The FreeIPA team would like to announce the FreeIPA v4.4.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.
Highlights in 4.4.0
Enhancements:
Improved Topology Management
<http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>
Added Overview of IPA server roles:
<http://www.freeipa.org/page/V4/Server_Roles>
Added support for certificates for AD users:
<http://www.freeipa.org/page/V4/Certs_in_ID_overrides>
Added support of UPN for trusted domains
<http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>
Added support for Kerberos Authentication Indicators
<http://www.freeipa.org/page/V4/Authentication_Indicators>
Added DNS Location Mechanism (Howto)
<http://www.freeipa.org/page/V4/DNS_Location_Mechanism>
Several performance improvements
<http://www.freeipa.org/page/V4/Performance_Improvements>
Refactored IPA command line tool
<http://www.freeipa.org/page/V4/Thin_Client>
Added support for Sub-CAs
<http://www.freeipa.org/page/V4/Sub-CAs>
Added support for Kerberos principal aliases
Known Issues
Bug fixes
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.
Resolved tickets
#433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
#2008 [RFE] IPA should support and manage DNS Locations
#2795 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user’s password expiration (krbPasswordExpiration) to be 90 days
#2956 Define missing DNS zone attribute for default TTL value
#3197 Use noarch RPMs for Python-only packages
#3376 Do not do extra LDAP search for ipasshpubkey to generate fingerprints
#3517 Incorrect *.py[co] files placement
#3864 Adjust Kerberos Principal Aliases implementation
#3961 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
#4022 When search hits the size limit, it should explicitly say so or message like # hosts matched suggests there are not other
#4235 ipa-replica-manage -H does not delete DNS SRV records
#4421 host-mod command prevents creating Kerberos principal aliases
#4427 [RFE] New API versioning
#4559 [RFE] Support lightweight sub-CAs
#4602 [RFE] Offer OTP generation for host enrollment in the UI
#4631 Add X-Frame-Options, frame-ancestors to UI webpages
#4739 [RFE] Support API clients newer than server
#4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger
#4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs
#4844 Principal canonicalization does not work for principals in IPA realm
#4942 [RFE] Allow user authentication using cert on smart card against IPA UI
#4955 [RFE] Allow managing certificates for AD users in IPA
#4987 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
#4995 add finer control of getting members
#5001 Make it possible to pre-fill the Username field of /ipa/ui/reset_password.html
#5076 [WebUI] General invalid password error message appearing for “Locked user”
#5077 [WebUI] UI error message is not appropriate for “Kerberos principal expiration”
#5108 webui for {user|service|host}_{add|remove}_cert commands
#5115 ipatests: registering plugins via API.register/Registrar class doesn’t work
#5168 search by users which don’t have read rights for all attrs in search_attributes fails
#5181 [RFE] Expand server-show/find with the list of configured components
#5221 Installer adds NTP SRV records into DNS for IPA servers which does not have ntp configured
#5281 3 unnecessary search operations for each user in user-find
#5294 [tracker] certprofile-import error message is not clear
#5307 ipa-replica-manage del --force --clean won’t clean remnant records if there is no RUV with replica ID
#5311 Show Certificate displays in useless format
#5315 ipa-kra-install prints incorrect errors message when kra is already installed
#5354 [RFE] Support of UPN for trusted domains
#5369 [UI] Stageuser capabilities - “Activate” option not available for a staged user in detailed info
#5370 [UI] Stageuser capabilities - “Delete” option does not offer choice between permanent/preserved in detailed user info
#5371 [UI] Stageuser capabilities - Preserved user cannot be converted to staged user - missing option
#5376 [tracker] Replica prepare: Certificate issuance failed
#5380 ipa-replica-manage: no way to show traceback on unexpected error
#5381 [WebUI] Missing UI for working with multiple certificates in User, Host, Service pages
#5383 Reduce ioblocktimeout and idletimeout defaults
#5396 Cleanallruv task should not wait for cleanallruv result on the others replicas
#5413 [RFE] Allow users to authenticate with alternative names
#5428 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI
#5432 Issue New Certificate dialogs do not validate data
#5434 add context to exception on LdapEntry decode error
#5443 ipa-server-install dies during pkispawn if /etc/hostname not properly configured
#5448 ipa user-add slows down as more users are added
#5523 [RFE] Update default profiles to always add SAN dnsName
#5534 ipa-client-install fails when the client has active point to point connections
#5547 ipa client should configure kpasswd_server directive in krb5.conf
#5561 Unable to install replica due error during restarting dirsrv
#5588 [RFE] change `ipa-replica-manage del` into an API method for domain level 1
#5591 FreeIPA ipa-client-install error: Hostname (computer.company.lan) does not have A/AAAA record.
#5599 Kerberos could take advantage of slapi-nis specific control that skip slapi-nis map evaluation
#5620 Centralize DNS record creation in IPA services
#5627 ipa host-del fails with --updatedns option if host does not have a dns record
#5642 ipa-getkeytab: extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)’ failed.
#5643 WebUI: Application crashes if sessionStorage is not available
#5645 [WebUI] Dialog “Issue New Certificate” should mention SAN names
#5648 webui: topology graph: add segments by drag and drop
#5652 webui: unable to review certificate request if the request is not successful
#5656 webui: browser setup page includes instructions for Internet Explorer
#5659 typo in service-add
#5675 ipa host-del --updatedns should remove related dns entries.
#5677 API calls fail on “LimitsExceeded” error
#5681 Residual Files After IPA Server Uninstall
#5689 move set-renewal-master command to API from ipa-csreplica-manage
#5694 update ipa-client-install --request-cert man page with chroot workaround
#5702 webui: change dojo’s lang.hitch() to the javascript .bind() method
#5703 ipa-client-install should enable ChallengeResponseAuthentication by default
#5708 ipa-server-install manpage doesn’t contain info about --domain-level option
#5710 Fix forward zone conflicts with automatic empty zones from BIND
#5717 Consider removing our implementation of CalledProcessError
#5721 error installing ca-less replica with valid certificates
#5732 Web interface not showing ipa forwarders
#5740 ipa-replica-prepare: Traceback if reverse zone does not exists
#5741 [tests] Admin is getting Insufficient privileges to promote the server when installing ca-less replica
#5743 [RFE] External Trust with Active Directory domain
#5751 Error: Unknown warnings category ‘experimental::smartmatch’ at /usr/share/dirsrv/updates/52updateAESplugin.pl line 9.
#5757 incorrect SELinux label of second replica’s /var/log/ipareplica-conncheck.log
#5758 Replica installation crashes on certmonger timeout
#5759 Missing pre_callback in stageuser_add
#5761 ipa-client-install throws Python exception on FIPS enabled servers
#5762 [RFE] Support IdM Client in a DNS domain controlled by AD
#5768 Include description for ‘status’ option in man page for ipactl command.
#5772 Failures in topology tests produce unclear error messages
#5773 [webui] option --skip-overlap-check cannot be set in DNS zone adder dialog
#5774 ipa config-mod allows to set maxusername limit higher than 255 characters
#5782 ipa-kdb support for krbPrincipalAuthInd
#5783 permission plugin tests fail on 4.3 branch
#5787 SchemaCache doesn’t work
#5789 “no such entry” error is shown when installer does not receive password from pkcs file
#5792 ipa-server-install: report which certificate is missing in external cert trust chain
#5794 ipa-server-install does not completely change hostname and named-pkcs11 fails
#5796 [webui] IPA Error 3009: Validation error: Invalid ‘ptrrecord’: Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
#5797 host-show, host-find failed when usercertificate in LDAP is invalid
#5800 kdestroy command in unapply_fixes function in test_integration/tasks.py causes legacy client tests to fail
#5804 Test for “#4986 Web UI misses check box…” and “#5505 Creating a user w/o private group…” needed
#5810 batch command can be used to trigger internal errors on server
#5811 ipa-client-install failing with SyntaxError: Syntax Error: Unknown line format
#5812 always qualify requests for admin
#5815 Integrate NTP service into server roles
#5819 ipa cert-revoke --help doesn’t provide enough info on revocation reasons
#5820 advertise ipactl start --ignore-service-failure option
#5826 Integrate NTP service into server roles: upgrade from older IPA versions
#5833 cli: “gateway time out” with long running task
#5835 ipa-replica-install man page lacks CA less options
#5839 Tests: cleanup for host certificate does not work well in test_host_plugin.py
#5840 ipa-replica-manage clean-dangling-ruv fails in topologies with only one CA
#5841 upgrade: find_hostname() method should be replaced by api.env.host
#5842 Replica installation fails with ipa-getkeytab timeouts
#5851 DNS upgrade is broken: master zones are not transformed to forward zones properly
#5856 ipa-nis-manage command should include status option
#5857 ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’
#5865 make rpms does not fail if api does not match API.txt
#5866 [RFE] Create guidance how to setup/migrate IPA that contains big amount of data
#5867 topology graph: display “autogenerated” placeholder while adding segment
#5868 Upgrader sometimes returns PR_ADDRESS_NOT_SUPPORTED_ERROR from dogtag upgrade
#5869 ipa-dns-install --auto-forwarders option does not work in unattended mode
#5870 [tracker] DNSSEC signing is broken on Fedora 24
#5871 ‘man ipa’ should be updated with latest commands
#5872 [webui] authentication indicators
#5878 Inconsistent UI and CLI options for removing certificate hold
#5885 ipa cert-request causes internal server error while requesting certificate
#5886 missing dependency: python3-pyusb
#5889 Client-only build fails
#5892 Unused code in LDAPRemoveReverseMember
#5894 makeapi validation fails on architectures where integer is less than 32 bits
#5898 CAInstance presented as always running
#5899 Remove unused code from automount plugin
#5903 always add mapping (my hostname) = (IPA realm) to krb5.conf
#5904 [RFE] Add ‘external’ checkbox corresponding to ‘--external’ flag in ‘trust-add’ command
#5905 [RFE] Create webui for DNS locations
#5906 [RFE] WebUI for server roles
#5907 deprecate ‘--domain-level’ option in ipa-server-install
#5911 Insufficient ‘write’ privilege on some attributes for the members of the role which has “User Administrators” privilege.
#5912 Installing freeipa client breaks crypto-policies for krb5
#5914 invalid setting of DS lock table size
#5920 automount.py: strings in output_for_cli method should be translated
#5926 [RFE] add certificate field into ID Views
#5927 Web UI for Kerberos Principal Aliases
#5928 topology plugins sigsev when adding a managed host
#5931 Add, remove, list hosts allowed to retrieve keytabs in Web UI
#5937 [RFE] Support of UPN for trusted domains
#5938 otptoken-add is not Python 3 clean
#5939 [RFE] WebUI for sub-CA
#5942 trusts: make sure child domains are not shown as part of the trust-find command
#5943 dogtag-ipa-ca-renew-agent-submit cannot access api.Object.config
#5944 ipapwd_extop should take precedence over default DS plugin
#5946 Enable password change extop to apply on virtual entry like the entry in compat tree
#5947 Missing nsSystemIndex attribute for some entries in index update file
#5954 ipa passwd tracebacks
#5958 Upgrade is broken on servers without CA
#5960 API call dnsconfig_show returns null as value of dnssec_key_master_server
#5961 P11 tests breaks environment, which causes changepw tests to fail
#5962 Unable to install server without A record even if --setup-dns option is used
#5963 Replica installation fails on domain level 0
#5965 conncheck in ipa-ca-install running on replica asks for host/principal “password”
#5966 Missing ‘ipa-ca’ records for replica installed by replica promotion
#5967 “CA” segment can be created for servers without CA suffix
#5968 renew_ca_cert helper cannot access config plugin
#5973 adtrust-install prints ‘CRITICAL Failed to remove old key’ even during clean install
#5975 local variable ‘ipaconf’ referenced before assignment
#5976 replica-promotion: is possible to set invalid IPA domain
#5977 topology plugins sigsev/heap corruption when adding a managed host
#5978 server/client uninstall does not clean krb5.keytab properly
#5981 Unhandled PKI error in ca-add
#5982 [tracker] KRA: installation of second KRA fails
#5983 Ensure that replica promotion deny to install a replica against a server with newer version
#5985 Replica install: Failed to load replica-s4u2proxy.ldif
#5987 Nonexistent attributes in ValidationError
#5988 Don’t connect to memcache in session manager on module import
#5991 Principal does not get created when I add a certificate with “Add principal” checkbox checked
#5995 full IPA restore fails due to unsuccessful client API initialization
#5996 ipa-replica-install failure: Insufficient access: Insufficient ‘add’ privilege to add the entry ‘krbprincipalname=ldap/…
#5999 Some cert commands are missing the --ca option
#6000 `test_serverroles` suite uses incorrect LDAP uri when ran together with other tests
#6003 execution of copy-schema script fails
#6004 Fix `Conflicts` with ipa-python
#6009 *-show option “--all” newly requires argument
#6011 upgrade failed for 4.4 alpha from 4.2.3.?
Detailed Changelog since 4.3.1
Abhijeet Kasurde (12)
Added kpasswd_server directive in client krb5.conf
Fixed login error message box in LoginScreen page
Added fix for notifying user about Kerberos principal expiration in WebUI
Added description related to ‘status’ in ipactl man page
Added warning to user for Internet Explorer
Added fix for notifying user about locked user account in WebUI
Updated ipa command man page
Fix added to ipa-compat-manage command line help
Removed custom implementation of CalledProcessError
Replaced find_hostname with api.env.host
Added exception handling for mal-formatted XML Parsing
Added missing translation to automount.py method
Alexander Bokovoy (11)
slapi-nis: update configuration to allow external members of IPA groups
extdom: do not fail to process error case when no request is specified
otptoken: support Python 3 for the qr code
trusts: Add support for an external trust to Active Directory domain
adtrust: remove nttrustpartner parameter
adtrust: remove nttrustpartner parameter
adtrust: support GSSAPI authentication to LDAP as Active Directory user
adtrust: support UPNs for trusted domain users
webui: show UPN suffixes in trust properties
webui: support external flag to trust-add
adtrust: optimize forest root LDAP filter
Christian Heimes (3)
Require Dogtag 10.2.6-13 to fix KRA uninstall
Modernize mod_nss’s cipher suites
Move user/group constants for PKI and DS into ipaplatform
David Kupka (35)
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
ipa-dns-install: Do not check for zone overlap when DNS installed.
ipa-replica-prepare: Add ‘--auto-reverse’ and ‘--allow-zone-overlap’ options
installer: Change reverse zones question to better reflect reality.
Fix: Use unattended parameter instead of options.unattended
CI: Add ‘2-connected’ topology generator.
CI: Add simple replication test in 2-connected topology.
CI: Add test for 2-connected topology generator.
CI: Fix pep8 errors in 2-connected topology generator
CI: add empty topology test for 2-connected topology generator
CI: Add double circle topology.
CI: Add replication test utilizing double-circle topology.
CI: Add test for double-circle topology generator.
CI: Make double circle topology python3 compatible
upgrade: Match whole pre/post command not just basename.
dsinstance: add start_tracking_certificates method
httpinstance: add start_tracking_certificates method
Look up HTTPD_USER’s UID and GID during installation.
test: test_cli: Do not expect defaults in kwargs.
man: Describe ipa-client-install workaround for broken D-Bus environment.
installer: positional_arguments must be tuple or list of strings
installer: index() raises ValueError
Remove unused locking “context manager”
schema: Add fingerprint and TTL
schema: Add known_fingerprints option to schema command
schema: Cache schema in api instance
schema: return fingerprint as unicode text
env: Add ‘server’ variable to api.env
schema: Caching on schema on client
test: automember: Fix expected exception message
test: cert: Reflect change in behavior in tests
schema: Decrease schema TTL to one hour
schema: Perform the check for schema update when force_schema_check is True
Allow unexpiring passwords
Filip Skola (9)
Refactor test_user_plugin, use UserTracker for tests
Refactor test_replace
Refactor test_attr
Refactor test_sudocmd_plugin
Refactor test_sudocmdgroup_plugin
Refactor test_group_plugin, use GroupTracker for tests
Refactor test_nesting, create HostGroupTracker
Refactor test_hostgroup_plugin
Refactor test_automember_plugin, create AutomemberTracker
Florence Blanc-Renaud (9)
Add missing CA options to the manpage for ipa-replica-install
Add the culprit line when a configuration file has an incorrect format
add context to exception on LdapEntry decode error
batch command can be used to trigger internal errors on server
Always qualify requests for admin in ipa-replica-conncheck
Report missing certificate in external trust chain
Do not allow installation in FIPS mode
Fix ipa-server-certinstall with certs signed by 3rd-party CA
Do not log error when removing a non-existing file
Fraser Tweedale (37)
Do not decode HTTP reason phrase from Dogtag
Remove workaround for CA running check
caacl: correctly handle full user principal name
Prevent replica install from overwriting cert profiles
Detect and repair incorrect caIPAserviceCert config
Remove service and host cert issuer validation
Allow CustodiaClient to be used by arbitrary principals
Load server plugins in certmonger renewal helper
Add ACIs for Dogtag custodia client
Optionally add service name to Custodia key DNs
Setup lightweight CA key retrieval on install/upgrade
Authorise CA Agent to manage lightweight CAs
Add custodia store for lightweight CA key replication
Add ‘ca’ plugin
Add IPA CA entry on install / upgrade
Update ‘caacl’ plugin to support lightweight CAs
Add CA argument to ra.request_certificate
Update cert-request to allow specifying CA
Add issuer options to cert-show and cert-find
replica-install: configure key retriever before starting Dogtag
upgrade: do not try to start CA if not configured
restart scripts: bootstrap api with in_server=True
Require Dogtag >= 10.3.3
Fix IssuerDN presence check in cert search result
Set default OCSP URI on install and upgrade
ipaldap: turn LDAP filter utility functions into class methods
Skip CS.cfg update if cert nickname not known
Update lightweight CA serial after renewal
ipa-certupdate: track lightweight CA certificates
cert-find: fix ‘issuer’ option
cert-request: better error msg when ‘add’ not supported
Check for CA subject name collision before attempting creation
Add --ca option to cert-revoke and cert-remove-hold
Split CA replica installation steps for domain level 0
Fix migration from pre-lightweight CAs master
Add --cn option to cert-status
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
Gabe Alford (1)
ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’
Jakub Hrozek (1)
sudo: Fix a typo in the --help output of sudocmdgroup
James Groffen (1)
Set close button type attribute to ‘button’.
Jan Barta (1)
pylint: fix: multiple-statements
Jan Cholasta (139)
ipautil: remove unused import causing cyclic import in tests
ipalib: assume version 2.0 when skip_version_check is enabled
ipapython: remove default_encoding_utf8
ipapython: port p11helper C code to Python
ipapython: use python-cryptography instead of libcrypto in p11helper
spec file: package python-ipalib as noarch
cert renewal: import all external CA certs on IPA CA cert renewal
replica install: validate DS and HTTP server certificates
replica promotion: fix AVC denials in remote connection check
cacert install: fix trust chain validation
client: stop using /etc/pki/nssdb
ipalib: provide per-call command context
ipalib: add convenient Command method for adding messages
certdb: never use the -r option of certutil
spec file: bump minimum required pki-core version
build: fix client-only build
makeapi: use the same formatting for `int` and `long` values
replica install: do not set CA renewal master flag
rpc: do not crash when unable to parse JSON
parameters: remove unused ConversionError and ValidationError arguments
rpc: include structured error information in responses
frontend: re-raise remote RequirementError using CLI name in CLI
frontend: remove the unused Command.soft_validate method
frontend: perform argument value validation only on server
batch: do not crash when no argument is specified
ipalib: make optional positional command arguments actually optional
frontend: do not forward unspecified positional arguments to server
user: do not assume the preserve flags have value in user_del
frontend: do not forward argument defaults to server
makeapi: optimize API.txt
ipalib: remove the unused `csv` argument of Param
makeaci: load additional plugins using API.add_module
plugable: replace API.import_plugins with new API.add_package
ipalib, ipaserver: migrate all plugins to Registry-based registration
ipalib, ipaserver: fix incorrect API.register calls in docstrings
plugable: remove the unused deprecated API.register method
plugable: switch API to Registry-based plugin discovery
frontend: merge baseldap.CallbackRegistry into Command
frontend: move the interactive_prompt callback type to Command
automount: do not inherit automountlocation_import from LDAPQuery
dns: move code called on client to the module level
dns: do not rely on server data structures in code called on client
otptoken: fix import of DN
otptoken_yubikey: fix otptoken_add_yubikey arguments
vault: move client-side code to the module level
vault: copy arguments of client commands from server counterparts
ipalib: use relative imports for cross-plugin imports
frontend: allow commands to have an argument named `name`
cli: make optional positional command arguments actually optional
dns: fix dnsrecord interactive mode
ipaclient: introduce ipaclient.plugins
ipalib: move client-side plugins to ipaclient
help, makeapi: allow setting command topic explicitly
help, makeapi: specify module topic by name
help, makeapi: do not use hardcoded plugin package name
plugable: turn Plugin attributes into properties
plugable: simplify API plugin initialization code
plugable: remember overridden plugins in API
frontend: turn Method attributes into properties
ipaclient: add client-side command override class
dns: move code shared by client and server to separate module
ipalib: split off client-side plugin code into ipaclient
parameters: introduce cli_metavar keyword argument
parameters: introduce no_convert keyword argument
ipalib: replace DeprecatedParam with `deprecated` Param argument
ipalib: introduce API schema plugins
rpc: respect API config in RPCClient.create_connection
rpc: allow overriding NSS DB directory in API config
rpc: specify connection options in API config
rpc: optimize JSON-RPC response handling
rpc: do not validate command name in RPCClient.forward
client install: finalize API after CA certs are available
ipactl: use server API
ipalib: move File command arguments to ipaclient
misc: hide the unused --all option of `env` and `plugins` in CLI
ipaclient: implement thin client
ipalib: move server-side plugins to ipaserver
frontend: do not check API minor version of the client
schema: do not validate unrequested params in command_defaults
replica install: use remote server API to create service entries
schema: fix topic command output
schema: fix typo
spec file: require correct packages to get API plugins
plugable: allow plugins to be non-classes
plugable: initialize plugins on demand
schema: generate client-side commands on demand
batch, schema: use Dict instead of Any
misc: fix empty CLI output of `env` and `plugins` commands
dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
frontend: call `execute` rather than `forward` in Local
schema: exclude local commands
schema: fix client-side dynamic defaults
makeaci, makeapi: use in-server API
frontend: don’t copy command arguments to output params
frontend: skip `value` output in output_for_cli
frontend: do not crash on missing output in output_for_cli
automember: add object plugin for automember_rebuild
dns: do not rely on custom param fields in record attributes
misc: skip `count` and `total` output in env.output_for_cli
passwd: handle sort order of passwd argument on the client
permission: handle ipapermright deprecated CLI alias on the client
schema: add object class schema
schema: remove output_params
schema: merge command args and options
schema: remove redundant information
schema: remove `no_cli` from command schema
replica install: fix thin client regression
ldap: fix handling of binary data in search filters
cert: add object plugin
cert: add owner information
cert: allow search by certificate
dns: fix dns_update_system_records to work with thin client
schema: fix param default value handling
schema: do not crash in command_defaults if argument is None
automember: fix automember to work with thin client
schema: client-side code cleanup
misc: generate `plugins` result directly in the command
plugable: use plugin class as the key in API namespaces
plugable: support plugin versioning
schema: support plugin versioning
frontend: forward command calls using full name
schema: fix Flag arguments on the client
schema: properly fix Flag arguments on the client
backup: use in-server API in ipa-backup and ipa-restore
replica install: don’t allow install against a newer server
session: move the session module from ipalib to ipaserver
session: do not initialize session manager on import
xmlserver: initialize RPC server plugins only in server context
makeaci, makeapi, oddjob: use the default API context
server: define missing virtual attributes
user: add object plugin for user_status
frontend: do not ignore client-side output params
cert: fix CLI output of cert_remove_hold
plugable: add option to ignore override errors
client: ignore override errors in command overrides
client: add placeholders for required remote plugins
server: exclude Local commands from RPC
client: do not crash when overriding remote command as method
client: add support for pre-schema servers
Jérôme Fenal (1)
Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.
Lenka Doudova (12)
WebUI tests: fix failing of tests due to unclickable label
WebUI test: ID views
WebUI: Test creating user without private group
Test fix: Cleanup for host certificate
Test: Maximum username length higher than 255 cannot be set
Tests: Fix for failing location tests
Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
Tests: Make ID views tests reflect new krbcanonicalname attribute
Tests: Fix failing ipatests/test_ipalib/test_errors.py
Tests: Remove DNS configuration from trust tests
Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py
Tests: Fix frontend tests
Ludwig Krispenz (2)
prevent moving of topology entries out of managed scope by modrdn operations
v2 - avoid crash in topology plugin when host list contains host with no hostname
Lukáš Slebodník (6)
extdom: Remove unused macro
IPA-SAM: Fix build with samba 4.4
CONFIGURE: Replace obsolete macros
ipa-sam: Do not redefine LDAP_PAGE_SIZE
SPEC: Remove unused build dependency on libwbclient
BUILD: Remove detection of libcheck
Martin Babinsky (68)
raise more descriptive Backend connection-related exceptions
harden domain level 1 topology connectivity checks
ipalib/x509.py: revert deletion of ipalib api import
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
tests for package version comparison
fix Py3 incompatible exception instantiation in replica install code
ipa-csreplica-manage: remove extraneous ldap2 connection
IPA upgrade: move replication ACIs to the mapping tree entry
uninstallation: more robust check for master removal from topology
correctly set LDAP bind related attributes when setting up replication
disable RA plugins when promoting a replica from CA-less master
fix standalone installation of externally signed CA on IPA master
reset ldap.conf to point to newly installed replica after promotion
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
test_cert_plugin: use only first part of the hostname to construct short name
only search for Kerberos SRV records when autodiscovery was requested
spec: add conflict with bind-chroot to freeipa-server-dns
spec: require python-cryptography newer than 0.9
ipa-replica-manage: print traceback on unexpected error when in verbose mode
otptoken-add: improve the robustness of QR code printing
differentiate between limit types when LDAP search exceeds configured limits
specify type of exceeded limit when warning about truncated search results
replica-prepare: do not add PTR records if there is no IPA managed reverse zone
Server Roles: definitions of server roles and attributes
Server Roles: Backend plugin to query roles and attributes
Test suite for `serverroles` backend
Server Roles: public API for server roles
Server Roles: make server-{show,find} utilize role information
Server Roles: make *config-show consume relevant roles/attributes
Server Roles: provide an API for setting CA renewal master
Add NTP to the list of services stored in IPA masters LDAP subtree
Introduce “NTP server” role
ipaserver module for working with managed topology
delegate removal of master DNS record and replica keys to separate functions
server-del: perform full master removal in managed topology
CI test suite for `server-del`
ipa-replica-manage: use `server_del` when removing domain level 1 replica
remove the master from managed topology during uninstallation
Fix listing of enabled roles in `server-find`
Do not update result of *-config-show with empty server attributes
server-del: harden check for last roles
perform case-insensitive principal search when canonicalization is requested
mark ‘ipaKrbPrincipalAlias’ attribute as deprecated in schema
add case-insensitive matching rule to krbprincipalname index
add krbCanonicalName to attributes watched by MODRDN plugin
ipa-kdb: set krbCanonicalName when creating new principals
ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
set krbcanonicalname on host entry during krbinstance configuration
account for added krbcanonicalname attribute during xmlrpc tests
Fix incorrect construction of service principal during replica cleanup
keep setting ipakrbprincipal objectclass on new service entries
test_serverroles: ensure that test API is initialized with correct ldap_uri
test-{service,host}-plugin: only expect krbcanonicalname when all=True
ipapython module for Kerberos principal manipulation and parsing
Test suite for `ipapython/kerberos.py`
ipalib: introduce Principal parameter
Migrate management framework plugins to use Principal parameter
Add ACI for admins to modify principal attributes
replace an ACI relying on presence of deprecated objectclass
Allow for commands that use positional parameters to add/remove attributes
Make framework consider krbcanonicalname as service primary key
Provide API for management of host, service, and user principal aliases
Unify display of principal names/aliases across entities
Martin Bašti (162)#
Fix DNS tests: dns-resolve returns warning
Remove unused code in server installer related to KRA
Fix version comparison
Fix: replace mkdir with chmod
Use module variables for timedate_services
Remove empty test file
Remove unused imports
Remove wildcard imports
Enable multiple warnings checks in Pylint
Enable pylint lost exception check
Enable pylint duplicated-key check
Enable pylint trailing-whitespace check
Enable pylint missing-final-newline check
Enable pylint unused-format-string-key check
Enable pylint expression-not-assigned check
Enable pylint empty-docstring check
Enable pylint unnecessary-pass check
update_uniqueness plugin: fix referenced before assignment error
Allow to use mixed case for sysrestore
Upgrade: Fix upgrade of NIS Server configuration
DNSSEC test: fix adding zones with --skip-overlap-check
DNSSEC CI: add missing ldns-utils dependency
Enable pylint unpacking-non-sequence check
Enable pylint unbalanced-tuple-unpacking check
CI test: fix regression in task.install_kra
Warn about potential loss of CA, KRA, DNSSEC during uninstall
Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
Exclude o=ipaca subtree from Retro Changelog (syncrepl)
Fix DNSSEC test: add glue record
Warn user when ipa *-find reach limit
DNSSEC CI: fix zone delegations
make lint: use config file and plugin for pylint
Upgrade: log to ipaupgrade.log when IPA server is not installed
Disable new pylint checks
Py3: do not use dict.iteritems()
upgrade: fix config of sidgen and extdom plugins
trusts: use ipaNTTrustPartner attribute to detect trust entries
Warn user if trust is broken
fix upgrade: wait for proper DS socket after DS restart
Revert “test: Temporarily increase timeout in vault test.”
Remove duplicated except
Pylint: add missing attributes of errors to definitions
fix permission: Read Replication Agreements
Make PTR records check optional for IPA installation
Fix connections to DS during installation
pylint: suppress false positive no-member errors
CI: allow customized DS install test to work with domain levels
fix suspicious except statements
Remove unused arguments from update_ssh_keys method
Configure 389ds with “default” cipher suite
krb5conf: use ‘true’ instead of ‘yes’ for forwardable option
stageuser-activate: Normalize manager value
Remove redundant parameters from CS.cfg in dogtaginstance
Use platform path constant for SSSD log dir
Fix broken trust warnings
spec: Add missing dependencies to python*-ipalib package
client: enable ChallengeResponseAuthentication in sshd_config
pylint: remove bare except
Pylint: fix definition of global variables
Pylint: enable pointless-except check
Pylint: enable reimported check
Pylint: use list comprehension instead of iteration
Pylint: import max one module per line
Pylint: remove unnecessary-semicolon
Pylint: enable invalid-name check
SPEC: do not run upgrade when ipa server is not installed
Fix: catch Exception instead of more specific exception types
Fix stageuser-activate - managers test
Add missing pre_common_callback to stageuser_add
host_del: fix removal of host records
host_del: replace dns-record find command with show
host_del: remove unneeded dnszone-show command call
host_del: split removing A/AAAA and PTR records to separate functions
host_del: remove only A, AAAA, SSHFP, PTR records
host_del: update help for --updatedns option
host-del --updatedns: print warnings instead of error
Use netifaces module instead of ‘ip’ command
Limit max username length to 255 in config-mod
Increase API version for ‘ipamaxusernamelength’ attribute change
Configure httpd service from installer instead of directly from RPM
Performance: don’t download password attributes in host/user-find
Do not do extra search for ipasshpubkey to generate fingerprints
Always set hostname
Remove deprecated hostname restoration from Fedora18
Remove unused hostname variables
Log errors from backup_and_replace hostname to logger
Tasks: raise NotImplementedError for not implemented methods
fix stageuser tests (removal of has_keytab and has_password from find)
make: fail when ACI.txt or API.txt differs from values in source code
ipactl: advertise --ignore-service-failure option
Remove unused variable and finally block in SchemaCache
Fix referenced before assignment variables in except statements
Upgrade: always start CA
Remove unused variables in automount plugin
fix pylint false positive errors
Translations: remove deprecated locale configuration
Make option --no-members public in CLI
Performance: Find commands: do not process members by default
Test: fix failing host_test
Fix: replace incorrect no_cli with no_option flag
Fix: topologysuffix_find doesn’t have no_members option
DNS Locations: Always create DNS related privileges
DNS Locations: add new attributes and objectclasses
DNS Locations: location-* commands
DNS Locations: API tests
Allow to use non-Str attributes as keys for members
DNS Locations: extend server-* command with locations
DNS Location: location-show: return list of servers in location
DNS Locations: when removing location remove it from servers first
DNS Locations: extend tests with server-* commands
Upgrade mod_wsgi socket-timeout on existing installation
Exclude unneeded dirs and files from pylint check
Fix resolve_rrsets: RRSet is not hashable
Revert “adtrust: remove nttrustpartner parameter”
Fix: Local variable s_indent might be referenced before defined
Revert “Switch /usr/bin/ipa to Python 3”
Use python2 for ipa cli
DNS Locations: add index for ipalocation attribute
DNS Locations: fix location-del
DNS Locations: add idnsTemplateObject objectclass
DNS Locations: DNS data management
DNS Locations: permission: allow to read status of services
DNS Locations: add ACI for template attribute
DNS Locations: command dns-update-system-records
DNS Locations: use dns_update_service_records in installers
DNS Locations: adtrustinstance simplify dns management
DNS Locations: use automatic records update in ipa-adtrust-install
DNS Locations: server-mod: add automatic records update
DNS Locations: dnsservers: add required objectclasses
DNS Locations: dnsserver-* commands
DNS Locations: dnsserver: put server_id option into named.conf
DNS Locations: dnsserver: use the newer config way in installer
DNS Locations: dnsserver: remove config when replica is removed
DNS Locations: set proper substitution variable
DNS Locations: require to restart named-pkcs11 after location change
DNS Locations: show warning if there is no DNS servers in location
DNS Locations: prevent to remove used locations
DNS Locations: do not generate location records for unused locations
DNS Locations: location-del: remove location record
DNS Locations: Rename ipalocationweight to ipaserviceweight
DNS Locations: generate NTP records
upgrade: don’t fail if zone does not exist in find
DNS Location: add list of roles and DNS servers to location-show
DNS Locations: dnsserver: print specific error when DNS is not installed
Fix possibly undefined variable in ipa_smb_conf_exists()
Updated IPA translations
Replica promotion: use the correct IPA domain for replica
Server-del: fix system records removal
Increase ipa-getkeytab LDAP timeout to 100sec
DNS Locations: server-mod: fix if statement
ipa-rmkeytab, ipa-join: don’t fail if init of gettext failed
Revert “DNS Locations: do not generate location records for unused locations”
DNS Locations: hide option --no-msdcs in adtrust-install
DNS Locations: optimization: use server-find to get information
DNS Locations: cleanup of bininstance
CA replica promotion: add proper CA DNS records
Fix replica install with CA
cert.py split module docstring to multiple ugetext string
Add option --no-log for ipa-replica-conncheck script
Do not log to file in remote conncheck side
Bump SSSD version in requires
IPA 4.4.0 Translations
Martin Košek (2)#
Update Developers in Contributors.txt
Update Contributors.txt
Matt Rogers (1)#
ipa_kdb: add krbPrincipalAuthInd handling
Michael Simacek (1)#
Fix bytes/string handling in rpc
Milan Kubík (11)#
ipatests: replace the test-example.com domain in tests
ipatests: Roll back the forwarder config after a test case
ipatests: Fix configuration problems in dns tests
ipatests: Make the A record for hosts in topology conditional
ipatests: fix the install of external ca
ipatests: Add missing certificate profile fixture
ipatests: extend permission plugin test with new expected output
spec file: rename the python-polib dependency name to python2-polib
ipatests: fix for change_principal context manager
ipatests: Add test case for requesting a certificate with full principal.
spec: Add python-sssdconfig dependency for python-ipatests package
Nathaniel McCallum (8)#
Don’t error when find_base() fails if a base is not required
Rename syncreq.[ch] to otpctrl.[ch]
Ensure that ipa-otpd bind auths validate an OTP
Return password-only preauth if passwords are allowed
Enable authentication indicators for OTP and RADIUS
Migrate from #ifndef guards to #pragma once
Enable service authentication indicator management
Add authentication indicators support to Host objects
Oleg Fayans (26)#
CI tests: Enabled automatic creation of reverse zone during master installation
CI tests: Added domain realm as a parameter to master installation in integration tests
Fixed install_ca and install_kra under domain level 0
fixed an issue with master installation not creating reverse zone
Enabled recreation of test directory in apply_common_fixes function
Updated connect/disconnect replica to work with both domainlevels
Removed --ip-address option from replica installation
Removed messing around with resolv.conf
Integration tests for replica promotion feature
Enabled setting domain level explicitly in test class
Removed a constantly failing call to prepare_host
Made apply_common_fixes call at replica installation independent on domain_level
Workaround for ticket 5627
Added copyright info to replica promotion tests
rewrite a misprocessed teardown_method method as a custom decorator
Reverted changes in mh fixture causing some tests to fail
Fixed a bug with prepare_host failing upon existing ipatests folder
Added a kdestroy call to clean ccache at master/client uninstallation
Added 5 more tests to Replica Promotion testsuite
Fixed a failure in legacy_client tests
Add test if replica is working after domain upgrade
Improve reporting of failed tests in topology test suite
Bugfixes in managed topology tests
A workaround for ticket N 5348
Added necessary A record for the replica to root zone
Increased certmonger timeout
Patrice Duc-Jacquet (2)#
Incorrect message when KRA already installed
Add more information regarding where to find revocation reason in “ipa cert_revoke -h” and “ipa cert_find -h”.
Pavel Vomacka (69)#
Add tool tips for Revert, Refresh, Undo, and Undo All
Add support for the ‘user’ url parameter for the reset_password.html
Add validation to Issue new certificate dialog
Add pan and zoom functionality to the topology graph
Nodes stay fixed after initial animation.
Add field for group id in user add dialog
Resize topology graph canvas according to window size
Add X-Frame-Options and frame-ancestors options
Add activate option to stage user details page
Add ‘skip overlap check’ checkbox into add zone dialog
Add ‘skip overlap check’ checkbox to the add dns forward zone dialog
Add option to show OTP when adding host
Update the delete dialog on details user page
Add ability to stage multiple users
Add option to stage user from details page
Change lang.hitch to javascript bind method
Change ‘Restore’ to ‘Remove Hold’
Extend the certificate request dialog
Auth Indicators WebUI part
Fix bad searching of reverse DNS zone
Add adapter attribute for choosing record
DNS Locations: WebUI part
Add lists of hosts allowed to create or retrieve keytabs
Correct a jslint warning
Association table can be read only
Extend table facet
Add server roles on topology page
Search facet can be without search field
Add ability to review cert request dialog
Add new webui plugin - ca
Extend certificate entity page
Extend caacl entity
Make Actions string translatable
Extend DNS config page
Extend trust config page
Add creating a segment using mouse
Add listener which opens add segment dialog
Add placeholder to add segment dialog
Add DNS default TTL field
Allow to set weight of a server without location
DNS Servers: Web UI part
Add support for custom menu in multivalued widget
Extends functionality of DropdownWidget
Add working widget
Add ability to turn off activity icon
Add Object adapter
Refactored certificate view and remove hold dialog
Changed the way how to handle remove hold and revoke actions
Remove old useless actions - get and view
Add widget for showing multiple certificates
Add certificate widget
Add new certificates widget to the user details page
Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
Add new certificates widget to the service details page
Updated certificates table
Add new custom command multivalued widget
Add button for dns_update_system_records command
Add certificate widget to ID override user details page.
Add authentication identificator to host page
Change paths of strings in auth indicators widget on service page
Simplify the confirmation messages
Add support to change button css class on confirm dialog
Add button for server-del command
Change error handling in custom_command_multivalued_widget
Set default confirmation button label to ‘Remove’
Add widgets for kerberos aliases
Add widget for kerberos aliases to user page
Add widget for kerberos aliases to hosts page
Add widget for kerberos aliases to service page
Peter Lacko (1)#
Ping module tests.
Petr Viktorin (46)#
Package ipapython, ipalib, ipaplatform, ipatests for Python 3
Use explicit truncating division
Don’t index exceptions directly
Use print_function future definition wherever print() is used
Alias “unicode” to “str” under Python 3
Avoid builtins that were removed in Python 3
dnsutil: Rename __nonzero__ to __bool__
Remove deprecated contrib/RHEL4
make-lint: Allow running pylint --py3k to detect Python3 issues
Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
test_parameters: Ignore specific error message
ipaldap, ldapupdate: Encoding fixes for Python 3
ipautil.run, kernel_keyring: Encoding fixes for Python 3
tests: Use absolute imports
ipautil: Use mode ‘w+’ in write_tmp_file
test_util: str/bytes check fixes for Python 3
p11helper: Port to Python 3
cli: Don’t encode/decode for stdin/stdout on Python 3
Package python3-ipaclient
Move get_ipa_basedn from ipautil to ipadiscovery
ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
ipapython.sysrestore: Use str methods instead of functions from the string module
ipalib.x809: Accept bytes for make_pem
dns plugin: Fix zone normalization under Python 3
sysrestore: Iterate over a list of dict keys
test_xmlrpc: Use absolute imports
xmlrpc_test: Rename exception instance before working with it
radiusproxy plugin: Use str(error) rather than error.message
xmlrpc_test: Expect bytes rather than strings for binary attributes
ipalib.rpc: Send base64-encoded data as string under Python 3
range plugin tests: Use bytes with MockLDAP under Python 3
radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
certprofile plugin: Use binary mode for file with binary data
test_add_remove_cert_cmd: Use bytes for base64.b64encode()
Switch /usr/bin/ipa to Python 3
Fix remaining relative import and enable Pylint check
ipalib.cli: Improve reporting of binary values in the CLI
test_cert_plugin: Encode ‘certificate’ for comparison with ‘usercertificate’
ipaldap: Keep attribute names as text, not bytes
ipapython.secrets.kem: Use ConfigParser from six.moves
test_topology_plugin: Don’t rely on order of an attribute’s values
test_rpcserver: Expect updated error message under Python 3
ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
ipaldap: Convert dict items to list before iterating
test_ipaserver.test_ldap: Adjust tests to Python 3’s KeyView
Petr Voborník (19)#
Bump 4.4 development version to 4.3.90
webui: add examples to network address validator error message
webui: pwpolicy cospriority field was marked as required
spec: do not require arch specific ipalib package from noarch packages
webui: display server suffixes in server search page
stop installer when setup-ds.pl fail
webui: crash nicely if sessionStorage is not available
webui: remove moot error from webui build
webui: use API call ca_is_enabled instead of enable_ra env variable.
webui: fixed showing of success message after password change on login
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
cookie parser: do not fail on cookie with empty value
fix incorrect name of ipa-winsync-migrate command in help
webui: fail nicely if cookies are disabled
ipa-client-install: fix typo in nslcd service name
Become IPA 4.4.0 Alpha 1
mod_auth_gssapi: enable unique credential caches names
webui: prevent infinite reload for users with krbbprincipal alias set
Become IPA 4.4.0
Petr Špaček (60)#
dns: Handle SERVFAIL in check if domain already exists.
DNSSEC: Improve error reporting from ipa-ods-exporter
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
DNSSEC: Make sure that current key state in LDAP matches key state in BIND
DNSSEC: remove obsolete TODO note
DNSSEC: add debug mode to ldapkeydb.py
DNSSEC: logging improvements in ipa-ods-exporter
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
DNSSEC: ipa-ods-exporter: add ldap-cleanup command
DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
DNSSEC: Log debug messages at log level DEBUG
Fix --auto-reverse option in --unattended mode.
Fix dns_is_enabled() API command to throw exceptions as appropriate
Fix DNS zone overlap check to allow ipa-replica-install to work
Fix ipa-adtrust-install to always generate SRV records with FQDNs
Fix URL for reporting bugs in strings
Pylint: enable parallelism
Makefile: replace perl with sed
Remove function ipapython.ipautil.host_exists()
Extend installers with --forward-policy option
Move automatic empty zone list into ipapython.dnsutil and make it reusable
Add assert_absolute_dnsname() helper to ipapython.dnsutil
Move function is_auto_empty_zone() into ipapython.dnsutil
Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
Add function ipapython.dnsutil.inside_auto_empty_zone()
Auto-detect default value for --forward-policy option in installers
ipa-nis-manage: Replace text references to compat plugin with NIS
ipa-nis-manage: mention return code 3 in man page
DNS: Fix upgrade - master to forward zone transformation
DNS installer: accept --auto-forwarders option in unattended mode
Remove unused file install/share/fedora-ds.init.patch
Batch command: avoid accessing potentially undefined context.principal
pylint: replace Refactor category with individual check names
ipa-nis-manage: add status option
DNS: Warn if forwarding policy conflicts with automatic empty zones
Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
Use root_logger for verify_host_resolvable()
Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
Add ipaDNSVersion option to dnsconfig* commands and use new attribute
DNS upgrade: separate backup logic to make it reusable
Add function ipapython.dnsutil.related_to_auto_empty_zone()
DNS upgrade: change forwarding policy to = only for conflicting forward zones
DNS upgrade: change global forwarding policy in LDAP to “only” if private IPs are used
DNS upgrade: change global forwarding policy in named.conf to “only” if private IPs are used
Require 389-ds-base >= 1.3.5.6
DNS Locations: make ipa-ca record generation more robust
DNS: Support default TTL setting for master DNS zones
DNS: Warn about restart when default TTL setting DNS is changed
DNS: Fix realm domains integration with DNS zone add.
client: Share validator and domain name normalization with server install
DNS: Fix tests for realm domains integration with DNS zone add
client-install: do not fail if DNS times out during DNS update generation
Use NSS for name->resolution in IPA installer
DNS: Remove unnecessary DNS check from installer
DNS: Reinitialize DNS resolver after changing resolv.conf
Fix `Conflicts` with ipa-python
Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
Fix internal errors in host-add and other commands caused by DNS resolution
Simo Sorce (6)#
Use only AES enctypes by default
Always verify we have a valid ldap context.
Improve keytab code to select the right principal.
Convert ipa-sam to use the new getkeytab control
Allow admins to disable preauth for SPNs.
Allow to specify Kerberos authz data type per user
Stanislav Laznicka (31)#
Listing and cleaning RUV extended for CA suffix
Automatically detect and remove dangling RUVs
Cosmetic changes to the code
Fixes minor issues
replica-manage: fail nicely when DM psswd required
ipa-replica-manage refactoring
abort-clean/list/clean-ruv now work for both suffixes
Moved password check from clean_dangling_ruv
Fix to clean-dangling-ruv for single CA topologies
Added pyusb as a dependency
Added some attributes to Modify Users permission
Deprecated the domain-level option in ipa-server-install
Increased mod_wsgi socket-timeout
Added = mapping to krb5.conf
Decreased timeout for IO blocking for DS
fixes premature sys.exit in ipa-replica-manage del
Remove dangling RUVs even if replicas are offline
Added krb5.conf.d/ to included dirs in krb5.conf
Removed dead code from LDAP{Remove,Add}ReverseMember
Fixes CA always being presented as running
Increase nsslapd-db-locks to 50000
host/service-show/find shouldn’t fail on invalid certificate
Fix to ipa-ca-install asking for host principal password
Fix topologysuffix-verify failing connections
topo segment-add: validate that both masters support target suffix
Add missing nsSystemIndex attributes
Revert “Removed dead code from LDAP{Remove,Add}ReverseMember”
The LDAP*ReverseMember shouldn’t imply --all is always specified
Fix wrong imports in copy-schema-to-ca.py
host: Added permissions for auth. indicators read/modify
service: Added permissions for auth. indicators read/modify
Sumit Bose (3)#
ipa-kdb: get_authz_data_types() make sure entry can be NULL
ipa-kdb: map_groups() consider all results
extdom: add certificate request
Thierry Bordaz (5)#
configure DNA plugin shared config entries to allow connection with GSSAPI
DS deadlock when memberof scopes topology plugin updates
Make sure ipapwd_extop takes precedence over passwd_modify_extop
Topology plugins sigsev/heap corruption when adding a managed host
ipapwd_extop should use TARGET_DN defined by a pre-extop plugin
Thorsten Scherf (1)#
Fixed typo in service-add
Timo Aaltonen (6)#
Use HTTPD_USER in dogtaginstance.py
Move freeipa certmonger helpers to libexecdir.
ipa_restore: Import only FQDN from ipalib.constants
ipaplatform: Move remaining user/group constants to ipaplatform.constants.
Use ODS_USER/ODS_GROUP in opendnssec_conf.template
Fix kdc.conf.template to use ipaplatform.paths.
Tomáš Babej (10)#
py3: Remove py3 incompatible exception handling
logger: Use warning instead of warn
Logger: Use warning instead of warn - dns plugin
ipa-getkeytab: Handle the possibility of not obtaining a result
ipa-adtrust-install: Allow dash in the NETBIOS name
spec: Bump required sssd version to 1.13.3-5
adtrustinstance: Make sure smb.conf exists
l10n: Remove Transifex configuration
ipalib: Fix user certificate docstrings
idviews: Add user certificate attribute to user ID overrides
Yuri Chornoivan (4)#
Fix minor typo
Fix minor typos
Fix minor typos
Fix minor typo