
Releases/4.4.0

Release date: 2016-07-01

The FreeIPA team would like to announce the FreeIPA v4.4.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.0

Enhancements:

  • Improved Topology Management

<http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>

  • Added Overview of IPA server roles:

<http://www.freeipa.org/page/V4/Server_Roles>

  • Added support for certificates for AD users:

<http://www.freeipa.org/page/V4/Certs_in_ID_overrides>

  • Added support for UPN for trusted domains

<http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>

  • Added support for Kerberos Authentication Indicators

<http://www.freeipa.org/page/V4/Authentication_Indicators>

  • Added DNS Location Mechanism (Howto)

<http://www.freeipa.org/page/V4/DNS_Location_Mechanism>

  • Several performance improvements

<http://www.freeipa.org/page/V4/Performance_Improvements>

  • Refactored IPA command line tool

<http://www.freeipa.org/page/V4/Thin_Client>

  • Added support for Sub-CAs

<http://www.freeipa.org/page/V4/Sub-CAs>

  • Added support for Kerberos principal aliases

<http://www.freeipa.org/page/V4/Kerberos_principal_aliases>

Known Issues

Bug fixes

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
  • #2008 [RFE] IPA should support and manage DNS Locations
  • #2795 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days
  • #2956 Define missing DNS zone attribute for default TTL value
  • #3197 Use noarch RPMs for Python-only packages
  • #3376 Do not do extra LDAP search for ipasshpubkey to generate fingerprints
  • #3517 Incorrect *.py[co] files placement
  • #3864 Adjust Kerberos Principal Aliases implementation
  • #3961 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  • #4022 When search hits the size limit, it should explicitly say so or message like # hosts matched suggests there are not other
  • #4235 ipa-replica-manage -H does not delete DNS SRV records
  • #4421 host-mod command prevents creating Kerberos principal aliases
  • #4427 [RFE] New API versioning
  • #4559 [RFE] Support lightweight sub-CAs
  • #4602 [RFE] Offer OTP generation for host enrollment in the UI
  • #4631 Add X-Frame-Options, frame-ancestors to UI webpages
  • #4739 [RFE] Support API clients newer than server
  • #4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger
  • #4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs
  • #4844 Principal canonicalization does not work for principals in IPA realm
  • #4942 [RFE] Allow user authentication using cert on smart card against IPA UI
  • #4955 [RFE] Allow managing certificates for AD users in IPA
  • #4987 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
  • #4995 add finer control of getting members
  • #5001 Make it possible to pre-fill the Username field of /ipa/ui/reset_password.html
  • #5076 [WebUI] General invalid password error message appearing for "Locked user"
  • #5077 [WebUI] UI error message is not appropriate for "Kerberos principal expiration"
  • #5108 webui for {user|service|host}_{add|remove}_cert commands
  • #5115 ipatests: registering plugins via API.register/Registrar class doesn't work
  • #5168 search by users which don't have read rights for all attrs in search_attributes fails
  • #5181 [RFE] Expand server-show/find with the list of configured components
  • #5221 Installer adds NTP SRV records into DNS for IPA servers which does not have ntp configured
  • #5281 3 unnecessary search operations for each user in user-find
  • #5294 [tracker] certprofile-import error message is not clear
  • #5307 ipa-replica-manage del --force --clean won't clean remnant records if there is no RUV with replica ID
  • #5311 Show Certificate displays in useless format
  • #5315 ipa-kra-install prints incorrect errors message when kra is already installed
  • #5354 [RFE] Support of UPN for trusted domains
  • #5369 [UI] Stageuser capabilities - "Activate" option not available for a staged user in detailed info
  • #5370 [UI] Stageuser capabilities - "Delete" option does not offer choice between permanent/preserved in detailed user info
  • #5371 [UI] Stageuser capabilities - Preserved user cannot be converted to staged user - missing option
  • #5376 [tracker] Replica prepare: Certificate issuance failed
  • #5380 ipa-replica-manage: no way to show traceback on unexpected error
  • #5381 [WebUI] Missing UI for working with multiple certificates in User, Host, Service pages
  • #5383 Reduce ioblocktimeout and idletimeout defaults
  • #5396 Cleanallruv task should not wait for cleanallruv result on the others replicas
  • #5413 [RFE] Allow users to authenticate with alternative names
  • #5428 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI
  • #5432 Issue New Certificate dialogs do not validate data
  • #5434 add context to exception on LdapEntry decode error
  • #5443 ipa-server-install dies during pkispawn if /etc/hostname not properly configured
  • #5448 ipa user-add slows down as more users are added
  • #5523 [RFE] Update default profiles to always add SAN dnsName
  • #5534 ipa-client-install fails when the client has active point to point connections
  • #5547 ipa client should configure kpasswd_server directive in krb5.conf
  • #5561 Unable to install replica due error during restarting dirsrv
  • #5588 [RFE] change `ipa-replica-manage del` into an API method for domain level 1
  • #5591 FreeIPA ipa-client-install error: Hostname (computer.company.lan) does not have A/AAAA record.
  • #5599 Kerberos could take advantage of slapi-nis specific control that skip slapi-nis map evaluation
  • #5620 Centralize DNS record creation in IPA services
  • #5627 ipa host-del fails with --updatedns option if host does not have a dns record
  • #5642 ipa-getkeytab: extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
  • #5643 WebUI: Application crashes if sesssionStorage is not available
  • #5645 [WebUI] Dialog "Issue New Certificate" should mention SAN names
  • #5648 webui: topology graph: add segments by drag and drop
  • #5652 webui: unable to review certificate request if the request is not successful
  • #5656 webui: browser setup page includes instructions for Internet Explorer
  • #5659 typo in service-add
  • #5675 ipa host-del --updatedns should remove related dns entries.
  • #5677 API calls fail on "LimitsExceeded" error
  • #5681 Residual Files After IPA Server Uninstall
  • #5689 move set-renewal-master command to API from ipa-csreplica-manage
  • #5694 update ipa-client-install --request-cert man page with chroot workaround
  • #5702 webui: change dojo's lang.hitch() to the javascript .bind() method
  • #5703 ipa-client-install should enable ChallengeResponseAuthentication by default
  • #5708 ipa-server-install manpage doesn't contain info about --domain-level option
  • #5710 Fix forward zone conflicts with automatic empty zones from BIND
  • #5717 Consider removing our implementation of CalledProcessError
  • #5721 error installing ca-less replica with valid certificates
  • #5732 Web interface not showing ipa forwarders
  • #5740 ipa-replica-prepare: Traceback if reverse zone does not exists
  • #5741 [tests] Admin is getting Insufficient privileges to promote the server when installing ca-less replica
  • #5743 [RFE] External Trust with Active Directory domain
  • #5751 Error: Unknown warnings category 'experimental::smartmatch' at /usr/share/dirsrv/updates/52updateAESplugin.pl line 9.
  • #5757 incorrect SELinux label of second replica's /var/log/ipareplica-conncheck.log
  • #5758 Replica installation crashes on certmonger timeout
  • #5759 Missing pre_callback in stageuser_add
  • #5761 ipa-client-install throws Python exception on FIPS enabled servers
  • #5762 [RFE] Support IdM Client in a DNS domain controlled by AD
  • #5768 Include description for 'status' option in man page for ipactl command.
  • #5772 Failures in topology tests produce unclear error messages
  • #5773 [webui] option --skip-overlap-check cannot be set in DNS zone adder dialog
  • #5774 ipa config-mod allows to set maxusername limit higher than 255 characters
  • #5782 ipa-kdb support for krbPrincipalAuthInd
  • #5783 permission plugin tests fail on 4.3 branch
  • #5787 SchemaCache doesn't work
  • #5789 "no such entry" error is shown when installer does not receive password from pkcs file
  • #5792 ipa-server-install: report which certificate is missing in external cert trust chain
  • #5794 ipa-server-install does not completely change hostname and named-pkcs11 fails
  • #5796 [webui] IPA Error 3009: Validation error: Invalid 'ptrrecord': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
  • #5797 host-show, host-find failed when usercertificate in LDAP is invalid
  • #5800 kdestroy command in unapply_fixes function in test_integration/tasks.py causes legacy client tests to fail
  • #5804 Test for "#4986 Web UI misses check box..." and "#5505 Creating a user w/o private group..." needed
  • #5810 batch command can be used to trigger internal errors on server
  • #5811 ipa-client-install failing with SyntaxError: Syntax Error: Unknown line format
  • #5812 always qualify requests for admin
  • #5815 Integrate NTP service into server roles
  • #5819 ipa cert-revoke --help doesn't provide enough info on revocation reasons
  • #5820 advertise ipactl start --ignore-service-failure option
  • #5826 Integrate NTP service into server roles: upgrade from older IPA versions
  • #5833 cli: "gateway time out" with long running task
  • #5835 ipa-replica-install man page lacks CA less options
  • #5839 Tests: cleanup for host certificate does not work well in test_host_plugin.py
  • #5840 ipa-replica-manage clean-dangling-ruv fails in topologies with only one CA
  • #5841 upgrade: find_hostname() method should be replaced by api.env.host
  • #5842 Replica installation fails with ipa-getkeytab timeouts
  • #5851 DNS upgrade is broken: master zones are not transformed to forward zones properly
  • #5856 ipa-nis-manage command should include status option
  • #5857 ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
  • #5865 make rpms does not fail if api does not match API.txt
  • #5866 [RFE] Create guidance how to setup/migrate IPA that contains big amount of data
  • #5867 topology graph: display "autogenerated" placeholder while adding segment
  • #5868 Upgrader sometimes returns PR_ADDRESS_NOT_SUPPORTED_ERROR from dogtag upgrade
  • #5869 ipa-dns-install --auto-forwarders option does not work in unattended mode
  • #5870 [tracker] DNSSEC signing is broken on Fedora 24
  • #5871 'man ipa' should be updated with latest commands
  • #5872 [webui] authentication indicators
  • #5878 Inconsistent UI and CLI options for removing certificate hold
  • #5885 ipa cert-request causes internal server error while requesting certificate
  • #5886 missing dependency: python3-pyusb
  • #5889 Client-only build fails
  • #5892 Unused code in LDAPRemoveReverseMember
  • #5894 makeapi validation fails on architectures where integer is less than 32 bits
  • #5898 CAInstance presented as always running
  • #5899 Remove unused code from automount plugin
  • #5903 always add mapping (my hostname) = (IPA realm) to krb5.conf
  • #5904 [RFE] Add 'external' checkbox corresponding to '--external' flag in 'trust-add' command
  • #5905 [RFE] Create webui for DNS locations
  • #5906 [RFE] WebUI for server roles
  • #5907 deprecate '--domain-level' option in ipa-server-install
  • #5911 Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
  • #5912 Installing freeipa client breaks crypto-policies for krb5
  • #5914 invalid setting of DS lock table size
  • #5920 automount.py: strings in output_for_cli method should be translated
  • #5926 [RFE] add certificate field into ID Views
  • #5927 Web UI for Kerberos Principal Aliases
  • #5928 topology plugins sigsev when adding a managed host
  • #5931 Add, remove, list hosts allowed to retrieve keytabs in Web UI
  • #5937 [RFE] Support of UPN for trusted domains
  • #5938 otptoken-add is not Python 3 clean
  • #5939 [RFE] WebUI for sub-CA
  • #5942 trusts: make sure child domains are not shown as part of the trust-find command
  • #5943 dogtag-ipa-ca-renew-agent-submit cannot access api.Object.config
  • #5944 ipapwd_extop should take precedence over default DS plugin
  • #5946 Enable password change extop to apply on virtual entry like the entry in compat tree
  • #5947 Missing nsSystemIndex attribute for some entries in index update file
  • #5954 ipa passwd tracebacks
  • #5958 Upgrade is broken on servers without CA
  • #5960 API call dnsconfig_show returns null as value of dnssec_key_master_server
  • #5961 P11 tests breaks environment, which causes changepw tests to fail
  • #5962 Unable to install server without A record even if --setup-dns option is used
  • #5963 Replica installation fails on domain level 0
  • #5965 conncheck in ipa-ca-install running on replica asks for host/principal "password"
  • #5966 Missing 'ipa-ca' records for replica installed by replica promotion
  • #5967 "CA" segment can be created for servers without CA suffix
  • #5968 renew_ca_cert helper cannot access config plugin
  • #5973 adtrust-install prints 'CRITICAL Failed to remove old key' even during clean install
  • #5975 local variable 'ipaconf' referenced before assigment
  • #5976 replica-promotion: is possible to set invalid IPA domain
  • #5977 topology plugins sigsev/heap corruption when adding a managed host
  • #5978 server/client uninstall does not clean krb5.keytab properly
  • #5981 Unhandled PKI error in ca-add
  • #5982 [tracker] KRA: installation of second KRA fails
  • #5983 Ensure that replica promotion deny to install a replica against a server with newer version
  • #5985 Replica install: Failed to load replica-s4u2proxy.ldif
  • #5987 Nonexistent attributes in ValidationError
  • #5988 Don't connect to memcache in session manager on module import
  • #5991 Principal does not get created when I add a certificate with "Add principal" checkbox checked
  • #5995 full IPA restore fails due to unsuccessful client API initialization
  • #5996 ipa-replica-install failure: Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=ldap/...
  • #5999 Some cert commands are missing the --ca option
  • #6000 `test_serverroles` suite uses incorrect LDAP uri when ran together with other tests
  • #6003 execution of copy-schema script fails
  • #6004 Fix `Conflicts` with ipa-python
  • #6009 *-show option "--all" newly requires argument
  • #6011 upgrade failed for 4.4 alpha from 4.2.3.?

Detailed Changelog since 4.3.1

Abhijeet Kasurde (12)

  • Added kpasswd_server directive in client krb5.conf
  • Fixed login error message box in LoginScreen page
  • Added fix for notifying user about Kerberos principal expiration in WebUI
  • Added description related to 'status' in ipactl man page
  • Added warning to user for Internet Explorer
  • Added fix for notifying user about locked user account in WebUI
  • Updated ipa command man page
  • Fix added to ipa-compat-manage command line help
  • Removed custom implementation of CalledProcessError
  • Replaced find_hostname with api.env.host
  • Added exception handling for mal-formatted XML Parsing
  • Added missing translation to automount.py method

Alexander Bokovoy (11)

  • slapi-nis: update configuration to allow external members of IPA groups
  • extdom: do not fail to process error case when no request is specified
  • otptoken: support Python 3 for the qr code
  • trusts: Add support for an external trust to Active Directory domain
  • adtrust: remove nttrustpartner parameter
  • adtrust: remove nttrustpartner parameter
  • adtrust: support GSSAPI authentication to LDAP as Active Directory user
  • adtrust: support UPNs for trusted domain users
  • webui: show UPN suffixes in trust properties
  • webui: support external flag to trust-add
  • adtrust: optimize forest root LDAP filter

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall
  • Modernize mod_nss's cipher suites
  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (35)

  • installer: Propagate option values from components instead of copying them.
  • installer: Fix logic of reading option values from cache.
  • ipa-dns-install: Do not check for zone overlap when DNS installed.
  • ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
  • installer: Change reverse zones question to better reflect reality.
  • Fix: Use unattended parameter instead of options.unattended
  • CI: Add '2-connected' topology generator.
  • CI: Add simple replication test in 2-connected topology.
  • CI: Add test for 2-connected topology generator.
  • CI: Fix pep8 errors in 2-connected topology generator
  • CI: add empty topology test for 2-connected topology generator
  • CI: Add double circle topology.
  • CI: Add replication test utilizing double-circle topology.
  • CI: Add test for double-circle topology generator.
  • CI: Make double circle topology python3 compatible
  • upgrade: Match whole pre/post command not just basename.
  • dsinstance: add start_tracking_certificates method
  • httpinstance: add start_tracking_certificates method
  • Look up HTTPD_USER's UID and GID during installation.
  • test: test_cli: Do not expect defaults in kwargs.
  • man: Describe ipa-client-install workaround for broken D-Bus environment.
  • installer: positional_arguments must be tuple or list of strings
  • installer: index() raises ValueError
  • Remove unused locking "context manager"
  • schema: Add fingerprint and TTL
  • schema: Add known_fingerprints option to schema command
  • schema: Cache schema in api instance
  • schema: return fingerprint as unicode text
  • env: Add 'server' variable to api.env
  • schema: Caching on schema on client
  • test: automember: Fix expected exception message
  • test: cert: Reflect change in behavior in tests
  • schema: Decrease schema TTL to one hour
  • schema: Perform the check for schema update when force_schema_check is True
  • Allow unexpiring passwords

Filip Skola (9)

  • Refactor test_user_plugin, use UserTracker for tests
  • Refactor test_replace
  • Refactor test_attr
  • Refactor test_sudocmd_plugin
  • Refactor test_sudocmdgroup_plugin
  • Refactor test_group_plugin, use GroupTracker for tests
  • Refactor test_nesting, create HostGroupTracker
  • Refactor test_hostgroup_plugin
  • Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (9)

  • Add missing CA options to the manpage for ipa-replica-install
  • Add the culprit line when a configuration file has an incorrect format
  • add context to exception on LdapEntry decode error
  • batch command can be used to trigger internal errors on server
  • Always qualify requests for admin in ipa-replica-conncheck
  • Report missing certificate in external trust chain
  • Do not allow installation in FIPS mode
  • Fix ipa-server-certinstall with certs signed by 3rd-party CA
  • Do not log error when removing a non-existing file

Fraser Tweedale (37)

  • Do not decode HTTP reason phrase from Dogtag
  • Remove workaround for CA running check
  • caacl: correctly handle full user principal name
  • Prevent replica install from overwriting cert profiles
  • Detect and repair incorrect caIPAserviceCert config
  • Remove service and host cert issuer validation
  • Allow CustodiaClient to be used by arbitrary principals
  • Load server plugins in certmonger renewal helper
  • Add ACIs for Dogtag custodia client
  • Optionally add service name to Custodia key DNs
  • Setup lightweight CA key retrieval on install/upgrade
  • Authorise CA Agent to manage lightweight CAs
  • Add custodia store for lightweight CA key replication
  • Add 'ca' plugin
  • Add IPA CA entry on install / upgrade
  • Update 'caacl' plugin to support lightweight CAs
  • Add CA argument to ra.request_certificate
  • Update cert-request to allow specifying CA
  • Add issuer options to cert-show and cert-find
  • replica-install: configure key retriever before starting Dogtag
  • upgrade: do not try to start CA if not configured
  • restart scripts: bootstrap api with in_server=True
  • Require Dogtag >= 10.3.3
  • Fix IssuerDN presence check in cert search result
  • Set default OCSP URI on install and upgrade
  • ipaldap: turn LDAP filter utility functions into class methods
  • Skip CS.cfg update if cert nickname not known
  • Update lightweight CA serial after renewal
  • ipa-certupdate: track lightweight CA certificates
  • cert-find: fix 'issuer' option
  • cert-request: better error msg when 'add' not supported
  • Check for CA subject name collision before attempting creation
  • Add --ca option to cert-revoke and cert-remove-hold
  • Split CA replica installation steps for domain level 0
  • Fix migration from pre-lightweight CAs master
  • Add --cn option to cert-status
  • Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3

Gabe Alford (1)

  • ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

Jakub Hrozek (1)

  • sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1)

  • Set close button type attribute to 'button'.

Jan Barta (1)

  • pylint: fix: multiple-statements

Jan Cholasta (139)

  • ipautil: remove unused import causing cyclic import in tests
  • ipalib: assume version 2.0 when skip_version_check is enabled
  • ipapython: remove default_encoding_utf8
  • ipapython: port p11helper C code to Python
  • ipapython: use python-cryptography instead of libcrypto in p11helper
  • spec file: package python-ipalib as noarch
  • cert renewal: import all external CA certs on IPA CA cert renewal
  • replica install: validate DS and HTTP server certificates
  • replica promotion: fix AVC denials in remote connection check
  • cacert install: fix trust chain validation
  • client: stop using /etc/pki/nssdb
  • ipalib: provide per-call command context
  • ipalib: add convenient Command method for adding messages
  • certdb: never use the -r option of certutil
  • spec file: bump minimum required pki-core version
  • build: fix client-only build
  • makeapi: use the same formatting for `int` and `long` values
  • replica install: do not set CA renewal master flag
  • rpc: do not crash when unable to parse JSON
  • parameters: remove unused ConversionError and ValidationError arguments
  • rpc: include structured error information in responses
  • frontend: re-raise remote RequirementError using CLI name in CLI
  • frontend: remove the unused Command.soft_validate method
  • frontend: perform argument value validation only on server
  • batch: do not crash when no argument is specified
  • ipalib: make optional positional command arguments actually optional
  • frontend: do not forward unspecified positional arguments to server
  • user: do not assume the preserve flags have value in user_del
  • frontend: do not forward argument defaults to server
  • makeapi: optimize API.txt
  • ipalib: remove the unused `csv` argument of Param
  • makeaci: load additional plugins using API.add_module
  • plugable: replace API.import_plugins with new API.add_package
  • ipalib, ipaserver: migrate all plugins to Registry-based registration
  • ipalib, ipaserver: fix incorrect API.register calls in docstrings
  • plugable: remove the unused deprecated API.register method
  • plugable: switch API to Registry-based plugin discovery
  • frontend: merge baseldap.CallbackRegistry into Command
  • frontend: move the interactive_prompt callback type to Command
  • automount: do not inherit automountlocation_import from LDAPQuery
  • dns: move code called on client to the module level
  • dns: do not rely on server data structures in code called on client
  • otptoken: fix import of DN
  • otptoken_yubikey: fix otptoken_add_yubikey arguments
  • vault: move client-side code to the module level
  • vault: copy arguments of client commands from server counterparts
  • ipalib: use relative imports for cross-plugin imports
  • frontend: allow commands to have an argument named `name`
  • cli: make optional positional command arguments actually optional
  • dns: fix dnsrecord interactive mode
  • ipaclient: introduce ipaclient.plugins
  • ipalib: move client-side plugins to ipaclient
  • help, makeapi: allow setting command topic explicitly
  • help, makeapi: specify module topic by name
  • help, makeapi: do not use hardcoded plugin package name
  • plugable: turn Plugin attributes into properties
  • plugable: simplify API plugin initialization code
  • plugable: remember overridden plugins in API
  • frontend: turn Method attributes into properties
  • ipaclient: add client-side command override class
  • dns: move code shared by client and server to separate module
  • ipalib: split off client-side plugin code into ipaclient
  • parameters: introduce cli_metavar keyword argument
  • parameters: introduce no_convert keyword argument
  • ipalib: replace DeprecatedParam with `deprecated` Param argument
  • ipalib: introduce API schema plugins
  • rpc: respect API config in RPCClient.create_connection
  • rpc: allow overriding NSS DB directory in API config
  • rpc: specify connection options in API config
  • rpc: optimize JSON-RPC response handling
  • rpc: do not validate command name in RPCClient.forward
  • client install: finalize API after CA certs are available
  • ipactl: use server API
  • ipalib: move File command arguments to ipaclient
  • misc: hide the unused --all option of `env` and `plugins` in CLI
  • ipaclient: implement thin client
  • ipalib: move server-side plugins to ipaserver
  • frontend: do not check API minor version of the client
  • schema: do not validate unrequested params in command_defaults
  • replica install: use remote server API to create service entries
  • schema: fix topic command output
  • schema: fix typo
  • spec file: require correct packages to get API plugins
  • plugable: allow plugins to be non-classes
  • plugable: initialize plugins on demand
  • schema: generate client-side commands on demand
  • batch, schema: use Dict instead of Any
  • misc: fix empty CLI output of `env` and `plugins` commands
  • dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
  • frontend: call `execute` rather than `forward` in Local
  • schema: exclude local commands
  • schema: fix client-side dynamic defaults
  • makeaci, makeapi: use in-server API
  • frontend: don't copy command arguments to output params
  • frontend: skip `value` output in output_for_cli
  • frontend: do not crash on missing output in output_for_cli
  • automember: add object plugin for automember_rebuild
  • dns: do not rely on custom param fields in record attributes
  • misc: skip `count` and `total` output in env.output_for_cli
  • passwd: handle sort order of passwd argument on the client
  • permission: handle ipapermright deprecated CLI alias on the client
  • schema: add object class schema
  • schema: remove output_params
  • schema: merge command args and options
  • schema: remove redundant information
  • schema: remove `no_cli` from command schema
  • replica install: fix thin client regression
  • ldap: fix handling of binary data in search filters
  • cert: add object plugin
  • cert: add owner information
  • cert: allow search by certificate
  • dns: fix dns_update_system_records to work with thin client
  • schema: fix param default value handling
  • schema: do not crash in command_defaults if argument is None
  • automember: fix automember to work with thin client
  • schema: client-side code cleanup
  • misc: generate `plugins` result directly in the command
  • plugable: use plugin class as the key in API namespaces
  • plugable: support plugin versioning
  • schema: support plugin versioning
  • frontend: forward command calls using full name
  • schema: fix Flag arguments on the client
  • schema: properly fix Flag arguments on the client
  • backup: use in-server API in ipa-backup and ipa-restore
  • replica install: don't allow install against a newer server
  • session: move the session module from ipalib to ipaserver
  • session: do not initialize session manager on import
  • xmlserver: initialize RPC server plugins only in server context
  • makeaci, makeapi, oddjob: use the default API context
  • server: define missing virtual attributes
  • user: add object plugin for user_status
  • frontend: do not ignore client-side output params
  • cert: fix CLI output of cert_remove_hold
  • plugable: add option to ignore override errors
  • client: ignore override errors in command overrides
  • client: add placeholders for required remote plugins
  • server: exclude Local commands from RPC
  • client: do not crash when overriding remote command as method
  • client: add support for pre-schema servers

Jérôme Fenal (1)

  • Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (12)

  • WebUI tests: fix failing of tests due to unclickable label
  • WebUI test: ID views
  • WebUI: Test creating user without private group
  • Test fix: Cleanup for host certificate
  • Test: Maximum username length higher than 255 cannot be set
  • Tests: Fix for failing location tests
  • Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
  • Tests: Make ID views tests reflect new krbcanonicalname attribute
  • Tests: Fix failing ipatests/test_ipalib/test_errors.py
  • Tests: Remove DNS configuration from trust tests
  • Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py
  • Tests: Fix frontend tests

Ludwig Krispenz (2)

  • prevent moving of topology entries out of managed scope by modrdn operations
  • v2 - avoid crash in topology plugin when host list contains host with no hostname

Lukáš Slebodník (6)

  • extdom: Remove unused macro
  • IPA-SAM: Fix build with samba 4.4
  • CONFIGURE: Replace obsolete macros
  • ipa-sam: Do not redefine LDAP_PAGE_SIZE
  • SPEC: Remove unused build dependency on libwbclient
  • BUILD: Remove detection of libcheck

Martin Babinsky (68)

  • raise more descriptive Backend connection-related exceptions
  • harden domain level 1 topology connectivity checks
  • ipalib/x509.py: revert deletion of ipalib api import
  • prevent crash of CA-less server upgrade due to absent certmonger
  • use FFI call to rpmvercmp function for version comparison
  • tests for package version comparison
  • fix Py3 incompatible exception instantiation in replica install code
  • ipa-csreplica-manage: remove extraneous ldap2 connection
  • IPA upgrade: move replication ACIs to the mapping tree entry
  • uninstallation: more robust check for master removal from topology
  • correctly set LDAP bind related attributes when setting up replication
  • disable RA plugins when promoting a replica from CA-less master
  • fix standalone installation of externally signed CA on IPA master
  • reset ldap.conf to point to newly installed replica after promotion
  • always start certmonger during IPA server configuration upgrade
  • upgrade: unconditional import of certificate profiles into LDAP
  • CI tests: use old schema when testing hostmask-based sudo rules
  • use LDAPS during standalone CA/KRA subsystem deployment
  • test_cert_plugin: use only first part of the hostname to construct short name
  • only search for Kerberos SRV records when autodiscovery was requested
  • spec: add conflict with bind-chroot to freeipa-server-dns
  • spec: require python-cryptography newer than 0.9
  • ipa-replica-manage: print traceback on unexpected error when in verbose mode
  • otptoken-add: improve the robustness of QR code printing
  • differentiate between limit types when LDAP search exceeds configured limits
  • specify type of exceeded limit when warning about truncated search results
  • replica-prepare: do not add PTR records if there is no IPA managed reverse zone
  • Server Roles: definitions of server roles and attributes
  • Server Roles: Backend plugin to query roles and attributes
  • Test suite for `serverroles` backend
  • Server Roles: public API for server roles
  • Server Roles: make server-{show,find} utilize role information
  • Server Roles: make *config-show consume relevant roles/attributes
  • Server Roles: provide an API for setting CA renewal master
  • Add NTP to the list of services stored in IPA masters LDAP subtree
  • Introduce "NTP server" role
  • ipaserver module for working with managed topology
  • delegate removal of master DNS record and replica keys to separate functions
  • server-del: perform full master removal in managed topology
  • CI test suite for `server-del`
  • ipa-replica-manage: use `server_del` when removing domain level 1 replica
  • remove the master from managed topology during uninstallation
  • Fix listing of enabled roles in `server-find`
  • Do not update result of *-config-show with empty server attributes
  • server-del: harden check for last roles
  • perform case-insensitive principal search when canonicalization is requested
  • mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
  • add case-insensitive matching rule to krbprincipalname index
  • add krbCanonicalName to attributes watched by MODRDN plugin
  • ipa-kdb: set krbCanonicalName when creating new principals
  • ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
  • IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
  • set krbcanonicalname on host entry during krbinstance configuration
  • account for added krbcanonicalname attribute during xmlrpc tests
  • Fix incorrect construction of service principal during replica cleanup
  • keep setting ipakrbprincipal objectclass on new service entries
  • test_serverroles: ensure that test API is initialized with correct ldap_uri
  • test-{service,host}-plugin: only expect krbcanonicalname when all=True
  • ipapython module for Kerberos principal manipulation and parsing
  • Test suite for `ipapython/kerberos.py`
  • ipalib: introduce Principal parameter
  • Migrate management framework plugins to use Principal parameter
  • Add ACI for admins to modify principal attributes
  • replace an ACI relying on presence of deprecated objectclass
  • Allow for commands that use positional parameters to add/remove attributes
  • Make framework consider krbcanonicalname as service primary key
  • Provide API for management of host, service, and user principal aliases
  • Unify display of principal names/aliases across entities

Martin Bašti (162)

  • Fix DNS tests: dns-resolve returns warning
  • Remove unused code in server installer related to KRA
  • Fix version comparison
  • Fix: replace mkdir with chmod
  • Use module variables for timedate_services
  • Remove empty test file
  • Remove unused imports
  • Remove wildcard imports
  • Enable multiple warnings checks in Pylint
  • Enable pylint lost exception check
  • Enable pylint duplicated-key check
  • Enable pylint trailing-whitespace check
  • Enable pylint missing-final-newline check
  • Enable pylint unused-format-string-key check
  • Enable pylint expression-not-assigned check
  • Enable pylint empty-docstring check
  • Enable pylint unnecessary-pass check
  • update_uniqueness plugin: fix referenced before assignment error
  • Allow to use mixed case for sysrestore
  • Upgrade: Fix upgrade of NIS Server configuration
  • DNSSEC test: fix adding zones with --skip-overlap-check
  • DNSSEC CI: add missing ldns-utils dependency
  • Enable pylint unpacking-non-sequence check
  • Enable pylint unbalanced-tuple-unpacking check
  • CI test: fix regression in task.install_kra
  • Warn about potential loss of CA, KRA, DNSSEC during uninstall
  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)
  • Fix DNSSEC test: add glue record
  • Warn user when ipa *-find reach limit
  • DNSSEC CI: fix zone delegations
  • make lint: use config file and plugin for pylint
  • Upgrade: log to ipaupgrade.log when IPA server is not installed
  • Disable new pylint checks
  • Py3: do not use dict.iteritems()
  • upgrade: fix config of sidgen and extdom plugins
  • trusts: use ipaNTTrustPartner attribute to detect trust entries
  • Warn user if trust is broken
  • fix upgrade: wait for proper DS socket after DS restart
  • Revert "test: Temporarily increase timeout in vault test."
  • Remove duplicated except
  • Pylint: add missing attributes of errors to definitions
  • fix permission: Read Replication Agreements
  • Make PTR records check optional for IPA installation
  • Fix connections to DS during installation
  • pylint: suppress false positive no-member errors
  • CI: allow customized DS install test to work with domain levels
  • fix suspicious except statements
  • Remove unused arguments from update_ssh_keys method
  • Configure 389ds with "default" cipher suite
  • krb5conf: use 'true' instead of 'yes' for forwardable option
  • stageuser-activate: Normalize manager value
  • Remove redundant parameters from CS.cfg in dogtaginstance
  • Use platform path constant for SSSD log dir
  • Fix broken trust warnings
  • spec: Add missing dependencies to python*-ipalib package
  • client: enable ChallengeResponseAuthentication in sshd_config
  • pylint: remove bare except
  • Pylint: fix definition of global variables
  • Pylint: enable pointless-except check
  • Pylint: enable reimported check
  • Pylint: use list comprehension instead of iteration
  • Pylint: import max one module per line
  • Pylint: remove unnecessary-semicolon
  • Pylint: enable invalid-name check
  • SPEC: do not run upgrade when ipa server is not installed
  • Fix: catch Exception instead of more specific exception types
  • Fix stageuser-activate - managers test
  • Add missing pre_common_callback to stageuser_add
  • host_del: fix removal of host records
  • host_del: replace dns-record find command with show
  • host_del: remove unneeded dnszone-show command call
  • host_del: split removing A/AAAA and PTR records to separate functions
  • host_del: remove only A, AAAA, SSHFP, PTR records
  • host_del: update help for --updatedns option
  • host-del --updatedns: print warnings instead of error
  • Use netifaces module instead of 'ip' command
  • Limit max username length to 255 in config-mod
  • Increase API version for 'ipamaxusernamelength' attribute change
  • Configure httpd service from installer instead of directly from RPM
  • Performance: don't download password attributes in host/user-find
  • Do not do extra search for ipasshpubkey to generate fingerprints
  • Always set hostname
  • Remove deprecated hostname restoration from Fedora18
  • Remove unused hostname variables
  • Log errors from backup_and_replace hostname to logger
  • Tasks: raise NotImplementedError for not implemented methods
  • fix stageuser tests (removal of has_keytab and has_password from find)
  • make: fail when ACI.txt or API.txt differs from values in source code
  • ipactl: advertise --ignore-service-failure option
  • Remove unused variable and finally block in SchemaCache
  • Fix referenced before assignment variables in except statements
  • Upgrade: always start CA
  • Remove unused variables in automount plugin
  • fix pylint false positive errors
  • Translations: remove deprecated locale configuration
  • Make option --no-members public in CLI
  • Performance: Find commands: do not process members by default
  • Test: fix failing host_test
  • Fix: replace incorrect no_cli with no_option flag
  • Fix: topologysuffix_find doesn't have no_members option
  • DNS Locations: Always create DNS related privileges
  • DNS Locations: add new attributes and objectclasses
  • DNS Locations: location-* commands
  • DNS Locations: API tests
  • Allow to use non-Str attributes as keys for members
  • DNS Locations: extend server-* command with locations
  • DNS Location: location-show: return list of servers in location
  • DNS Locations: when removing location remove it from servers first
  • DNS Locations: extend tests with server-* commands
  • Upgrade mod_wsgi socket-timeout on existing installation
  • Exclude unneeded dirs and files from pylint check
  • Fix resolve_rrsets: RRSet is not hashable
  • Revert "adtrust: remove nttrustpartner parameter"
  • Fix: Local variable s_indent might be referenced before defined
  • Revert "Switch /usr/bin/ipa to Python 3"
  • Use python2 for ipa cli
  • DNS Locations: add index for ipalocation attribute
  • DNS Locations: fix location-del
  • DNS Locations: add idnsTemplateObject objectclass
  • DNS Locations: DNS data management
  • DNS Locations: permission: allow to read status of services
  • DNS Locations: add ACI for template attribute
  • DNS Locations: command dns-update-system-records
  • DNS Locations: use dns_update_service_records in installers
  • DNS Locations: adtrustinstance simplify dns management
  • DNS Locations: use automatic records update in ipa-adtrust-install
  • DNS Locations: server-mod: add automatic records update
  • DNS Locations: dnsservers: add required objectclasses
  • DNS Locations: dnsserver-* commands
  • DNS Locations: dnsserver: put server_id option into named.conf
  • DNS Locations: dnsserver: use the newer config way in installer
  • DNS Locations: dnsserver: remove config when replica is removed
  • DNS Locations: set proper substitution variable
  • DNS Locations: require to restart named-pkcs11 after location change
  • DNS Locations: show warning if there is no DNS servers in location
  • DNS Locations: prevent to remove used locations
  • DNS Locations: do not generate location records for unused locations
  • DNS Locations: location-del: remove location record
  • DNS Locations: Rename ipalocationweight to ipaserviceweight
  • DNS Locations: generate NTP records
  • upgrade: don't fail if zone does not exist in find
  • DNS Location: add list of roles and DNS servers to location-show
  • DNS Locations: dnsserver: print specific error when DNS is not installed
  • Fix possibly undefined variable in ipa_smb_conf_exists()
  • Updated IPA translations
  • Replica promotion: use the correct IPA domain for replica
  • Server-del: fix system records removal
  • Increase ipa-getkeytab LDAP timeout to 100sec
  • DNS Locations: server-mod: fix if statement
  • ipa-rmkeytab, ipa-join: don't fail if init of gettext failed
  • Revert "DNS Locations: do not generate location records for unused locations"
  • DNS Locations: hide option --no-msdcs in adtrust-install
  • DNS Locations: optimization: use server-find to get information
  • DNS Locations: cleanup of bininstance
  • CA replica promotion: add proper CA DNS records
  • Fix replica install with CA
  • cert.py split module docstring to multiple ugetext string
  • Add option --no-log for ipa-replica-conncheck script
  • Do not log to file in remote conncheck side
  • Bump SSSD version in requires
  • IPA 4.4.0 Translations

Martin Košek (2)

  • Update Developers in Contributors.txt
  • Update Contributors.txt

Matt Rogers (1)

  • ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1)

  • Fix bytes/string handling in rpc

Milan Kubík (11)

  • ipatests: replace the test-example.com domain in tests
  • ipatests: Roll back the forwarder config after a test case
  • ipatests: Fix configuration problems in dns tests
  • ipatests: Make the A record for hosts in topology conditional
  • ipatests: fix the install of external ca
  • ipatests: Add missing certificate profile fixture
  • ipatests: extend permission plugin test with new expected output
  • spec file: rename the python-polib dependency name to python2-polib
  • ipatests: fix for change_principal context manager
  • ipatests: Add test case for requesting a certificate with full principal.
  • spec: Add python-sssdconfig dependency for python-ipatests package

Nathaniel McCallum (8)

  • Don't error when find_base() fails if a base is not required
  • Rename syncreq.[ch] to otpctrl.[ch]
  • Ensure that ipa-otpd bind auths validate an OTP
  • Return password-only preauth if passwords are allowed
  • Enable authentication indicators for OTP and RADIUS
  • Migrate from #ifndef guards to #pragma once
  • Enable service authentication indicator management
  • Add authentication indicators support to Host objects

Oleg Fayans (26)

  • CI tests: Enabled automatic creation of reverse zone during master installation
  • CI tests: Added domain realm as a parameter to master installation in integration tests
  • Fixed install_ca and install_kra under domain level 0
  • fixed an issue with master installation not creating reverse zone
  • Enabled recreation of test directory in apply_common_fixes function
  • Updated connect/disconnect replica to work with both domainlevels
  • Removed --ip-address option from replica installation
  • Removed messing around with resolv.conf
  • Integration tests for replica promotion feature
  • Enabled setting domain level explicitly in test class
  • Removed a constantly failing call to prepare_host
  • Made apply_common_fixes call at replica installation independent on domain_level
  • Workaround for ticket 5627
  • Added copyright info to replica promotion tests
  • rewrite a misprocessed teardown_method method as a custom decorator
  • Reverted changes in mh fixture causing some tests to fail
  • Fixed a bug with prepare_host failing upon existing ipatests folder
  • Added a kdestroy call to clean ccache at master/client uninstallation
  • Added 5 more tests to Replica Promotion testsuite
  • Fixed a failure in legacy_client tests
  • Add test if replica is working after domain upgrade
  • Improve reporting of failed tests in topology test suite
  • Bugfixes in managed topology tests
  • A workaround for ticket N 5348
  • Added necessary A record for the replica to root zone
  • Increased certmonger timeout

Patrice Duc-Jacquet (2)

  • Incorrect message when KRA already installed
  • Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".

Pavel Vomacka (69)

  • Add tool tips for Revert, Refresh, Undo, and Undo All
  • Add support for the 'user' url parameter for the reset_password.html
  • Add validation to Issue new certificate dialog
  • Add pan and zoom functionality to the topology graph
  • Nodes stay fixed after initial animation.
  • Add field for group id in user add dialog
  • Resize topology graph canvas according to window size
  • Add X-Frame-Options and frame-ancestors options
  • Add activate option to stage user details page
  • Add 'skip overlap check' checkbox into add zone dialog
  • Add 'skip overlap check' checkbox to the add dns forward zone dialog
  • Add option to show OTP when adding host
  • Update the delete dialog on details user page
  • Add ability to stage multiple users
  • Add option to stage user from details page
  • Change lang.hitch to javascript bind method
  • Change 'Restore' to 'Remove Hold'
  • Extend the certificate request dialog
  • Auth Indicators WebUI part
  • Fix bad searching of reverse DNS zone
  • Add adapter attribute for choosing record
  • DNS Locations: WebUI part
  • Add lists of hosts allowed to create or retrieve keytabs
  • Correct a jslint warning
  • Association table can be read only
  • Extend table facet
  • Add server roles on topology page
  • Search facet can be without search field
  • Add ability to review cert request dialog
  • Add new webui plugin - ca
  • Extend certificate entity page
  • Extend caacl entity
  • Make Actions string translatable
  • Extend DNS config page
  • Extend trust config page
  • Add creating a segment using mouse
  • Add listener which opens add segment dialog
  • Add placeholder to add segment dialog
  • Add DNS default TTL field
  • Allow to set weight of a server without location
  • DNS Servers: Web UI part
  • Add support for custom menu in multivalued widget
  • Extends functionality of DropdownWidget
  • Add working widget
  • Add ability to turn off activity icon
  • Add Object adapter
  • Refactored certificate view and remove hold dialog
  • Changed the way how to handle remove hold and revoke actions
  • Remove old useless actions - get and view
  • Add widget for showing multiple certificates
  • Add certificate widget
  • Add new certificates widget to the user details page
  • Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
  • Add new certificates widget to the service details page
  • Updated certificates table
  • Add new custom command multivalued widget
  • Add button for dns_update_system_records command
  • Add certificate widget to ID override user details page.
  • Add authentication identificator to host page
  • Change paths of strings in auth indicators widget on service page
  • Simplify the confirmation messages
  • Add support to change button css class on confirm dialog
  • Add button for server-del command
  • Change error handling in custom_command_multivalued_widget
  • Set default confirmation button label to 'Remove'
  • Add widgets for kerberos aliases
  • Add widget for kerberos aliases to user page
  • Add widget for kerberos aliases to hosts page
  • Add widget for kerberos aliases to service page

Peter Lacko (1)

  • Ping module tests.

Petr Viktorin (46)

  • Package ipapython, ipalib, ipaplatform, ipatests for Python 3
  • Use explicit truncating division
  • Don't index exceptions directly
  • Use print_function future definition wherever print() is used
  • Alias "unicode" to "str" under Python 3
  • Avoid builtins that were removed in Python 3
  • dnsutil: Rename __nonzero__ to __bool__
  • Remove deprecated contrib/RHEL4
  • make-lint: Allow running pylint --py3k to detect Python3 issues
  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
  • test_parameters: Ignore specific error message
  • ipaldap, ldapupdate: Encoding fixes for Python 3
  • ipautil.run, kernel_keyring: Encoding fixes for Python 3
  • tests: Use absolute imports
  • ipautil: Use mode 'w+' in write_tmp_file
  • test_util: str/bytes check fixes for Python 3
  • p11helper: Port to Python 3
  • cli: Don't encode/decode for stdin/stdout on Python 3
  • Package python3-ipaclient
  • Move get_ipa_basedn from ipautil to ipadiscovery
  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
  • ipapython.sysrestore: Use str methods instead of functions from the string module
  • ipalib.x809: Accept bytes for make_pem
  • dns plugin: Fix zone normalization under Python 3
  • sysrestore: Iterate over a list of dict keys
  • test_xmlrpc: Use absolute imports
  • xmlrpc_test: Rename exception instance before working with it
  • radiusproxy plugin: Use str(error) rather than error.message
  • xmlrpc_test: Expect bytes rather than strings for binary attributes
  • ipalib.rpc: Send base64-encoded data as string under Python 3
  • range plugin tests: Use bytes with MockLDAP under Python 3
  • radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
  • certprofile plugin: Use binary mode for file with binary data
  • test_add_remove_cert_cmd: Use bytes for base64.b64encode()
  • Switch /usr/bin/ipa to Python 3
  • Fix remaining relative import and enable Pylint check
  • ipalib.cli: Improve reporting of binary values in the CLI
  • test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
  • ipaldap: Keep attribute names as text, not bytes
  • ipapython.secrets.kem: Use ConfigParser from six.moves
  • test_topology_plugin: Don't rely on order of an attribute's values
  • test_rpcserver: Expect updated error message under Python 3
  • ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
  • test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
  • ipaldap: Convert dict items to list before iterating
  • test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

Petr Voborník (19)

  • Bump 4.4 development version to 4.3.90
  • webui: add examples to network address validator error message
  • webui: pwpolicy cospriority field was marked as required
  • spec: do not require arch specific ipalib package from noarch packages
  • webui: display server suffixes in server search page
  • stop installer when setup-ds.pl fail
  • webui: crash nicely if sessionStorage is not available
  • webui: remove moot error from webui build
  • webui: use API call ca_is_enabled instead of enable_ra env variable.
  • webui: fixed showing of success message after password change on login
  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
  • cookie parser: do not fail on cookie with empty value
  • fix incorrect name of ipa-winsync-migrate command in help
  • webui: fail nicely if cookies are disabled
  • ipa-client-install: fix typo in nslcd service name
  • Become IPA 4.4.0 Alpha 1
  • mod_auth_gssapi: enable unique credential caches names
  • webui: prevent infinite reload for users with krbbprincipal alias set
  • Become IPA 4.4.0

Petr Špaček (60)

  • dns: Handle SERVFAIL in check if domain already exists.
  • DNSSEC: Improve error reporting from ipa-ods-exporter
  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND
  • DNSSEC: remove obsolete TODO note
  • DNSSEC: add debug mode to ldapkeydb.py
  • DNSSEC: logging improvements in ipa-ods-exporter
  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command
  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
  • DNSSEC: Log debug messages at log level DEBUG
  • Fix --auto-reverse option in --unattended mode.
  • Fix dns_is_enabled() API command to throw exceptions as appropriate
  • Fix DNS zone overlap check to allow ipa-replica-install to work
  • Fix ipa-adtrust-install to always generate SRV records with FQDNs
  • Fix URL for reporting bugs in strings
  • Pylint: enable parallelism
  • Makefile: replace perl with sed
  • Remove function ipapython.ipautil.host_exists()
  • Extend installers with --forward-policy option
  • Move automatic empty zone list into ipapython.dnsutil and make it reusable
  • Add assert_absolute_dnsname() helper to ipapython.dnsutil
  • Move function is_auto_empty_zone() into ipapython.dnsutil
  • Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
  • Add function ipapython.dnsutil.inside_auto_empty_zone()
  • Auto-detect default value for --forward-policy option in installers
  • ipa-nis-manage: Replace text references to compat plugin with NIS
  • ipa-nis-manage: mention return code 3 in man page
  • DNS: Fix upgrade - master to forward zone transformation
  • DNS installer: accept --auto-forwarders option in unattended mode
  • Remove unused file install/share/fedora-ds.init.patch
  • Batch command: avoid accessing potentially undefined context.principal
  • pylint: replace Refactor category with individual check names
  • ipa-nis-manage: add status option
  • DNS: Warn if forwarding policy conflicts with automatic empty zones
  • Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
  • Use root_logger for verify_host_resolvable()
  • Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
  • Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
  • Add ipaDNSVersion option to dnsconfig* commands and use new attribute
  • DNS upgrade: separate backup logic to make it reusable
  • Add function ipapython.dnsutil.related_to_auto_empty_zone()
  • DNS upgrade: change forwarding policy to = only for conflicting forward zones
  • DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
  • DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
  • Require 389-ds-base >= 1.3.5.6
  • DNS Locations: make ipa-ca record generation more robust
  • DNS: Support default TTL setting for master DNS zones
  • DNS: Warn about restart when default TTL setting DNS is changed
  • DNS: Fix realm domains integration with DNS zone add.
  • client: Share validator and domain name normalization with server install
  • DNS: Fix tests for realm domains integration with DNS zone add
  • client-install: do not fail if DNS times out during DNS update generation
  • Use NSS for name->resolution in IPA installer
  • DNS: Remove unnecessary DNS check from installer
  • DNS: Reinitialize DNS resolver after changing resolv.conf
  • Fix `Conflicts` with ipa-python
  • Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
  • Fix internal errors in host-add and other commands caused by DNS resolution

Simo Sorce (6)

  • Use only AES enctypes by default
  • Always verify we have a valid ldap context.
  • Improve keytab code to select the right principal.
  • Convert ipa-sam to use the new getkeytab control
  • Allow admins to disable preauth for SPNs.
  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (31)

  • Listing and cleaning RUV extended for CA suffix
  • Automatically detect and remove dangling RUVs
  • Cosmetic changes to the code
  • Fixes minor issues
  • replica-manage: fail nicely when DM psswd required
  • ipa-replica-manage refactoring
  • abort-clean/list/clean-ruv now work for both suffixes
  • Moved password check from clean_dangling_ruv
  • Fix to clean-dangling-ruv for single CA topologies
  • Added pyusb as a dependency
  • Added some attributes to Modify Users permission
  • Deprecated the domain-level option in ipa-server-install
  • Increased mod_wsgi socket-timeout
  • Added <my_hostname>=<IPA REALM> mapping to krb5.conf
  • Decreased timeout for IO blocking for DS
  • fixes premature sys.exit in ipa-replica-manage del
  • Remove dangling RUVs even if replicas are offline
  • Added krb5.conf.d/ to included dirs in krb5.conf
  • Removed dead code from LDAP{Remove,Add}ReverseMember
  • Fixes CA always being presented as running
  • Increase nsslapd-db-locks to 50000
  • host/service-show/find shouldn't fail on invalid certificate
  • Fix to ipa-ca-install asking for host principal password
  • Fix topologysuffix-verify failing connections
  • topo segment-add: validate that both masters support target suffix
  • Add missing nsSystemIndex attributes
  • Revert "Removed dead code from LDAP{Remove,Add}ReverseMember"
  • The LDAP*ReverseMember shouldn't imply --all is always specified
  • Fix wrong imports in copy-schema-to-ca.py
  • host: Added permissions for auth. indicators read/modify
  • service: Added permissions for auth. indicators read/modify

Sumit Bose (3)

  • ipa-kdb: get_authz_data_types() make sure entry can be NULL
  • ipa-kdb: map_groups() consider all results
  • extdom: add certificate request

Thierry Bordaz (5)

  • configure DNA plugin shared config entries to allow connection with GSSAPI
  • DS deadlock when memberof scopes topology plugin updates
  • Make sure ipapwd_extop takes precedence over passwd_modify_extop
  • Topology plugins sigsev/heap corruption when adding a managed host
  • ipapwd_extop should use TARGET_DN defined by a pre-extop plugin

Thorsten Scherf (1)

  • Fixed typo in service-add

Timo Aaltonen (6)

  • Use HTTPD_USER in dogtaginstance.py
  • Move freeipa certmonger helpers to libexecdir.
  • ipa_restore: Import only FQDN from ipalib.constants
  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.
  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template
  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10)

  • py3: Remove py3 incompatible exception handling
  • logger: Use warning instead of warn
  • Logger: Use warning instead of warn - dns plugin
  • ipa-getkeytab: Handle the possibility of not obtaining a result
  • ipa-adtrust-install: Allow dash in the NETBIOS name
  • spec: Bump required sssd version to 1.13.3-5
  • adtrustinstance: Make sure smb.conf exists
  • l10n: Remove Transifex configuration
  • ipalib: Fix user certificate docstrings
  • idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (4)

  • Fix minor typo
  • Fix minor typos
  • Fix minor typos
  • Fix minor typo