Jump to: navigation, search

Releases/4.2.0

Release date Released 2015-07-08

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository.

Highlights in 4.2

Enhancements

  • Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA server to have consistent state for all certificate creation request. The certificate submission requests are authorized by the new CA ACL rules (ticket, design)
  • Support One-Way Trust to Active Directory (ticket, design)
  • User life-cycle management management - add inactive stage users using UI or LDAP interface and have them moved to active users by single command. Deleted users can now be also moved - preserved - to special tree and re-activated when user returns, preserving it's UID/GID (ticket, design)
  • Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even FreeIPA server does not know the secrets! (ticket, design, implementation)
  • Datepicker is now used for datetime fields in the Web UI (ticket)
  • Upgrade process was overhauled. There is now single upgrade tool (ipa-server-upgrade) providing simplified interface for upgrading the FreeIPA server. See details in separate subsection. (ticket, design)
  • Service constrained delegation rules can be now added by UI and CLI (ticket, design)
  • FreeIPA Web UI now provides API browser and documentation. See IPA Server - API Browser tab (ticket)
  • Access control instructions were updated so that hosts can create their own services (ticket)
  • FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service (ticket, design)
  • FreeIPA Web Server no longer use deprecated mod_auth_kerb but switched to the modern mod_auth_gssapi (ticket)
  • New automated migration tool from winsync to ID Views (ticket, design)
  • migrate-ds command can now search the migrated users and groups with different scope
  • DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow Deployment Recommendations for DNS.
  • ipa migrate-ds command can now run with different search scopes (ticket)
  • And many other small improvements or bug fixes!

Changes to upgrade

The server still upgrades automatically during RPM update. However, ipactl start now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when ipa-server-upgrade was not run during RPM update (for example during FedUp Fedora upgrade).

Update files (files in /usr/share/ipa/updates/) format was changed. Namely:

  • Updates are not merged, update files are applied one at a time (ticket)
  • Update entries no longer support CSV - commas can be now freely used in the added attributes
  • Update can now use base64 values (ticket)
  • Update plugins are now not run automatically, but when referenced from update files (plugin: <plugin name>)

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.1

Ade Lee (3)

  • Add a KRA to IPA
  • Add man page for ipa-kra-install
  • Re-enable uninstall feature for ipa-kra-install

Ales 'alich' Marecek (1)

  • Ipatests DNS SOA Record Maintenance

Alexander Bokovoy (21)

  • Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
  • Update slapi-nis dependency to pull 0.54.1
  • AD trust: improve trust validation
  • Support Samba PASSDB 0.2.0 aka interface version 24
  • ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
  • ipa-kdb: when processing transitions, hand over unknown ones to KDC
  • ipa-kdb: reject principals from disabled domains as a KDC policy
  • fix Makefile.am for daemons
  • slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
  • ipaserver/dcerpc: Ensure LSA pipe has session key before using it
  • ipa-kdb: use proper memory chunk size when moving sids
  • ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
  • add one-way trust support to ipasam
  • ipa-adtrust-install: add IPA master host principal to adtrust agents
  • trusts: pass AD DC hostname if specified explicitly
  • ipa-sidgen: reduce log level to normal if domain SID is not available
  • ipa-adtrust-install: allow configuring of trust agents
  • trusts: add support for one-way trust and switch to it by default
  • ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
  • trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
  • trust: support retrieving POSIX IDs with one-way trust during trust-add

Christian Heimes (4)

  • Provide Kerberos over HTTP (MS-KKDCP)
  • Fix removal of ipa-kdc-proxy.conf symlink
  • Fix upgrade of HTTPInstance for KDC Proxy
  • Improve error handling in ipa-httpd-kdcproxy

David Kupka (27)

  • Respect UID and GID soft static allocation.
  • Stop dirsrv last in ipactl stop.
  • Remove unneeded internal methods. Move code to public methods.
  • Remove service file even if it isn't link.
  • Produce better error in group-add command.
  • Fix --{user,group}-ignore-attribute in migration plugin.
  • ipa-restore: Check if directory is provided + better errors.
  • Fix error message for nonexistent members and add tests.
  • Use singular in help metavars + update man pages.
  • Always add /etc/hosts record when DNS is being configured.
  • Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
  • Abort backup restoration on not matching host.
  • idviews: Allow setting ssh public key on ipauseroverride-add
  • Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
  • Restore default.conf and use it to build API.
  • Always reload StateFile before getting or modifying the stored values.
  • Remove unused part of ipa.conf.
  • Use mod_auth_gssapi instead of mod_auth_kerb.
  • Bump ipa.conf version to 17.
  • Lint: Skip checking of functions stolen by python-nose.
  • Make lint work on Fedora 22.
  • Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
  • Do not store state if CA is enabled
  • Move CA installation code into single module.
  • Use 389-ds centralized scripts.
  • upgrade: Raise error when certmonger is not running.
  • ipa-replica-prepare: Do not create DNS zone it automatically.

Drew Erny (1)

  • Migration now accepts scope as argument

Endi Sukma Dewata (8)

  • Fixed KRA backend.
  • Modififed NSSConnection not to shutdown existing database.
  • Added vault plugin.
  • Added vault-archive and vault-retrieve commands.
  • Fixed KRA installation problem.
  • Added symmetric and asymmetric vaults.
  • Added ipaVaultPublicKey attribute.
  • Added vault access control.

Francesco Marella (1)

  • Refactor selinuxenabled check

Fraser Tweedale (25)

  • Support multiple host and service certificates
  • Fix certificate management with service-mod
  • Install CA with LDAP profiles backend
  • Add schema for certificate profiles
  • ipa-pki-proxy: provide access to profiles REST API
  • Add ACL to allow CA agent to modify profiles
  • Add certprofile plugin
  • Enable LDAP-based profiles in CA on upgrade
  • Import included profiles during install or upgrade
  • Add generic split_any_principal method
  • Add profile_id parameter to 'request_certificate'
  • Add usercertificate attribute to user plugin
  • Update cert-request to support user certs and profiles
  • Fix certificate subject base
  • Import profiles earlier during install
  • ipa-pki-proxy: allow certificate and password authentication
  • Add CA ACL plugin
  • Enforce CA ACLs in cert-request command
  • certprofile: fix doc error
  • Upgrade CA schema during upgrade
  • Migrate CA profiles after enabling LDAPProfileSubsystem
  • certprofile: add option to export profile config
  • certprofile: add ability to update profile config in Dogtag
  • caacl: fix incorrect construction of HbacRequest for hosts
  • cert-request: enforce caacl for principals in SAN

Gabe Alford (17)

  • Remove trivial path constants from modules
  • ipa-server-install Directory Manager help incorrect
  • ipa-managed-entries requires password with bad password
  • Update default NTP configuration
  • Remove usage of app_PYTHON in ipaserver Makefiles
  • Remove dependency on subscription-manager
  • Typos in ipa-rmkeytab options help and man page
  • permission-add does not prompt for ipapermright in interactive mode
  • ipa-replica-prepare should document ipv6 options
  • ipatests: Add tests for valid and invalid ipa-advise
  • ipa-replica-prepare can only be created on the first master
  • Add message for skipping NTP configuration during client install
  • Remove unneeded ip-address option in ipa-adtrust-install
  • Unsaved changes dialog internally inconsistent
  • Allow ipa help command to run when ipa-client-install is not configured
  • Do not print traceback when pipe is broken
  • Clear SSSD caches when uninstalling the client

Jan Cholasta (109)

  • Do not crash in CAInstance.__init__ when default argument values are used
  • Fix certmonger configuration in installer code
  • Do not check if port 8443 is available in step 2 of external CA install
  • Handle profile changes in dogtag-ipa-ca-renew-agent
  • Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
  • Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
  • Fix possible NULL dereference in ipa-kdb
  • Fix memory leaks in ipa-extdom-extop
  • Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
  • Fix memory leak in ipa-pwd-extop
  • Fix memory leaks in ipa-join
  • Fix various bugs in ipap11helper
  • Fix CA certificate backup and restore
  • Fix wrong expiration date on renewed IPA CA certificates
  • Restore file extended attributes and SELinux context in ipa-restore
  • Use correct service name in cainstance.backup_config
  • Stop tracking certificates before restoring them in ipa-restore
  • Remove redefinition of LOG from ipa-otp-lasttoken
  • Unload P11_Helper object's library when it is finalized in ipap11helper
  • Fix Kerberos error handling in ipa-sam
  • Fix unchecked return value in ipa-kdb
  • Fix unchecked return values in ipa-winsync
  • Fix unchecked return value in ipa-join
  • Fix unchecked return value in krb5 common utils
  • Fix memory leak in GetKeytabControl asn1 code
  • Add TLS 1.2 to the protocol list in mod_nss config
  • Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
  • Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
  • Improve validation of --instance and --backend options in ipa-restore
  • Check subject name encoding in ipa-cacert-manage renew
  • Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
  • Fix ipa-restore on systems without IPA installed
  • Remove RUV from LDIF files before using them in ipa-restore
  • Fix CA certificate renewal syslog alert
  • Do not crash on unknown services in installutils.stopped_service
  • Restart dogtag when its server certificate is renewed
  • Make certificate renewal process synchronized
  • Fix validation of ipa-restore options
  • Do not assume certmonger is running in httpinstance
  • Put LDIF files to their original location in ipa-restore
  • Revert "Make all ipatokenTOTP attributes mandatory"
  • Create correct log directories during full restore in ipa-restore
  • Do not crash when replica is unreachable in ipa-restore
  • Bump 389-ds-base and pki-ca dependencies for POODLE fixes
  • ipalib: Allow multiple API instances
  • ipalib: Move plugin package setup to ipalib-specific API subclass
  • advise: Add separate API object for ipa-advise
  • ldap2: Use self API instance instead of ipalib.api
  • replica-install: Use different API instance for the remote server
  • certstore: Make certificate retrieval more robust
  • client-install: Do not crash on invalid CA certificate in LDAP
  • client: Fix ca_is_enabled calls
  • upload_cacrt: Fix empty cACertificate in cn=CAcert
  • ldap: Drop python-ldap tuple compatibility
  • ldap: Remove unused IPAdmin methods
  • ldap: Add connection management to LDAPClient
  • ldap: Use LDAPClient connection management in IPAdmin
  • ldap: Use LDAPClient connection management in ldap2
  • ldap: Add bind and unbind methods to LDAPClient
  • ldap: Use LDAPClient bind and unbind methods in IPAdmin
  • ldap: Use LDAPClient bind and unbind methods in ldap2
  • ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
  • cainstance: Use LDAPClient instead of IPASimpleLDAPObject
  • makeaci: Use LDAPClient instead of IPASimpleLDAPObject
  • ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
  • ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
  • ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
  • ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
  • ldap: Remove IPASimpleLDAPObject
  • Fix stop_tracking_certificates call in ipa-restore
  • baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
  • client-install: Fix kinits with non-default Kerberos config file
  • install: Make a package out of ipaserver.install.server
  • install: Move ipa-server-install code into a module
  • install: Move ipa-replica-install code into a module
  • install: Move ipa-server-upgrade code into a module
  • install: Fix missing variable initialization in replica install
  • install: Fix CA-less server install
  • install: Fix external CA server install
  • install: Move private_ccache from ipaserver to ipapython
  • install: Introduce installer framework ipapython.install
  • install: Migrate ipa-server-install to the install framework
  • install: Handle Knob cli_name and cli_aliases values consistently
  • install: Add support for positional arguments in CLI tools
  • install: Allow setting usage in CLI tools
  • install: Migrate ipa-replica-install to the install framework
  • vault: Move vaults to cn=vaults,cn=kra
  • install: Initialize API early in server and replica install
  • vault: Fix ipa-kra-install
  • install: Fix logging setup in server and replica install
  • User life cycle: provide preserved user virtual attribute
  • install: Fix ipa-replica-install not installing RA cert
  • User life cycle: change user-del flags to be CLI-specific
  • plugable: Move plugin base class and override logic to API
  • ipalib: Load ipaserver plugins when api.env.in_server is True
  • ipalib: Move find_modules_in_dir from util to plugable
  • plugable: Specify plugins to import in API by module names
  • plugable: Load plugins only from modules imported by API
  • plugable: Pass API to plugins on initialization rather than using set_api
  • plugable: Do not use DictProxy for API
  • plugable: Lock API on finalization rather than on initialization
  • ipaplatform: Do not use MagicDict for KnownServices
  • plugable: Remove SetProxy, DictProxy and MagicDict
  • plugable: Change is_production_mode to method of API
  • plugable: Specify plugin base classes and modules using API properties
  • plugable: Remove unused call method of Plugin
  • replica prepare: Do not use entry after disconnecting from LDAP
  • ipalib: Fix skip_version_check option
  • spec file: Update minimal versions of required packages

Jan Pazdziora (1)

  • No explicit zone specification.

Lenka Ryznarova (1)

  • Test Objectclass of postdetach group

Ludwig Krispenz (14)

  • ds plugin - manage replication topology in the shared tree
  • install part - manage topology in shared tree
  • replica install fails with domain level 1
  • accept missing binddn group
  • plugin uses 1 as minimum domain level to become active no calculation based on plugin version
  • crash when removing a replica
  • check for existing and self referential segments
  • make sure the agremment rdn match the rdn used in the segment
  • v2-reject modifications of endpoints and connectivity of a segment
  • correct management of one directional segments
  • fix coverity issues
  • v2 clear start attr from segment after initialization
  • v2 improve processing of invalid data.
  • allow deletion of segment if endpoint is not managed

Lukáš Slebodník (2)

  • SPEC: Explicitly requires python-sssdconfig
  • SPEC: Require python2 version of sssd bindings

Martin Babinsky (43)

  • Use 'remove-ds.pl' to remove DS instance
  • Moved dbus-python dependence to freeipa-python package
  • ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
  • always get PAC for client principal if AS_REQ is true
  • ipa-kdb: more robust handling of principal addition/editing
  • OTP: failed search for the user of last token emits an error message
  • ipa-pwd-extop: added an informational comment about intentional fallthrough
  • ipa-uuid: emit a message when unexpected mod type is encountered
  • OTP: emit a log message when LDAP entry for config record is not found
  • ipa-client-install: put eol character after the last line of altered config file(s)
  • migrate-ds: exit with error message if no users/groups to migrate are found
  • Changing the token owner changes also the manager
  • ipa-dns-install: use STARTTLS to connect to DS
  • ipa-dns-install: use LDAPI to connect to DS
  • migrate-ds: print out failed attempts when no users/groups are migrated
  • show the exception message thrown by dogtag._parse_ca_status during install
  • do not log BINDs to non-existent users as errors
  • fix improper handling of boolean option in
  • proper client host setup/teardown in forced client reenrollment integration test suite
  • do not install CA on replica during integration test if setup_ca=False
  • ipautil: new functions kinit_keytab and kinit_password
  • ipa-client-install: try to get host TGT several times before giving up
  • Adopted kinit_keytab and kinit_password for kerberos auth
  • use separate ccache filename for each IPA DNSSEC daemon
  • point the users to PKI-related logs when CA configuration fails
  • suppress errors arising from deleting non-existent files during client uninstall
  • prevent duplicate IDs when setting up multiple replicas against single master
  • ipa-server-install: deprecate manual setting of master KDC password
  • update 'api.env.ca_host' if a different hostname is used during server install
  • provide dedicated ccache file for httpd
  • move IPA-related http runtime directories to common subdirectory
  • explicitly destroy httpd service ccache file during httpinstance removal
  • do not check for directory manager password during KRA uninstall
  • merge KRA installation machinery to a single module
  • KRA: get the right dogtag version during server uninstall
  • add DS index for userCertificate attribute
  • generalize certificate creation during testing
  • ipa-kdb: common function to get key encodings/salt types
  • increase NSS memcache timeout for IPA server
  • baseldap: add support for API commands managing only a single attribute
  • reworked certificate normalization and revocation
  • new commands to manage user/host/service certificates
  • add option to skip client API version check

Martin Bašti (126)

  • Dogtag 10.2 to spec.file
  • Fix dns zonemgr validation regression
  • Add bind-dyndb-ldap working dir to IPA specfile
  • Fix CI tests: install_adtrust
  • Fix upgrade: do not use invalid ldap connection
  • Fix: DNS installer adds invalid zonemgr email
  • Fix: DNS policy upgrade raises asertion error
  • Fix upgrade referint plugin
  • Upgrade: fix trusts objectclass violationi
  • Fix named working directory permissions
  • Fix: zonemgr must be unicode value
  • Fix warning message should not contain CLI commands
  • Show warning instead of error if CA did not start
  • Raise right exception if domain name is not valid
  • Fix pk11helper module compiler warnings
  • Fix: read_ip_addresses should return ipaddr object
  • Fix detection of encoding in zonemgr option
  • Fix zonemgr option encoding detection
  • Throw zonemgr error message before installation proceeds
  • Upgrade fix: masking named should be executed only once
  • Using wget to get status of CA
  • Show SSHFP record containing space in fingerprint
  • Fix don't check certificate during getting CA status
  • Fix: Upgrade forwardzones zones after adding newer replica
  • Fix zone find during forwardzone upgrade
  • Fix traceback if zonemgr error contains unicode
  • DNS tests: separate current forward zone tests
  • New test cases for Forward_zones
  • Detect and warn about invalid DNS forward zone configuration
  • DNS tests: warning if forward zone is inactive
  • Add debug messages into client autodetection
  • DNSSEC catch ldap exceptions in ipa-dnskeysyncd
  • DNSSEC: fix root zone dns name conversion
  • Always return absolute idnsname in dnszone commands
  • Use dyndns_update instead of deprecated sssd option
  • Fix reference counting in pkcs11 extension
  • Prevent install scripts fail silently if timeout exceeded
  • Fix warning message on client side
  • Fix restoring services status during uninstall
  • Fix do not enable service before storing status
  • Uninstall configured services only
  • Fix saving named restore status
  • Migrate uniquess plugins configuration to new style
  • Fix uniqueness plugins
  • DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
  • Fix memory leaks in ipap11helper
  • Remove unused method from ipap11pkcs helper module
  • Remove unused disable-betxn.ldif file
  • DNS fix: do not traceback if unsupported records are in LDAP
  • DNS fix: do not show part options for unsupported records
  • DNS: remove NSEC3PARAM from records
  • Fix dead code in ipap11helper module
  • Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
  • Server Upgrade: do not sort updates by DN
  • Server Upgrade: Upgrade one file per time
  • Server Upgrade: Set modified to false, before each update
  • Server Upgrade: Update entries in order specified in file
  • Server Upgrade: order update files by default
  • Server Upgrade: respect --test option in plugins
  • Server Upgrade: remove --test option
  • Server Upgrade: Fix comments
  • DNSSEC: Do not log into files
  • Fix ldap2 shared connection
  • Server Upgrade: use only LDAPI connection
  • Server Upgrade: remove unused code in upgrade
  • Server Upgrade: Apply plugin updates immediately
  • Server Upgrade: specify order of plugins in update files
  • Server Upgrade: plugins should use ldapupdater API instance
  • Server Upgrade: Handle connection better in updates_from_dict
  • Server Upgrade: use ldap2 connection in fix_replica_agreements
  • Server Upgrade: restart DS using ipaplatfom service
  • Server Upgrade: only root can run updates
  • DNSSEC CI tests
  • ipa client: make --ntp-server option multivalued
  • ipa client: use NTP servers detected from SRV
  • ipa client: use NTP servers specified by user
  • Server Upgrade: ipa-server-upgrade command
  • Server Upgrade: Verify version and platform
  • Server Upgrade: use ipa-server-upgrade in RPM upgrade
  • Server Upgrade: fix a comment in ldapupdater
  • move realm_to_serverid to installutils module
  • Server Upgrade: use LDIF parser to modify DSE.ldif
  • Server Upgrade: enable DS global lock during upgrade
  • Server Upgrade: remove CSV from upgrade files
  • Server Upgrade: Allow base64 encoded values
  • Server Upgrade: fix memberUid index
  • Dont use the proxy to check CA status
  • Server Upgrade: Do not start DS if it was stopped before upgrade
  • Server Upgrade: raise RuntimeError instead exit()
  • Server Upgrade: do not allow to run upgradeinstace alone
  • Server Upgrade: handle errors better
  • Server Upgrade: ipa-ldap-updater will not do overall upgrade
  • Server Upgrade: Fix uniqueness plugins
  • DNSSEC: FIX Do not re-create kasp.db if already exists
  • DNSSEC: update OpenDNSSEC KASP configuration
  • DNS install: extract DNS installer into one module
  • Pylint: fix false positive warning for domain
  • Uid uniqueness: fix: exclude compat tree from uniqueness
  • Server Upgrade: wait until DS is ready
  • Server Upgrade: Fix: execute schema update
  • Server Upgrade: Move code from ipa-upgradeconfig to separate module
  • Fix: use DS socket check only for upgrade
  • Server Upgrade: fix remove statement
  • Installers fix: remove temporal ccache
  • ULC: fix: upgrade for stage Stage User Admins failed
  • Fix: regression in host and service plugin
  • DNSSEC: Improve global forwarders validation
  • DNSSEC: validate forward zone forwarders
  • Revert 389-DS BuildRequires version to 1.3.3.9
  • DNSSEC: fix traceback during shutdown phase
  • Server Upgrade: disconnect ldap2 connection before DS restart
  • DNS: add UnknownRecord to schema
  • ipa-ca-install fix: reconnect ldap2 after DS restart
  • Server Upgrade: create default config for NIS Server plugin
  • Fix indicies ntUserDomainId, ntUniqueId
  • Sanitize CA replica install
  • DNS: Do not traceback if DNS is not installed
  • KRA Install: check replica file if contains req. certificates
  • Server Upgrade: use debug log level for upgrade instead of info
  • DNSSEC: allow to disable/replace DNSSEC key master
  • DNSSEC: update message
  • Allow to run subprocess with suplementary groups
  • FIX: Clear SSSD caches when uninstalling the client
  • Fix regression: ipa-dns-install will add CA records if required
  • Upgrade: Do not show upgrade failed message when IPA is not installed
  • Fix logging in API

Martin Košek (11)

  • Fix ImportError in ipa-ca-install
  • Bump SSSD Requires to 1.12.3
  • Fix IPA_BACKUP_DIR path name
  • Allow PassSync user to locate and update NT users
  • Allow Replication Administrators manipulate Winsync Agreements
  • Replication Administrators cannot remove replication agreements
  • Add anonymous read ACI for DUA profile
  • Print PublicError traceback when in debug mode
  • group-detach does not add correct objectclasses
  • Remove references to GPL v2.0 license
  • Fix typo in ipa-server-upgrade man page

Milan Kubik (1)

  • ipatests: port of p11helper test from github

Milan Kubík (2)

  • Abstract the HostTracker class from host plugin test
  • Fix for a typo in certprofile mod command.

Nathan Kinder (2)

  • Timeout when performing time sync during client install
  • Skip time sync during client install when using --no-ntp

Nathaniel McCallum (15)

  • Ensure that a password exists after OTP validation
  • Improve otptoken help messages
  • Ensure users exist when assigning tokens to them
  • Enable QR code display by default in otptoken-add
  • Catch USBError during YubiKey location
  • Preliminary refactoring of libotp files
  • Move authentication configuration cache into libotp
  • Enable last token deletion when password auth type is configured
  • Make token auth and sync windows configurable
  • Create an OTP help topic
  • Prefer TCP connections to UDP in krb5 clients
  • Expose the disabled User Auth Type
  • Update python-yubico dependency version
  • Fix a signedness bug in OTP code
  • Fix OTP token URI generation

Petr Viktorin (35)

  • ipa-restore: Don't crash if AD trust is not installed
  • ipaplatform: Use the dirsrv service, not target
  • Do not restore SELinux settings that were not backed up
  • Add additional backup & restore checks
  • tests: Use PEP8-compliant setup/teardown method names
  • tests: Add configuration for pytest
  • ipatests.util.ClassChecker: Raise AttributeError in get_subcls
  • test_automount_plugin: Fix test ordering
  • Use setup_class/teardown_class in Declarative tests
  • dogtag plugin: Don't use doctest syntax for non-doctest examples
  • test_webui: Don't use __init__ for test classes
  • test_ipapython: Use functions instead of classes in test generators
  • Configure pytest to run doctests
  • Declarative tests: Move cleanup to setup_class/teardown_class
  • Declarative tests: Switch to pytest
  • Integration tests: Port the ordering plugin to pytest
  • Switch make-test to pytest
  • Add local pytest plugin for --with-xunit and --logging-level
  • Switch ipa-run-tests to pytest
  • Switch integration testing config to a fixture
  • Integration tests: Port the BeakerLib plugin and log collection to pytest
  • test_integration: Adjust tests for pytest
  • copy_schema_to_ca: Fallback to old import location for ipaplatform.services
  • Ignore ipap11helper/setup.py in doctests
  • test_integration: Use python-pytest-multihost
  • test_integration: Use collect_log from the host, not the testing class
  • test_integration: Parametrize test instead of using a generator
  • ipatests: Use pytest-beakerlib
  • ipatests: Use pytest-sourceorder
  • Run pylint on tests
  • test_host_plugin: Convert tests to imperative style
  • test_host_plugin: Split tests into independent classes
  • test_host_plugin: Use HostTracker fixtures
  • rename_managed: Remove use of EditableDN
  • Remove Editable DN and DN component classes

Petr Voborník (113)

  • build: increase java stack size for all arches
  • ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
  • unittests: baserid for ipa-ad-trust-posix idranges
  • ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
  • idrange: include raw range type in output
  • webui: prohibit setting rid base with ipa-trust-ad-posix type
  • webui: fix potential XSS vulnerabilities
  • restore: clear httpd ccache after restore
  • webui: use domain name instead of domain SID in idrange adder dialog
  • webui: normalize idview tab labels
  • webui: add radius fields to user page
  • fix indentation in ipa-restore page
  • add --hosts and --hostgroup options to allow/retrieve keytab methods
  • webui: fix service unprovisioning
  • webui: increase duration of notification messages
  • revert removal of cn attribute from idnsRecord
  • migrate-ds: fix compat plugin check
  • rpcclient: use json_encode_binary for verbose output
  • Fix TOTP Synchronization Window label
  • ipatests: add missing ssh object classes to idoverrideuser
  • webui: service: add ipakrbrequirespreauth checkbox
  • webui: unable to select single value in CB by enter key
  • webui: use no_members option in entity select search
  • performance: faster DN implementation
  • speed up convert_attribute_members
  • speed up indirect member processing
  • webui: add pwpolicy link to group details page if group has associated pwpolicy
  • webui-ci: do not open 2 browser windows
  • Update BUILD.txt
  • allow to call ldap2.destroy_connection multiple times
  • use Connectible.disconnect() instead of .destroy_connection()
  • jQuery.ordered_map: faster creation
  • jQuery.ordered_map: remove map attribute
  • migrate-ds: optimize adding users to default group
  • migrate-ds: skip default group option
  • migrate-ds: remove unused def_group_gid context property
  • migrate-ds: optimize gid checks by utilizing dictionary nature of set
  • migrate-ds: log migrated group members only on debug level
  • cli: differentiate Flag a Bool when autofill is set
  • webui-ci: fix type error in host_tasks inicializations
  • webui: update patternfly to v1.1.4
  • webui: rename IPA.user_* to IPA.user.*
  • webui: declare search command options in search facet
  • webui: register construction spec based on existing spec
  • webui: entity facets in facet registry
  • webui: entity menu items navigate to main entity facet
  • webui: prefer entity fallback in menu item select
  • webui: navigation: do not remember selected childs of menu item
  • webui: navigation: unique names on entity facet menu items
  • webui: metadata validator min and max value overrides
  • webui: custom facet groups in a facet
  • webui: facet groups widget
  • webui: allow to replace facet tabs with sidebar
  • webui: allow to hide facet tabs or sidebar
  • webui: facet policies for all facets
  • webui: stageuser plugin
  • webui: extend user deleter dialog with --permanent and --preserve options
  • webui: update stageuser/user pages based on action in diffrent user search page
  • webui: stageusers, display page elements based on user state
  • webui: prefer search facet's deleter dialog
  • webui: fix empty table border in Firefox
  • webui: option to not create user private group
  • webui: add boostrap-datepicker files
  • webui: datetime widget with datepicker
  • git ignore ipaplatform/__init__.py
  • server-find and server-show commands
  • topology: ipa management commands
  • webui: IPA.command_dialog - a new dialog base class
  • webui: use command_dialog as a base class for password dialog
  • webui: make usage of --all in details facet optional
  • webui: topology plugin
  • webui: configurable refresh command
  • webui: don't log in back after logout
  • topology: allow only one node to be specified in topologysegment-refresh
  • topology: hide topologysuffix-add del mod commands
  • move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
  • add entries required by topology plugin on update
  • webui: make topology suffices UI readonly
  • rename topologysegment_refresh to topologysegment_reinitialize
  • disallow mod of topology segment nodes
  • topology: restrict direction changes
  • topology: fix swapped topologysegment-reinitialize behavior
  • regenerate ACI.txt after stage user permission rename
  • ipa-replica-manage: Do not allow topology altering commands from DL 1
  • server: add "del" command
  • ipa-replica-manage: adjust del to work with managed topology
  • webui: adjust user deleter dialog to new api
  • Become IPA 4.2.0 Alpha 1
  • fix handling of ldap.LDAPError in installer
  • add python-setuptools to requires
  • fix force-sync, re-initialize of replica and a check for replication agreement existence
  • topology: check topology in ipa-replica-manage del
  • Verify replication topology for a suffix
  • replication: fix regression in get_agreement_type
  • ipa-replica-manage del: relax segment deletement check if topology is disconnected
  • ipa-replica-manage del: add timeout to segment removal check
  • topologysegment: hide direction and enable options
  • topology: make cn of new segment consistent with topology plugin
  • include more information in metadata
  • webui: ListViewWidget
  • webui: fix webui specific metadata
  • webui: menu and navigation fixes
  • webui: API browser
  • webui: add mangedby tab to otptoken
  • webui: certificate profiles
  • webui: caacl
  • webui: hide facet tab in certificate details facet
  • move session_logout command to ipalib/plugins directory
  • webui: cert-request improvements
  • webui: show multiple cert
  • webui: remove cert manipulation actions from host and service
  • fix error message when certificate CN is invalid
  • Become IPA 4.2.0

Petr Špaček (28)

  • Fix zone name to directory name conversion in BINDMgr.
  • Fix minimal version of BIND for Fedora 20 and 21
  • Fix default value type for wait_for_dns option
  • p11helper: standardize indentation and other visual aspects of the code
  • p11helper: use sizeof() instead of magic constants
  • p11helper: clarify error message
  • Clarify messages related to adding DNS forwarders
  • Grammar fix in 'Estimated time' messages printed by installer
  • Clarify host name output in ipa-client-install
  • Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
  • DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
  • Bump run-time requires to SoftHSM 2.0.0rc1.
  • Improve error messages about reverse address resolution in ipa-replica-prepare
  • Clarify recommendation about --ip-address option in ipa-replica-prepapre
  • Clarify error messages in ipa-replica-prepare: add_dns_records()
  • Hide traceback in ipa-dnskeysyncd if kinit failed.
  • Bump minimal BIND version for CentOS.
  • Rate-limit while loop in SystemdService.is_active().
  • Add hint how to re-run IPA upgrade.
  • DNSSEC: Detect invalid master keys in LDAP.
  • DNSSEC: Accept ipa-ods-exporter commands from command line.
  • DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
  • DNSSEC: log ipa-ods-exporter file lock operations into debug log
  • DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
  • DNSSEC: Improve ipa-ods-exporter log messages with key metadata.
  • DNSSEC: Store time & date key metadata in UTC.
  • DNSSEC: ipa-dns-install: Detect existing master server sooner.
  • DNSSEC: Detect attempt to install & disable master at the same time.

Rob Crittenden (5)

  • Search using proper scope when connecting CA instances
  • Use NSS protocol range API to set available TLS protocols
  • Add plugin to manage service constraint delegations
  • Add ACI to allow hosts to add their own services
  • Don't rely on positional arguments for python-kerberos calls

Simo Sorce (14)

  • Add UTC date to GIT snapshot version generation
  • Fix filtering of enctypes in server code.
  • Add asn1c generated code for keytab controls
  • Use asn1c helpers to encode/decode the getkeytab control
  • Stop saving the master key in a stash file
  • Avoid calling ldap functions without a context
  • Remove the removal of the ccache
  • Handle DAL ABI change in MIT 1.13
  • Add a clear OpenSSL exception.
  • Stop including the DES algorythm from openssl.
  • Detect default encsalts kadmin password change
  • Add compatibility function for older libkrb5
  • Fix s4u2proxy README and add warning
  • Replicas cannot define their own master password.

Sumit Bose (16)

  • ipa-range-check: do not treat missing objects as error
  • Add configure check for cwrap libraries
  • extdom: handle ERANGE return code for getXXYYY_r() calls
  • extdom: make nss buffer configurable
  • extdom: return LDAP_NO_SUCH_OBJECT to the client
  • extdom: fix memory leak
  • extdom: add err_msg member to request context
  • extdom: add add_err_msg() with test
  • extdom: add selected error messages
  • extdom: migrate check-based test to cmocka
  • extdom: fix wrong realloc size
  • extdom: add unit-test for get_user_grouplist()
  • ipa-kdb: convert test to cmocka
  • ipa-kdb: add unit-test for filter_logon_info()
  • ipa-kdb: make string_to_sid() and dom_sid_string() more robust
  • ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()

Thierry Bordaz (19)

  • User Life Cycle: create containers and scoping DS plugins
  • User Life Cycle: DNA scopes full SUFFIX
  • Deadlock in schema compat plugin (between automember_update_membership task and dse update)
  • User Life Cycle: Exclude subtree for ipaUniqueID generation
  • User life cycle: stageuser-add verb
  • User life cycle: allows MODRDN from ldap2
  • User life cycle: new stageuser commands del/mod/find/show
  • User life cycle: new stageuser commands activate
  • User life cycle: new stageuser commands activate (provisioning)
  • User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
  • User life cycle: user-find support finding delete users
  • User life cycle: support of user-undel
  • User life cycle: DNA DS plugin should exclude provisioning DIT
  • User life cycle: Stage user Administrators permission/priviledge
  • User life cycle: Add 'Stage User Provisioning' permission/priviledge
  • Stage User: Fix permissions naming and split them where apropriate.
  • Display the wrong attribute name when mandatory attribute is missing
  • Limit deadlocks between DS plugin DNA and slapi-nis
  • User life cycle: permission to delete a preserved user

Thorsten Scherf (4)

  • pwpolicy-add: Added better error handling
  • Add help string on how to configure multiple DNS forwards for various cli tools
  • Removed recommendation from ipa-adtrust-install
  • Changed in-tree development setup instructions

Tomáš Babej (52)

  • Bump 4.2 development version to 4.1.99
  • specfile: Add BuildRequires for pki-base 10.2.1-0
  • Re-initialize NSS database after otptoken plugin tests
  • certs: Fix incorrect flag handling in load_cacert
  • hosts: Display assigned ID view by default in host-find and show commands
  • ipatests: Increase required version for pytest-multihost plugin
  • idviews: Complain if host is already assigned the ID View in idview-apply
  • idviews: Ignore host or hostgroup options set to None
  • ipatests: Invoke class install methods properly with respect to pytest-multihost
  • ipatests: Set the correct number of required clients for IntegrationTest
  • ipatests: Refactor and fix docstrings in integration pytest plugin
  • baseldap: Handle missing parent objects properly in *-find commands
  • spec: Add BuildRequires for python-pytest plugins
  • ipatests: Make descriptions sorted according to the order of the tests
  • ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
  • ipatests: Fix old command references in the ID views tests
  • ipatests: Fix incorrect assumptions in idviews tests
  • ipapython: Fix incorrect python shebangs
  • ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
  • ipalib: Make sure correct attribute name is referenced for fax
  • idviews: Use case-insensitive detection of Default Trust View
  • Revert "Server Upgrade: respect --test option in plugins"
  • replica-manage: Properly delete nested entries
  • Add Domain Level feature
  • idviews: Set dcerpc detection flag properly
  • idviews: Allow users specify the raw anchor directly as identifier
  • idviews: Remove ID overrides for permanently removed users and groups
  • ipaplatform: Remove redundant definitions
  • winsync-migrate: Add initial plumbing
  • winsync-migrate: Add a way to find all winsync users
  • migrate-winsync: Create user ID overrides in place of winsynced user entries
  • migrate-winsync: Add option validation and handling
  • winsync-migrate: Move the api initalization and LDAP connection to the main method
  • dcerpc: Change logging level for debug information
  • dcerpc: Add debugging message to failing kinit as http
  • winsync-migrate: Require root privileges
  • idviews: Do not abort the find & show commands on conversion errors
  • winsync-migrate: Require explicit specification of the target server and validate existing agreement
  • winsync-migrate: Delete winsync agreement prior to migration
  • winsync-migrate: Rename to tool to achive consistency with other tools
  • winsync-migrate: Move the tool under ipaserver.install package
  • winsync-migrate: Include the tool parts in Makefile and friends
  • idviews: Fallback to AD DC LDAP only if specifically allowed
  • man: Add manpage for ipa-winsync-migrate
  • winsync_migrate: Migrate memberships of the winsynced users
  • winsync_migrate: Generalize membership migration
  • l10n: Add configuration file for Zanata
  • l10n: Update translation strings
  • Hide topology and domainlevel features
  • dcerpc: Raise ACIError correctly
  • adtrustinstance: Enable and start oddjobd
  • upgrade: Enable and start oddjobd if adtrust is available