Jump to: navigation, search

Releases/4.9.0rc1

Revision as of 17:47, 17 November 2020 by Ab (talk | contribs) (Created page with " {{ReleaseDate|2020-11-17}} The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1! It can be downloaded from http://www.freeipa.org/page/Downloads. At th...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Release date Released 2020-11-17

The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1!

It can be downloaded from http://www.freeipa.org/page/Downloads. At this point, we do not plan to provide releases to Fedora 33 or earlier versions due to a large number of changes coming with FreeIPA 4.9 series.

Contents

Highlights in 4.9.0 release candidate 1

  • 298: [RFE] Add support for cracklib to password policies
FreeIPA password quality checking plugin has been extended to use libpwquality library. Password policies can now check for a reuse of a user name, dictionary words using a cracklib package, numbers and symbols replacement and repeating characters in the passwords.

  • 2445: [RFE] IdM password policy should include checks for repeating characters
FreeIPA password quality checking plugin has been extended to use libpwquality library. Password policies can now check for a reuse of a user name, dictionary words using a cracklib package, numbers and symbols replacement and repeating characters in the passwords.

  • 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.

  • 3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in Web UI

  • 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
Samba file server can now be configured on the FreeIPA-enrolled system to provide file services to users in IPA domain and to users from trusted Active Directory forests

  • 4751: Implement ACME certificate enrolment
Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the dogtag CA.

  • 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI



  • 5608: [RFE] Add Dogtag configuration extensions



  • 5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects.

  • 5948: [RFE] Implement pam_pwquality featureset in IPA password policies



  • 6783: [RFE] Host-group names command rename
host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected hostgroups ('ipaservers') cannot be renamed.

  • 7137: [RFE]: Able to browse different links from IPA web gui in new tabs



  • 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases.

  • 7522: Disable cert publishing in dogtag
Dogtag certificate publishing facility is not configured anymore as it is not used in FreeIPA.

  • 7577: [RFE] DNS package check should be called earlier in installation routine
The ``--setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.

  • 7695: ipa service-del <Principal name> should display principal name instead of Invalid 'principal'.
When deleting services, report exact name of a system required principal that couldn't be deleted.

  • 7966: Add support for JSON-RPC in ipa-join
ipa-join tool defaults to use of JSON-RPC protocol when communicating to IPA masters by default. The choice of JSON-RPC or XML-RPC is a compile-time setting now.

  • 7971: [RFE] Include hint for replication_wait_timeout if timeout fails



  • 8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write individual files per each certificate for Debian-based platforms.

  • 8114: [RFE] Delegate group membership management
It is now possible to associate group managers with the groups. Group managers have rights to add and remove members of the individual group rather than being administrators for every group.

  • 8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check whether the host backups are run has all the necessary (used) roles.

  • 8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.

  • 8233: 4.8.5 master Installation error
On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn't actually needed and thus was removed.

  • 8236: Enforce a check to prevent adding objects from IPA as external members of external groups
Command 'ipa group-add-member' allowed to specify any user or group for '--external' option. A stricter check is added to verify that a group or user to be added as an external member does not come from IPA domain.

  • 8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1.

  • 8241: Build fails on Fedora 30
SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions.

  • 8268: Prevent use of too long passwords
Kerberos tools limit password entered in kpasswd or kadmin tools to 1024 characters but do not allow to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.

  • 8275: Support systemd-resolved
FreeIPA DNS servers now detect systemd-resolved and configure it to pass through itself.

  • 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP.

  • 8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.

  • 8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
service delegation rules and targets now allow to specify hosts as a rule or a target's member principal.

  • 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.

  • 8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc) to have quoted attributes. Otherwise the aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow 389-ds syntax. Any third-party ACIs need to be updated manually.

  • 8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" take precedence.

  • 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.

  • 8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.

  • 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.

  • 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

  • 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This makes possible for 3rd-party plugins to supply full set of managed permissions.

  • 8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

  • 8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.

  • 8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults ; moreover, the man page for the configuration file was present.

  • 8401: Create platform definitions for freeipa-container
ipaplatform now provides container platform flavors for freeipa/freeipa-container

  • 8404: Detect and fail if not enough memory is available for installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.

  • 8444: EPN: enhance input validation
Various input validation checks were added to EPN.

  • 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down
EPN now displays a proper message if the configured SMTP server cannot be contacted.

  • 8449: EPN: enhance CLI option tests
EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.

  • 8488: SELinux blocks custodia key replication / retrieval for sub-CAs
SELinux: Make sure ipa_custodia_t has the necessary rights ; add dedicated policy rules for ipa-pki-retrieve-key.

  • 8490: It is not possible to edit KDC database when the FreeIPA server is running
kadmin.local command 'getprincs' is now supported

  • 8493: Synchronize index LDIF and index update files
Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domains operations. Performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.

  • 8503: pkispawn logs files are empty
On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with --debug to revert to the previous behavior.

  • 8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
Support reproducible builds for jQuery library

  • 8510: create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
Sometimes, requesting a TGT after a password reset fails because SSSD seems to select different hosts for these two sequential tasks, leaving no time for replication to replicate the password hashes. Add debug information to the test suites that exhibit the problem and always display the kdcinfo file maintained by SSSD that contains the KRB5KDC IP it should be pinned to.

  • 8530: Running ipa-server-install fails on machine where libsss_sudo is not installed
The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself.

Enhancements

Known Issues

  • 8240: KRA install fails if all KRA members are Hidden Replicas
If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.

Bug fixes

FreeIPA 4.9.0 release candidate 1 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 350 bug-fixes since FreeIPA 4.8.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.


Resolved tickets

  • #298 (rhbz#587752) [RFE] Add support for cracklib to password policies
  • #2018 (rhbz#1703564) Change hostname length limit to 64
  • #2445 (rhbz#798359) [RFE] IdM password policy should include checks for repeating characters
  • #3473 Switch to using RESTful interface in dogtag CA interface
  • #3687 (rhbz#913799) [RFE] IPA user account expiry warning.
  • #3827 [RFE] Expose TTL in web UI
  • #3999 (rhbz#837604) [RFE] Fix and Document how to set up Samba File Server with IPA
  • #4751 (rhbz#1851835) Implement ACME certificate enrolment
  • #4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled
  • #5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI
  • #5062 (rhbz#1229657) [WebUI] Unlock option is enabled for all user.
  • #5566 Permit creation of PTR records in non-.arpa master zones via the DNS UI
  • #5608 (rhbz#1405935) [RFE] Add Dogtag configuration extensions
  • #5628 webui: Unclear(UX) purpose of OTP field in password reset form on login
  • #5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters
  • #5879 (rhbz#1334619) Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
  • #5914 (rhbz#1298288) invalid setting of DS lock table size
  • #5948 (rhbz#1340463) [RFE] Implement pam_pwquality featureset in IPA password policies
  • #6115 (rhbz#1357495) ipa command provides stack trace when provided with single hypen commands
  • #6210 (rhbz#1364139, rhbz#1751951) When master's IP address does not resolve to its name, ipa-replica-install fails
  • #6423 Validate cert requests in Dogtag
  • #6474 Remove ipaplatform dependency from ipa modules
  • #6708 Unused config options
  • #6783 (rhbz#1430365) [RFE] Host-group names command rename
  • #6843 (rhbz#1428690) ipa-backup does not create log file at /var/log/
  • #6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
  • #6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
  • #6891 (rhbz#1461914) Move FreeIPA SELinux policy from system policy to project policy
  • #6951 (rhbz#1449133) Update samba config file and use sss idmap module
  • #6964 (rhbz#1442413) IPA password policy has no password difference checking
  • #7125 (rhbz#1480102) ipa-server-upgrade failes with "This entry already exists"
  • #7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs
  • #7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
  • #7188 Issues after promoting one CA-less IPA server to CA-full
  • #7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
  • #7305 (rhbz#1518153) PKINIT status not displayed in the web UI (IPA Server > Configuration)
  • #7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas
  • #7323 IPv6 hack for Travis CI
  • #7329 update_ra_cert_store does not remove private key from NSSDB
  • #7416 Uninstalling IPA requires on being in a existent working directory
  • #7522 Disable cert publishing in dogtag
  • #7534 (rhbz#1569011) Investigate failures to restore 389-ds attriubtes on upgrade failure
  • #7548 Need integration test for --external-ca-type=ms-cs
  • #7566 (rhbz#1591824) Installation of replica against a specific master
  • #7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine
  • #7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage
  • #7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents
  • #7610 ldapupdate.py users ldap.LOCAL_ERROR and other direct ldap exceptions while relying on ipaldap
  • #7630 (rhbz#1613015) ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
  • #7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
  • #7695 (rhbz#1623763) ipa service-del <Principal name> should display principal name instead of Invalid 'principal'.
  • #7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd-<instance> directory
  • #7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace
  • #7810 [F28] Require NSS with fix for p11-kit issue.
  • #7816 (rhbz#1642395) [WebUI] not able to set a password for user as Active Directory Administrator user
  • #7870 (rhbz#1680039) [certmonger][upgrade] "Failed to get request: bus, object_path and dbus_interface must not be None."
  • #7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored
  • #7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
  • #7908 Write tests for interactive prompt for NTP options.
  • #7929 (rhbz#1712794) ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
  • #7932 FreeIPA queries rely on missing attribute altsecurityidentities
  • #7933 FreeIPA must index certmap attributes.
  • #7938 'ipa dnszone-show/find' should display "Dynamic Update" and "Bind update policy" by default
  • #7949 test_integration/test_nfs.py fails at cleanup
  • #7958 (rhbz#1782169) traceback in idview
  • #7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
  • #7966 Add support for JSON-RPC in ipa-join
  • #7971 (rhbz#1715961) [RFE] Include hint for replication_wait_timeout if timeout fails
  • #7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
  • #7987 Python shebang: Use isolated mode
  • #7989 Pytest4.2+ errors
  • #7991 Use profile-based renewal for system certificates
  • #7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf
  • #7996 `test_selinuxusermap_plugin` fails against not default SELinux settings
  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
  • #8004 RHEL 8 uses nis-domainname instead of rhel-domainname
  • #8005 (rhbz#1729099) User field separator uses '$$' within ipaSELinuxUserMapOrder
  • #8007 Not stable nodeids within pytest
  • #8008 Azure Pipeline slicing
  • #8009 Missing execution bit on `ipa-run-tests` within virtualenv
  • #8010 Extended Kerberos Ticket Policy
  • #8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
  • #8013 (rhbz#1731433) ipa service-find does not list cifs service created by ipa-client-samba
  • #8015 p11helper: insufficient logging when loading LIBSOFTHSM2_SO
  • #8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
  • #8019 (rhbz#1732524) repeated uninstallation of ipa-client-samba crashes
  • #8020 support AES in LWCA key replication
  • #8021 (rhbz#1732528) ipa-client-samba can not install samba after uninstallation
  • #8022 azure pipeline: fail if dnf builddep exits on failure
  • #8024 [WebUI] test_webui/test_trust.py failed because of request timeout
  • #8026 Update pr-ci definitions with master_3client topology
  • #8027 test_nfs.py: migrate to master_3client
  • #8029 (rhbz#1749788) ipa host-find --pkey-only includes SSH keys in output
  • #8030 azure pipelines fail at "Install prerequisites" of Tox job
  • #8031 (rhbz#1734369) HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
  • #8034 Existing p11-kit config file is not restored on uninstall
  • #8038 (rhbz#1740167) ipa-client-automount --uninstall is not restoring nsswitch.conf
  • #8040 (rhbz#1731963) ipa migrate-ds fails with internal error.
  • #8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
  • #8048 Travis-CI sometimes fails at dnf
  • #8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
  • #8053 [WebUI] Fix login screen loading issue in test_loginscreen
  • #8054 (rhbz#1746557) ipa-client-install calls "authselect select sssd --force" at uninstall time before restoring user-nsswitch.conf
  • #8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
  • #8056 (rhbz#1746882) BuildRequires is not compatible with %{_libdir}
  • #8057 (rhbz#1747895) Running ipa-server-install produces SyntaxWarning: "is not" with a literal. Did you mean "!="?
  • #8062 Re-add configure_nsswitch_database, configure_nsswitch, ... to ipaclient.install
  • #8063 Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::()::test_nsswitch_backup_restore_sssd
  • #8064 Request for IPA CI to enable DS audit/auditfail logging
  • #8066 (rhbz#1750242) Don't use -t option to klist in adtrust code when timestamp is not needed
  • #8067 (rhbz#1750700) add default access control configuration to trusted domain objects
  • #8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
  • #8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
  • #8075 Don't create log file for helper scripts
  • #8077 New pylint 2.4.0 errors
  • #8079 (rhbz#1754530) [Security] By default, DNS recursion is open, breaking best practices
  • #8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
  • #8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN
  • #8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.
  • #8094 Allow using of a custom OpenSSL engine for ISC BIND
  • #8097 ipa user-add-certmapdata is not able to add several entries correctly
  • #8098 Host principals lack ACI to look up DNS objects in LDAP
  • #8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8
  • #8101 Wrong pytest requirement in specfile
  • #8102 Pylint 2.4.3 + Astroid 2.3.2 errors
  • #8104 RFE: Disable Stale/Inactive Users - Upstream Design Document
  • #8105 (rhbz#1759281) getcert with -F option returns before cacert file is created
  • #8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
  • #8110 (rhbz#1768015) Enable AES SHA 256 and 384 Kerberos enctypes
  • #8111 (rhbz#1768959) [FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
  • #8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
  • #8114 [RFE] Delegate group membership management
  • #8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
  • #8116 Pylint parallel execution with custom plugin
  • #8118 Run smoke tests in FIPS mode
  • #8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
  • #8122 (rhbz#1773528) group-add-member-manager does not report errors
  • #8123 (rhbz#1773528) [WebUI] Finish group membership management UI
  • #8124 Add option to ipa-cacert-manage to delete certificates
  • #8125 (rhbz#1777809) Use default crypto policy for TLS and enable TLS 1.3 support
  • #8129 Tests: Replace paramiko with OpenSSH
  • #8131 (rhbz#1777920) covscan memory leaks report
  • #8133 check_client_configuration() no longer works with IPA_CONFDIR
  • #8134 ipa user-add is inefficient
  • #8135 (rhbz#1777806) When Service weight is set as 0 for server in IPA location "IPA Error 903: InternalError" is displayed
  • #8137 reinstall failed in adding delegation layout
  • #8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL
  • #8142 check Not Before / Not After in externally signed CA sanity check
  • #8143 service.ldap_disable() does not remove "enabledService"
  • #8144 test_nfs.py: umount.nfs4: /home: device is busy
  • #8148 (rhbz#1782587) add "systemctl restart sssd" to warning message when adding trust agents to replicas
  • #8149 (rhbz#1783046) SIDs of AD domains do not display in ipa-client-samba installer
  • #8150 (rhbz#1784003) IPA Server install fail
  • #8151 test_commands timing-out
  • #8153 (rhbz#1784761) Kerberos ticket policy reset does not reset per-indicator policies
  • #8157 NIghtly test failure in fedora-rawhide/test_webui_network
  • #8159 please migrate to the new Fedora translation platform
  • #8163 (rhbz#1782572) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
  • #8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
  • #8169 NIghtly test failure in fedora-rawhide/test_webui_policy
  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
  • #8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package
  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate
  • #8179 Tests broken with python version < 3.7 (module 're' has no attribute 'Pattern')
  • #8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
  • #8189 (rhbz#1810179) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
  • #8190 (rhbz#1790886) ipa-client-automount fails after repeated installation/uninstallation
  • #8192 (rhbz#1665051) ipa-adtrust-install does not list service records for manual addition to DNS zone
  • #8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update
  • #8196 API: dnsrecord_del failure with empty list aaaarecord
  • #8200 (rhbz#1803786) ipa krb5kdc db: krb5kdc coredump
  • #8201 update ssbrowser.html
  • #8202 Azure: add support for multi-container tests
  • #8204 (rhbz#1810148) ipa-server-certinstall -> certmonger add_subject template-subject dbus 'unable to set arguments' a{sv}
  • #8207 Extend Web UI for Kerberos ticket policy to add authentication indicator support
  • #8214 Support for opendnssec 2.1.6
  • #8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles
  • #8219 ipatests: unify editing of sssd.conf
  • #8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy
  • #8222 Upgrade dojo.js
  • #8226 (rhbz#1813330) ipa-restore does not restart httpd
  • #8228 Nightly failure in backup/restore while calling 'id admin'
  • #8233 4.8.5 master Installation error
  • #8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups
  • #8239 Actualize Bootstrap version
  • #8240 (rhbz#1816784) KRA install fails if all KRA members are Hidden Replicas
  • #8241 Build fails on Fedora 30
  • #8247 test_fips PR-CI templates have a too-short timeout
  • #8248 httpd ccaches created during server upgrade aren't cleaned up on uninstall/install
  • #8251 [Azure] Catch coredumps
  • #8254 [Azure] 'Tox' task fails against Python3.8
  • #8261 [ipatests] Integration tests fail on non-firewalld distros
  • #8262 test_ipahealthcheck needs a higher timeout than 3600
  • #8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
  • #8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
  • #8266 test_webui_server requires a higher timeout than 3600
  • #8268 Prevent use of too long passwords
  • #8272 Use /run instead of /var/run
  • #8273 (rhbz#1834385) Man page syntax issue detected by rpminspect
  • #8275 (rhbz#1880628) Support systemd-resolved
  • #8276 Add default password policy for sysaccounts
  • #8283 Failures and AVCs with OpenDNSSEC 2.1
  • #8284 Upgrade jQuery version to actual one
  • #8287 named not starting after #8079, ipa-ext.conf breaks bind
  • #8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
  • #8290 API inconsistencies
  • #8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
  • #8297 Fix new pylint 2.5.0 warnings and errors
  • #8298 [WebUI] Cover membership management with UI tests
  • #8300 Replace uglify-js with python3-rjsmin
  • #8301 The value of the first character in target* keywords is expected to be a double quote
  • #8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
  • #8306 Adopt Black code style
  • #8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
  • #8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case
  • #8309 Convert ipaplatform from namespace package to regular package
  • #8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
  • #8312 Fix api.env.in_tree detection logic
  • #8313 Values of api.env.mode are inconsistent
  • #8315 (rhbz#1833266) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
  • #8316 [Azure] Whitelist clock_adjtime syscall
  • #8317 XML-RCP and CLI tests depend on internal --force option
  • #8319 Support server referrals for enterprise principals
  • #8322 [RFE] Changing default hostgroup is too easy
  • #8323 [Build failure] Race: make po fails on parallel build
  • #8325 [WebUI] Fix htmlPrefilter issue in jQuery
  • #8326 CVE-2020-10747
  • #8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
  • #8330 [Azure] Build job fails on `tests` container preparation
  • #8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
  • #8336 [WebUI] "User attributes for SMB services" section always shown
  • #8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
  • #8339 [WebUI] User details tab headers don't show member count when on settings tab
  • #8344 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
  • #8348 Allow managed permissions with ldap:///self bind rule
  • #8349 bind-9.16 and dnssec-enable
  • #8350 bind-9.16 and DLV
  • #8352 RPC API crashes when a user is disabled while a session exists
  • #8357 Allow managing IPA resources as a user from a trusted Active Directory forest
  • #8358 TTL of DNS record can be set to negative value
  • #8359 [WebUI] dnsrecord_mod results in JS error
  • #8360 lite-server: Werkzeug deprecation warnings
  • #8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
  • #8363 DNS config upgrade code fails
  • #8364 Nightly test failure while establishing trust: Cannot find specified domain or server name
  • #8366 CA-less replica deployment fails with --setup-ca
  • #8367 IPA-EPN fails to build in ONLY_CLIENT mode
  • #8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts
  • #8369 cert_find returns "CA not configured" in CA-less install
  • #8370 ipa-join does not set nshardwareplatform and nsosversion
  • #8371 Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
  • #8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords
  • #8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
  • #8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall
  • #8378 CA validity past year 2038 breaks cert.py plugin on 32-bit platform
  • #8379 Nightly test failure [testing_master_pki] while installing CA replica
  • #8381 Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
  • #8383 Test with dnspython 2.0
  • #8384 Provide reliable way to know if a server installation is complete
  • #8388 Make help() on plugins more useful
  • #8391 Remove dnf workaround from test_epn.y
  • #8394 Nightly test failure in cert-related tests
  • #8395 selinux don't audit rules deny fetching trust topology
  • #8396 [WebUI] Font type of "Enabled" column in user search facet wrong
  • #8399 certmonger attempts to add LWCA tracking requests on non-CA server.
  • #8400 sshd template file is installed in a wrong (server) location while used by the client side
  • #8401 Create platform definitions for freeipa-container
  • #8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
  • #8404 Detect and fail if not enough memory is available for installation
  • #8405 Don't delegate full TGT in ipa-join
  • #8407 Support changelog integrated into main database
  • #8408 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_client_enrollment_by_unprivileged_user
  • #8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock
  • #8413 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
  • #8414 Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
  • #8416 [WebUI] Error while adding user ID overrides to group
  • #8419 Azure is reporting a slew of new no-member lint errors
  • #8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
  • #8428 [ipatests] fails due to new python-cryptography 3.0
  • #8429 Add fips-mode-setup to ipaplatform.paths
  • #8432 test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
  • #8435 [ipatests] failures due to new Pytest6.0 (pypi part)
  • #8437 unit tests for ipa-extdom-extop are failing in Fedora 33
  • #8439 Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
  • #8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate
  • #8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
  • #8442 [pylint] warnings/errors against pylint 2.5.3
  • #8443 ipa delegation-add can add permissions and attributes several times
  • #8444 (rhbz#1866291) EPN: enhance input validation
  • #8445 (rhbz#1863079) EPN: '[Errno 111] Connection refused' when the SMTP is down
  • #8446 ipa dnszone-add ignores --name-from-ip option if name is given
  • #8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
  • #8449 (rhbz#1866291) EPN: enhance CLI option tests
  • #8456 Need new aci's for the new replication changelog entries
  • #8458 auto-upgrade will never happen for existing installations
  • #8459 [upgrade] handle missing openssh-clients
  • #8461 [ALTLinux] server uninstall error on missing /var/lib/samba
  • #8463 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
  • #8464 Increase replication changelog trimming interval
  • #8468 [pylint] new warnings on dev branch
  • #8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
  • #8473 Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
  • #8474 Mozilla's NSS without DBM
  • #8475 Azure: tox task and virtualenv 20+
  • #8481 Nightly test failure in rawhide in tasks.configure_dns_for_trust
  • #8482 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
  • #8488 (rhbz#1868432) SELinux blocks custodia key replication / retrieval for sub-CAs
  • #8490 (rhbz#1875001) It is not possible to edit KDC database when the FreeIPA server is running
  • #8491 Unindexed searches in FreeIPA git master
  • #8493 Synchronize index LDIF and index update files
  • #8494 Azure Pipelines are broken due to docker compose tool upgrade
  • #8496 [Tracker] Multiple nightly test failures in test_dnssec
  • #8498 Check 3rd-party IPA server HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
  • #8501 Unify how FreeIPA gets FQDN of current host
  • #8502 Don't create DirSRV SSCA
  • #8503 (rhbz#1879604) pkispawn logs files are empty
  • #8505 Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
  • #8507 [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
  • #8510 (rhbz#1881630) create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
  • #8511 The selinux subpackage does not have a requirement to match the server install
  • #8512 Import of psutil can trigger SELinux violation
  • #8513 (rhbz#1868432) SELinux module fails to load: Re-declaration of type node_t
  • #8515 (rhbz#1882340) nsslapd-db-locks patching no longer works
  • #8516 Nightly test failure (master) in ipa trust-add
  • #8518 Upgrade F32 to F33 fails in DNS upgrade code
  • #8519 Fedora container platform is incomplete
  • #8521 Speed up ipa-server-install
  • #8522 Remove cainstance.migrate_profiles_to_ldap()
  • #8523 Topology Graph returns Runtime Error
  • #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
  • #8528 Use separate logs for AD Trust and DNS installer
  • #8529 ipa-ca record incomplete when hostname is not in DNS
  • #8530 (rhbz#1859185) Running ipa-server-install fails on machine where libsss_sudo is not installed
  • #8533 Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply
  • #8535 (rhbz#1887928) RPM spec moves ssh server config to a snippet but does not ensure sshd_config includes the snippet
  • #8536 RFE: ipatests: run healthcheck on hidden replica
  • #8541 Nightly failure (fed33) in test_installation.py::TestInstallMaster::test_selinux_avcs
  • #8551 (rhbz#1784657) Unlock user accounts after a password reset and replicate that unlock to all IdM servers
  • #8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes
  • #8555 (rhbz#1340463) Nightly test failure in test_pwpolicy.py::test_pwpolicy::test_misc
  • #8558 Create backend entry before creating mapping tree entry for ipaca backend
  • #8559 Nightly test failure in test_trust.py::TestTrust::test_password_login_as_aduser
  • #8560 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
  • #8563 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
  • #8566 Subordinate suffixes aren't treated as subordinate in trust to Active Directory (crash part)
  • #8567 (rhbz#1894800) IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
  • #8572 Nightly failure in test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica
  • #8573 Nightly failure in test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
  • #8578 EPN: SMTP client downgrade smtp_security from `starttls` to `none`
  • #8579 EPN: SMTP client doesn't validate server certificate
  • #8580 EPN: SMTP client authentication by certificate
  • #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
  • #8585 Compile warnings on rawhide

Detailed changelog since 4.8.10

Armando Neto (25)

  • ipatests: Update PRCI Fedora 32 templates commit
  • ipatests: Add nightly definitions for enforcing mode commit
  • ipatests: Bump PR-CI templates commit #8473
  • ipatests: Bump PR-CI templates commit
  • ipatests: bump pr-ci templates commit
  • ipatests: bump pr-ci templates commit
  • ipatests: bump prci templates commit
  • ipatests: bump prci templates commit
  • prci: update templates for new Fedora release commit
  • Update instructions for Fedora 28 / FreeIPA 4.6.90 commit
  • prci: bump version for latest and previous templates commit
  • prci: Bump version of all templates commit
  • prci: update packages for rawhide nightly runs commit
  • ipatests: Skip test_sss_ssh_authorizedkeys method commit #8151
  • ipatests: Improve test_commands reliability commit
  • travis: Remove CI integration commit #7323
  • prci: bump template version for temp_commit and nightly_latest commit
  • prci: bump fedora release commit
  • prci: rename definitions files and jobs to change how fedora releases are referenced commit
  • prci: increase timeout argument for test_sssd.py commit
  • prci: increase timeout for jobs that required AD commit
  • prci: update packages for pki and testing nightly runs commit
  • Update definitions for nightly tests commit
  • prci: fix typo on nightly test definitions commit
  • prci: update test definitions commit

Alexander Bokovoy (140)

  • Become FreeIPA 4.9.0 release candidate 1 commit
  • Translations: update translations template commit
  • Add contributors from translations project at Weblate commit
  • Azure CI: mask chronyd in the container commit
  • spec: use pkgconf to find out krb5 version commit
  • Azure CI: use PPA to provide newer libseccomp version commit
  • Azure CI: use Ubuntu-20.04 image by default commit
  • ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints commit #8584
  • ipa-otpd: fix gcc complaints in Rawhide commit #8585
  • ipa-sam: fix gcc complaints on Rawhide commit #8585
  • ipa-kdb: fix gcc complaints in kdb tests commit #8585
  • ipa-kdb: fix gcc complaints commit #8585
  • wgi/plugins.py: ignore empty plugin directories commit #8567
  • ipa-kdb: fix crash in MS-PAC cache init code commit #8566
  • rpcserver: fix exception handling for FAST armor failure commit
  • rpcserver: fallback to non-armored kinit in case of trusted domains commit
  • pylint: remove unused variable commit
  • ipa-kdb: support subordinate/superior UPN suffixes commit #8554
  • Pre-populate IP addresses for the name server upgrades commit #8518
  • Specify memory limits as strings for docker compose commit #8494
  • ipa-kdb: test kadmin.local getprincs command commit #8490
  • ipa-kdb: support getprincs request in kadmin.local commit #8490
  • test_smb: make sure both smbserver and smbclient use IPA master for DNS commit #8344
  • Add new contributors commit
  • Add alternative email to the mailmap for myself commit
  • master: update po/ipa.pot commit
  • extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437
  • selinux: support running ipa-custodia with PrivateTmp=yes commit #8395
  • selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395
  • handle Y2038 in timestamp to datetime conversions commit #8378
  • update list of contributors commit
  • Update translation files commit
  • ipatests: test that adding Active Directory user to a role makes it an administrator commit #8357
  • Web UI: allow users from trusted Active Directory forest manage IPA commit #8335
  • tests: account for ID overrides as members of groups and roles commit #7255
  • Support adding user ID overrides as group and role members commit #7255
  • idviews: handle unqualified ID override lookups from Web UI commit #7255
  • support using trust-related operations in the server console commit
  • Add design page for managing IPA resources as a user from a trusted Active Directory forest commit #7816, #8357
  • kdb: handle enterprise principal lookup in AS_REQ commit #8319
  • ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset commit #8362
  • azure: do not run test_commands due to failures in low memory cases commit
  • test_smb: test S4U2Self operation by IPA service commit #8319
  • ipa-kdb: refactor principal lookup to support S4U2Self correctly commit #8319
  • ipa-kdb: cache local TGS in the driver context commit #8319
  • ipa-kdb: add primary group to list of groups in MS-PAC commit #8319
  • ipa-kdb: Always allow services to get PAC if needed commit #8319
  • ipa-kdb: add asserted identity SIDs commit #8319
  • kdb: add minimal server referrals support for enterprise principals commit #8319
  • ipa-tests: add a test to make sure MS-PAC is produced by KDC commit #8319
  • ipa-print-pac: acquire and print PAC record for a user commit #8319
  • ipa-kdb: add UPN_DNS_INFO PAC structure commit #8319
  • baseldap: de-duplicate passed attributes when checking for limits commit #8328
  • service delegation: allow to add and remove host principals commit #8289
  • WebUI: use python3-rjsmin to minify JavaScript files commit #8300
  • test_smb: test that we can auth as NetBIOS alias commit #8291
  • kdb: fix memory handling in ipadb_find_principal commit #8291
  • kdb: initialize flags in ipadb_delete_principal() commit #8291
  • Azure Pipelines: switch to Fedora 32 commit
  • Azure Pipelines: Override services known to not work in containers commit
  • Add pytest.skip_if_container() commit
  • CVE-2020-1722: prevent use of too long passwords commit #8268
  • Allow rename of a host group commit #6783
  • Add 'api' and 'aci' targets to make commit
  • Remove Fedora repository fastmirror selection commit
  • ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
  • ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN commit #7181
  • ipatests: test sysaccount password change with a password policy applied commit #7181
  • ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
  • Fix indentation levels commit
  • ipatests: always skip additional input for group-add-member --external commit #8236
  • po: update Chinese (China) translation commit
  • po: update Ukrainian translation commit
  • po: update Tajik translation timestamp commit
  • po: update Slovak translation timestamp commit
  • po: update Russian translation commit
  • po: update Portuguese (Brazil) translation timestamp commit
  • po: update Portuguese translation timestamp commit
  • po: update Polish translation commit
  • po: update Punjabi translation timestamp commit
  • po: update Dutch translation timestamp commit
  • po: update Marathi translation timestamp commit
  • po: update Kannada translation timestamp commit
  • po: update Japanese translation timestamp commit
  • po: update Indonesian translation timestamp commit
  • po: update Hungarian translation timestamp commit
  • po: update Hindi translation timestamp commit
  • po: update French translation commit
  • po: update Basque translation timestamp commit
  • po: update Spanish translation commit
  • po: update English (United Kingdom) translation timestamp commit
  • po: update German translation commit
  • po: update Czech translation timestamp commit
  • po: update Catalan translation timestamp commit
  • po: update Bengali translation timestamp commit
  • po: update ipa.pot template commit
  • Update translation infrastructure commit #8159
  • Keep ipa.pot translation file in git for weblate commit #8159
  • Do not force any particular sphinx theme commit
  • Override master document for ReadTheDocs commit
  • Move workshop documents to doc/workshop commit
  • Add unit 11: Kerberos ticket policy commit
  • Prevent adding IPA objects as external members of external groups commit #8236
  • Secure AJP connector between Dogtag and Apache proxy commit #8221
  • Tighten permissions on PKI proxy configuration commit #8221
  • Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+ commit
  • kdb: make sure audit_as_req callback signature change is preserved commit #8200
  • adtrust: print DNS records for external DNS case after role is enabled commit #8192
  • Update Azure Pipelines to use Fedora 31 commit
  • install/updates: move external members past schema compat update commit #8193
  • Reset per-indicator Kerberos policy commit #8153
  • ipa-client-samba: map domain sid of trust domain properly for display commit #8149
  • DNS install check: allow overlapping zone to be from the master itself commit
  • covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
  • covscan: free encryption types in case there is an error commit #8131
  • Add Authentication Indicator Kerberos ticket policy options commit #8001
  • Allow presence of LDAP attribute options commit #8001
  • Do not run trust upgrade code if master lacks Samba bindings commit #8001
  • Update contributors commit
  • Update translations commit
  • Add local helpers to handle unixid structure commit
  • adtrust: add default read_keys permission for TDO objects commit #8067
  • add default access control when migrating trust objects commit #8067
  • adtrust: avoid using timestamp in klist output commit #8066
  • Mark failing test as xfail for use of python-dns make_ds method commit
  • ipa-extdom-extop: test timed out getgrgid_r commit #8044
  • Update contributors commit
  • Update translations commit
  • Add Theodor van Nahl to the Contributors.txt commit
  • Restore SELinux context for p11-kit config overrides commit #7810
  • Change RA agent certificate profile to caSubsystemCert commit
  • certmaprule: add negative test for altSecurityIdentities commit #7932
  • certmap rules: altSecurityIdentities should only be used for trusted domains commit #7932
  • Create indexes for altSecurityIdentities and ipaCertmapData attributes commit #7932, #7933
  • Add altSecurityIdentities attribute from MS-WSPP schema definition commit #7932, #7933
  • Use stage and phase attempt counters when saving test artifacts commit
  • Use any nodejs version instead of forcing a version before nodejs 11 commit
  • Fix rpmlint errors for Rawhide commit
  • Set git master to 4.9.0 commit
  • Changing IPA master back to git snapshots commit

Abhijeet (1)

Alexandre Mulatinho (2)

  • ipa-join: allowing call with jsonrpc into freeipa API commit #7966
  • ipa-scripts: fix all ipa command line scripts to operate with -I commit #7987

Anuja More (18)

  • ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit
  • ipatests: xfail test with older versions of sssd commit
  • ipatests : Test to verify override_gid works with subdomain. commit
  • ipatests: xfail test with older versions of sssd commit
  • ipatests: Test that trusted AD users should not lose their AD domains. commit
  • Mark test to skip sssd-2.2.2 commit
  • ipatests: User and group with same name should not break reading AD user data. commit
  • ipatests: Added test when 2FA prompting configurations is set. commit
  • ipatests: SSSD should fetch external groups without any limit. commit
  • Update topology for test_integration/test_sssd.py commit
  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
  • After mounting "Unspecified GSS failure" should not be in logs. commit
  • Add xmlrpc test with input validation check for kerberos ticket policy. commit
  • Fix fedora version for xfail for sssd test commit
  • Add integration test for otp kerberos ticket policy. commit #8001
  • ipatests: filter_users should be applied correctly. commit
  • ipatests : Login via ssh using private-key for ipa-user should work. commit
  • Extdom plugin should not return error (32)/'No such object' commit #8044

Andika Triwidada (1)

  • Translated using Weblate (Indonesian) commit

Ariel O. Barria (1)

  • vagrant user does not have permission to write to /etc/resolv.conf commit

Alexander Scheel (3)

  • Specify cert_paths when calling PKIConnection commit #8379
  • Configure PKI AJP Secret with 256-bit secret commit #8372
  • Clarify AJP connector creation process commit

Peter Keresztes Schmidt (33)

  • WebUI: Unify adapter property definition for state evaluators commit #8336
  • WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336
  • ipa-backup/restore: remove remaining chdir calls commit #7416
  • ipa-join: handle JSON-RPC error codes commit #8408
  • ipa-join: extract common JSON-RPC response parsing to common function commit #8408
  • ipa-join: Generalize XML-RPC references in man page commit #7966
  • ipa-join: Use bool type where appropriate commit #7966
  • ipa-join: select {JSON,XML}-RPC at build time commit #7966
  • ipa-join: implement JSON-RPC based unenrollment commit #7966
  • ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function commit #7966
  • ipa-join: switch to jansson for json handling commit #7966
  • ipa-join: buffer curl response before parsing json commit #7966
  • ipa-join: improve curl error handling in JSON-RPC code commit #7966
  • ipa-join: don't set TLS related curl options for JSON-RPC commit #7966
  • Populate nshardwareplatform and nsosversion during join operation commit #8370
  • WebUI: Fix rendering of boolean_status_formatter commit #8396
  • Unify spelling of "One-Time Password" commit
  • WebUI: reword OTP info message displayed during PW reset commit #5628
  • WebUI: move OTP to be the last field in the PW reset form commit #5628
  • Split named custom config to allow changes in options stanza commit #8287
  • lite-server: Fix werkzeug deprecation warnings commit #8360
  • util: replace NSS usage with OpenSSL commit #6857
  • util: add unit test for pw hashing commit #6857
  • po: remove zanata config since translation was moved to weblate commit #8159
  • Remove unused support for dm_password arg from ldapupdate.connect commit #7610
  • Use ipaldap exceptions rather than ldap error codes in LDAP updater commit #7610
  • Specify min and max values for TTL of a DNS record commit #8358
  • WebUI: Add units to some DNS zone and IPA config fields commit
  • WebUI: Expose TTL of DNS records commit #3827
  • WebUI: Refresh DNS record data correctly after mod operation commit #8359
  • WebUI: Use data adapter to load facet header data commit #8339
  • WebUI: Fix invalid RPC calls when link widget has no pkey passed commit #8338
  • Remove remains of unused config options commit #6708

Christian Heimes (181)

  • Easier to use ipa_gethostfqdn() commit
  • Update debug strings to reflect new calls commit
  • Remove problematic optimization from gethostfqdn() commit
  • Replace nodename with ipa_gethostfqdn() commit #8501
  • Unify access to FQDN commit #8501
  • Reuse main LDAP connection commit #8521
  • Speed up cainstance.migrate_profiles_to_ldap commit #8521, #8522
  • Lookup ipa-ca record with NSS commit #8501, #8521, #8529
  • Simplify update code commit #8275
  • Don't add 127.0.0.1 to resolv.conf twice commit #8275
  • Require(post) systemd with resolved enabled on F33 commit #8275
  • Replace sudo with runuser commit #8530
  • Use separate install logs for AD and DNS instance commit #8528
  • Spawn PKI: Execute more steps early commit #8521
  • Dogtag: Remove set_audit_renewal step commit #8521
  • Skip offline dse.ldif patching by default commit #8521
  • Remove magic sleep from create_index_task commit #8521
  • Remove root-autobind configuration commit #8521
  • Verify freeipa-selinux's ipa module is loaded commit
  • Check ca_wrapped in ipa-custodia-check commit #8488
  • Retry chronyc waitsync only once commit #8521
  • configure_dns_resolver: call self.restore_context commit #8518
  • Drop unused extended sleep feature from Sleeper commit #8521
  • Faster certmonger wait_for_request() commit #8521
  • Add helper for poll/sleep loops with timeout commit #8521
  • Add missing fedora_container platform members commit #8519
  • Add more indices commit
  • Use single update LDIF for indices commit #8493
  • Also backup DNS config drop-ins commit #8275
  • Ensure that resolved.conf.d is accessible commit #8275
  • Fix compiler warning in ipa-kdb commit
  • Fix compiler warnings in libotp commit
  • Fix compiler warning in ipa-pwd-extop commit
  • trust-add: Catch correct exception when chown SSSD commit #8516
  • Fix nsslapd-db-lock tuning of BDB backend commit #5914, #8515
  • Create systemd-resolved configuration on update commit
  • Configure systemd-resolved to use IPA's BIND commit #8275
  • Use new API for auto-forwarders commit #8275
  • Configure NetworkManager to use systemd-resolved commit #8275
  • Add helpers for resolve1 and nameservers commit #8275
  • Make git a build requirement commit
  • Delay import of psutil to avoid AVC commit #8512
  • Add User and Group to all ipaplatform.constants commit
  • Use new classes for run_command and Service commit
  • Add user and group wrappers commit
  • Simplify LDAPUpdater commit
  • Add ldap_update() helper to service class commit
  • Don't create DS SSCA and self-signed cert commit #8502
  • Duplicate CA CRT: ignore expected cert commit #7125
  • Add krbPrincipalName pres index correctly commit #8491
  • Only restart DS when duplicate cacrt was found commit #7125
  • Treat container subplatforms like main platform commit #8401
  • Don't configure authselect in containers commit #8401
  • Convert ipa-httpd-pwdreader into Python script commit #8401
  • Explicitly pass keytab to ipa-join commit
  • Write state dir to smb.conf commit #8401
  • Add ipaplatform for Fedora and RHEL container commit #8401
  • Allow to override ipaplatform with env var commit #8401
  • Teach pylint how dnspython 2.x works commit #8419
  • Add missing SELinux rule for ipa-custodia.sock commit #8412
  • Make tab completion in console more useful commit
  • Add __signature__ to plugins commit #8388
  • Run test_fips in DS and PKI nightly commit
  • SELinux: Backport dirsrv_systemctl interface commit
  • RHEL 8.3 has KRB5 1.18 with KDB 8.0 commit
  • Terminology improvements: use block list commit
  • Terminology improvements: use allow list commit
  • Grammar: whitespace is a word commit
  • Terminology improvements: CA renewal commit
  • Use old uglifyjs on RHEL 8 commit #8300
  • Build ipa-selinux package on RHEL 8 commit
  • Prevent local account takeover commit #8326
  • Move ipa-epn systemd files and run RPM hooks commit #8367
  • Auto-generated ipa-epn files to gitignore commit
  • Overhaul bind upgrade process commit
  • More upgrade tests commit
  • Fix named.conf named_conf_include_re commit
  • Remove named_validate_dnssec update step commit
  • Fix named.conf update bug NAMED_DNSSEC_VALIDATION commit #8363
  • libotp: Replace NSS with OpenSSL HMAC commit #6857
  • Include named config files in backup commit
  • Handle DatabaseError in RPC-Server connect() commit #8352
  • Allow permissions with 'self' bindruletype commit #8348
  • make: serialize strip-po / strip-pot commit #8323
  • Remove obsolete BIND named.conf options commit #8349, #8350
  • Add ipa-print-pac to gitignore commit
  • Allow dnsrecord-add --force on clients commit #8317
  • Explain the effect of OPT_X_TLS_PROTOCOL_MIN commit
  • Check for freeipa-server-dns package early commit #7577
  • Hard-code in_tree=True for tests commit #8317
  • Fix detection logic for api.env.in_tree commit #8312
  • Make api.env.mode consistent commit #8313
  • Disable password schema update on LDAP bind commit #8315
  • Use httpd 2.4 syntax for access control commit
  • Let GH auto-notify and auto-close stale PRs commit
  • Fix make devcheck commit #8307
  • Simplify pki proxy conf commit
  • Make check_required_principal() case-insensitive commit #8308
  • Make ipaplatform a regular top-level package commit #6474, #8309
  • Reconfigure pycodestyle commit #8306
  • Manually reformat ipapython/version.py.in commit #8306
  • Silence W601 .has_key() is deprecated commit #8306
  • Fix E722 do not use bare 'except' commit #8306
  • Fix E721 do not compare types, use 'isinstance()' commit #8306
  • Fix E714 test for object identity should be 'is not' commit #8306
  • Fix E713 test for membership should be 'not in' commit #8306
  • Fix E712 comparison to True / False commit #8306
  • Fix E711 comparison to None commit #8306
  • Fix E266 too many leading '#' for block comment commit #8306
  • Address issues found by new pylint 2.5.0 commit #8297
  • Require Sphinx >2.1 commit
  • Fix /doc/workshop subtree merge commit
  • Create ipasphinx package for Sphinx plugins commit
  • Add skip_if_platform marker commit
  • Define default password policy for sysaccounts commit #8276
  • Use api.env.container_sysaccounts commit #8276
  • Fix exception escape warning commit
  • Fix APIVersion.__getnewargs__ commit
  • servrole: takes_params must be a tuple commit #8290
  • Improve Sphinx building and linting commit
  • Fix various OpenDNSSEC 2.1 issues commit #8283
  • Use /run and /run/lock instead of /var commit #8272
  • po: fix LINGUAS to use whitespace separation commit #8159
  • SELinux: apache_manage_pid_files for F30 commit #8241
  • Add pytest OpenSSH transport with password commit
  • Add explicit syntax language to code blocks commit
  • Use m2r instead of recommonmark commit
  • Include workshop in sphinx build commit
  • Fix codestyle commit
  • Test documentation builds in Azure commit
  • Include design documentation commit
  • Introduce FreeIPA commit
  • Bootstrap Sphinx documentation commit
  • Move freeipa-selinux dependency to freeipa-common commit #6891
  • Integrate ipa_custodia policy commit #6891
  • Allow hosts to read DNS records for IP SAN commit #8098
  • Cleanup SELinux policy commit #6891
  • Integrate SELinux policy into build system commit
  • dnsrecord: Treat empty list arguments correctly commit #8196
  • Remove dependency on custodia package commit
  • lite-setup: configure lite-server test env commit
  • Add tracemalloc support to profile memory usage commit
  • Make assert_error compatible with Python 3.6 commit #8179
  • Print LDAP diagnostic messages on error commit
  • Fix get_trusted_domain_object_from_sid() commit #7958
  • Check valid before/after of external certs commit #8142
  • Fix service ldap_disable() commit #8143
  • Require idstart to be larger than UID_MAX commit #8137
  • Fix lite-server to work with GSS_NAME commit
  • Fix logic of check_client_configuration commit #8133
  • Optimize user-add by caching ldap2.has_upg() commit #8134
  • Don't run test_smb in gating tests commit
  • Don't hard-code client's TLS versions and ciphers commit #8125
  • Update Apache HTTPd for RHBZ#1775146 commit #8125
  • Enable TLS 1.3 support on the server commit #8125
  • Skip paramiko tests in FIPS mode commit #8129
  • FIPS: server key has different name in FIPS mode commit
  • Remove FIPS noise from SSHd commit
  • Fix otptoken_sync plugin commit #7804
  • Add test case for OTP login commit #7804
  • Show group-add/remove-member-manager failures commit #8122
  • Test installation with (fake) userspace FIPS commit #8118
  • Use default ssh host key algorithms commit #8082
  • Add tests for member management commit
  • Add group membership management commit #8114
  • Skip commented lines after substitution commit #8111
  • Block camellia in krbenctypes update in FIPS commit #8111
  • Don't install a preexec_fn by default commit
  • Don't create log files from help scripts commit #8075
  • Add new env vars to pylint plugin commit #3999
  • Fix wrong use of identity operation commit #8057
  • Enable literal-comparison linter again commit #8057
  • Replace %{_libdir} macro in BuildRequires commit #8056
  • Fix ca_initialize_hsm_state commit #5608
  • Store HSM token and state commit #5608
  • Allow insecure binds for migration commit #8040
  • Don't move keys when key backup is disabled commit #7677
  • Update comments to explain caSubsystemCert switch commit
  • Test external CA with DNS name constraints commit
  • Add PKCS#11 module name to p11helper errors commit #8015
  • Use nis-domainname.service on all RH platforms commit #8004

Cédric Jeanneret (3)

  • Update selinux-policy minimal requirement commit
  • Prevents DNS Amplification Attack and allow to customize named commit #8079
  • Add new tip for dependencies commit

Changmin Teng (5)

  • Add design document commit #8001
  • Modify webUI to adhere to new IPA server API commit #8001
  • Implement user pre-authentication control with kdcpolicy plugin commit #8001
  • Extend the list of supported pre-auth mechanisms in IPA server API commit #8001
  • Add new authentication indicators in kdc.conf.template commit #8001

Daniel Lara Souza (1)

  • Translated using Weblate (Portuguese (Brazil)) commit

Dinesh Prasanth M K (1)

  • Adding auto COPR builds commit

Endi Sukma Dewata (1)

  • Removed hard-coded default profile subsystem class name commit

Emilio Herrera (1)

  • Translated using Weblate (Spanish) commit

François Cami (93)

  • ipatests: run freeipa-healthcheck on hidden replica commit #8536
  • ipatests: tasks: add user_del commit #8536
  • ipatests: kinit_as_user improvements commit #8510
  • ipatests: create_active_user improvements commit #8510
  • ipatests: add get_kdcinfo commit #8510
  • ipatests: add check_if_sssd_is_online commit #8510
  • SELinux: do not double-define node_t and pki_tomcat_cert_t commit #8513
  • SELinux Policy: Allow tomcat_t to read kerberos keytabs commit #8488
  • SELinux Policy: make interfaces for kernel modules non-optional commit #8488
  • SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type commit #8488
  • SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t commit #8488
  • SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t commit #8488
  • SELinux Policy: let custodia_t map custodia_tmp_t commit #8488
  • SELinux: Add dedicated policy for ipa-pki-retrieve-key commit #8488
  • ipatests: enhance TestSubCAkeyReplication commit #8488
  • dogtaginstance.py: add --debug to pkispawn commit #8503
  • ipatests: check that pkispawn log is not empty commit #8503
  • SELinux Policy: let custodia replicate keys commit #8488
  • ipatests: test_epn: update error messages commit #8449
  • IPA-EPN: enhance input validation commit #8444
  • IPA-EPN: Fix SMTP connection error handling commit #8445
  • ipatests: test_epn: add test_EPN_connection_refused commit #8445
  • IPA-EPN: fix configuration file typo commit
  • IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit
  • ipatests: test_epn: test_EPN_nbdays enhancements commit #8449
  • ipatests: tasks.py: fix ipa-epn invocation commit #8449
  • ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129
  • ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd commit #8129
  • ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129
  • ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129
  • ipatests: test_commands: test_ssh_from_controller: refactor commit #8129
  • ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129
  • ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129
  • tasks: add run_ssh_cmd commit #8129
  • ipatests: test_sss_ssh_authorizedkeys commit #8151
  • ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151
  • ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432
  • ipatests: xfail TestIpaClientAutomountFileRestore's final test commit #8189
  • ipatests: remove dnf workaround from test_epn.py commit #8391
  • ipatests: display SSSD kdcinfo in test_adtrust_install.py commit
  • ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374
  • ipatests: check that EPN's configuration file is installed. commit #8374
  • man pages: fix epn.conf.5 and ipa-epn.1 formatting commit
  • EPN: ship the configuration file. commit #8374
  • ipatests: increase test_caless_TestReplicaInstall timeout commit #8377
  • .mailmap: add fcami commit
  • IPA-EPN: Test suite. commit #3687
  • IPA-EPN: First version. commit #3687
  • ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py commit
  • tasks.py: add krb5_trace to create_active_user and kinit_as_user commit
  • tox.ini: switch from W503 to W504 commit
  • IPA-EPN: Add design draft commit #3687
  • doc/Makefile: use sphinx-build -W by default commit
  • Makefile.am: add doclint to fastcheck commit
  • ipatests: increase test_webui_server timeout commit #8266
  • ipatests: increase test_ipahealthcheck timeout commit #8262
  • ipatests: move ipa_backup to tasks commit #8217
  • pr-ci templates: update test_fips timeouts commit #8247
  • ipa-backup: Make sure all roles are installed on the current master. commit #8217
  • test_backup_and_restore: add server role verification steps commit #8217
  • ipatests: test ipa-backup with different role configurations. commit #8217
  • pr-ci templates: update test_fips timeouts commit #8247
  • ipatests: test_replica_promotion.py: test KRA on Hidden Replica commit #8240
  • 8-sudorule.rst: add sudo and su-l as services for bob's HBAC rule. commit
  • ipa-restore: restart services at the end commit #8226
  • ipatests: make sure ipa-client-automount reverts sssd.conf commit #8190
  • ipa-client-automount: call save_domain() for each change commit #8190
  • ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output commit #7938
  • ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output commit #7938
  • ipatests/test_nfs.py: wait before umount commit #8144
  • ipatests: fix pr-ci templates' indentation commit
  • adtrust.py: mention restarting sssd when adding trust agents commit #8148
  • DSU: add Design for Disable Stale Users commit #8104
  • ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore commit #8063
  • ipatests: temporarily remove test_smb from gating commit
  • ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf) commit
  • ipapython/ipachangeconf.py: change "is not 0" for "!= 0" commit #8057
  • authconfig.py: restore user-nsswitch.conf at uninstall time commit #8054
  • ipatests: remove xfail in TestIpaClientAutomountFileRestore commit
  • ipa-client-automount: always restore nsswitch.conf at uninstall time commit #8038
  • ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time commit
  • travis-ci: make dnf invocations more resilient commit #8048
  • azure-pipelines.yml: switch to Python 3.7 commit #8030
  • test_nfs.py: switch to master_3repl commit #8027
  • ipatests: rename config_replica_resolvconf_with_master_data() commit
  • test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data() commit #7949
  • prci_definitions: add master_3client topology commit #8026
  • ipapython/admintool.py: use SERVER_NOT_CONFIGURED commit
  • ipa-client-samba: remove state on uninstall commit #8021
  • ipatests: test ipa-client-samba after --uninstall commit
  • ipa-client-samba: remove and restore smb.conf only on first uninstall commit #8019
  • ipatests: test multiple invocations of ipa-client-samba --uninstall commit
  • ipatests/azure: display actual dnf repo URLs commit

Florence Blanc-Renaud (89)

  • ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating commit #8496
  • ipatests: ipa-acme-manage status returns 3 on a CA-less server commit #8572
  • ipatests: IPADNSSystemRecordsCheck also checks for AAAA records commit #8573
  • ipatests: curl outputs the cookie in stderr and not in sdtout commit #8559
  • ipatests: properly handle journalctl return code commit #8541
  • rpmspec: ensure ipa snippet for sshd is always included commit #8535
  • ipatests: add tests to 389ds regression commit
  • test_smb: skip test_smb_service_s4u2self for fed31 commit #8505
  • dnsforwardzone-add: support dnspython 2.0 commit #8481
  • ipatests: fix bind service name commit #8482
  • ipatests: add missing healthcheck test in PRCI nightlies commit
  • ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately commit #8472
  • ipatests: remove xfail from test_dnssec commit
  • ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447
  • ipatests: collect IPA_RENEWAL_LOCK file commit
  • ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck commit #8439
  • ipatests: check KDC cert permissions in CA less install commit #8440
  • CAless installation: set the perms on KDC cert file commit #8440
  • ipatests: increase test_trust timeout commit
  • ipatests: fix test_authselect commit #8189
  • ipatests: remove the xfail for test_nfs.py commit #8189
  • ipa-client-install: use the authselect backup during uninstall commit #8189
  • ipatests: Fix TestReplicaPromotionLevel1 commit #8414
  • ipatests: fix TestUnprivilegedUserPermissions commit #8413
  • sshd template must be part of client package commit #8400
  • Add test_dnssec to 389ds nightly tests commit
  • ipa cert-show: fix the code setting revocation reason commit #8394
  • Bump requires for selinux-policy commit
  • ipatests: fix the method adding ifp to sssd.conf commit #8371
  • Unify spelling of "One-Time Password" (take 2) commit #5628, #8381
  • client install: fix broken sshd config commit #8304
  • ipa-client-install: use sshd drop-in configuration commit #8304
  • ipatests: Update the pki-master-f32 image version commit
  • ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file commit #8366
  • ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive commit #8366
  • ipatests: fix the disable_dnssec_validation method commit #8364
  • ipatests: Check if user with 'User Administrator' role can delete group. commit #6884
  • ipa-advise: fallback to /usr/libexec/platform-python if python3 not found commit #8311
  • Man pages: fix syntax issues commit #8273
  • ipatests: wait for SSSD to become online in backup/restore tests commit #8228
  • xmlrpc tests: add a test for idview-apply on a master commit #5662
  • idviews: prevent applying to a master commit #5662
  • opendnssec2.1 support: move all ods tasks to specific file commit #8214
  • DnsSecMaster migration: move the call to zonelist export later commit #8214
  • Support OpenDNSSEC 2.1: new ods-signer protocol commit #8214
  • With opendnssec 2, read the zone list from file commit #8214
  • Remove the <Interval> from opendnssec conf commit #8214
  • Support opendnssec 2.1.6 commit #8214
  • selinux policy: add the right context for org.freeipa.server.trust-enable-agent commit #7600
  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
  • ipatests: add test for ipa-adtrust-install --add-agents commit #7600
  • ipa-adtrust-install: run remote configuration for new agents commit #7600
  • Privilege: add a helper checking if a principal has a given privilege commit #7600
  • ipatests: fix TestSubCAkeyReplication commit
  • Part2: Don't fully quality the FQDN in ssbrowser.html for Chrome commit #8201
  • ipatests: fix modify_sssd_conf() commit
  • ipatests: update packages for rawhide and updates-testing nightlies commit
  • ipatests: fix backup and restore commit #8170
  • AD user without override receive InternalServerError with API commit #8163
  • ipa-cacert-manage man page: fix indentation commit #8138
  • ipatests: fix TestMigrateDNSSECMaster teardown commit #7985
  • trust upgrade: ensure that host is member of adtrust agents commit
  • ipatests: fix test_crlgen_manage commit
  • ipatests: fix teardown commit
  • ipatests: generic uninstall should call ipa server-del commit #7985
  • Nightly definition: use right template for krbtpolicy commit #8001
  • test_ipalib: add test for DNParam class commit #8097
  • XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer commit #8097
  • DNParam: raise Exception when multiple values provided to a 1-val param commit #8097
  • smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
  • ipa-backup: fix python2 issue with os.mkdir commit #8099
  • ipa-server-certinstall manpage: add missing options commit #8086
  • ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
  • ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
  • ipa user_add: do not check group if UPG is disabled commit #4972
  • ipatests: fix fedora29 nightly definition commit
  • replica install: enforce --server arg commit #7566
  • ipatests: ensure that backup/restore restores pkcs 11 modules config file commit #8073
  • ipa-backup: backup the PKCS module config files setup by IPA commit #8073
  • ipatests: enable 389-ds audit log and collect audit file commit #8064
  • ipatests: add nightly definition for DS integration tests commit
  • config plugin: replace 'is 0' with '== 0' commit #8057
  • ipatests: fix wrong xfail in test_domain_resolution_order commit #8052
  • Nightly test definition: add missing tests commit
  • xmlrpc test: add test for preserved > stage user commit #7597
  • user-stage: transfer all attributes from preserved to stage user commit #7597
  • test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules commit #7902
  • Azure pipeline: report failure in prepare-build step commit #8022
  • upgrade: remove ipaCert and key from /etc/httpd/alias commit #7329

Francisco Trivino (2)

  • prci: bump template version and fix test_smb gating definition commit
  • prci: increase gating tasks priority commit

Fraser Tweedale (141)

  • mailmap: add ftweedal commit
  • dns: allow PTR records in arbitrary zones commit #5566
  • ipa_sam: do not modify static buffer holding fqdn commit #8501
  • spec: require pki-acme if pki-ca >= 10.10 commit
  • install: simplify host name verification commit
  • delete unused subroutine get_host_name() commit
  • certupdate: update config after deployment becomes CA-ful commit #7188
  • cainstance: extract function import_ra_key commit #7188
  • cainstance.update_ipa_conf: allow specifying ca_host commit #7188
  • acme: delete ACME RA account on server uninstall commit #4751
  • acme: enable mod_md tests on Fedora commit #4751
  • acme: add certbot dns-01 test commit #4751
  • acme: add certbot dns script commit #4751
  • acme: add revocation test commit #4751
  • acme: handle alternative schema ldif location commit #4751
  • acme: add mod_md integration test commit #4751
  • acme: add integration tests to gating commit #4751
  • acme: add integration test to nightly CI commit #4751
  • acme: add integration test commit #4751
  • acme: add ipa-acme-manage command commit #4751
  • acme: configure engine.conf and disable by default commit #4751
  • acme: configure ACME service on upgrade commit #4751
  • acme: add certificate profile commit #4751
  • acme: add Dogtag ACL to allow ACME agents to revoke certs commit #4751
  • acme: create ACME RA account commit #4751
  • dogtaginstance: add ensure_group method commit #4751
  • dogtaginstance: extract user creation to subroutine. commit #4751
  • acme: set up ACME service when configuring CA commit #4751
  • acme: ipa-pki-proxy: proxy /acme to Dogtag commit #4751
  • certupdate: only add LWCA tracking requests on CA servers commit #8399
  • tests: fix cleanup for CATracker commit #5011
  • ca plugin: improve doc commit #5011
  • ca-del: require CA to already be disabled commit #5011
  • cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf commit
  • ra.get_certificate: use REST API commit #3473, #5011
  • extract virtual operation access check subroutine commit #5011, #6423
  • Define errors_by_code in ipalib.errors commit #5011
  • fix iPAddress cert issuance for >1 host/service commit #8368
  • fix cert-find errors in CA-less deployment commit #8369
  • upgrade: avoid stopping certmonger when fixing requests commit #8186
  • httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure commit #8186
  • ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname commit #8186
  • upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate commit #8186
  • httpinstance: add ipa-ca.$DOMAIN alias in initial request commit #8186
  • cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers commit #8186
  • httpinstance: add fqdn and ipa-ca alias to Certmonger request commit #8186
  • certmonger: support dnsname as request search criterion commit #8186
  • certmonger: move 'criteria' description to module docstring commit #8186
  • certmonger: avoid mutable default argument commit #8186
  • add resources section commit
  • typospotting commit
  • suggest `ipa help topics` commit
  • lots of minor tweaks and updates commit
  • rename certificates module commit
  • Vagrantfile: set DNS configuration in network-scripts commit
  • add more prerequisites and fix some links commit
  • add inter-module links commit
  • split workshop into separate files commit
  • add sudorule and selinux units to TOC commit
  • add selinuxusermap unit commit
  • add sudorule unit commit
  • minor editoral improvements commit
  • Change workshop "Modules" to "Units" commit
  • prep: updates for f24, box version 0.0.7 commit
  • certs: request SAN DNS name commit
  • updates for FreeIPA 4.3 commit
  • typospotting commit
  • add facilitator notes; remove feedback link commit
  • building: note disk and memory requirements commit
  • bump libvirt vm mem to 1G; other fixes commit
  • update feedback url commit
  • update clone url commit
  • add internal links to modules commit
  • symlink README to workshop.rst commit
  • add replica installation module commit
  • update to f23 commit
  • add vagrant box building instructions commit
  • workshop: remove references to freeipa-workshop-vagrantfile repo commit
  • enable and start httpd on client commit
  • typospotting commit
  • initial commit commit
  • remove proposal commit
  • add copyright notice commit
  • freeipa-workshop: fix mod_authnz_pam link commit
  • merge (most of) zdover's edits commit
  • 20151029-osdc-freeipa-workshop: add app.py commit
  • osdc-freeipa-workshop: add certificate management module commit
  • osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details commit
  • osdc-freeipa-workshop: add debian/ubuntu prep instructions commit
  • osdc-freeipa-workshop: support vagrant-libvirt on Fedora commit
  • osdc-freeipa-workshop: presentation, minor curriculum edits commit
  • osdc-freeipa-workshop: typospotting commit
  • osdc-freeipa-workshop: remove definition list of VMs commit
  • osdc-freeipa-workshop: add missing dnf install vagrant commit
  • osdc-freeipa-workshop: clarify prep goals and VirtualBox version commit
  • osdc-freeipa-workshop: update troubleshooting doc commit
  • osdc-freeipa-workshop: incorporate wibrown\'s feedback commit
  • osdc-freeipa-workshop: update f22 installation steps commit
  • osdc-freeipa-workshop: add Windows prep details commit
  • osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview commit
  • osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes commit
  • osdc-freeipa-workshop: selinux and other minor fixes commit
  • osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections commit
  • osdc-freeipa-workshop: add mod_auth_gssapi section commit
  • sudo make me a sandwich commit
  • osdc-freeipa-workshop: add rpmfusion instructions commit
  • osdc-freeipa-workshop: external authnz module (WIP); minor fixes commit
  • osdc-freeipa-workshop: add initial workshop modules commit
  • fix osdc2015 and lca2016 dates commit
  • Do not renew externally-signed CA as self-signed commit #8176
  • ipatests: add test for certinstall with notBefore in the future commit #8142
  • Fix test regressions caused by certificate validation changes commit #8142
  • ipatests: assert_error: allow regexp match commit #8142
  • removed unused function export_pem_p12 commit
  • test_integration: add tests for custom CA subject DN commit #8084
  • upgrade: fix ipakra people entry 'description' attribute commit #8084
  • krainstance: set correct issuer DN in uid=ipakra entry commit #8084
  • Bump Dogtag min version to 10.7.3 commit #8020
  • ipa-pki-retrieve-key: request AES encryption (with fallback) commit #8020
  • NSSWrappedCertDB: accept optional symmetric algorithm commit #8020
  • IPASecStore: support extra key arguments commit #8020
  • dsinstance: add proflie when tracking certificate commit #7991
  • ipatests: test ipa-server-upgrade in CA-less deployment commit #7991
  • Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants commit #7991
  • cainstance: add profile to IPA RA tracking request commit #7991
  • upgrade: fix spurious certmonger re-tracking commit #7991
  • upgrade: log missing/misconfigured tracking requests commit #7991
  • upgrade: update KRA tracking requests commit #7991
  • upgrade: always add profile to tracking requests commit #7991
  • dogtaginstance: avoid special cases for Server-Cert commit #7991
  • dogtag-ipa-ca-renew-agent: always use profile-based renewal commit #7991
  • certmonger: use long options when invoking dogtag-ipa-renew-agent commit #7991
  • upgrade: add profile to Dogtag tracking requests commit #7991
  • dogtaginstance: add profile to tracking requests commit #7991
  • ci: add --external-ca-profile tests to gating commit #7548
  • ci: add --external-ca-profile tests to nightly commit #7548
  • Collapse --external-ca-profile tests into single class commit #7548
  • Add more tests for --external-ca-profile handling commit #7548
  • Fix use of incorrect variable commit #5608, #7548
  • install: fix --external-ca-profile option commit #5608, #7548
  • move MSCSTemplate classes to ipalib commit #7548

Gaurav Talreja (3)

  • Normalize title of test external_ca in prci-definition commit
  • Normalize test definations titles commit
  • prci: bump template version for nightly_rawhide commit

Isaac Boukris (2)

  • Fix legacy S4U2Proxy in DAL v8 support commit
  • Fix DAL v8 support commit

Jeremy Frasier (2)

  • replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas commit #8403
  • replica: Ensure the ipaapi user is allowed to access ifp on replicas commit #8403

Jayesh Garg (4)

  • Nightly definations commit commit
  • Test for ipa-ca-install on replica commit
  • Test ipa-getkeytab quiet mode, encryptons commit
  • Test if ipactl starts services stopped by systemctl commit

Julian Gethmann (1)

  • Fix typo in idrange.py docstring commit

Kaleemullah Siddiqui (4)

  • Tests for fake_mname parameter setup commit
  • Test for check of HostKeyAlgorithms option in ssh_config commit #8082
  • Fix for regression from PR#3962 commit
  • Tests for backup-restore when pkg required is missing commit #7630

Christian Hermann (1)

  • configure.ac: don't rely on bashisms commit

Miro Hrončok (1)

MIZUTA Takeshi (1)

  • Add config that maintains existing content to ipa-client-install manpage commit

Michal Polovka (7)

  • ipatests: test_epn: test_EPN_config_file: Package name fix commit
  • ipatests: test_epn: Fix package installation commit
  • Test for healthcheck being run on replica with stopped master commit
  • Test for output being indented by default value if not stated implicitly. commit
  • ipatests: add tests for ipa host-add with non-default maxhostnamelength commit #2018
  • ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions commit #6843, #8055
  • ipatests: Test for ipa-backup with ipa not configured commit #6843

Mark Reynolds (4)

  • Reorder creation of the CA mapping tree and database backend commit #8558
  • Increase replication changelog trimming to 30 days commit #8464
  • Issue 8456 - Add new aci's for the new replication changelog entries commit #8456
  • Issue 8407 - Support changelog integration into main database commit #8407

Mohammad Rizwan (28)

  • Move acme client installation part to classmethod commit
  • PEP8 fixes for test_acme.py commit
  • External-CA scenarios for ACME service commit #4751
  • ipatests: Check if ACME is enabled on all CA servers commit #8524
  • PEP8 fixes commit
  • ipatests: add --skip-overlap-check option to prepare_reverse_zone() commit
  • ipatests: Add PTR record for IP SAN commit
  • ipatests: Test certmonger rekey command works fine commit
  • Xfail test for sssd < 2.3.0 commit
  • ipatests: Test ipa user login with wrong password commit
  • WebUI tests: fix PEP8 issues in test_webui/test_user.py commit
  • webui: check if notification area doesn't intercept menu button commit #8120
  • ipatests: Test deletion of required principal throws proper error commit #7695
  • Display principal name while del required principal commit #7695
  • ipatests: Test to check password leak in apache error log commit #8017
  • ipatests:Test if proper error thrown when AD user tries to run IPA commands commit #8163
  • ipatests: Skip test using paramiko when FIPS is enabled commit
  • Test if schema-compat-entry-attribute is set commit #8193
  • Test if schema-compat-entry-attribute is set commit #8193
  • Test if getcert creates cacert file with -F option commit #8105
  • Move wait_for_request() method to tasks.py commit
  • Test if server installer lock Bind9 recursion commit #8079
  • Add certmonger wait_for_request that uses run_command commit
  • Test if certmonger reads the token in HSM commit
  • Test AES SHA 256 and 384 Kerberos enctypes enabled commit #8110
  • Add test to nightly yamls commit
  • Installation of replica against a specific server commit #7566
  • Check file ownership and permission for dirsrv log instance commit #7725

ndehadra (1)

  • Hidden Replica: Add a test for Automatic CRL configuration commit #7307

Weblate (4)

  • Update translation files commit
  • Update translation files commit
  • Update translation files commit
  • Update translation files commit

Oğuz Ersen (2)

  • Translated using Weblate (Turkish) commit
  • Translated using Weblate (Turkish) commit

Spencer E. Olson (1)

  • Fixes debian path for IPA_CUSTODIA_HANDLER commit

Piotr Drąg (1)

  • Translated using Weblate (Polish) commit

Petr Voborník (2)

  • baseuser: fix ipanthomedirectorydrive option name commit
  • webui: hide user attributes for SMB services section if empty commit #8336

Rafael Fontenelle (1)

  • Translated using Weblate (Portuguese (Brazil)) commit

Rob Crittenden (116)

  • ipatests: Test that password reset unlocks users too commit #8551
  • On password reset also set krbLastAdminUnlock to unlock account commit #8551
  • Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test commit #2445, #298, #5948, #6964
  • Catch EmptyResult exception in update_idranges commit #8555
  • Test that ipapwpolicy objectclass is added on upgrade commit #8555
  • Add ipwpwdpolicy objectclass to all policies on upgrade commit #8555
  • ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled commit #8498
  • Change the return codes of ipa-acme-manage commit #8498
  • Require an ipa-ca SAN on 3rd party certs if ACME is enabled commit #8498
  • ipatests: Collect the let's encrypt log commit #8524
  • Add a status option to ipa-acme-manage commit #8524
  • Don't install ACME if full support is not available commit #8524
  • Centralize enable/disable of the ACME service commit #8524
  • Let dogtag.py be imported if the api is not initialized commit #8524
  • Enable importing LDIF files not shipped by IPA commit #8524
  • Use a state to determine if a 389-ds upgrade is in progress commit #7534
  • ipatests: Add test_pwpolicy to nightly runs commit #2445, #298, #5948, #6964
  • Requirements and design for libpwquality integration commit #2445, #298, #5948, #6964
  • Add SELinux policy so kadmind can read the crackdb dictionary commit #2445, #298, #5948, #6964
  • ipatests: add test for password policies commit #2445, #298, #5948, #6964
  • Add a raiseonerr option to ldappasswd_user_change commit #2445, #298, #5948, #6964
  • Pass the user to the password policy check in the kdb driver commit #2445, #298, #5948, #6964
  • Add a unit test for libpwquality-based password policy commit #2445, #298, #5948, #6964
  • Extend password policy to evaluate passwords using libpwpolicy commit #2445, #298, #5948, #6964
  • Require libpwolicy and configure it in the build system commit #2445, #298, #5948, #6964
  • Add new pwpolicy objectclass to test_xmprpc/objectclasses.py commit #2445, #298, #5948, #6964
  • Extend IPA pwquality plugin to include libpwquality support commit #2445, #298, #5948, #6964
  • Add LDAP schema for new libpwquality attributes commit #2445, #298, #5948, #6964
  • Don't restart certmonger after stopping tracking in uninstall commit #8533
  • Reduce the memory requirement from 1.6 to 1.2 GB commit #8404
  • Test that ccaches are cleaned up during installation commit #8248
  • Clean up entire /run/ipa/ccaches directory not just files commit #8248
  • Require a matching server package for the selinux subpackage commit #8511
  • Add index for more trust-related attributes commit #8491
  • ipatests: Add tests for checking available memory commit #8404
  • Require at least 1.6Gb of available RAM to install the server commit #8404
  • ipatests: Add test for ACI attribute and permission uniqueness commit #8443
  • Use ACI class set_permissions() method to set permissions commit #8443
  • De-duplicate ACI attributes and permissions commit #8443
  • ipatests: test that a zone name and name-from-ip will be rejected commit #8446
  • Don't allow both a zone name and --name-from-ip to be provided commit #8446
  • Set the certmonger subject with a string, not an object commit #8204
  • ipatests: test ipa_server_certinstall with an IPA-issued cert commit #8204
  • cli: When parsing options require name/value pairs commit #6115
  • ipatests: Add option/arg parsing tests for the cli commit #6115
  • ipatests: stop the CA during healthcheck expiration test commit #8463
  • Improve performance of ipa-server-guard commit #8425
  • ipatests: Add test for is_ipa_configured commit #8458
  • Use is_ipa_configured from ipalib.facts commit #8458
  • Fall back to old server installation detection when needed commit #8458
  • IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit
  • Added negative test case for --list-sources option commit
  • ipatests: CLI validation of ipa-healthcheck command commit
  • IPA-EPN: Test that users without givenname and/or mail are handled commit
  • Address legacy pylint issues in sysrestore.py commit #8384
  • Update check_client_configuration to use new client fact commit #8384
  • Don't use the has_files() to know if client/server is configured commit #8384
  • Create a common place to retrieve facts about an IPA installation commit #8384
  • Simplify determining if IPA client configuration is complete commit #8384
  • Simplify determining if an IPA server installation is complete commit #8384
  • ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441
  • Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441
  • ipatests: Test healthcheck revocation checker commit
  • ipatests: Use healthcheck namespacing in stopped server test commit
  • ipatests: lib389 is now providing healthchecks, update naming commit
  • ipatests: verify that all services can be detected by healthcheck commit
  • ipatests: Add healthcheck test for FileSystemSpaceCheck commit
  • ipatests: Test that healthcheck detects and reports expiration commit
  • ipatests: Test cases for healthcheck File checker(s) commit
  • Replace SSLCertVerificationError with CertificateError for py36 commit
  • Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429
  • Don't delegate the TGT in ipa-join commit #8405
  • IPA-EPN: Don't treat givenname differently commit #3687
  • IPA-EPN: add test to validate smtp_delay value commit #3687
  • IPA-EPN: add smtp_delay to limit the velocity of e-mails sent commit #3687
  • IPA-EPN: Add tests for --mail-test option commit #3687
  • IPA-EPN: Add mail-test option for testing sending live email commit #3687
  • IPA-EPN: test using SSL against port 465 commit #3687
  • IPA-EPN: Add test for starttls mode commit #3687
  • IPA-EPN: Add tests for sending real mail with auth and templates commit #3687
  • IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions commit #3687
  • Add index for krbPasswordExpiration for EPN commit #3687
  • Add a jinja2 e-mail template for EPN commit #3687
  • Perform baseline healthcheck commit
  • Test that pwpolicy only applied on Kerberos entries commit
  • Add ability to change a user password as the Directory Manager commit
  • Don't save password history on non-Kerberos accounts commit
  • Test that ipa-healthcheck human output translates error strings commit
  • Move execution of ipa-healthcheck to a separate function commit
  • Fix div-by-zero when svc weight is 0 for all masters in location commit #8135
  • Don't fully quality the FQDN in ssbrowser.html for Chrome commit #8201
  • Add tests for ipa-cacert-manage delete command commit #8124
  • ipa-certupdate removes all CA certs from db before adding new ones commit #8124
  • Add delete option to ipa-cacert-manage to remove CA certificates commit #8124
  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
  • CVE-2019-10195: Don't log passwords embedded in commands in calls using batch commit
  • Add integration test for Kerberos ticket policy commit #8001
  • Conditionally restart certmonger after client installation commit #8105
  • Add conditional restart (try-restart) capability to services commit #8105
  • Enable AES SHA 256 and 384-bit enctypes in Kerberos commit #8110
  • Disable dogtag cert publishing commit #7522
  • ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
  • Report if a certmonger CA is missing commit #7870
  • Re-order tasks.restore_pkcs11_modules() to run earlier commit #8034
  • Don't log host passwords when they are set/modified commit #8017
  • Skip lock and fork in ipa-server-guard on unsupported ops commit
  • Defer initializing the API in dogtag-ipa-ca-renew-agent-submit commit
  • Add missing timeout option to logging statement commit
  • Log dogtag auth timeout in install, provide hint to increase it commit #7971
  • Log the replication wait timeout for debugging purposes commit #7971
  • Replace replication_wait_timeout with certmonger_wait_timeout commit #7971
  • Use tasks to configure automount nsswitch settings commit
  • Move ipachangeconf from ipaclient.install to ipapython commit
  • Don't return SSH keys with ipa host-find --pkey-only commit #8029
  • httpinstance: add pinfile when tracking certificate commit #7991
  • Remove posixAccount from service_find search filter commit #8013

Robbie Harwood (16)

  • Drop upper bound on krb5 version in freeipa.spec commit
  • ipa-kdb: implement AS-REQ lifetime jitter commit #8010
  • Update kdcpolicy design doc for jitter implementation commit
  • Drop support for DAL version 5.0 commit
  • Support DAL version 8.0 commit
  • Handle the removal of KRB5_KDB_FLAG_ALIAS_OK commit
  • Fix several leaks in ipadb_find_principal commit
  • Use separate variable for client fetch in kdcpolicy commit
  • Make the coding style explicit commit
  • Provide modern example enctypes in ipa-getkeytab(1) commit
  • Fix segfault in ipadb_parse_ldap_entry() commit
  • Add a skeleton kdcpolicy plugin commit
  • Move certauth configuration into a server krb5.conf template commit
  • Enable krb5 snippet updates on client update commit
  • Fix NULL pointer dereference in maybe_require_preauth() commit
  • Log INFO message when LDAP connection fails on startup commit

Rafael Guterres Jeffman (1)

  • Fixes pylint errors introduced by version 2.4.0. commit

Rafael Guterres Jeffman (6)

  • Removed unnecessary imports after code review. commit
  • Removes several pylint warnings. commit
  • Removed unnecessary imports after code review. commit
  • Removes several pylint warnings. commit
  • Removes rpmlint warning on freeipa.spec. commit
  • Re-add function façades removed by commit 2da9088. commit #8062

Robert Collins (1)

Sam Bristow (1)

  • Workaround networking issues with Libvirt commit

Sam Morris (1)

  • Debian: write out only one CA certificate per file commit #8106

Sumit Bose (2)

  • ipa-kdb: Remove keys if password auth is disabled commit #8001
  • extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT commit #8044

Sergio Oliveira Campos (1)

  • Add test for sssd ad trust lookup with dn in certmaprule commit

Stanislav Levin (91)

  • ipatests: Collect EPN log for debugging commit
  • EPN: Allow authentication by SMTP client's certificate commit #8580
  • EPN: Enable certificate validation and hostname checking commit #8579
  • test_epn: Standardize EPN configs for deduplication commit
  • EPN: Don't downgrade security commit #8578
  • ipatests: Respect platform's openssl dir commit
  • dns: Make use of `resolve_address` of a current resolver instead of the global one commit
  • dnspython: Add compatibility shim commit #8383
  • tox: Don't expand symlinks commit #8475
  • Azure: Increase verbosity for Tox task commit
  • deps: Require `nss-tools` for make's fasttest target commit
  • nss: Raise exception earlier on unsupported DB type commit #8474
  • Azure: base: Collect both install and uninstall logs commit
  • Azure: Drop dependency on UsePythonVersion task commit
  • Azure: Add Rawhide definitions commit
  • ipa-dnskeysyncd: Raise loglevel to DEBUG commit #8094
  • named: Include crypto policy in openssl config commit #8094
  • named: Don't override custom command line options for named commit #8094
  • service: Allow service to clean up its state commit #8094
  • spec: Bump required openssl-pkcs11 and softhsm commit #8094
  • named: Make use of 'pkcs11' OpenSSL engine for BIND on Fedora31 commit #8094
  • upgrade: Handle migration of BIND OpenSSL engine commit #8094
  • DNSKeySyncInstance: Populate named/ods uid/gid on instantiation commit #8094
  • named: Allow using of a custom OpenSSL engine for BIND commit #8094
  • named: Remove no longer used paths commit #8094
  • spec: Require ldns-utils commit #8094
  • pylint: Ignore `raise-missing-from` commit #8468
  • pylint: Ignore `super-with-arguments` commit #8468
  • pylint: Fix warning W0612(unused-variable) commit #8468
  • pylint: Teach pylint about more RRs types commit #8468
  • spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit
  • uninstall: Clean up no longer used flag commit #8461
  • uninstall: Don't fail on missing /var/lib/samba commit #8461
  • rpm-spec: Don't fail on missing /etc/ssh/ssh_config commit #8459
  • ipatests: Skip keyring tests on containerized platforms commit
  • Azure: Switch to dockerhub provider commit
  • ipatests: Add compatibility against python-cryptography 3.0 commit #8428
  • pylint: Fix warning and error commit #8442
  • ipatests: Don't turn Pytest IPA deprecation warnings into errors commit #8435
  • Azure: Make dnf repos consistent commit #8330
  • Azure: Always update apt cache commit
  • Azure: Allow chronyd to sync time commit #8316
  • Azure: Add custom seccomp profile commit #8316
  • Azure: Increase memory limit commit #8264
  • ipatests: Collect all logs on all Unix hosts commit #8265
  • ipatests: Pretty print multihost config commit #8265
  • ipatests: Cleanup 'collect_logs' decorator commit #8265
  • ipatests: Specify shell implementation commit #8101
  • ipatests: Specify Pytest XML report schema commit #8101
  • ipatests: Remove no longer needed 'skip' compatibility commit #8101
  • ipatests: Remove no longer needed 'capture' compatibility commit #8101
  • ipatests: Remove no longer needed 'get_marker' commit #8101
  • ipatests: Remove deprecated yield_fixture commit #8101
  • ipatests: Bump required Pytest commit #8101
  • ipatests: Mark firewalld commands as no-op on non-firewalld distros commit #8261
  • Azure: Gather coredumps commit #8251
  • Azure: Allow distros to install Python they want commit #8254
  • pki-proxy: Don't rely on running apache until it's configured commit #8233
  • spec: Take the ownership over '/usr/libexec/ipa/custodia' commit
  • Azure: Report elapsed time commit
  • Azure: Rebalance tests commit
  • Azure: Skip tests requiring external DNS commit
  • Azure: Free Docker resources after usage commit
  • Azure: Preliminary check for provided limits commit
  • Azure: Sync Gating definitions to current PR-CI commit
  • pylint: Run Pylint over Azure Python scripts commit #8202
  • Azure: Add support for testing multi IPA environments commit #8202
  • Azure: Don't collect twice systemd_journal.log commit #8202
  • yamllint: Lint all the YAML files commit #8202
  • Azure: Make it possible to configure distro-specific stuff commit #8202
  • Azure: Allow to run integration tests commit #8202
  • Azure: Allow SSH for Docker environments commit #8202
  • Azure: Allow to not provide tests to be ignored commit #8202
  • ipatests: Allow zero-length arguments commit #8173
  • lint: Make Pylint-2.4 happy again commit #8116
  • pylint: Clean up comment commit #8116
  • pylint: Synchronize pylint plugin to ipatests code commit #8116
  • pylint: Teach Pylint how to handle request.context commit #8116
  • ipatests: Properly kill gpg-agent commit #7989
  • pytest: Warn about unittest/nose/xunit tests commit #7989
  • pytest: Migrate unittest/nose to Pytest fixtures commit #7989
  • pytest: Migrate xunit-style setups to Pytest fixtures commit #7989
  • Fix errors found by Pylint-2.4.3 commit #8102
  • Install language packs for tests commit
  • Restore running of 'test_ipaserver' tests on Azure commit
  • Setup DNS for AP Docker container commit #8077
  • Fixed errors newly exposed by pylint 2.4.0 commit #8077
  • Avoid use of '/tmp' for pip operations commit #8009
  • Make use of Azure Pipeline slicing commit #8008
  • Simplify ipa-run-tests script commit #8007
  • Fix `test_webui.test_selinuxusermap` commit #7996, #8005

Sergey Orlov (45)

  • ipatests: simplify fixture commit
  • ipatests: refactor test for login using cifs alias principal commit
  • Fix password file permission commit
  • ipatests: mark test_trustdomain_disable test as expectedly failing commit
  • ipatests: add context manager for declaring part of test as xfail commit
  • ipatests: add utility for getting sssd version on remote host commit
  • update prci definitions for test_sssd.py commit
  • ipatests: add test for sssd behavior with disabled trustdomains commit
  • ipatests: add missing classes from test_nfs in nightly_previous run commit
  • ipatests: add missing classes from test_installation in nightly runs commit
  • ipatests: run test_integration/test_cert.py in PR-CI commit
  • ipatests: run all cases from test_integration/test_idviews.py in nightlies commit
  • ipatests: explicitly save output of certutil commit
  • ipatests: add AD DC as a DNS forwarder before establishing trust commit
  • ipatests: add test_automember to "previous" nightly run commit
  • ipatests: add test_fips to testing-fedora nightly run commit
  • ipatests: provide AD admin password when trying to establish trust commit #7895
  • ipatests: remove test_ordering commit
  • ipatests: add test for SSSD updating expired cache items commit
  • ipatests: provide docstrings instead of imporperly placed comments commit
  • ipatests: remove invalid parameter from sssd.conf commit #8219
  • ipatests: use remote_sssd_config to modify sssd.conf commit #8219
  • ipatests: replace utility for editing sssd.conf commit #8219
  • ipatests: update docstring to reflect changes in FileBackup.restore() commit
  • ipatests: add test_trust suite to nightly runs commit
  • ipatests: add check for output contents of ipa-client-samba commit #8149
  • ipatests: add test_winsyncmigrate suite to nightly runs commit
  • ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
  • ipatests: enable test_smb.py in gating.yaml commit
  • ipatests: replace ad hoc backup with FileBackup helper commit #8115
  • ipatests: refactor FileBackup helper commit #8115
  • ipatests: in DNS zone file add A record for name server commit
  • ipatests: strip newline character when getting name of temp file commit
  • ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
  • ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit
  • ipatests: add tests for cached_auth_timeout in sssd.conf commit
  • ipatests: refactoring: use library function to check if selinux is enabled commit
  • ipatests: add new utilities for file management commit
  • ipatests: refactor and extend tests for IPA-Samba integration commit #3999
  • ipatests: modify run_command to allow specify successful return codes commit
  • ipatests: add utility functions related to using and managing user accounts commit
  • ipatests: allow to pass additional options for clients installation commit
  • ipatests: new test for trust with partially unreachable AD topology commit
  • ipatests: mark test_domain_resolution_order as expectedly failing commit
  • ipatests: add test for sudo with runAsUser and domain resolution order. commit

Sumedh Sidhaye (6)

  • test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run commit
  • Test for removing a subgroup commit
  • Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state commit #8164
  • Added a test to check if ipa host-find --pkey-only does not return SSH public key commit #8029
  • Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf commit
  • Test: To check ipa replica-manage del <FQDN> does not fail commit #7929

Simo Sorce (1)

  • Make sure to have storage space for tag commit

Stasiek Michalski (1)

  • Support for SUSE/openSUSE ipaplatform commit

Serhii Tsymbaliuk (28)

  • WebUI tests: Add simple test to check topology graph page is available commit #8523
  • WebUI: Fix topology graph navigation crash commit #8523
  • WebUI: Fix jQuery DOM manipulation issues commit #8507
  • WebUI tests: Add test case to cover user ID override feature commit #8416
  • WebUI: Fix error "unknown command 'idoverrideuser_add_member'" commit #8416
  • WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137
  • WebUI: Fix issue with opening links in new tab/window commit #7137
  • WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association commit #8335
  • WebUI: Apply jQuery patch to fix htmlPrefilter issue commit #8325
  • WebUI tests: Test all available fields on "Kerberos Ticket Policy" page commit #8207
  • WebUI: Add authentication indicator specific fields to "Kerberos Ticket Policy" page commit #8207
  • WebUI tests: Add confirmation step after changing default group in automember tests commit #8322
  • WebUI: Add confirmation dialog for changing default user/host group commit #8322
  • WebUI tests: cover membership management with UI tests commit #8298
  • Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1 commit #8284
  • Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2 commit #8222
  • Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239
  • WebUI tests: Fix broken reference to parent facet in table record check commit #8157
  • WebUI tests: Fix 'Button is not displayed' exception commit #8169
  • WebUI: Fix notification area layout commit #8120
  • WebUI: Fix adding member manager for groups and host groups commit #8123
  • WebUI: Fix new test initialization on "HBAC Test" page commit #8031
  • WebUI: Fix changing category on HBAC/Sudo/etc Rule pages commit #7961
  • WebUI: Make 'Unlock' option is available only on locked user page commit #5062
  • WebUI tests: Fix login screen loading issue commit #8053
  • WebUI tests: Fix request timeout for test_trust commit #8024
  • WebUI: Add PKINIT status field to 'Configuration' page commit #7305
  • WebUI tests: Fix timeout issues for reset password tests commit #8012

Sudhir Menon (32)

  • Added nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table commit
  • ipatests: ipa-healthcheck tests for DS checks commit
  • ipatests: Fix for test_ipahealthcheck_ds_riplugincheck commit #8563
  • ipatests: Fix for test_ipahealthcheck_ds_encryption commit #8560
  • ipatests: ipa-healthcheck test for DS RIPluginCheck commit
  • ipatests: ipa-healthcheck test for EncryptionCheck commit
  • ipatests: ipa-healthcheck test for DS BackendsCheck commit
  • ipatests: ipa-healthcheck fixes for tests running on RHEL commit
  • ipatests: ipa-healthcheck test fixes running on RHEL commit
  • ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust commit
  • Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests commit
  • ipatests: Tests for ipahealthcheck tool with IPA external commit
  • ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit
  • ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit
  • ipatests: Test for ipa-nis-manage CLI tool. commit
  • ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit
  • ipatests: Tests to check profile is displayed for getcert request. commit
  • Modified YAML to include healthcheck AD tests commit
  • ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit
  • ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files commit
  • ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck commit
  • ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck commit
  • ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 commit #8066
  • ipatests: Test for ipahealthcheck tool for IPADomainCheck. commit
  • ipatests: Test for ipahealthcheck.ds.ruv check commit
  • Test for ipahealthcheck.ipa.idns check when integrated DNS is setup commit
  • ipatests: Added testcase to check logrotate is added for healthcheck tool commit
  • ipatests: check that ipa-healthcheck warns if no dna range is set commit
  • Adding back temp config definition removed commit
  • Nightly definition for ipa-healthcheck tool commit
  • Tier-1 test for ipa-healthcheck tool commit
  • Added testcase to check capitalization fix while running ipa user-mod commit #5879

Tibor Dudlák (5)

  • Add container environment check to replicainstall commit #6210
  • Increase ntp_options test timeout commit
  • ipatests: refactor TestNTPoptions commit
  • ipatests: Add tests for interactive chronyd config commit #7908
  • ipatests: Update test tasks for client to be interactive commit #7908

Tomas Halman (4)

  • extdom: add extdom protocol documentation commit
  • extdom: use sss_nss_*_timeout calls commit
  • extdom: plugin doesn't use timeout in blocking call commit
  • extdom: plugin doesn't allow @ in group name commit

Timo Aaltonen (6)

  • ipatests/test_installation: Use knownservices to map the service name. commit
  • ipatests/test_commands: Check sssd version like on test_sssd commit
  • Debian: Use parse_ipa_version from redhat. commit
  • Debian: Use enable/disable_ldap_automount() from base commit
  • Debian: Fix font-awesome path. commit
  • install: Add missing scripts to app_DATA. commit

Thorsten Scherf (5)

  • Corrected some typos and added improvements to some setup instructions commit
  • Module added about ssh pubkey management commit
  • Added bash-completion rpm to build instructions. commit
  • Added --mkhomedir option for server and replica. commit
  • Added vagrant-libvirt-doc rpm and polkit rule commit

Theodor van Nahl (1)

  • Fix UnboundLocalError in ipa-replica-manage on errors commit

Thomas Woerner (4)

  • ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels commit
  • DNS install check: Fix overlapping DNS zone from the master itself commit #8150
  • Enable TestInstallMasterDNSRepeatedly in prci_definitions commit
  • Test repeated installation of the primary with DNS enabled and domain set commit

Viktor Ashirov (1)

Vit Mojzis (4)

  • selinux: disable ipa_custodia when installing custom policy commit #6891
  • selinux: Remove obsolete memcached access commit
  • selinux: move BUILD_SELINUX_POLICY definition commit
  • Add freeipa-selinux subpackage commit

Yuri Chornoivan (2)

  • Translated using Weblate (Ukrainian) commit
  • Translated using Weblate (Ukrainian) commit

zdover (5)

  • 100 percent complete edit commit
  • sixty percent edited commit
  • thirty percent edited commit
  • first tranche of edits commit
  • making a list's items agree with one another commit

Zdenek Pytela (2)

  • Add ipa_pki_retrieve_key_exec() interface commit #8488
  • Allow ipa-adtrust-install restart sssd and dirsrv services commit