-client-install not calling authconfig

  • More exception handlers in ipa-client-install

  • Search allowed attributes in superior objectclasses

  • Typos in FreeIPA messages

  • Netgroup nisdomain and hosts validation

  • Confusing default user groups

  • Unable to rename permission object

  • Fix empty external member processing

  • Allow one letter net/hostgroups names

  • permission-mod prompts for all parameters

  • ipa-server-install reword message

  • Always set ipa_hostname for sssd.conf

  • Case sensitive renaming of objects

  • Change random passwords behaviour

Petr Viktorin (60):

  • Switch --group and --membergroup in example for delegation

  • Fix/add options in ipa-managed-entries man page

  • Honor default home directory and login shell in user_add

  • Clean up i18n strings

  • Internationalization for HBAC and ipalib.output

  • Make ipausers a non-posix group on new installs

  • Add extra checking function to XMLRPC test framework

  • Add common helper for interactive prompts

  • Make sure the nolog argument to ipautil.run is not a bare string

  • Use stricter semantics when checking IP address for DNS records

  • Use reboot from /sbin

  • Allow removing sudo commands with special characters from command groups

  • Enforce that required attributes can’t be set to None in CRUD Update

  • Mark most config options as required

  • Don’t crash when searching with empty relationship options

  • Remove ipausers’ gidnumber from tests

  • Use nose tools to check for exceptions

  • Only split CSV in the client, quote instead of escaping

  • Add missing BuildRequires

  • Use valid argument names in tests

  • Add CLI parsing tests

  • Allow multi-line CSV parameters

  • Move test skipping to class setup

  • Fix little test errors

  • Test the batch plugin

  • Defer conversion and validation until after --{add,del,set}attr are handled

  • Limit permission and selfservice names to alphanumerics, -, _, space

  • Convert --setattr values for attributes marked no_update

  • Fix expected error messages in tests

  • Remove pattern_errmsg from API.txt

  • Pass make-test arguments through to Nose

  • Document the ‘nonempty’ flag

  • Additional tests for pwpolicy

  • Update hostname validator error messages in tests

  • Do not use extra command options in the automount plugin

  • Do not crash on empty reverse member options

  • Do not crash on empty --setattr, --getattr, --addattr

  • Don’t fail when adding default objectclasses using config-mod

  • Remove duplicate and unused utility code

  • Validate externalhost (when added by --addattr/--setattr)

  • Do not use extra command options in ACI, permission, selfservice

  • Check for empty/single value parameters before calling callbacks

  • Disallow ‘<’ and non-ASCII characters in the DM password

  • Fix the pwpolicy_find post_callback

  • Disallow setattr on no_update/no_create params

  • Provide a better error message when deleting nonexistent attributes

  • Move install script error handling to a common function

  • Add more automount tests

  • Add samba4-python to BuildRequires

  • Prevent deletion of the last admin

  • Only allow root to run update plugins

  • Clean keytabs before installing new keys into them

  • Fix update plugin order

  • Rework the CallbackInterface

  • Improve ipa-client-install debug output

  • Improve autodiscovery logging

  • Fail on unknown Command options

  • Typo fixes

  • Improve output validation

  • Explicitly filter options that permission-{add,mod} passes to aci-{add,mod}

Petr Vobornik (158):

  • error dialog for batch command

  • Uncheck checkboxes in association after deletion

  • Show error in adding associations

  • Validation of details facet before update https://fedorahosted.org/freeipa/ticket/1676 The ticket is a duplicate of server error, but it revealed few UI errors.

  • Modify serial associator to use batch

  • Modifying sudo options refreshes the whole page

  • Enable update and reset button only if dirty

  • Attributes table not scrollable

  • Fixed: JavaScript type error in entitlement page

  • Fixed inconsistency in enabling delete buttons

  • Code cleanup: widget creation

  • Fixed: Column header for attributes table should be full width

  • Fixed: Enrolment dialog offers to add entity to reflexive association.

  • Fixed: Some widgets do not have space for validation error message

  • Disables gid field if not posix group in group adder dialog

  • Fixed links to images in config and migration pages

  • Split Web UI initialization to several smaller calls #2

  • Split Web UI initialization to several smaller calls

  • Added missing fields to password policy page

  • Fixed: Unable to add external user for RunAs User for Sudo rules

  • Circular entity dependency

  • Fixed: Duplicate CSS definitions

  • Fixing infinite loop in UI navigation unit test.

  • Minor visual enhancement of required indicator

  • Page is cleared before it is visible

  • Field for DNS SOA class changed to combobox with options

  • Extending facet’s mechanism of gathering changes

  • Added cross browser support of Array.indexOf method

  • Splitting widget into widget and field

  • Splitting basic widgets into visual widgets and fields

  • Improved fields dirty status detection logic

  • Builders and collections for fields and widgets

  • Removing sections as special type of object

  • Added possibility to define facet/dialog specific policies

  • Modifying users to work with new concept

  • Modifying hosts to work with new concept

  • Modifying dns to work with new concept

  • Modifying services to work with new concept

  • Separation of writable update from field load method

  • Modifying ACI to work with new concept

  • Modifying groups to work with new concept

  • Code cleanup of HBAC, Sudo rules

  • Changing definition of basic fields in section from factory to type

  • Modifying automount to work with new concept

  • Fixed unit tests after widget refactoring

  • Removed usage of bitwise assignment operators in logical operations

  • Search facets show translated boolean values

  • Better displaying of long names in tables and facet headers

  • Additional better displaying of long names

  • Reordered facets in ACI

  • Association facets are read only in self service

  • Added facet tabs coloring

  • Fixed displaying of external records in rule association widgets

  • Distinguishing of external values in association tables

  • Better table column width computing

  • Fixed labels in Sudo, HBAC rules

  • Parsing of IPv4 and IPv6 addresses

  • Added support of custom field validators

  • Added validation logic to multivalued text field

  • Added client-side validation of A and AAAA DNS records

  • Fixed IPv6 validation special case: single colon

  • Added support for memberof attribute in permission

  • Added IP address validator to Host and DNS record adder dialog

  • Fixed entity link disabling

  • Fixed content type check in login_password

  • Improved usability of login dialog

  • Removed CSV creation from UI

  • Fixed mask validation in network_validator

  • Fixed checkbox value in table without pkey

  • Certificate serial number in hex format - ui testing data

  • Fixed evaluating checkbox dirty status

  • Better hbactest validation message

  • Content is no more overwritten by error message

  • Show_content on refresh success

  • Fixed rpm build warning - extension.js listed twice

  • Add support of new options in dnsconfig

  • DNS forwarder validator

  • Added mac address to host page

  • Facet expiration flag

  • Inter-facet expiration

  • Reworked netgroup Web UI to allow setting user/host category

  • Fixed: permission attrs table didn’t update its available options on load

  • Added attrs field to permission for target=subtree

  • DNS forward policy: checkboxes changed to radio buttons

  • Removed mutex option from checkboxes

  • Removal of memberofindirect_permissons from privileges

  • User is notified that password needs to be reset in forms-based login

  • Added permission field to delegation

  • Paging disable for password policies

  • General builder support

  • Action lists

  • Control buttons

  • Redefined details control buttons

  • Redefined search control buttons

  • Hide search facet add/delete buttons in self-service

  • Batch action for search page control buttons

  • General details facet actions

  • Consistent change of entry status.

  • Instructions to generate cert use certutil instead of openssl

  • Host page fixed to work with disabled DNS support

  • Improved calculation of max pkey length in facet header

  • Correction of nested search facets tab labels

  • Refactored action list and control buttons to use shared list of actions

  • Refactored entities to use changed actions concept

  • Action panel

  • User password widget modified.

  • Action panel for user

  • Added missing i18n in action list and action panel

  • Add shadow to dialog

  • Enable reset password action according to attribute permission

  • Added cancel button to service unprovision dialog

  • Removal of illegal options in JSON-RPC calls

  • Added links to netgroup member tables

  • Text widget’s dirty state is changed on various input methods

  • Change json serialization to serialize useful data

  • Removal of illegal options in association dialog

  • Update of serverconfig ipaconfigstring options

  • Action panel for host enrollment

  • Action panel for service provisioning

  • Separate reset password page

  • Added password reset capabilities to unauthorized dialog

  • Set network.http.sendRefererHeader to 2 on browser config

  • Custom Web UI error message for IPA error 911

  • Trust Web UI

  • Same password validator

  • Action panel for certificates

  • Web UI password is going to expire in n days notification

  • Refactored association facet to use facet buttons with actions

  • Continuation of removing of not supported command options from Web UI

  • UI for SELinux user mapping

  • Added refresh button for UI

  • Modifying DNS UI to benefit from new DNS API

  • Added paging to DNS record search facet

  • Navigation and redirection to various facets

  • Automember UI

  • Automember UI - default groups

  • Automember UI - Fixed I18n labels

  • Removed question marks from field labels

  • UI support for ssh keys

  • Redirection to PTR records from A,AAAA records

  • Fixed problem when attributes_widget was displaying empty option

  • Added missing configuration options

  • Static metadata update - new DNS options

  • New checkboxes option: Mutual exclusive

  • DNS Zone UI: added new attributes

  • DNS UI: added A,AAAA create reverse options to adder dialog

  • Fixed displaying of A6 Record

  • New UI for DNS global configuration

  • Moved is_empty method from field to IPA object

  • Making validators to return true result if empty

  • Fixed DNS record add handling of 4304 error

  • Added unsupported_validator

  • Fixed redirection in Add and edit in automember hostgroup.

  • Fixed selection of single value in combobox

  • Multiple fields for one attribute

  • Added attrs to permission when target is group or filter

  • Added logout button

  • Forms based authentication UI

Rob Crittenden (191):

  • Add information on setting api.env.host in the ipactl.8 man page

  • Log each command in a batch separately.

  • Do batch logging on successful commands too, not just failures.

  • Fix wording in examples of delegation plugin.

  • Suppress 389-ds debug output when starting services

  • Fix thread deadlock by using pthreads library instead of NSPR.

  • Change the way has_keytab is determined, also check for password.

  • Add additional pam ftp services to HBAC, and a ftp HBAC service group

  • Add label for HBAC services to show as members

  • Add option to only prompt once for passwords, use in entitle_register

  • Retrieve password/keytab state when modifying a host.

  • Disable reverse lookups in ipa-join and ipa-getkeytab

  • Remove more 389-ds files/directories on uninstallation.

  • Remove 389-ds upgrade state during uninstall

  • Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505

  • Add common is_installed() fn, better uninstall logging, check for errors.

  • Add external source hosts to HBAC.

  • Roll back changes if client installation fails.

  • Add netgroup as possible memberOf for hostgroups

  • Sort lists so order is predictable and tests pass as expected.

  • Suppress managed netgroups from showing as memberof hostgroups.

  • Use the IPA server cert profile in the installer.

  • Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605

  • Don’t allow a OTP to be set on an enrolled host

  • Remove normalizer that made role, privilege and permission names lower-case

  • Improved handling for ipa-pki-proxy.conf

  • The precedence on the modrdn plugin was set in the wrong location.

  • Update ipa-ldap-updater man page saying it is not an end-user utility

  • Skip the cert validator if the csr we are passed in is a valid filename

  • Change the Requires for the server and server-selinux for proper order

  • Suppress managed netgroups as indirect members of hosts.

  • The return value of restorecon is not reliable, ignore it.

  • Normalize uid in user principal to lower-case and do validation

  • Shut down duplicated file handle when HTTP response code is not 200.

  • Don’t log one-time password in logs when configuring client.

  • Always require SSL in the Kerberos authorization block.

  • Include failed service and service groups in hbac rule management

  • Add regular expression pattern to host names.

  • Detect CA installation type in ipa-replica-prepare and ipa-ca-install.

  • Require current password when using passwd to change your own password.

  • Migration: don’t assume there is only one naming context, add logging.

  • When calculating indirect membership don’t test nesting on users and hosts.

  • Fix DNS permissions and membership in privileges

  • Fix upgrades of selfsign server

  • Make ipa-join work against an LDAP server that disallows anon binds

  • Fix has_upg() to work with relocated managed entries configuration.

  • Work around limits not being updatable in 389-ds.

  • Save the value of hostname even if it doesn’t appear in /etc/sysconfig/network

  • Add explicit instructions to ipa-replica-manage for winsync replication

  • Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324)

  • Handle an empty value in a name/value pair in config_replace_variables()

  • Update all LDAP configuration files that we can.

  • If our domain is already configured in sssd.conf start with a new config.

  • Fix typo in invalid PTR record error message

  • Fix problems in help system

  • Fix nis netgroup config entry so users appear in netgroup triple.

  • Don’t allow default objectclass list to be empty.

  • Remove calls to has_managed_entries()

  • Fix copy/paste error in parameter description.

  • Add Ondrej Hamada to Contributors.txt

  • Don’t check for 389-instances.

  • Clarify usage of --posix argument in group plugin.

  • Add plugin framework to LDAP updates.

  • Fix some issues introduced when rebasing update patch

  • Remove extraneous trailing single quote in nis.uldif

  • Mark some attributes required to match the schema.

  • Use absolute paths when trying to find certmonger request id.

  • Reorder privileges so that memberof for permissions are generated properly

  • Add SELinux user mapping framework.

  • Require an HTTP Referer header in the server. Send one in ipa tools.

  • Display the value of memberOf ACIs in permission plugin.

  • Fix two typos in role help.

  • Configure s4u2proxy during installation.

  • Document the ping plugin.

  • Catch exception when trying to list missing managed entries definitions

  • Fix some typos in automember help and parameters.

  • Add labels so HBAC and Sudo rules show under hosts/hostgroups.

  • Use correct template variable for hosts, FQDN.

  • In sudo when the category is all do not allow members, and vice versa.

  • Update and package ipa-upgradeconfig man page.

  • Fix deletion of HBAC Rules when there are SELinux user maps defined

  • Add support for storing MAC address in host entries.

  • Don’t try to bind on TLS failure

  • Check for the existence of a replication agreement before deleting it.

  • %ghost the UI files that we install/create on the fly

  • Make submount automount maps work.

  • Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.

  • Consolidate external member code into two functions in baseldap.py

  • Make ipaconfigstring modifiable by users.

  • Don’t use sets when calculating the modlist so order is preserved.

  • Add update files for SELinuxUserMap

  • Add update file for new schema in v2.2/3.0

  • Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf

  • Don’t set delegation flag in client, we’re using S4U2Proxy now

  • Update S4U2proxy delegation list when creating replicas

  • Correct update syntax in 30-s4u2proxy.update

  • Remove Apache ccache on upgrade.

  • Add S4U2Proxy delegation permissions on upgrades

  • Disable false pylint error in freeipa-systemd-upgrade

  • Enable ipa_memcached when upgrading

  • Configure ipa_memcached when a replica is installed.

  • Use FQDN in place of FQHN for consistency in sub_dict.

  • Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.

  • Limit the change password permission so it can’t change admin passwords

  • Don’t allow “Modify Group membership” permission to manage admins

  • Add the -v option to sslget to provide more verbose errors

  • Make sure memberof is in replication attribute exclusion list.

  • Don’t check for schema uniqueness when comparing in ldapupdate.

  • Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag

  • Don’t allow IPA master hosts or important services be deleted.

  • Catch public exceptions when creating the LDAP context in WSGI.

  • Don’t consider virtual attributes when validating custom objectclasses

  • Add Requires to ipa-client on oddjob-mkhomedir

  • Fix managing winsync replication agreements with ipa-replica-manage

  • Check for duplicate winsync agreement before trying to set one up.

  • Remove unused kpasswd.keytab and ldappwd files if they exist.

  • Make sure 389-ds is running when adding memcache service in upgrade.

  • Don’t run restorecon if SELinux is disabled or not present.

  • Limit allowed characters in a netgroup name to alpha, digit, -, _ and .

  • Don’t call memberof task when re-initializing a replica.

  • Fix bad merge of not calling memberof task when re-initializing a replica

  • Add support defaultNamingContext and add --basedn to migrate-ds

  • Fix nested netgroups in NIS.

  • Warn that deleting replica is irreversible, try to detect reconnection.

  • Don’t set migrated user’s GID to that of default users group.

  • Don’t delete system users that are added during installation.

  • Only apply validation rules when adding and updating.

  • subclass HTTP_Status from plugable.Plugin, fix not_found tests

  • Make hostnames adhere to new standards in HBAC tests

  • Fix WSGI error handling

  • Add status command to retrieve user lockout status

  • Add support for sudoOrder

  • Make hostnames adhere to new standards in hbactest plugin tests

  • Fix API.txt and VERSION to reflect new sudoOrder option.

  • Add --noac option to ipa-client-install man page

  • Do kinit in client before connecting to backend

  • Only warn if ipa-getkeytab doesn’t get all requested enctypes.

  • Fix NSS no_init in the NSSHTTPS class

  • Set minimum version of selinux-policy to pick up memcached fix

  • Fix nsslapd-anonlimitsdn dn in cn=config

  • Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.

  • Don’t set dbdir in the connection until after the connection is created.

  • Display serial number as HEX (DECIMAL) when showing certificates.

  • Add subject key identifier to the dogtag server cert profile.

  • Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf

  • Import the ipaserver plugins based on context, not env.in_server.

  • Don’t allow hosts and services of IPA masters to be disabled.

  • Use a consistent parameter name in errors, defaulting to cli_name.

  • No longer shell escape the DM password when calling pkisilent.

  • Fix test failure testing rename with an invalid hostname.

  • Fix attributes that contain DNs when migrating.

  • Normalize the primary key value to lowercase during migration.

  • Fix unit tests to work with new comma-support, validation requirements

  • Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue

  • Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.

  • Add requires on python-krbV to client subpackage

  • Fix failure count interval attribute name in query for password policy.

  • Handle updating replication agreements that lack nsDS5ReplicatedAttributeList

  • Don’t create private groups for migrated users, check for valid gidnumber

  • Add updated Output format for batch to API.txt

  • Make revocation_reason required when revoking a certificate.

  • Add missing comma to list of services that cannot be disabled.

  • Return consistent value when hostcat and usercat is all.

  • Dereference pointer when comparing password history in qsort compare.

  • Configure certmonger to execute restart scripts on renewal.

  • Remove the running state when uninstalling DS instances.

  • Return consistent expiration message for forms-based login

  • Use mixed-case for Read DNS Entries permission

  • Update docs for user-status, always show disabled, time for each server.

  • Revert “Search allowed attributes in superior objectclasses”

  • Revert “Validate attributes in permission-add”

  • Return LDAP_SUCCESS on mods on a referral entry.

  • Fix overlapping cn param/option issue, pass cn as aciname in find

  • Implement permission/aci find by subtree

  • Include more information when IP address is not local during installation.

  • Validate on the user-provided domain name in the installer.

  • During replication installation see if an agreement already exists.

  • Check for locked-out user before incrementing lastfail.

  • Retry retrieving ldap principals when setting up replication.

  • Normalize uid to lower case in winsync.

  • Enforce sizelimit in permission-find, post_callback returns truncated

  • If SELinux is enabled ensure we also have restorecon.

  • Store session cookie in ccache for cli users

  • Add flag to ipa-client-install to manage order of ipa_server in sssd

  • Increase LimitRequestFieldSize in Apache config to support a 64KiB PAC

  • Add logging to ipa-upgradeconfig

  • Configure automount using autofs or sssd.

  • Defer adding ipa-cifs-delegation-targets until the Updates phase.

  • Add missing option to range_add in API.txt

  • Fix compatibility with Fedora 18.

  • Become IPA v3 beta 1 (3.0.0.pre1)

Simo Sorce (104):

  • Set VERSION to 2.99.0 on the 3.0 development branch

  • Fix build warnings

  • ipa-pwd_extop: use endian.h instead of nih function

  • krbinstance: use helper function to get realm suffix

  • ipa-pwd-extop: Remove unused variables and code to set them

  • ipa-pwd-extop: do not append mkvno to krbExtraData

  • ipa-pwd-extop: Use the proper mkvno number in keys

  • ipa-pwd-extop: re-indent code using old style

  • ipa-pwd-extop: Use common krb5 structs from kdb.h

  • ipa-pwd-extop: Move encryption of keys in common

  • ipa-pwd-extop: Move encoding in common too

  • ipa-pwd-extop: make encsalt parsing function common

  • ipa-kdb: Initial plugin skeleton

  • ipa-kdb: add exports file

  • ipa-kdb: initialize module functions

  • ipa-kdb: implement get_time function

  • ipa-kdb: add common utility ldap wrapper functions

  • ipa-kdb: functions to get principal

  • ipa-kdb: add function to free principals

  • ipa-kdb: add functions to delete principals

  • ipa-kdb: add function to iterate over principals

  • ipa-kdb: add functions to change principals

  • ipa-kdb: Get/Store Master Key directly from LDAP

  • ipa-kdb: implement function to retrieve password policies

  • ipa-kdb: implement change_pwd function

  • util: add password policy manipulation functions

  • ipa-pwd-extop: Use common password policy code

  • ipa-kdb: add password policy support

  • ipa-pwd-extop: Allow kadmin to set krb keys

  • ipa-kdb: Change install to use the new ipa-kdb kdc backend

  • install: Remove uid=kdc user

  • ipa-kdb: Be flexible

  • install: Use proper case for boolean values

  • daemons: Remove ipa_kpasswd

  • schema: Split ipadns definitions from basev2 ones

  • v3-schema: Add new ipaExternalGroup objectclass

  • install: We do not need a ldap password anymore

  • install: We do not need a kpasswd keytab anymore

  • conncheck: Fix List of ports to check

  • ipa-kdb: Properly set password expiration time.

  • schema: Add new attributes and objectclasses for AD Trusts

  • conncheck: Additional check to verify the admin password is ok

  • ipa-pwd-extop: Fix segfault in password change.

  • ipa-pwd-extop: Enforce old password checks

  • ipa-kdb: Fix expiration time calculation

  • ipa-client-install: Fix joining when LDAP access is restricted

  • replica-prepare: anonymous binds may be disallowed

  • ipa-kdb: Fix legacy password hashes generation

  • updates: Change default limits on ldap searches

  • ipa-kdb: Fix memory leak

  • Modify random salt creation for interoperability

  • Amend #2038 fix

  • Fix CID 10742: Unchecked return value

  • Fix CID 10743: Unchecked return value

  • Fix CID 10745: Unchecked return value

  • Fix CID 11019: Resource leak

  • Fix CID 11020: Resource leak

  • Fix CID 11021: Resource leak

  • Fix CID 11022: Resource leak

  • Fix CID 11023: Resource leak

  • Fix CID 11024: Resource leak

  • Fix CID 11025: Resource leak

  • Fix CID 11026: Resource leak

  • Fix CID 11027: Wrong sizeof argument

  • Add support for generating PAC for AS requests for user principals

  • MS-PAC: Add support for verifying PAC in TGS requests

  • Add missing copyright header

  • Add NT domain GUID attribute.

  • Create skeleton CLDAP server as a DS plugin

  • ipa-cldap: Implement worker thread.

  • ipa-cldap: Decode CLDAP request.

  • ipa-cldap: Create netlogon blob

  • ipa-cldap: send cldap reply

  • ipa-kdb: Support re-signing PAC with different checksum

  • spec: We do not need krb5-server-ldap anymore

  • ipa-kdb: fix free() of uninitialized var

  • ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles

  • ipa-kdb: fix memleaks in ipa_kdb_mspac.c

  • ipa-kdb: Fix copy and paste typo

  • ipa-kdb: Delegation ACL schema

  • ipa-kdb: enhance deref searches

  • ipa-kdb: Add delegation access control support

  • ipa-kdb: return properly when no PAC is available

  • ipa-cldap: Support clients asking for default domain

  • ipa-kdb: Verify the correct checksum in PAC validation

  • ipa-kdb: Create PAC’s KDC checksum with right key

  • Fix replication setup

  • slapi-plugins: use thread-safe ldap library

  • ipa-kdb: add AS auditing support

  • ipa-kdb: Avoid lookup on modify if possible

  • ipa-kdb: set krblastpwdchange only when keys have been effectively changed

  • Remove compat defines

  • Require krb5 1.10

  • ipa-kdb: Fix ACL evaluator

  • policy: add function to check lockout policy

  • ipa-kdb: fix delegation acl check

  • Fix ticket checks when using either s4u2proxy or a delegated krbtgt

  • Fix memleak and silence Coverity defects

  • Fix MS-PAC checks when using s4u2proxy

  • Fix theoretical leak discovered by coverity

  • Fix migration code password setting.

  • Fix setting domain_sid

  • ipa-kdb: Add MS-PAC on constrained delegation.

  • Add support for disabling KDC writes

Sumit Bose (32):

  • Call standard_logging_setup() before any logging is done

  • Add ipa-adtrust-install utility

  • Fix ACIs in ipa-adtrust-install

  • Update samba LDAP schema

  • Fix typo in v3 base schema

  • Add admin SIDs

  • ipa-pwd-extop: allow password change on all connections with SSF>1

  • Add DNS service records for Windows

  • Add DNS service records for Windows

  • Move our own domain info into cn=etc

  • Add trust objectclass and attributes to v3 schema

  • Use new objectclasses and attributes for trust

  • Fix some pylint warnings

  • Add ipasam samba passdb backend

  • activate CLDAP

  • Make pwd-extop aware of new ipaNTHash attribute

  • Add a second module init call for newer samba versions

  • Use exop instead of kadmin.local

  • ipasam: remove unused struct elements

  • Move some krb5 keys related functions from ipa-client to util

  • Add sidgen postop and task

  • Filter groups in the PAC

  • Add configure check for C Unit-Test framework check

  • Add external domain extop DS plugin

  • Use lower case names in LDAP to meet freeIPA convention

  • Extend LDAP schema

  • Add objects for initial ID range

  • Set RID bases for local domain during ipa-adtrust-install

  • Add CLI for ID ranges

  • Add range check preop plugin

  • Use DN objects instead of strings in adtrustinstance

  • Set samba_portmapper SELinux boolean during ipa-adtrust-install

Yuri Chornoivan (1):

  • Fix typos

Version 2.2.2 (02/13/2013)

Alexander Bokovoy (1):

  • Update plugin to upload CA certificate to LDAP

Jan Cholasta (1):

  • Pylint cleanup

John Dennis (1):

  • Use secure method to acquire IPA CA certificate

Martin Kosek (3):

  • Run index task for new indexes

  • Filter suffix in replication management tools

  • Become IPA 2.2.2

Rob Crittenden (1):

  • Do SSL CA verification and hostname validation.

Simo Sorce (1):

  • Upload CA cert in the directory on install

Version 2.2.1 (10/23/2012)

Endi Sukma Dewata (1):

  • Fixed boot.ldif permission.

Jan Cholasta (1):

  • SSH configuration fixes.

Martin Kosek (1):

  • Become IPA 2.2.1

Petr Viktorin (2):

  • replica-install: Don’t copy Firefox config extension files if they’re not in the replica file

  • Create Firefox extension on upgrade and replica-install

Petr Vobornik (8):

  • Host page fixed to work with disabled DNS support

  • Fix jquery error when using ‘??’ in a pkey

  • Kerberos authentication extension

  • Kerberos authentication extension makefiles

  • Build and installation of Kerberos authentication extension

  • Configuration pages changed to use new FF extension

  • Add mime type to httpd ipa.conf for xpi extension

  • RPM spec fix for ffconfig.js and ffconfig_page.js

Rob Crittenden (2):

  • Check for locked-out user before incrementing lastfail.

  • Index the fqdn attribute.

Simo Sorce (2):

  • Fix migration code password setting.

  • Add support for disabling KDC writes

Version 2.2.0 (05/03/2012)

Alexander Bokovoy (1):

  • When changing multiple booleans with setsebool, pass each of them separately.

Jan Cholasta (9):

  • Wait for child process to terminate after receiving SIGINT in ipautil.run.

  • Parse zone indices in IPv6 addresses in CheckedIPAddress.

  • Fix uses of O=REALM instead of the configured certificate subject base.

  • Fix the procedure for getting default values of command parameters.

  • Change parameters to use only default_from for dynamic default values.

  • Check whether the default user group is POSIX when adding new user with --noprivate.

  • Check configured maximum user login length on user rename.

  • Fix internal error when renaming user with an empty string.

  • Set the “KerberosAuthentication” option in sshd_config to “no” instead of “yes”.

John Dennis (7):

  • Replace broken i18n shell test with Python test

  • improve handling of ds instances during uninstall

  • Use indexed format specifiers in i18n strings

  • text unit test should validate using installed mo file

  • Validate DN & RDN parameters for migrate command

  • don’t append basedn to container if it is included

  • Fix name error in hbactest

Lars Sjostrom (1):

  • Add discovery domain if client domain is different from server domain

Martin Kosek (29):

  • Ignore case in yes/no prompts

  • Refresh resolvers after DNS install

  • Fix migration plugin compat check

  • Fix ipa-replica-manage TLS connection error

  • Treat UPGs correctly in winsync replication

  • Allow port numbers for idnsForwarders

  • Add missing global options in dnsconfig

  • Fix precallback validators in DNS plugin

  • Harden raw record processing in DNS plugin

  • Fix LDAP effective rights control with python-ldap 2.4.x

  • Avoid deleting DNS zone when a context is reused

  • Fix default SOA serial format

  • Amend permissions for new DNS attributes

  • Improve user awareness about dnsconfig

  • Fix dnsrecord-del interactive mode

  • Tolerate UDP port failures in conncheck

  • Improve automount indirect map error message

  • Forbid public access to DNS tree

  • Configure SELinux for httpd during upgrades

  • Fix installation when server hostname is not in a default domain

  • Return correct record name in DNS plugin

  • Fix dnsrecord_add interactive mode

  • Fix DNS and permissions unit tests

  • Raise proper exception when LDAP limits are exceeded

  • Do not fail migration because of duplicate groups

  • Fix help of --hostname option in ipa-client-install

  • Sort password policies properly with --pkey-only

  • Improve error message in zonemgr validator

  • Make ipa 2.2 client capable of joining an older server

Ondrej Hamada (7):

  • More exception handlers in ipa-client-install

  • Search allowed attributes in superior objectclasses

  • Typos in FreeIPA messages

  • Netgroup nisdomain and hosts validation

  • Confusing default user groups

  • Unable to rename permission object

  • Fix empty external member processing

Petr Viktorin (22):

  • Allow removing sudo commands with special characters from command groups

  • Enforce that required attributes can’t be set to None in CRUD Update

  • Mark most config options as required

  • Don’t crash when searching with empty relationship options

  • Remove ipausers’ gidnumber from tests

  • Use nose tools to check for exceptions

  • Only split CSV in the client, quote instead of escaping

  • Add missing BuildRequires

  • Use valid argument names in tests

  • Add CLI parsing tests

  • Allow multi-line CSV parameters

  • Move test skipping to class setup

  • Fix little test errors

  • Test the batch plugin

  • Defer conversion and validation until after --{add,del,set}attr are handled

  • Limit permission and selfservice names to alphanumerics, -, _, space

  • Convert --setattr values for attributes marked no_update

  • Fix expected error messages in tests

  • Remove pattern_errmsg from API.txt

  • Pass make-test arguments through to Nose

  • Document the ‘nonempty’ flag

  • Additional tests for pwpolicy

Petr Vobornik (22):

  • Fixed mask validation in network_validator

  • Fixed checkbox value in table without pkey

  • Certificate serial number in hex format - ui testing data

  • Fixed evaluating checkbox dirty status

  • Better hbactest validation message

  • Content is no more overwritten by error message

  • Show_content on refresh success

  • Fixed rpm build warning - extension.js listed twice

  • Add support of new options in dnsconfig

  • DNS forwarder validator

  • Added mac address to host page

  • Facet expiration flag

  • Inter-facet expiration

  • Reworked netgroup Web UI to allow setting user/host category

  • Fixed: permission attrs table didn’t update its available options on load

  • Added attrs field to permission for target=subtree

  • DNS forward policy: checkboxes changed to radio buttons

  • Removed mutex option from checkboxes

  • Removal of memberofindirect_permissons from privileges

  • User is notified that password needs to be reset in forms-based login

  • Added permission field to delegation

  • Paging disable for password policies

Rob Crittenden (34):

  • Fix NSS no_init in the NSSHTTPS class

  • Set minimum version of selinux-policy to pick up memcached fix

  • Fix nsslapd-anonlimitsdn dn in cn=config

  • Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.

  • Don’t set dbdir in the connection until after the connection is created.

  • Display serial number as HEX (DECIMAL) when showing certificates.

  • Add subject key identifier to the dogtag server cert profile.

  • Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf

  • Import the ipaserver plugins based on context, not env.in_server.

  • Don’t allow hosts and services of IPA masters to be disabled.

  • Use a consistent parameter name in errors, defaulting to cli_name.

  • No longer shell escape the DM password when calling pkisilent.

  • Fix test failure testing rename with an invalid hostname.

  • Fix attributes that contain DNs when migrating.

  • Normalize the primary key value to lowercase during migration.

  • Fix unit tests to work with new comma-support, validation requirements

  • Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue

  • Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.

  • Add requires on python-krbV to client subpackage

  • Fix failure count interval attribute name in query for password policy.

  • Handle updating replication agreements that lack nsDS5ReplicatedAttributeList

  • Don’t create private groups for migrated users, check for valid gidnumber

  • Add updated Output format for batch to API.txt

  • Make revocation_reason required when revoking a certificate.

  • Add missing comma to list of services that cannot be disabled.

  • Return consistent value when hostcat and usercat is all.

  • Dereference pointer when comparing password history in qsort compare.

  • Configure certmonger to execute restart scripts on renewal.

  • Remove the running state when uninstalling DS instances.

  • Return consistent expiration message for forms-based login

  • Use mixed-case for Read DNS Entries permission

  • Update docs for user-status, always show disabled, time for each server.

Simo Sorce (1):

  • Fix memleak and silence Coverity defects

Version 2.1.90 Beta 1 (03/05/2012)

Jan Cholasta (1):

  • Configure SSH features of SSSD in ipa-client-install.

John Dennis (8):

  • update translation pot file and PY_EXPLICIT_FILES list

  • update po files

  • created Transifex resource, adjust tx config file to point to it.

  • Tweak the session auth to reflect developer consensus.

  • Implement session activity timeout

  • Implement password based session login

  • Log a message when returning non-success HTTP result

Martin Kosek (21):

  • Ease zonemgr restrictions

  • Update schema for bind-dyndb-ldap

  • Global DNS options

  • Query and transfer ACLs for DNS zones

  • Add DNS conditional forwarding

  • Add API for PTR sync control

  • Add gidnumber minvalue

  • Add reverse DNS record when forward is created

  • Sanitize UDP checks in conncheck

  • Add client hostname requirements to man page

  • Add SSHFP update policy for existing zones

  • Improve dns error message

  • Improve dnsrecord-add interactive mode

  • Improve hostname and domain name validation

  • Improve FQDN handling in DNS and host plugins

  • Improve hostname verification in install tools

  • Fix typos in ipa-replica-manage man page

  • Remove memberPrincipal for deleted replicas

  • Fix encoding for setattr/addattr/delattr

  • Add help for new structured DNS framework

  • Improve dnsrecord interactive help

Ondrej Hamada (3):

  • Validate attributes in permission-add

  • Migration warning when compat enabled

  • ipa-client-install not calling authconfig

Petr Viktorin (6):

  • Make ipausers a non-posix group on new installs

  • Add extra checking function to XMLRPC test framework

  • Add common helper for interactive prompts

  • Make sure the nolog argument to ipautil.run is not a bare string

  • Use stricter semantics when checking IP address for DNS records

  • Use stricter semantics when checking IP address for DNS records

  • Use reboot from /sbin

Petr Voborník (18):

  • Fixed content type check in login_password

  • Improved usability of login dialog

  • Removed CSV creation from UI

  • Fixed problem when attributes_widget was displaying empty option

  • Added missing configuration options

  • Static metadata update - new DNS options

  • New checkboxes option: Mutual exclusive

  • DNS Zone UI: added new attributes

  • DNS UI: added A,AAAA create reverse options to adder dialog

  • Fixed displaying of A6 Record

  • New UI for DNS global configuration

  • Multiple fields for one attribute

  • Added attrs to permission when target is group or filter

  • Moved is_empty method from field to IPA object

  • Making validators to return true result if empty

  • Fixed DNS record add handling of 4304 error

  • Added unsupported_validator

  • Fixed redirection in Add and edit in automember hostgroup.

  • Fixed selection of single value in combobox

  • Added logout button

  • Forms based authentication UI

Rob Crittenden (37):

  • Limit the change password permission so it can’t change admin passwords

  • Don’t allow “Modify Group membership” permission to manage admins

  • Add the -v option to sslget to provide more verbose errors

  • Make sure memberof is in replication attribute exclusion list.

  • Don’t check for schema uniqueness when comparing in ldapupdate.

  • Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag

  • Don’t allow IPA master hosts or important services be deleted.

  • Catch public exceptions when creating the LDAP context in WSGI.

  • Don’t consider virtual attributes when validating custom objectclasses

  • Add Requires to ipa-client on oddjob-mkhomedir

  • Fix managing winsync replication agreements with ipa-replica-manage

  • Check for duplicate winsync agreement before trying to set one up.

  • Remove unused kpasswd.keytab and ldappwd files if they exist.

  • Make sure 389-ds is running when adding memcache service in upgrade.

  • Don’t run restorecon if SELinux is disabled or not present.

  • Limit allowed characters in a netgroup name to alpha, digit, -, _ and .

  • Don’t call memberof task when re-initializing a replica.

  • Fix bad merge of not calling memberof task when re-initializing a replica

  • Add support defaultNamingContext and add --basedn to migrate-ds

  • Fix nested netgroups in NIS.

  • Warn that deleting replica is irreversible, try to detect reconnection.

  • Don’t set migrated user’s GID to that of default users group.

  • Don’t delete system users that are added during installation.

  • Only apply validation rules when adding and updating.

  • subclass HTTP_Status from plugable.Plugin, fix not_found tests

  • Make hostnames adhere to new standards in HBAC tests

  • Fix WSGI error handling

  • Add status command to retrieve user lockout status

  • Add support for sudoOrder

  • Make hostnames adhere to new standards in hbactest plugin tests

  • Fix API.txt and VERSION to reflect new sudoOrder option.

  • Add --noac option to ipa-client-install man page

  • Do kinit in client before connecting to backend

  • Only warn if ipa-getkeytab doesn’t get all requested enctypes.

  • Fix NSS no_init in the NSSHTTPS class

Simo Sorce (4):

  • ipa-kdb: Fix ACL evaluator

  • policy: add function to check lockout policy

  • ipa-kdb: fix delegation acl check

  • Fix ticket checks when using either s4u2proxy or a delegated krbtgt

Version 2.1.90 Alpha 2 (02/17/2012)

Adam Young (4):

  • remove enrolled column

  • Add priority to pwpolicy list

  • Remove delegation from browser config

  • ignore generated services file.

Alexander Bokovoy (14):

  • Re-enable web password migration on Fedora 16 after SE Linux policy restrictions

  • Check for Python.h during build of py_default_encoding extension

  • Add configure check for libintl.h

  • Create directories for client install

  • Add “Extending FreeIPA” developer guide

  • Small fix to the guide CSS: enable vertical scroll bar

  • Rename included snippets to avoid problems with pylint

  • Fix dependency for samba4-devel package

  • Check through all LDAP servers in the domain during IPA discovery

  • Validate sudo RunAsUser/RunAsGroup arguments

  • Allow hbactest to work with HBAC rules exceeding default IPA limits

  • Add management of inifiles to allow manipulation of systemd units

  • Handle upgrade issues with systemd in Fedora 16 and above

  • Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore

Endi S. Dewata (60):

  • Updated DNS zone details page.

  • Replaced description text fields with text areas.

  • Use editable combobox for service type.

  • Added confirmation when adding multiple entries.

  • Added selectable labels for radio buttons.

  • Fixed dependency problem in UI test.

  • Fixed inconsistent required/optional attributes.

  • Fixed host Enrolled column.

  • Fixed problem clearing validation error on checkboxes.

  • Fixed “enroll” labels.

  • Merged widget’s metadata and param_info.

  • Refactored validation code.

  • Fixed inconsistent image names.

  • Fixed inconsistent details facet validation.

  • Added password field in user adder dialog.

  • Fixed blank krbtpolicy and config pages.

  • Moved facet code into facet.js.

  • Added extensible UI framework.

  • Fixed problem changing page in association facet.

  • Updated sample data.

  • Added paging on search facet.

  • Refactored permission target section.

  • Removed develop.js.

  • Added commands into metadata.

  • Removed HBAC rule type.

  • Removed HBAC deny rule warning.

  • Refactored entity object resolution.

  • Fixed ipa.js for sessions.

  • Fixed entity definition in test cases.

  • Added support for radio buttons in table widget.

  • Fixed entity metadata resolution.

  • Refactored facet.load().

  • Added HBAC Test page.

  • Fixed navigation buttons for HBAC Test.

  • Fixed search filter in HBAC Test.

  • Added external fields for HBAC Test.

  • Fixed CSS for HBAC Test

  • Fixed I18n labels for HBAC Test

  • Fixed matched/unmatched checkboxes in HBAC Test

  • Added HBAC Test input validation.

  • Fixed problem loading DNS records.

  • Fixed unmatched checkbox name.

  • Fixed combobox icon position.

  • Fixed combobox search icon position.

  • Reload UI when the user changes.

  • Reload UI on server upgrade.

  • Added account status into user search facet.

  • Added policies into user details page.

  • Load user data and policies in a single batch.

  • Added instructions to generate CSR.

  • Fixed problem removing automount keys and DNS records.

  • Enabled paging on self-service permissions and delegations.

  • Enabled paging on automount keys.

  • Show disabled entries in gray.

  • Fixed inconsistent status labels.

  • Fixed host managed-by adder dialog.

  • Added icons for status column.

  • Hide Add/Delete buttons in self-service mode.

  • Use fixed font when displaying certificate.

  • Show password expiration date.

JR Aquino (1):

  • Replication: Adjust replica installation to omit processing memberof computations

Jan Cholasta (15):

  • Finalize plugin initialization on demand.

  • Don’t leak passwords through kdb5_ldap_util command line arguments.

  • Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the “csv” option to True.

  • Fix make-lint crash under certain circumstances.

  • Fix attempted write to attribute of read-only object.

  • Add LDAP schema for SSH public keys.

  • Add LDAP ACIs for SSH public key schema.

  • Add support for SSH public keys to user and host objects.

  • Add API initialization to ipa-client-install.

  • Move the nsupdate functionality to separate function in ipa-client-install.

  • Update host SSH public keys on the server during client install.

  • Configure ssh and sshd during ipa-client-install.

  • Base64-decode unicode values in Bytes parameters.

  • Add SSH service to platform-specific services.

  • Move the compat module from ipalib to ipapython.

John Dennis (10):

  • If “make rpms” fails so will the next make

  • Remove old RPMROOT contents before it is used for rpmbuild

  • update i18n pot file for branch ipa-2-1

  • Add log manager module

  • modify codebase to utilize IPALogManager, obsoletes logging

  • IPAdmin undefined anonymous parameter lists

  • subclass SimpleLDAPObject

  • Restore default log level in server to INFO

  • Add ipa_memcached service

  • add session manager and cache krb auth

Marko Myllynen (1):

  • include <stdint.h> for uintptr_t

Martin Kosek (52):

  • Add connection failure recovery to IPAdmin

  • Make sure that install tools log

  • Add --zonemgr/--admin-mail validator

  • Create pkey-only option for find commands

  • Allow custom server backend encoding

  • Fix DNS zone --allow-dynupdate option behavior

  • Improve DNS record data validation

  • Polish ipa config help

  • Hosts file not updated when IP is passed as option

  • Fix API.txt

  • Fix LDAP object parameter encoding

  • Remove redundant information from API.txt

  • Fix coverity issues in client CLI tools

  • Make ipa-server-install clean after itself

  • Add --delattr option to complement --setattr/--addattr

  • Improve zonemgr validator and normalizer

  • Change default DNS zone manager to hostmaster

  • Fix config migration option

  • Ask for user confirmation in ipa-server-install

  • Add DNS check to conncheck port probe

  • Refactor dnsrecord processing

  • Fix Parameter csv parsing

  • Improve CLI output for complex commands

  • Create per-type DNS API

  • Fix maxvalue in DNS plugin

  • Fix LDAP add calls in replication module

  • Prevent service restart failures in ipa-replica-install

  • Fix LDAP updates in ipa-replica-install

  • Let replicas install without DNS

  • Restore ACI when aci_mod fails

  • Add missing --pkey-only option for selfservice and delegation

  • Replace float with Decimal

  • Improve host-add error message

  • Fix ipa-server-install for dual NICs

  • Fix selfservice-find crashes

  • Mark optional DNS record parts

  • Fix ldap2 combine_filters for ldap2.MATCH_NONE

  • Add missing managing hosts filtering options

  • Improve netgroup-add error messages

  • Fix TXT record parsing

  • Fix NSEC record conversion

  • Add SRV record target validator

  • Add data field for A6 record

  • Improve dnszone-add error message

  • Improve migration help

  • Fix raw format for ACI commands

  • Improve password change error message

  • Remove debug messages

  • Add argument help to CLI

  • Return proper DN in netgroup-add

  • Remove unused options from ipa-managed-entries

  • Add Petr Viktorín to Contributors.txt

Ondrej Hamada (9):

  • Misleading Keytab field

  • Sort password policy by priority

  • Client install checks for nss_ldap

  • User-add random password support

  • HBAC test optional sourcehost option

  • localhost.localdomain clients refused to join

  • Leave nsds5replicaupdateschedule parameter unset

  • Fix ‘no-reverse’ option description

  • Memberof attribute control and update

Petr Viktorin (5):

  • Switch --group and --membergroup in example for delegation

  • Fix/add options in ipa-managed-entries man page

  • Honor default home directory and login shell in user_add

  • Clean up i18n strings

  • Internationalization for HBAC and ipalib.output

Petr Voborník (55):

  • Circular entity dependency

  • Fixed: Duplicate CSS definitions

  • Fixing infinite loop in UI navigation unit test.

  • Minor visual enhancement of required indicator

  • Page is cleared before it is visible

  • Field for DNS SOA class changed to combobox with options

  • Extending facet’s mechanism of gathering changes

  • Added cross browser support of Array.indexOf method

  • Splitting widget into widget and field

  • Splitting basic widgets into visual widgets and fields

  • Improved fields dirty status detection logic

  • Builders and collections for fields and widgets

  • Removing sections as special type of object

  • Added possibility to define facet/dialog specific policies

  • Modifying users to work with new concept

  • Modifying hosts to work with new concept

  • Modifying dns to work with new concept

  • Modifying services to work with new concept

  • Separation of writable update from field load method

  • Modifying ACI to work with new concept

  • Modifying groups to work with new concept

  • Code cleanup of HBAC, Sudo rules

  • Changing definition of basic fields in section from factory to type

  • Modifying automount to work with new concept

  • Fixed unit tests after widget refactoring

  • Removed usage of bitwise assignment operators in logical operations

  • Search facets show translated boolean values

  • Better displaying of long names in tables and facet headers

  • Additional better displaying of long names

  • Reordered facets in ACI

  • Association facets are read only in self service

  • Added facet tabs coloring

  • Fixed displaying of external records in rule association widgets

  • Distinguishing of external values in association tables

  • Better table column width computing

  • Fixed labels in Sudo, HBAC rules

  • Parsing of IPv4 and IPv6 addresses

  • Added support of custom field validators

  • Added validation logic to multivalued text field

  • Added client-side validation of A and AAAA DNS records

  • Fixed IPv6 validation special case: single colon

  • Added support for memberof attribute in permission

  • Added IP address validator to Host and DNS record adder dialog

  • Fixed entity link disabling

  • UI for SELinux user mapping

  • Added refresh button for UI

  • Modifying DNS UI to benefit from new DNS API

  • Added paging to DNS record search facet

  • Navigation and redirection to various facets

  • Automember UI

  • Automember UI - default groups

  • Automember UI - Fixed I18n labels

  • Removed question marks from field labels

  • UI support for ssh keys

  • Redirection to PTR records from A,AAAA records

Rob Crittenden (54):

  • Use absolute paths when trying to find certmonger request id.

  • Reorder privileges so that memberof for permissions are generated properly.

  • Fix some pylint issues found in F-16

  • Fix two typos in role help.

  • Move ONLY_CLIENT in spec so services.py always gets generated in %install

  • Remove calls to has_managed_entries()

  • Fix copy/paste error in parameter description.

  • Add Ondrej Hamada to Contributors.txt

  • Don’t check for 389-instances.

  • Clarify usage of --posix argument in group plugin.

  • Add plugin framework to LDAP updates.

  • Fix some issues introduced when rebasing update patch

  • Mark some attributes required to match the schema.

  • Add SELinux user mapping framework.

  • Display the value of memberOf ACIs in permission plugin.

  • Set minimum version of 389-ds to 1.2.10-0.5.a5

  • Fix typos in 60basev3.ldif

  • Remove include for errno.h that was specific to 2.1 branch

  • Remove ipa_get_random_salt() from ipapwd_encoding.c

  • update i18n pot file for branch ipa-2-2

  • Remove buffer log handling.

  • Configure s4u2proxy during installation.

  • Document the ping plugin.

  • Catch exception when trying to list missing managed entries definitions

  • Fix some typos in automember help and parameters.

  • Add labels so HBAC and Sudo rules show under hosts/hostgroups.

  • Use correct template variable for hosts, FQDN.

  • In sudo when the category is all do not allow members, and vice versa.

  • Update and package ipa-upgradeconfig man page.

  • Fix deletion of HBAC Rules when there are SELinux user maps defined

  • Add support for storing MAC address in host entries.

  • Don’t try to bind on TLS failure

  • Check for the existence of a replication agreement before deleting it.

  • %ghost the UI files that we install/create on the fly

  • Make submount automount maps work.

  • Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.

  • Consolidate external member code into two functions in baseldap.py

  • Make ipaconfigstring modifiable by users.

  • Don’t use sets when calculating the modlist so order is preserved.

  • Add update files for SELinuxUserMap

  • Add update file for new schema in v2.2/3.0

  • Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf

  • Don’t set delegation flag in client, we’re using S4U2Proxy now

  • Update S4U2proxy delegation list when creating replicas

  • Correct update syntax in 30-s4u2proxy.update

  • Remove Apache ccache on upgrade.

  • Add S4U2Proxy delegation permissions on upgrades

  • Disable false pylint error in freeipa-systemd-upgrade

  • Enable ipa_memcached when upgrading

  • Configure ipa_memcached when a replica is installed.

  • Use FQDN in place of FQHN for consistency in sub_dict.

  • Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.

Simo Sorce (77):

  • Fix build warnings

  • ipa-pwd_extop: use endian.h instead of nih function

  • krbinstance: use helper function to get realm suffix

  • ipa-pwd-extop: Remove unused variables and code to set them

  • ipa-pwd-extop: do not append mkvno to krbExtraData

  • ipa-pwd-extop: Use the proper mkvno number in keys

  • ipa-pwd-extop: re-indent code using old style

  • ipa-pwd-extop: Use common krb5 structs from kdb.h

  • ipa-pwd-extop: Move encryption of keys in common

  • ipa-pwd-extop: Move encoding in common too

  • ipa-pwd-extop: make encsalt parsing function common

  • ipa-kdb: Initial plugin skeleton

  • ipa-kdb: add exports file

  • ipa-kdb: initialize module functions

  • ipa-kdb: implement get_time function

  • ipa-kdb: add common utility ldap wrapper functions

  • ipa-kdb: functions to get principal

  • ipa-kdb: add function to free principals

  • ipa-kdb: add functions to delete principals

  • ipa-kdb: add function to iterate over principals

  • ipa-kdb: add functions to change principals

  • ipa-kdb: Get/Store Master Key directly from LDAP

  • ipa-kdb: implement function to retrieve password policies

  • ipa-kdb: implement change_pwd function

  • util: add password policy manipulation functions

  • ipa-pwd-extop: Use common password policy code

  • ipa-kdb: add password policy support

  • ipa-pwd-extop: Allow kadmin to set krb keys

  • ipa-kdb: Change install to use the new ipa-kdb kdc backend

  • install: Remove uid=kdc user

  • ipa-kdb: Be flexible

  • install: Use proper case for boolean values

  • daemons: Remove ipa_kpasswd

  • schema: Split ipadns definitions from basev2 ones

  • v3-schema: Add new ipaExternalGroup objectclass

  • install: We do not need a ldap password anymore

  • install: We do not need a kpasswd keytab anymore

  • ipa-kdb: Properly set password expiration time.

  • conncheck: Additional check to verify the admin password is ok

  • ipa-kdb: Fix expiration time calculation

  • ipa-kdb: Fix legacy password hashes generation

  • ipa-kdb: Fix memory leak

  • Fix CID 10742: Unchecked return value

  • Fix CID 10743: Unchecked return value

  • Fix CID 10745: Unchecked return value

  • Fix CID 11019: Resource leak

  • Fix CID 11020: Resource leak

  • Fix CID 11021: Resource leak

  • Fix CID 11022: Resource leak

  • Fix CID 11023: Resource leak

  • Fix CID 11024: Resource leak

  • Fix CID 11025: Resource leak

  • Fix CID 11026: Resource leak

  • Fix CID 11027: Wrong sizeof argument

  • Add support for generating PAC for AS requests for user principals

  • MS-PAC: Add support for verifying PAC in TGS requests

  • Modify random salt creation for interoperability

  • Amend #2038 fix

  • Add missing copyright header

  • ipa-kdb: Support re-signing PAC with different checksum

  • spec: We do not need krb5-server-ldap anymore

  • ipa-kdb: fix free() of uninitialized var

  • ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles

  • ipa-kdb: fix memleaks in ipa_kdb_mspac.c

  • ipa-kdb: Fix copy and paste typo

  • ipa-kdb: enhance deref searches

  • ipa-kdb: Add delegation access control support

  • ipa-kdb: return properly when no PAC is available

  • ipa-kdb: Verify the correct checksum in PAC validation

  • ipa-kdb: Create PAC’s KDC checksum with right key

  • Disable MS-PAC handling in 2.2

  • Fix replication setup

  • slapi-plugins: use thread-safe ldap library

  • ipa-kdb: add AS auditing support

  • ipa-kdb: Avoid lookup on modify if possible

  • ipa-kdb: set krblastpwdchange only when keys have been effectively changed

Version 2.1.90 Alpha 1 (02/07/2012)

This was an unannounced release that formed the basis of the first Fedora 17 package. It was not well-tested, particularly for upgrades, which is why it wasn’t announced at the time. It was released to meet Fedora 17 package deadlines.

The changelog is included in the public alpha 2 entry.

Version 2.1.4 (12/06/2011)

Alexander Bokovoy (4):

  • hbactest fails while you have svcgroup in hbacrule

  • Add support for systemd environments and use it to support Fedora 16

  • Spin for connection success also when socket is not (yet) available

  • Quote multiple workers option

Endi S. Dewata (1):

  • Added current password field.

Evgeny Sinelnikov (1):

  • ipa_kpasswd: Update selinux policies for ldap and urandom

John Dennis (1):

  • Unable to Download Certificate with Browser

Martin Kosek (8):

  • Fix client krb5 domain mapping and DNS

  • Fix ipa-managed-entries password option long form

  • Fix ipa-server-install answer cache

  • Fix ipa-replica-conncheck port labels

  • Fix ipa-managed-entries bind procedure

  • Let PublicError accept Gettext objects

  • Enable automember for upgraded servers

  • Make ipa-server-install clean after itself

Ondrej Hamada (1):

  • Client install root privileges check

Rob Crittenden (4):

  • Fix problems in help system

  • Fix nis netgroup config entry so users appear in netgroup triple.

  • Don’t allow default objectclass list to be empty.

  • Require an HTTP Referer header in the server. Send one in ipa tools. (CVE-2011-3636)

Simo Sorce (1):

  • Modify random salt creation for interoperability

Version 2.1.3 (10/19/2011)

Adam Young (1):

  • Fix dynamic display of UI tabs based on rights

Alexander Bokovoy (8):

  • Increase number of ‘getent passwd attempts’ to 10

  • Force kerberos realm to be a string

  • Include indirect membership and canonicalize hosts during HBAC rules testing

  • Refactor backup_and_replace_hostname() into a flexible config modification tool

  • Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool

  • Refactor authconfig use in ipa-client-install

  • Document --preserve-sssd option of ipa-client-install

  • Use set class instead of dictview class as set is wider supported

Jan Cholasta (3):

  • Disallow deletion of global password policy.

  • Don’t leak passwords through kdb5_ldap_util command line arguments.

  • Remove more redundant configuration values from krb5.conf.

John Dennis (1):

  • Fix Spanish po translation file

Martin Kosek (12):

  • Improve default user/group object class validation

  • Fix i18n in config plugin

  • Fix dnszone-add name_from_ip server validation

  • Improve handling of GIDs when migrating groups

  • ipa-client-install hangs if the discovered server is unresponsive

  • Optimize member/memberof searches in LDAP

  • Make IPv4 address parsing more strict

  • Check hostname resolution sanity

  • Hostname used by IPA must be a system hostname

  • Check /etc/hosts file in ipa-server-install

  • Fix ipa-client-install -U option alignment

  • Improve hostgroup/netgroup collision checks

Petr Vobornik (2):

  • Added missing fields to password policy page

  • Fixed: Unable to add external user for RunAs User for Sudo rules

Rob Crittenden (12):

  • Fix DNS permissions and membership in privileges

  • Fix upgrades of selfsign server

  • Make ipa-join work against an LDAP server that disallows anon binds

  • Fix has_upg() to work with relocated managed entries configuration.

  • Work around limits not being updatable in 389-ds.

  • Save the value of hostname even if it doesn’t appear in /etc/sysconfig/network

  • Add explicit instructions to ipa-replica-manage for winsync replication

  • Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324)

  • Handle an empty value in a name/value pair in config_replace_variables()

  • Update all LDAP configuration files that we can.

  • If our domain is already configured in sssd.conf start with a new config.

  • Fix typo in invalid PTR record error message

Simo Sorce (1):

  • updates: Change default limits on ldap searches

Version 2.1.2 (not publicly released, ~ 10/07/2011)

Adam Young (4):

  • split metadata call

  • Make mod_nss renegotiation configuration a public function

  • Execute pki proxy setup when server is upgraded if needed

  • Force the upgrade of pki-setup when upgrading the RPMS

Alexander Bokovoy (13):

  • Incorrect name in examples of ipa help hbactest

  • Unroll groups when testing HBAC rules

  • Introduce platform-specific adaptation for services used by FreeIPA.

  • Convert server install code to platform-independent access to system services

  • Convert client-side tools to platform-independent access to system services

  • Convert installation tools to platform-independent access to system services

  • Cleanup whitespace

  • When external host is specified in HBAC rule, allow its use in simulation

  • Unroll StrEnum values when displaying help

  • Configure pam_krb5 on the client only if sssd is not configured

  • Setup and restore ntp configuration on the client side properly

  • Fix ‘referenced before assignment’ warning

  • Before kinit, try to sync time with the NTP servers of the domain we are joining

Endi S. Dewata (24):

  • Fixed unit test for entity select widget.

  • Fixed layout problem in permission adder dialog.

  • Fixed sudo rule association dialogs.

  • Fixed missing optional field.

  • Fixed labels for run-as users and groups.

  • Fixed problem opening host adder dialog.

  • Removed entitlement menu.

  • Fixed posix group checkbox.

  • Fixed columns in HBAC/sudo rules list pages.

  • Fixed missing cancel button in unprovisioning dialog.

  • Fixed problem enabling/disabling DNS zone.

  • Fixed problem enrolling member with the same name.

  • Modified dialog to use sections.

  • Removed undo flags from dialog field specs.

  • Fixed problem on combobox with search limit.

  • Fixed problem displaying special characters.

  • Fixed add/delete arrows position.

  • Fixed duplicate entries in enrollment dialog.

  • Updated color scheme.

  • Fixed tab and dialog widths.

  • Disable enroll button if nothing selected.

  • Fixed missing default shell field.

  • I18n clean-up.

  • Disable sudo options Delete button if nothing selected.

JR Aquino (1):

  • 25 Create Tool for Enabling/Disabling Managed Entry Plugins

Jakub Hrozek (1):

  • Silence a compilation warning in ipa_kpasswd

Jan Cholasta (6):

  • Check that install hostname matches the server hostname.

  • Fix client install on IPv6 machines.

  • Fix ipa-replica-prepare always warning the user about not using the system hostname.

  • Validate name_from_ip parameter of dnszone.

  • Add a function for formatting network locations of the form host:port for use in URLs.

  • Work around pkisilent bugs.

JR Aquino (1):

  • Move Managed Entries into their own container in the replicated space.

Marko Myllynen (1):

  • Don’t remove /tmp when removing temp cert dir

Martin Kosek (21):

  • Improve man pages structure

  • Improve ipa-join man page

  • Fix permissions in installers

  • Fix configure.jar permissions

  • Set bind and bind-dyndb-ldap min nvr

  • Fix pylint false positive in hbactest module

  • ipactl does not stop dirsrv

  • dirsrv is not stopped correctly in the fallback

  • Remove checks for ds-replication plugin

  • Fix /usr/bin/ipa dupled server list

  • Revert “Always require SSL in the Kerberos authorization block.”

  • Fix error messages in hbacrule

  • Fix LDAPCreate search failure

  • Fix HBAC tests hostnames

  • ipa-client assumes a single namingcontext

  • migrate process cannot handle multivalued pkey attribute

  • Be more clear about selfsign option

  • Install tools crash when password prompt is interrupted

  • Improve ipa-replica-prepare DNS check

  • Prevent collisions of hostgroup and netgroup

  • Make sure ipa-client-install returns correct error code

Nalin Dahyabhai (2):

  • list users from nested groups, too

  • Update man pages to note that PKCS#12 files also contain private keys, and that the “pkinit” options refer to the KDC’s credentials

Petr Vobornik (10):

  • Fixed: JavaScript type error in entitlement page

  • Fixed inconsistency in enabling delete buttons

  • Code cleanup: widget creation

  • Fixed: Column header for attributes table should be full width

  • Fixed: Enrolment dialog offers to add entity to reflexive association.

  • Fixed: Some widgets do not have space for validation error message

  • Disables gid field if not posix group in group adder dialog

  • Fixed links to images in config and migration pages

  • Split Web UI initialization to several smaller calls #2

  • Split Web UI initialization to several smaller calls

Rob Crittenden (20):

  • Don’t allow a OTP to be set on an enrolled host

  • Remove normalizer that made role, privilege and permission names lower-case

  • Improved handling for ipa-pki-proxy.conf

  • The precedence on the modrdn plugin was set in the wrong location.

  • Update ipa-ldap-updater man page saying it is not an end-user utility

  • Skip the cert validator if the csr we are passed in is a valid filename

  • Change the Requires for the server and server-selinux for proper order

  • Suppress managed netgroups as indirect members of hosts.

  • The return value of restorecon is not reliable, ignore it.

  • Normalize uid in user principal to lower-case and do validation

  • Shut down duplicated file handle when HTTP response code is not 200.

  • Don’t log one-time password in logs when configuring client.

  • Always require SSL in the Kerberos authorization block.

  • Include failed service and service groups in hbac rule management

  • Add regular expression pattern to host names.

  • Detect CA installation type in ipa-replica-prepare and ipa-ca-install.

  • Require current password when using passwd to change your own password.

  • Migration: don’t assume there is only one naming context, add logging.

  • When calculating indirect membership don’t test nesting on users and hosts.

Simo Sorce (4):

  • ipa-pwd-extop: Fix segfault in password change.

  • ipa-pwd-extop: Enforce old password checks

  • ipa-client-install: Fix joining when LDAP access is restricted

  • replica-prepare: anonymous binds may be disallowed

Sumit Bose (2):

  • Call standard_logging_setup() before any logging is done

  • ipa-pwd-extop: allow password change on all connections with SSF>1

Yuri Chornoivan (1):

  • Fix typos

Version 2.1.1 (09/08/2011)

Adam Young (1):

  • enable proxy for dogtag

Alexander Bokovoy (1):

  • Propagate environment when it is required.

Endi S. Dewata (19):

  • Fixed browser configuration pages

  • Hide activation/deactivation link from regular users.

  • Fixed problem selecting value from combobox

  • Fixed inconsistent layout for password reset dialog.

  • Removed ‘Hide already enrolled’ checkbox.

  • Replaced page dirty dialog title.

  • Updated add and delete association dialog titles.

  • Removed unnecessary HBAC/sudo rule category modification.

  • Fixed command partial failure handling.

  • Fixed default map type in automount map adder dialog.

  • Fixed host OTP status.

  • Fixed host keytab status after setting OTP.

  • Fixed host adder dialog to show default DNS zone.

  • Fixed hard-coded UI messages.

  • Fixed problem adding hostgroup into netgroup.

  • Fixed problem with combobox.

  • Fixed hard-coded UI message in entity.js.

  • Fixed missing permission filter field.

  • Fixed problem with combobox using Sahi

Jan Cholasta (6):

  • Make sure messagebus is running prior to starting certmonger.

  • Verify that passwords specified through command line options of ipa-server-install meet the length requirement.

  • Add option to install without the automatic redirect to the Web UI.

  • Search for users in all the naming contexts present on the directory server.

  • Add subscription-manager dependency for RHEL.

  • Verify that the external CA certificate files are correct.

John Dennis (11):

  • DN objects should support the insert method

  • Test DN object non-latin Unicode support

  • convert unittests to use DN objects

  • invalid i18n string in dns.py

  • update LINGUAS file, add missing po files

  • Update all po files

  • compute accurate translation statistics

  • add documentation validation to makeapi tool

  • internationalize help topics

  • internationalize cli help framework

  • improve i18n docstring extraction

JR Aquino (2):

  • Improve sudorule documentation

  • Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):

  • Add missing attribute labels for sudorule

  • Fix automountkey-mod

  • Fix automountlocation-import conflicts

  • ipa-client-install breaks network configuration

  • Fix sudo help and summaries

  • Let Bind track data changes

Petr Vobornik (8):

  • error dialog for batch command

  • Uncheck checkboxes in association after deletion

  • Show error in adding associations

  • Validation of details facet before update

  • Modify serial associator to use batch

  • Modifying sudo options refreshes the whole page

  • Enable update and reset button only if dirty

  • Attributes table not scrollable

Rob Crittenden (24):

  • Add information on setting api.env.host in the ipactl.8 man page

  • Log each command in a batch separately.

  • Do batch logging on successful commands too, not just failures.

  • Fix wording in examples of delegation plugin.

  • Suppress 389-ds debug output when starting services

  • Fix thread deadlock by using pthreads library instead of NSPR.

  • Change the way has_keytab is determined, also check for password.

  • Add additional pam ftp services to HBAC, and a ftp HBAC service group

  • Add label for HBAC services to show as members

  • Add option to only prompt once for passwords, use in entitle_register

  • Retrieve password/keytab state when modifying a host.

  • Disable reverse lookups in ipa-join and ipa-getkeytab

  • Remove more 389-ds files/directories on uninstallation.

  • Remove 389-ds upgrade state during uninstall

  • Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505

  • Add common is_installed() fn, better uninstall logging, check for errors.

  • Add external source hosts to HBAC.

  • Roll back changes if client installation fails.

  • Add netgroup as possible memberOf for hostgroups

  • Sort lists so order is predictable and tests pass as expected.

  • Suppress managed netgroups from showing as memberof hostgroups.

  • Use the IPA server cert profile in the installer.

  • Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605

  • Become IPA 2.1.1

Simo Sorce (1):

  • conncheck: Fix List of ports to check

Version 2.1.0 (08/17/2011)

Adam Young (62):

  • Fixed labels for sudo and hbac rules

  • update metadata with label changes

  • define entities using builder and more declarative syntax

  • default all false no longer default to all: true for searches, only specify it for user searches

  • code review fixes

  • make use of new user-find columns.

  • fix JSL error

  • Upgrade to jquery 1.5.2

  • action panel to top tabs

  • remove jquery-cookie library

  • update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call

  • whitespace and -x removal

  • create entities on demand. fixed changes from code review

  • automount UI

  • redirect on show error.

  • redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.

  • automount delete key indirect automount maps

  • scrollable content areas

  • dialog scrolling table

  • JSON marshalling list

  • dns multiple records show multiple records that share the same dnsname

  • no redirect on search

  • test for dirty

  • test dirty textarea runs the testdirty check before setting the undo tag for a textarea

  • test dirty multivalue test the multivalue widgets for changes before showing the undo link.

  • test dirty onchange

  • entity select widget for manager

  • hide automount tabs.

  • service host entity select Use the entity select widget for add service

  • entity select undo

  • no redirect on unknown error If the error name indicates a server wide error, do not attempt to redirect.

  • editable entity_select

  • ipaddress for host add

  • entity select for password policy

  • tooltips for host add

  • automountkey details

  • identify target as section for permissions

  • optional uid

  • validate required fields

  • Generate record type list from metadata

  • shorten url cache state in a javascript variable, and leave on information about the current entity in the URL hash params

  • containing entity pkeys

  • undefined pkeys

  • config fields

  • ipadefaultemaildomain

  • config widgets entity select default group checkbox for migration

  • entity link for password policy

  • validate ints

  • password expiration label

  • HBAC deny warning

  • check required on add

  • clear errors on reset

  • indirect admins

  • entity_select naming

  • remove HBAC warning from static UI

  • dnsrecord-mod ui

  • no dns

  • remove hardcoded DNS label for record name.

  • move dns to identity tab

  • removing setters setup and init

  • dns section header i18n.

  • use other_entity for adder columns

Alexander Bokovoy (10):

  • Convert Bool to TRUE/FALSE when working with LDAP backend

  • Minor typos in the examples

  • Convert nsaccountlock to always work as bool towards Python code

  • Rearrange logging for NSCD daemon.

  • Fix sssd.conf to always have IPA certificate for the domain.

  • Add hbactest command.

  • Modify /etc/sysconfig/network on a client when IPA manages hostname

  • Make proper LDAP configuration reporting for ipa-client-install

  • Ensure network configuration file has proper permissions

  • Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):

  • Fixed undefined label in permission adder dialog box.

  • Initial Selenium test cases.

  • Added functional test runner.

  • Refactored action panel and client area.

  • Refactored builder interface.

  • Refactored search facet.

  • Entitlements.

  • Updated Selenium tests.

  • Merged IPA.cmd() into IPA.command().

  • Entitlement registration.

  • Entitlement import.

  • Entitlement download.

  • Moved adder dialog box into entity.

  • Standardized action panel buttons creation.

  • Entitlement quantity validation.

  • Refactored navigation.

  • Use entity names for tab state.

  • Moved entity contents outside navigation.

  • Added facet container.

  • Fixed self-service UI.

  • Updated Selenium tests.

  • Updated Selenium tests.

  • Updated DNS interface.

  • Added Selenium tests for DNS.

  • Added UUID field for entitlement registration.

  • Added Self-Service and Delegation tests.

  • Customizable facet groups.

  • Read-only association facet.

  • jQuery ordered map.

  • Fixed problem disabling HBAC and SUDO rules.

  • Fixed Ajax error handling.

  • Fixed details tests.

  • Fixed adder dialog title.

  • Fixed Add and Edit without primary key.

  • Fixed Selenium tests.

  • Fixed URL parameter parsing.

  • Added Update and Reset buttons into Dirty dialog.

  • Fixed problem deleting value in text field.

  • Added pagination for associations.

  • Fixed pagination problem.

  • Temporary fix for indirect member tabs.

  • Fixed blank dialog box on internal error.

  • Fixed resizing issues.

  • Added selectable option for table widget.

  • Entitlement status.

  • Fixed tab navigation.

  • Fixed build break.

  • Fixed paging for indirect members.

  • Renamed associate.js to association.js.

  • Fixed self-service links.

  • Merged direct and indirect association facets

  • Storing page number in URL.

  • Removed FreeWay font files.

  • Fixed problem with navigation tabs on reload.

  • Converted entity header into facet header.

  • Added navigation breadcrumb.

  • Added record count into association facet tabs.

  • Added singular entity labels.

  • Fixed entity labels.

  • Fixed DNS records page title.

  • Fixed undo all problem.

  • Removed unused images.

  • Fixed hard-coded messages.

  • Added confirmation dialog for user activation.

  • Fixed button style in Entitlements

  • Removed invalid associations.

  • Added arrow icons for details sections.

  • Fixed object_name usage.

  • Fixed HBAC/Sudo rules associations.

  • Fixed blank self-service page.

  • Fixed dirty dialog problems in HBAC/Sudo rules.

  • Fixed test fixture file name.

  • Fixed missing entitlement import button label

  • Added sudo options.

  • Fixed collapsed table in Chrome.

  • Fixed object_name and object_name_plural internationalization

  • Fixed label capitalization

  • Entity select widget improvements

  • Removed reverse zones from host adder dialog.

  • Fixed host details fields.

  • Added checkbox to remove hosts from DNS.

  • Creating reverse zones from IP address.

  • Removed entitlement registration UUID field.

  • Fixed problem loading data in HBAC/sudo details page.

  • Removed HBAC access time code.

  • Removed custom layouts using HTML templates.

  • Refactored IPA.current_facet().

  • Fixed problem with navigation state loading.

  • Fixed navigation problems.

  • Fixed navigation unit test.

  • Fixed click handlers on certificate buttons.

  • New icons for entitlement buttons

  • Fixed problem bookmarking Policy/IPA Server tabs

  • Fixed problem setting host OTP.

  • Fixed hard-coded labels in sudo rules.

  • Fixed hard-coded label in Find button.

  • Fixed missing section header in sudo command group.

  • Fixed problem unprovisioning service.

  • Fixed missing memberof definition in HBAC service.

  • Added association facets for HBAC and sudo.

  • Fixed certificate buttons.

  • Fixed missing icons.

  • Fixed misaligned search icon.

  • Resizable adder dialog box.

  • Linked entries in HBAC/sudo details page.

  • Fixed 3rd level tab style.

  • Fixed facet group labels.

  • Fixed error after login on IE

  • Fixed host adder dialog.

  • Fixed DNS zone adder dialog.

  • Fixed broken links in ipa_error.css and ipa_migration.css.

  • Fixed problem clicking 3rd level tabs.

  • Fixed link style in dialog box.

  • Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):

  • Remove wrong kpasswd sysconfig

Jan Cholasta (34):

  • Fix wording of error message.

  • Add note about ipa-dns-install to ipa-server-install man page.

  • Fix typo in ipa-server-install.

  • Fix uninitialized variables.

  • Fix double definition of output_for_cli.

  • Add lint script for static code analysis.

  • Fix lint false positives.

  • Remove unused classes.

  • Fix some minor issues uncovered by pylint.

  • Fix uninitialized attributes.

  • Run lint during each build.

  • Several improvements of the lint script.

  • Fix issues found by Coverity.

  • Fix regressions introduced by pylint false positive fixes.

  • Assume ipa help for plugins.

  • Parse netmasks in IP addresses passed to server install.

  • Honor netmask in DNS reverse zone setup.

  • Do stricter checking of IP addresses passed to server install.

  • Fix directory manager password validation in ipa-nis-manage.

  • Improve IP address handling in the host-add command.

  • Verify that the hostname is fully-qualified before accessing the service information in ipactl.

  • Remove redundant configuration values from krb5.conf.

  • Replace the ‘private’ option in netgroup-find with ‘managed’.

  • Configure SSSD to store user password if offline.

  • Fix creation of reverse DNS zones.

  • Add ability to specify DNS reverse zone name by IP network address.

  • Fix exit status of ipa-nis-manage enable.

  • Update minimum required version of python-netaddr.

  • Clean up of IP address checks in install scripts.

  • Don’t delete NIS netgroup compat suffix on ‘ipa-nis-manage disable’.

  • Fix ipa-compat-manage not working after recent ipa-nis-manage change.

  • Make sure that hostname specified by user is not an IP address.

  • Fix external CA install.

  • Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):

  • Module for DN objects plus unit test

  • assert_deepequal supports callback for equality testing

  • Add backslash escape support for cvs reader

  • Use DN class in get_primary_key_from_dn to return decoded value

  • Update test_role_plugin test to include a comma in a privilege

  • Ticket 1485 - DN pairwise grouping

  • Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.

  • Clean up existing DN object usage

  • transifex translation adjustment

JR Aquino (15):

  • Escape LDAP characters in member and memberof searches

  • Add memberHost and memberUser to default indexes

  • Optimize and dynamically verify group membership

  • Delete the sudoers entry when disabling Schema Compat

  • Return copy of config from ipa_get_config()

  • Typo in host_nis_groups has been creating 2 CN’s

  • Add sudorule and hbacrule to memberof and indirectmemberof attributes

  • Display remaining external hosts when removing from sudorule

  • Raise DuplicateEntry Error when adding a duplicate sudo option

  • Don’t add empty tuple to entry_attrs[‘externalhost’]

  • oneliner correct typo in ipasudorunas_group

  • Return correct “RunAs External Group” when removing members

  • remove escapes from the csv parser in ipaserver/install/ldapupdate

  • Correct behavior for sudorunasgroup vs sudorunasuser

  • Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):

  • Inconsistent error message for duplicate user

  • Replica installation fails for self-signed server

  • Remove doc from API.txt

  • Revert “Remove doc from API.txt”

  • Password policy commands do not include cospriority

  • Improve DNS PTR record validation

  • Remove unwanted trimming in text fields

  • Need force option in DNS zone adder dialog

  • IPA replica is not started after the reboot

  • Improve Directory Service open port checker

  • Log temporary files in ipa-client-install

  • Prevent uninstalling client on the IPA server

  • pwpolicy-mod doesn’t accept old attribute values

  • Forbid reinstallation in ipa-client-install

  • ipa-client-install uninstall does not work on IPA server

  • LDAP Updater may crash IPA installer

  • NS records not updated by replica

  • Bad return values for ipa-rmkeytab command

  • Update spec with missing BuildRequires for pylint check

  • Let selinux-policy handle port 7390

  • Limit passwd plugin to user container

  • Consolidate man pages and IPA tools help

  • Remove doc from API.txt

  • Improve service manipulation in client install

  • Running ipa-replica-manage as non-root cause errors

  • KDC autodiscovery may fail when domain is not realm

  • A new flag to disable creation of UPG

  • Fix reverse zone creation in ipa-replica-prepare

  • Improve interactive mode for DNS plugin

  • Localization fails for MaxArgumentError

  • Fix forward zone creation in ipa-replica-prepare

  • Connection check program for replica installation

  • Fix support for nss-pam-ldapd

  • Skip know_host check for ipa-replica-conncheck

  • IPA installation with --no-host-dns fails

  • Handle LDAP search references

  • Add ignore lists to migrate-ds command

  • Improve DNS zone creation

  • Add a list of managed hosts

  • Missing krbprincipalname when uid is not set

  • Add port 9443 to replica port checking

  • Fix doc for sudorule runasuser commands

  • Improve IP address handling in IPA option parser

  • Multi-process build problems

  • DNS installation fails when domain and host domain mismatch

  • Fix IPA install for secure umask

  • Allow recursion by default

  • Add DNS record modification command

  • Filter reverse zones in dnszone-find

  • Remove sensitive information from logs

  • Fix ipa-dns-install

  • Fix self-signed replica installation

  • Check IPA configuration in install tools

  • Add new dnszone-find test

  • Fix typo in ipa-replica-prepare

  • Improve long integer type validation

  • Fix sudorule-remove-user

  • Add missing automount summaries

  • Fix man page ipa-csreplica-manage

  • Fix automountkey commands summary

  • Fix invalid issuer in unit tests

  • Hide continue option from automountkey-del

  • Improve error message in ipactl

  • Improve dnszone-add error message

  • Fix idnsUpdatePolicy for reverse zone record

  • Fix client enrollment

  • Update 389-ds-base version

  • Update pki-ca version

Nalin Dahyabhai (1):

  • Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):

  • Fix gidnumber option of user-add command.

Petr Vobornik (3):

  • fixed empty dns record update

  • Fixed adding host without DNS reverse zone

  • Redirection after changing browser configuration

Rich Megginson (3):

  • winsync enables disabled users in AD

  • modify user deleted in AD crashes winsync

  • memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):

  • Allow a client to enroll using principal when the host has an OTP

  • Make retrieval of the CA during DNS discovery non-fatal.

  • Cache the value of get_ipa_config() in the request context.

  • Change default gecos from uid to first and last name.

  • Fix ORDERING in some attributetypes and remove other unnecessary elements.

  • postalCode should be a string not an integer.

  • Fix traceback in ipa-nis-manage.

  • Suppress --on-master from ipa-client-install command-line and man page.

  • Sort entries returned by *-find by the primary key (if any).

  • The default groups we create should have ipaUniqueId set

  • Always ask members in LDAP*ReverseMember commands.

  • Provide attributelevelrights for the aci components in permission_show.

  • Wait for memberof task and DS to start before proceeding in installation.

  • Convert manager from userid to dn for storage and back for displaying.

  • Modify the default attributes shown in user-find to match the UI design.

  • Ensure that the zonemgr passed to the installer conforms to IA5String.

  • Handle principal not found errors when converting replication agreements

  • Bump version to 2.0.90 to distinguish between 2.0.x

  • Properly handle --no-reverse being passed on the CLI in interactive mode

  • Update min nvr for selinux-policy and pki-ca for F-15+

  • Test for forwarded Kerberos credentials cache in wsgi code.

  • Properly configure nsswitch.conf when using the --no-sssd option.

  • Enable 389-ds SSL host checking by default

  • Configure Managed Entries on replicas.

  • Document that deleting and re-adding a replica requires a dirsrv restart.

  • Fix migration to work between v2 servers and remove search/size limits.

  • Add option to limit the attributes allowed in an entry.

  • Include the word ‘member’ with autogenerated optional member labels.

  • Do a lazy retrieval of the LDAP schema rather than at module load.

  • Add UID, GID and e-mail to the user default attributes.

  • Fix external CA installation

  • Remove root autobind search restriction, fix upgrade logging & error handling

  • Support initializing memberof during replication re-init using GSSAPI

  • Do better detection on status of CA DS instance when installing.

  • Fix indirect member calculation

  • Remove automountinformation as part of the DN for automount.

  • Don’t let a JSON error get lost in cascading errors.

  • Add message output summary to sudorule del, mod and find.

  • Return an error message when revocation reason 7 is used

  • Require an imported certificate’s issuer to match our issuer.

  • On a master configure sssd to only talk to the local master.

  • The IP address provided to ipa-server-install must be local

  • Do lazy LDAP schema retrieval in json handler.

  • Make data type of certificates more obvious/predictable internally.

  • Update translation files

  • Let the framework be able to override the hostname.

  • Make dogtag an optional (and default un-) installed component in a replica.

  • Slight performance improvement by not doing some checking in production mode

  • Set the client auth callback after creating the SSL connection.

  • Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list

  • Enforce class rules when query=True, continue to not run validators.

  • find_entry_by_attr() should fail if multiple entries are found

  • Fix error in AttrValueNotFound exception example

  • Fix test failure in updater when adding values to a single-value attr

  • Reset failed login count to 0 when admin resets password.

  • Disallow direct modifications to enrolledBy.

  • Document registering to an entitlement server with a UUID as not implemented.

  • In sudo labels we should use RunAs and not Run As.

  • Remove the ability to create new HBAC deny rules.

  • Validate that the certificate subject base is in valid DN format.

  • Use information from the certificate subject when setting the NSS nickname.

  • Create tool to manage dogtag replication agreements

  • Fix failing tests due to object name changes

  • Set nickname of the RA to ‘IPA RA’ to avoid confusion with dogtag RA

  • Set the ipa-modrdn plugin precedence to 60 so it runs last

  • Generate a database password by default in all cases.

  • Specify the package name when the replication plugin is missing.

  • Change client enrollment principal prompt to hopefully be clearer.

  • Optionally wait for 389-ds postop plugins to complete

  • A removed external host is shown in output when removing external hosts.

  • Don’t set krbLastPwdChange when setting a host OTP password.

  • Fix regression when calculating external groups.

  • With the external user/group management fixed, correct the unit tests.

  • Set a default minimum value for class Int, handle long values better.

  • Make ipa-client-install error messages more understandable and relevant.

  • Add Alexander Bokovoy and Jan Cholasta to contributors file

  • Only call entry_from_entry() after waiting for the new entry.

  • Hide the HBAC access type attribute now that deny is deprecated.

  • Autofill the default revocation reason

  • Don’t check for leading/trailing spaces in a File parameter

  • Add an arch-specific Requires on cyrus-sasl-gssapi

  • Revert use of ‘can be at least’ to ‘must be at least’ in minvalue validator

  • Don’t leave dangling map if adding an indirect map fails

  • Fix message in test case for checking minimum values

  • When setting a host password don’t set krbPasswordExpiration.

  • Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile

  • Deprecated managing users and runas user/group in sudorule add/mod

  • Fix date order in changelog.

  • Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):

  • Fix resource leaks.

  • ipautil: Preserve environment unless explicitly overridden by caller.

  • install-scripts: avoid using --list with chkconfig

  • Don’t set the password expiration to the current time

Yuri Chornoivan (1):

  • Typos in freeIPA messages and man page

Kyle Baker (5):

  • Background images and tab hover

  • Search bar style and positioning changes

  • List page spacing changes

  • Tab and spacing on list

  • Facet icon swap and tab sizing

Version 2.0.1 (05/02/2011)

  • Fixed undefined label in permission adder dialog box.

  • Add note about ipa-dns-install to ipa-server-install man page.

  • Fix typo in ipa-server-install.

  • Add lint script for static code analysis.

  • Fix lint false positives.

  • Escape LDAP characters in member and memberof searches

  • Add memberHost and memberUser to default indexes

  • Optimize and dynamically verify group membership

  • Delete the sudoers entry when disabling Schema Compat

  • Inconsistent error message for duplicate user

  • Replica installation fails for self-signed server

  • Password policy commands do not include cospriority

  • Improve DNS PTR record validation

  • IPA replica is not started after the reboot

  • Improve Directory Service open port checker

  • Log temporary files in ipa-client-install

  • Prevent uninstalling client on the IPA server

  • pwpolicy-mod doesn’t accept old attribute values

  • Fix gidnumber option of user-add command.

  • Allow a client to enroll using principal when the host has an OTP

  • Make retrieval of the CA during DNS discovery non-fatal.

  • Cache the value of get_ipa_config() in the request context.

  • Change default gecos from uid to first and last name.

  • Fix ORDERING in some attributetypes and remove other unnecessary elements.

  • postalCode should be a string not an integer.

  • Fix traceback in ipa-nis-manage.

  • Sort entries returned by *-find by the primary key (if any).

  • The default groups we create should have ipaUniqueId set

  • Provide attributelevelrights for the aci components in permission_show.

  • Wait for memberof task and DS to start before proceeding in installation.

  • Convert manager from userid to dn for storage and back for displaying.

  • Modify the default attributes shown in user-find to match the UI design.

  • Ensure that the zonemgr passed to the installer conforms to IA5String.

  • Handle principal not found errors when converting replication agreements

  • Fix resource leaks.

  • ipautil: Preserve environment unless explicitly overridden by caller.

Version 2.0.0 GA (03/25/2011)

  • pwpolicy priority: Priority is now a required field in order to add a new password policy.

  • Removed nested role from UI.

  • Wait for Directory Server ports to open

  • Prevent stacktrace when DNS AAAA record is added

  • Update translation file (ipa.pot).

  • Always consider domain and server when doing DNS discovery in client.

  • Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.

  • Ensure that the system hostname is lower-case.

  • Automatically update IPA LDAP on rpm upgrades

  • Domain to Realm: Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.

  • Fix uninitialized variable.

Version 2.0.0 RC 3 (03/10/2011)

  • i18n improvements

  • Fixed the self-service page in the WebUI

  • Use TLS for CA replication

  • Setting up Winsync agreements has been fixed

Version 2.0.0 RC 2 (02/28/2011)

  • Make Indirect membership clearer.

  • Input validation fixes.

  • WebUI improvements.

  • Created default Roles.

  • IPv6 support

  • Documentation updates

Version 2.0.0 RC 1 (02/14/2011)

  • Installation fixes.

  • DNS improvements.

  • WebUI improvements.

Version 2.0.0 Beta 2 (02/03/2011)

  • Support of the latest Dogtag packages.

  • Installation fixes.

  • Changes in the DIT structure.

  • New permissions defined against different elements of the tree.

  • Better startup and shutdown handling.

  • Replication improvements.

  • Incremental improvements in IPv6 support.

  • DNS improvements.

  • The package name has been changed to “freeipa” to avoid collision with IPA v1.x and many others.

Version 2.0.0 Beta 1 (12/23/2010)

  • FreeIPA has changed its license to GPLv3+

  • Having IPA manage the reverse zone is optional.

  • The access control subsystem was re-written to be more understandable. For details see http://freeipa.org/page/Permissions

  • Support for SUDO rules

  • There is now a distinction between replicas and their replication agreements in the ipa-replica-manage command. It is now much easier to manage the replication topology.

  • Renaming entries is easier with the --rename option of the mod commands.

  • Fix special character handling in passwords, ensure that passwords are not logged.

  • Certificates can be saved as PEM files in service-show and host-show commands.

  • All IPA services are now started/stopped using the ipactl command. This gives us better control over the start/stop order during reboot/shutdown.

  • Set up ntpd first so the time is sane.

  • Better multi-valued value handling with --setattr and --addattr.

  • Add support for both RFC2307 and RFC2307bis to migration.

  • UID ranges were reduced by default from 1M to 200k.

  • Add ability to add/remove DNS records when adding/removing a host entry.

  • A number of i18n issues have been addressed.

Version 2.0.0 Alpha 5 (11/11/2010)

  • Dropped our PKCS#10 parser to use the one provided by python-nss

  • Started enforcing that hosts must be resolvable before adding them (use --force if you really want to add them).

  • Provide a reason when adding members to a group fails.

  • Allow de-coupling of user private groups (group-detach).

  • Support for ipa tool failover.

  • Hosts are allowed to retrieve keytabs for their services.

  • More configurable logging, see http://freeipa.org/page/IPAv2_config_files

  • Add support for ldap:///self aci rules

  • Use global time and size limit values when searching.

  • Don’t include passwords in log files.

  • Make ipactl a lot smarter and add a man page for it.

  • Have certmonger track the IPA service certificates.

  • Initial support for SUDO. You can create the objects but the client-side is not done yet.

  • The delete commands now take multiple arguments: ipa user-del user1 user2 user3 … usern

  • Remove reliance on ‘admin’ as a special user. All access control now granted via groups.

  • Groups are now created as POSIX by default.

  • Add options to control NTLM hashes. By default LM hash is disabled.

  • Remove the correct password from the history. We were mistakenly removing the latest password from the history instead of the oldest.

  • Rename user-lock and user-unlock to user-enable and user-disable.

  • The ipa command should return non-zero when something fails.

  • Add gettext support for the C utilities.

  • Add capability to import automount files.

  • Add basic support for user and group renames (more work is needed). For now use ipa user-mod --setattr uid=newuser olduser

  • Add flag to group-find to only search on private groups.

  • Set default python encoding to utf-8. This should resolve a number of i18n problems.

  • Show indirect members (of groups, hostgroups, netgroups, etc).

  • Remove group nesting from the HBAC service groups.

  • Implement nested netgroups.

  • Add basic support for kerberos lockout policy. You can control how many failed attempts are allowed before lockout. What is missing is a way to unlock a user. This depends on fixes from MIT Kerberos 1.9.

  • Correct handling of userCategory and hostCategory in netgroups.

  • Updated a lot of man pages.

  • Support Fedora 14.

Version 2.0.0 Alpha 4 (07/15/2010)

  • Moved our dogtag SELinux to be installed with the rpm instead of during configuration.

  • Fedora 13 moved to gpg2 and dropped gpg. Fix our invocation so we work with either (this was preventing replica installations).

  • Query remote server during replica installation to see if the replica already exists. This prevents lots of really strange errors during replica installation.

  • Fixed SSL error in client enrollment.

  • Changed the way services are handled in HBAC. There is now a separate service and servicegroup object that you associate with HBAC rules. sssd is already using this new mechanism.

  • First pass at per-command documentation. It still needs a lot of work.

  • Fix aci-mod command. It wasn’t really working well in almost all cases.

  • Add replication version checking. This is one step in better control during updates.

  • Don’t try to convert a host’s password into a keytab with bulk enrollment (this was causing krbPasswordExpiration to be set).

  • Add support for User-Private Groups.

  • Worked on error handling in mod_wsgi. Now hopefully a shorter and less scary backtrace will be thrown when things go bump in the night.

  • Add new API to disable service and host principals.

  • Significant cleanup of crypto code. Using python-nss for a lot more (and more to come).

  • Fixed some errors in and made ipa-compat-manage and ipa-nis-manage more bullet-proof.

  • Fixed netgroups plugin, it was generating the wrong attributes.

  • Other minor polish and bug fixes.

Version 2.0.0 Alpha 3 (05/07/2010)

  • better i18n support including a few translations

  • use mod_wsgi instead of mod_python

  • the CA is a required component and is now configured by default. Pass --selfsign to the installer to use the old self-signed CA

  • A default Host-Based Access Control (HBAC) rule is created that grants all users the ability to log into any host from any host. This was done to simplify initial testing, it is expected this rule, allow_all, will be removed before you deploy.

  • We no longer enable nscd, sssd handles caching now

Version 2.0.0 Alpha 2 (02/18/2010)

  • Draft Web-based UI

  • Simplified migration of the users from IPA v1 or external LDAP server

  • IPA client component to configure SSSD to integrate with IPA

  • Integration with “certmonger” certificate tracking utility. The utility allows automatic provisioning, tracking and renewal of certificates on a member server.

  • General improvements and enhancements across the whole project.

Version 2.0.0 Alpha 1 (10/28/2009)

  • Pluggable and extensible framework for UI/CLI

  • Optionally installable DNS server

  • Optionally installable Certificate Authority to manage server certificates

  • NIS compatibility plug-in

Version 1.2.1

  • Add ipa-compat-manage utility

  • Ensure the CA cert is always included when preparing a replica

  • Fix error in validation when editing new groups via the UI 471808

  • Fixed some crash conditions in the password plugin

Version 1.2.0

  • Active Directory User Synchronization

  • Schema Compatibility Plug-in (native Solaris nss_ldap now works)

  • Fix group mapping /etc/ldap.conf so getent works 431603

  • The ipa-addservice command failed if the realm name was included in the principal name. 437566

  • The ipa_webgui service did not start after the initial installation. 440475

  • IPA does not handle group names with spaces properly. 450613

  • The ipa-moduser -f command may not change the appearance of the user’s first name when shown as the full name. 451318

  • The potential existed for Directory Server to crash if you nested groups too deeply. 451358

  • IPA replicas did not fully synchronize in single-master, dual-replica topology environments. 468732

  • Fix error in validation when adding new groups via the UI

  • Add list of DNs that are not controlled by password policy. 471130

Version 1.1.0

  • Ensure that the realm name is upper-case.

  • When an LDAP connection fails, display the host one is trying to connect to. 450111

  • Add our own SIGTERM handler to ipa_webgui so we can do clean shutdowns. 450211

  • Make it clear which packages are being configured and which aren’t. 450175

  • Add -p/--password option so the DM password can be passed on the command-line.

  • Don’t make the search criteria lower-case so one can do case-sensitive searches (such as looking for HTTP principals). 449975

  • Man page improvements.

  • Fix issue of double logging in ipa_error.log.

  • Add a Not Found (404) template

  • Only print a traceback on 500 errors.

  • Don’t prompt regarding previous DS installations in unattended mode.

  • Add two new options, --addattr and --setattr, to allow arbitrary attributes to be added and set when a new user or group is created. 449006

  • Make password not mandatory in ipa-adduser

  • Make ipa_kpasswd listen on each single interface explicitly instead of 0.0.0.0.

  • Fix the case where domain != lower(REALM) add the domain to the ipa.conf file for apps that need to know. This should fix a bug in the replica setup.

  • Move admin into cn=users,cn=accounts

  • Move non-user-configurable configuration elements to TurboGears app.cfg file. 432908

  • Change file mode of log files to 600. 446869

  • Ensure hostnames are lower during installation and when adding service princs. 447381

  • Remove broken link for IE configuration and replace sample domain/realm. Also fix some HTML errors. 447445

  • Do uniqueness check on phone numbers and cn entered via the UI. 445286

  • Don’t pass the Directory Manager password on the command-line to ldapmodify. 446865

  • Use split instead of find as split does not fail to provide a complete component if no ‘.’ is found. This should better handle a realm with no periods in it.

  • Improve DNA plugin and ensure that the numbers it hands out are unique.

  • Don’t ask the user again if he wants to replace bind configuration files if he specified --setup-bind. 430090

  • Make sure all services are stopped during uninstall. 440322

  • Hack to not require a First Name in the UI for the admin user since it lacks the inetOrgPerson objectclass.

  • Display information on how to uninstall a partially installed server. 442454

  • Include information on where to look if a hostname resolves to localhost. 442812

  • On IPA Servers configure PAM and nss_ldap to connect to ourselves using localhost.

  • Detect existing DS instances and prompt for removal during replica install.

  • Don’t allow the IPA server service principals to be removed.

  • Move entire web space to be rooted in /ipa

  • Add --verbose option so the HTTP headers and XML request/response can be seen in the ipa-* tools. 443987

  • Fixed various memory leaks in memberOf plug-in.

  • Make sure we always have the [domain-realm] section or kerberos libs misbehave.

Version 1.0.0

Lots of bug fixes

Version 0.99

Feature complete
