The FreeIPA team is proud to announce FreeIPA v4.2.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository.
Highlights in 4.2
Enhancements
Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA servers to keep a consistent state for all certificate creation requests. Certificate submission requests are authorized by the new CA ACL rules (ticket, design)
User life-cycle management: add inactive stage users using the UI or the LDAP interface and move them to active users with a single command. Deleted users can now also be moved (preserved) to a special tree and re-activated when the user returns, preserving their UID/GID (ticket, design)
Support for the Password Vault (KRA) component of PKI for storing user or service secrets. All secrets are encrypted with public key cryptography, so that even the FreeIPA server does not know them! (ticket, design, implementation)
A datepicker is now used for datetime fields in the Web UI (ticket)
The upgrade process was overhauled. There is now a single upgrade tool (ipa-server-upgrade) providing a simplified interface for upgrading the FreeIPA server. See details in the separate subsection below. (ticket, design)
Service constrained delegation rules can now be added via the UI and CLI (ticket, design)
The FreeIPA Web UI now provides an API browser and documentation. See the IPA Server - API Browser tab (ticket)
Access control instructions were updated so that hosts can create their own services (ticket)
The FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service (ticket, design)
The FreeIPA web server no longer uses the deprecated mod_auth_kerb but has switched to the modern mod_auth_gssapi (ticket)
New automated migration tool from winsync to ID Views (ticket, design)
The ipa migrate-ds command can now search the migrated users and groups with different search scopes (ticket)
DNSSEC integration was improved and the FreeIPA server is configured to do DNSSEC validation by default. This might affect installations which did not follow the Deployment Recommendations for DNS.
And many other small improvements or bug fixes!
Changes to upgrade
The server still upgrades automatically during RPM update. However, ipactl start now verifies that the server was really upgraded before starting FreeIPA, to prevent running upgraded bits on old data when ipa-server-upgrade was not run during the RPM update (for example during a FedUp Fedora upgrade).
The format of update files (files in /usr/share/ipa/updates/) was changed. Namely:
Updates are not merged; update files are applied one at a time (ticket)
Update entries no longer support CSV; commas can now be freely used in the added attributes
Updates can now use base64 values (ticket)
Update plugins are no longer run automatically, but only when referenced from update files (plugin:)
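The four format changes above are easiest to see against a small parser. The following is an added example, not FreeIPA's own ipa-ldap-updater code, and it assumes an LDIF-like layout that the page does not spell out: an entry begins with a "dn:" line, a directive line reads "add:attr: value", a double colon ("::") marks a base64 value as in LDIF, and a "plugin: name" line schedules a plugin at that point in the file. The sample update file and the plugin name in it are constructed for illustration.

```python
"""Toy parser for a FreeIPA 4.2-style update file (added example, not
FreeIPA code).  It shows the behaviours the release notes describe:
entries are processed in file order and files are never merged, commas
inside a value are plain characters (no CSV splitting), '::' introduces
a base64 value, and 'plugin:' lines run where they appear.

Assumptions (not stated in the release notes): the LDIF-like syntax
below, and that $SUFFIX substitution happens elsewhere.
"""
import base64
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class EntryUpdate:
    dn: str
    # (directive, attribute, value) triples, kept in file order
    ops: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class PluginStep:
    name: str


Step = Union[EntryUpdate, PluginStep]

# Constructed sample; the plugin name is a placeholder, not a real plugin.
SAMPLE_UPDATE = """\
# constructed sample update file
dn: cn=ipaConfig,cn=etc,$SUFFIX
add:ipaUserObjectClasses: top
# the comma below is part of the value, not a CSV separator
add:ipaConfigString: AllowNThash, KDC:Disable Last Success

dn: cn=example,cn=etc,$SUFFIX
add:description:: c2VjcmV0LCB3aXRoIGNvbW1h

plugin: update_example_plugin
"""


def parse_value(raw: str) -> str:
    """Decode a '::' (base64) value; return any other value verbatim.

    ``raw`` is everything after the attribute's first colon, so a leading
    colon means the line used the LDIF '::' form.
    """
    if raw.startswith(":"):
        return base64.b64decode(raw[1:].strip()).decode("utf-8")
    return raw.strip()


def parse_update_file(text: str) -> List[Step]:
    """Return the ordered list of steps in one update file."""
    steps: List[Step] = []
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("dn:"):
            current = EntryUpdate(dn=line[len("dn:"):].strip())
            steps.append(current)
            continue
        if line.startswith("plugin:"):
            # plugins run only where referenced, in sequence with entries
            steps.append(PluginStep(name=line[len("plugin:"):].strip()))
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: directive outside an entry")
        directive, rest = line.split(":", 1)
        # split once more: the attribute name, then the raw value (which
        # may itself contain colons or commas)
        attr, raw = rest.split(":", 1)
        current.ops.append((directive.strip(), attr.strip(), parse_value(raw)))
    return steps


def ordered_steps(files: List[Tuple[str, str]]) -> List[Tuple[str, Step]]:
    """Apply files one after another; nothing is merged across files, so
    each step keeps the name of the file it came from."""
    return [(name, step) for name, text in files for step in parse_update_file(text)]


if __name__ == "__main__":
    for origin, step in ordered_steps([("10-sample.update", SAMPLE_UPDATE)]):
        print(origin, step)
```

Because values are taken whole after the second colon, a value such as "AllowNThash, KDC:Disable Last Success" survives intact, which is exactly what the removal of CSV handling buys; the base64 line decodes to a value that itself contains a comma.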
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.1
Ade Lee (3)
Add a KRA to IPA
Add man page for ipa-kra-install
Re-enable uninstall feature for ipa-kra-install
Ales ‘alich’ Marecek (1)
Ipatests DNS SOA Record Maintenance
Alexander Bokovoy (21)
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
Update slapi-nis dependency to pull 0.54.1
AD trust: improve trust validation
Support Samba PASSDB 0.2.0 aka interface version 24
ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
ipa-kdb: when processing transitions, hand over unknown ones to KDC
ipa-kdb: reject principals from disabled domains as a KDC policy
fix Makefile.am for daemons
slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
ipaserver/dcerpc: Ensure LSA pipe has session key before using it
ipa-kdb: use proper memory chunk size when moving sids
ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
add one-way trust support to ipasam
ipa-adtrust-install: add IPA master host principal to adtrust agents
trusts: pass AD DC hostname if specified explicitly
ipa-sidgen: reduce log level to normal if domain SID is not available
ipa-adtrust-install: allow configuring of trust agents
trusts: add support for one-way trust and switch to it by default
ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
trust: support retrieving POSIX IDs with one-way trust during trust-add
Christian Heimes (4)
Provide Kerberos over HTTP (MS-KKDCP)
Fix removal of ipa-kdc-proxy.conf symlink
Fix upgrade of HTTPInstance for KDC Proxy
Improve error handling in ipa-httpd-kdcproxy
David Kupka (27)
Respect UID and GID soft static allocation.
Stop dirsrv last in ipactl stop.
Remove unneeded internal methods. Move code to public methods.
Remove service file even if it isn’t a link.
Produce better error in group-add command.
Fix --{user,group}-ignore-attribute in migration plugin.
ipa-restore: Check if directory is provided + better errors.
Fix error message for nonexistent members and add tests.
Use singular in help metavars + update man pages.
Always add /etc/hosts record when DNS is being configured.
Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
Abort backup restoration on not matching host.
idviews: Allow setting ssh public key on ipauseroverride-add
Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
Restore default.conf and use it to build API.
Always reload StateFile before getting or modifying the stored values.
Remove unused part of ipa.conf.
Use mod_auth_gssapi instead of mod_auth_kerb.
Bump ipa.conf version to 17.
Lint: Skip checking of functions stolen by python-nose.
Make lint work on Fedora 22.
Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
Do not store state if CA is enabled
Move CA installation code into single module.
Use 389-ds centralized scripts.
upgrade: Raise error when certmonger is not running.
ipa-replica-prepare: Do not create DNS zone automatically.
Drew Erny (1)
Migration now accepts scope as argument
Endi Sukma Dewata (8)
Fixed KRA backend.
Modified NSSConnection not to shutdown existing database.
Added vault plugin.
Added vault-archive and vault-retrieve commands.
Fixed KRA installation problem.
Added symmetric and asymmetric vaults.
Added ipaVaultPublicKey attribute.
Added vault access control.
Francesco Marella (1)
Refactor selinuxenabled check
Fraser Tweedale (25)
Support multiple host and service certificates
Fix certificate management with service-mod
Install CA with LDAP profiles backend
Add schema for certificate profiles
ipa-pki-proxy: provide access to profiles REST API
Add ACL to allow CA agent to modify profiles
Add certprofile plugin
Enable LDAP-based profiles in CA on upgrade
Import included profiles during install or upgrade
Add generic split_any_principal method
Add profile_id parameter to ‘request_certificate’
Add usercertificate attribute to user plugin
Update cert-request to support user certs and profiles
Fix certificate subject base
Import profiles earlier during install
ipa-pki-proxy: allow certificate and password authentication
Add CA ACL plugin
Enforce CA ACLs in cert-request command
certprofile: fix doc error
Upgrade CA schema during upgrade
Migrate CA profiles after enabling LDAPProfileSubsystem
certprofile: add option to export profile config
certprofile: add ability to update profile config in Dogtag
caacl: fix incorrect construction of HbacRequest for hosts
cert-request: enforce caacl for principals in SAN
Gabe Alford (17)
Remove trivial path constants from modules
ipa-server-install Directory Manager help incorrect
ipa-managed-entries requires password with bad password
Update default NTP configuration
Remove usage of app_PYTHON in ipaserver Makefiles
Remove dependency on subscription-manager
Typos in ipa-rmkeytab options help and man page
permission-add does not prompt for ipapermright in interactive mode
ipa-replica-prepare should document ipv6 options
ipatests: Add tests for valid and invalid ipa-advise
ipa-replica-prepare can only be created on the first master
Add message for skipping NTP configuration during client install
Remove unneeded ip-address option in ipa-adtrust-install
Unsaved changes dialog internally inconsistent
Allow ipa help command to run when ipa-client-install is not configured
Do not print traceback when pipe is broken
Clear SSSD caches when uninstalling the client
Jan Cholasta (109)
Do not crash in CAInstance.__init__ when default argument values are used
Fix certmonger configuration in installer code
Do not check if port 8443 is available in step 2 of external CA install
Handle profile changes in dogtag-ipa-ca-renew-agent
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
Fail if certmonger can’t see new CA certificate in LDAP in ipa-cacert-manage
Fix possible NULL dereference in ipa-kdb
Fix memory leaks in ipa-extdom-extop
Fix various bugs in ipa-otp-counter and ipa-otp-lasttoken
Fix memory leak in ipa-pwd-extop
Fix memory leaks in ipa-join
Fix various bugs in ipap11helper
Fix CA certificate backup and restore
Fix wrong expiration date on renewed IPA CA certificates
Restore file extended attributes and SELinux context in ipa-restore
Use correct service name in cainstance.backup_config
Stop tracking certificates before restoring them in ipa-restore
Remove redefinition of LOG from ipa-otp-lasttoken
Unload P11_Helper object’s library when it is finalized in ipap11helper
Fix Kerberos error handling in ipa-sam
Fix unchecked return value in ipa-kdb
Fix unchecked return values in ipa-winsync
Fix unchecked return value in ipa-join
Fix unchecked return value in krb5 common utils
Fix memory leak in GetKeytabControl asn1 code
Add TLS 1.2 to the protocol list in mod_nss config
Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Improve validation of --instance and --backend options in ipa-restore
Check subject name encoding in ipa-cacert-manage renew
Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
Fix ipa-restore on systems without IPA installed
Remove RUV from LDIF files before using them in ipa-restore
Fix CA certificate renewal syslog alert
Do not crash on unknown services in installutils.stopped_service
Restart dogtag when its server certificate is renewed
Make certificate renewal process synchronized
Fix validation of ipa-restore options
Do not assume certmonger is running in httpinstance
Put LDIF files to their original location in ipa-restore
Revert “Make all ipatokenTOTP attributes mandatory”
Create correct log directories during full restore in ipa-restore
Do not crash when replica is unreachable in ipa-restore
Bump 389-ds-base and pki-ca dependencies for POODLE fixes
ipalib: Allow multiple API instances
ipalib: Move plugin package setup to ipalib-specific API subclass
advise: Add separate API object for ipa-advise
ldap2: Use self API instance instead of ipalib.api
replica-install: Use different API instance for the remote server
certstore: Make certificate retrieval more robust
client-install: Do not crash on invalid CA certificate in LDAP
client: Fix ca_is_enabled calls
upload_cacrt: Fix empty cACertificate in cn=CAcert
ldap: Drop python-ldap tuple compatibility
ldap: Remove unused IPAdmin methods
ldap: Add connection management to LDAPClient
ldap: Use LDAPClient connection management in IPAdmin
ldap: Use LDAPClient connection management in ldap2
ldap: Add bind and unbind methods to LDAPClient
ldap: Use LDAPClient bind and unbind methods in IPAdmin
ldap: Use LDAPClient bind and unbind methods in ldap2
ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
cainstance: Use LDAPClient instead of IPASimpleLDAPObject
makeaci: Use LDAPClient instead of IPASimpleLDAPObject
ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
ldap: Remove IPASimpleLDAPObject
Fix stop_tracking_certificates call in ipa-restore
baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
client-install: Fix kinits with non-default Kerberos config file
install: Make a package out of ipaserver.install.server
install: Move ipa-server-install code into a module
install: Move ipa-replica-install code into a module
install: Move ipa-server-upgrade code into a module
install: Fix missing variable initialization in replica install
install: Fix CA-less server install
install: Fix external CA server install
install: Move private_ccache from ipaserver to ipapython
install: Introduce installer framework ipapython.install
install: Migrate ipa-server-install to the install framework
install: Handle Knob cli_name and cli_aliases values consistently
install: Add support for positional arguments in CLI tools
install: Allow setting usage in CLI tools
install: Migrate ipa-replica-install to the install framework
vault: Move vaults to cn=vaults,cn=kra
install: Initialize API early in server and replica install
vault: Fix ipa-kra-install
install: Fix logging setup in server and replica install
User life cycle: provide preserved user virtual attribute
install: Fix ipa-replica-install not installing RA cert
User life cycle: change user-del flags to be CLI-specific
plugable: Move plugin base class and override logic to API
ipalib: Load ipaserver plugins when api.env.in_server is True
ipalib: Move find_modules_in_dir from util to plugable
plugable: Specify plugins to import in API by module names
plugable: Load plugins only from modules imported by API
plugable: Pass API to plugins on initialization rather than using set_api
plugable: Do not use DictProxy for API
plugable: Lock API on finalization rather than on initialization
ipaplatform: Do not use MagicDict for KnownServices
plugable: Remove SetProxy, DictProxy and MagicDict
plugable: Change is_production_mode to method of API
plugable: Specify plugin base classes and modules using API properties
plugable: Remove unused call method of Plugin
replica prepare: Do not use entry after disconnecting from LDAP
ipalib: Fix skip_version_check option
spec file: Update minimal versions of required packages
Jan Pazdziora (1)
No explicit zone specification.
Lenka Ryznarova (1)
Test Objectclass of postdetach group
Ludwig Krispenz (14)
ds plugin - manage replication topology in the shared tree
install part - manage topology in shared tree
replica install fails with domain level 1
accept missing binddn group
plugin uses 1 as minimum domain level to become active, no calculation based on plugin version
crash when removing a replica
check for existing and self referential segments
make sure the agreement rdn matches the rdn used in the segment
v2-reject modifications of endpoints and connectivity of a segment
correct management of one directional segments
fix coverity issues
v2 clear start attr from segment after initialization
v2 improve processing of invalid data.
allow deletion of segment if endpoint is not managed
Lukáš Slebodník (2)
SPEC: Explicitly requires python-sssdconfig
SPEC: Require python2 version of sssd bindings
Martin Babinsky (43)
Use ‘remove-ds.pl’ to remove DS instance
Moved dbus-python dependence to freeipa-python package
ipa-kdb: unexpected error code in ‘ipa_kdb_audit_as_req’ triggers a message
always get PAC for client principal if AS_REQ is true
ipa-kdb: more robust handling of principal addition/editing
OTP: failed search for the user of last token emits an error message
ipa-pwd-extop: added an informational comment about intentional fallthrough
ipa-uuid: emit a message when unexpected mod type is encountered
OTP: emit a log message when LDAP entry for config record is not found
ipa-client-install: put eol character after the last line of altered config file(s)
migrate-ds: exit with error message if no users/groups to migrate are found
Changing the token owner changes also the manager
ipa-dns-install: use STARTTLS to connect to DS
ipa-dns-install: use LDAPI to connect to DS
migrate-ds: print out failed attempts when no users/groups are migrated
show the exception message thrown by dogtag._parse_ca_status during install
do not log BINDs to non-existent users as errors
fix improper handling of boolean option in
proper client host setup/teardown in forced client reenrollment integration test suite
do not install CA on replica during integration test if setup_ca=False
ipautil: new functions kinit_keytab and kinit_password
ipa-client-install: try to get host TGT several times before giving up
Adopted kinit_keytab and kinit_password for kerberos auth
use separate ccache filename for each IPA DNSSEC daemon
point the users to PKI-related logs when CA configuration fails
suppress errors arising from deleting non-existent files during client uninstall
prevent duplicate IDs when setting up multiple replicas against single master
ipa-server-install: deprecate manual setting of master KDC password
update ‘api.env.ca_host’ if a different hostname is used during server install
provide dedicated ccache file for httpd
move IPA-related http runtime directories to common subdirectory
explicitly destroy httpd service ccache file during httpinstance removal
do not check for directory manager password during KRA uninstall
merge KRA installation machinery to a single module
KRA: get the right dogtag version during server uninstall
add DS index for userCertificate attribute
generalize certificate creation during testing
ipa-kdb: common function to get key encodings/salt types
increase NSS memcache timeout for IPA server
baseldap: add support for API commands managing only a single attribute
reworked certificate normalization and revocation
new commands to manage user/host/service certificates
add option to skip client API version check
Martin Bašti (126)
Dogtag 10.2 to spec.file
Fix dns zonemgr validation regression
Add bind-dyndb-ldap working dir to IPA specfile
Fix CI tests: install_adtrust
Fix upgrade: do not use invalid ldap connection
Fix: DNS installer adds invalid zonemgr email
Fix: DNS policy upgrade raises assertion error
Fix upgrade referint plugin
Upgrade: fix trusts objectclass violation
Fix named working directory permissions
Fix: zonemgr must be unicode value
Fix warning message should not contain CLI commands
Show warning instead of error if CA did not start
Raise right exception if domain name is not valid
Fix pk11helper module compiler warnings
Fix: read_ip_addresses should return ipaddr object
Fix detection of encoding in zonemgr option
Fix zonemgr option encoding detection
Throw zonemgr error message before installation proceeds
Upgrade fix: masking named should be executed only once
Using wget to get status of CA
Show SSHFP record containing space in fingerprint
Fix don’t check certificate during getting CA status
Fix: Upgrade forwardzones zones after adding newer replica
Fix zone find during forwardzone upgrade
Fix traceback if zonemgr error contains unicode
DNS tests: separate current forward zone tests
New test cases for Forward_zones
Detect and warn about invalid DNS forward zone configuration
DNS tests: warning if forward zone is inactive
Add debug messages into client autodetection
DNSSEC catch ldap exceptions in ipa-dnskeysyncd
DNSSEC: fix root zone dns name conversion
Always return absolute idnsname in dnszone commands
Use dyndns_update instead of deprecated sssd option
Fix reference counting in pkcs11 extension
Prevent install scripts fail silently if timeout exceeded
Fix warning message on client side
Fix restoring services status during uninstall
Fix do not enable service before storing status
Uninstall configured services only
Fix saving named restore status
Migrate uniqueness plugins configuration to new style
Fix uniqueness plugins
DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
Fix memory leaks in ipap11helper
Remove unused method from ipap11pkcs helper module
Remove unused disable-betxn.ldif file
DNS fix: do not traceback if unsupported records are in LDAP
DNS fix: do not show part options for unsupported records
DNS: remove NSEC3PARAM from records
Fix dead code in ipap11helper module
Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
Server Upgrade: do not sort updates by DN
Server Upgrade: Upgrade one file per time
Server Upgrade: Set modified to false, before each update
Server Upgrade: Update entries in order specified in file
Server Upgrade: order update files by default
Server Upgrade: respect --test option in plugins
Server Upgrade: remove --test option
Server Upgrade: Fix comments
DNSSEC: Do not log into files
Fix ldap2 shared connection
Server Upgrade: use only LDAPI connection
Server Upgrade: remove unused code in upgrade
Server Upgrade: Apply plugin updates immediately
Server Upgrade: specify order of plugins in update files
Server Upgrade: plugins should use ldapupdater API instance
Server Upgrade: Handle connection better in updates_from_dict
Server Upgrade: use ldap2 connection in fix_replica_agreements
Server Upgrade: restart DS using ipaplatfom service
Server Upgrade: only root can run updates
DNSSEC CI tests
ipa client: make --ntp-server option multivalued
ipa client: use NTP servers detected from SRV
ipa client: use NTP servers specified by user
Server Upgrade: ipa-server-upgrade command
Server Upgrade: Verify version and platform
Server Upgrade: use ipa-server-upgrade in RPM upgrade
Server Upgrade: fix a comment in ldapupdater
move realm_to_serverid to installutils module
Server Upgrade: use LDIF parser to modify DSE.ldif
Server Upgrade: enable DS global lock during upgrade
Server Upgrade: remove CSV from upgrade files
Server Upgrade: Allow base64 encoded values
Server Upgrade: fix memberUid index
Don’t use the proxy to check CA status
Server Upgrade: Do not start DS if it was stopped before upgrade
Server Upgrade: raise RuntimeError instead of exit()
Server Upgrade: do not allow to run upgradeinstance alone
Server Upgrade: handle errors better
Server Upgrade: ipa-ldap-updater will not do overall upgrade
Server Upgrade: Fix uniqueness plugins
DNSSEC: FIX Do not re-create kasp.db if it already exists
DNSSEC: update OpenDNSSEC KASP configuration
DNS install: extract DNS installer into one module
Pylint: fix false positive warning for domain
Uid uniqueness: fix: exclude compat tree from uniqueness
Server Upgrade: wait until DS is ready
Server Upgrade: Fix: execute schema update
Server Upgrade: Move code from ipa-upgradeconfig to separate module
Fix: use DS socket check only for upgrade
Server Upgrade: fix remove statement
Installers fix: remove temporal ccache
ULC: fix: upgrade for stage Stage User Admins failed
Fix: regression in host and service plugin
DNSSEC: Improve global forwarders validation
DNSSEC: validate forward zone forwarders
Revert 389-DS BuildRequires version to 1.3.3.9
DNSSEC: fix traceback during shutdown phase
Server Upgrade: disconnect ldap2 connection before DS restart
DNS: add UnknownRecord to schema
ipa-ca-install fix: reconnect ldap2 after DS restart
Server Upgrade: create default config for NIS Server plugin
Fix indices ntUserDomainId, ntUniqueId
Sanitize CA replica install
DNS: Do not traceback if DNS is not installed
KRA Install: check replica file if contains req. certificates
Server Upgrade: use debug log level for upgrade instead of info
DNSSEC: allow to disable/replace DNSSEC key master
DNSSEC: update message
Allow to run subprocess with supplementary groups
FIX: Clear SSSD caches when uninstalling the client
Fix regression: ipa-dns-install will add CA records if required
Upgrade: Do not show upgrade failed message when IPA is not installed
Fix logging in API
Martin Košek (11)
Fix ImportError in ipa-ca-install
Bump SSSD Requires to 1.12.3
Fix IPA_BACKUP_DIR path name
Allow PassSync user to locate and update NT users
Allow Replication Administrators manipulate Winsync Agreements
Replication Administrators cannot remove replication agreements
Add anonymous read ACI for DUA profile
Print PublicError traceback when in debug mode
group-detach does not add correct objectclasses
Remove references to GPL v2.0 license
Fix typo in ipa-server-upgrade man page
Milan Kubik (1)
ipatests: port of p11helper test from github
Milan Kubík (2)
Abstract the HostTracker class from host plugin test
Fix for a typo in certprofile mod command.
Nathan Kinder (2)
Timeout when performing time sync during client install
Skip time sync during client install when using --no-ntp
Nathaniel McCallum (15)
Ensure that a password exists after OTP validation
Improve otptoken help messages
Ensure users exist when assigning tokens to them
Enable QR code display by default in otptoken-add
Catch USBError during YubiKey location
Preliminary refactoring of libotp files
Move authentication configuration cache into libotp
Enable last token deletion when password auth type is configured
Make token auth and sync windows configurable
Create an OTP help topic
Prefer TCP connections to UDP in krb5 clients
Expose the disabled User Auth Type
Update python-yubico dependency version
Fix a signedness bug in OTP code
Fix OTP token URI generation
Petr Viktorin (35)
ipa-restore: Don’t crash if AD trust is not installed
ipaplatform: Use the dirsrv service, not target
Do not restore SELinux settings that were not backed up
Add additional backup & restore checks
tests: Use PEP8-compliant setup/teardown method names
tests: Add configuration for pytest
ipatests.util.ClassChecker: Raise AttributeError in get_subcls
test_automount_plugin: Fix test ordering
Use setup_class/teardown_class in Declarative tests
dogtag plugin: Don’t use doctest syntax for non-doctest examples
test_webui: Don’t use __init__ for test classes
test_ipapython: Use functions instead of classes in test generators
Configure pytest to run doctests
Declarative tests: Move cleanup to setup_class/teardown_class
Declarative tests: Switch to pytest
Integration tests: Port the ordering plugin to pytest
Switch make-test to pytest
Add local pytest plugin for --with-xunit and --logging-level
Switch ipa-run-tests to pytest
Switch integration testing config to a fixture
Integration tests: Port the BeakerLib plugin and log collection to pytest
test_integration: Adjust tests for pytest
copy_schema_to_ca: Fallback to old import location for ipaplatform.services
Ignore ipap11helper/setup.py in doctests
test_integration: Use python-pytest-multihost
test_integration: Use collect_log from the host, not the testing class
test_integration: Parametrize test instead of using a generator
ipatests: Use pytest-beakerlib
ipatests: Use pytest-sourceorder
Run pylint on tests
test_host_plugin: Convert tests to imperative style
test_host_plugin: Split tests into independent classes
test_host_plugin: Use HostTracker fixtures
rename_managed: Remove use of EditableDN
Remove Editable DN and DN component classes
Petr Voborník (113)
build: increase java stack size for all arches
ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
unittests: baserid for ipa-ad-trust-posix idranges
ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
idrange: include raw range type in output
webui: prohibit setting rid base with ipa-trust-ad-posix type
webui: fix potential XSS vulnerabilities
restore: clear httpd ccache after restore
webui: use domain name instead of domain SID in idrange adder dialog
webui: normalize idview tab labels
webui: add radius fields to user page
fix indentation in ipa-restore page
add --hosts and --hostgroup options to allow/retrieve keytab methods
webui: fix service unprovisioning
webui: increase duration of notification messages
revert removal of cn attribute from idnsRecord
migrate-ds: fix compat plugin check
rpcclient: use json_encode_binary for verbose output
Fix TOTP Synchronization Window label
ipatests: add missing ssh object classes to idoverrideuser
webui: service: add ipakrbrequirespreauth checkbox
webui: unable to select single value in CB by enter key
webui: use no_members option in entity select search
performance: faster DN implementation
speed up convert_attribute_members
speed up indirect member processing
webui: add pwpolicy link to group details page if group has associated pwpolicy
webui-ci: do not open 2 browser windows
Update BUILD.txt
allow to call ldap2.destroy_connection multiple times
use Connectible.disconnect() instead of .destroy_connection()
jQuery.ordered_map: faster creation
jQuery.ordered_map: remove map attribute
migrate-ds: optimize adding users to default group
migrate-ds: skip default group option
migrate-ds: remove unused def_group_gid context property
migrate-ds: optimize gid checks by utilizing dictionary nature of set
migrate-ds: log migrated group members only on debug level
cli: differentiate Flag and Bool when autofill is set
webui-ci: fix type error in host_tasks initializations
webui: update patternfly to v1.1.4
webui: rename IPA.user_* to IPA.user.*
webui: declare search command options in search facet
webui: register construction spec based on existing spec
webui: entity facets in facet registry
webui: entity menu items navigate to main entity facet
webui: prefer entity fallback in menu item select
webui: navigation: do not remember selected children of menu item
webui: navigation: unique names on entity facet menu items
webui: metadata validator min and max value overrides
webui: custom facet groups in a facet
webui: facet groups widget
webui: allow to replace facet tabs with sidebar
webui: allow to hide facet tabs or sidebar
webui: facet policies for all facets
webui: stageuser plugin
webui: extend user deleter dialog with --permanent and --preserve options
webui: update stageuser/user pages based on action in different user search page
webui: stageusers, display page elements based on user state
webui: prefer search facet’s deleter dialog
webui: fix empty table border in Firefox
webui: option to not create user private group
webui: add bootstrap-datepicker files
webui: datetime widget with datepicker
git ignore ipaplatform/__init__.py
server-find and server-show commands
topology: ipa management commands
webui: IPA.command_dialog - a new dialog base class
webui: use command_dialog as a base class for password dialog
webui: make usage of --all in details facet optional
webui: topology plugin
webui: configurable refresh command
webui: don’t log in back after logout
topology: allow only one node to be specified in topologysegment-refresh
topology: hide topologysuffix-add del mod commands
move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX
add entries required by topology plugin on update
webui: make topology suffices UI readonly
rename topologysegment_refresh to topologysegment_reinitialize
disallow mod of topology segment nodes
topology: restrict direction changes
topology: fix swapped topologysegment-reinitialize behavior
regenerate ACI.txt after stage user permission rename
ipa-replica-manage: Do not allow topology altering commands from DL 1
server: add “del” command
ipa-replica-manage: adjust del to work with managed topology
webui: adjust user deleter dialog to new api
Become IPA 4.2.0 Alpha 1
fix handling of ldap.LDAPError in installer
add python-setuptools to requires
fix force-sync, re-initialize of replica and a check for replication agreement existence
topology: check topology in ipa-replica-manage del
Verify replication topology for a suffix
replication: fix regression in get_agreement_type
ipa-replica-manage del: relax segment deletion check if topology is disconnected
ipa-replica-manage del: add timeout to segment removal check
topologysegment: hide direction and enable options
topology: make cn of new segment consistent with topology plugin
include more information in metadata
webui: ListViewWidget
webui: fix webui specific metadata
webui: menu and navigation fixes
webui: API browser
webui: add managedby tab to otptoken
webui: certificate profiles
webui: caacl
webui: hide facet tab in certificate details facet
move session_logout command to ipalib/plugins directory
webui: cert-request improvements
webui: show multiple cert
webui: remove cert manipulation actions from host and service
fix error message when certificate CN is invalid
Become IPA 4.2.0
Petr Špaček (28)#
Fix zone name to directory name conversion in BINDMgr.
Fix minimal version of BIND for Fedora 20 and 21
Fix default value type for wait_for_dns option
p11helper: standardize indentation and other visual aspects of the code
p11helper: use sizeof() instead of magic constants
p11helper: clarify error message
Clarify messages related to adding DNS forwarders
Grammar fix in ‘Estimated time’ messages printed by installer
Clarify host name output in ipa-client-install
Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.
Bump run-time requires to SoftHSM 2.0.0rc1.
Improve error messages about reverse address resolution in ipa-replica-prepare
Clarify recommendation about --ip-address option in ipa-replica-prepare
Clarify error messages in ipa-replica-prepare: add_dns_records()
Hide traceback in ipa-dnskeysyncd if kinit failed.
Bump minimal BIND version for CentOS.
Rate-limit while loop in SystemdService.is_active().
Add hint how to re-run IPA upgrade.
DNSSEC: Detect invalid master keys in LDAP.
DNSSEC: Accept ipa-ods-exporter commands from command line.
DNSSEC: ipa-ods-exporter: move zone synchronization into separate function
DNSSEC: log ipa-ods-exporter file lock operations into debug log
DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.
DNSSEC: Improve ipa-ods-exporter log messages with key metadata.
DNSSEC: Store time & date key metadata in UTC.
DNSSEC: ipa-dns-install: Detect existing master server sooner.
DNSSEC: Detect attempt to install & disable master at the same time.
Rob Crittenden (5)#
Search using proper scope when connecting CA instances
Use NSS protocol range API to set available TLS protocols
Add plugin to manage service constraint delegations
Add ACI to allow hosts to add their own services
Don’t rely on positional arguments for python-kerberos calls
Simo Sorce (14)#
Add UTC date to GIT snapshot version generation
Fix filtering of enctypes in server code.
Add asn1c generated code for keytab controls
Use asn1c helpers to encode/decode the getkeytab control
Stop saving the master key in a stash file
Avoid calling ldap functions without a context
Remove the removal of the ccache
Handle DAL ABI change in MIT 1.13
Add a clear OpenSSL exception.
Stop including the DES algorithm from openssl.
Detect default encsalts kadmin password change
Add compatibility function for older libkrb5
Fix s4u2proxy README and add warning
Replicas cannot define their own master password.
Sumit Bose (16)#
ipa-range-check: do not treat missing objects as error
Add configure check for cwrap libraries
extdom: handle ERANGE return code for getXXYYY_r() calls
extdom: make nss buffer configurable
extdom: return LDAP_NO_SUCH_OBJECT to the client
extdom: fix memory leak
extdom: add err_msg member to request context
extdom: add add_err_msg() with test
extdom: add selected error messages
extdom: migrate check-based test to cmocka
extdom: fix wrong realloc size
extdom: add unit-test for get_user_grouplist()
ipa-kdb: convert test to cmocka
ipa-kdb: add unit-test for filter_logon_info()
ipa-kdb: make string_to_sid() and dom_sid_string() more robust
ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()
Thierry Bordaz (19)#
User Life Cycle: create containers and scoping DS plugins
User Life Cycle: DNA scopes full SUFFIX
Deadlock in schema compat plugin (between automember_update_membership task and dse update)
User Life Cycle: Exclude subtree for ipaUniqueID generation
User life cycle: stageuser-add verb
User life cycle: allows MODRDN from ldap2
User life cycle: new stageuser commands del/mod/find/show
User life cycle: new stageuser commands activate
User life cycle: new stageuser commands activate (provisioning)
User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
User life cycle: user-find support finding deleted users
User life cycle: support of user-undel
User life cycle: DNA DS plugin should exclude provisioning DIT
User life cycle: Stage user Administrators permission/privilege
User life cycle: Add ‘Stage User Provisioning’ permission/privilege
Stage User: Fix permissions naming and split them where appropriate.
Display the wrong attribute name when mandatory attribute is missing
Limit deadlocks between DS plugin DNA and slapi-nis
User life cycle: permission to delete a preserved user
Thorsten Scherf (4)#
pwpolicy-add: Added better error handling
Add help string on how to configure multiple DNS forwards for various cli tools
Removed recommendation from ipa-adtrust-install
Changed in-tree development setup instructions
Tomáš Babej (52)#
Bump 4.2 development version to 4.1.99
specfile: Add BuildRequires for pki-base 10.2.1-0
Re-initialize NSS database after otptoken plugin tests
certs: Fix incorrect flag handling in load_cacert
hosts: Display assigned ID view by default in host-find and show commands
ipatests: Increase required version for pytest-multihost plugin
idviews: Complain if host is already assigned the ID View in idview-apply
idviews: Ignore host or hostgroup options set to None
ipatests: Invoke class install methods properly with respect to pytest-multihost
ipatests: Set the correct number of required clients for IntegrationTest
ipatests: Refactor and fix docstrings in integration pytest plugin
baseldap: Handle missing parent objects properly in *-find commands
spec: Add BuildRequires for python-pytest plugins
ipatests: Make descriptions sorted according to the order of the tests
ipatests: Add coverage for referential integrity plugin applied on ipaAssignedIDView
ipatests: Fix old command references in the ID views tests
ipatests: Fix incorrect assumptions in idviews tests
ipapython: Fix incorrect python shebangs
ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
ipalib: Make sure correct attribute name is referenced for fax
idviews: Use case-insensitive detection of Default Trust View
Revert “Server Upgrade: respect --test option in plugins”
replica-manage: Properly delete nested entries
Add Domain Level feature
idviews: Set dcerpc detection flag properly
idviews: Allow users specify the raw anchor directly as identifier
idviews: Remove ID overrides for permanently removed users and groups
ipaplatform: Remove redundant definitions
winsync-migrate: Add initial plumbing
winsync-migrate: Add a way to find all winsync users
migrate-winsync: Create user ID overrides in place of winsynced user entries
migrate-winsync: Add option validation and handling
winsync-migrate: Move the api initialization and LDAP connection to the main method
dcerpc: Change logging level for debug information
dcerpc: Add debugging message to failing kinit as http
winsync-migrate: Require root privileges
idviews: Do not abort the find & show commands on conversion errors
winsync-migrate: Require explicit specification of the target server and validate existing agreement
winsync-migrate: Delete winsync agreement prior to migration
winsync-migrate: Rename the tool to achieve consistency with other tools
winsync-migrate: Move the tool under ipaserver.install package
winsync-migrate: Include the tool parts in Makefile and friends
idviews: Fallback to AD DC LDAP only if specifically allowed
man: Add manpage for ipa-winsync-migrate
winsync_migrate: Migrate memberships of the winsynced users
winsync_migrate: Generalize membership migration
l10n: Add configuration file for Zanata
l10n: Update translation strings
Hide topology and domainlevel features
dcerpc: Raise ACIError correctly
adtrustinstance: Enable and start oddjobd
upgrade: Enable and start oddjobd if adtrust is available