IPAv2 210

Release date: August 17, 2011

The FreeIPA project team is pleased to announce the availability of the FreeIPA 2.1.0 server.

It is available in Fedora 15.

Known Issues

  • By default, the OCSP URL encoded in dogtag certificates points to the CA machine that issued the certificate.

Changelog since 2.0.1

Adam Young (62):

  • Fixed labels for sudo and hbac rules
  • update metadata with label changes
  • define entities using builder and more declarative syntax
  • default all false no longer default to all: true for searches, only specify it for user searches
  • code review fixes
  • make use of new user-find columns.
  • fix JSL error
  • Upgrade to jquery 1.5.2
  • action panel to top tabs
  • remove jquery-cookie library
  • update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call
  • whitespace and -x removal
  • create entities on demand. fixed changes from code review
  • automount UI
  • redirect on show error.
  • redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.
  • automount delete key indirect automount maps
  • scrollable content areas
  • dialog scrolling table
  • JSON marshalling list
  • dns multiple records show multiple records that share the same dnsname
  • no redirect on search
  • test for dirty
  • test dirty textarea runs the testdirty check before setting the undo tag for a textarea
  • test dirty multivalue test the multivalue widgets for changes before showing the undo link.
  • test dirty onchange
  • entity select widget for manager
  • hide automount tabs.
  • service host entity select Use the entity select widget for add service
  • entity select undo
  • no redirect on unknown error If the error name indicates a server wide error, do not attempt to redirect.
  • editable entity_select
  • ipaddress for host add
  • entity select for password policy
  • tooltips for host add
  • automountkey details
  • identify target as section for permissions
  • optional uid
  • validate required fields
  • Generate record type list from metadata
  • shorten url cache state in a javascript variable, and leave on information about the current entity in the URL hash params
  • containing entity pkeys
  • undefined pkeys
  • config fields
  • ipadefaultemaildomain
  • config widgets entity select default group checkbox for migration
  • entity link for password policy
  • validate ints
  • password expiration label
  • HBAC deny warning
  • check required on add
  • clear errors on reset
  • indirect admins
  • entity_select naming
  • remove HBAC warning from static UI
  • dnsrecord-mod ui
  • no dns
  • remove hardcoded DNS label for record name.
  • move dns to identity tab
  • removing setters setup and init
  • dns section header i18n.
  • use other_entity for adder columns

Alexander Bokovoy (10):

  • Convert Bool to TRUE/FALSE when working with LDAP backend
  • Minor typos in the examples
  • Convert nsaccountlock to always work as bool towards Python code
  • Rearrange logging for NSCD daemon.
  • Fix sssd.conf to always have IPA certificate for the domain.
  • Add hbactest command.
  • Modify /etc/sysconfig/network on a client when IPA manages hostname
  • Make proper LDAP configuration reporting for ipa-client-install
  • Ensure network configuration file has proper permissions
  • Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):

  • Fixed undefined label in permission adder dialog box.
  • Initial Selenium test cases.
  • Added functional test runner.
  • Refactored action panel and client area.
  • Refactored builder interface.
  • Refactored search facet.
  • Entitlements.
  • Updated Selenium tests.
  • Merged IPA.cmd() into IPA.command().
  • Entitlement registration.
  • Entitlement import.
  • Entitlement download.
  • Moved adder dialog box into entity.
  • Standardized action panel buttons creation.
  • Entitlement quantity validation.
  • Refactored navigation.
  • Use entity names for tab state.
  • Moved entity contents outside navigation.
  • Added facet container.
  • Fixed self-service UI.
  • Updated Selenium tests.
  • Updated Selenium tests.
  • Updated DNS interface.
  • Added Selenium tests for DNS.
  • Added UUID field for entitlement registration.
  • Added Self-Service and Delegation tests.
  • Customizable facet groups.
  • Read-only association facet.
  • jQuery ordered map.
  • Fixed problem disabling HBAC and SUDO rules.
  • Fixed Ajax error handling.
  • Fixed details tests.
  • Fixed adder dialog title.
  • Fixed Add and Edit without primary key.
  • Fixed Selenium tests.
  • Fixed URL parameter parsing.
  • Added Update and Reset buttons into Dirty dialog.
  • Fixed problem deleting value in text field.
  • Added pagination for associations.
  • Fixed pagination problem.
  • Temporary fix for indirect member tabs.
  • Fixed blank dialog box on internal error.
  • Fixed resizing issues.
  • Added selectable option for table widget.
  • Entitlement status.
  • Fixed tab navigation.
  • Fixed build break.
  • Fixed paging for indirect members.
  • Renamed associate.js to association.js.
  • Fixed self-service links.
  • Merged direct and indirect association facets
  • Storing page number in URL.
  • Removed FreeWay font files.
  • Fixed problem with navigation tabs on reload.
  • Converted entity header into facet header.
  • Added navigation breadcrumb.
  • Added record count into association facet tabs.
  • Added singular entity labels.
  • Fixed entity labels.
  • Fixed DNS records page title.
  • Fixed undo all problem.
  • Removed unused images.
  • Fixed hard-coded messages.
  • Added confirmation dialog for user activation.
  • Fixed button style in Entitlements
  • Removed invalid associations.
  • Added arrow icons for details sections.
  • Fixed object_name usage.
  • Fixed HBAC/Sudo rules associations.
  • Fixed blank self-service page.
  • Fixed dirty dialog problems in HBAC/Sudo rules.
  • Fixed test fixture file name.
  • Fixed missing entitlement import button label
  • Added sudo options.
  • Fixed collapsed table in Chrome.
  • Fixed object_name and object_name_plural internationalization
  • Fixed label capitalization
  • Entity select widget improvements
  • Removed reverse zones from host adder dialog.
  • Fixed host details fields.
  • Added checkbox to remove hosts from DNS.
  • Creating reverse zones from IP address.
  • Removed entitlement registration UUID field.
  • Fixed problem loading data in HBAC/sudo details page.
  • Removed HBAC access time code.
  • Removed custom layouts using HTML templates.
  • Refactored IPA.current_facet().
  • Fixed problem with navigation state loading.
  • Fixed navigation problems.
  • Fixed navigation unit test.
  • Fixed click handlers on certificate buttons.
  • New icons for entitlement buttons
  • Fixed problem bookmarking Policy/IPA Server tabs
  • Fixed problem setting host OTP.
  • Fixed hard-coded labels in sudo rules.
  • Fixed hard-coded label in Find button.
  • Fixed missing section header in sudo command group.
  • Fixed problem unprovisioning service.
  • Fixed missing memberof definition in HBAC service.
  • Added association facets for HBAC and sudo.
  • Fixed certificate buttons.
  • Fixed missing icons.
  • Fixed misaligned search icon.
  • Resizable adder dialog box.
  • Linked entries in HBAC/sudo details page.
  • Fixed 3rd level tab style.
  • Fixed facet group labels.
  • Fixed error after login on IE
  • Fixed host adder dialog.
  • Fixed DNS zone adder dialog.
  • Fixed broken links in ipa_error.css and ipa_migration.css.
  • Fixed problem clicking 3rd level tabs.
  • Fixed link style in dialog box.
  • Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):

  • Remove wrong kpasswd sysconfig

Jan Cholasta (34):

  • Fix wording of error message.
  • Add note about ipa-dns-install to ipa-server-install man page.
  • Fix typo in ipa-server-install.
  • Fix uninitialized variables.
  • Fix double definition of output_for_cli.
  • Add lint script for static code analysis.
  • Fix lint false positives.
  • Remove unused classes.
  • Fix some minor issues uncovered by pylint.
  • Fix uninitialized attributes.
  • Run lint during each build.
  • Several improvements of the lint script.
  • Fix issues found by Coverity.
  • Fix regressions introduced by pylint false positive fixes.
  • Assume ipa help for plugins.
  • Parse netmasks in IP addresses passed to server install.
  • Honor netmask in DNS reverse zone setup.
  • Do stricter checking of IP addresses passed to server install.
  • Fix directory manager password validation in ipa-nis-manage.
  • Improve IP address handling in the host-add command.
  • Verify that the hostname is fully-qualified before accessing the service information in ipactl.
  • Remove redundant configuration values from krb5.conf.
  • Replace the 'private' option in netgroup-find with 'managed'.
  • Configure SSSD to store user password if offline.
  • Fix creation of reverse DNS zones.
  • Add ability to specify DNS reverse zone name by IP network address.
  • Fix exit status of ipa-nis-manage enable.
  • Update minimum required version of python-netaddr.
  • Clean up of IP address checks in install scripts.
  • Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.
  • Fix ipa-compat-manage not working after recent ipa-nis-manage change.
  • Make sure that hostname specified by user is not an IP address.
  • Fix external CA install.
  • Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):

  • Module for DN objects plus unit test
  • assert_deepequal supports callback for equality testing
  • Add backslash escape support for cvs reader
  • Use DN class in get_primary_key_from_dn to return decoded value
  • Update test_role_plugin test to include a comma in a privilege
  • Ticket 1485 - DN pairwise grouping
  • Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
  • Clean up existing DN object usage
  • transifex translation adjustment

Jr Aquino (15):

  • Escape LDAP characters in member and memberof searches
  • Add memberHost and memberUser to default indexes
  • Optimize and dynamically verify group membership
  • Delete the sudoers entry when disabling Schema Compat
  • Return copy of config from ipa_get_config()
  • Typo in host_nis_groups has been creating 2 CN's
  • Add sudorule and hbacrule to memberof and indirectmemberof attributes
  • Display remaining external hosts when removing from sudorule
  • Raise DuplicateEntry Error when adding a duplicate sudo option
  • Don't add empty tuple to entry_attrs['externalhost']
  • oneliner correct typo in ipasudorunas_group
  • Return correct "RunAs External Group" when removing members
  • remove escapes from the cvs parser in ipaserver/install/ldapupdate
  • Correct behavior for sudorunasgroup vs sudorunasuser
  • Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):

  • Inconsistent error message for duplicate user
  • Replica installation fails for self-signed server
  • Remove doc from API.txt
  • Revert "Remove doc from API.txt"
  • Password policy commands do not include cospriority
  • Improve DNS PTR record validation
  • Remove unwanted trimming in text fields
  • Need force option in DNS zone adder dialog
  • IPA replica is not started after the reboot
  • Improve Directory Service open port checker
  • Log temporary files in ipa-client-install
  • Prevent uninstalling client on the IPA server
  • pwpolicy-mod doesn't accept old attribute values
  • Forbid reinstallation in ipa-client-install
  • ipa-client-install uninstall does not work on IPA server
  • LDAP Updater may crash IPA installer
  • NS records not updated by replica
  • Bad return values for ipa-rmkeytab command
  • Update spec with missing BuildRequires for pylint check
  • Let selinux-policy handle port 7390
  • Limit passwd plugin to user container
  • Consolidate man pages and IPA tools help
  • Remove doc from API.txt
  • Improve service manipulation in client install
  • Running ipa-replica-manage as non-root cause errors
  • KDC autodiscovery may fail when domain is not realm
  • A new flag to disable creation of UPG
  • Fix reverse zone creation in ipa-replica-prepare
  • Improve interactive mode for DNS plugin
  • Localization fails for MaxArgumentError
  • Fix forward zone creation in ipa-replica-prepare
  • Connection check program for replica installation
  • Fix support for nss-pam-ldapd
  • Skip know_host check for ipa-replica-conncheck
  • IPA installation with --no-host-dns fails
  • Handle LDAP search references
  • Add ignore lists to migrate-ds command
  • Improve DNS zone creation
  • Add a list of managed hosts
  • Missing krbprincipalname when uid is not set
  • Add port 9443 to replica port checking
  • Fix doc for sudorule runasuser commands
  • Improve IP address handling in IPA option parser
  • Multi-process build problems
  • DNS installation fails when domain and host domain mismatch
  • Fix IPA install for secure umask
  • Allow recursion by default
  • Add DNS record modification command
  • Filter reverse zones in dnszone-find
  • Remove sensitive information from logs
  • Fix ipa-dns-install
  • Fix self-signed replica installation
  • Check IPA configuration in install tools
  • Add new dnszone-find test
  • Fix typo in ipa-replica-prepare
  • Improve long integer type validation
  • Fix sudorule-remove-user
  • Add missing automount summaries
  • Fix man page ipa-csreplica-manage
  • Fix automountkey commands summary
  • Fix invalid issuer in unit tests
  • Hide continue option from automountkey-del
  • Improve error message in ipactl
  • Improve dnszone-add error message
  • Fix idnsUpdatePolicy for reverse zone record
  • Fix client enrollment
  • Update 389-ds-base version
  • Update pki-ca version

Nalin Dahyabhai (1):

  • Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):

  • Fix gidnumber option of user-add command.

Petr Vobornik (3):

  • fixed empty dns record update
  • Fixed adding host without DNS reverse zone
  • Redirection after changing browser configuration

Rich Megginson (3):

  • winsync enables disabled users in AD
  • modify user deleted in AD crashes winsync
  • memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):

  • Allow a client to enroll using principal when the host has a OTP
  • Make retrieval of the CA during DNS discovery non-fatal.
  • Cache the value of get_ipa_config() in the request context.
  • Change default gecos from uid to first and last name.
  • Fix ORDERING in some attributetypes and remove other unnecessary elements.
  • postalCode should be a string not an integer.
  • Fix traceback in ipa-nis-manage.
  • Suppress --on-master from ipa-client-install command-line and man page.
  • Sort entries returned by *-find by the primary key (if any).
  • The default groups we create should have ipaUniqueId set
  • Always ask members in LDAP*ReverseMember commands.
  • Provide attributelevelrights for the aci components in permission_show.
  • Wait for memberof task and DS to start before proceeding in installation.
  • Convert manager from userid to dn for storage and back for displaying.
  • Modify the default attributes shown in user-find to match the UI design.
  • Ensure that the zonemgr passed to the installer conforms to IA5String.
  • Handle principal not found errors when converting replication agreements
  • Bump version to 2.0.90 to distinguish between 2.0.x
  • Properly handle --no-reverse being passed on the CLI in interactive mode
  • Update min nvr for selinux-policy and pki-ca for F-15+
  • Test for forwarded Kerberos credentials cache in wsgi code.
  • Properly configure nsswitch.conf when using the --no-sssd option.
  • Enable 389-ds SSL host checking by default
  • Configure Managed Entries on replicas.
  • Document that deleting and re-adding a replica requires a dirsrv restart.
  • Fix migration to work between v2 servers and remove search/size limits.
  • Add option to limit the attributes allowed in an entry.
  • Include the word 'member' with autogenerated optional member labels.
  • Do a lazy retrieval of the LDAP schema rather than at module load.
  • Add UID, GID and e-mail to the user default attributes.
  • Fix external CA installation
  • Remove root autobind search restriction, fix upgrade logging & error handling
  • Support initializing memberof during replication re-init using GSSAPI
  • Do better detection on status of CA DS instance when installing.
  • Fix indirect member calculation
  • Remove automountinformation as part of the DN for automount.
  • Don't let a JSON error get lost in cascading errors.
  • Add message output summary to sudorule del, mod and find.
  • Return an error message when revocation reason 7 is used
  • Require an imported certificate's issuer to match our issuer.
  • On a master configure sssd to only talk to the local master.
  • The IP address provided to ipa-server-install must be local
  • Do lazy LDAP schema retrieval in json handler.
  • Make data type of certificates more obvious/predictable internally.
  • Update translation files
  • Let the framework be able to override the hostname.
  • Make dogtag an optional (and default un-) installed component in a replica.
  • Slight performance improvement by not doing some checking in production mode
  • Set the client auth callback after creating the SSL connection.
  • Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list
  • Enforce class rules when query=True, continue to not run validators.
  • find_entry_by_attr() should fail if multiple entries are found
  • Fix error in AttrValueNotFound exception example
  • Fix test failure in updater when adding values to a single-value attr
  • Reset failed login count to 0 when admin resets password.
  • Disallow direct modifications to enrolledBy.
  • Document registering to an entitlement server with a UUID as not implemented.
  • In sudo labels we should use RunAs and not Run As.
  • Remove the ability to create new HBAC deny rules.
  • Validate that the certificate subject base is in valid DN format.
  • Use information from the certificate subject when setting the NSS nickname.
  • Create tool to manage dogtag replication agreements
  • Fix failing tests due to object name changes
  • Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
  • Set the ipa-modrdn plugin precedence to 60 so it runs last
  • Generate a database password by default in all cases.
  • Specify the package name when the replication plugin is missing.
  • Change client enrollment principal prompt to hopefully be clearer.
  • Optionally wait for 389-ds postop plugins to complete
  • A removed external host is shown in output when removing external hosts.
  • Don't set krbLastPwdChange when setting a host OTP password.
  • Fix regression when calculating external groups.
  • With the external user/group management fixed, correct the unit tests.
  • Set a default minimum value for class Int, handle long values better.
  • Make ipa-client-install error messages more understandable and relevant.
  • Add Alexander Bokovoy and Jan Cholasta to contributors file
  • Only call entry_from_entry() after waiting for the new entry.
  • Hide the HBAC access type attribute now that deny is deprecated.
  • Autofill the default revocation reason
  • Don't check for leading/trailing spaces in a File parameter
  • Add an arch-specific Requires on cyrus-sasl-gssapi
  • Revert use of 'can be at least' to 'must be at least' in minvalue validator
  • Don't leave dangling map if adding an indirect map fails
  • Fix message in test case for checking minimum values
  • When setting a host password don't set krbPasswordExpiration.
  • Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
  • Deprecated managing users and runas user/group in sudorule add/mod
  • Fix date order in changelog.
  • Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):

  • Fix resource leaks.
  • ipautil: Preserve environment unless explicitly overridden by caller.
  • install-scripts: avoid using --list with chkconfig
  • Don't set the password expiration to the current time

Yuri Chornoivan (1):

  • Typos in freeIPA messages and man page

Kyle Baker (5):

  • Background images and tab hover
  • Search bar style and positioning changes
  • List page spacing changes
  • Tab and spacing on list
  • Facet icon swap and tab sizing