The FreeIPA team would like to announce FreeIPA 4.5.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25 and Fedora 26 will be available soon in the official COPR repository.

Highlights in 4.5.0

Enhancements

AD User Short Names

Support for AD user short names has been added. Short names can be enabled from the CLI by setting ipa config-mod --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test" or from the WebUI under the Configuration tab. No manual configuration on the SSSD side is required.

Please note that this feature is not supported by SSSD yet; the work is tracked in <https://pagure.io/SSSD/sssd/issue/3210>.

FIPS 140-2 Support

The FreeIPA server and client can be installed on FIPS-enabled systems. MD5 fingerprints have been replaced with SHA256. The variable fips_mode has been added to env; it indicates whether FIPS is turned on on the server.

Please note that FIPS 140-2 support may not work on some platforms, because all dependencies of FreeIPA must support FIPS 140-2, which we cannot guarantee. (It should work with RHEL 7.4+.) The FreeIPA code itself is FIPS 140-2 compatible.

Certificate Identity Mapping

Support for multiple certificates on smart cards has been added. The user can choose which certificate is used to authenticate, so multiple certificates can be defined per user. The same certificate can be used by different accounts, and the mapping between a certificate and an account can be done through a binary match of the whole certificate or a match on custom certificate attributes (such as Subject + Issuer).

Improvements for Containerization

AD trust and KRA can be installed in one step in containers, without the need to call ipa-adtrust-install and ipa-kra-install afterwards. The option --setup-adtrust has been added to ipa-server-install and ipa-replica-install, and the option --setup-kra has been added to ipa-server-install.

Semi-automatic Integration with External DNS

The option “--out” has been added to the command “ipa dns-update-system-records”. This option stores the IPA system DNS records in nsupdate format in the specified file, which can then be used with the nsupdate command to update records on an external DNS server. For more details see this howto: <https://www.freeipa.org/page/Howto/Updating_FreeIPA_system_DNS_records_on_a_remote_DNS_server>

Known Issues

Bug fixes

Contains all bug fixes and enhancements of the 4.4.1, 4.4.2 and 4.4.3 releases.

Installers Refactoring

The installer code base has been migrated into modules and much code duplication has been removed.

“Normal” group has been renamed to “Non-POSIX” in WebUI

In the web UI, the group type label “Normal” has been changed to “Non-POSIX” to be compatible with CLI options. The semantics of group types is unchanged.

Build System Refactoring

Several improvements have been made to the FreeIPA build system. If you are a package maintainer, please read the following design document.

LDAP Connection Management Refactoring

LDAP connection management has been standardized across FreeIPA, which should prevent LDAP connection issues during installation and upgrades in the future.

Do not fail when IPA server has shortname first in /etc/hosts

The Kerberos client library is now instructed not to attempt to canonicalize hostnames when issuing TGS requests. This improves security by avoiding DNS lookups during canonicalization and also improves the robustness of service principal lookups in more complex DNS environments (clouds, containerized applications). Due to this change in behavior, care must be taken to specify the correct FQDN in host/service principals, as no attempt will be made to resolve e.g. short names.

Replica Connection Check Improvements

The improved connection check reduces the possibility of failure in later installation steps. Ports on both IPv4 and IPv6 addresses are now checked (if available).

Replace NSS with OpenSSL

This should reduce the number of issues related to HTTPS connections. This change was also needed to support FIPS.

Fully customisable CA name

The CA subject name is now fully customisable, and is no longer required to be related to the certificate subject base. The ipa-server-install and ipa-ca-install commands learned the --ca-subject and --subject-base options for configuring these values.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Resolved tickets

  • #6764 debian: python modules should be installed under dist-packages

  • #6759 replica prepare broken on KDC cert export

  • #6755 [certs.py] - “ipa-replica-prepare” command fails when trying to unlink non-existing “tmpcert.der” file in /var/lib/ipa/

  • #6750 Web page ipa/config/ssbrowser.html refers to missing ipa/config/ca.crt file

  • #6739 Cannot login to replica’s WebUI

  • #6735 The ipa-managed-entries command failed, exception: AttributeError: ldap2

  • #6734 vaultconfig-show throws internal error

  • #6731 ipa-server-install: allow to in install KRA in one step

  • #6730 Harden client HTTPS connections

  • #6724 [test_csrgen.py] - comparison test scripts not reflected changes in “openssl_base.tmpl”

  • #6723 ipa systemd unit should define Wants=network instead of Requires=network

  • #6718 SessionMaxAge in /etc/httpd/conf.d/ipa.conf introduces regression

  • #6717 WebUI: change structure of Identity submenu

  • #6714 ipaclient.csrgen depends on ipaplatform

  • #6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)

  • #6712 WebUI: Arbitrary certificates on {user|host|service} details pages are not displayed in WebUI

  • #6707 Removal of IPAConfig broke Ipsilon’s FreeIPA integration

  • #6701 Add SHA256 fingerprints

  • #6698 User with ticket gets GSS failure when calling freeipa CLI command

  • #6694 ipa-client-install command failed, TypeError: list found

  • #6690 Plugin schema cache is slow

  • #6686 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) after adding externally signed CA cert

  • #6685 logout does not work properly

  • #6682 session logout should not remove ccache

  • #6680 kra-agent.pem file is not auto-renewed by certmonger

  • #6676 unable to parse cookie header

  • #6675 KRA_AGENT_PEM file is missing

  • #6674 ipactl: noise error from pki-tomcatd start

  • #6673 httpd unit files deletes root ccache

  • #6670 PKINIT upgrade process is incomplete

  • #6661 Move ipa session data from keyring to ccaches

  • #6659 ipa-backup does not include /root/kracert.p12

  • #6650 [vault] Replace nss crypto with cryptography

  • #6648 Make ipa-cacert-manage man page more clear

  • #6647 batch param compatibility is incorrect

  • #6646 IdM Server: list all Employees with matching Smart Card

  • #6643 [RFE] Add ipa-whoami command

  • #6640 DS certificate request during replica install fails due to bytes/string mismatch

  • #6639 Rewrite the code handling discovery and adding of AD trust agents in AD trust installer

  • #6638 AD trust installer should be able to configure samba instance also without admin credentials

  • #6637 Build fails on Fedora 26

  • #6636 UnboundLocalError during ipa-client-install

  • #6634 --ignore-last-of-role is not in man page

  • #6633 IPA replica install log shows password in plain text

  • #6631 Use Python warnings for development

  • #6630 Merge AD trust installer to server/replica install

  • #6629 Migrate AD trust installer on the new-style installer framework

  • #6625 WSGI fails with internal server error when mode != production (locked attribute)

  • #6623 Stageuser is missing -{add,remove}-{cert,principal} commands

  • #6620 Remove ipa-upgradeconfig command

  • #6619 krb5 1.15 broke DAL principal free

  • #6608 IPA server installation should check if IPv6 stack is enabled

  • #6607 Deprecate SSLv2 from API config

  • #6606 Full backup and restore prevents KRA from installing

  • #6601 [RFE] WebUI: Certificate Identity Mapping

  • #6600 Legacy client tests doesn’t have tree domain role.

  • #6598 [webui] Show “CA replica warning” only if there one or more replicas but only 1 CA

  • #6597 ipapython.version.DEFAULT_PLUGINS is not configured

  • #6596 Update ETAs in installers

  • #6588 replication race condition prevents IPA to install

  • #6586 Minor string fixes in dsinstance.py

  • #6585 [RFE] nsupdate output format in dns-update-system-records command

  • #6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts

  • #6578 IPA CLI will eventually stop working when invoked in parallel

  • #6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6

  • #6574 description of --domain and --realm is confusing

  • #6573 CA-less replica installation fails due to attempted cert issuance

  • #6570 Duplicate PKINIT certificates being tracked after restoring IPA backup on re-installed master

  • #6565 FreeIPA server install fails (and existing servers probably fail to start) due to changes in ‘dyndb’ feature on merge to upstream BIND

  • #6564 IPA WebUI certificates are grayed out on overview page but not on details page

  • #6559 [py3] switch to PY3 causes warnings from IPA schema cache

  • #6558 [Py3] http session cookie doesn’t work under Py3

  • #6551 Upgrade Samba configuration to not include keytab prefix

  • #6550 Refactor PKCS #7 parsing to use pyasn1_modules

  • #6548 [RFE] Mention ipa-backup in warning message before uninstalling IPA server

  • #6547 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain

  • #6546 Delete option shouldn’t be available for hosts applied to view.

  • #6542 [RFE] Certificate Identity Mapping

  • #6541 ipa-replica-install fails to import DS cert from replica file

  • #6540 Migration from ipa-3.0 fails due to crashing copy-schema-to-ca.py

  • #6539 ipa vault operations are not possible with an older server

  • #6538 KRA: add checks to prevent removing the last instance of KRA in topology

  • #6534 topology should not include A<->B segment “both” and B->A “left right” at the same time.

  • #6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance

  • #6526 remove “request certificate with subjectaltname” permission

  • #6522 ipa-replica-conncheck should check for open ports on all IPs resolved from hostname

  • #6518 Can not install IPA server when hostname is not DNS resolvable

  • #6514 replica install: request_service_cert doesn’t raise error when certificate issuance failed

  • #6513 `ipa plugins` command crashes with internal error

  • #6512 Improve the robustness FreeIPA’s i18n module and its tests

  • #6510 Wrong error message during failed domainlevel 0 installations without a replica file

  • #6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin

  • #6505 Make ipapython.kerberos.Principal.__repr__ show the actual principal name

  • #6504 Create a test for uniqueness of CA renewal master

  • #6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11

  • #6500 ipa-server-upgrade fails with AttributeError

  • #6498 Build system must regenerate file when template changes.

  • #6497 Misleading error message in replica_conn_check()

  • #6496 remove references to ds_newinst.pl

  • #6495 DNSSEC: ipa-ods-expoter.socket creates incorrect socket and breaks DNSSEC signing

  • #6492 Register entry points of Custodia plugins

  • #6490 Add local-env subcommand to ipa script

  • #6489 Provide legacy client test coverage with tree root domain

  • #6487 ipa-replica-conncheck fails randomly (race condition)

  • #6486 Add NTP server list to ipaplatform

  • #6481 Create a test for instantiating rules with service principals

  • #6480 Update man page for ipa-adtrust-install by removing --no-msdcs option

  • #6474 Remove ipaplatform dependency from ipa modules

  • #6472 cert-request no longer accepts CSR with extraneous data surrounding PEM data

  • #6469 Use xml.etree instead of lxml in odsmgr.py

  • #6466 [abrt] krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV

  • #6461 LDAP Connection Management refactoring

  • #6460 NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

  • #6457 ipa dnsrecord-add fails with Keyerror stack trace

  • #6455 Add example of RDN order for ipa-server-install --subject

  • #6451 Automate managed replication topology 4.4 features

  • #6448 Tests: Stageuser tracker creation of user with minimal values, with uid not specified

  • #6446 Create test for kerberos over http

  • #6445 Traceback seen in error_log when trustdomain-del is run

  • #6439 Members of nested netgroups configured in IdM cannot be seen by getent on clients

  • #6435 Fix zanata.xml config to skip testing ipa.pot file

  • #6434 Installers: perform host enrollment also in domain level 0 replica install

  • #6433 Refactor installer code requesting certificates

  • #6420 Pretty print option of pytest makes tracker fail when used in ipa console

  • #6419 cert-show default output does not show validity

  • #6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master

  • #6415 replica-install creates spurious entries in cn=certificates

  • #6412 Create tests for certs in idoverrides feature

  • #6410 Tests: Verify that cert commands show CA without --all

  • #6409 [RFE] extend ipa-getkeytab to support other LDAP bind methods

  • #6406 Use common mechanism for setting up initial replication in both domain levels

  • #6405 unify domain level-specific mechanisms for replica’s DS/HTTP keytab generation

  • #6402 IPA Allows Password Reuse with History value defined when admin resets the password.

  • #6401 Revert expected returncode in replica_promotion test

  • #6400 Add file_exists method as a member of transport object

  • #6399 Object-Signing cert is unused; don’t create it

  • #6398 Refactor certificate inspection code to use python-cryptography

  • #6397 WebUI: Services are not displayed correctly after upgrade

  • #6396 Cleanup AD trust information after tests

  • #6394 WebUI: Update Patternfly and Bootstrap to newer versions

  • #6393 Make httpd publish CA certificate on Domain Level 1

  • #6392 Installers refactoring tracker

  • #6388 WebUI: Adder dialog cannot be reopened in case that it is closed using ESC and dropdown field was focused

  • #6386 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR

  • #6384 Web UI: Lowercase “b” in the “API browser” subtab label

  • #6381 ipa-cacert-manage man page should mention to run ipa-certupdate

  • #6375 ipa-replica-install fails when replica file created after ipa-ca-install on domain level 0

  • #6372 [RFE] allow managing prioritized list of trusted domains for unqualified ID resolution

  • #6369 [tracker] raise 389 requires when “Total init may fail if the pushed schema is rejected” is part of update

  • #6365 Custodia compatibility: add iSecStore.span method

  • #6359 test_0003_find_OCSP will never fail

  • #6358 ipa migrate-ds fails when it finds a referral

  • #6357 ipa-server-install script option --no_hbac_allow should match other options

  • #6354 regression: certmap.conf file is not backedup during ipa-server-upgrade

  • #6352 replica promotion with OTP: add additional info to “Insufficient privileges” error message

  • #6347 Tests: provide trust test coverage for tree root domains

  • #6344 [RFE] support URI resource records

  • #6343 [RFE] Allow login to WebUI using Kerberos aliases/enterprise principals

  • #6340 IPA client ipv6 - invalid --ip-address shows traceback

  • #6335 Set priority as required field in password policy

  • #6334 “Normal” group type in the UI is confusing

  • #6331 Reason is lost when CheckedIPAddress returns ValueError in ipa-client-install

  • #6308 [webui] Does not handle uppercase authentication indicators.

  • #6305 host/service-mod with --certificate= (remove all certs) does not revoke certs

  • #6295 cert-request is not aware of Kerberos principal aliases

  • #6269 cert-find --all does not show information about revocation

  • #6263 ipa-server-certinstall does not update all certificate stores and doesn’t set proper trust permissions

  • #6226 ipa-replica-install in CA-less environment does not configure DS TLS - ipa-ca-install then fails on replica

  • #6225 [RFE] Web UI: allow Smart Card authentication - finalization

  • #6202 ipa-client-install - document that --server option expects FQDN

  • #6178 Add options to retrieve lightweight CA certificate/chain

  • #6169 ipa dnsforwardzone-add w/o arguments fails

  • #6144 RPC code should be agnostic to display layer

  • #6132 Broken setup if 3rd party CA certificate conflicts with system-wide CA certificate

  • #6128 Tests: Base tracker contains leftover attributes from host tracker

  • #6126 Tests: User tracker does not enable creation of user with minimal values

  • #6125 Tests: unaccessible variable self.attrs for entries that are not created via standard create method in Tracker

  • #6124 Tests: remove --force option from tracker base class

  • #6123 Tests: Tracker enables silent deleting and creating entries

  • #6114 Traceback message seen when ipa is provided with invalid configuration file name

  • #6088 test_installation.py tests involving KRA installation on replicas fail in domain level 0

  • #6005 Create an automated test for Certs in idoverrides feature

  • #5949 ipa-server-install: improve prompt on interactive installation

  • #5935 [py3] DNSName.ToASCII broken with python3

  • #5742 [RFE] [webui] Configurable page size / User config page

  • #5695 [RFE] FreeIPA on FIPS enabled systems

  • #5640 Framework does not respect sizelimit passed via webUI in some searches

  • #5348 [tracker] dig + dnssec does not display signature of freshly created root zone

  • #4821 UI drops “Unknown Error” when the ipa record in /etc/hosts changes

  • #4189 [RFE] Use GSS-Proxy for the HTTP service

  • #3461 [RFE] Extend freeipa’s sudo to support selinux transition roles

  • #157 Python 3.2a1 in rawhide

Detailed changelog since 4.4.4

Jan Barta (8)

  • pylint: fix bad-mcs-method-argument commit

  • pylint: fix bad-mcs-classmethod-argument commit

  • pylint: fix bad-classmethod-argument commit

  • pylint: fix old-style-class commit

  • pylint: fix redefine-in-handler commit

  • pylint: fix pointless-statement commit

  • pylint: fix unneeded-not commit

  • pylint: fix simplifiable-if-statement warnings commit

Alexander Bokovoy (7)

  • ipaserver/dcerpc.py: use arcfour_encrypt from samba commit #6697

  • add whoami command commit #6643

  • pkinit: make sure to have proper dictionary for Kerberos instance on upgrade commit #6670

  • ipa-kdb: support KDB DAL version 6.1 commit #6619

  • ipa-kdb: search for password policies globally commit #6561

  • adtrust: remove FILE: prefix from ‘dedicated keytab file’ in smb.conf commit #6551

  • trustdomain-del: fix the way how subdomain is searched commit #6445

Abhijeet Kasurde (11)

  • Minor typo fix in DNS install plugin commit

  • Update warning message for replica install commit #6352

  • Add fix for ipa plugins command commit #6513

  • Update man page of ipa-server-install commit #6634

  • Remove deprecated ipa-upgradeconfig command commit #6620

  • Update warning message for ipa server uninstall commit #6548

  • Fix for handling CalledProcessError in authconfig commit #5244

  • Enumerate available options in IPA installer commit #5435

  • Provide user hint about IP address in IPA install commit #5949

  • Add fix for no-hbac-allow option in server install commit #6357

  • Added a fix for setting Priority as required field in Password Policy Details facet commit #6335

Ben Lipton (8)

  • csrgen: Support encrypted private keys commit #4899

  • csrgen: Allow overriding the CSR generation profile commit #4899

  • csrgen: Automate full cert request flow commit #4899

  • tests: Add tests for CSR autogeneration commit #4899

  • csrgen: Use data_sources option to define which fields are rendered commit #4899

  • csrgen: Add a CSR generation profile for user certificates commit #4899

  • csrgen: Add CSR generation profile for caIPAserviceCert commit #4899

  • csrgen: Add code to generate scripts that generate CSRs commit #4899

Christian Heimes (88)

  • Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb commit #6764

  • Make pylint and jsl optional commit #6604

  • Ignore ipapython/.DEFAULT_PLUGINS commit #6597

  • Run test_ipaclient test suite commit

  • Chain CSR generator file loaders commit

  • Move csrgen templates into ipaclient package commit #6714

  • Use https to get security domain from Dogtag commit

  • Cleanup certdb commit

  • Default to pkginstall=true without duplicated definitions commit

  • pylint: ignore pypi placeholders commit

  • Python build: use --build-base everywhere commit

  • Add with_wheels global to install wheel and PyPI packaging dependencies commit

  • Add placeholders for ipaplatform, ipaserver and ipatests commit

  • Add python-wheel as build requirement commit

  • Packaging: Add placeholder packages commit

  • Vault: port key wrapping to python-cryptography commit #6650

  • Remove NSPRError exception from platform tasks commit #5695

  • Remove import nss from test_ldap commit

  • certdb: Don’t restore_context() of new NSSDB commit

  • Finish port to PyCA cryptography commit

  • Drop in-memory copy of schema zip file commit

  • Speed up client schema cache commit #6690

  • C compilation fixes and hardening commit

  • lite-server: validate LDAP connection and cache schema commit #6679

  • Add --without-ipatests option commit

  • Add missing include of stdint.h for uint8_t commit

  • Client-only builds with --disable-server commit #6517

  • New lite-server implementation commit

  • Explain more performance tricks in doc string commit

  • Fix test, nested lists are no longer converted to nested tuples commit

  • Pretty print JSON in debug mode (debug level >= 2) commit

  • Convert list to tuples commit

  • Faster JSON encoder/decoder commit #6655

  • Backup /root/kracert.p12 commit #6659

  • Ditch version_info and use version number from ipapython.version commit

  • test_StrEnum: use int as bad type commit

  • Stable _is_null check commit

  • cryptography has deprecated serial in favor of serial_number commit

  • Enable additional warnings (BytesWarning, DeprecationWarning) commit #6631

  • Print test env information commit

  • Clean / ignore make check artefact commit

  • ipapython: Add dependencies on version.py commit

  • pytest: set rules to find test files and functions commit

  • Fix used before assignment bug in host_port_open() commit

  • Use pytest conftest.py and drop pytest.ini commit

  • Catch ValueError raised by pytest.config.getoption() commit

  • Silence pylint import errors of ipaserver in ipalib and ipaclient commit #6468

  • Relax check for .git to support freeipa in submodules commit

  • Ignore backup~ files like config.h.in~ commit

  • Fetch correct exception in IPA_CONFDIR test commit

  • Use env var IPA_CONFDIR to get confdir commit

  • Set explicit confdir option for global contexts commit #6389

  • Remove import of ipaplatform.paths from test_ipalib commit #6474

  • Remove BIN_FALSE and BIN_TRUE commit #6474

  • Add pylint guard to import of ipaplatform in ipapython.certdb commit #6474

  • Require python-gssapi >= 1.2.0, take 2 commit #6468

  • Backwards compatibility with setuptools 0.9.8 commit #6468

  • Require python-cryptography >= 1.3.1 commit #6468

  • Wheel bundles fixes commit #6474

  • Require python-gssapi >= 1.2.0 commit #6468

  • Adjustments for setup requirements commit #6468

  • wrap long line commit

  • Silence import warnings for Samba bindings commit #4985

  • Fix Python 3 bugs discovered by pylint commit #4985

  • Python3 pylint fixes commit #4985

  • Add main guards to a couple of Python scripts commit

  • Break ipaplatform / ipalib import cycle of hell commit

  • Replace LooseVersion commit #6468

  • Don’t ship install subpackages with wheels commit #6468

  • Minor fixes for IPAVersion class commit #6473

  • Pylint: whitelist packages with extension modules commit #6468

  • Add ‘ipa localenv’ subcommand commit #6490

  • ipapython and ipatest no longer require lxml commit

  • Register entry points of Custodia plugins commit #6492

  • Use xml.etree in ipa-client-automount script commit

  • Port ipapython.dnssec.odsmgr to xml.etree commit #6469

  • Add install requirements to Python packages commit #6468

  • Make api.env.nss_dir relative to api.env.confdir commit #6386

  • Don’t modify redhat_system_units commit

  • Use correct classifiers to make setup.py files PyPI compatible commit

  • Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR commit #6386

  • Add __name__ == __main__ guards to setup.pys commit

  • Remove ipapython/ipa.conf commit

  • Port all setup.py to setuptools commit

  • Replace ipaplatform’s symlinks with a meta importer commit

  • Move ipa.1 man file commit

  • Add iSecStore.span commit #6365

  • Use RSA-OAEP instead of RSA PKCS#1 v1.5 commit #6278

David Kupka (20)

  • rpcserver: x509_login: Handle unsuccessful certificate login gracefully commit #6225

  • Bump required version of gssproxy to 0.7.0 commit #6671, #6698

  • tests: Add tests for kerberos principal aliases in stageuser commit #6623

  • tests: kerberos_principal_aliases: Deduplicate tests commit #6623

  • tests: Stageuser-{add,remove}-cert commit #6623

  • tests: add-remove-cert: Use hardcoded certificates instead of requesting them commit #6623

  • ipalib.x509: Handle missing SAN gracefully commit

  • stageuser: Add stageuser-{add,remove}-principal commit #6623

  • stageuser: Add stageuser-{add,remove}-cert commit #6623

  • build: Add missing dependency on libxmlrpc{,_util} commit #6637

  • ipaclient: schema cache: Handle malformed server info data gracefully commit #6578

  • schema_cache: Make handling of string compatible with python3 commit #6559

  • installer: Stop adding distro-specific NTP servers into ntp.conf commit #6486

  • tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all commit #6561

  • password policy: Add explicit default password policy for hosts and services commit #6561

  • ipaclient.plugins: Use api_version from internally called commands commit #6539

  • tests: Mark 389-ds acceptance tests commit

  • tests: Mark Dogtag acceptance tests commit

  • UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling commit #6385

  • schema cache: Store and check info for pre-schema servers commit #6095

Florence Blanc-Renaud (20)

  • Installation must publish CA cert in /usr/share/ipa/html/ca.crt commit #6750

  • IdM Server: list all Employees with matching Smart Card commit #6646

  • ipa systemd unit should define Wants=network instead of Requires=network commit #6723

  • Support for Certificate Identity Mapping commit #6542

  • Define template version in certmap.conf commit #6354

  • Fix ipa.service unit re. gssproxy commit #6705

  • Do not configure PKI ajp redirection to use “::1” commit #6575

  • ipa-kra-install must create directory if it does not exist commit #6606

  • ipa-restore must stop tracking PKINIT cert in the preparation phase commit #6570

  • Increase the timeout waiting for certificate issuance in installer commit #6433

  • Check the result of cert request in replica installer commit #6514

  • Fix ipa-replica-install when upgrade from ca-less to ca-full commit #6375

  • Fix ipa migrate-ds when it finds a search reference commit #6358

  • Fix renewal lock issues on installation commit #6433

  • Refactor installer code requesting certificates commit #6433

  • Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent commit

  • Fix ipa-cacert-manage man page commit #6381

  • Add cert checks in ipa-server-certinstall commit #6263

  • Fix regression introduced in ipa-certupdate commit #6288

  • Fix ipa-certupdate for CA-less installation commit #6288

Fraser Tweedale (52)

  • rabase.get_certificate: make serial number arg mandatory commit #3473, #5011

  • Extract method to map principal to principal type commit #5011

  • Remove redundant principal_type argument commit #5011

  • dogtag: remove redundant property definition commit #3473

  • ca: correctly authorise ca-del, ca-enable and ca-disable commit #6713

  • replica install: relax domain level check for promotion commit #5011

  • Fix reference before assignment commit #6636

  • private_ccache: yield ccache name commit #5011

  • Add sanity checks for use of --ca-subject and --subject-base commit #2614

  • Indicate that ca subject / subject base uses LDAP RDN order commit #6455

  • Allow full customisability of IPA CA subject DN commit #2614

  • Reuse self.api when executing ca_enabled_check commit #2614

  • dsinstance: extract function for writing certmap.conf commit #2614

  • ipa-ca-install: add missing –subject-base option commit #2614

  • Extract function for computing default subject base commit #2614

  • installer: rename --subject to --subject-base commit #2614

  • installutils: remove hardcoded subject DN assumption commit #2614

  • Refactor and relocate set_subject_base_in_config commit #2614

  • dsinstance: minor string fixes commit #6586

  • Set up DS TLS on replica in CA-less topology commit #6226

  • Remove “Request Certificate with SubjectAltName” permission commit #6526

  • Fix DL1 replica installation in CA-less topology commit #6573

  • certprofile-mod: correctly authorise config update commit #6560

  • Fix regression in test suite commit #6178

  • Add options to write lightweight CA cert or chain to file commit #6178

  • certdb: accumulate extracted certs as list of PEMs commit #6178

  • Add function for extracting PEM certs from PKCS #7 commit #6178

  • cert-request: match names against principal aliases commit #6295

  • Remove references to ds_newinst.pl commit #6496

  • cert-request: accept CSRs with extraneous data commit #6472

  • Ensure correct IPA CA nickname in DS and HTTP NSSDBs commit #6415

  • Remove __main__ code from ipalib.x509 and ipalib.pkcs10 commit #6398

  • x509: use python-cryptography to process certs commit #6398

  • x509: use pyasn1-modules X.509 specs commit #6398

  • x509: avoid use of nss.data_to_hex commit #6398

  • pkcs10: remove pyasn1 PKCS #10 spec commit #6398

  • pkcs10: use python-cryptography for CSR processing commit #6398

  • dn: support conversion from python-cryptography Name commit #6398

  • cert-show: show validity in default output commit #6419

  • Do not create Object Signing certificate commit #6399

  • Add commentary about CA deletion to plugin doc commit #6256

  • spec: require Dogtag >= 10.3.5-6 commit #6256

  • sudorule: add SELinux transition examples to plugin doc commit #3461

  • Fix cert revocation when removing all certs via host/service-mod commit #6305

  • cert-request: raise error when request fails commit #6309

  • Make host/service cert revocation aware of lightweight CAs commit #6221

  • cert-request: raise CertificateOperationError if CA disabled commit #6260

  • Use Dogtag REST API for certificate requests commit #3473, #6260

  • Add HTTPRequestError class commit #3473, #6260

  • Allow Dogtag RestClient to perform requests without logging in commit #3473, #6260

  • Add ca-disable and ca-enable commands commit #6257

  • Track lightweight CAs on replica installation commit #6019

Ganna Kaihorodova (7)#

  • Tests: Basic coverage with tree root domain commit #6489

  • User Tracker: Test to create user with minimal values commit #6126

  • User Tracker: creation of user with minimal values commit #6126

  • Stage User: Test to create stage user with minimal values commit #6448

  • Tests: Stage User Tracker implementation commit #6448

  • Tests: Add tree root domain role in legacy client tests commit #6600

  • Unaccessible variable self.attrs in Tracker commit #6125

Jan Cholasta (106)#

  • spec file: always provide python package aliases commit

  • spec file: support client-only build commit #6517

  • spec file: support build without ipatests commit #6517

  • slapi plugins: fix CFLAGS commit

  • spec file: add unconditional python-setuptools BuildRequires commit

  • httpinstance: disable system trust module in /etc/httpd/alias commit #6132

  • csrgen: hide cert-get-requestdata in CLI commit #4899

  • cert: include certificate chain in cert command output commit #6547

  • cert: add output file option to cert-request commit #6547

  • Travis CI: run tests in development mode commit #6625

  • backend plugins: fix crashes in development mode commit #6625

  • vault: cache the transport certificate on client commit #6652

  • rpc: fix crash in verbose mode commit #6734

  • install: re-introduce option groups commit #6392

  • install CLI: remove magic option groups commit #6392

  • client install: split off SSSD options into a separate class commit #6392

  • server install: remove duplicate knob definitions commit #6392

  • install: add missing space in realm_name description commit #6392

  • server install: remove duplicate -w option commit #6392

  • certmap: load certificate from file in certmap-match CLI commit #6646

  • pylint_plugins: add forbidden import checker commit

  • ipapython: fix DEFAULT_PLUGINS in version.py commit #6597

  • config: re-add `init_config` and `config` commit #6707

  • dns: fix `dnsrecord_add` interactive mode commit #6457

  • server install: do not attempt to issue PKINIT cert in CA-less commit #5678

  • compat: fix `Any` params in `batch` and `dnsrecord` commit #6647

  • scripts, tests: explicitly set confdir in the rest of server code commit #6389

  • server upgrade: uninstall ipa_memcached properly commit #5959

  • server upgrade: always upgrade KRA agent PEM file commit #6675

  • server upgrade: fix upgrade from pre-4.0 commit #5959

  • server upgrade: fix upgrade in CA-less commit #5959

  • client install: create /etc/ipa/nssdb with correct mode commit #5959

  • ipaldap: preserve order of values in LDAPEntry._sync() commit #4985

  • replica install: do not log host OTP commit #6633

  • tests: add test for PEM certificate files with leading text commit

  • ipa-ca-install: do not fail without --subject-base and --ca-subject commit #2614

  • cert: fix search limit handling in cert-find commit #6564

  • dogtag: search past the first 100 certificates commit #6564

  • ipaldap: properly escape raw binary values in LDAP filters commit #4985

  • client install: correctly report all failures commit #6392

  • cainstance: do not configure renewal guard commit #5959

  • dogtaginstance: track server certificate with our renew agent commit #5959

  • renew agent: handle non-replicated certificates commit #5959

  • ca: fix ca-find with --pkey-only commit #6178

  • spec file: revert to the previous Release tag commit #6418

  • x509: use PyASN1 to parse PKCS#7 commit #6550

  • server install: fix KRA agent PEM file not being created commit #6392

  • spec file: do not define with_lint inside a comment commit #6418

  • certdb: fix PKCS#12 import with empty password commit #6541

  • server install: fix external CA install commit #6392

  • replica install: track the RA agent certificate again commit #6392

  • ipaclient: remove hard dependency on ipaplatform commit #6474

  • ipaclient: move install modules to the install subpackage commit #6474

  • ipalib: remove hard dependency on ipapython commit #6474

  • constants: remove CACERT commit #6474

  • ipalib: move certstore to the install subpackage commit #6474

  • ipapython: remove hard dependency on ipaplatform commit #6474

  • ipautil: move file encryption functions to installutils commit #6474

  • ipautil: move kinit functions to ipalib.install commit #6474

  • ipautil: move is_fips_enabled() to ipaplatform.tasks commit #6474

  • ipautil: remove the timeout argument of run() commit #6474

  • ipautil: remove get_domain_name() commit #6474

  • ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR commit #6474

  • certdb: use a temporary file to pass password to pk12util commit #6474

  • certdb: move IPA NSS DB install functions to ipaclient.install commit #6474

  • ipapython: move certmonger and sysrestore to ipalib.install commit #6474

  • ipapython: move dnssec, p11helper and secrets to ipaserver commit #6474

  • custodiainstance: automatic restart on config file update commit #6474

  • paths: remove DEV_NULL commit #6474

  • install: migrate client install to the new class hierarchy commit #6392

  • install: allow specifying verbosity and console log format in CLI commit #6392

  • install: migrate server installers to the new class hierarchy commit #6392

  • install: introduce installer class hierarchy commit #6392

  • install: fix subclassing of knob groups commit #6392

  • install: make knob base declaration explicit commit #6392

  • install: declare knob CLI names using the argparse convention commit #6392

  • install: use standard Python classes to declare knob types commit #6392

  • install: introduce updated knob constructor commit #6392

  • install: simplify CLI option parsing commit #6392

  • install: improve CLI positional argument handling commit #6392

  • install: use ldaps for pkispawn in ipa-ca-install commit #6392

  • replica install: fix DS restart failure during replica promotion commit #6392

  • replica install: merge KRA agent cert export into KRA install commit #6392

  • replica install: merge RA cert import into CA install commit #6392

  • server install: do not restart httpd during CA install commit #6392

  • install: merge all KRA install code paths into one commit #6392

  • install: merge all CA install code paths into one commit #6392

  • replica install: use one remote KRA host name everywhere commit #6392

  • replica install: use one remote CA host name everywhere commit #6392

  • spec file: bump minimal required version of 389-ds-base commit #6369

  • pwpolicy: do not run klist on import commit #6418

  • client: remove unused libcurl build dependency commit #6418

  • makeapi, makeaci: do not fail on missing imports commit #6418

  • ipaserver: remove ipalib import from setup.py commit #6418

  • pylint: enable the import-error check commit #6418

  • spec file: do not include BuildRequires for lint by default commit #6418

  • spec file: clean up BuildRequires commit #6418

  • cert: add revocation reason back to cert-find output commit #6269

  • test_plugable: update the rest of test_init commit #6313

  • dns: re-introduce --raw in dnsrecord-del commit #5644

  • client: remove hard dependency on pam_krb5 commit #5557

  • cert: fix cert-find --certificate when the cert is not in LDAP commit #6304

  • dns: fix crash in interactive mode against old servers commit #6203

  • dns: prompt for missing record parts in CLI commit #6203

  • dns: normalize record type read interactively in dnsrecord_add commit #6203

  • cli: use full name when executing a command commit #6279

Lenka Doudova (23)#

  • Document make_delete_command method in UserTracker commit #6485

  • Tests: Providing trust tests with tree root domain commit #6347

  • Tests: Verify that validity info is present in cert-show and cert-find command commit #6419

  • Add file_exists method as a member of transport object commit #6400

  • Tests: Provide AD cleanup for legacy client tests commit #6396

  • Tests: Provide AD cleanup for trust tests commit #6396

  • Tests: Fix integration sudo test commit #6378

  • Tests: Verify that cert commands show CA without --all commit #6410

  • Tests: Certificate revocation commit #6349

  • Tests: Remove invalid certplugin tests commit #6349

  • Tests: Fix failing test_ipalib/test_parameters commit #6292

  • Tests: Remove silent deleting and creating entries by tracker commit #6123

  • Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap commit #6323

  • Tests: Fix host attributes in ipa-join host test commit #6326

  • Tests: Update host test with ipa-join commit #6326

  • Tests: Add krb5kdc.service restart to integration trust tests commit #6322

  • Tests: Remove unnecessary attributes from base tracker commit #6128

  • Tests: Remove --force options from tracker base class commit #6124

  • Tests: Remove SSSD restart from integration tests commit #6338

  • Tests: Fix integration sudo tests setup and checks commit #6262

  • Tests: Fix failing ldap.backend test commit #6312

  • Tests: Add cleanup to integration trust tests commit #6306

  • Tests: Fix regex errors in integration trust tests commit #6285

Ludwig Krispenz (1)#

  • Check for conflict entries before raising domain level commit #6534

Lukas Slebodnik (6)#

  • CONFIGURE: Improve detection of xmlrpc_c flags commit #6418

  • CONFIGURE: Properly detect libpopt on el7 commit

  • ipa_pwd: remove unnecessary dependency on dirsrv plugins commit

  • SPEC: Fix build in mock commit #6604

  • CONFIGURE: Update help message for jslint commit #6604

  • CONFIGURE: Fix detection of pylint commit #6604

Martin Babinsky (113)#

  • Try out anonymous PKINIT after it is configured commit #6739

  • check for replica’s KDC entry on master before requesting PKINIT cert commit #6739

  • check that the master requesting PKINIT cert has KDC enabled commit #6739

  • Make wait_for_entry raise exceptions commit #6739

  • Move PKINIT configuration to a later stage of server/replica install commit #6739

  • Request PKINIT cert directly from Dogtag API on first master commit #6739

  • Make PKINIT certificate request logic consistent with other installers commit #6739

  • idviews: correctly handle modification of non-existent view commit #6372

  • Re-use trust domain retrieval code in certmap validators commit #6372

  • idview: add domain_resolution_order attribute commit #6372

  • ipaconfig: add the ability to manipulate domain resolution order commit #6372

  • Short name resolution: introduce the required schema commit #6372

  • ipa-managed-entries: only permit running the command on IPA master commit #6735

  • ipa-managed-entries: use server-mode API commit #6735

  • Allow login to WebUI using Kerberos aliases/enterprise principals commit #6343

  • Provide basic integration tests for built-in AD trust installer commit #6630

  • Update server/replica installer man pages commit #6630

  • Fix erroneous short name options in ipa-adtrust-install man page commit #6630

  • Merge AD trust configurator into replica installer commit #6630

  • Merge AD trust configurator into server installer commit #6630

  • expose AD trust related knobs in composite installers commit

  • Add AD trust installer interface for composite installer commit #6630

  • check for installed dependencies when *not* in standalone mode commit #6630

  • print the installation info only in standalone mode commit #6630

  • adtrust.py: Use logging to emit error messages commit #6630

  • Refactor the code searching and presenting missing trust agents commit #6639

  • only check for netbios name when LDAP backend is connected commit #6630

  • Refactor the code checking for missing SIDs commit #6630

  • use the methods of the parent class to retrieve CIFS kerberos keys commit #6638

  • httpinstance: re-use parent’s methods to retrieve anonymous keytab commit #6638

  • Make request_service_keytab into a public method commit #6638

  • allow for more flexibility when requesting service keytab commit #6638

  • Move AD trust installation code to a separate module commit #6629

  • Replace exit() calls with exceptions commit #6629

  • Remove unused variables in exception handling commit #6629

  • ipa-adtrust-install: format the code for PEP-8 compliance commit #6629

  • Travis CI: Upload the logs from failed jobs to transfer.sh commit

  • Explicitly handle quoting/unquoting of NSSNickname directive commit #6460

  • Delegate directive value quoting/unquoting to separate functions commit #6460

  • installutils: improve directive value parsing in `get_directive` commit #6460

  • Fix the installutils.set_directive docstring commit #6460

  • disable hostname canonicalization by Kerberos library commit #6584

  • Travis CI: actually return non-zero exit status when the test job fails commit

  • Trim the test runner log to show only pytest failures/errors commit

  • Add license headers to the files used by Travis CI commit

  • Travis CI: use specific Python version during build commit

  • introduce install step to .travis.yml and cache pip installs commit

  • split out lint to a separate Travis job commit

  • Travis: offload test execution to a separate script commit

  • Travis CI: a separate script to run test tasks commit

  • Put the commands informing and displaying build logs on single line commit

  • travis: mark FreeIPA as python project commit

  • Bump up ipa-docker-test-runner version commit

  • Add a basic test suite for `kadmin.local` interface commit #6561

  • Make `kadmin` family of functions return the result of ipautil.run commit #6561

  • gracefully handle setting replica bind dn group on old masters commit #6532

  • add missing attribute to ipaca replica during CA topology update commit #6508

  • Revert “upgrade: add replica bind DN group check interval to CA topology config” commit #6508

  • bindinstance: use data in named.conf to determine configuration status commit #6503

  • Use ipa-docker-test-runner to run tests in Travis CI commit

  • Configuration file for ipa-docker-test-runner commit

  • Add ‘env_confdir’ to constants commit #6389

  • Fix pep-8 transgressions in ipalib/misc.py commit #6490

  • Make `env` and `plugins` commands local again commit #6490

  • Revert “Add ‘ipa localenv’ subcommand” commit #6490

  • Enhance __repr__ method of Principal commit #6505

  • replication: ensure bind DN group check interval is set on replica config commit #6508

  • upgrade: add replica bind DN group check interval to CA topology config commit #6508

  • Improve the robustness FreeIPA’s i18n module and its tests commit #6512

  • Use common procedure to setup initial replication in both domain levels commit #6406

  • ensure that the initial sync using GSSAPI works agains old masters commit #6406

  • replication: refactor the code setting principals as replica bind DNs commit #6406

  • replication: augment setup_promote_replication method commit #6406

  • Turn replication manager group into ReplicationManager class member commit #6406

  • Fix the naming of ipa-dnskeysyncd service principal commit #6405

  • installutils: remove ‘install_service_keytab’ function commit #6405

  • domain-level agnostic keytab retrieval in httpinstance commit #6405

  • installers: restart DS after KDC is configured commit #6405

  • dsinstance: use keytab retrieval method from parent class commit #6405

  • use DM credentials to retrieve service keytab only in DLO commit #6405

  • Service: common method for service keytab requests commit #6405

  • Turn Kerberos-related properties to Service class members commit #6392

  • Make service user name a class member of Service commit #6392

  • service installers: clean up the inheritance commit #6392

  • fix incorrect invocation of ipa-getkeytab during DL0 host enrollment commit #6434

  • do partial host enrollment in domain level 0 replica install commit #6434

  • Separate function to purge IPA host principals from keytab commit #6434

  • certs: do not re-create NSS database when requesting service cert commit #6429

  • initialize empty /etc/http/alias during server/replica install commit #6429

  • CertDB: add API for non-destructive initialization from PKCS#12 bundle commit #6429

  • test_ipagetkeytab: use system-wide IPA CA cert location in tests commit #6409

  • Extend keytab retrieval test suite to cover new options commit #6409

  • Modernize ipa-getkeytab test suite commit #6409

  • extend ipa-getkeytab to support other LDAP bind methods commit #6409

  • ipa-getkeytab: expose CA cert path as option commit #6409

  • server-del: fix incorrect check for one IPA master commit #6417

  • Revert “Fix install scripts debugging” commit

  • do not use keys() method when iterating through dictionaries commit #6391

  • remove trailing newlines form python modules commit #6391

  • mod_nss: use more robust quoting of NSSNickname directive commit #5809

  • Move character escaping function to ipautil commit #5809

  • Make Continuous installer continuous only during execution phase commit #5725

  • use separate exception handlers for executors and validators commit #5725

  • ipa passwd: use correct normalizer for user principals commit #6329

  • trust-fetch-domains: contact forest DCs when fetching trust domain info commit #6328

  • netgroup: avoid extraneous LDAP search when retrieving primary key from DN commit #5855

  • advise: Use `name` instead of `__name__` to get plugin names commit

  • Use Travis-CI for basic sanity checks commit

  • ldapupdate: Use proper inheritance in BadSyntax exception commit #6294

  • raise ValidationError when deprecated param is passed to command commit #6190

  • Always fetch forest info from root DCs when establishing one-way trust commit #6057

  • factor out `populate_remote_domain` method into module-level function commit #6057

  • Always fetch forest info from root DCs when establishing two-way trust commit #6057

Martin Basti (134)#

  • Become IPA 4.5.0 commit

  • Update 4.5 translations commit

  • Add copy-schema-to-ca for RHEL6 to contrib/ commit #6540

  • Remove copy-schema-to-ca.py from master branch commit #6540

  • pylint: bump dependency to version >= 1.6 commit

  • backup: backup anonymous keytab commit #5959

  • tests: use --setup-kra in tests commit #6731

  • KRA: add --setup-kra to ipa-server-install commit #6731

  • man: add missing --setup-adtrust option to manpage commit #6630

  • ipactl restart: log httplib failues as debug commit #6674

  • Tests: search for disabled users commit

  • Test: DNS nsupdate from dns-update-system-records commit #6585

  • DNS: dns-update-system-record can create nsupdate file commit #6585

  • py3: ipa_generate_password: do not compare None and Int commit #4985

  • py3: change_admin_password: use textual mode commit #4985

  • py3: create DNS zonefile: use textual mode commit #4985

  • py3: upgradeinstance: use bytes literals with LDIF operations commit #4985

  • py3: upgradeinstance: decode data before storing them as backup… commit #4985

  • py3: upgradeinstance: open dse.ldif in textual mode commit #4985

  • custodia: kem.set_keys: replace too-broad exception commit

  • py3: kem.py: user bytes with ldap values commit #4985

  • py3: custodia: basedn must be unicode commit #4985

  • py3: configparser: use raw keyword commit #4985

  • py3: modify_s: attribute name must be str not bytes commit #4985

  • py3: ldapupdate: fix logging str(bytes) issue commit #4985

  • DNSSEC: forwarders validation improvement commit

  • py3: test_ipaserver: fix BytesWarnings commit #4985

  • py3: get_memberofindirect: fix ByteWarnings commit #4985

  • py3: DN: fix BytesWarning commit #4985

  • Tests: fix wait_for_replication task commit

  • py3: send Decimal number as string instead of base64 encoded value commit #4985

  • py3: ipaldap: properly encode DNSName to bytes commit #4985

  • py3: _convert_to_idna: fix bytes/unicode mistmatch commit #4985

  • py3: DNS: get_record_entry_attrs: do not modify dict during iteration commit #4985

  • py3: _ptrrecord_precallaback: use bytes with labels commit #4985

  • py3: remove_entry_from_group: attribute name must be string commit #4985

  • py3: base64 encoding/decoding returns always bytes don’t mix it commit #4985

  • pki-base: use pki-base-python2 as dependency commit #4985

  • pki: add missing depedency pki-base[-python3] commit #4985

  • py3: x509.py: return principal as unicode string commit #4985, #6640

  • py3: tests_xmlrpc: do not call str() on bytes commit #4985

  • py3: normalize_certificate: support both bytes and unicode commit #4985

  • py3: strip_header: support both bytes and unicode commit #4985

  • py3: fingerprint_hex_sha256: fix encoding/decoding commit #4985

  • py3: fix CSR encoding inside framework commit #4985

  • Principal: validate type of input parameter commit

  • Use dict comprehension commit

  • py3: can_read: attributelevelrights is already string commit #4985

  • py3: get_effective_rights: values passed to ldap must be bytes commit #4985

  • py3: ipaldap: update encode/decode methods commit #4985

  • py3: rpcserver fix undefined variable commit #4985

  • py3: WSGI executioners must return bytes in list commit #4985

  • py3: session: fix r/w ccache data commit #4985

  • Py3: Fix undefined variable commit #4985

  • py3: rpcserver: decode input because json requires string commit #4985

  • py3: session.py decode server name to str commit #4985

  • Use proper logging for error messages commit

  • wait_for_entry: use only DN as parameter commit #6588

  • py3: decode bytes for json.loads() commit #4985

  • dogtag.py: fix exception logging of JSON data commit

  • py3: convert_attribute_members: don’t use bytes as parameter for DN commit #4985

  • py3: make_filter_from_attr: use string instead of bytes commit #4985

  • py3: __add_acl: use standard ipaldap methods commit #4985

  • py3: add_entry_to_group: attribute name must be string not bytes commit #4985

  • py3: HTTPResponse has no ‘dict’ attribute in ‘msg’ commit #4985

  • py3: _httplib_request: don’t convert string to bytes commit #4985

  • py3: cainstance: replace mkstemp with NamedTemporaryFile commit #4985

  • py3: write CA/KRA config into file opened in text mode commit #4985

  • py3: CA/KRA: config parser requires string commit #4985

  • py3: ipautil: open tempfiles in text mode commit #4985

  • py3: ldap modlist must have keys as string, not bytes commit #4985

  • py3: open temporary ldif file in text mode commit #4985

  • py3: service.py: replace mkstemp by NamedTemporaryFile commit #4985

  • py3: create_cert_db: write to file in a compatible way commit #4985

  • _resolve_records: fix assert, nameserver_ip can be none commit

  • Remove duplicated step from DS install commit

  • py3: enable py3 pylint commit

  • Py3: Fix ToASCII method commit #5935

  • fix: regression in API version comparison commit #6468

  • ipactl: pass api as argument to services commit

  • DNS: URI records: bump python-dns requirements commit #6344

  • remove Knob function commit #6392

  • KRA: don’t add KRA container when KRA replica commit

  • Zanata: exlude testing ipa.pot file commit #6435

  • client: use correct code for failed uninstall commit #6392

  • client: use exceptions instead of return states commit #6392

  • client: move install part to else branch commit #6392

  • client: move install cleanup from ipa-client-install to module commit #6392

  • client: move clean CCACHE to module commit #6392

  • client: fix script execution commit #6392

  • client: Remove useless except in ipa-client-install commit #6392

  • client: move custom env variable into client module commit #6392

  • client: extract checks from uninstall to uninstall_check commit #6392

  • client: extract checks from install to install_check commit #6392

  • client: move checks to client.install_check commit #6392

  • client: make statestore and fstore consistent with server commit #6392

  • IPAChangeConf: use constant for empty line commit #6392

  • client: import IPAChangeConf directly instead the module commit #6392

  • client: remove extra return from hardcode_ldap_server commit #6392

  • client: install function: return constant not hardcoded number commit #6392

  • client: remove unneded return from configure_ipa_conf commit #6392

  • client: remove unneded return configure_krb5_conf commit #6392

  • ipa-client-install: move client install to module commit #6392

  • CI: Disable KRA install tests on DL0 commit #6088

  • CI: use --setup-kra with replica installation commit #6088

  • CI: extend replication layouts tests with KRA commit #6088

  • CI: workaround: wait for dogtag before replica-prepare commit #6274

  • Pylint: fix the rest of unused local variables commit

  • Pylint: remove unused variables in tests commit

  • Pylint: remove unused variables in ipaserver package commit

  • Pylint: remove unused variables from installers and scripts commit

  • Fix: find OSCP certificate test commit #6359

  • Pylint: enable check for unused-variables commit

  • Remove unused variables in tests commit

  • Remove unused variables in the code commit

  • test_text: add test ipa.pot file for tests commit #6333

  • Pylint: enable global-variable-not-assigned check commit

  • Pylint: enable cyclic-import check commit

  • Test: dont use global variable for iteration in test_cert_plugin commit #5755

  • Use constant for user and group patterns commit #5822

  • Fix regexp patterns in parameters to not enforce length commit #5822

  • Add check for IP addresses into DNS installer commit #5814

  • Fix missing config.ips in promote_check commit #5814

  • Abstract procedures for IP address warnings commit #5814

  • Catch DNS exceptions during emptyzones named.conf upgrade commit #6205

  • Start named during configuration upgrade. commit #6205

  • Tests: extend DNS cmdline tests with lowercased record type commit #6203

  • Show warning when net/broadcast IP address is used in installer commit #5814

  • Allow multicast addresses in A/AAAA records commit #5814

  • Allow broadcast ip addresses commit #5814

  • Allow network ip addresses commit #5814

  • Fix parse errors with link-local addresses commit #6296

  • Fix ScriptError to always return string from __str__ commit #6294

  • Bump master IPA devel version to 4.4.90 commit

Martin Kosek (1)#

  • Update Contributors.txt commit

Milan Kubík (4)#

  • ipatests: Fix assert_deepequal outside of pytest process commit #6420

  • ipatests: Implement tests with CSRs requesting SAN commit #6366

  • ipatests: Fix name property on a service tracker commit #6366

  • ipatests: provide context manager for keytab usage in RPC tests commit #6366

Michal Reznik (1)#

  • test_csrgen: adjusted comparison test scripts for CSRGenerator commit #6724

Michal Židek (1)#

  • git: Add commit template commit

Nathaniel McCallum (3)#

  • Migrate OTP import script to python-cryptography commit #5192

  • Use RemoveOnStop to cleanup systemd sockets commit

  • Properly handle LDAP socket closures in ipa-otpd commit #6368

Oleg Fayans (45)#

  • Test: uniqueness of certificate renewal master commit #6504

  • Test: basic kerberos over http functionality commit #6446

  • Test: made kinit_admin a returning function commit

  • tests: Added basic tests for certs in idoverrides commit #6412

  • Created idview tracker commit #6412

  • Test for installing rules with service principals commit #6481

  • Test: integration tests for certs in idoverrides feature commit #6005

  • Added interface to certutil commit

  • Automated ipa-replica-manage del tests commit

  • tests: Automated clean-ruv subcommand tests commit #6451

  • Reverted the essertion for replica uninstall returncode commit #6401

  • Test: disabled wrong client domain tests for domlevel 0 commit #6382

  • tests: Fixed code styling in caless tests to make pep8 happy commit

  • tests: Reverted erroneous asserts in 4 tests commit

  • tests: fixed certinstall method commit

  • tests: fixed super method invocation commit

  • tests: added verbose assert to test_service_disable_doesnt_revoke commit

  • tests: Standardized replica_preparation in test_no_certs commit

  • tests: Implemented check for domainlevel before installation verification commit

  • tests: Fixed Usage of improper certs in ca-less tests commit

  • tests: fixed expects of incorrect error messages commit

  • tests: Replaced unused setUp method with install commit

  • tests: Replaced hardcoded certutil with imported from paths commit

  • tests: Enabled negative testing for cleaning replication agreements commit

  • tests: Made unapply_fixes call optional at master uninstallation commit

  • tests: Updated master and replica installation methods to enable negative testing commit

  • tests: Added necessary xfails commit

  • tests: Added necessary getkeytabs calls to fixtures commit

  • tests: Removed outdated command options test commit

  • tests: Applied correct teardown methods commit

  • tests: Fixed incorrect assert in verify_installation commit

  • tests: Adapted installation methods to utilize methods from tasks commit

  • tests: Removed call for install method from parent class commit

  • tests: Added teardown methods for server and replica installation commit

  • tests: Create a method that cleans all ipa certs commit

  • tests: Updated ipa server installation stdin text commit

  • tests: Added generation of missing certs commit

  • tests: Added basic constraints extension to the CA certs commit

  • tests: Fixed method failures during second call for the method commit #5880

  • Xfailed a test that fails due to 6250 commit #6250

  • Fixed segment naming in topology tests commit

  • Xfailed the tests due to a known bug with replica preparation commit #6274

  • Changed addressing to the client hosts to be replicas commit #6287

  • Several fixes in replica_promotion tests commit #6301

  • Removed incorrect check for returncode commit #6300

Petr Čech (1)#

Petr Spacek (126)#

  • ipa_generate_password algorithm change commit #5695

  • Remove named-pkcs11 workarounds from DNSSEC tests. commit #5348

  • Build: forbid builds in working directories containing white spaces commit #6537

  • Build: always use Pylint from Python version used for rest of the build commit #157

  • Build: specify BuildRequires for Python 3 pylint commit #157

  • Build: makerpms.sh generates Python 2 & 3 packages at the same time commit #157

  • Accept server host names resolvable only using /etc/hosts commit #6518

  • Build: properly integrate ipa.pot into build system tests commit #6498

  • Build: properly integrate ipasetup.py into build system commit #6498

  • Build: properly integrate version.py into build system commit #6498

  • Build: properly integrate loader.js into build system commit #6498

  • Build: properly integrate freeipa.spec.in into build system commit #6498

  • Build: properly integrate ipa-version.h.in into build system commit #6498

  • Build: workaround bug while calling parallel make from rpmbuild commit #6418

  • Build: remove ipa.pot from Git as it can be re-generated at any time commit #6418

  • Build: integrate translation system tests again commit #6418

  • Build: automatically generate list of files to be translated in configure commit #6418

  • Build: clean in po/ removes *~ files as well commit #6418

  • Build: support strip-po target for translations commit #6418

  • Build: use standard infrastructure for translations commit #6418

  • Build: fix path in ipa-ods-exporter.socket unit file commit #6495

  • Build: fix file dependencies for make-css.sh commit #6418

  • Build: update makerpms.sh to use same paths as rpmbuild commit #6418

  • Build: remove incorrect use of MAINTAINERCLEANFILES commit #6418

  • Build: enable silent build in makerpms.sh commit #6418

  • Build: support --enable-silent-rules for Python packages commit #6418

  • Build: workaround bug 1005235 related to Python paths in auto-generated Requires commit #6418

  • Build: document what should be in %install section of SPEC file commit #6418

  • Build: move web UI file installation from SPEC to Makefile.am commit #6418

  • Build: move server directory handling from SPEC to Makefile.am commit #6418

  • Build: move client directory handling from SPEC to Makefile.am commit #6418

  • Update man page for ipa-adtrust-install by removing --no-msdcs option commit #6480

  • Build: pass down %{release} from SPEC to configure commit #6418

  • Build: update IPA_VERSION_IS_GIT_SNAPSHOT to comply with PEP440 commit #6418

  • Build: add make srpms target commit #6418

  • Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version number on RPM build commit #6418

  • Build: use POSIX 1003.1-1988 (ustar) file format for tar archives commit #6418

  • Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source directory is Git repo commit #6418

  • Build: remove unused and redundant code from configure.ac and po/Makefile.in commit #6418

  • Build: fix make clean to remove build artifacts from top-level directory commit #6418

  • Build: fix make clean for web UI commit #6418

  • Build: add polint target for i18n tests commit #6418

  • Build: add makeapi lint target commit #6418

  • Build: add makeaci lint target commit #6418

  • Build: add JS lint target commit #6418

  • Build: add Python lint target commit #6418

  • Build: remove obsolete instructions about BuildRequires from BUILD.txt commit #6418

  • Build: add make rpms target and convenience script makerpms.sh commit #6418

  • Build: fix KDC proxy installation and remove unused kdcproxy.conf commit #6418

  • Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC commit #6418

  • Build: do not compress manual pages at install time commit #6418

  • Build: distribute doc directory commit #6418

  • Build: create /var/run directories at install time commit #6418

  • Build: integrate init and init/systemd into build system commit #6418

  • Build: remove init/SystemV directory commit #6418

  • Build: integrate contrib directory into build system commit #6418

  • Build: remove ancient checks/check-ra.py commit #6418

  • Build: integrate daemons/dnssec into build system commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/topology files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files commit #6418

  • Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files commit #6418

  • Build: fix distribution of ipa-slapi-plugins/common files commit #6418

  • Build: fix distribution of daemon/ipa-kdb files commit #6418

  • Build: fix distribution of client header file commit #6418

  • Build: fix distribution of asn1/asn1c files commit #6418

  • Build: fix distribution of install/REDME.schema file commit #6418

  • Build: fix distribution of oddjob files commit #6418

  • Build: Remove spurious EXTRA_DIST from install/share/Makefile.am commit #6418

  • Build: cleanup unused LDIFs from install/share commit #6418

  • Build: fix distribution of libexec scripts commit #6418

  • Build: fix distribution and installation of update LDIFs commit #6418

  • Web UI: Remove offline version of Web UI commit #6447

  • Build: fix distribution of static files for web UI commit #6418

  • Build: stop build when a step in web UI build fails commit #6418

  • Build: fix distribution and installation of static files in top-level directory commit #6418

  • Build: fix man page distribution commit #6418

  • Build: fix distdir target for translations commit #6418

  • Build: rename project from ipa-server to freeipa commit #6418

  • Build: remove non-existing README files from Makefile.am commit #6418

  • Build: fix Makefile.am files to separate source and build directories commit #6418

  • Build: respect --prefix for systemdsystemunitdir commit #6418

  • Build: fix make install in asn1 subdirectory commit #6418

  • Build: fix ipaplatform detection for out-of-tree builds commit #6418

  • Build: Makefiles for Python packages commit #6418

  • Build: fix module name in ipaserver/setup.py commit #6418

  • Build: replace hand-made Makefile with one generated by Automake commit #6418

  • Build: move version handling from Makefile to configure commit #6418

  • Docs: update docs about ipaplatform to match reality commit #6418

  • Build: replace ipaplatform magic with symlinks generated by configure commit #6418

  • Build docs: update platform selection instructions commit #6418

  • Build: split out egg-info Makefile target from version-update target commit #6418

  • Build: split API/ACI checks into separate Makefile targets commit #6418

  • Build: use default error handling for PKG_CHECK_MODULES commit #6418

  • Build: use libutil convenience library for client commit #6418

  • Build: cleanup INI library detection commit #6418

  • Build: modernize XMLRPC-client library detection commit #6418

  • Build: modernize CURL library detection commit #6418

  • Build: modernize SASL library detection commit #6418

  • Build: modernize POPT library detection commit #6418

  • Build: merge client/configure.ac into top-level configure.ac commit #6418

  • Build: remove Transifex support commit #6418

  • Build: move translations from install/po/ to top-level po/ commit #6418

  • Build: merge install/configure.ac into top-level configure.ac commit #6418

  • Build: merge ipatests/man/configure.ac to top-level configure.ac commit #6418

  • Build: merge asn1/configure.ac to top-level configure.ac commit #6418

  • Build: transform util directory to libutil convenience library commit #6418

  • Build: promote daemons/configure.ac to top-level configure.ac commit #6418

  • Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c commit #6418

  • Build: pass down LIBDIR definition from RPM SPEC to Makefile commit #6418

  • Build: remove deprecated AC_STDC_HEADERS macro commit

  • Build: require Python >= 2.7 commit

  • Build: remove traces of mozldap library commit

  • Build: modernize crypto library detection commit

  • Build: modernize UUID library detection commit

  • Build: modernize Kerberos library detection commit

  • Build: add missing KRB5_LIBS to daemons/ipa-otpd commit

  • Tests: print what was expected from callables in xmlrpc_tests commit

  • DNS: Improve field descriptions for SRV records commit

  • DNS: Support URI resource record type commit #6344

  • Fix compatibility with python-dns 1.15.0 commit #6390

  • Raise errors from service.py:_ldap_mod() by default commit

Petr Vobornik (6)

  • permissions: add permissions for read and mod of external group members commit #5504

  • webui: do not warn about CAs if there is only one master commit #6598

  • webui: fixes normalization of value in attributes widget commit

  • Change README to use Markdown commit

  • Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used commit

  • replicainstall: log ACI and LDAP errors in promotion check commit

Pavel Vomacka (69)

  • Remove allow_constrained_delegation from gssproxy.conf commit #6225

  • WebUI: Add support for management of user short name resolution commit #6372

  • WebUI: add link to login page which for login using certificate commit #6225

  • Support certificate login after installation and upgrade commit #6225

  • TESTS WebUI: Vaults management commit #5426

  • TESTS: Add support for sidebar with facets commit #5426

  • TESTS: Add support for KRA in ui_driver commit #5426

  • WebUI: add vault management commit #5426

  • WebUI: allow to show rows with same pkey in tables commit #5426

  • WebUI: search facet’s default actions might be overridden commit #5426

  • Add possibility to hide only one tab in sidebar commit #5426

  • Possibility to set list of table attributes which will be added to _del command commit #5426

  • Extend _show command after _find command in table facets commit #5426

  • Add possibility to pass url parameter to update command of details page commit #5426

  • Add property which allows refresh command to use url value commit #5426

  • Added optional option in refreshing after modifying association table commit #5426

  • Possibility to skip checking writable according to metadata commit #5426

  • Allow to set another other_entity name commit #5426

  • Additional option to add and del operations can be set commit #5426

  • WebUI: Add cermapmatch module commit #6601

  • WebUI: Add Adapter for certmap_match result table commit #6601

  • WebUI: Possibility to choose object when API call returns list of objects commit #6601

  • WebUI: Add possibility to turn off autoload when details.load is called commit #6601

  • WebUI: don’t change casing of Auth Indicators values commit #6308

  • WebUI: Allow disabling lowering text in custom_checkbox_widget commit #6308

  • Add support for custom table pagination size commit #5742

  • Make singleton from config module commit #5742

  • Add javascript integer validator commit #5742

  • WebUI: Add certmap module commit #6601

  • WebUI: Add Custom command multivalued adder dialog commit #6601

  • WebUI: Create non editable row widget for multivalued widget commit #6601

  • WebUI: Add possibility to set field always writable commit #6601

  • WebUI: Change structure of Identity submenu commit #6717

  • WebUI: add sizelimit:0 to cert-find commit #6712

  • WebUI: fix incorrect behavior of ESC button on combobox commit #6388

  • WebUI: add default on_cancel function in adder_dialog commit #6388

  • Coverity: removed useless semicolon which ends statement earlier commit

  • Coverity: Fix possibility of access to attribute of undefined commit

  • Change activity text while loading metadata commit #6144

  • Refactoring of rpc module commit #6144

  • WebUI: update Patternfly and Bootstrap commit #6394

  • WebUI: Hide incorrectly shown buttons on hosts tab in ID Views commit #6546

  • Lowered the version of gettext commit #6418

  • Add python-pyasn1-modules into dependencies commit #6398

  • Adjustments for setup requirements v2 commit #6468

  • TESTS: Update group type name commit #6334

  • Coverity - null pointer dereference commit

  • Coverity - accessing attribute of variable which can point to null commit

  • Coverity - opens dialog which might not be created commit

  • Coverity - iterating over variable which could be null commit

  • Coverity - null pointer dereference commit

  • Coverity - true branch can’t be executed commit

  • Coverity - true branch can’t be executed commit

  • Coverity - removed dead code commit

  • Coverity - Accessing attribute of null commit

  • Coverity - identical code for different branches commit

  • Coverity - not initialized variable commit

  • Coverity - null pointer exception commit

  • Coverity - null pointer exception commit

  • WebUI: services without canonical name are shown correctly commit #6397

  • WebUI: fix API Browser menu label commit #6384

  • Add tooltip to all fields in DNS record adder dialog commit

  • WebUI: hide buttons in certificate widget according to acl commit #6341

  • WebUI: Change group name from ‘normal’ to ‘Non-POSIX’ commit #6334

  • WebUI: Add handling for HTTP error 404 commit #4821

  • Add ‘Restore’ option to action dropdown menu commit #5818

  • WebUI add support for sub-CAs while revoking certificates commit #6216

  • WebUI: Fix showing certificates issued by sub-CA commit #6238

  • Add support for additional options taken from table facet commit #6238

Gabe (1)

  • Allow nsaccountlock to be searched in user-find command commit

Simo Sorce (31)

  • Store session cookie in a ccache option commit #6661

  • Add support for searching policies in cn=accounts commit #6568

  • Add code to retrieve results from multiple bases commit

  • Use GSS-SPNEGO if connecting locally commit #6656

  • Limit sessions to 30 minutes by default commit #5959

  • Remove non-sensical kdestroy on https stop commit #6673

  • Fix session logout commit #6685

  • Deduplicate session cookies in headers commit #6676

  • Change session logout to kill only the cookie commit #6682

  • Insure removal of session on identity change commit #6543

  • Explicitly pass down ccache names for connections commit #6543

  • Allow rpc callers to pass ccache and service names commit #6543

  • Fix uninstall stopping ipa.service commit #5959

  • Rationalize creation of RA and HTTPD NSS databases commit #5959

  • Add a new user to run the framework code commit #5959

  • Always use /etc/ipa/ca.crt as CA cert file commit #5959

  • Simplify NSSDatabase password file handling commit #5959

  • Separate RA cert store from the HTTP cert store commit #5959

  • Configure HTTPD to work via Gss-Proxy commit #4189, #5959

  • Use Anonymous user to obtain FAST armor ccache commit #5959

  • Drop use of kinit_as_http from trust code commit #5959

  • Generate tmpfiles config at install time commit #5959

  • Change session handling commit #5959

  • Use the tar Posix option for tarballs commit #6418

  • Add compatibility code to retrieve headers commit #6558

  • Configure Anonymous PKINIT on server install commit #5678

  • Properly handle multiple cookies in rpc lib. commit

  • Properly handle multiple cookies in rpcclient commit

  • Support DAL version 5 and version 6 commit #6466

  • Fix install scripts debugging commit

  • Fix error message encoding commit

Stanislav Laznicka (78)

  • Remove pkinit from ipa-replica-prepare commit #6759

  • Backup KDC certificate pair commit #6748

  • Don’t fail more if cert req/cert creation failed commit #6755

  • Fix ipa-replica-prepare server-cert creation commit #6755

  • Don’t allow standalone KRA uninstalls commit #6538

  • Add message about last KRA to WebUI Topology view commit #6538

  • Add check to prevent removal of last KRA commit #6538

  • Don’t use weak ciphers for client HTTPS connections commit #6730

  • We don’t offer no quickies commit

  • Fix cookie with Max-Age processing commit #6718

  • Fix CA-less upgrade commit #5695

  • Fix replica with --setup-ca issues commit #5695

  • Moving ipaCert from HTTPD_ALIAS_DIR commit #5695, #6680

  • Added a PEMFileHandler for Custodia store commit #5695

  • Refactor certmonger for OpenSSL certificates commit #5695

  • Workaround for certmonger’s “Subject” representations commit #5695

  • Remove ipapython.nsslib as it is not used anymore commit #5695

  • Remove NSSConnection from otptoken plugin commit #5695

  • Remove pkcs12 handling functions from CertDB commit #5695

  • Remove NSSConnection from Dogtag commit #5695

  • Move publishing of CA cert to cainstance creation on master commit #5695

  • Don’t run kra.configure_instance if not necessary commit #5695

  • Move RA agent certificate file export to a different location commit #5695, #6392

  • Remove NSSConnection from the Python RPC module commit #5695

  • Remove md5_fingerprints from IPA commit #5695

  • Remove DM password files after successful pkispawn run commit #5695

  • Remove ra_db argument from CAInstance init commit #5695

  • Fix ipa-server-upgrade commit #5959

  • Use newer Certificate.serial_number in krainstance.py commit

  • Fix error in ca_cert_files validator commit #6694

  • Don’t prepend option names with additional ‘--’ commit #6392

  • Bump python-cryptography version in ipasetup.py.in commit #6631

  • custodiainstance: don’t use IPA-specific CertDB commit

  • Add password to certutil calls in NSSDatabase commit #5695

  • Explicitly remove support of SSLv2/3 commit #6607

  • Add FIPS-token password of HTTPD NSS database commit #5695

  • Bump required python-cryptography version commit #6631

  • Remove is_fips_enabled checks in installers and ipactl commit #5695

  • Generate sha256 ssh pubkey fingerprints for hosts commit #5695

  • Unify password generation across FreeIPA commit #5695

  • Clarify meaning of --domain and --realm in installers commit #6574

  • replicainstall: give correct error message on DL mismatch commit #6510

  • Fix permission-find with sizelimit set commit #5640

  • Generalize filter generation in LDAPSearch commit #5640

  • permission-find: fix a sizelimit off-by-one bug commit #5640

  • fix permission_find fail on low search size limit commit #5640

  • Make get_entries() not ignore its limit arguments commit #5640

  • Do not log DM password in ca/kra installation logs commit #6461

  • Fix CA replica install on DL1 commit #6392

  • Offer more general way to check domain level in replicainstall commit #6392

  • Use same means of checking replication agreements on both DLs commit #6392

  • replicainstall: move common checks to common_check() commit #6392

  • Take advantage of the ca/kra code cleanup in replica installation commit #6392

  • Use updated CA certs in replica installation commit #6392

  • Use os.path.join instead of concatenation commit #6392

  • Remove redundant CA cert file existence check commit #6392

  • Use host keytab to connect to remote server on DL0 commit #6392

  • Split install_http_certs() into two functions commit #6392

  • First step of merging replica installation of both DLs commit #6392

  • Properly bootstrap replica promotion api commit #6392

  • Move the pki-tomcat restart to cainstance creation commit #6392

  • Move httpd restart to DNS installation commit #6392

  • Import just IPAChangeConf instead of the whole module commit #6392

  • Added file permissions option to IPAChangeConf.newConf() commit #6392

  • Fix to ipachangeconf docstrings commit #6392

  • replicainstall: Unify default.conf file creation commit #6392

  • Replaced EMPTY_LINE constant with a function call commit #6392

  • client: Making the configure functions more readable commit #6392

  • Moved update of DNA plugin among update plugins commit #6392

  • Move ds.replica_populate to an update plugin commit #6392

  • Remove redundant dsinstance restart commit #6392

  • Fix missing file that fails DL1 replica installation commit #6393

  • Make httpd publish its CA certificate on DL1 commit #6393

  • Make installer quit more nicely on external CA installation commit #6230

  • Fix test_util.test_assert_deepequal test commit #6373

  • Pretty-print structures in assert_deepequal commit #6212

  • Remove update_from_dict() method commit #6311

  • Updated help/man information about hostname commit #5754

Thierry Bordaz (1)

  • IPA Allows Password Reuse with History value defined when admin resets the password. commit #6402

Timo Aaltonen (8)

  • ipaplatform/debian/paths: Add some missing values. commit

  • ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB. commit

  • ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY. commit

  • ipaplatform/debian/services: Fix is_running arguments. commit

  • ipaplatform: Add Debian platform module. commit

  • client, platform: Use paths.SSH* instead of get_config_dir(). commit

  • Move ipa-otpd to $libexecdir/ipa commit

  • Purge obsolete firefox extension commit

Tomas Krizek (68)

  • installer: update time estimates commit #6596

  • server install: require IPv6 stack to be enabled commit #6608

  • Add SHA256 fingerprints for certs commit #6701

  • man: update ipa-cacert-manage commit #6648

  • test_config: fix fips_mode key in Env commit #5695

  • Env __setitem__: replace assert with exception commit

  • FIPS: perform replica installation check commit #5695

  • replicainstall: add context manager for rpc client commit

  • check_remote_version: update exception and docstring commit

  • test_config: fix tests for env.fips_mode commit #5695

  • Add fips_mode variable to env commit #5695

  • Bump required version of bind-dyndb-ldap to 11.0-2 commit #6565

  • bindinstance: fix named.conf parsing regexs commit #6565

  • PEP8: fix line length for regexs in bindinstance commit

  • bump required version of BIND, bind-dyndb-ldap commit #6565

  • named.conf template: update API for bind 9.11 commit #6565

  • Remove obsolete serial_autoincrement from named.conf parsing commit #6565

  • certdb: remove unused valid_months property commit

  • certdb: remove unused keysize property commit

  • Fix coverity issue commit

  • ipautil: check for open ports on all resolved IPs commit #6522

  • replica-conncheck: improve message logging commit #6497

  • replica-conncheck: improve error message during replicainstall commit #6497

  • ipa-replica-conncheck: fix race condition commit #6487

  • ipa-replica-conncheck: do not close listening ports until required commit #6487

  • upgrade: ldap conn management commit #6461

  • services: replace admin_conn with api.Backend.ldap2 commit #6461

  • upgrade: do not explicitly set principal for services commit #6500

  • Build: ignore rpmbuild for lint target commit #6418

  • cainstance: use correct certificate for replica install check commit #6461

  • dns: check if container exists using ldapi commit #6461

  • ipaldap: remove do_bind from LDAPClient commit #6461

  • gitignore: ignore tar ball commit #6418

  • libexec scripts: ldap conn management commit #6461

  • ldap2: modify arguments for create_connection commit #6461

  • replicainstall: use ldap_uri in ReplicationManager commit #6461

  • replicainstall: correct hostname in ReplicationManager commit #6461

  • install tools: ldap conn management commit #6461

  • ldap2: change default bind_dn commit #6461

  • ipa-adtrust-install: ldap conn management commit #6461

  • install: remove adhoc dis/connect from services commit #6461

  • ldapupdate: use ldapi in LDAPUpdate commit #6461

  • replicainstall: properly close adhoc connection in promote commit #6461

  • install: ldap conn management commit #6461

  • install: remove adhoc api.Backend.ldap2 (dis)connect commit #6461

  • install: add restart_dirsrv for directory server restarts commit #6461

  • upgradeinstance: ldap conn management commit #6461

  • dsinstance: conn management commit #6461

  • ldap2: change default time/size limit commit #6461

  • cainstall: add dm_password to CA installation commit #6461

  • replicainstall: set ldapi uri in replica promotion commit #6461

  • dsinstance: enable ldapi and autobind in ds commit #6461

  • install: remove dirman_pw from services commit #6461

  • ipaldap: merge IPAdmin to LDAPClient commit #6461

  • ipaldap: merge gssapi_bind to LDAPClient commit #6461

  • ipaldap: merge external_bind into LDAPClient commit #6461

  • ipaldap: merge simple_bind into LDAPClient commit #6461

  • ipaldap: remove wait/timeout during binds commit #6461

  • ipa: check if provided config file exists commit #6114

  • ipa: allow relative paths for config file commit #6114

  • Prompt for forwarder in dnsforwardzone-add commit #6169

  • Update man/help for --server option commit #6202

  • Update ipa-server-install man page for hostname commit #6330

  • Add help info about certificate revocation reasons commit #6327

  • Add log messages for IP checks during client install commit #6331

  • Show error message for invalid IPs in client install commit #6340

  • Keep NSS trust flags of existing certificates commit #5791

  • Don’t show error messages in bash completion commit #6273

Thorsten Scherf (2)

  • added ssl verification using IPA trust anchor commit #6686

  • added help about default value for --external-ca-type option commit

shanyin (1)

  • fix missing translation string commit