The FreeIPA team would like to announce the FreeIPA v4.4.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.0

Enhancements:

  • Improved Topology Management

<http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>

  • Added Overview of IPA server roles:

<http://www.freeipa.org/page/V4/Server_Roles>

  • Added support for certificates for AD users:

<http://www.freeipa.org/page/V4/Certs_in_ID_overrides>

  • Added support of UPN for trusted domains

<http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>

  • Added support for Kerberos Authentication Indicators

<http://www.freeipa.org/page/V4/Authentication_Indicators>

  • Added DNS Location Mechanism (Howto)

<http://www.freeipa.org/page/V4/DNS_Location_Mechanism>

  • Several performance improvements

<http://www.freeipa.org/page/V4/Performance_Improvements>

  • Refactored IPA command line tool

<http://www.freeipa.org/page/V4/Thin_Client>

  • Added support for Sub-CAs

<http://www.freeipa.org/page/V4/Sub-CAs>

  • Added support for Kerberos principal aliases

<http://www.freeipa.org/page/V4/Kerberos_principal_aliases>

Known Issues

Bug fixes

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator

  • #2008 [RFE] IPA should support and manage DNS Locations

  • #2795 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user’s password expiration (krbPasswordExpiration) to be 90 days

  • #2956 Define missing DNS zone attribute for default TTL value

  • #3197 Use noarch RPMs for Python-only packages

  • #3376 Do not do extra LDAP search for ipasshpubkey to generate fingerprints

  • #3517 Incorrect *.py[co] files placement

  • #3864 Adjust Kerberos Principal Aliases implementation

  • #3961 [RFE] Allow multiple Principals per host entry (Kerberos aliases)

  • #4022 When search hits the size limit, it should explicitly say so, or a message like "# hosts matched" suggests there are no others

  • #4235 ipa-replica-manage -H does not delete DNS SRV records

  • #4421 host-mod command prevents creating Kerberos principal aliases

  • #4427 [RFE] New API versioning

  • #4559 [RFE] Support lightweight sub-CAs

  • #4602 [RFE] Offer OTP generation for host enrollment in the UI

  • #4631 Add X-Frame-Options, frame-ancestors to UI webpages

  • #4739 [RFE] Support API clients newer than server

  • #4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger

  • #4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs

  • #4844 Principal canonicalization does not work for principals in IPA realm

  • #4942 [RFE] Allow user authentication using cert on smart card against IPA UI

  • #4955 [RFE] Allow managing certificates for AD users in IPA

  • #4987 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend

  • #4995 add finer control of getting members

  • #5001 Make it possible to pre-fill the Username field of /ipa/ui/reset_password.html

  • #5076 [WebUI] General invalid password error message appearing for “Locked user”

  • #5077 [WebUI] UI error message is not appropriate for “Kerberos principal expiration”

  • #5108 webui for {user|service|host}_{add|remove}_cert commands

  • #5115 ipatests: registering plugins via API.register/Registrar class doesn’t work

  • #5168 search by users which don’t have read rights for all attrs in search_attributes fails

  • #5181 [RFE] Expand server-show/find with the list of configured components

  • #5221 Installer adds NTP SRV records into DNS for IPA servers which do not have ntp configured

  • #5281 3 unnecessary search operations for each user in user-find

  • #5294 [tracker] certprofile-import error message is not clear

  • #5307 ipa-replica-manage del --force --clean won’t clean remnant records if there is no RUV with replica ID

  • #5311 Show Certificate displays in useless format

  • #5315 ipa-kra-install prints incorrect errors message when kra is already installed

  • #5354 [RFE] Support of UPN for trusted domains

  • #5369 [UI] Stageuser capabilities - “Activate” option not available for a staged user in detailed info

  • #5370 [UI] Stageuser capabilities - “Delete” option does not offer choice between permanent/preserved in detailed user info

  • #5371 [UI] Stageuser capabilities - Preserved user cannot be converted to staged user - missing option

  • #5376 [tracker] Replica prepare: Certificate issuance failed

  • #5380 ipa-replica-manage: no way to show traceback on unexpected error

  • #5381 [WebUI] Missing UI for working with multiple certificates in User, Host, Service pages

  • #5383 Reduce ioblocktimeout and idletimeout defaults

  • #5396 Cleanallruv task should not wait for cleanallruv result on the others replicas

  • #5413 [RFE] Allow users to authenticate with alternative names

  • #5428 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI

  • #5432 Issue New Certificate dialogs do not validate data

  • #5434 add context to exception on LdapEntry decode error

  • #5443 ipa-server-install dies during pkispawn if /etc/hostname not properly configured

  • #5448 ipa user-add slows down as more users are added

  • #5523 [RFE] Update default profiles to always add SAN dnsName

  • #5534 ipa-client-install fails when the client has active point to point connections

  • #5547 ipa client should configure kpasswd_server directive in krb5.conf

  • #5561 Unable to install replica due to an error during restarting dirsrv

  • #5588 [RFE] change `ipa-replica-manage del` into an API method for domain level 1

  • #5591 FreeIPA ipa-client-install error: Hostname (computer.company.lan) does not have A/AAAA record.

  • #5599 Kerberos could take advantage of slapi-nis specific control that skip slapi-nis map evaluation

  • #5620 Centralize DNS record creation in IPA services

  • #5627 ipa host-del fails with --updatedns option if host does not have a dns record

  • #5642 ipa-getkeytab: extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)’ failed.

  • #5643 WebUI: Application crashes if sessionStorage is not available

  • #5645 [WebUI] Dialog “Issue New Certificate” should mention SAN names

  • #5648 webui: topology graph: add segments by drag and drop

  • #5652 webui: unable to review certificate request if the request is not successful

  • #5656 webui: browser setup page includes instructions for Internet Explorer

  • #5659 typo in service-add

  • #5675 ipa host-del --updatedns should remove related dns entries.

  • #5677 API calls fail on “LimitsExceeded” error

  • #5681 Residual Files After IPA Server Uninstall

  • #5689 move set-renewal-master command to API from ipa-csreplica-manage

  • #5694 update ipa-client-install --request-cert man page with chroot workaround

  • #5702 webui: change dojo’s lang.hitch() to the javascript .bind() method

  • #5703 ipa-client-install should enable ChallengeResponseAuthentication by default

  • #5708 ipa-server-install manpage doesn’t contain info about --domain-level option

  • #5710 Fix forward zone conflicts with automatic empty zones from BIND

  • #5717 Consider removing our implementation of CalledProcessError

  • #5721 error installing ca-less replica with valid certificates

  • #5732 Web interface not showing ipa forwarders

  • #5740 ipa-replica-prepare: Traceback if reverse zone does not exist

  • #5741 [tests] Admin is getting Insufficient privileges to promote the server when installing ca-less replica

  • #5743 [RFE] External Trust with Active Directory domain

  • #5751 Error: Unknown warnings category ‘experimental::smartmatch’ at /usr/share/dirsrv/updates/52updateAESplugin.pl line 9.

  • #5757 incorrect SELinux label of second replica’s /var/log/ipareplica-conncheck.log

  • #5758 Replica installation crashes on certmonger timeout

  • #5759 Missing pre_callback in stageuser_add

  • #5761 ipa-client-install throws Python exception on FIPS enabled servers

  • #5762 [RFE] Support IdM Client in a DNS domain controlled by AD

  • #5768 Include description for ‘status’ option in man page for ipactl command.

  • #5772 Failures in topology tests produce unclear error messages

  • #5773 [webui] option --skip-overlap-check cannot be set in DNS zone adder dialog

  • #5774 ipa config-mod allows to set maxusername limit higher than 255 characters

  • #5782 ipa-kdb support for krbPrincipalAuthInd

  • #5783 permission plugin tests fail on 4.3 branch

  • #5787 SchemaCache doesn’t work

  • #5789 “no such entry” error is shown when installer does not receive password from pkcs file

  • #5792 ipa-server-install: report which certificate is missing in external cert trust chain

  • #5794 ipa-server-install does not completely change hostname and named-pkcs11 fails

  • #5796 [webui] IPA Error 3009: Validation error: Invalid ‘ptrrecord’: Reverse zone in-addr.arpa. requires exactly 4 IP address components, 5 given

  • #5797 host-show, host-find failed when usercertificate in LDAP is invalid

  • #5800 kdestroy command in unapply_fixes function in test_integration/tasks.py causes legacy client tests to fail

  • #5804 Test for “#4986 Web UI misses check box…” and “#5505 Creating a user w/o private group…” needed

  • #5810 batch command can be used to trigger internal errors on server

  • #5811 ipa-client-install failing with SyntaxError: Syntax Error: Unknown line format

  • #5812 always qualify requests for admin

  • #5815 Integrate NTP service into server roles

  • #5819 ipa cert-revoke --help doesn’t provide enough info on revocation reasons

  • #5820 advertise ipactl start --ignore-service-failure option

  • #5826 Integrate NTP service into server roles: upgrade from older IPA versions

  • #5833 cli: “gateway time out” with long running task

  • #5835 ipa-replica-install man page lacks CA less options

  • #5839 Tests: cleanup for host certificate does not work well in test_host_plugin.py

  • #5840 ipa-replica-manage clean-dangling-ruv fails in topologies with only one CA

  • #5841 upgrade: find_hostname() method should be replaced by api.env.host

  • #5842 Replica installation fails with ipa-getkeytab timeouts

  • #5851 DNS upgrade is broken: master zones are not transformed to forward zones properly

  • #5856 ipa-nis-manage command should include status option

  • #5857 ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’

  • #5865 make rpms does not fail if api does not match API.txt

  • #5866 [RFE] Create guidance how to setup/migrate IPA that contains big amount of data

  • #5867 topology graph: display “autogenerated” placeholder while adding segment

  • #5868 Upgrader sometimes returns PR_ADDRESS_NOT_SUPPORTED_ERROR from dogtag upgrade

  • #5869 ipa-dns-install --auto-forwarders option does not work in unattended mode

  • #5870 [tracker] DNSSEC signing is broken on Fedora 24

  • #5871 ‘man ipa’ should be updated with latest commands

  • #5872 [webui] authentication indicators

  • #5878 Inconsistent UI and CLI options for removing certificate hold

  • #5885 ipa cert-request causes internal server error while requesting certificate

  • #5886 missing dependency: python3-pyusb

  • #5889 Client-only build fails

  • #5892 Unused code in LDAPRemoveReverseMember

  • #5894 makeapi validation fails on architectures where integer is less than 32 bits

  • #5898 CAInstance presented as always running

  • #5899 Remove unused code from automount plugin

  • #5903 always add mapping (my hostname) = (IPA realm) to krb5.conf

  • #5904 [RFE] Add ‘external’ checkbox corresponding to ‘--external’ flag in ‘trust-add’ command

  • #5905 [RFE] Create webui for DNS locations

  • #5906 [RFE] WebUI for server roles

  • #5907 deprecate ‘--domain-level’ option in ipa-server-install

  • #5911 Insufficient ‘write’ privilege on some attributes for the members of the role which has “User Administrators” privilege.

  • #5912 Installing freeipa client breaks crypto-policies for krb5

  • #5914 invalid setting of DS lock table size

  • #5920 automount.py: strings in output_for_cli method should be translated

  • #5926 [RFE] add certificate field into ID Views

  • #5927 Web UI for Kerberos Principal Aliases

  • #5928 topology plugins sigsegv when adding a managed host

  • #5931 Add, remove, list hosts allowed to retrieve keytabs in Web UI

  • #5937 [RFE] Support of UPN for trusted domains

  • #5938 otptoken-add is not Python 3 clean

  • #5939 [RFE] WebUI for sub-CA

  • #5942 trusts: make sure child domains are not shown as part of the trust-find command

  • #5943 dogtag-ipa-ca-renew-agent-submit cannot access api.Object.config

  • #5944 ipapwd_extop should take precedence over default DS plugin

  • #5946 Enable password change extop to apply on virtual entry like the entry in compat tree

  • #5947 Missing nsSystemIndex attribute for some entries in index update file

  • #5954 ipa passwd tracebacks

  • #5958 Upgrade is broken on servers without CA

  • #5960 API call dnsconfig_show returns null as value of dnssec_key_master_server

  • #5961 P11 tests breaks environment, which causes changepw tests to fail

  • #5962 Unable to install server without A record even if --setup-dns option is used

  • #5963 Replica installation fails on domain level 0

  • #5965 conncheck in ipa-ca-install running on replica asks for host/principal “password”

  • #5966 Missing ‘ipa-ca’ records for replica installed by replica promotion

  • #5967 “CA” segment can be created for servers without CA suffix

  • #5968 renew_ca_cert helper cannot access config plugin

  • #5973 adtrust-install prints ‘CRITICAL Failed to remove old key’ even during clean install

  • #5975 local variable ‘ipaconf’ referenced before assignment

  • #5976 replica-promotion: is possible to set invalid IPA domain

  • #5977 topology plugins sigsegv/heap corruption when adding a managed host

  • #5978 server/client uninstall does not clean krb5.keytab properly

  • #5981 Unhandled PKI error in ca-add

  • #5982 [tracker] KRA: installation of second KRA fails

  • #5983 Ensure that replica promotion denies installing a replica against a server with a newer version

  • #5985 Replica install: Failed to load replica-s4u2proxy.ldif

  • #5987 Nonexistent attributes in ValidationError

  • #5988 Don’t connect to memcache in session manager on module import

  • #5991 Principal does not get created when I add a certificate with “Add principal” checkbox checked

  • #5995 full IPA restore fails due to unsuccessful client API initialization

  • #5996 ipa-replica-install failure: Insufficient access: Insufficient ‘add’ privilege to add the entry ‘krbprincipalname=ldap/…

  • #5999 Some cert commands are missing the --ca option

  • #6000 `test_serverroles` suite uses incorrect LDAP uri when run together with other tests

  • #6003 execution of copy-schema script fails

  • #6004 Fix `Conflicts` with ipa-python

  • #6009 *-show option “--all” newly requires argument

  • #6011 upgrade failed for 4.4 alpha from 4.2.3.?

Detailed Changelog since 4.3.1

Abhijeet Kasurde (12)

  • Added kpasswd_server directive in client krb5.conf

  • Fixed login error message box in LoginScreen page

  • Added fix for notifying user about Kerberos principal expiration in WebUI

  • Added description related to ‘status’ in ipactl man page

  • Added warning to user for Internet Explorer

  • Added fix for notifying user about locked user account in WebUI

  • Updated ipa command man page

  • Fix added to ipa-compat-manage command line help

  • Removed custom implementation of CalledProcessError

  • Replaced find_hostname with api.env.host

  • Added exception handling for mal-formatted XML Parsing

  • Added missing translation to automount.py method

Alexander Bokovoy (11)

  • slapi-nis: update configuration to allow external members of IPA groups

  • extdom: do not fail to process error case when no request is specified

  • otptoken: support Python 3 for the qr code

  • trusts: Add support for an external trust to Active Directory domain

  • adtrust: remove nttrustpartner parameter

  • adtrust: remove nttrustpartner parameter

  • adtrust: support GSSAPI authentication to LDAP as Active Directory user

  • adtrust: support UPNs for trusted domain users

  • webui: show UPN suffixes in trust properties

  • webui: support external flag to trust-add

  • adtrust: optimize forest root LDAP filter

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall

  • Modernize mod_nss’s cipher suites

  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (35)

  • installer: Propagate option values from components instead of copying them.

  • installer: Fix logic of reading option values from cache.

  • ipa-dns-install: Do not check for zone overlap when DNS installed.

  • ipa-replica-prepare: Add ‘--auto-reverse’ and ‘--allow-zone-overlap’ options

  • installer: Change reverse zones question to better reflect reality.

  • Fix: Use unattended parameter instead of options.unattended

  • CI: Add ‘2-connected’ topology generator.

  • CI: Add simple replication test in 2-connected topology.

  • CI: Add test for 2-connected topology generator.

  • CI: Fix pep8 errors in 2-connected topology generator

  • CI: add empty topology test for 2-connected topology generator

  • CI: Add double circle topology.

  • CI: Add replication test utilizing double-circle topology.

  • CI: Add test for double-circle topology generator.

  • CI: Make double circle topology python3 compatible

  • upgrade: Match whole pre/post command not just basename.

  • dsinstance: add start_tracking_certificates method

  • httpinstance: add start_tracking_certificates method

  • Look up HTTPD_USER’s UID and GID during installation.

  • test: test_cli: Do not expect defaults in kwargs.

  • man: Describe ipa-client-install workaround for broken D-Bus environment.

  • installer: positional_arguments must be tuple or list of strings

  • installer: index() raises ValueError

  • Remove unused locking “context manager”

  • schema: Add fingerprint and TTL

  • schema: Add known_fingerprints option to schema command

  • schema: Cache schema in api instance

  • schema: return fingerprint as unicode text

  • env: Add ‘server’ variable to api.env

  • schema: Caching on schema on client

  • test: automember: Fix expected exception message

  • test: cert: Reflect change in behavior in tests

  • schema: Decrease schema TTL to one hour

  • schema: Perform the check for schema update when force_schema_check is True

  • Allow unexpiring passwords

Filip Skola (9)

  • Refactor test_user_plugin, use UserTracker for tests

  • Refactor test_replace

  • Refactor test_attr

  • Refactor test_sudocmd_plugin

  • Refactor test_sudocmdgroup_plugin

  • Refactor test_group_plugin, use GroupTracker for tests

  • Refactor test_nesting, create HostGroupTracker

  • Refactor test_hostgroup_plugin

  • Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (9)

  • Add missing CA options to the manpage for ipa-replica-install

  • Add the culprit line when a configuration file has an incorrect format

  • add context to exception on LdapEntry decode error

  • batch command can be used to trigger internal errors on server

  • Always qualify requests for admin in ipa-replica-conncheck

  • Report missing certificate in external trust chain

  • Do not allow installation in FIPS mode

  • Fix ipa-server-certinstall with certs signed by 3rd-party CA

  • Do not log error when removing a non-existing file

Fraser Tweedale (37)

  • Do not decode HTTP reason phrase from Dogtag

  • Remove workaround for CA running check

  • caacl: correctly handle full user principal name

  • Prevent replica install from overwriting cert profiles

  • Detect and repair incorrect caIPAserviceCert config

  • Remove service and host cert issuer validation

  • Allow CustodiaClient to be used by arbitrary principals

  • Load server plugins in certmonger renewal helper

  • Add ACIs for Dogtag custodia client

  • Optionally add service name to Custodia key DNs

  • Setup lightweight CA key retrieval on install/upgrade

  • Authorise CA Agent to manage lightweight CAs

  • Add custodia store for lightweight CA key replication

  • Add ‘ca’ plugin

  • Add IPA CA entry on install / upgrade

  • Update ‘caacl’ plugin to support lightweight CAs

  • Add CA argument to ra.request_certificate

  • Update cert-request to allow specifying CA

  • Add issuer options to cert-show and cert-find

  • replica-install: configure key retriever before starting Dogtag

  • upgrade: do not try to start CA if not configured

  • restart scripts: bootstrap api with in_server=True

  • Require Dogtag >= 10.3.3

  • Fix IssuerDN presence check in cert search result

  • Set default OCSP URI on install and upgrade

  • ipaldap: turn LDAP filter utility functions into class methods

  • Skip CS.cfg update if cert nickname not known

  • Update lightweight CA serial after renewal

  • ipa-certupdate: track lightweight CA certificates

  • cert-find: fix ‘issuer’ option

  • cert-request: better error msg when ‘add’ not supported

  • Check for CA subject name collision before attempting creation

  • Add --ca option to cert-revoke and cert-remove-hold

  • Split CA replica installation steps for domain level 0

  • Fix migration from pre-lightweight CAs master

  • Add --cn option to cert-status

  • Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3

Gabe Alford (1)

  • ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’

Jakub Hrozek (1)

  • sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1)

  • Set close button type attribute to ‘button’.

Jan Barta (1)

  • pylint: fix: multiple-statements

Jan Cholasta (139)

  • ipautil: remove unused import causing cyclic import in tests

  • ipalib: assume version 2.0 when skip_version_check is enabled

  • ipapython: remove default_encoding_utf8

  • ipapython: port p11helper C code to Python

  • ipapython: use python-cryptography instead of libcrypto in p11helper

  • spec file: package python-ipalib as noarch

  • cert renewal: import all external CA certs on IPA CA cert renewal

  • replica install: validate DS and HTTP server certificates

  • replica promotion: fix AVC denials in remote connection check

  • cacert install: fix trust chain validation

  • client: stop using /etc/pki/nssdb

  • ipalib: provide per-call command context

  • ipalib: add convenient Command method for adding messages

  • certdb: never use the -r option of certutil

  • spec file: bump minimum required pki-core version

  • build: fix client-only build

  • makeapi: use the same formatting for `int` and `long` values

  • replica install: do not set CA renewal master flag

  • rpc: do not crash when unable to parse JSON

  • parameters: remove unused ConversionError and ValidationError arguments

  • rpc: include structured error information in responses

  • frontend: re-raise remote RequirementError using CLI name in CLI

  • frontend: remove the unused Command.soft_validate method

  • frontend: perform argument value validation only on server

  • batch: do not crash when no argument is specified

  • ipalib: make optional positional command arguments actually optional

  • frontend: do not forward unspecified positional arguments to server

  • user: do not assume the preserve flags have value in user_del

  • frontend: do not forward argument defaults to server

  • makeapi: optimize API.txt

  • ipalib: remove the unused `csv` argument of Param

  • makeaci: load additional plugins using API.add_module

  • plugable: replace API.import_plugins with new API.add_package

  • ipalib, ipaserver: migrate all plugins to Registry-based registration

  • ipalib, ipaserver: fix incorrect API.register calls in docstrings

  • plugable: remove the unused deprecated API.register method

  • plugable: switch API to Registry-based plugin discovery

  • frontend: merge baseldap.CallbackRegistry into Command

  • frontend: move the interactive_prompt callback type to Command

  • automount: do not inherit automountlocation_import from LDAPQuery

  • dns: move code called on client to the module level

  • dns: do not rely on server data structures in code called on client

  • otptoken: fix import of DN

  • otptoken_yubikey: fix otptoken_add_yubikey arguments

  • vault: move client-side code to the module level

  • vault: copy arguments of client commands from server counterparts

  • ipalib: use relative imports for cross-plugin imports

  • frontend: allow commands to have an argument named `name`

  • cli: make optional positional command arguments actually optional

  • dns: fix dnsrecord interactive mode

  • ipaclient: introduce ipaclient.plugins

  • ipalib: move client-side plugins to ipaclient

  • help, makeapi: allow setting command topic explicitly

  • help, makeapi: specify module topic by name

  • help, makeapi: do not use hardcoded plugin package name

  • plugable: turn Plugin attributes into properties

  • plugable: simplify API plugin initialization code

  • plugable: remember overridden plugins in API

  • frontend: turn Method attributes into properties

  • ipaclient: add client-side command override class

  • dns: move code shared by client and server to separate module

  • ipalib: split off client-side plugin code into ipaclient

  • parameters: introduce cli_metavar keyword argument

  • parameters: introduce no_convert keyword argument

  • ipalib: replace DeprecatedParam with `deprecated` Param argument

  • ipalib: introduce API schema plugins

  • rpc: respect API config in RPCClient.create_connection

  • rpc: allow overriding NSS DB directory in API config

  • rpc: specify connection options in API config

  • rpc: optimize JSON-RPC response handling

  • rpc: do not validate command name in RPCClient.forward

  • client install: finalize API after CA certs are available

  • ipactl: use server API

  • ipalib: move File command arguments to ipaclient

  • misc: hide the unused --all option of `env` and `plugins` in CLI

  • ipaclient: implement thin client

  • ipalib: move server-side plugins to ipaserver

  • frontend: do not check API minor version of the client

  • schema: do not validate unrequested params in command_defaults

  • replica install: use remote server API to create service entries

  • schema: fix topic command output

  • schema: fix typo

  • spec file: require correct packages to get API plugins

  • plugable: allow plugins to be non-classes

  • plugable: initialize plugins on demand

  • schema: generate client-side commands on demand

  • batch, schema: use Dict instead of Any

  • misc: fix empty CLI output of `env` and `plugins` commands

  • dns, passwd: fix outputs of `dns_resolve` and `passwd` commands

  • frontend: call `execute` rather than `forward` in Local

  • schema: exclude local commands

  • schema: fix client-side dynamic defaults

  • makeaci, makeapi: use in-server API

  • frontend: don’t copy command arguments to output params

  • frontend: skip `value` output in output_for_cli

  • frontend: do not crash on missing output in output_for_cli

  • automember: add object plugin for automember_rebuild

  • dns: do not rely on custom param fields in record attributes

  • misc: skip `count` and `total` output in env.output_for_cli

  • passwd: handle sort order of passwd argument on the client

  • permission: handle ipapermright deprecated CLI alias on the client

  • schema: add object class schema

  • schema: remove output_params

  • schema: merge command args and options

  • schema: remove redundant information

  • schema: remove `no_cli` from command schema

  • replica install: fix thin client regression

  • ldap: fix handling of binary data in search filters

  • cert: add object plugin

  • cert: add owner information

  • cert: allow search by certificate

  • dns: fix dns_update_system_records to work with thin client

  • schema: fix param default value handling

  • schema: do not crash in command_defaults if argument is None

  • automember: fix automember to work with thin client

  • schema: client-side code cleanup

  • misc: generate `plugins` result directly in the command

  • plugable: use plugin class as the key in API namespaces

  • plugable: support plugin versioning

  • schema: support plugin versioning

  • frontend: forward command calls using full name

  • schema: fix Flag arguments on the client

  • schema: properly fix Flag arguments on the client

  • backup: use in-server API in ipa-backup and ipa-restore

  • replica install: don’t allow install against a newer server

  • session: move the session module from ipalib to ipaserver

  • session: do not initialize session manager on import

  • xmlserver: initialize RPC server plugins only in server context

  • makeaci, makeapi, oddjob: use the default API context

  • server: define missing virtual attributes

  • user: add object plugin for user_status

  • frontend: do not ignore client-side output params

  • cert: fix CLI output of cert_remove_hold

  • plugable: add option to ignore override errors

  • client: ignore override errors in command overrides

  • client: add placeholders for required remote plugins

  • server: exclude Local commands from RPC

  • client: do not crash when overriding remote command as method

  • client: add support for pre-schema servers

Jérôme Fenal (1)

  • Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (12)

  • WebUI tests: fix failing of tests due to unclickable label

  • WebUI test: ID views

  • WebUI: Test creating user without private group

  • Test fix: Cleanup for host certificate

  • Test: Maximum username length higher than 255 cannot be set

  • Tests: Fix for failing location tests

  • Tests: Fix ipatests/test_ipaserver/test_rpcserver.py

  • Tests: Make ID views tests reflect new krbcanonicalname attribute

  • Tests: Fix failing ipatests/test_ipalib/test_errors.py

  • Tests: Remove DNS configuration from trust tests

  • Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py

  • Tests: Fix frontend tests

Ludwig Krispenz (2)

  • prevent moving of topology entries out of managed scope by modrdn operations

  • v2 - avoid crash in topology plugin when host list contains host with no hostname

Lukáš Slebodník (6)

  • extdom: Remove unused macro

  • IPA-SAM: Fix build with samba 4.4

  • CONFIGURE: Replace obsolete macros

  • ipa-sam: Do not redefine LDAP_PAGE_SIZE

  • SPEC: Remove unused build dependency on libwbclient

  • BUILD: Remove detection of libcheck

Martin Babinsky (68)

  • raise more descriptive Backend connection-related exceptions

  • harden domain level 1 topology connectivity checks

  • ipalib/x509.py: revert deletion of ipalib api import

  • prevent crash of CA-less server upgrade due to absent certmonger

  • use FFI call to rpmvercmp function for version comparison

  • tests for package version comparison

  • fix Py3 incompatible exception instantiation in replica install code

  • ipa-csreplica-manage: remove extraneous ldap2 connection

  • IPA upgrade: move replication ACIs to the mapping tree entry

  • uninstallation: more robust check for master removal from topology

  • correctly set LDAP bind related attributes when setting up replication

  • disable RA plugins when promoting a replica from CA-less master

  • fix standalone installation of externally signed CA on IPA master

  • reset ldap.conf to point to newly installer replica after promotion

  • always start certmonger during IPA server configuration upgrade

  • upgrade: unconditional import of certificate profiles into LDAP

  • CI tests: use old schema when testing hostmask-based sudo rules

  • use LDAPS during standalone CA/KRA subsystem deployment

  • test_cert_plugin: use only first part of the hostname to construct short name

  • only search for Kerberos SRV records when autodiscovery was requested

  • spec: add conflict with bind-chroot to freeipa-server-dns

  • spec: require python-cryptography newer than 0.9

  • ipa-replica-manage: print traceback on unexpected error when in verbose mode

  • otptoken-add: improve the robustness of QR code printing

  • differentiate between limit types when LDAP search exceeds configured limits

  • specify type of exceeded limit when warning about truncated search results

  • replica-prepare: do not add PTR records if there is no IPA managed reverse zone

  • Server Roles: definitions of server roles and attributes

  • Server Roles: Backend plugin to query roles and attributes

  • Test suite for `serverroles` backend

  • Server Roles: public API for server roles

  • Server Roles: make server-{show,find} utilize role information

  • Server Roles: make *config-show consume relevant roles/attributes

  • Server Roles: provide an API for setting CA renewal master

  • Add NTP to the list of services stored in IPA masters LDAP subtree

  • Introduce “NTP server” role

  • ipaserver module for working with managed topology

  • delegate removal of master DNS record and replica keys to separate functions

  • server-del: perform full master removal in managed topology

  • CI test suite for `server-del`

  • ipa-replica-manage: use `server_del` when removing domain level 1 replica

  • remove the master from managed topology during uninstallation

  • Fix listing of enabled roles in `server-find`

  • Do not update result of *-config-show with empty server attributes

  • server-del: harden check for last roles

  • perform case-insensitive principal search when canonicalization is requested

  • mark ‘ipaKrbPrincipalAlias’ attribute as deprecated in schema

  • add case-insensitive matching rule to krbprincipalname index

  • add krbCanonicalName to attributes watched by MODRDN plugin

  • ipa-kdb: set krbCanonicalName when creating new principals

  • ipa-enrollment: set krbCanonicalName attribute on enrolled host entry

  • IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities

  • set krbcanonicalname on host entry during krbinstance configuration

  • account for added krbcanonicalname attribute during xmlrpc tests

  • Fix incorrect construction of service principal during replica cleanup

  • keep setting ipakrbprincipal objectclass on new service entries

  • test_serverroles: ensure that test API is initialized with correct ldap_uri

  • test-{service,host}-plugin: only expect krbcanonicalname when all=True

  • ipapython module for Kerberos principal manipulation and parsing

  • Test suite for `ipapython/kerberos.py`

  • ipalib: introduce Principal parameter

  • Migrate management framework plugins to use Principal parameter

  • Add ACI for admins to modify principal attributes

  • replace an ACI relying on presence of deprecated objectclass

  • Allow for commands that use positional parameters to add/remove attributes

  • Make framework consider krbcanonicalname as service primary key

  • Provide API for management of host, service, and user principal aliases

  • Unify display of principal names/aliases across entities

Martin Bašti (162)#

  • Fix DNS tests: dns-resolve returns warning

  • Remove unused code in server installer related to KRA

  • Fix version comparison

  • Fix: replace mkdir with chmod

  • Use module variables for timedate_services

  • Remove empty test file

  • Remove unused imports

  • Remove wildcard imports

  • Enable multiple warnings checks in Pylint

  • Enable pylint lost exception check

  • Enable pylint duplicated-key check

  • Enable pylint trailing-whitespace check

  • Enable pylint missing-final-newline check

  • Enable pylint unused-format-string-key check

  • Enable pylint expression-not-assigned check

  • Enable pylint empty-docstring check

  • Enable pylint unnecessary-pass check

  • update_uniqueness plugin: fix referenced before assignment error

  • Allow to use mixed case for sysrestore

  • Upgrade: Fix upgrade of NIS Server configuration

  • DNSSEC test: fix adding zones with --skip-overlap-check

  • DNSSEC CI: add missing ldns-utils dependency

  • Enable pylint unpacking-non-sequence check

  • Enable pylint unbalanced-tuple-unpacking check

  • CI test: fix regression in task.install_kra

  • Warn about potential loss of CA, KRA, DNSSEC during uninstall

  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter

  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)

  • Fix DNSSEC test: add glue record

  • Warn user when ipa *-find reaches limit

  • DNSSEC CI: fix zone delegations

  • make lint: use config file and plugin for pylint

  • Upgrade: log to ipaupgrade.log when IPA server is not installed

  • Disable new pylint checks

  • Py3: do not use dict.iteritems()

  • upgrade: fix config of sidgen and extdom plugins

  • trusts: use ipaNTTrustPartner attribute to detect trust entries

  • Warn user if trust is broken

  • fix upgrade: wait for proper DS socket after DS restart

  • Revert “test: Temporarily increase timeout in vault test.”

  • Remove duplicated except

  • Pylint: add missing attributes of errors to definitions

  • fix permission: Read Replication Agreements

  • Make PTR records check optional for IPA installation

  • Fix connections to DS during installation

  • pylint: suppress false positive no-member errors

  • CI: allow customized DS install test to work with domain levels

  • fix suspicious except statements

  • Remove unused arguments from update_ssh_keys method

  • Configure 389ds with “default” cipher suite

  • krb5conf: use ‘true’ instead of ‘yes’ for forwardable option

  • stageuser-activate: Normalize manager value

  • Remove redundant parameters from CS.cfg in dogtaginstance

  • Use platform path constant for SSSD log dir

  • Fix broken trust warnings

  • spec: Add missing dependencies to python*-ipalib package

  • client: enable ChallengeResponseAuthentication in sshd_config

  • pylint: remove bare except

  • Pylint: fix definition of global variables

  • Pylint: enable pointless-except check

  • Pylint: enable reimported check

  • Pylint: use list comprehension instead of iteration

  • Pylint: import max one module per line

  • Pylint: remove unnecessary-semicolon

  • Pylint: enable invalid-name check

  • SPEC: do not run upgrade when ipa server is not installed

  • Fix: catch Exception instead of more specific exception types

  • Fix stageuser-activate - managers test

  • Add missing pre_common_callback to stageuser_add

  • host_del: fix removal of host records

  • host_del: replace dns-record find command with show

  • host_del: remove unneeded dnszone-show command call

  • host_del: split removing A/AAAA and PTR records to separate functions

  • host_del: remove only A, AAAA, SSHFP, PTR records

  • host_del: update help for --updatedns option

  • host-del --updatedns: print warnings instead of error

  • Use netifaces module instead of ‘ip’ command

  • Limit max username length to 255 in config-mod

  • Increase API version for ‘ipamaxusernamelength’ attribute change

  • Configure httpd service from installer instead of directly from RPM

  • Performance: don’t download password attributes in host/user-find

  • Do not do extra search for ipasshpubkey to generate fingerprints

  • Always set hostname

  • Remove deprecated hostname restoration from Fedora18

  • Remove unused hostname variables

  • Log errors from backup_and_replace hostname to logger

  • Tasks: raise NotImplementedError for not implemented methods

  • fix stageuser tests (removal of has_keytab and has_password from find)

  • make: fail when ACI.txt or API.txt differs from values in source code

  • ipactl: advertise --ignore-service-failure option

  • Remove unused variable and finally block in SchemaCache

  • Fix referenced before assignment variables in except statements

  • Upgrade: always start CA

  • Remove unused variables in automount plugin

  • fix pylint false positive errors

  • Translations: remove deprecated locale configuration

  • Make option --no-members public in CLI

  • Performance: Find commands: do not process members by default

  • Test: fix failing host_test

  • Fix: replace incorrect no_cli with no_option flag

  • Fix: topologysuffix_find doesn’t have no_members option

  • DNS Locations: Always create DNS related privileges

  • DNS Locations: add new attributes and objectclasses

  • DNS Locations: location-* commands

  • DNS Locations: API tests

  • Allow to use non-Str attributes as keys for members

  • DNS Locations: extend server-* command with locations

  • DNS Location: location-show: return list of servers in location

  • DNS Locations: when removing location remove it from servers first

  • DNS Locations: extend tests with server-* commands

  • Upgrade mod_wsgi socket-timeout on existing installation

  • Exclude unneeded dirs and files from pylint check

  • Fix resolve_rrsets: RRSet is not hashable

  • Revert “adtrust: remove nttrustpartner parameter”

  • Fix: Local variable s_indent might be referenced before defined

  • Revert “Switch /usr/bin/ipa to Python 3”

  • Use python2 for ipa cli

  • DNS Locations: add index for ipalocation attribute

  • DNS Locations: fix location-del

  • DNS Locations: add idnsTemplateObject objectclass

  • DNS Locations: DNS data management

  • DNS Locations: permission: allow to read status of services

  • DNS Locations: add ACI for template attribute

  • DNS Locations: command dns-update-system-records

  • DNS Locations: use dns_update_service_records in installers

  • DNS Locations: adtrustinstance simplify dns management

  • DNS Locations: use automatic records update in ipa-adtrust-install

  • DNS Locations: server-mod: add automatic records update

  • DNS Locations: dnsservers: add required objectclasses

  • DNS Locations: dnsserver-* commands

  • DNS Locations: dnsserver: put server_id option into named.conf

  • DNS Locations: dnsserver: use the newer config way in installer

  • DNS Locations: dnsserver: remove config when replica is removed

  • DNS Locations: set proper substitution variable

  • DNS Locations: require to restart named-pkcs11 after location change

  • DNS Locations: show warning if there are no DNS servers in location

  • DNS Locations: prevent to remove used locations

  • DNS Locations: do not generate location records for unused locations

  • DNS Locations: location-del: remove location record

  • DNS Locations: Rename ipalocationweight to ipaserviceweight

  • DNS Locations: generate NTP records

  • upgrade: don’t fail if zone does not exist in find

  • DNS Location: add list of roles and DNS servers to location-show

  • DNS Locations: dnsserver: print specific error when DNS is not installed

  • Fix possibly undefined variable in ipa_smb_conf_exists()

  • Updated IPA translations

  • Replica promotion: use the correct IPA domain for replica

  • Server-del: fix system records removal

  • Increase ipa-getkeytab LDAP timeout to 100sec

  • DNS Locations: server-mod: fix if statement

  • ipa-rmkeytab, ipa-join: don’t fail if init of gettext failed

  • Revert “DNS Locations: do not generate location records for unused locations”

  • DNS Locations: hide option --no-msdcs in adtrust-install

  • DNS Locations: optimization: use server-find to get information

  • DNS Locations: cleanup of bininstance

  • CA replica promotion: add proper CA DNS records

  • Fix replica install with CA

  • cert.py split module docstring to multiple ugetext string

  • Add option --no-log for ipa-replica-conncheck script

  • Do not log to file in remote conncheck side

  • Bump SSSD version in requires

  • IPA 4.4.0 Translations

Martin Košek (2)#

  • Update Developers in Contributors.txt

  • Update Contributors.txt

Matt Rogers (1)#

  • ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1)#

  • Fix bytes/string handling in rpc

Milan Kubík (11)#

  • ipatests: replace the test-example.com domain in tests

  • ipatests: Roll back the forwarder config after a test case

  • ipatests: Fix configuration problems in dns tests

  • ipatests: Make the A record for hosts in topology conditional

  • ipatests: fix the install of external ca

  • ipatests: Add missing certificate profile fixture

  • ipatests: extend permission plugin test with new expected output

  • spec file: rename the python-polib dependency name to python2-polib

  • ipatests: fix for change_principal context manager

  • ipatests: Add test case for requesting a certificate with full principal.

  • spec: Add python-sssdconfig dependency for python-ipatests package

Nathaniel McCallum (8)#

  • Don’t error when find_base() fails if a base is not required

  • Rename syncreq.[ch] to otpctrl.[ch]

  • Ensure that ipa-otpd bind auths validate an OTP

  • Return password-only preauth if passwords are allowed

  • Enable authentication indicators for OTP and RADIUS

  • Migrate from #ifndef guards to #pragma once

  • Enable service authentication indicator management

  • Add authentication indicators support to Host objects

Oleg Fayans (26)#

  • CI tests: Enabled automatic creation of reverse zone during master installation

  • CI tests: Added domain realm as a parameter to master installation in integration tests

  • Fixed install_ca and install_kra under domain level 0

  • fixed an issue with master installation not creating reverse zone

  • Enabled recreation of test directory in apply_common_fixes function

  • Updated connect/disconnect replica to work with both domainlevels

  • Removed --ip-address option from replica installation

  • Removed messing around with resolv.conf

  • Integration tests for replica promotion feature

  • Enabled setting domain level explicitly in test class

  • Removed a constantly failing call to prepare_host

  • Made apply_common_fixes call at replica installation independent of domain_level

  • Workaround for ticket 5627

  • Added copyright info to replica promotion tests

  • rewrite a misprocessed teardown_method method as a custom decorator

  • Reverted changes in mh fixture causing some tests to fail

  • Fixed a bug with prepare_host failing upon existing ipatests folder

  • Added a kdestroy call to clean ccache at master/client uninstallation

  • Added 5 more tests to Replica Promotion testsuite

  • Fixed a failure in legacy_client tests

  • Add test if replica is working after domain upgrade

  • Improve reporting of failed tests in topology test suite

  • Bugfixes in managed topology tests

  • A workaround for ticket N 5348

  • Added necessary A record for the replica to root zone

  • Increased certmonger timeout

Patrice Duc-Jacquet (2)#

  • Incorrect message when KRA already installed

  • Add more information regarding where to find revocation reason in “ipa cert_revoke -h” and “ipa cert_find -h”.

Pavel Vomacka (69)#

  • Add tool tips for Revert, Refresh, Undo, and Undo All

  • Add support for the ‘user’ url parameter for the reset_password.html

  • Add validation to Issue new certificate dialog

  • Add pan and zoom functionality to the topology graph

  • Nodes stay fixed after initial animation.

  • Add field for group id in user add dialog

  • Resize topology graph canvas according to window size

  • Add X-Frame-Options and frame-ancestors options

  • Add activate option to stage user details page

  • Add ‘skip overlap check’ checkbox into add zone dialog

  • Add ‘skip overlap check’ checkbox to the add dns forward zone dialog

  • Add option to show OTP when adding host

  • Update the delete dialog on details user page

  • Add ability to stage multiple users

  • Add option to stage user from details page

  • Change lang.hitch to javascript bind method

  • Change ‘Restore’ to ‘Remove Hold’

  • Extend the certificate request dialog

  • Auth Indicators WebUI part

  • Fix bad searching of reverse DNS zone

  • Add adapter attribute for choosing record

  • DNS Locations: WebUI part

  • Add lists of hosts allowed to create or retrieve keytabs

  • Correct a jslint warning

  • Association table can be read only

  • Extend table facet

  • Add server roles on topology page

  • Search facet can be without search field

  • Add ability to review cert request dialog

  • Add new webui plugin - ca

  • Extend certificate entity page

  • Extend caacl entity

  • Make Actions string translatable

  • Extend DNS config page

  • Extend trust config page

  • Add creating a segment using mouse

  • Add listener which opens add segment dialog

  • Add placeholder to add segment dialog

  • Add DNS default TTL field

  • Allow to set weight of a server without location

  • DNS Servers: Web UI part

  • Add support for custom menu in multivalued widget

  • Extends functionality of DropdownWidget

  • Add working widget

  • Add ability to turn off activity icon

  • Add Object adapter

  • Refactored certificate view and remove hold dialog

  • Changed the way how to handle remove hold and revoke actions

  • Remove old useless actions - get and view

  • Add widget for showing multiple certificates

  • Add certificate widget

  • Add new certificates widget to the user details page

  • Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.

  • Add new certificates widget to the service details page

  • Updated certificates table

  • Add new custom command multivalued widget

  • Add button for dns_update_system_records command

  • Add certificate widget to ID override user details page.

  • Add authentication identificator to host page

  • Change paths of strings in auth indicators widget on service page

  • Simplify the confirmation messages

  • Add support to change button css class on confirm dialog

  • Add button for server-del command

  • Change error handling in custom_command_multivalued_widget

  • Set default confirmation button label to ‘Remove’

  • Add widgets for kerberos aliases

  • Add widget for kerberos aliases to user page

  • Add widget for kerberos aliases to hosts page

  • Add widget for kerberos aliases to service page

Peter Lacko (1)#

  • Ping module tests.

Petr Viktorin (46)#

  • Package ipapython, ipalib, ipaplatform, ipatests for Python 3

  • Use explicit truncating division

  • Don’t index exceptions directly

  • Use print_function future definition wherever print() is used

  • Alias “unicode” to “str” under Python 3

  • Avoid builtins that were removed in Python 3

  • dnsutil: Rename __nonzero__ to __bool__

  • Remove deprecated contrib/RHEL4

  • make-lint: Allow running pylint --py3k to detect Python3 issues

  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)

  • test_parameters: Ignore specific error message

  • ipaldap, ldapupdate: Encoding fixes for Python 3

  • ipautil.run, kernel_keyring: Encoding fixes for Python 3

  • tests: Use absolute imports

  • ipautil: Use mode ‘w+’ in write_tmp_file

  • test_util: str/bytes check fixes for Python 3

  • p11helper: Port to Python 3

  • cli: Don’t encode/decode for stdin/stdout on Python 3

  • Package python3-ipaclient

  • Move get_ipa_basedn from ipautil to ipadiscovery

  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()

  • ipapython.sysrestore: Use str methods instead of functions from the string module

  • ipalib.x509: Accept bytes for make_pem

  • dns plugin: Fix zone normalization under Python 3

  • sysrestore: Iterate over a list of dict keys

  • test_xmlrpc: Use absolute imports

  • xmlrpc_test: Rename exception instance before working with it

  • radiusproxy plugin: Use str(error) rather than error.message

  • xmlrpc_test: Expect bytes rather than strings for binary attributes

  • ipalib.rpc: Send base64-encoded data as string under Python 3

  • range plugin tests: Use bytes with MockLDAP under Python 3

  • radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret

  • certprofile plugin: Use binary mode for file with binary data

  • test_add_remove_cert_cmd: Use bytes for base64.b64encode()

  • Switch /usr/bin/ipa to Python 3

  • Fix remaining relative import and enable Pylint check

  • ipalib.cli: Improve reporting of binary values in the CLI

  • test_cert_plugin: Encode ‘certificate’ for comparison with ‘usercertificate’

  • ipaldap: Keep attribute names as text, not bytes

  • ipapython.secrets.kem: Use ConfigParser from six.moves

  • test_topology_plugin: Don’t rely on order of an attribute’s values

  • test_rpcserver: Expect updated error message under Python 3

  • ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison

  • test_ipaserver.test_ldap: Use bytestrings for raw LDAP values

  • ipaldap: Convert dict items to list before iterating

  • test_ipaserver.test_ldap: Adjust tests to Python 3’s KeyView

Petr Voborník (19)#

  • Bump 4.4 development version to 4.3.90

  • webui: add examples to network address validator error message

  • webui: pwpolicy cospriority field was marked as required

  • spec: do not require arch specific ipalib package from noarch packages

  • webui: display server suffixes in server search page

  • stop installer when setup-ds.pl fails

  • webui: crash nicely if sessionStorage is not available

  • webui: remove moot error from webui build

  • webui: use API call ca_is_enabled instead of enable_ra env variable.

  • webui: fixed showing of success message after password change on login

  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

  • cookie parser: do not fail on cookie with empty value

  • fix incorrect name of ipa-winsync-migrate command in help

  • webui: fail nicely if cookies are disabled

  • ipa-client-install: fix typo in nslcd service name

  • Become IPA 4.4.0 Alpha 1

  • mod_auth_gssapi: enable unique credential caches names

  • webui: prevent infinite reload for users with krbprincipal alias set

  • Become IPA 4.4.0

Petr Špaček (60)#

  • dns: Handle SERVFAIL in check if domain already exists.

  • DNSSEC: Improve error reporting from ipa-ods-exporter

  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP

  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND

  • DNSSEC: remove obsolete TODO note

  • DNSSEC: add debug mode to ldapkeydb.py

  • DNSSEC: logging improvements in ipa-ods-exporter

  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP

  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP

  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command

  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

  • DNSSEC: Log debug messages at log level DEBUG

  • Fix --auto-reverse option in --unattended mode.

  • Fix dns_is_enabled() API command to throw exceptions as appropriate

  • Fix DNS zone overlap check to allow ipa-replica-install to work

  • Fix ipa-adtrust-install to always generate SRV records with FQDNs

  • Fix URL for reporting bugs in strings

  • Pylint: enable parallelism

  • Makefile: replace perl with sed

  • Remove function ipapython.ipautil.host_exists()

  • Extend installers with --forward-policy option

  • Move automatic empty zone list into ipapython.dnsutil and make it reusable

  • Add assert_absolute_dnsname() helper to ipapython.dnsutil

  • Move function is_auto_empty_zone() into ipapython.dnsutil

  • Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()

  • Add function ipapython.dnsutil.inside_auto_empty_zone()

  • Auto-detect default value for --forward-policy option in installers

  • ipa-nis-manage: Replace text references to compat plugin with NIS

  • ipa-nis-manage: mention return code 3 in man page

  • DNS: Fix upgrade - master to forward zone transformation

  • DNS installer: accept --auto-forwarders option in unattended mode

  • Remove unused file install/share/fedora-ds.init.patch

  • Batch command: avoid accessing potentially undefined context.principal

  • pylint: replace Refactor category with individual check names

  • ipa-nis-manage: add status option

  • DNS: Warn if forwarding policy conflicts with automatic empty zones

  • Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil

  • Use root_logger for verify_host_resolvable()

  • Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil

  • Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil

  • Add ipaDNSVersion option to dnsconfig* commands and use new attribute

  • DNS upgrade: separate backup logic to make it reusable

  • Add function ipapython.dnsutil.related_to_auto_empty_zone()

  • DNS upgrade: change forwarding policy to = only for conflicting forward zones

  • DNS upgrade: change global forwarding policy in LDAP to “only” if private IPs are used

  • DNS upgrade: change global forwarding policy in named.conf to “only” if private IPs are used

  • Require 389-ds-base >= 1.3.5.6

  • DNS Locations: make ipa-ca record generation more robust

  • DNS: Support default TTL setting for master DNS zones

  • DNS: Warn about restart when default TTL setting DNS is changed

  • DNS: Fix realm domains integration with DNS zone add.

  • client: Share validator and domain name normalization with server install

  • DNS: Fix tests for realm domains integration with DNS zone add

  • client-install: do not fail if DNS times out during DNS update generation

  • Use NSS for name->resolution in IPA installer

  • DNS: Remove unnecessary DNS check from installer

  • DNS: Reinitialize DNS resolver after changing resolv.conf

  • Fix `Conflicts` with ipa-python

  • Remove unused is_local(), interface, and defaultnet from CheckedIPAddress

  • Fix internal errors in host-add and other commands caused by DNS resolution

Simo Sorce (6)#

  • Use only AES enctypes by default

  • Always verify we have a valid ldap context.

  • Improve keytab code to select the right principal.

  • Convert ipa-sam to use the new getkeytab control

  • Allow admins to disable preauth for SPNs.

  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (31)#

  • Listing and cleaning RUV extended for CA suffix

  • Automatically detect and remove dangling RUVs

  • Cosmetic changes to the code

  • Fixes minor issues

  • replica-manage: fail nicely when DM psswd required

  • ipa-replica-manage refactoring

  • abort-clean/list/clean-ruv now work for both suffixes

  • Moved password check from clean_dangling_ruv

  • Fix to clean-dangling-ruv for single CA topologies

  • Added pyusb as a dependency

  • Added some attributes to Modify Users permission

  • Deprecated the domain-level option in ipa-server-install

  • Increased mod_wsgi socket-timeout

  • Added = mapping to krb5.conf

  • Decreased timeout for IO blocking for DS

  • fixes premature sys.exit in ipa-replica-manage del

  • Remove dangling RUVs even if replicas are offline

  • Added krb5.conf.d/ to included dirs in krb5.conf

  • Removed dead code from LDAP{Remove,Add}ReverseMember

  • Fixes CA always being presented as running

  • Increase nsslapd-db-locks to 50000

  • host/service-show/find shouldn’t fail on invalid certificate

  • Fix to ipa-ca-install asking for host principal password

  • Fix topologysuffix-verify failing connections

  • topo segment-add: validate that both masters support target suffix

  • Add missing nsSystemIndex attributes

  • Revert “Removed dead code from LDAP{Remove,Add}ReverseMember”

  • The LDAP*ReverseMember shouldn’t imply --all is always specified

  • Fix wrong imports in copy-schema-to-ca.py

  • host: Added permissions for auth. indicators read/modify

  • service: Added permissions for auth. indicators read/modify

Sumit Bose (3)#

  • ipa-kdb: get_authz_data_types() make sure entry can be NULL

  • ipa-kdb: map_groups() consider all results

  • extdom: add certificate request

Thierry Bordaz (5)#

  • configure DNA plugin shared config entries to allow connection with GSSAPI

  • DS deadlock when memberof scopes topology plugin updates

  • Make sure ipapwd_extop takes precedence over passwd_modify_extop

  • Topology plugins sigsegv/heap corruption when adding a managed host

  • ipapwd_extop should use TARGET_DN defined by a pre-extop plugin

Thorsten Scherf (1)#

  • Fixed typo in service-add

Timo Aaltonen (6)#

  • Use HTTPD_USER in dogtaginstance.py

  • Move freeipa certmonger helpers to libexecdir.

  • ipa_restore: Import only FQDN from ipalib.constants

  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.

  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template

  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10)#

  • py3: Remove py3 incompatible exception handling

  • logger: Use warning instead of warn

  • Logger: Use warning instead of warn - dns plugin

  • ipa-getkeytab: Handle the possibility of not obtaining a result

  • ipa-adtrust-install: Allow dash in the NETBIOS name

  • spec: Bump required sssd version to 1.13.3-5

  • adtrustinstance: Make sure smb.conf exists

  • l10n: Remove Transifex configuration

  • ipalib: Fix user certificate docstrings

  • idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (4)#

  • Fix minor typo

  • Fix minor typos

  • Fix minor typos

  • Fix minor typo