Jump to: navigation, search

Releases/4.6.0

Release date Released 2017-09-01

The FreeIPA team would like to announce FreeIPA 4.6.0 release!

It can be downloaded from https://releases.pagure.org/freeipa/. Builds for Fedora 26 and 27 are available in the official COPR repository https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ .

Highlights in 4.6.0

Enhancements

  • Python 3 is now supported.

Known Issues

  • WebUI may not work in some configurations [#7126, #7127]
  • Attempting to uninstall when IPA isn't installed prints confusing strings [#7063]

Bug fixes

Contains all bugfixes and enhancements of 4.5.1, 4.5.2 and 4.5.3 releases.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.


Resolved tickets

  • #7123 External CA renewal fails when IPA CA subject DN does not match "CN=Certificate Authority, {subject-base}"
  • #7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
  • #7108 ipa-backup broken because of cyclic import
  • #7086 [ipatests] - add caless to cafull tests
  • #7066 WebUI: All columns of user in group table are clickable
  • #7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
  • #7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com
  • #6605 make lint + make modifies PO files in place
  • #6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and "Role-Based"
  • #6447 [WebUI] Remove offline version of WebUI
  • #6261 Replace ERROR: cannot connect to 'http://localhost:8888/ipa/json': [Errno 111] Connection refused with 'IPA is not configured on this system'
  • #6176 Updating of dns system records rapidly slowdown uninstallation
  • #7121 ipa otptoken-add-yubikey fails with python3
  • #7118 Fix CA-less installation due to incorrect with statement
  • #7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
  • #7100 test_caless: add SAN dNSName extensions for wildcard tests
  • #7088 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR
  • #7076 Adjust to CURL whichs started to use OpenSSL - ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
  • #7053 Replica install fails to configure IPA-specific temporary files/directories
  • #7052 WebUI: search facet spec actions contains 'undefined' item
  • #7051 ipapython/graph.py complexity optimization
  • #7050 Type error when running tests for whoami command.
  • #7046 missing default basedn causes failure during initialization of multi host tests
  • #7030 tests: CA-less test suite broken due to missing subject key identifier extension
  • #7011 --force-join option is not mentioned in ipa-replica-install man page
  • #7010 ipa-backup fails silently
  • #7002 adtrustinstance: broken ID range assessment
  • #6987 ca-add: invalid X.509 DN fails ungracefully
  • #6986 make pylint is not working on F26
  • #6980 Pagination Size under Customization in IPA WebUI accepts negative values
  • #6976 External CA: check that IPA CA certificate contains Subject Key Identifier
  • #6974 WebUI: Fix unit webUI tests
  • #6971 ipatests: collect systemd journal
  • #6956 Backup and restore tests faliling
  • #6946 ipa-replica-manage del (dl 0) doesn't remove server from defaultServerList
  • #6945 Bring back error messages from certificate validation
  • #6943 server-del doesn't remove server from defaultServerList in cn=default,ou=profile,$BASE
  • #6940 installer should indicate that it is waiting for keys
  • #6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
  • #6928 ipa-managed-entries incorrectly states server not installed
  • #6865 minor spelling mistake in ipa-adtrust-install.1
  • #6863 minor spelling mistake
  • #6852 [RFE] Create client enrollment role
  • #6849 Priority field missing in required field incicator - *
  • #6845 ipa-otpd.socket.in has wrong kdc service name for Debian
  • #6834 ipa-kdc-proxy.conf.template hardcodes python module directory
  • #6822 git-commit-template: update ticket URL to use pagure.io instead of fedorahosted.org
  • #6818 Update asn1c code in /asn1/asn1c
  • #6809 Failed to write schema: b'sudo/1' is not JSON serializable
  • #6745 [test] ipa whoami command
  • #6725 No page for information on build from source
  • #6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP
  • #6591 pytest 3.0: yield tests are deprecated
  • #5990 Py3: zonemgr_callback: expected unicode, got bytes
  • #5919 cert-request rfc822Name check compares whole email address case-sensitively
  • #4985 [RFE] Support Python 3

Detailed changelog since 4.5.3

Alexander Bokovoy (13)

  • csrgen: support openssl 1.0 and 1.1 commit #7110
  • dcerpc: support Python 3 commit #4985
  • ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later commit #6877
  • ipa-sam: use own private structure, not ldapsam_privates commit #6877
  • trust-mod: allow modifying list of UPNs of a trusted forest commit #7015
  • ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736
  • Fix index definition for ipaAnchorUUID commit #6975
  • krb5: make sure KDC certificate is readable commit #6973
  • trust: always use oddjobd helper for fetching trust information commit
  • ipaserver/dcerpc: unify error processing commit #6859
  • adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786
  • server: make sure we test for sss_nss_getlistbycert commit #6828
  • ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797

Abhijeet Kasurde (6)

Alex Zeleznikov (1)

  • Sort SRV records by priority commit

Aleksei Slaikovskii (3)

  • ipapython/graph.py redundant variable fix commit
  • ipapython/graph.py String formatting commit
  • ipapython/graph.py complexity optimization commit #7051

Ben Lipton (4)

  • csrgen: Beginnings of NSS database support commit #4899
  • csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo commit #4899
  • csrgen: Change to pure openssl config format (no script) commit #4899
  • csrgen: Remove helper abstraction commit #4899

Christian Heimes (40)

  • Misc Python 3 fixes for ipaserver.secrets commit #4985
  • Reimplement yield tests are parametrized tests commit #6591
  • Silence pytest.yield_fixture deprecation warning commit #6591
  • Slim down dependencies commit
  • Vault: Explicitly default to 3DES CBC commit #6899
  • Band-aid for pip dependency bug commit
  • Correct PyPI package dependencies commit #6875
  • tox: use pylint 1.6.x for now commit #6874
  • Replace _BSD_SOURCE with _DEFAULT_SOURCE commit #6818
  • Regenerate ASN.1 code with asn1c 0.9.28 commit #6818
  • tox testing support for client wheel packages commit
  • Stabilize make pypi_packages commit
  • Replace hard-coded kdcproxy path with WSGI script commit #6834
  • Use entry_points for ipa CLI commit #6653, #6850
  • Don't hard-code with_wheels commit
  • Add an option to build ipaserver wheels commit
  • Add extra_requires for additional dependencies commit
  • Conditionally import pyhbac commit
  • Skip test_session_storage in ipaclient unittest mode commit
  • Add make devcheck for developers commit #6604
  • session storage parameters must be bytes commit
  • Fix ipatests.util doc tests commit
  • Use Custodia 0.3.1 features commit
  • Simplify KRA transport cert cache commit #6787
  • pytest 3.x compatibility commit
  • Constrain wheel package versions commit #6468
  • Move remaining util functions to tasks module commit #6798
  • Ship ipatests.pytest_plugins.integration commit #6798
  • Move function run_repeatedly to tasks module commit #6798
  • Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798
  • Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798
  • Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798
  • Move config module to ipatests.pytest_plugins.integration.config commit #6798
  • Move helper code for integration plugin commit #6798
  • Increase Apache HTTPD's default keep alive timeout commit
  • Add debug logging for keep-alive commit
  • Use connection keep-alive commit #6641
  • Add options to run only ipaclient unittests commit #6517
  • Python 3: Fix session storage commit
  • Fix Python 3 pylint errors commit

David Kreitschmann (4)

  • Disable pylint in get_help function because of type confusion. commit
  • Store help in Schema before writing to disk commit
  • Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync commit
  • Fix libkrb5 filename for macOS commit

David Kupka (22)

  • tests: certmap: Add test for user-{add,remove}-certmap commit #7105
  • tests: tracker: Add CertmapdataMixin tracker commit #7105
  • tests: certmap: Add test for certmapconfig-{mod,show} commit #7105
  • tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105
  • tests: certmap: Test permissions for certmap commit #7105
  • tests: certmap: Add basic tests for certmaprule commands commit #7105
  • tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105
  • tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105
  • tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105
  • tests: tracker: Split Tracker into one-purpose Trackers commit #7105
  • install: replica: Show message about key synchronization commit #6940
  • kra: promote: Get ticket before calling custodia commit #7020
  • ipapython.ipautil.run: Add option to set umask before executing command commit #6831
  • otptoken-add-yubikey: When --digits not provided use default value commit #6900
  • Bump version of ipa.conf file commit #6860
  • Create system users for FreeIPA services during package installation commit #6743
  • WebUI: cert login: Configure name of parameter used to pass username commit #6860
  • httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available commit #6803
  • spec file: Bump requires to make Certificate Login in WebUI work commit #6823
  • rpcserver.login_x509: Actually return reply from __call__ method commit #6819
  • Create temporaty directories at the begining of uninstall commit #6715
  • ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738

felipe (1)

  • Fixing replica install: fix ldap connection in domlvl 0 commit #6549

Felipe Volpone (3)

  • Removing part of circular dependency of ipalib in ipaplaform commit #7108
  • Changing how commands handles error when it can't connect to IPA server commit #6261
  • py3: fixing zonemgr_callback commit #5990

Felipe Volpone (5)

  • Adding section "Building FreeIPA from source" on README commit #6725
  • Changing cert-find to go through the proxy instead of using the port 8080 commit #6966
  • Changing cert-find to do not use only primary key to search in LDAP. commit #6948
  • Fixing adding authenticator indicators to host commit #6911
  • Fixing the cert-request comparing whole email address case-sensitively. commit #5919

Fabiano Fidêncio (1)

  • Allow erasing ipaDomainResolutionOrder attribute commit #6825

Florence Blanc-Renaud (22)

  • Fix Certificate renewal (with ext ca) commit #7106
  • Fix ipa-server-upgrade: This entry already exists commit #7125
  • ipa-replica-conncheck: handle ssh not installed commit #6935
  • ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925
  • ipa-replica-manage del (dl 0): remove server from defaultServerList commit #6946
  • server-del: update defaultServerList in cn=default,ou=profile,$BASE commit #6943
  • ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895
  • ipa-server-install: fix uninstall commit #6950
  • ipa-kra-install manpage: document domain-level 1 commit #6922
  • ipa-kra-install: fix check_host_keys commit #6934
  • ipa-server-install with external CA: fix pkinit cert issuance commit #6921
  • ipa-client-install: remove extra space in pkinit_anchors definition commit #6916
  • vault: piped input for ipa vault-add fails commit #6907
  • upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881
  • tests: add non-reg for idrange-add commit #6404
  • Upgrade: add gidnumber to trusted domain entry commit #6827
  • ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827
  • idrange-add: properly handle empty --dom-name option commit #6404
  • ipa-ca-install man page: Add domain level 1 help commit #5831
  • git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org commit #6822
  • dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813
  • man ipa-cacert-manage install needs clarification commit #6795

Fraser Tweedale (14)

  • Fix external renewal for CA with non-default subject DN commit #7123
  • py3: handle bytes in schema response commit #6809
  • py3: fix vault public key decoding commit #7033
  • cert: fix application of 'str' to bytes when formatting otherName commit #4985
  • py3: fix schema response for py2 server with py3 client commit #4985
  • Fix incorrect 'with' statement in CA-less installation commit #7118
  • Restore old version of caIPAserviceCert for upgrade only commit #7097
  • cert-request: simplify request processing commit #6531
  • Add CommonNameToSANDefault to default cert profile commit #7007
  • Add a README to certificate profile templates directory commit #7014
  • py3: fix regression in schemaupdate commit #4985
  • ca-add: validate Subject DN name attributes commit #6987
  • Add Subject Key Identifier to CA cert validity check commit #6976
  • Support 8192-bit RSA keys in default cert profile commit #6319

Jan Cholasta (61)

  • pylint: enable logging checks commit
  • logging: do not use `ipa_log_manager` to create module-level loggers commit
  • logging: do not log into the root logger commit
  • logging: do not reference loggers in arguments and attributes commit
  • doc: sync guide.org with cli.py commit
  • logging: remove object-specific loggers commit
  • logging: use the actual root logger as the root logger commit
  • logging: port to standard Python logging commit
  • logging: do not configure any handlers by default commit
  • wsgi, oddjob: remove needless uses of Env commit
  • config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn` commit
  • ldap2: remove URI argument from ldap2 constructor commit
  • test_ldap: drop redundant URI argument commit
  • {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections commit
  • user, migration: use LDAPClient for ad-hoc LDAP connections commit
  • install: do not assume /etc/krb5.conf.d exists commit #6589
  • server upgrade: do not enable PKINIT by default commit #7000
  • pkinit manage: introduce ipa-pkinit-manage commit #7000
  • server certinstall: update KDC master entry commit #7000
  • httpinstance: wait until the service entry is replicated commit #6867
  • server certinstall: support PKINIT commit #6831
  • cacert manage: support PKINIT commit #6831
  • replica install: respect --pkinit-cert-file commit #6831
  • server install: fix KDC certificate validation in CA-less commit #6831, #6869
  • certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869
  • certs: do not export keys world-readable in install_key_from_p12 commit #6831
  • server install: fix KDC PKINIT configuration commit #6831
  • install: introduce generic Kerberos Augeas lens commit #6831
  • client install: fix client PKINIT configuration commit #6831
  • install: trust IPA CA for PKINIT commit #6831
  • certdb: use custom object for trust flags commit #6831
  • certdb, certs: make trust flags argument mandatory commit #6831
  • certdb: add named trust flag constants commit #6831
  • ipa-cacert-manage: add --external-ca-type commit #5799
  • renew agent: get rid of virtual profiles commit #5799
  • renew agent: always export CSR on IPA CA certificate renewal commit #5799
  • renew agent: allow reusing existing certs commit #5799
  • cainstance: use correct profile for lightweight CA certificates commit #5799
  • server upgrade: always fix certmonger tracking request commit #5799
  • renew agent: respect CA renewal master setting commit #5799
  • spec file: bump krb5 Requires for certauth fixes commit #4905
  • spec file: bump python-netaddr Requires commit #6894
  • configure: fix AC_CHECK_LIB usage commit #6846
  • cert: defer cert-find result post-processing commit #6808
  • renew agent, restart scripts: connect to LDAP after kinit commit #6757
  • renew agent: revert to host keytab authentication commit #6757
  • install: request service certs after host keytab is set up commit #6757
  • dsinstance, httpinstance: consolidate certificate request code commit #6757
  • httpinstance: avoid httpd restart during certificate request commit #6757
  • dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757
  • httpinstance: make sure NSS database is backed up commit #4639
  • certdb: fix `AttributeError` in `verify_ca_cert_validity` commit
  • setup, pylint, spec file: drop python-nss dependency commit
  • certdb: use certutil and match_hostname for cert verification commit
  • spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828
  • spec file: bump krb5-devel BuildRequires for certauth commit #4905
  • cert: do not limit internal searches in cert-find commit #6716
  • replica prepare: fix wrong IPA CA nickname in replica file commit #6777
  • httpinstance: clean up /etc/httpd/alias on uninstall commit #4639
  • certs: do not implicitly create DS pin.txt commit #4639
  • tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773

René Genz (3)

  • fix minor spelling mistakes commit
  • fix spelling mistake; minor rewording commit
  • fix minor typos in ipa-adtrust-install.1 commit

Martin Babinsky (45)

  • Move tmpfiles.d configuration handling back to spec file commit #7053
  • Do not remove the old masters when setting the attribute fails commit #7029
  • *config-show: Do not show empty roles/attributes commit #7029
  • smart-card-advises: ensure that krb5-pkinit is installed on client commit #7036
  • smart card advise: use password when changing trust flags on HTTP cert commit #7036
  • smart card advises: use a wrapper around Bash `for` loops commit #7036
  • Use the compound statement formatting API for configuring PKINIT commit #7036
  • Fix indentation of statements in Smart card advises commit #7036
  • delegate formatting of compound Bash statements to dedicated classes commit #7036
  • advise: add an infrastructure for formatting Bash compound statements commit #7036
  • delegate the indentation handling in advises to dedicated class commit #7036
  • add a class that tracks the indentation in the generated advises commit #7036
  • Allow to pass in multiple CA cert paths to the smart card advises commit #7036
  • smart-card advises: add steps to store smart card signing CA cert commit #7036
  • smart-card advises: configure systemwide NSS DB also on master commit #7036
  • Prepare advise plugin for smart card auth configuration commit #6982
  • Extend the advice printing code by some useful abstractions commit #6982
  • fix incorrect suffix handling in topology checks commit #6965
  • Do not delete DS and PKI users during backup/restore tests commit #6956
  • test_backup_restore: do not fail on missing KrbLastSuccessfulAuth commit #6956
  • only stop/disable simple service if it is installed commit #6977
  • test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
  • Add `pkinit-status` command commit #6937
  • Add the list of PKINIT servers as a virtual attribute to global config commit #6937
  • Add an attribute reporting client PKINIT-capable servers commit #6937
  • Refactor the role/attribute member reporting code commit #6937
  • Allow for multivalued server attributes commit #6937
  • Travis CI: Add the server uninstaller as a last step of tests commit #6950
  • Travis CI: explicitly update pip before running the builds commit
  • Do not test anonymous PKINIT after install/upgrade commit #6830
  • Upgrade: configure local/full PKINIT depending on the master status commit #6830
  • Use local anchor when armoring password requests commit #6830
  • Stop requesting anonymous keytab and purge all references of it commit #6830
  • Use only anonymous PKINIT to fetch armor ccache commit #6830
  • API for retrieval of master's PKINIT status and publishing it in LDAP commit #6830
  • Allow for configuration of all three PKINIT variants when deploying KDC commit #6830
  • separate function to set ipaConfigString values on service entry commit #6830
  • Revert "Store GSSAPI session key in /var/run/ipa" commit #6880
  • Remove duplicate functionality in upgrade commit #6799
  • Always check and create anonymous principal during KDC install commit #6799
  • Ensure KDC is propery configured after upgrade commit #6792
  • Split out anonymous PKINIT test to a separate method commit #6792
  • Remove unused variable from failed anonymous PKINIT handling commit #6792
  • Upgrade: configure PKINIT after adding anonymous principal commit #6792
  • Travis CI: invoke integration test helper scripts before test execution commit

Martin Basti (63)

  • DNS update: reduce timeout for CA records commit #6176
  • baseldap: fix format string commit
  • IPAOptionParser: fix dict comprehension commit
  • py3: run already ported scripts under py3 by default commit #4985
  • py3: temporary set dependencies to both py2 and py3 packages commit #4985
  • py3: test_otptoken_import: fix bytes usage commit #4985
  • py3: ipa_otptoken_import: fix hex decoding commit #4985
  • py3: ipa_otptoken_import: fix calling unicode on bytes commit #4985
  • py3: ipa_otptoken_import: fix lamba code inspection commit #4985
  • py3: Remove comparison >=2 of debnug log level commit #4985
  • py3: vault: data must be bytes commit #4985
  • py3: test_location_plugin: fix iteration over changed dict commit #4985
  • py3: test_kerberos_principal_aliases: fix code scope commit #4985
  • py3: dogtag.py: fix bytes warnings commit #4985
  • py3: travis: enable tests for plugins that are aleready working commit #4985
  • py3: secrets: remove iteritems usage commit #4985
  • Travis: check for BytesWarnings in httpd error_log commit
  • py3: ipaldap: fix encoding of datetime objects commit #4985
  • py3: LDAPClient: remove __del__ method commit
  • LDAPEntry: rename _orig to _orig_raw commit #4985
  • python-netifaces: update to reflect upstream changes commit #7021
  • Travis: enable temporary Py3 testing commit
  • Travis: build only py2 packages for py2 testing commit
  • Build: allow to build only py2 rpms for fedora commit
  • Remove network and broadcast address warnings commit #4317
  • replica install: add missing check for non-local IP address commit #4317
  • Remove ip_netmask from option parser commit #4317
  • CheckedIPAddress: remove match_local param commit #4317
  • refactor CheckedIPAddress class commit #4317
  • ipa-dns-install: remove check for local ip address commit #4317
  • Fix local IP address validation commit #4317
  • Explicitly ask for py2 dependencies in py2 packages commit #4985
  • Only warn when specified server IP addresses don't match intf commit #2715, #4317
  • pylint: explicitly depends on python2-pylint commit #6986
  • py3: update_mod_nss_cipher_suite: ordering doesn't work with None commit #4985
  • py3: urlfetch: use "file://" prefix with filenames commit #4985
  • py3: cainstance: fix BytesWarning commit #4985
  • py3: schemaupdate: fix BytesWarning commit #4985
  • py3: LDAP updates: use only bytes/raw values commit #4985
  • py3: softhsm key_id must be bytes commit #4985
  • py3: ipaldap: encode Boolean as bytes commit #4985
  • py3: ConfigParser: replace deprecated readfd with read commit #4985
  • py3: use ConfigParser instead of SafeConfigParser commit #4985
  • Add remote_plugins subdirectories to RPM commit #6927
  • custodia dep: require explictly python2 version commit #6962
  • pylint: ignore new checks added in 1.7 commit #6874
  • Pylint: fix ipa_forbidden_import checker commit #6874
  • travis: fix pylint execution with py3 commit #4985
  • py3: add missing py3 pylint depedencies commit #4985, #6874
  • adtrust: move SELinux settings to constants commit
  • httpd: move SELinux settings to constants commit
  • ipasetup: fix dependencies handling based on python version commit #6875
  • ipaclient: fix missing RPM ownership commit #6927
  • tests: add missing dependency iptables commit
  • ca_status: add HTTP timeout 30 seconds commit #6766
  • http_request: add timeout option commit #6766
  • Use proper SELinux context with http.keytab commit #6924
  • Store GSSAPI session key in /var/run/ipa commit #6880
  • Fix PKCS11 helper commit #6692
  • Remove surplus 'the' in output of ipa-adtrust-install commit #6864
  • collect audit.log for easier selinux investigation commit
  • Set "KDC:Disable Last Success" by default commit #5313
  • Set development version to 4.5.90 commit

Lewis Eason (1)

  • Correct typo estabilish->establish in the install scripts commit

Michal Reznik (9)

  • test_caless: add SAN dNSName extensions for wildcard tests commit #7100
  • test_caless: add replica ca-less to ca-full test (master caless) commit #6226, #7086
  • test_caless: add server_replica ca-less to ca-full test commit #7086
  • tests: fix external_ca test suite failing due to missing SKI commit #7099
  • test_caless: remove xfail in wildcard certificate tests commit #5603
  • test_caless: introduce new python makepki + fix SKI extension issue commit #7030
  • test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959
  • test_caless: add pkinit option and test it commit #6854
  • - added krb5kdc.log to pytest logging commit

Nathaniel McCallum (1)

  • ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace commit #7035

Oliver Gutierrez (1)

  • Added plugins directory to paclient subpackages commit

Petr Spacek (1)

  • ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri commit

Petr Vobornik (5)

  • log progress of wait_for_open_ports commit #7083
  • control logging of host_port_open from caller commit #7083
  • kerberos session: use CA cert with full cert chain for obtaining cookie commit #6876
  • restore: restart/reload gssproxy after restore commit #6902
  • automount install: fix checking of SSSD functionality on uninstall commit #6861

Pavel Vomacka (34)

  • Fixes bug in actions creating for search facet commit #7052
  • WebUI: fix showing required asterisk '*' commit #6849
  • WebUI: Update unit test README commit #6974
  • Fixes details_test.js commit #6974
  • Fixes for widget_tests.js commit #6974
  • Fixes for aci_tests.js commit #6974
  • Fixes for entity_tests.js commit #6974
  • Fixes for ipa_test.js commit #6974
  • Add up to date JSON files commit #6974
  • Add loader.js into requirements of all HTML unit test files commit #6974
  • WebUI: remove creating js/libs symlink from makefile commit #6447
  • WebUI: Remove plugins symlink as it is unused commit #6447
  • Remove all old JSON files commit #6447
  • Revert "Web UI: Remove offline version of Web UI" commit
  • WebUI: Add hyphenate versions of Host(Role) Based strings commit #6582
  • WebUI: fix incorrectly shown links in association tables commit #7066
  • WebUI: fix jslint error commit
  • WebUI: change validator of page size settings commit #6980
  • WebUI: Add positive number validator commit #6980
  • WebUI: add support for changing trust UPN suffixes commit #7015
  • Bump version of python-gssapi commit #6796
  • Turn off OCSP check commit #6981, #6982
  • Change python-cryptography to python2-cryptography commit #6749
  • Turn on NSSOCSP check in mod_nss conf commit #6370
  • WebUI - Coverity: fix identical branches of if statement commit
  • WebUI - Coverity: fixed null pointer exception commit
  • WebUI: Coverity - add explicit window object to alert methods commit
  • WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772
  • WebUI: Fix showing vault in selfservice view commit #6812
  • WebUI: suppress truncation warning in select widget commit #6618
  • WebUI: Add support for suppressing warnings commit #6618
  • WebUI: Add support for login for AD users commit #3242
  • WebUI: add method for disabling item in user dropdown menu commit #3242
  • WebUI: check principals in lowercase commit #3242

Rob Crittenden (2)

  • Include the CA basic constraint in CSRs when renewing a CA commit #7088
  • Pass ipa-ca-agent credentials as PEM files commit #7076

Gabe (2)

  • Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches commit #6896
  • Add --password-expiration to allow admin to force user password expiration commit

Sumit Bose (11)

  • ipa_pwd_extop: do not generate NT hashes in FIPS mode commit #7026
  • ipa-sam: replace encode_nt_key() with E_md4hash() commit #7026
  • ipa-kdb: use canonical principal in certauth plugin commit #6993
  • ipa-kdb: reload certificate mapping rules periodically commit #6963
  • IPA-KDB: use relative path in ipa-certmap config snippet commit #6833
  • extdom: improve cert request commit #6826
  • extdom: do reverse search for domain separator commit
  • ipa-kdb: do not depend on certauth_plugin.h commit #4905
  • configure: fix --disable-server with certauth plugin commit #6816
  • IPA certauth plugin commit #4905
  • ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905

Simo Sorce (12)

  • Always check peer has keys before connecting commit
  • Make sure we check ccaches in all rpcserver paths commit
  • Revert setting sessionMaxAge for old clients commit #7001
  • Add code to be able to set default kinit lifetime commit #7001
  • Fix rare race condition with missing ccache file commit
  • Make sure remote hosts have our keys commit #6838
  • Fix s4u2self with adtrust commit #6862
  • Prevent churn on ccaches commit #6775
  • Work around issues fetching session data commit #6775
  • Handle failed authentication via cookie commit #6775
  • Avoid growing FILE ccaches unnecessarily commit #6775
  • Add options to allow ticket caching commit #6771

Stanislav Laznicka (97)

  • spec: remove strict options from shebangs commit #4985
  • spec: have the scripts depend on py3 packages commit #4985
  • spec: remove python3 workaround commit #4985
  • Remove unused variable commit
  • certmonger: remove temporary workaround commit
  • cert: fix wrong assumption of cert-show result type commit #4985
  • rpc: don't encode bytes commit #4985
  • py3: Fix searching for yubikeys commit #7121
  • py3: remove relative import commit #4985, #6874
  • py3: remove Exception.message appearances commit #4985, #6874
  • Fix cert file creation during CA-less installation commit #7118
  • Uninstall: fix BytesWarning exception commit #4985
  • Unify storing certificates in LDAP commit #4985
  • py3: fix caless to CA promotion on replica commit #4985
  • cacert_manage: fix CA cert renewal commit #4985
  • python3: port certmonger requests script commit #4985
  • crtmgr: fix bug if CERTMONGER_CERTIFICATE not set commit #4985
  • certmonger: finish refactoring for request script commit #4985
  • certmonger: fix storing retrieved certificates commit #4985
  • Make the IPA server run under Python 3 by default commit #4985
  • Turn IPA scripts to python3 -bb for testing commit #4985
  • py3: Depend on newer pyldap for server-upgrade commit #4985
  • ipautil: port host_port_open() to python 3 commit #4985
  • conncheck: fix progression on failure commit #4985
  • kerberos: fix sorting Principal objects commit #4985
  • host, service: fix adding host/svc with a cert commit #7077
  • server plugin: pass bytes to ldap.modify_s commit #4985
  • replica: fix SetuptoolsVersion comparison commit #4985
  • replica-prepare: run the script in py3 by default commit #4985
  • certs: write and read bytes as such commit #4985
  • client: make ipa-client-install py3 compatible commit #4985
  • cainstance: read cert file as bytes commit #4985
  • ca: TypeError fix commit #4985
  • krainstance: fix writing str to file commit #4985
  • replica-conncheck: log when failed to RPC connect commit
  • Fixup of not-so-good PEM certs commit #4985
  • x509,certdb: handle certificates as bytes commit #4985
  • Create a Certificate parameter commit #4985
  • parameters: relax type checks commit #4985
  • tests: fix failing HTTPS connection commit #4985
  • Introduce load_unknown_x509_certificate() commit #4985
  • x509: Make certificates represented as objects commit #4985
  • Split x509.load_certificate() into PEM/DER functions commit #4985
  • README: Fix trailing whitespace commit
  • Ensure network is online prior to an upgrade commit #7039
  • rpcserver: remove addition of str and bytes commit #4985
  • wsgi plugins: mod_wsgi expects bytes as an output commit #4985
  • adtrustinstance: write the conf as a string commit #4985
  • adtrustinstance: pep8 fix commit
  • More verbose error message on kdc cert validation commit #6945
  • cert-validate: keep all messages in cert validation commit #6945
  • adtrustinstance: fix ID range comparison commit #7002
  • Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm() commit
  • ipadiscovery: Return realm as a string commit #4985
  • session_storage: Correctly handle string/byte types commit #4985
  • rpc: avoid possible recursion in create_connection commit #6796
  • rpc: preparations for recursion fix commit #6796
  • Avoid possible endless recursion in RPC call commit #6796
  • kdc.key should not be visible to all commit #6973
  • Change ConfigParser to RawConfigParser commit #4985
  • ca/cert-show: check certificate_out in options commit #6885
  • Remove pkinit-anonymous command commit #6936
  • Make a doctext more clear commit
  • Provide useful messages during cert validation commit #6945
  • cert-show: writable files does not mean dirs commit #6883
  • fix managed-entries printing IPA not installed commit #6928
  • Fix wrong message on Dogtag instances stop commit #6766
  • Make CA/KRA fail when they don't start commit #6766
  • Remove the cachedproperty class commit #6878
  • Refresh Dogtag RestClient.ca_host property commit #6878
  • compat plugin: Update link to slapi-nis project commit
  • compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821
  • Move the compat plugin setup at the end of install commit #6821
  • compat-manage: behave the same for all users commit #6821
  • Fix CAInstance.import_ra_cert for empty passwords commit #6878
  • Fix RA cert import during DL0 replication commit #6878
  • ext. CA: correctly write the cert chain commit #6872
  • server-install: No double Kerberos install commit #6757
  • Fix CA-less to CA-full upgrade commit #6853
  • replicainstall: better client install exception handling commit #6183
  • Add the force-join option to replica install commit #6183
  • server-install: remove broken no-pkinit check commit #6807
  • Add pki_pin only when needed commit #6839
  • Remove publish_ca_cert() method from NSSDatabase commit #6806
  • Get correct CA cert nickname in CA-less commit #6806
  • Remove redundant option check for cert files commit #6801
  • replica-prepare man: remove pkinit option refs commit #6801
  • Don't allow setting pkinit-related options on DL0 commit #6801
  • Fix the order of cert-files check commit #6801
  • Generate PIN for PKI to help Dogtag in FIPS commit #6824
  • Backup CA cert from kerberos folder commit #6748
  • Allow renaming of the sudorule objects commit #2466
  • Allow renaming of the HBAC rule objects commit #6784
  • Reworked the renaming mechanism commit #2466, #6784
  • Bump samba version for FIPS and priv. separation commit #6671, #6697
  • Backup ipa-specific httpd unit-file commit #6748
  • Add debug log in case cookie retrieval went wrong commit #6774

Thierry Bordaz (1)

  • NULL LDAP context in call to ldap_search_ext_s during search commit #7017

Tibor Dudlák (11)

  • otptoken_yubikey.py: Removed traceback when package missing. commit #6979
  • topology.py: Removes error message from dictionary. commit #6533
  • Add test: test_xmlrpc/test_whoami_plugin.py commit #6745
  • whoami.py: Type error when running tests commit #7050
  • Create indexes for 'serverhostname' attribute commit #6939
  • Add --force-join into ipa-replica-install manpage commit #7011
  • dnsserver.py: dnsserver-find no longer returns internal server error commit #6571
  • Add Role 'Enrollment Administrator' commit #6852
  • server.py: Removes dns-server configuration from ldap commit #6572
  • sssd.py: Deprecating no-sssd option. commit #5860
  • client.py: Replace hardcoded 'admin' with options.principal commit #5406

Tibor Dudlák (2)

  • user.py: replace user_mod with ldap.update_entry() commit #5788
  • Add 'TIP' to enable copr repo. commit

Timo Aaltonen (2)

  • ipa-otpd.socket.in: Use a platform specific value for KDC service file commit #6845
  • configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit

Tomas Krizek (25)

  • Become IPA 4.6.0 commit
  • Contributors.txt: update commit
  • zanata: update translations for ipa-4-6 commit
  • zanata: set project version to ipa-4-6 commit
  • dnssec: keep dnssec daemons in Python2 commit #4985
  • ipatests: collect log after ipa-ca-install commit #7060
  • dnssec: fix localhsm.py utility script commit #7116
  • prci: add caless tests commit
  • makerpms.sh: make git checkout optional commit #6605
  • build: checkout *.po files at the end of makerpms.sh commit #6605
  • freeipa-pr-ci: enable pull-request CI commit
  • ipactl: log check_version exception commit
  • logging: make sure logging level is set to proper value commit
  • ipatests: do not finalize api when IPA is not configured commit #7046
  • ipatests: do not collect systemd journal when logfile_dir is missing commit #6971
  • ipatests: add systemd journal collection for multihost tests commit #6971
  • ipatests: change logdir naming pattern for multihost tests commit #6971
  • named.conf template: add modification warning commit
  • ca, kra install: validate DM password commit #6892
  • installutils: add DM password validator commit #6892
  • ca install: merge duplicated code for DM password commit #6892
  • upgrade: add missing suffix to http instance commit #6920
  • installer service: fix typo in service entry commit #6920
  • python2-ipalib: add missing python dependency commit #6920
  • kra install: update installation failure message commit #6923

Thorsten Scherf (2)

  • Changed ownership of ldiffile to DS_USER commit #7010
  • Fixed typo in ipa-client-install output commit