The FreeIPA team would like to announce FreeIPA 4.6.0 release!

It can be downloaded from https://releases.pagure.org/freeipa/. Builds for Fedora 26 and 27 are available in the official COPR repository https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ .

Highlights in 4.6.0#

Enhancements#

Python 3 is now supported.

Known Issues#

WebUI may not work in some configurations [#7126, #7127]
Attempting to uninstall when IPA isn’t installed prints confusing strings [#7063]

Bug fixes#

Contains all bugfixes and enhancements of 4.5.1, 4.5.2 and 4.5.3 releases.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

#7123 External CA renewal fails when IPA CA subject DN does not match “CN=Certificate Authority, {subject-base}”
#7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
#7108 ipa-backup broken because of cyclic import
#7086 [ipatests] - add caless to cafull tests
#7066 WebUI: All columns of user in group table are clickable
#7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
#7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com
#6605 make lint + make modifies PO files in place
#6582 Web UI: Change “Host Based” and “Role Based” to “Host-Based” and “Role-Based”
#6447 [WebUI] Remove offline version of WebUI
#6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’
#6176 Updating of dns system records rapidly slowdown uninstallation
#7121 ipa otptoken-add-yubikey fails with python3
#7118 Fix CA-less installation due to incorrect with statement
#7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
#7100 test_caless: add SAN dNSName extensions for wildcard tests
#7088 Use X509v3 Basic Constraints “CA:TRUE” instead of “CA:FALSE” IPA CA CSR
#7076 Adjust to CURL whichs started to use OpenSSL - ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
#7053 Replica install fails to configure IPA-specific temporary files/directories
#7052 WebUI: search facet spec actions contains ‘undefined’ item
#7051 ipapython/graph.py complexity optimization
#7050 Type error when running tests for whoami command.
#7046 missing default basedn causes failure during initialization of multi host tests
#7030 tests: CA-less test suite broken due to missing subject key identifier extension
#7011 –force-join option is not mentioned in ipa-replica-install man page
#7010 ipa-backup fails silently
#7002 adtrustinstance: broken ID range assessment
#6987 ca-add: invalid X.509 DN fails ungracefully
#6986 make pylint is not working on F26
#6980 Pagination Size under Customization in IPA WebUI accepts negative values
#6976 External CA: check that IPA CA certificate contains Subject Key Identifier
#6974 WebUI: Fix unit webUI tests
#6971 ipatests: collect systemd journal
#6956 Backup and restore tests faliling
#6946 ipa-replica-manage del (dl 0) doesn’t remove server from defaultServerList
#6945 Bring back error messages from certificate validation
#6943 server-del doesn’t remove server from defaultServerList in cn=default,ou=profile,$BASE
#6940 installer should indicate that it is waiting for keys
#6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
#6928 ipa-managed-entries incorrectly states server not installed
#6865 minor spelling mistake in ipa-adtrust-install.1
#6863 minor spelling mistake
#6852 [RFE] Create client enrollment role
#6849 Priority field missing in required field incicator - *
#6845 ipa-otpd.socket.in has wrong kdc service name for Debian
#6834 ipa-kdc-proxy.conf.template hardcodes python module directory
#6822 git-commit-template: update ticket URL to use pagure.io instead of fedorahosted.org
#6818 Update asn1c code in /asn1/asn1c
#6809 Failed to write schema: b’sudo/1’ is not JSON serializable
#6745 [test] ipa whoami command
#6725 No page for information on build from source
#6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP
#6591 pytest 3.0: yield tests are deprecated
#5990 Py3: zonemgr_callback: expected unicode, got bytes
#5919 cert-request rfc822Name check compares whole email address case-sensitively
#4985 [RFE] Support Python 3

Detailed changelog since 4.5.3#

Alexander Bokovoy (13)#

csrgen: support openssl 1.0 and 1.1 commit #7110
dcerpc: support Python 3 commit #4985
ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later commit #6877
ipa-sam: use own private structure, not ldapsam_privates commit #6877
trust-mod: allow modifying list of UPNs of a trusted forest commit #7015
ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736
Fix index definition for ipaAnchorUUID commit #6975
krb5: make sure KDC certificate is readable commit #6973
trust: always use oddjobd helper for fetching trust information commit
ipaserver/dcerpc: unify error processing commit #6859
adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786
server: make sure we test for sss_nss_getlistbycert commit #6828
ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797

Abhijeet Kasurde (6)#

Vault testcase improvement commit #7098
Minor typo fixes commit #6865
Minor typo in details.js commit #6863
Hide request_type doc string in cert-request help commit #5734, #6494
Hide PKI Client database password in log file commit
Use with statement for opening file commit

Alex Zeleznikov (1)#

Sort SRV records by priority commit

Aleksei Slaikovskii (3)#

ipapython/graph.py redundant variable fix commit
ipapython/graph.py String formatting commit
ipapython/graph.py complexity optimization commit #7051

Ben Lipton (4)#

csrgen: Beginnings of NSS database support commit #4899
csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo commit #4899
csrgen: Change to pure openssl config format (no script) commit #4899
csrgen: Remove helper abstraction commit #4899

Christian Heimes (40)#

Misc Python 3 fixes for ipaserver.secrets commit #4985
Reimplement yield tests are parametrized tests commit #6591
Silence pytest.yield_fixture deprecation warning commit #6591
Slim down dependencies commit
Vault: Explicitly default to 3DES CBC commit #6899
Band-aid for pip dependency bug commit
Correct PyPI package dependencies commit #6875
tox: use pylint 1.6.x for now commit #6874
Replace _BSD_SOURCE with _DEFAULT_SOURCE commit #6818
Regenerate ASN.1 code with asn1c 0.9.28 commit #6818
tox testing support for client wheel packages commit
Stabilize make pypi_packages commit
Replace hard-coded kdcproxy path with WSGI script commit #6834
Use entry_points for ipa CLI commit #6653, #6850
Don’t hard-code with_wheels commit
Add an option to build ipaserver wheels commit
Add extra_requires for additional dependencies commit
Conditionally import pyhbac commit
Skip test_session_storage in ipaclient unittest mode commit
Add make devcheck for developers commit #6604
session storage parameters must be bytes commit
Fix ipatests.util doc tests commit
Use Custodia 0.3.1 features commit
Simplify KRA transport cert cache commit #6787
pytest 3.x compatibility commit
Constrain wheel package versions commit #6468
Move remaining util functions to tasks module commit #6798
Ship ipatests.pytest_plugins.integration commit #6798
Move function run_repeatedly to tasks module commit #6798
Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798
Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798
Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798
Move config module to ipatests.pytest_plugins.integration.config commit #6798
Move helper code for integration plugin commit #6798
Increase Apache HTTPD’s default keep alive timeout commit
Add debug logging for keep-alive commit
Use connection keep-alive commit #6641
Add options to run only ipaclient unittests commit #6517
Python 3: Fix session storage commit
Fix Python 3 pylint errors commit

David Kreitschmann (4)#

Disable pylint in get_help function because of type confusion. commit
Store help in Schema before writing to disk commit
Use os.fsync instead of os.fdatasync because macOS doesn’t support fdatasync commit
Fix libkrb5 filename for macOS commit

David Kupka (22)#

tests: certmap: Add test for user-{add,remove}-certmap commit #7105
tests: tracker: Add CertmapdataMixin tracker commit #7105
tests: certmap: Add test for certmapconfig-{mod,show} commit #7105
tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105
tests: certmap: Test permissions for certmap commit #7105
tests: certmap: Add basic tests for certmaprule commands commit #7105
tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105
tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105
tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105
tests: tracker: Split Tracker into one-purpose Trackers commit #7105
install: replica: Show message about key synchronization commit #6940
kra: promote: Get ticket before calling custodia commit #7020
ipapython.ipautil.run: Add option to set umask before executing command commit #6831
otptoken-add-yubikey: When –digits not provided use default value commit #6900
Bump version of ipa.conf file commit #6860
Create system users for FreeIPA services during package installation commit #6743
WebUI: cert login: Configure name of parameter used to pass username commit #6860
httpinstance.disable_system_trust: Don’t fail if module ‘Root Certs’ is not available commit #6803
spec file: Bump requires to make Certificate Login in WebUI work commit #6823
rpcserver.login_x509: Actually return reply from __call__ method commit #6819
Create temporaty directories at the begining of uninstall commit #6715
ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738

felipe (1)#

Fixing replica install: fix ldap connection in domlvl 0 commit #6549

Felipe Volpone (3)#

Removing part of circular dependency of ipalib in ipaplaform commit #7108
Changing how commands handles error when it can’t connect to IPA server commit #6261
py3: fixing zonemgr_callback commit #5990

Felipe Volpone (5)#

Adding section “Building FreeIPA from source” on README commit #6725
Changing cert-find to go through the proxy instead of using the port 8080 commit #6966
Changing cert-find to do not use only primary key to search in LDAP. commit #6948
Fixing adding authenticator indicators to host commit #6911
Fixing the cert-request comparing whole email address case-sensitively. commit #5919

Fabiano Fidêncio (1)#

Allow erasing ipaDomainResolutionOrder attribute commit #6825

Florence Blanc-Renaud (22)#

Fix Certificate renewal (with ext ca) commit #7106
Fix ipa-server-upgrade: This entry already exists commit #7125
ipa-replica-conncheck: handle ssh not installed commit #6935
ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925
ipa-replica-manage del (dl 0): remove server from defaultServerList commit #6946
server-del: update defaultServerList in cn=default,ou=profile,$BASE commit #6943
ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895
ipa-server-install: fix uninstall commit #6950
ipa-kra-install manpage: document domain-level 1 commit #6922
ipa-kra-install: fix check_host_keys commit #6934
ipa-server-install with external CA: fix pkinit cert issuance commit #6921
ipa-client-install: remove extra space in pkinit_anchors definition commit #6916
vault: piped input for ipa vault-add fails commit #6907
upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881
tests: add non-reg for idrange-add commit #6404
Upgrade: add gidnumber to trusted domain entry commit #6827
ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827
idrange-add: properly handle empty –dom-name option commit #6404
ipa-ca-install man page: Add domain level 1 help commit #5831
git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org commit #6822
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813
man ipa-cacert-manage install needs clarification commit #6795

Fraser Tweedale (14)#

Fix external renewal for CA with non-default subject DN commit #7123
py3: handle bytes in schema response commit #6809
py3: fix vault public key decoding commit #7033
cert: fix application of ‘str’ to bytes when formatting otherName commit #4985
py3: fix schema response for py2 server with py3 client commit #4985
Fix incorrect ‘with’ statement in CA-less installation commit #7118
Restore old version of caIPAserviceCert for upgrade only commit #7097
cert-request: simplify request processing commit #6531
Add CommonNameToSANDefault to default cert profile commit #7007
Add a README to certificate profile templates directory commit #7014
py3: fix regression in schemaupdate commit #4985
ca-add: validate Subject DN name attributes commit #6987
Add Subject Key Identifier to CA cert validity check commit #6976
Support 8192-bit RSA keys in default cert profile commit #6319

Jan Cholasta (61)#

pylint: enable logging checks commit
logging: do not use `ipa_log_manager` to create module-level loggers commit
logging: do not log into the root logger commit
logging: do not reference loggers in arguments and attributes commit
doc: sync guide.org with cli.py commit
logging: remove object-specific loggers commit
logging: use the actual root logger as the root logger commit
logging: port to standard Python logging commit
logging: do not configure any handlers by default commit
wsgi, oddjob: remove needless uses of Env commit
config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn` commit
ldap2: remove URI argument from ldap2 constructor commit
test_ldap: drop redundant URI argument commit
{ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections commit
user, migration: use LDAPClient for ad-hoc LDAP connections commit
install: do not assume /etc/krb5.conf.d exists commit #6589
server upgrade: do not enable PKINIT by default commit #7000
pkinit manage: introduce ipa-pkinit-manage commit #7000
server certinstall: update KDC master entry commit #7000
httpinstance: wait until the service entry is replicated commit #6867
server certinstall: support PKINIT commit #6831
cacert manage: support PKINIT commit #6831
replica install: respect –pkinit-cert-file commit #6831
server install: fix KDC certificate validation in CA-less commit #6831, #6869
certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869
certs: do not export keys world-readable in install_key_from_p12 commit #6831
server install: fix KDC PKINIT configuration commit #6831
install: introduce generic Kerberos Augeas lens commit #6831
client install: fix client PKINIT configuration commit #6831
install: trust IPA CA for PKINIT commit #6831
certdb: use custom object for trust flags commit #6831
certdb, certs: make trust flags argument mandatory commit #6831
certdb: add named trust flag constants commit #6831
ipa-cacert-manage: add –external-ca-type commit #5799
renew agent: get rid of virtual profiles commit #5799
renew agent: always export CSR on IPA CA certificate renewal commit #5799
renew agent: allow reusing existing certs commit #5799
cainstance: use correct profile for lightweight CA certificates commit #5799
server upgrade: always fix certmonger tracking request commit #5799
renew agent: respect CA renewal master setting commit #5799
spec file: bump krb5 Requires for certauth fixes commit #4905
spec file: bump python-netaddr Requires commit #6894
configure: fix AC_CHECK_LIB usage commit #6846
cert: defer cert-find result post-processing commit #6808
renew agent, restart scripts: connect to LDAP after kinit commit #6757
renew agent: revert to host keytab authentication commit #6757
install: request service certs after host keytab is set up commit #6757
dsinstance, httpinstance: consolidate certificate request code commit #6757
httpinstance: avoid httpd restart during certificate request commit #6757
dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757
httpinstance: make sure NSS database is backed up commit #4639
certdb: fix `AttributeError` in `verify_ca_cert_validity` commit
setup, pylint, spec file: drop python-nss dependency commit
certdb: use certutil and match_hostname for cert verification commit
spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828
spec file: bump krb5-devel BuildRequires for certauth commit #4905
cert: do not limit internal searches in cert-find commit #6716
replica prepare: fix wrong IPA CA nickname in replica file commit #6777
httpinstance: clean up /etc/httpd/alias on uninstall commit #4639
certs: do not implicitly create DS pin.txt commit #4639
tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773

René Genz (3)#

fix minor spelling mistakes commit
fix spelling mistake; minor rewording commit
fix minor typos in ipa-adtrust-install.1 commit

Martin Babinsky (45)#

Move tmpfiles.d configuration handling back to spec file commit #7053
Do not remove the old masters when setting the attribute fails commit #7029
*config-show: Do not show empty roles/attributes commit #7029
smart-card-advises: ensure that krb5-pkinit is installed on client commit #7036
smart card advise: use password when changing trust flags on HTTP cert commit #7036
smart card advises: use a wrapper around Bash `for` loops commit #7036
Use the compound statement formatting API for configuring PKINIT commit #7036
Fix indentation of statements in Smart card advises commit #7036
delegate formatting of compound Bash statements to dedicated classes commit #7036
advise: add an infrastructure for formatting Bash compound statements commit #7036
delegate the indentation handling in advises to dedicated class commit #7036
add a class that tracks the indentation in the generated advises commit #7036
Allow to pass in multiple CA cert paths to the smart card advises commit #7036
smart-card advises: add steps to store smart card signing CA cert commit #7036
smart-card advises: configure systemwide NSS DB also on master commit #7036
Prepare advise plugin for smart card auth configuration commit #6982
Extend the advice printing code by some useful abstractions commit #6982
fix incorrect suffix handling in topology checks commit #6965
Do not delete DS and PKI users during backup/restore tests commit #6956
test_backup_restore: do not fail on missing KrbLastSuccessfulAuth commit #6956
only stop/disable simple service if it is installed commit #6977
test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937
Add `pkinit-status` command commit #6937
Add the list of PKINIT servers as a virtual attribute to global config commit #6937
Add an attribute reporting client PKINIT-capable servers commit #6937
Refactor the role/attribute member reporting code commit #6937
Allow for multivalued server attributes commit #6937
Travis CI: Add the server uninstaller as a last step of tests commit #6950
Travis CI: explicitly update pip before running the builds commit
Do not test anonymous PKINIT after install/upgrade commit #6830
Upgrade: configure local/full PKINIT depending on the master status commit #6830
Use local anchor when armoring password requests commit #6830
Stop requesting anonymous keytab and purge all references of it commit #6830
Use only anonymous PKINIT to fetch armor ccache commit #6830
API for retrieval of master’s PKINIT status and publishing it in LDAP commit #6830
Allow for configuration of all three PKINIT variants when deploying KDC commit #6830
separate function to set ipaConfigString values on service entry commit #6830
Revert “Store GSSAPI session key in /var/run/ipa” commit #6880
Remove duplicate functionality in upgrade commit #6799
Always check and create anonymous principal during KDC install commit #6799
Ensure KDC is propery configured after upgrade commit #6792
Split out anonymous PKINIT test to a separate method commit #6792
Remove unused variable from failed anonymous PKINIT handling commit #6792
Upgrade: configure PKINIT after adding anonymous principal commit #6792
Travis CI: invoke integration test helper scripts before test execution commit

Martin Basti (63)#

DNS update: reduce timeout for CA records commit #6176
baseldap: fix format string commit
IPAOptionParser: fix dict comprehension commit
py3: run already ported scripts under py3 by default commit #4985
py3: temporary set dependencies to both py2 and py3 packages commit #4985
py3: test_otptoken_import: fix bytes usage commit #4985
py3: ipa_otptoken_import: fix hex decoding commit #4985
py3: ipa_otptoken_import: fix calling unicode on bytes commit #4985
py3: ipa_otptoken_import: fix lamba code inspection commit #4985
py3: Remove comparison >=2 of debnug log level commit #4985
py3: vault: data must be bytes commit #4985
py3: test_location_plugin: fix iteration over changed dict commit #4985
py3: test_kerberos_principal_aliases: fix code scope commit #4985
py3: dogtag.py: fix bytes warnings commit #4985
py3: travis: enable tests for plugins that are aleready working commit #4985
py3: secrets: remove iteritems usage commit #4985
Travis: check for BytesWarnings in httpd error_log commit
py3: ipaldap: fix encoding of datetime objects commit #4985
py3: LDAPClient: remove __del__ method commit
LDAPEntry: rename _orig to _orig_raw commit #4985
python-netifaces: update to reflect upstream changes commit #7021
Travis: enable temporary Py3 testing commit
Travis: build only py2 packages for py2 testing commit
Build: allow to build only py2 rpms for fedora commit
Remove network and broadcast address warnings commit #4317
replica install: add missing check for non-local IP address commit #4317
Remove ip_netmask from option parser commit #4317
CheckedIPAddress: remove match_local param commit #4317
refactor CheckedIPAddress class commit #4317
ipa-dns-install: remove check for local ip address commit #4317
Fix local IP address validation commit #4317
Explicitly ask for py2 dependencies in py2 packages commit #4985
Only warn when specified server IP addresses don’t match intf commit #2715, #4317
pylint: explicitly depends on python2-pylint commit #6986
py3: update_mod_nss_cipher_suite: ordering doesn’t work with None commit #4985
py3: urlfetch: use “file://” prefix with filenames commit #4985
py3: cainstance: fix BytesWarning commit #4985
py3: schemaupdate: fix BytesWarning commit #4985
py3: LDAP updates: use only bytes/raw values commit #4985
py3: softhsm key_id must be bytes commit #4985
py3: ipaldap: encode Boolean as bytes commit #4985
py3: ConfigParser: replace deprecated readfd with read commit #4985
py3: use ConfigParser instead of SafeConfigParser commit #4985
Add remote_plugins subdirectories to RPM commit #6927
custodia dep: require explictly python2 version commit #6962
pylint: ignore new checks added in 1.7 commit #6874
Pylint: fix ipa_forbidden_import checker commit #6874
travis: fix pylint execution with py3 commit #4985
py3: add missing py3 pylint depedencies commit #4985, #6874
adtrust: move SELinux settings to constants commit
httpd: move SELinux settings to constants commit
ipasetup: fix dependencies handling based on python version commit #6875
ipaclient: fix missing RPM ownership commit #6927
tests: add missing dependency iptables commit
ca_status: add HTTP timeout 30 seconds commit #6766
http_request: add timeout option commit #6766
Use proper SELinux context with http.keytab commit #6924
Store GSSAPI session key in /var/run/ipa commit #6880
Fix PKCS11 helper commit #6692
Remove surplus ‘the’ in output of ipa-adtrust-install commit #6864
collect audit.log for easier selinux investigation commit
Set “KDC:Disable Last Success” by default commit #5313
Set development version to 4.5.90 commit

Lewis Eason (1)#

Correct typo estabilish->establish in the install scripts commit

Michal Reznik (9)#

test_caless: add SAN dNSName extensions for wildcard tests commit #7100
test_caless: add replica ca-less to ca-full test (master caless) commit #6226, #7086
test_caless: add server_replica ca-less to ca-full test commit #7086
tests: fix external_ca test suite failing due to missing SKI commit #7099
test_caless: remove xfail in wildcard certificate tests commit #5603
test_caless: introduce new python makepki + fix SKI extension issue commit #7030
test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959
test_caless: add pkinit option and test it commit #6854
added krb5kdc.log to pytest logging commit

Nathaniel McCallum (1)#

ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace commit #7035

Oliver Gutierrez (1)#

Added plugins directory to paclient subpackages commit

Petr Spacek (1)#

ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri commit

Petr Vobornik (5)#

log progress of wait_for_open_ports commit #7083
control logging of host_port_open from caller commit #7083
kerberos session: use CA cert with full cert chain for obtaining cookie commit #6876
restore: restart/reload gssproxy after restore commit #6902
automount install: fix checking of SSSD functionality on uninstall commit #6861

Pavel Vomacka (34)#

Fixes bug in actions creating for search facet commit #7052
WebUI: fix showing required asterisk ‘*’ commit #6849
WebUI: Update unit test README commit #6974
Fixes details_test.js commit #6974
Fixes for widget_tests.js commit #6974
Fixes for aci_tests.js commit #6974
Fixes for entity_tests.js commit #6974
Fixes for ipa_test.js commit #6974
Add up to date JSON files commit #6974
Add loader.js into requirements of all HTML unit test files commit #6974
WebUI: remove creating js/libs symlink from makefile commit #6447
WebUI: Remove plugins symlink as it is unused commit #6447
Remove all old JSON files commit #6447
Revert “Web UI: Remove offline version of Web UI” commit
WebUI: Add hyphenate versions of Host(Role) Based strings commit #6582
WebUI: fix incorrectly shown links in association tables commit #7066
WebUI: fix jslint error commit
WebUI: change validator of page size settings commit #6980
WebUI: Add positive number validator commit #6980
WebUI: add support for changing trust UPN suffixes commit #7015
Bump version of python-gssapi commit #6796
Turn off OCSP check commit #6981, #6982
Change python-cryptography to python2-cryptography commit #6749
Turn on NSSOCSP check in mod_nss conf commit #6370
WebUI - Coverity: fix identical branches of if statement commit
WebUI - Coverity: fixed null pointer exception commit
WebUI: Coverity - add explicit window object to alert methods commit
WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772
WebUI: Fix showing vault in selfservice view commit #6812
WebUI: suppress truncation warning in select widget commit #6618
WebUI: Add support for suppressing warnings commit #6618
WebUI: Add support for login for AD users commit #3242
WebUI: add method for disabling item in user dropdown menu commit #3242
WebUI: check principals in lowercase commit #3242

Rob Crittenden (2)#

Include the CA basic constraint in CSRs when renewing a CA commit #7088
Pass ipa-ca-agent credentials as PEM files commit #7076

Gabe (2)#

Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches commit #6896
Add –password-expiration to allow admin to force user password expiration commit

Sumit Bose (11)#

ipa_pwd_extop: do not generate NT hashes in FIPS mode commit #7026
ipa-sam: replace encode_nt_key() with E_md4hash() commit #7026
ipa-kdb: use canonical principal in certauth plugin commit #6993
ipa-kdb: reload certificate mapping rules periodically commit #6963
IPA-KDB: use relative path in ipa-certmap config snippet commit #6833
extdom: improve cert request commit #6826
extdom: do reverse search for domain separator commit
ipa-kdb: do not depend on certauth_plugin.h commit #4905
configure: fix –disable-server with certauth plugin commit #6816
IPA certauth plugin commit #4905
ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905

Simo Sorce (12)#

Always check peer has keys before connecting commit
Make sure we check ccaches in all rpcserver paths commit
Revert setting sessionMaxAge for old clients commit #7001
Add code to be able to set default kinit lifetime commit #7001
Fix rare race condition with missing ccache file commit
Make sure remote hosts have our keys commit #6838
Fix s4u2self with adtrust commit #6862
Prevent churn on ccaches commit #6775
Work around issues fetching session data commit #6775
Handle failed authentication via cookie commit #6775
Avoid growing FILE ccaches unnecessarily commit #6775
Add options to allow ticket caching commit #6771

Stanislav Laznicka (97)#

spec: remove strict options from shebangs commit #4985
spec: have the scripts depend on py3 packages commit #4985
spec: remove python3 workaround commit #4985
Remove unused variable commit
certmonger: remove temporary workaround commit
cert: fix wrong assumption of cert-show result type commit #4985
rpc: don’t encode bytes commit #4985
py3: Fix searching for yubikeys commit #7121
py3: remove relative import commit #4985, #6874
py3: remove Exception.message appearances commit #4985, #6874
Fix cert file creation during CA-less installation commit #7118
Uninstall: fix BytesWarning exception commit #4985
Unify storing certificates in LDAP commit #4985
py3: fix caless to CA promotion on replica commit #4985
cacert_manage: fix CA cert renewal commit #4985
python3: port certmonger requests script commit #4985
crtmgr: fix bug if CERTMONGER_CERTIFICATE not set commit #4985
certmonger: finish refactoring for request script commit #4985
certmonger: fix storing retrieved certificates commit #4985
Make the IPA server run under Python 3 by default commit #4985
Turn IPA scripts to python3 -bb for testing commit #4985
py3: Depend on newer pyldap for server-upgrade commit #4985
ipautil: port host_port_open() to python 3 commit #4985
conncheck: fix progression on failure commit #4985
kerberos: fix sorting Principal objects commit #4985
host, service: fix adding host/svc with a cert commit #7077
server plugin: pass bytes to ldap.modify_s commit #4985
replica: fix SetuptoolsVersion comparison commit #4985
replica-prepare: run the script in py3 by default commit #4985
certs: write and read bytes as such commit #4985
client: make ipa-client-install py3 compatible commit #4985
cainstance: read cert file as bytes commit #4985
ca: TypeError fix commit #4985
krainstance: fix writing str to file commit #4985
replica-conncheck: log when failed to RPC connect commit
Fixup of not-so-good PEM certs commit #4985
x509,certdb: handle certificates as bytes commit #4985
Create a Certificate parameter commit #4985
parameters: relax type checks commit #4985
tests: fix failing HTTPS connection commit #4985
Introduce load_unknown_x509_certificate() commit #4985
x509: Make certificates represented as objects commit #4985
Split x509.load_certificate() into PEM/DER functions commit #4985
README: Fix trailing whitespace commit
Ensure network is online prior to an upgrade commit #7039
rpcserver: remove addition of str and bytes commit #4985
wsgi plugins: mod_wsgi expects bytes as an output commit #4985
adtrustinstance: write the conf as a string commit #4985
adtrustinstance: pep8 fix commit
More verbose error message on kdc cert validation commit #6945
cert-validate: keep all messages in cert validation commit #6945
adtrustinstance: fix ID range comparison commit #7002
Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm() commit
ipadiscovery: Return realm as a string commit #4985
session_storage: Correctly handle string/byte types commit #4985
rpc: avoid possible recursion in create_connection commit #6796
rpc: preparations for recursion fix commit #6796
Avoid possible endless recursion in RPC call commit #6796
kdc.key should not be visible to all commit #6973
Change ConfigParser to RawConfigParser commit #4985
ca/cert-show: check certificate_out in options commit #6885
Remove pkinit-anonymous command commit #6936
Make a doctext more clear commit
Provide useful messages during cert validation commit #6945
cert-show: writable files does not mean dirs commit #6883
fix managed-entries printing IPA not installed commit #6928
Fix wrong message on Dogtag instances stop commit #6766
Make CA/KRA fail when they don’t start commit #6766
Remove the cachedproperty class commit #6878
Refresh Dogtag RestClient.ca_host property commit #6878
compat plugin: Update link to slapi-nis project commit
compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821
Move the compat plugin setup at the end of install commit #6821
compat-manage: behave the same for all users commit #6821
Fix CAInstance.import_ra_cert for empty passwords commit #6878
Fix RA cert import during DL0 replication commit #6878
ext. CA: correctly write the cert chain commit #6872
server-install: No double Kerberos install commit #6757
Fix CA-less to CA-full upgrade commit #6853
replicainstall: better client install exception handling commit #6183
Add the force-join option to replica install commit #6183
server-install: remove broken no-pkinit check commit #6807
Add pki_pin only when needed commit #6839
Remove publish_ca_cert() method from NSSDatabase commit #6806
Get correct CA cert nickname in CA-less commit #6806
Remove redundant option check for cert files commit #6801
replica-prepare man: remove pkinit option refs commit #6801
Don’t allow setting pkinit-related options on DL0 commit #6801
Fix the order of cert-files check commit #6801
Generate PIN for PKI to help Dogtag in FIPS commit #6824
Backup CA cert from kerberos folder commit #6748
Allow renaming of the sudorule objects commit #2466
Allow renaming of the HBAC rule objects commit #6784
Reworked the renaming mechanism commit #2466, #6784
Bump samba version for FIPS and priv. separation commit #6671, #6697
Backup ipa-specific httpd unit-file commit #6748
Add debug log in case cookie retrieval went wrong commit #6774

Thierry Bordaz (1)#

NULL LDAP context in call to ldap_search_ext_s during search commit #7017

Tibor Dudlák (11)#

otptoken_yubikey.py: Removed traceback when package missing. commit #6979
topology.py: Removes error message from dictionary. commit #6533
Add test: test_xmlrpc/test_whoami_plugin.py commit #6745
whoami.py: Type error when running tests commit #7050
Create indexes for ‘serverhostname’ attribute commit #6939
Add –force-join into ipa-replica-install manpage commit #7011
dnsserver.py: dnsserver-find no longer returns internal server error commit #6571
Add Role ‘Enrollment Administrator’ commit #6852
server.py: Removes dns-server configuration from ldap commit #6572
sssd.py: Deprecating no-sssd option. commit #5860
client.py: Replace hardcoded ‘admin’ with options.principal commit #5406

Tibor Dudlák (2)#

user.py: replace user_mod with ldap.update_entry() commit #5788
Add ‘TIP’ to enable copr repo. commit

Timo Aaltonen (2)#

ipa-otpd.socket.in: Use a platform specific value for KDC service file commit #6845
configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit

Tomas Krizek (25)#

Become IPA 4.6.0 commit
Contributors.txt: update commit
zanata: update translations for ipa-4-6 commit
zanata: set project version to ipa-4-6 commit
dnssec: keep dnssec daemons in Python2 commit #4985
ipatests: collect log after ipa-ca-install commit #7060
dnssec: fix localhsm.py utility script commit #7116
prci: add caless tests commit
makerpms.sh: make git checkout optional commit #6605
build: checkout *.po files at the end of makerpms.sh commit #6605
freeipa-pr-ci: enable pull-request CI commit
ipactl: log check_version exception commit
logging: make sure logging level is set to proper value commit
ipatests: do not finalize api when IPA is not configured commit #7046
ipatests: do not collect systemd journal when logfile_dir is missing commit #6971
ipatests: add systemd journal collection for multihost tests commit #6971
ipatests: change logdir naming pattern for multihost tests commit #6971
named.conf template: add modification warning commit
ca, kra install: validate DM password commit #6892
installutils: add DM password validator commit #6892
ca install: merge duplicated code for DM password commit #6892
upgrade: add missing suffix to http instance commit #6920
installer service: fix typo in service entry commit #6920
python2-ipalib: add missing python dependency commit #6920
kra install: update installation failure message commit #6923

Thorsten Scherf (2)#

Changed ownership of ldiffile to DS_USER commit #7010
Fixed typo in ipa-client-install output commit

Highlights in 4.6.0

Contents