Releases/4.0.0

The FreeIPA team is proud to announce FreeIPA v4.0.0!
It can be downloaded from http://www.freeipa.org/page/Downloads. As this is a major release, we did not add it to any stable Fedora release (yet), but we want to first give you a chance to test that yourself with a COPR repository.
Highlights in 4.0.0
Enhancements
- Support Kerberos-based OTP authentication both natively with tokens managed by FreeIPA server and via Radius proxy (3rd party 2FA authentication server). (ticket, design)
- Access control in the FreeIPA server was reworked and a concept of permissions/ACIs managed by a FreeIPA plugin was introduced. The plugins now have a way to control which objects and attributes should be visible and to whom. Administrators can now change the default settings and whitelist or blacklist additional attributes, or change the entire visibility of a specific FreeIPA function (users, groups, SUDO, ...) to anonymous users, authenticated users or just a group of privileged users. (ticket, design)
- Web UI adopted Patternfly open interface project to promote design commonality and improved user experience. Web UI is now responsive and adapts to different screen sizes like mobile or tablets. Additionally, many usability or minor Web UI issues were fixed. (ticket, design)
- Experimental DNSSEC inline-signing support (ticket, design)
- DNS management plugin now allows internationalized domain names. Administrators can now enter the DNS records in unicode and have the management plugin do the conversion to IDN encoding (punycode). The DNS plugin supports the IDNA 2003 standard. (ticket)
- The FreeIPA DNS plugin did not distinguish between master and forward zones and both were merged into one type of object. To remove the inconsistency, the DNS plugin now distinguishes between these two types and separate commands were added for managing forward zones. (ticket, design)
- Support the SubjectAltNames certificate extension in FreeIPA service certificates. Certificates with SAN names are useful for load balancing when a node needs to present itself both with its FQDN and the balanced address. (ticket)
- ipa-client-install now automatically configures SUDO support on client machines, thus making FreeIPA SUDO integration very easy to use. (ticket)
- ipa-getkeytab can now fetch an existing Kerberos keytab for a chosen service. This allows fetching the same keytab on multiple hosts, which is useful in cluster deployments. The operation is authorized via the allowedToPerform;read_keys attribute, stored on the target entry, which contains the DN of a user or a group allowed to get the keys without resetting them. (ticket, design)
- ipa-client-install now uploads the FreeIPA CA certificate in a system-wide certificate store, thus making it trusted by all other services on the OS. (ticket)
- Add the automember-rebuild command, which applies all automember rules to existing objects (users, hosts). (ticket, design)
- ... and many other minor enhancements
Bug fixes
- User and group operations no longer raise internal error when working with large user bases
- ipa-client-install no longer distributes a non-working Firefox configuration for the Web UI. Admins can use the new --configure-firefox option to install a fixed configuration file to a chosen directory.
- XMLRPC system commands were not implemented. FreeIPA now supports system.listMethods, system.methodSignature and system.methodHelp
- ipa-kdb loaded global configuration only on startup and never changed it until restart. Now, it checks the new configuration every 60 seconds.
- sudo plugin runAsUser option now accepts external group
- sudo plugin runAsGroup option was not generated in the sudoers compat tree correctly
- sudo plugin did not allow host IP address masks
- DNS plugin had a too restrictive zone/record name validator; it is much more relaxed now.
- ipa-backup recursively backed up old backups from /var/lib/ipa/backup
- /etc/ssh/sshd_config is no longer garbled in case it did not contain a trailing new line
- Server/replica installer now does not crash on systems with low entropy. Warnings are issued when entropy is too low and long installation times are expected
- ... and many other minor bug fixes or bug fixes related to major enhancements in this release
2FA Kerberos Authentication
FreeIPA now provides support for two-factor authentication (2FA) via Kerberos. FreeIPA can integrate into existing OTP systems by proxying requests over RADIUS. FreeIPA also provides integrated support for the open-standard TOTP (RFC 6238) and HOTP (RFC 4226) tokens, including YubiKey and FreeOTP (iOS or Android).
Administrators can configure individual users for RADIUS proxy or HOTP/TOTP. In the latter case, once enabled for HOTP/TOTP, users can provision, manage and synchronize their own tokens via the CLI or UI. Administrators can also create tokens on behalf of users, with the option to grant management permissions to the user. If the user does not have management permissions, the token is read only (except synchronization).
When dealing with hardware tokens, administrators can bulk-import the token metadata using the industry standard Portable Symmetric Key Container XML (RFC 6030) files.
Limitations
As this is our first release, it comes with some limitations.
HOTP has concerns about scalability in large replication environments due to the frequent need to replicate the token counter across the cluster. For this reason, FreeIPA defaults to TOTP tokens.
TOTP has a known issue where tokens can be re-used within a short window. This is due to lacking high-watermark support. Implementing this restriction without careful consideration for the impact on replication could result in similar problems to HOTP (above).
The workflow for changing passwords causes problems with HOTP tokens. This is most noticeable when passwords expire. In the case of the Web UI, logins will simply fail. As a workaround for this, the password can simply be changed using the CLI. In the case of SSSD logins, the login will succeed but the password change will appear to fail while actually succeeding.
Currently there is no workflow for lost tokens.
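The following is an added example, not code from FreeIPA, illustrating two points above: how token metadata arrives in a Portable Symmetric Key Container (RFC 6030) file, and why the TOTP replay window exists. It parses a constructed plaintext PSKC document (the secret is the RFC 4226/6238 test key, not a real token), computes HOTP/TOTP codes, and verifies submitted codes against per-token state that keeps a high-watermark: the next acceptable HOTP counter, or the last accepted TOTP time step. The watermark is what rejects a re-used TOTP code inside the accepted window; the release notes say FreeIPA 4.0 does not yet keep such a mark. The look-ahead and window sizes are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
ALG_HOTP = PSKC_NS + ":hotp"
ALG_TOTP = PSKC_NS + ":totp"

# Constructed sample PSKC document (RFC 6030 layout, plaintext secrets).
# The secret is the RFC 4226 / RFC 6238 test key "12345678901234567890".
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <Key Id="hotp-demo-1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <Key Id="totp-demo-1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Time><PlainValue>0</PlainValue></Time>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def _q(tag):
    return "{%s}%s" % (PSKC_NS, tag)


def parse_pskc(xml_text):
    """Return {key id: token dict} for every <Key> in a plaintext PSKC file."""
    tokens = {}
    for key in ET.fromstring(xml_text).iter(_q("Key")):
        def plain(name, key=key):
            el = key.find("%s/%s/%s" % (_q("Data"), _q(name), _q("PlainValue")))
            return None if el is None else el.text.strip()
        alg = key.get("Algorithm")
        if alg not in (ALG_HOTP, ALG_TOTP):
            raise ValueError("unsupported PSKC algorithm %r" % alg)
        fmt = key.find("%s/%s" % (_q("AlgorithmParameters"), _q("ResponseFormat")))
        tokens[key.get("Id")] = {
            "alg": "hotp" if alg == ALG_HOTP else "totp",
            "secret": base64.b64decode(plain("Secret")),
            "digits": int(fmt.get("Length")) if fmt is not None else 6,
            "counter": int(plain("Counter") or 0),
            "step": int(plain("TimeInterval") or 30),
        }
    return tokens


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


class TokenState:
    """Server-side state for one token: the next HOTP counter to accept, or the
    highest TOTP time step already accepted (the high-watermark)."""
    def __init__(self, token):
        self.token = token
        self.next_counter = token["counter"]
        self.last_step = -1


def verify(state, code, now=0, look_ahead=5, window=1):
    """Check a submitted code; on success advance the state and return True."""
    t = state.token
    if t["alg"] == "hotp":
        # Accept the expected counter or a few beyond it (unused codes on the
        # token side); a counter at or below the watermark is never accepted.
        for c in range(state.next_counter, state.next_counter + look_ahead + 1):
            if hmac.compare_digest(hotp(t["secret"], c, t["digits"]), code):
                state.next_counter = c + 1
                return True
        return False
    step = now // t["step"]
    for s in range(step - window, step + window + 1):
        if s <= state.last_step:
            continue  # high-watermark: this time step was already consumed
        if hmac.compare_digest(hotp(t["secret"], s, t["digits"]), code):
            state.last_step = s
            return True
    return False
```

Without the `last_step` check, a TOTP code remains valid for every attempt inside the same window, which is the reuse issue described above; the HOTP branch shows the counterpart cost, since `next_counter` must be written back (and replicated) after every successful login.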
Reworked Access Control
Permissions can be set to apply to anonymous or all authenticated users, or use the existing privilege/role system of assigning rights to specific users. (design)
Previously, all of the directory, except a few security-sensitive attributes, was readable by anyone that could connect to the directory server, even anonymous users. Instead, FreeIPA 4.0 uses fine-grained permissions to grant read access. (design) This change may render some information unreadable to unprivileged users. To grant read rights, create or find a permission that governs read access to the offending attribute(s), and either add it to an appropriate role, or set its bind rule to 'all' or 'anonymous'.
FreeIPA's existing default add/modify/delete permissions were also reworked. The default permissions have the "System:" name prefix and do not allow structural modifications. Administrators of deployments where default permissions were customized beyond attribute lists and privilege/role membership should carefully read the Documentation draft and Upgrade considerations sections of the design page, and test before deploying FreeIPA 4.0 to production.
Permissions in FreeIPA 4.0 are more flexible, allowing arbitrary combinations of type, subtree and filters. (design)
Note that permissions that were created or modified on a FreeIPA 4.0 server, including FreeIPA's default permissions, can not be modified on older servers. Adding them to privileges is still possible on any server.
DNS Master and Forward Zones
New command ipa dnsforwardzone was introduced and semantics of --forwarder option for ipa dnszone command was changed to match BIND semantics.
Functionality previously provided by command ipa dnszone-* --forwarder is from FreeIPA 4.0 provided by command ipa dnsforwardzone-* --forwarder.
Semantics of the old command ipa dnszone now match BIND semantics for the master zone type, i.e. the local BIND replies authoritatively to queries for data in the given zone (including authoritative NXDOMAIN answers for non-existent names), and forwarding affects only queries made by BIND to answer recursive queries which cannot be answered locally, i.e. only queries for names below zone cuts (NS records) of locally served zones. For further explanation please see:
- https://lists.isc.org/pipermail/bind-users/2006-January/060810.html
- https://lists.isc.org/pipermail/bind-users/2011-March/083244.html
The new command ipa dnsforwardzone offers semantics equivalent to the BIND forward zone type. A forward zone does not contain any authoritative data and forwards queries which cannot be answered from the local cache to the configured servers.
Forwarding policy is documented in section "Forwarding" in BIND 9 Configuration Reference.
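The distinction between the two zone types is easy to get wrong when migrating, so here is an added model of it (example code written for these notes, not part of FreeIPA or BIND). A `MasterZone` answers authoritatively for names it holds, returns an authoritative NXDOMAIN for names in the zone it does not hold, and consults forwarders only for names under an NS delegation; a `ForwardZone` holds no data and sends every query to its forwarders. The zone contents and addresses are constructed sample data.

```python
class MasterZone:
    """Authoritative (master) zone: answers for every name inside the zone itself;
    forwarders, if any, are used only for names below an NS delegation (zone cut)."""
    def __init__(self, name, records, delegations=(), forwarders=()):
        self.name = name.rstrip(".").lower()
        self.records = {n.rstrip(".").lower(): r for n, r in records.items()}
        self.delegations = {d.rstrip(".").lower() for d in delegations}
        self.forwarders = list(forwarders)


class ForwardZone:
    """Forward zone: holds no authoritative data, every query goes to its forwarders."""
    def __init__(self, name, forwarders):
        self.name = name.rstrip(".").lower()
        self.forwarders = list(forwarders)


def _under(name, zone):
    return name == zone or name.endswith("." + zone)


def find_zone(zones, qname):
    """Longest-suffix match: the closest enclosing zone the server knows about."""
    best = None
    for z in zones:
        if _under(qname, z.name) and (best is None or len(z.name) > len(best.name)):
            best = z
    return best


def resolve(zones, qname, global_forwarders=()):
    """Model how BIND disposes of a query against the configured zones.
    Returns ("answer", rdata), ("nxdomain",) or ("forward", [servers])."""
    qname = qname.rstrip(".").lower()
    zone = find_zone(zones, qname)
    if zone is None:
        # Not a locally served name: ordinary recursion, possibly via global forwarders.
        return ("forward", list(global_forwarders))
    if isinstance(zone, ForwardZone):
        return ("forward", zone.forwarders)
    if qname in zone.records:
        return ("answer", zone.records[qname])
    for cut in zone.delegations:
        if _under(qname, cut):
            # Below a zone cut BIND has to recurse; only here do the
            # zone's forwarders (or the global ones) come into play.
            return ("forward", zone.forwarders or list(global_forwarders))
    # Name belongs to the zone but does not exist: authoritative negative
    # answer. A master zone never forwards such a query.
    return ("nxdomain",)


# Constructed sample configuration (documentation addresses).
ZONES = [
    MasterZone("example.com", {"www.example.com": "192.0.2.10"},
               delegations=["sub.example.com"], forwarders=["192.0.2.53"]),
    ForwardZone("corp.example", ["198.51.100.53"]),
]

if __name__ == "__main__":
    for q in ("www.example.com", "missing.example.com",
              "host.sub.example.com", "anything.corp.example"):
        print(q, "->", resolve(ZONES, q, global_forwarders=["203.0.113.1"]))
```

The `missing.example.com` case is the one that changed behaviour: under the old merged zone type, a zone with a forwarder could be expected to pass such a name on, whereas a 4.0 master zone answers NXDOMAIN itself. If that passing-on was what a deployment relied on, the zone should be a forward zone.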
Experimental DNSSEC Support
DNS zones served by FreeIPA can be secured with DNSSEC. The signing process is fully automatic, but signing keys have to be provided by the user manually and all keys need to be copied to all FreeIPA DNS servers.
On the first FreeIPA server you can generate signing keys with the following commands (please replace "$ZONE" with the zone name without trailing period, e.g. "example.com"):
cd "/var/named/dyndb-ldap/ipa/$ZONE/keys"
dnssec-keygen -3 -b 2048 -f KSK "$ZONE"
dnssec-keygen -3 -b 2048 "$ZONE"
At this point you need to securely copy all files in the directory /var/named/dyndb-ldap/ipa/$ZONE/keys from the first server to all other FreeIPA DNS servers. On all servers you have to fix filesystem permissions and inform named that the keys are in place:
cd "/var/named/dyndb-ldap/ipa/$ZONE/keys"
chown named: *
chmod u=rw,go= *
rndc sign "$ZONE"
Your zone is now signed with the given keys. As a last step, it is necessary to add DS records to your parent zone. See man dnssec-dsfromkey and man dnssec-checkds, or ask the parent zone operator for guidance.
To enable NSEC3 for given zone you have to specify NSEC3PARAM record. For example:
ipa dnszone-mod "$ZONE" --nsec3param-rec="1 0 8 1B3140F28A1C"
For security reasons it is recommended not to use NSEC3 opt-out feature.
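As an added sanity check (example code, not part of FreeIPA), the function below parses an NSEC3PARAM value in the presentation format used with --nsec3param-rec above and flags the settings these notes warn about. The fields are hash algorithm (only 1, SHA-1, is defined by RFC 5155), flags, iterations and salt; in BIND a flags value of 1 requests NSEC3 opt-out when the zone is signed, which is what the recommendation above is about. The iteration cap of 500 is the RFC 5155 section 10.3 limit for the 2048-bit keys generated above and is an assumption about the key size in use.

```python
import re

# RFC 5155 section 10.3 caps NSEC3 iterations by key size; 2048-bit keys
# (as generated in the procedure above) allow at most 500. Assumed key size.
MAX_ITERATIONS = {1024: 150, 2048: 500, 4096: 2500}


def parse_nsec3param(rdata):
    """Parse presentation-format NSEC3PARAM rdata: 'alg flags iterations salt'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs 4 fields: hash alg, flags, iterations, salt")
    alg, flags, iterations, salt = int(fields[0]), int(fields[1]), int(fields[2]), fields[3]
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in 8 bits")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    if salt == "-":
        salt_bytes = b""  # '-' means an empty salt
    elif re.fullmatch(r"[0-9A-Fa-f]+", salt) and len(salt) % 2 == 0 and len(salt) <= 510:
        salt_bytes = bytes.fromhex(salt)
    else:
        raise ValueError("salt must be '-' or an even-length hex string of at most 255 bytes")
    return {
        "alg": alg,
        "flags": flags,
        "opt_out": bool(flags & 1),  # BIND: flags=1 requests opt-out at signing time
        "iterations": iterations,
        "salt": salt_bytes,
    }


def check_nsec3param(rdata, key_bits=2048):
    """Return a list of warnings for settings the release notes advise against
    or that RFC 5155 limits; an empty list means the value looks sane."""
    p = parse_nsec3param(rdata)
    warnings = []
    if p["opt_out"]:
        warnings.append("opt-out flag set: unsigned delegations cannot be proven absent; "
                        "the release notes recommend leaving opt-out off")
    limit = MAX_ITERATIONS.get(key_bits, 150)
    if p["iterations"] > limit:
        warnings.append("iterations %d exceed the RFC 5155 limit of %d for %d-bit keys"
                        % (p["iterations"], limit, key_bits))
    return warnings


if __name__ == "__main__":
    for value in ("1 0 8 1B3140F28A1C", "1 1 8 1B3140F28A1C", "1 0 1000 -"):
        print(value, "->", check_nsec3param(value) or "ok")
```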
Upgrading
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note that if you are doing the upgrade in a special environment (e.g. FedUp) which does not allow running the LDAP server during the upgrade process, the upgrade scripts need to be run manually after the first boot:
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig
Also note that the performance improvements require an extended set of indexes to be configured. The RPM update for an IPA server with an excessive number of users may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.
Transformation of Master to Forward Zones
Zones with specified forwarders and a forward policy other than none are transformed to forward zones. All master zone data is backed up in /var/lib/ipa/backup/dns-forward-zones-backup-%Y-%m-%d-%H-%M-%S.ldif.
The transformation to forward zones is executed only once, by one replica only, and only if the IPA version is lower than 4.0.
After this upgrade, you should use forward zones for forwarding queries.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 3.3.0
Adam Misnyovszki (17): ipactl can not restart ipa services if current status is stopped Add --force option to ipactl Certificate search max_serial_number problem fixed Extending user plugin with inetOrgPerson fields CA-less tests generate failure automember rebuild nowait feature added plugin registration refactoring for automembership CI - test_forced_client_reenrollment stability fix webui doc: typo fixes in guides webui: select all checkbox remains selected after operation plugin registration refactoring for pwpolicy Trust add datetime fix webui OTP token test data added webui static site delete command fixed webui tests: callback, assert_disabled feature added webui tests: range test extended Call generate-rndc-key.sh during ipa-server-install Alexander Bokovoy (39): Remove systemd upgrader as it is not used anymore ipa-sam: do not modify objectclass when trust object already created ipa-sam: do not leak LDAPMessage on ipa-sam initialization ipa-sam: report supported enctypes based on Kerberos realm configuration ipaserver/dcerpc.py: populate forest trust information using realmdomains trusts: support subdomains in a forest frontend: report arguments errors with better detail ipaserver/dcerpc: remove use of trust account authentication trust: integrate subdomains support into trust-add ipasam: for subdomains pick up defaults for missing values KDC: implement transition check for trusted domains ipa-kdb: Handle parent-child relationship for subdomains Guard import of adtrustinstance for case without trusts Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew subdomains: Use AD admin credentials when trust is being established trust: fix get_dn() to distinguish creating and re-adding trusts trust-fetch-domains: create ranges for new child domains trustdomain-find: report status of the (sub)domain ipaserver/install/installutils: clean up properly after yield group-show: resolve external members of the groups ipa-adtrust-install: configure host 
netbios name by default ipasam: delete trusted child domains before removing the trust libotp: do not call internal search for NULL dn bindinstance: make sure zone manager is initialized in add_master_dns_records ipa-kdb: in case of delegation use original client's database entry, not the proxy ipa-kdb: make sure we don't produce MS-PAC in case of authdata flag cleared by admin trustdomain_find: make sure we skip short entries when --pkey-only is specified trust: make sure we always discover topology of the forest trust ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust adtrustinstance: make sure to stop and disable winbind in uninstall() fix filtering of subdomain-based trust users ipa-kdb: do not fetch client principal if it is the same as existing entry ipaserver/dcerpc: make sure to always return unicode SID of the trust domain trust: do not fetch subdomains in case shared secret was used to set up the trust schema-compat: set precedence to 49 to allow OTP binds over compat tree freeipa.spec.in: update dependencies to 389-ds and selinux-policy Fix packaging issue with doubly specified directories Add missing ipa-otptoken-import.1.gz to spec file ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration Ana Krivokapić (33): Handle --subject option in ipa-server-install Fix handling of CSS files in sync.sh script Fix broken replica installation Add integration tests for Kerberos Flags Fix tests which fail after ipa-adtrust-install Add integration tests for forced client re-enrollment Create DS user and group during ipa-restore Add warning when uninstalling active replica Add option to ipa-client-install to configure automount Replace ntpdate calls with ntpd Fix invocations of FileError in ipa-client-install Do not crash if DS is down during server uninstall Do not show unexpected error in ipa-ldap-updater Follow tmpfiles.d packaging guidelines Add ipa-advise plugins for nss-pam-ldapd legacy 
clients Do not roll back failed client installation on server Make sure nsds5ReplicaStripAttrs is set on agreements Add test for external CA installation Fix regression which prevents creating a winsync agreement Use EXTERNAL auth mechanism in ldapmodify Add automember rebuild command Add a privilege and a permission needed for automember rebuild command Add unit tests for automember rebuild command Fix error message when adding duplicate automember rule Add automember rebuild command to the web UI Web UI integration test driver enhancement Add web UI integration tests for automember rebuild Add userClass attribute for users WebUI: Add userClass attribute to user and host pages Make Expression field required when adding automember condition Make sure state of services is preserved after client uninstall Enable Retro Changelog and Content Synchronization DS plugins Improve error message on failed Kerberos authentication Gabe (8): ipa-join usage instructions are incorrect Typo in warning message where IPA realm and domain name differ Fix order of synchronizing time when running ipa-client-install fix typo in ipa -v migrate-ds ipa-client-automount should not configure nsswitch.conf manually ipa recursively adds old backups ipautil.run args log message is confusing Add version and API version Jakub Hrozek (2): EXTDOM: Do not overwrite domain_name for INP_SID trusts: combine filters with AND to make sure only the intended domain matches Jan Cholasta (105): Make PKCS#12 handling in ipa-server-certinstall closer to what other tools do. Port ipa-server-certinstall to the admintool framework. Remove unused NSSDatabase and CertDB method find_root_cert_from_pkcs12. Ignore empty mod error when updating DS SSL config in ipa-server-certinstall. Replace only the cert instead of the whole NSS DB in ipa-server-certinstall. Untrack old and track new cert with certmonger in ipa-server-certinstall. Add --pin option to ipa-server-certinstall. 
Ask for PKCS#12 password interactively in ipa-server-certinstall. Fix nsSaslMapping object class before configuring SASL mappings. Add --dirman-password option to ipa-server-certinstall. Fix ipa-server-certinstall usage string. Fix service-disable in CA-less install. Fix nsslapdPlugin object class after initial replication. Read passwords from stdin when importing PKCS#12 files with pk12util. Allow PKCS#12 files with empty password in install tools. Track DS certificate with certmonger on replicas. Make LDAPEntry a wrapper around dict rather than a dict subclass. Introduce IPASimpleLDAPObject.decode method for decoding LDAP values. Always use lists for values in LDAPEntry internally. Decode and encode attribute values in LDAPEntry on demand. Make sure attributeTypes updates are done before objectClasses updates. Remove legacy toDict and origDataDict methods of LDAPEntry. Store encoded attribute values from search results directly in entry objects. Use encoded values from entry objects directly when generating modlists. Use encoded values from entry objects directly when adding new entries. Turn LDAPEntry.single_value into a dictionary-like property. Remove mod_ssl port workaround. Move IPA specific code from LDAPClient to the ldap2 plugin. Add wrapper for result3 to IPASimpleLDAPObject. Support searches with paged results control in LDAPClient. Refactor indirect membership processing. Remove unused method get_api of the ldap2 plugin. Use hardening flags for ipa-optd. Own /usr/share/ipa/ui/js/ in the spec file. Prefer user CFLAGS/CPPFLAGS over those provided by rpmbuild in the spec file. Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file. Add stricter default CFLAGS to Makefile. Fix compilation error in ipa-cldap. Remove CFLAGS duplication. Fix internal error in the user-status command. Convert remaining backend code to LDAPEntry API. Prevent garbage from readline on standard output of dogtag-ipa-retrieve-agent. 
PKI service restart after CA renewal failed Rename LDAPEntry method commit to reset_modlist. Use old entry state in LDAPClient.update_entry. Move LDAPClient method get_single_value to IPASimpleLDAPObject. Make IPASimpleLDAPObject.get_single_value result overridable. Use LDAPClient.update_entry for LDAP mods in ldapupdate. Reduce amount of LDAPEntry.reset_modlist calls in ldapupdate. Add LDAPEntry method generate_modlist. Remove unused LDAPClient methods get_syntax and get_single_value. Remove legacy LDAPEntry properties data and orig_data. Store old entry state in dict rather than LDAPEntry. Do not crash on bad LDAP data when formatting decode error message. Use raw LDAP data in ldapupdate. Fix ipa-client-automount uninstall when fstore is empty. Do not start the service in stopped_service if it was not running before. Increase service startup timeout default. Fix ntpd config on clients. Get original entry state from LDAP in LDAPUpdate. Convert remaining installer code to LDAPEntry API. Convert remaining update code to LDAPEntry API. Convert remaining test code to LDAPEntry API. Raise an exception when legacy LDAP API is used. Convert remaining frontend code to LDAPEntry API. Remove sourcehostcategory from the default HBAC rule. Always use real entry DNs for memberOf in ldap2. Fix modlist generation code not to generate empty replace mods. Log unhandled exceptions in certificate renewal scripts. Fix certificate renewal scripts to work with separate CA DS instance. Move CACERT definition to a single place. Do not create CA certificate files in CA-less server install. Use LDAP API to upload CA certificate instead of ldapmodify command. Upload CA certificate from DS NSS database in CA-less server install. Remove unused method export_ca_cert of dsinstance. Show progress when enabling SSL in DS in ipa-server-install output. Use certmonger D-Bus API to configure certmonger in CA install. Add new certmonger CA helper dogtag-ipa-ca-renew-agent. 
Update pkcs10 module functions to always load CSRs and allow selecting format. Remove unused function get_subjectaltname from the cert plugin. Add function for parsing friendly name from certificate requests. Support retrieving renewed certificates from LDAP in dogtag-ipa-ca-renew-agent. Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP. Remove dogtag-ipa-retrieve-agent-submit. Support storing renewed certificates to LDAP in dogtag-ipa-ca-renew-agent. Use dogtag-ipa-ca-renew-agent to track certificates on master CA. Store information about which CA server is master for renewals in LDAP. Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup. Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad. Merge restart_httpd functionality to renew_ra_cert. Use the same certmonger configuration for both CA masters and clones. Update certmonger configuration in ipa-upgradeconfig. Support exporting CSRs in dogtag-ipa-ca-renew-agent. Remove unused method is_master of CAInstance. Fix upload of CA certificate to LDAP in CA-less install. Fix update_ca_renewal_master plugin on CA-less installs. Allow primary keys to use different type than unicode. Support API version-specific RPC marshalling. Replace get_syntax method of IPASimpleObject with new get_type method. Use raw attribute values in command result when --raw is specified. Keep original name when setting attribute in LDAPEntry. Allow SAN in IPA certificate profile. Support requests with SAN in cert-request. Remove GetEffectiveRights control when ldap2.get_effective_rights fails. Do not corrupt sshd_config in client install when trailing newline is missing. Jan Pazdziora (1): Adding verb to error message to make it less confusing. 
Jason Woods (1): ipa-sam: cache gid to sid and uid to sid requests in idmap cache Krzysztof Klimonda (1): Fix -Wformat-security warnings Lukáš Slebodník (1): BUILD: Fix portability of NSS in file ipa_pwd.c Martin Bašti (72): Added warning if cert '/etc/ipa/ca.crt' exists ipa-client-install: Added options to configure firefox Removed old firefox configuration scripts Changed CLI to allow to use FILE as optional param migrate-ds added --ca-cert-file=FILE option PTR records can be added without specify FQDN zone name DNS classless support for reverse domains DNS tests for classless reverse domains Fix test_host_plugin for DNS Classless Reverse zones Allows to sort non text entries DNSName type DNSNameParam parameter dns_name_values capability added get_ancestors_primary_keys clone CLI conversion of DNSName type DNSName conversion in ipaldap Modified has_output attributes Modified dns related global functions Modified records and zone parameters to use DNSNameParam Modified record and zone class to support IDN _domain_name_validatord moved from DNS to realmdomains move hostname validation from DNS to hosts DNS modified tests DNS new tests PTR record target can be relative Test DNS: wildcard in RR owner Fix indentation Test DNS: dnsrecord-* zone.test. zone.test. 
should work Make zonenames absolute in host plugin Python-kerberos update in freeipa.spec.in Separate master and forward DNS zones Prevent commands to modify different type of a zone Create BASE zone class Tests DNS: forward zones Fix handle python-dns UnicodeError DNSSEC: remove unsuported records DNSSEC: added NSEC3PARAM record type DNSSEC: webui update DNSSEC attributes Tests: remove unused records from tests Tests: tests for NSEC3PARAM records DNSSEC: DLVRecord type added DNSSEC: Test: DLV record Digest part in DLV/DS records allows only heaxadecimal characters DNSSEC: WebUI add DLV record type Fix ipa.service restart Fix incompatible DNS permission Added upgrade step executed before schmema is upgraded Upgrade special master zones to forward zones Check normalization only for IDNA domains DNSSEC: add TLSA record type DNSSEC: WebUI: add TLSA record Fix ACI in DNS Remove NSEC3PARAM record Add NSEC3PARAM to zone settings NSEC3PARAM tests Allow to add non string values to named conf DNSSEC: Add experimental support for DNSSEC Add warning about semantic change for zones Add DNSSEC experimental support warning message Use documentation addresses in dns help Help for forward zones Split dns docstring Fix upgrade to forward zones Fix incompatible permission name *zone-del Non IDNA zonename should be normalized to lowercase Fix tests dns_realmdomains_integration Fix: Missing ACI for records in 40-dns.update Restore privileges after forward zones update Allow to add managed permission for reverse zones Test DNS: test zone normalization Test DNS: TLSA record Test DNS: add zone with consecutive dash characters Martin Košek (58): Bump 3.4 development version to 3.3.90 Prevent *.pyo and *.pyc multilib problems Remove rpmlint warnings in spec file Fix selected minor issues in the spec file and license Use FQDN when creating MSDCS SRV records Do not set DNS discovery domain in server mode Require new SSSD to pull required AD subdomain fixes Remove faulty DNS memberOf Task Do 
not allow '%' in DM password Remove --no-serial-autoincrement PKI installation on replica failing due to missing proxy conf Use consistent realm name in cainstance and dsinstance Winsync re-initialize should not run memberOf fixup task Installer should always wait until CA starts up Administrative password change does not respect password policy Do not add kadmin/changepw ACIs on new installs Make set_directive and get_directive more strict Remove mod_ssl conflict Add nsswitch.conf to FILES section of ipa-client-install man page Remove ipa-pwd-extop and ipa-enrollment duplicate error strings Remove deprecated AllowLMhash config Server does not detect different server and IPA domain Allow kernel keyring CCACHE when supported Consolidate .gitignore entries Increase Java stack size on PPC platforms Increase Java stack size on s390 platforms Revert restart scripts file permissions change hbactest does not work for external users sudoOrder missing in sudoers Add missing example to sudorule Remove missing VERSION warning in dnsrecord-mod Hide trust-resolve command Add runas option to run function Switch httpd to use default CCACHE httpd should destroy all CCACHEs ntpconf: remove redundant comment Fallback to global policy in ipa-lockout plugin ipa-lockout: do not fail when default realm cannot be read Migration does not add users to default group .mailmap: use correct name format for Adam Avoid passing non-terminated string to is_master_host ipa-replica-install never checks for 7389 port Fix idrange unit test failure Update Dogtag 9 database during replica installation Proxy PKI clone /ca/ee/ca/profileSubmit URI Add missing dependencies to freeipa-python package Add requires for pki-core-10.1.1-1.fc20 Make ipa-client-automount backwards compatible Make trust objects available to regular users Revert "Check for password expiration in pre-bind" Add python-yubico to BuildRequires Fix objectClass casing in LDIF to prevent schema update error Let Host Administrators use 
host-disable command Remove python-cherrypy BuildRequires Update X-ORIGIN for 4.0 Clear NSS session cache when socket is closed Add Modify Realm Domains permission Prepare spec for 4.0 release Nalin Dahyabhai (3): Add missing dependency Accept any alias, not just the last value Restore krbCanonicalName handling Nathaniel McCallum (41): Bypass ipa-replica-conncheck ssh tests when ssh is not installed Ensure credentials structure is initialized Document no_search in Param flags Don't special case the Password class in Param.__init__() Add optional_create flag Allow multiple types in Param type validation Add IntEnum parameter to ipalib Add support for managing user auth types Add RADIUS proxy support to ipalib CLI Add OTP support to ipalib CLI Add rpmbuild/ to .gitignore Move ipa-otpd socket directory Fix OTP token names/labels Fix generation of invalid OTP URIs Update ACIs to permit users to add/delete their own tokens ipa-kdb: validate that an OTP user has tokens Enable building in C99 mode Add libotp internal library for slapi plugins Add support to ipa-kdb for keyless principals Add HOTP support Add OTP last token plugin Add OTP sync support to ipa-pwd-extop Teach ipa-pwd-extop to respect global ipaUserAuthType settings Use super() properly to avoid an exception Make all ipatokenTOTP attributes mandatory Remove NULLS from constants.py Rework how otptoken defaults are handled Fix token secret length RFC compliance Fix a typo in the otptoken doc string kdb: Don't provide password expiration when using only RADIUS Only specify the ipatokenuniqueid default in the add operation Default the token owner to the person adding the token Update all remaining plugins to the new Registry API Add support for managedBy to tokens Periodically refresh global ipa-kdb configuration Make otptoken use os.urandom() for random data Implement OTP token importing Change OTPSyncRequest structure to use OctetString Add /session/token_sync POST support Add the otptoken-add-yubikey command 
- Add otptoken-sync command

Nick Hatch (1):
- Don't exclude symlinks when loading plugins

Petr Viktorin (258):
- Allow freeipa-tests to work with older paramiko versions
- Allow API plugin registration via a decorator
- Add missing license header to ipa-test-config
- Add CA-less install tests
- Add man pages for testing tools
- Remove __all__ specifications in ipaclient and ipaserver.install
- Make make-lint compatible with Pylint 1.0
- Move tests to test directories
- Convert test_ipautil from unittest to nose
- Add missing dict methods to CIDict
- Raise an error when updating CIDict with duplicate keys
- Use correct super-calls in get_args() methods
- test_integration.host: Move transport-related functionality to a new module
- test_integration: Add OpenSSHTransport, used if paramiko is not available
- ipatests.test_integration.test_caless: Fix mkdir_recursive call
- ipatests.beakerlib_plugin: Warn instead of failing when some logs are missing
- ipatests.order_plugin: Exclude test generators from the order
- ipatests.beakerlib_plugin: Add argument of generated tests to test captions
- ipatests.test_cmdline.test_help: Re-raise unexpected exceptions on failure
- Add tests for installing with empty PKCS#12 password
- Update translations from Transifex
- ipa-client-install: Use direct RPC instead of api.Command
- ipa-client-install: Verify RPC connection with a ping
- Do not fail upgrade if the global anonymous read ACI is not found
- ipapython.nsslib: Name arguments to NSPRError
- test_ipalib.test_crud: Don't use a string in takes_options
- Add tests for the IntEnum class
- test_caless.TestCertInstall: Fix 'test_no_ds_password' test case
- Use new CLI options in certinstall tests
- Use a user result template in tests
- test_simple_replication: Fix waiting for replication
- Fix date in last changelog entry
- Update Permission and ACI plugins to decorator registration API
- Fix indentation in permission plugin tests
- Fix invalid assumption NSS initialization check in SSLTransport
- Help plugin: don't fail if a topic's module is not found
- Use new ipaldap entry API in aci and permission plugin
- Improve permission plugin test cleanup
- Tests: mkdir_recursive: Don't fail when top-level directory doesn't exist
- beakerlib plugin: Don't try to submit logs if they are missing
- Fix debug output in integration test
- Add tests for user auth type management
- Remove unused utf8_encode_value functions
- ldapupdate: Factor out connection code
- dsinstance: Move the list of schema filenames to a constant
- Add schema updater based on IPA schema files
- Update the man page for ipa-ldap-updater
- Remove schema modifications from update files
- Remove schema special-casing from the LDAP updater
- Make schema files conform to new updater
- Add formerly update-only schema
- Unify capitalization of attribute names in schema files
- Update translations from Transifex
- Add ConcatenatedLazyText object
- Break long doc string in the Host plugin
- Improve LDAPEntry.__repr__ for freshly created entries
- Remove changelog from the spec
- Switch client to JSON-RPC
- Make jsonserver_kerb start a cookie-based session
- Add server/protocol type to rpcserver logs
- Add tests for the radiusproxy plugin
- test_integration: Support external names for hosts
- test_integration: Log external hostname in Host.ldap_connect
- Regression test for user_status crash
- test_webui: Allow False values in configuration for no_ca, no_dns, has_trusts
- Allow sets for initialization of frozenset-typed Param keywords
- Allow Declarative test classes to specify the API version
- Add tests for permission plugin with older clients
- Add new permission schema
- Rewrite the Permission plugin
- Verify ACIs are added correctly in tests
- Roll back ACI changes on failed permission updates
- permission plugin: Ensure ipapermlocation (subtree) always exists
- Make sure SYSTEM permissions can be retrieved with --all --raw
- Test adding noaci/system permissions to privileges
- Remove default from the ipapermlocation option
- permission_find: Do not fail for ipasearchrecordslimit=-1
- cli.print_attribute: Convert values to strings
- Use new registration API in the privilege plugin
- Allow anonymous and all permissions
- rpcserver: Consolidate __call__ in xmlclient and jsonclient_kerb
- Implement XML introspection
- ipa-replica-install: Move check for existing host before DNS resolution check
- integration tests OpenSSHTransport: Expand tilde to home in root_ssh_key_filename
- ipa tool: Print the name of the server we are connecting to with -v
- Add a .mailmap file
- Correct Jenny Severance's last name
- Update README and BUILD
- Remove the TODO file
- Permission plugin fixes
- permission plugin: Convert options in execute, not args_options_2_params
- permission plugin: Generate ACIs in the plugin
- Make it possible to call custom functions in Declarative tests
- Add support for managed permissions
- .mailmap: Remove spurious Kyle Baker line
- permission-mod: Do not copy member attributes to new entry
- permissions: Use multivalued targetfilter
- Add permission_filter_objectclasses for explicit type filters
- Add tests for multivalued filters
- Remove the unused ipalib.frontend.Property class
- permission plugin: Do not assume attribute-level rights for new attributes are present
- Update API.txt
- ipalib.plugins: Expose LDAPObjects' eligibility for permission --type in JSON metadata
- Test fixed modlist generation code
- test_integration.config: Fix crash in to_env when no replica is defined
- test_integration.config: Do not save the input environment
- test_integration.config: Use a more declarative approach to test-wide settings
- test_integration.config: Do not store the index in Domain and Host objects
- test_integration.config: Load/store from/to dicts
- test_integration.config: Add environment variables for JSON/YAML
- ipa-test-config: Add --json and --yaml output options
- test_integration.config: Convert some text values to str
- Add tests for integration test configuration
- ipalib.plugable: Always set the parser in bootstrap()
- tests: Create the testing service certificate on demand
- permission-mod: Remove attributelevelrights before reverting entry
- permission plugin: Allow multiple values for memberof
- permissions plugin: Don't crash with empty targetfilter
- permission-find: Cache the root entry for legacy permissions
- permission_add: Remove permission entry if adding the ACI fails
- Do not hardcode path to ipa-getkeytab in tests
- ipaserver.install.service: Fix estimated time display
- permission plugin: Output the extratargetfilter virtual attribute
- permission plugin: Write support for extratargetfilter
- permission CLI: Rename filter to rawfilter, extratargetfilter to filter
- permission plugin: Add tests for extratargetfilter
- permission plugin: Support searching by extratargetfilter
- permission plugin: Do not fail on non-DN memberof filters
- permission plugin: Do not change extra target filters by "views"
- Add Nathaniel McCallum to .mailmap
- test_integration.tasks: Do not fail cleanup if backup directory does not exist
- cli: Clean up imports
- cli: Show list of values in --help for all Enums
- cli: Add mechanism for deprecated option name aliases
- permission CLI: rename --permissions to --right
- permission plugin: Do not add the ipapermissionv2 for output
- Allow indexing API object types by class
- permission-find: Fix handling of the search term for legacy permissions
- test_permission_plugin: Fix tests that make too broad assumptions
- Allow modifying permissions with ":" in the name
- Add Object metadata and update plugin for managed permissions
- permission plugin: Add 'top' to the list of object classes
- Allow anonymous read access to containers
- Add managed read permissions to HBAC objects
- Document the managed permission updater operation
- Allow overriding all attributes of default permissions
- ipalib.errors: Fix TaskTimeout doctest
- Add managed read permissions to Sudo objects
- Add managed read permissions to group
- Add managed read permission to hostgroup
- CA-less tests: Use sequential certificate serial numbers
- Add mechanism for adding default permissions to privileges
- Add managed read permissions to RBAC objects
- Add managed read permissions to realmdomains
- Add managed read permission for SELinux user map
- test_realmdomains_plugin: Add default ACI to expected output
- Add managed read permissions to host
- Add managed read permissions to pwpolicy and cosentry
- Fix expected output in permission tests
- Add managed read permission to config
- Add managed read permissions to krbtpolicy
- Allow anonymous read access to Kerberos containers
- Add managed read permission to idrange
- Add managed read permission to automount
- Do not ask for memberindirect when updating managed permissions
- Add managed read permissions to automember
- test_integration.host: Export the hostname to dict as string
- Add a new ipaVirtualOperation objectClass to virtual operations
- Extend anonymous read ACI for containers
- Add managed read permission to service
- Add support for non-plugin default permissions
- Add several managed read permissions under cn=etc
- test_ldap: Read a publicly accessible attribute when testing anonymous bind
- aci-update: Trim the admin write blacklist
- aci-update: Add ACI for read-only admin attributes
- trust plugin: Remove ipatrustauth{incoming,outgoing} from default attrs
- Add managed read permissions to trust
- ipalib.aci: Add support for == and != operators to ACI
- Move ACI tests to the testsuite
- ipalib.aci: Allow alternate "aci" keyword in ACIs
- ipa-client-automount: Use rpcclient, not xmlclient, for automountlocation_show
- Replace "replica admins read access" ACI with a permission
- ipalib.cli: Add filename argument to ipa console
- Add managed read permissions to user
- update_managed_permissions: Pass around anonymous ACI rather than its blacklist
- Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
- Remove the global anonymous read ACI
- ldap2.find_entries: Do not modify attrs_list in-place
- ipalib.version: Add VENDOR_VERSION
- admin tools: Log IPA version
- dns: Add idnsSecInlineSigning attribute, add --dnssec option to zone
- pwpolicy-mod: Fix crash when priority is changed
- aci plugin: Fix internal error when ACIs are not readable
- Add managed read permission for the UPG Definition
- ldap2.has_upg: Raise an error if the UPG definition is not found
- krbtpolicy plugin: Code cleanup
- krbtpolicy plugin: Fix internal error when global policy is not readable
- Add read permissions for automember tasks
- ipalib.aci: Fix bugs in comparison
- test_permission_plugin: limit results in targetfilter find test
- Add mechanism for updating permissions to managed
- Convert Sudo rule default permissions to managed
- Add missing attributes to 'Modify Sudo rule' permission
- Split long docstrings that were recently modified
- managed perm updater: Handle case where we changed default ACIs in the past
- Convert User default permissions to managed
- Add missing attributes to User managed permissions
- permission plugin: Sort rights when writing the ACI
- Add method to enumerate managed permission templates
- Add ACI.txt
- Make 'permission' the default bind type for managed permissions
- Make sure member* attrs are always granted together in read permissions
- ipalib.frontend: Do API version check before converting arguments
- ipalib.config: Only convert basedn to DN
- ipalib.config: Don't autoconvert values to float
- Fix self argument in tasks
- managed permission updater: Add mechanism to replace SYSTEM permissions
- Convert DNS default permissions to managed
- Remove the update_dns_permissions plugin
- Add $REALM to variables supported by the managed permission updater
- Convert COSTemplate default permissions to managed
- Convert Password Policy default permissions to managed
- Allow read access to masters, but not their services, to auth'd users
- Fix: Allow read access to masters, but not their services, to auth'd users
- Allow anonymous read access to virtual operation entries
- Test and docstring fixes
- permission plugin: Join --type objectclass filters with OR
- Add posixgroup to groups' permission object filter
- Convert Host default permissions to managed
- host permissions: Allow writing attributes needed for automatic enrollment
- netgroup: Add objectclass attribute to read permissions
- Convert Automount default permissions to managed
- Convert Group default permissions to managed
- Convert HBAC Rule default permissions to managed
- Convert HBAC Service default permissions to managed
- Convert HBAC Service Group default permissions to managed
- Convert Hostgroup default permissions to managed
- Convert Netgroup default permissions to managed
- Convert the Modify privilege membership permission to managed
- Convert Role default permissions to managed
- Convert SELinux User Map default permissions to managed
- Convert Service default permissions to managed
- Convert Sudo Command default permissions to managed
- Convert Sudo Command Group default permissions to managed
- Add several CRUD default permissions
- test_permission_plugin: Fix permission_find test for legacy permissions
- Update translations
- install/ui/build: Build core.js
- permission plugin: Ignore unparseable ACIs
- Allow admins to write krbLoginFailedCount
- Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc
- test_ipagetkeytab: Fix expected error message
- test_ipaserver: Add OTP token test data to ipatests package
- ldapupdate: Restore 'replace' functionality
- Allow read access to services in cn=masters to auth'd users
- makeaci: Use the DN where the ACI is stored, not the permission's DN
- Update translations
- Become IPA 4.0.0

Petr Voborník (264):
- Make ssh_widget not-editable if attr is readonly
- Hide delete button in multivalued widget if attr is not writable
- Removal of deprecated selenium tests
- Add base-id, range-size and range-type options to trust-add dialog
- Hide 'New Certificate' action on CA-less install
- Web UI integration tests: CA-less
- Web UI Integration tests: Kerberos Flags
- Web UI integration tests: ID range types
- Show human-readable error name in error dialog title
- Update idrange search facet after trust creation
- Fix RUV search scope in ipa-replica-manage
- Fix redirection on deletion of last dns record entry
- Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown
- Fix enablement of automount map type selector
- ipatests.test_integration.host: Add logging to ldap_connect()
- Load updated Web UI files after server upgrade
- Removal of unused code
- Web UI source code annotation
- Configuration for JSDuck documentation generator
- Phases Guide
- Debugging Web UI guide
- Plugin Infrastructure Guide
- Navigation Guide
- Registries and Build Guide
- Fix password expiration notification
- Fix license in some Web UI files
- Increase stack size for Web UI builder
- Remove SID resolve call from Web UI
- Fix disabled logic of menu item
- RCUE initial commit
- Move RCUE styles to its own directory
- Delete Overpass fonts in UI root
- Use RCUE fonts
- Updated sync.sh
- Change menu rendering to match RCUE structure
- Allow RCUE
- Prefer Open Sans Regular font
- Remove background
- Remove width limit
- Remove jquery UI
- RCUE Navigation
- RCUE Header
- New header logo
- Adapt password expiration notification to new navigation
- Fix breadcrumb
- Fix search facet table styling - bug in chrome
- Fix action panel list styles
- Remove jquery button usage and unify button code
- Change undo to regular button
- Change undo-all to regular button
- New checkboxes and radio styles
- Always create radio and checkbox with label
- New Fluid form layout
- Use Fluid layout by default
- Do not display tooltip everywhere
- RCUE dialog implementation
- RCUE dialog close icon
- Dialog keyboard behavior
- Fluid layout in DNS Zone adder dialog
- Fix Association adder dialog styling
- CSS: make hostname in host adder dialog wider
- Do not open dialog in a container
- Remove left-margin from details-section
- Fix h1 style in dialog
- Fix radios behavior in automount map adder dialog
- CSS: fix network activity indicator position in control panel
- Fix padding of link buttons and labels in forms
- CSS: fix footer padding
- Fix hbac test styling
- Fix search input styling
- Combobox styles
- Action list styling
- Dojo event support in widgets
- Display required, enabled and error widget states in fluid layout
- Focus input on label click in fluid layout
- Do not show section header in unauthorized dialog
- username_r in password reset part of unauthorized dialog should be enabled as well
- Fix notification area
- Add style to dialog message area
- Update Dojo to 1.9.1
- Remove last usage of jQuery UI
- Update jQuery to version 2.0.3
- Add Font Awesome
- Change font-awesome to be compilable by lesscpy
- Font Awesome icons in header
- Replace icons with the ones from Font Awesome
- Status widgets icons
- Facet title status icons
- Use font awesome glyph for dialog close button
- Font awesome glyphs as checkboxes and radios
- Increase margin between facet control buttons
- Fix association adder dialog table-body position
- New header spinner
- Increase distance between control buttons and facet-tabs
- About dialog
- Use fluid layout in host adder dialog fqdn widget
- Web UI integration tests: maximize browser window by default
- Use only system fonts
- Trust domains Web UI
- webui: Focus expand/collapse link in batch_error dialog
- webui: Don't act on keyboard events which originated in different dialog
- Added empty value meaning to boolean formatter
- Declarative replacement of array item in specification object
- Fixed doc examples in Spec_mod
- Password Dialog
- Use general password dialog for host OTP
- Fix handling of action visibility change in action panel
- UI for OTP tokens
- UI for radius proxy
- UI for managing user-auth types
- Added QRcode generation to Web UI
- Support OTP in form based auth
- webui: use unique ids for checkboxes
- webui: Datetime parsing and formatting
- webui: remove hover effect from disabled action button
- webui-css: improve radio,checkbox keyboard support and color
- webui: do not use dom for getting selected automount keys
- webui-static: update metadata files
- webui: fix unit tests
- webui: better check for existing options in attributes_widgets
- webui: do not create <hr> delimiter between sections
- webui: reflect enabled state in child widgets of a multivalued widget
- webui: change permissions UI to v2
- webui: update license information of used third party code
- webui-ci: fix test_rebuild_membership_hosts on server without DNS
- webui: rename domNode to dom_node
- webui: make navigation module independent of app module
- webui: move RPC code from IPA module to its own module
- webui: replace IPA.command usage with rpc.command
- webui: field and widget binding refactoring
- webui: replace widget's hidden property with visible
- webui: change widget updated event into value change event
- webui-tests: binding test suite
- webui: facet container
- webui: FormMixin
- webui: ContainerMixin
- webui: standalone facet
- webui: activity widget
- webui: publish network activity topics
- webui: load page
- webui: validation summary widget
- webui: login screen widget
- webui: login page
- webui: authentication module
- webui: use asynchronous call for authentication
- webui: fix combobox styles to work with selenium testing
- webui-ci: adapt to new login screen
- webui: remove IPA.unauthorized_dialog
- webui: fix OTP Token add regression
- webui: regression - enable fields on idrange type change (add)
- webui-ci: adjust id range tests to new validator
- webui: fix switching between multiple_choice_section choices
- webui: otptoken-adder dialog - remove obsolete comment
- migration: fix import of wsgiref.util
- webui-ci: save screenshot on test failure
- webui-ci: decorate all webui tests with screenshot decorator
- rpcserver: login_password datetime fix in expiration check
- Increase Java stack size for Web UI build on aarch64
- webui: remove logout.html
- webui: remove login.html
- webui: add PatternFly css
- webui: apply PatternFly login theme on reset_password.html
- webui: apply PatternFly theme on config pages
- webui: styles for alert icons
- webui: apply PatternFly theme on migration pages
- webui: remove remnants of jquery-ui
- webui: remove unused icons
- webui: remove unused collapsible feature from section
- webui: remove unused images
- webui: change absolutely positioned layout to fluid
- webui: remove column sizing in tables, use PF styles
- webui: change navigation from RCUE to PatternFly
- webui: adjust styles to PatternFly
- webui: display undo and multivalued delete buttons in input-group
- webui: allow multiple base section layouts
- webui: change breadcrumb to PatternFly
- webui: use h1 in facet title instead of h3
- webui: remove action list widget
- webui: add action dropdown
- webui: add space between action buttons' icon and text
- webui: remove select action
- webui: add confirmation to action dropdown actions
- webui: move certificate actions to action dropdown
- webui: move user reset password action to action dropdown
- webui: patternFly dialog
- webui: adjust association adder dialog to PatternFly
- webui: activity indicators
- webui: improve pagination
- webui: do not show empty table footer
- webui: restyle automember default group
- webui: preload automember default group select list
- webui: adjust login page to PatternFly
- webui: use BS alerts in validation_summary_widget
- webui-ci: select search table item - chrome issue
- webui: remove old css for standalone pages
- webui: adjust header controls alignment
- webui: add search box placeholder text
- webui: change control buttons to normal buttons
- webui: certificate search - select search attribute only when defined
- webui: association adder dialog - change find label to filter
- webui: use dark color for facet titles without pkey
- webui-ci: assert_action_list_action
- webui: move host action panel actions to action dropdown
- webui: move service action panel actions to action dropdown
- webui: use normal buttons instead of link buttons in multivalued widget
- webui: move radius proxy action panel commands to header actions
- webui: proper alerts in dialogs
- webui: use proper alerts in header notification area
- webui: fix search box overlap in mobile mode
- webui: fix layout of QR code on wide screens
- webui: break long text in a code element in a modal
- webui: fix regression: enabled gid field on group add
- webui: add idnsSecInlineSigning option to DNS zone details facet
- webui: simplify self-service menu
- webui: display only dialogs which belong to current facet
- webui: handle back button when unauthenticated
- webui: fix SSH Key widget update
- webui: handle "unknown" result of automember-default-group-show
- webui: control sudo rule deny command tables by category switch
- webui: add sudoorder field to sudo rule page
- webui: move RPC result extraction logic to Adapter
- webui: expose krbprincipalexpiration
- webui: fix excessive registration of state change event listeners
- webui: support standalone facets in navigation module
- webui: generic routing
- webui: add parent link to widgets in ContainerMixin
- webui: plugin API
- webui-ci: adjust tests to dns changes
- webui: fix field's default value
- webui: don't limit permission search in privileges
- ldap2: add otp support to modify_password
- rpcserver: add otp support to change_password handler
- ipa-passwd: add OTP support
- webui: support password change with OTP in login screen
- webui: placeholder attribute support in textbox and textarea
- webui: add placeholders to login screen
- webui: rebase user password dialog on password dialog and add otp support
- webui: support otp in reset_password.html
- rpcserver: fix local vs utc time comparison
- webui: add confirmation for dns zone permission actions
- webui: dns forward zones
- webui-ci: dns forward zone tests
- webui-test: static metadata update
- webui-test: dns forward zone json data
- webui: fix detection of RPC command
- webui: send API version in RPC requests
- webui: extract rpc value from object envelope
- webui: base class for LoginScreen-like facets
- webui: add OTP token synchronization
- webui: add link pointing to OTP sync page to login
- webui: support global notifications in all containers
- webui: bind Login facet and OTP sync facet
- webui: fix confirmation mixin origin check
- webui: layer for standalone pages which use WebUI framework
- webui: add sync_otp.html
- webui-ci: fix action list action visibility and enablement assertion
- webui: support unlock user command
- webui: show notification instead of modal dialog on validation error
- webui: fix required error notification in multivalued widget
- webui: focus invalid widget on validation error
- webui-build: use /usr/share/java/js.jar instead of rhino.jar
- webui: change ipatokennotbefore and ipatokennotafter types to datetime
- webui: new navigation structure
- webui: display messages contained in API responses

Petr Špaček (15):
- Add timestamps to named debug logs in /var/named/data/named.run
- Clarify error message about IPv6 socket creation in ipa-cldap plugin
- Treat error during write to /etc/resolv.conf as non-fatal.
- Limit memberOf and refInt DS plugins to main IPA suffix.
- Remove working directory for bind-dyndb-ldap plugin.
- Use private IPv4 addresses for tests
- Rename variables in test xmlrpc/dns_plugin
- Use reserved domain names for tests
- tests: Move zone enable/disable tests to end of test_dns_plugin.py
- Fix regular expression for LOC records in DNS.
- Modify DNS tests with LOC records to workaround bug in python-dns.
- Clarify error message about missing DNS component in ipa-replica-prepare.
- Add wait_for_dns option to default.conf.
- Fix --ttl description for DNS zones
- Clarify LDAPClient docstrings about get_entry, get_entries and find_entries

Rob Crittenden (5):
- Re-order NULL check in ipa_lockout.
- Change the way we determine if the host has a password set.
- Implement an IPA Foreman smartproxy server
- Clean up Smartproxy support, drop unused code
- Remove IPA Foreman Smart Proxy

Simo Sorce (16):
- pwd-plugin: Fix ignored return error
- kdb-mspac: Fix out of bounds memset
- kdb-princ: Fix memory leak
- Add Delegation Info to MS-PAC
- Add krbticketPolicyAux objectclass if needed
- Fix license tag in python setup files
- Harmonize policy discovery to kdb driver
- Stop adding a default password policy reference
- Check for password expiration in pre-bind
- keytabs: Modularize setkeytab operation
- keytabs: Expose and modify key encoding function
- keytab: Add new extended operation to get a keytab.
- ipa-getkeytab: Modularize ldap_set_keytab function
- ipa-getkeytab: Add support for get_keytab extop
- man: Add -r option to ipa-getkeytab.1
- Fix getkeytab code to always use implicit tagging.

Sumit Bose (9):
- CLDAP: make sure an empty reply is returned on any error
- CLDAP: do not read IPA domain from hostname
- Use the right attribute with ipapwd_entry_checks for MagicRegen
- Remove AllowLMhash from the allowed IPA config strings
- Remove generation and handling of LM hashes
- CLDAP: do not prepend \\
- CLDAP: generate NetBIOS name like ipa-adtrust-install does
- CLDAP: add unit tests for make_netbios_name
- extdom: do not return results from the wrong domain

Thorsten Scherf (4):
- Fixed typo how to create an example gpg key
- Fixed typo in ipa-test-task man page
- Fixed various typos in ipa-client-install man page
- Fixed typo in ipa-replica-manage man page

Timo Aaltonen (2):
- Use /usr/bin/python as fallback python path
- Don't search platform path

Tomáš Babej (139):
- Remove support for IPA deployments with no persistent search
- Remove redundant shebangs
- Perform dirsrv tuning at platform level
- Make CS.cfg edits with CA instance stopped
- Fix incorrect error message occurrence when re-adding the trust
- Log proper error message when defaultNamingContext not found
- Use getent admin@domain for nss check in ipa-client-install
- Do not add trust to AD in case of IPA realm-domain mismatch
- Warn user about realm-domain mismatch in install scripts
- trusts: Do not create ranges for subdomains in case of POSIX trust
- ipa-upgradeconfig: Remove backed up smb.conf
- ipa-adtrust-install: Add warning that we will break existing samba configuration
- adtrustinstance: Properly handle uninstall of AD trust instance
- adtrustinstance: Move attribute definitions from setup to init method
- ipatests: Extend the order plugin to properly handle inheritance
- Get the created range type in case of re-establishing trust
- ipatests: Add Active Directory support to configuration
- ipatests: Extend domain object with 'ad' role support and WinHosts
- ipatests: Extend IntegrationTest with multiple AD domain support
- ipatests: Create util module for ipatests
- ipatests: Add WinHost class
- ipatests: Add AD-integration related tasks
- ipatests: Add AD integration test case
- trusts: Fix typo in error message for realm-domain mismatch
- advice: Add legacy client configuration script using nss-ldap
- ipatests: Extend clear_sssd_cache to support non-systemd platforms
- ipatests: Restore SELinux context after restoring files from backup
- ipatests: Do not use /usr/bin hardcoded paths
- ipatests: Add support for extra roles referenced by a keyword
- ipatests: Use command -v instead of which in legacy client advice
- ipatests: Add integration tests for legacy clients
- ipatests: test_trust: use domain name instead of realm for user lookups
- platform: Add Fedora 19 platform file
- ipa-client-install: Publish CA certificate to systemwide store
- trusts: Do not pass base-id to the subdomain ranges
- trusts: Always stop and disable smb service on uninstall
- ipa-client-install: Always pass hostname to the ipa-join
- ipa-cldap: Cut NetBIOS name after 15 characters
- Fix incorrect path in error message on sysrestore failure
- acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
- ipatests: Remove sudo calls from tasks
- ipatests: Check for legacy_client attribute presence if unapplying fixes
- ipatests: test_legacy_clients: Change "test group" to "testgroup"
- ipatests: Add records for all hosts in master's domain
- ipatests: Run restoring backup files and restoring their context in one session
- ipatests: legacy_clients: Test legacy clients with non-posix trust
- ipatests: Perform a connection test before preparing the client
- ipatests: Make sure we re-kinit as admin before adding the disabledipauser
- ipatests: Stop sssd service before deleting the cache
- ipatests: Add test cases for subdomain users on legacy clients
- ipatests: Change expected home directories returned by getent
- ipatests: Do not require group name resolution for the non-posix tests
- ipatests: Fix incorrect order of operations when restoring backup
- trusts: Remove usage of deprecated LDAP API
- man: sshd should be run at least once before client enrollment
- Prohibit deletion of active subdomain range
- ipatests: test_trust: Change expected home directories for posix users
- ipatests: Do not depend on the case of the attributes when testing ID ranges
- ipatests: Make sure that remnants of PKI are removed
- ipatests: legacy_clients: Use hostname instead of external hostname for AD subdomain
- ipatests: legacy_clients: Relax regex checks
- ipatests: tasks: Wait 2 seconds after restart of SSSD when clearing the cache
- ipa-pwd-extop: Fix memory leak in ipapwd_pre_bind
- ipa-range-check: Fix memory leaks when freeing range object
- Extend ipa-range-check DS plugin to handle range types
- ipatests: Fix apache semaphores prior to installing IPA server
- ipatests: tasks: Accept extra arguments when installing client
- ipatests: Allow using FQDN with trailing dot as final hostname
- ipatests: Fix incorrect UID/GID reference for subdomain users and groups
- ipa_range_check: Use special attributes to determine presence of RID bases
- ipa_range_check: Connect the new node of the linked list
- ipa_range_check: Make a new copy of forest_root_id attribute for range_info struct
- ipa_range_check: Do not fail when no trusted domain is available
- ipa_range_check: Fix typo when comparing strings using strcasecmp
- ipa_range_check: Change range_check return values from int to range_check_result_t enum
- ipatests: Extend test suite for ID ranges
- ipa-pwd-extop: Deny LDAP binds for accounts with expired principals
- ipalib: Add DateTime parameter
- ipatests: Cover DateTime in test_parameters.py
- ipalib: Expose krbPrincipalExpiration in CLI
- ipatests: Fix formatting errors in test_user_plugin.py
- ipatests: Add coverage for setting krbPrincipalExpiration
- ipatests: Add test for denying expired principals
- ipa-client: Set NIS domain name in the installer
- ipa-client-install: Configure sudo to use SSSD as data source
- ipatests: Add Sudo integration test
- ipatests: legacy clients: Do not use external hostnames for testing login to legacy clients from master
- ipatests: Setup SSSD debugging mode by default
- ipatests: Enable SSSD debugging on legacy clients with SSSD
- ipaplatform: Create separate module for platform files
- ipaplatform: Move service base platform related functionality to ipaplatform/base/service.py
- ipaplatform: Move default implementations of tasks from service.py.in
- ipaplatform: Create default implementations for tasks that were missing them
- ipaplatform: Add base fedora platform module
- ipaplatform: Moved Fedora 16 service implementations and refactored them as base Fedora module service implementations
- ipaplatform: Move restore_context and check_selinux_status implementations to base fedora platform tasks
- ipaplatform: Do not require custom Authconfig implementations from platform modules
- ipaplatform: Remove legacy redhat platform module
- ipaplatform: Move Fedora-specific implementations of tasks to fedora base platform file
- ipaplatform: Change platform dependent code in freeipa to use ipaplatform tasks
- ipaplatform: Change service code in freeipa to use ipaplatform services
- ipaplatform: Change paths dependent on ipaservices to use ipaplatform.paths
- ipaplatform: Remove redundant imports of ipaservices
- ipaplatform: Move all filesystem paths to ipaplatform.paths module
- ipaplatform: Remove remnants of the ipapython/platform
- ipaplatform: Change makefiles to accommodate for new platform package
- ipaplatform: Let fedora path module use PathNamespace class
- ipaplatform: Link to platform module during build time
- ipaplatform: Pylint fixes
- ipaplatform: Contain all the tasks in the TaskNamespace
- ipaplatform: Move hardcoded paths from Fedora platform files to path namespace
- sudorule: Allow unsetting sudoorder
- trusts: Allow reading ipaNTSecurityIdentifier in user and group objects
- trusts: Add more read attributes
- trusts: Allow reading system trust accounts by adtrust agents
- sudorule: PEP8 fixes in sudorule.py
- sudorule: Allow using hostmasks for setting allowed hosts
- sudorule: Allow using external groups as groups of runAsUsers
- sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
- sudorule: Include externalhost and ipasudorunasextgroup in the list of default attributes
- sudorule: Allow adding deny commands when command category set to ALL
- sudorule: Make sure all the relevant attributes are checked when setting category to ALL
- sudorule: Fix the order of the parameters to have less chaotic output
- sudorule: Enforce category ALL checks on dirsrv level
- ipatests: test_sudo: Add tests for allowing hosts via hostmasks
- ipatests: test_sudo: Add coverage for external entries
- ipatests: test_sudo: Add coverage for category ALL validation
- ipatests: test_sudo: Fix assertions not assuming runasgroupcat set to ALL
- ipatests: test_sudo: Do not expect enumeration of runasuser groups
- ipatests: test_sudo: Expect root listed out if no RunAsUser available
- sudorule: Refactor add and remove external_post_callback
- ipaplatform: Document the platform tasks API
- ipaplatform: Drop the base authconfig class
- ipaplatform: Fix build warnings
- ipaplatform: Fix misspelled path constant
- ipaplatform: Move paths from installers to paths module
- ipa-client-install: Restart nisdomain service instead of starting
- ipaldap: Override conversion of nsds5replicalast{update,init}{start,end}
- ipalib: Use DateTime parameter class for OTP token timestamp attributes

Xiao-Long Chen (1):
- Use /usr/bin/python2