The FreeIPA team would like to announce the FreeIPA 4.5.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 25 and Fedora 26 will be available soon in the official COPR repository.
Highlights in 4.5.0
Enhancements
AD User Short Names
Support for AD user short names has been added. Short names can be enabled from the CLI by setting
ipa config-mod --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from the WebUI under the Configuration tab. No manual configuration on the SSSD side is required.
Please note that this feature is not supported by SSSD yet and the work is tracked with <https://pagure.io/SSSD/sssd/issue/3210>
FIPS 140-2 Support
The FreeIPA server and client can be installed on FIPS-enabled systems. MD5 fingerprints have been replaced with SHA256. The variable fips_mode has been added to env to indicate whether FIPS is turned on on the server.
Please note that FIPS 140-2 support may not work on some platforms, because all dependencies of FreeIPA must support FIPS 140-2, which we cannot guarantee. (It should work with RHEL 7.4+.) The FreeIPA code itself is FIPS 140-2 compatible.
Certificate Identity Mapping
Support for multiple certificates on smart cards has been added. The user can choose which certificate is used to authenticate. This makes it possible to define multiple certificates per user. The same certificate can be used by different accounts, and the mapping between a certificate and an account can be done through a binary match of the whole certificate or a match on custom certificate attributes (such as Subject + Issuer).
Improvements for Containerization
AD trust and KRA can be installed in one step in containers, without the need to call ipa-adtrust-install and ipa-kra-install afterwards. Option --setup-adtrust has been added to ipa-server-install and ipa-replica-install, and option --setup-kra has been added to ipa-server-install.
Semi-automatic Integration with External DNS
Option “--out” has been added to command “ipa dns-update-system-records”. This option stores the IPA system DNS records in nsupdate format in the specified file, which can then be used with the nsupdate command to update records on an external DNS server. For more details see this howto <https://www.freeipa.org/page/Howto/Updating_FreeIPA_system_DNS_records_on_a_remote_DNS_server>
Known Issues
CLI doesn’t work after ipa-restore <https://pagure.io/freeipa/issue/6748>
AD Trust doesn’t work with enabled FIPS mode <https://pagure.io/freeipa/issue/6697>
cert-find does not find all certificates without sizelimit=0 <https://pagure.io/freeipa/issue/6716>
Bug fixes
Contains all bug fixes and enhancements of the 4.4.1, 4.4.2, 4.4.3 releases
Installers Refactoring
The installer code base has been migrated into modules and much code duplication has been removed.
“Normal” group has been renamed to “Non-POSIX” in WebUI
In the web UI, the group type label “Normal” has been changed to “Non-POSIX” to be compatible with CLI options. The semantics of group types is unchanged.
Build System Refactoring
Several improvements have been made to the FreeIPA build system. If you are a package maintainer, please read the following design document.
LDAP Connection Management Refactoring
LDAP connection management has been standardized across FreeIPA and should prevent LDAP connection issues during installation and upgrades in the future.
Do not fail when IPA server has shortname first in /etc/hosts
The Kerberos client library is now instructed not to canonicalize hostnames when issuing TGS requests. This improves security by avoiding DNS lookups during canonicalization and also improves the robustness of service principal lookups in more complex DNS environments (clouds, containerized applications). Because of this change in behavior, care must be taken to specify the correct FQDN in host/service principals, as no attempt will be made to resolve, for example, short names.
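A check for the FQDN caveat above, as an added example that is not FreeIPA code: it reads `[libdefaults]` from a krb5.conf and flags host-based principals whose host part is a short name. It assumes the behaviour is controlled by MIT krb5's `dns_canonicalize_hostname` option; the function names, the service-name list and the sample data are constructed for illustration.

```python
import re

# Values treated as "off" for a krb5.conf boolean (assumption: a practical subset).
_FALSE = {"false", "no", "n", "f", "0", "off"}
# Service names assumed to be host-based (service/host@REALM); adjust to your site.
HOST_BASED = {"host", "HTTP", "ldap", "nfs", "cifs", "DNS"}
_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9])?")


def libdefault(conf_text, key):
    """Return the first value of `key` inside [libdefaults], or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return value
    return None


def canonicalization_disabled(conf_text):
    """True when dns_canonicalize_hostname is explicitly switched off."""
    value = libdefault(conf_text, "dns_canonicalize_hostname")
    return value is not None and value.lower() in _FALSE


def is_fqdn(host):
    """At least two well-formed DNS labels; a trailing dot is tolerated."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(label) for label in labels)


def short_name_principals(principals, host_based=HOST_BASED):
    """Return host-based principals whose host component is not an FQDN."""
    flagged = []
    for principal in principals:
        name = principal.rsplit("@", 1)[0]       # drop the realm
        parts = name.split("/")
        if len(parts) == 2 and parts[0] in host_based and not is_fqdn(parts[1]):
            flagged.append(principal)
    return flagged


def audit(conf_text, principals):
    """With canonicalization off, short-name principals will not be resolved."""
    if not canonicalization_disabled(conf_text):
        return []
    return short_name_principals(principals)


# Constructed sample input, not taken from a real deployment.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = DOMAIN.TEST
  rdns = false
  dns_canonicalize_hostname = false

[realms]
  DOMAIN.TEST = {
    kdc = ipa1.domain.test:88
  }
"""
SAMPLE_PRINCIPALS = [
    "host/ipa1.domain.test@DOMAIN.TEST",
    "HTTP/web01@DOMAIN.TEST",            # short name
    "ldap/ipa1.domain.test@DOMAIN.TEST",
    "nfs/storage@DOMAIN.TEST",           # short name
    "admin@DOMAIN.TEST",                 # user principal, ignored
    "krbtgt/DOMAIN.TEST@DOMAIN.TEST",    # not host-based, ignored
]

if __name__ == "__main__":
    for principal in audit(SAMPLE_KRB5_CONF, SAMPLE_PRINCIPALS):
        print("short-name principal:", principal)
```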
Replica Connection Check Improvements
The improved connection check reduces the possibility of failure in later installation steps. Ports on both IPv4 and IPv6 addresses are now checked (if available).
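The failure mode this check closes, as an added example that is not the ipa-replica-conncheck code: a host name that resolves to both an IPv4 and an IPv6 address can pass a single-address probe while one address family is still blocked. All function names, the host name and the addresses in the demo are constructed for illustration.

```python
import socket


def resolve_all(host, port):
    """Return [(family, sockaddr)] for every IPv4 and IPv6 address of host."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    seen, addrs = set(), []
    for family, _type, _proto, _canon, sockaddr in infos:
        if (family, sockaddr[0]) not in seen:    # de-duplicate per address
            seen.add((family, sockaddr[0]))
            addrs.append((family, sockaddr))
    return addrs


def tcp_open(family, sockaddr, timeout=3.0):
    """Try one TCP connect to one concrete address; True if it succeeds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
        return True
    except OSError:                              # refused, timed out, no such family
        return False


def check_host(host, ports, resolve=resolve_all, probe=tcp_open):
    """Probe every port on every resolved address, not just the first one."""
    results = {}
    for port in ports:
        for family, sockaddr in resolve(host, port):
            results[(sockaddr[0], port)] = probe(family, sockaddr)
    return results


def unreachable(results):
    """Sorted (address, port) pairs that failed the probe."""
    return sorted(key for key, ok in results.items() if not ok)


def first_address_only(host, ports, resolve=resolve_all, probe=tcp_open):
    """The weaker check, for comparison: only the first resolved address."""
    return {port: probe(*resolve(host, port)[0]) for port in ports}


# Constructed dual-stack scenario so the demo runs offline: the host has an
# IPv4 and an IPv6 address, and port 389 is filtered on IPv6 only.
def demo_resolve(host, port):
    return [
        (socket.AF_INET, ("192.0.2.10", port)),
        (socket.AF_INET6, ("2001:db8::10", port, 0, 0)),
    ]


def demo_probe(family, sockaddr):
    return not (family == socket.AF_INET6 and sockaddr[1] == 389)


if __name__ == "__main__":
    ports = [389, 443]
    host = "replica.domain.test"
    print("first address only:",
          first_address_only(host, ports, demo_resolve, demo_probe))
    print("unreachable on some address:",
          unreachable(check_host(host, ports, demo_resolve, demo_probe)))
```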
Replace NSS with OpenSSL
This should reduce the number of issues related to HTTPS connections. This change was also needed to support FIPS.
Fully customisable CA name
The CA subject name is now fully customisable, and is no longer required to be related to the certificate subject base. The ipa-server-install and ipa-ca-install commands learned the --ca-subject and --subject-base options for configuring these values.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Resolved tickets
#6764 debian: python modules should be installed under dist-packages
#6759 replica prepare broken on KDC cert export
#6755 [certs.py] - “ipa-replica-prepare” command fails when trying to unlink non-existing “tmpcert.der” file in /var/lib/ipa/
#6750 Web page ipa/config/ssbrowser.html refers to missing ipa/config/ca.crt file
#6739 Cannot login to replica’s WebUI
#6735 The ipa-managed-entries command failed, exception: AttributeError: ldap2
#6734 vaultconfig-show throws internal error
#6731 ipa-server-install: allow to install KRA in one step
#6730 Harden client HTTPS connections
#6724 [test_csrgen.py] - comparison test scripts not reflected changes in “openssl_base.tmpl”
#6723 ipa systemd unit should define Wants=network instead of Requires=network
#6718 SessionMaxAge in /etc/httpd/conf.d/ipa.conf introduces regression
#6717 WebUI: change structure of Identity submenu
#6714 ipaclient.csrgen depends on ipaplatform
#6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)
#6712 WebUI: Arbitrary certificates on {user|host|service} details pages are not displayed in WebUI
#6707 Removal of IPAConfig broke Ipsilon’s FreeIPA integration
#6701 Add SHA256 fingerprints
#6698 User with ticket gets GSS failure when calling freeipa CLI command
#6694 ipa-client-install command failed, TypeError: list found
#6690 Plugin schema cache is slow
#6686 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) after adding externally signed CA cert
#6685 logout does not work properly
#6682 session logout should not remove ccache
#6680 kra-agent.pem file is not auto-renewed by certmonger
#6676 unable to parse cookie header
#6675 KRA_AGENT_PEM file is missing
#6674 ipactl: noise error from pki-tomcatd start
#6673 httpd unit files deletes root ccache
#6670 PKINIT upgrade process is incomplete
#6661 Move ipa session data from keyring to ccaches
#6659 ipa-backup does not include /root/kracert.p12
#6650 [vault] Replace nss crypto with cryptography
#6648 Make ipa-cacert-manage man page more clear
#6647 batch param compatibility is incorrect
#6646 IdM Server: list all Employees with matching Smart Card
#6643 [RFE] Add ipa-whoami command
#6640 DS certificate request during replica install fails due to bytes/string mismatch
#6639 Rewrite the code handling discovery and adding of AD trust agents in AD trust installer
#6638 AD trust installer should be able to configure samba instance also without admin credentials
#6637 Build fails on Fedora 26
#6636 UnboundLocalError during ipa-client-install
#6634 --ignore-last-of-role is not in man page
#6633 IPA replica install log shows password in plain text
#6631 Use Python warnings for development
#6630 Merge AD trust installer to server/replica install
#6629 Migrate AD trust installer on the new-style installer framework
#6625 WSGI fails with internal server error when mode != production (locked attribute)
#6623 Stageuser is missing -{add,remove}-{cert,principal} commands
#6620 Remove ipa-upgradeconfig command
#6619 krb5 1.15 broke DAL principal free
#6608 IPA server installation should check if IPv6 stack is enabled
#6607 Deprecate SSLv2 from API config
#6606 Full backup and restore prevents KRA from installing
#6601 [RFE] WebUI: Certificate Identity Mapping
#6600 Legacy client tests doesn’t have tree domain role.
#6598 [webui] Show “CA replica warning” only if there one or more replicas but only 1 CA
#6597 ipapython.version.DEFAULT_PLUGINS is not configured
#6596 Update ETAs in installers
#6588 replication race condition prevents IPA to install
#6586 Minor string fixes in dsinstance.py
#6585 [RFE] nsupdate output format in dns-update-system-records command
#6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts
#6578 IPA CLI will eventually stop working when invoked in parallel
#6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6
#6574 description of --domain and --realm is confusing
#6573 CA-less replica installation fails due to attempted cert issuance
#6570 Duplicate PKINIT certificates being tracked after restoring IPA backup on re-installed master
#6565 FreeIPA server install fails (and existing servers probably fail to start) due to changes in ‘dyndb’ feature on merge to upstream BIND
#6564 IPA WebUI certificates are grayed out on overview page but not on details page
#6559 [py3] switch to PY3 causes warnings from IPA schema cache
#6558 [Py3] http session cookie doesn’t work under Py3
#6551 Upgrade Samba configuration to not include keytab prefix
#6550 Refactor PKCS #7 parsing to use pyasn1_modules
#6548 [RFE] Mention ipa-backup in warning message before uninstalling IPA server
#6547 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
#6546 Delete option shouldn’t be available for hosts applied to view.
#6542 [RFE] Certificate Identity Mapping
#6541 ipa-replica-install fails to import DS cert from replica file
#6540 Migration from ipa-3.0 fails due to crashing copy-schema-to-ca.py
#6539 ipa vault operations are not possible with an older server
#6538 KRA: add checks to prevent removing the last instance of KRA in topology
#6534 topology should not include A<->B segment “both” and B->A “left right” at the same time.
#6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance
#6526 remove “request certificate with subjectaltname” permission
#6522 ipa-replica-conncheck should check for open ports on all IPs resolved from hostname
#6518 Can not install IPA server when hostname is not DNS resolvable
#6514 replica install: request_service_cert doesn’t raise error when certificate issuance failed
#6513 `ipa plugins` command crashes with internal error
#6512 Improve the robustness FreeIPA’s i18n module and its tests
#6510 Wrong error message during failed domainlevel 0 installations without a replica file
#6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
#6505 Make ipapython.kerberos.Principal.__repr__ show the actual principal name
#6504 Create a test for uniqueness of CA renewal master
#6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11
#6500 ipa-server-upgrade fails with AttributeError
#6498 Build system must regenerate file when template changes.
#6497 Misleading error message in replica_conn_check()
#6496 remove references to ds_newinst.pl
#6495 DNSSEC: ipa-ods-expoter.socket creates incorrect socket and breaks DNSSEC signing
#6492 Register entry points of Custodia plugins
#6490 Add local-env subcommand to ipa script
#6489 Provide legacy client test coverage with tree root domain
#6487 ipa-replica-conncheck fails randomly (race condition)
#6486 Add NTP server list to ipaplatform
#6481 Create a test for instantiating rules with service principals
#6480 Update man page for ipa-adtrust-install by removing --no-msdcs option
#6474 Remove ipaplatform dependency from ipa modules
#6472 cert-request no longer accepts CSR with extraneous data surrounding PEM data
#6469 Use xml.etree instead of lxml in odsmgr.py
#6466 [abrt] krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV
#6461 LDAP Connection Management refactoring
#6460 NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
#6457 ipa dnsrecord-add fails with Keyerror stack trace
#6455 Add example of RDN order for ipa-server-install --subject
#6451 Automate managed replication topology 4.4 features
#6448 Tests: Stageuser tracker creation of user with minimal values, with uid not specified
#6446 Create test for kerberos over http
#6445 Traceback seen in error_log when trustdomain-del is run
#6439 Members of nested netgroups configured in IdM cannot be seen by getent on clients
#6435 Fix zanata.xml config to skip testing ipa.pot file
#6434 Installers: perform host enrollment also in domain level 0 replica install
#6433 Refactor installer code requesting certificates
#6420 Pretty print option of pytest makes tracker fail when used in ipa console
#6419 cert-show default output does not show validity
#6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master
#6415 replica-install creates spurious entries in cn=certificates
#6412 Create tests for certs in idoverrides feature
#6410 Tests: Verify that cert commands show CA without --all
#6409 [RFE] extend ipa-getkeytab to support other LDAP bind methods
#6406 Use common mechanism for setting up initial replication in both domain levels
#6405 unify domain level-specific mechanisms for replica’s DS/HTTP keytab generation
#6402 IPA Allows Password Reuse with History value defined when admin resets the password.
#6401 Revert expected returncode in replica_promotion test
#6400 Add file_exists method as a member of transport object
#6399 Object-Signing cert is unused; don’t create it
#6398 Refactor certificate inspection code to use python-cryptography
#6397 WebUI: Services are not displayed correctly after upgrade
#6396 Cleanup AD trust information after tests
#6394 WebUI: Update Patternfly and Bootstrap to newer versions
#6393 Make httpd publish CA certificate on Domain Level 1
#6392 Installers refactoring tracker
#6388 WebUI: Adder dialog cannot be reopened in case that it is closed using ESC and dropdown field was focused
#6386 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
#6384 Web UI: Lowercase “b” in the “API browser” subtab label
#6381 ipa-cacert-manage man page should mention to run ipa-certupdate
#6375 ipa-replica-install fails when replica file created after ipa-ca-install on domain level 0
#6372 [RFE] allow managing prioritized list of trusted domains for unqualified ID resolution
#6369 [tracker] raise 389 requires when “Total init may fail if the pushed schema is rejected” is part of update
#6365 Custodia compatibility: add iSecStore.span method
#6359 test_0003_find_OCSP will never fail
#6358 ipa migrate-ds fails when it finds a referral
#6357 ipa-server-install script option --no_hbac_allow should match other options
#6354 regression: certmap.conf file is not backedup during ipa-server-upgrade
#6352 replica promotion with OTP: add additional info to “Insufficient privileges” error message
#6347 Tests: provide trust test coverage for tree root domains
#6344 [RFE] support URI resource records
#6343 [RFE] Allow login to WebUI using Kerberos aliases/enterprise principals
#6340 IPA client ipv6 - invalid --ip-address shows traceback
#6335 Set priority as required field in password policy
#6334 “Normal” group type in the UI is confusing
#6331 Reason is lost when CheckedIPAddress returns ValueError in ipa-client-install
#6308 [webui] Does not handle uppercase authentication indicators.
#6305 host/service-mod with --certificate= (remove all certs) does not revoke certs
#6295 cert-request is not aware of Kerberos principal aliases
#6269 cert-find --all does not show information about revocation
#6263 ipa-server-certinstall does not update all certificate stores and doesn’t set proper trust permissions
#6226 ipa-replica-install in CA-less environment does not configure DS TLS - ipa-ca-install then fails on replica
#6225 [RFE] Web UI: allow Smart Card authentication - finalization
#6202 ipa-client-install - document that --server option expects FQDN
#6178 Add options to retrieve lightweight CA certificate/chain
#6169 ipa dnsforwardzone-add w/o arguments fails
#6144 RPC code should be agnostic to display layer
#6132 Broken setup if 3rd party CA certificate conflicts with system-wide CA certificate
#6128 Tests: Base tracker contains leftover attributes from host tracker
#6126 Tests: User tracker does not enable creation of user with minimal values
#6125 Tests: unaccessible variable self.attrs for entries that are not created via standard create method in Tracker
#6124 Tests: remove --force option from tracker base class
#6123 Tests: Tracker enables silent deleting and creating entries
#6114 Traceback message seen when ipa is provided with invalid configuration file name
#6088 test_installation.py tests involving KRA installation on replicas fail in domain level 0
#6005 Create an automated test for Certs in idoverrides feature
#5949 ipa-server-install: improve prompt on interactive installation
#5935 [py3] DNSName.ToASCII broken with python3
#5742 [RFE] [webui] Configurable page size / User config page
#5695 [RFE] FreeIPA on FIPS enabled systems
#5640 Framework does not respect sizelimit passed via webUI in some searches
#5348 [tracker] dig + dnssec does not display signature of freshly created root zone
#4821 UI drops “Unknown Error” when the ipa record in /etc/hosts changes
#4189 [RFE] Use GSS-Proxy for the HTTP service
#3461 [RFE] Extend freeipa’s sudo to support selinux transition roles
#157 Python 3.2a1 in rawhide
Detailed changelog since 4.4.4
Jan Barta (8)
pylint: fix bad-mcs-method-argument commit
pylint: fix bad-mcs-classmethod-argument commit
pylint: fix bad-classmethod-argument commit
pylint: fix old-style-class commit
pylint: fix redefine-in-handler commit
pylint: fix pointless-statement commit
pylint: fix unneeded-not commit
pylint: fix simplifiable-if-statement warnings commit
Alexander Bokovoy (7)
ipaserver/dcerpc.py: use arcfour_encrypt from samba commit #6697
pkinit: make sure to have proper dictionary for Kerberos instance on upgrade commit #6670
adtrust: remove FILE: prefix from ‘dedicated keytab file’ in smb.conf commit #6551
trustdomain-del: fix the way how subdomain is searched commit #6445
Abhijeet Kasurde (11)
Minor typo fix in DNS install plugin commit
Update warning message for ipa server uninstall commit #6548
Fix for handling CalledProcessError in authconfig commit #5244
Provide user hint about IP address in IPA install commit #5949
Add fix for no-hbac-allow option in server install commit #6357
Added a fix for setting Priority as required field in Password Policy Details facet commit #6335
Ben Lipton (8)
csrgen: Allow overriding the CSR generation profile commit #4899
csrgen: Use data_sources option to define which fields are rendered commit #4899
csrgen: Add a CSR generation profile for user certificates commit #4899
csrgen: Add CSR generation profile for caIPAserviceCert commit #4899
csrgen: Add code to generate scripts that generate CSRs commit #4899
Christian Heimes (88)
Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb commit #6764
Run test_ipaclient test suite commit
Chain CSR generator file loaders commit
Use https to get security domain from Dogtag commit
Cleanup certdb commit
Default to pkginstall=true without duplicated definitions commit
pylint: ignore pypi placeholders commit
Python build: use --build-base everywhere commit
Add with_wheels global to install wheel and PyPI packaging dependencies commit
Add placeholders for ipaplatform, ipaserver and ipatests commit
Add python-wheel as build requirement commit
Packaging: Add placeholder packages commit
Vault: port key wrapping to python-cryptography commit #6650
Remove import nss from test_ldap commit
certdb: Don’t restore_context() of new NSSDB commit
Finish port to PyCA cryptography commit
Drop in-memory copy of schema zip file commit
C compilation fixes and hardening commit
lite-server: validate LDAP connection and cache schema commit #6679
Add --without-ipatests option commit
Add missing include of stdint.h for uint8_t commit
New lite-server implementation commit
Explain more performance tricks in doc string commit
Fix test, nested lists are no longer converted to nested tuples commit
Pretty print JSON in debug mode (debug level >= 2) commit
Convert list to tuples commit
Ditch version_info and use version number from ipapython.version commit
test_StrEnum: use int as bad type commit
Stable _is_null check commit
cryptography has deprecated serial in favor of serial_number commit
Enable additional warnings (BytesWarning, DeprecationWarning) commit #6631
Print test env information commit
Clean / ignore make check artefact commit
ipapython: Add dependencies on version.py commit
pytest: set rules to find test files and functions commit
Fix used before assignment bug in host_port_open() commit
Use pytest conftest.py and drop pytest.ini commit
Catch ValueError raised by pytest.config.getoption() commit
Silence pylint import errors of ipaserver in ipalib and ipaclient commit #6468
Relax check for .git to support freeipa in submodules commit
Ignore backup~ files like config.h.in~ commit
Fetch correct exception in IPA_CONFDIR test commit
Use env var IPA_CONFDIR to get confdir commit
Set explicit confdir option for global contexts commit #6389
Remove import of ipaplatform.paths from test_ipalib commit #6474
Add pylint guard to import of ipaplatform in ipapython.certdb commit #6474
wrap long line commit
Add main guards to a couple of Python scripts commit
Break ipaplatform / ipalib import cycle of hell commit
Pylint: whitelist packages with extension modules commit #6468
ipapython and ipatest no longer require lxml commit
Use xml.etree in ipa-client-automount script commit
Make api.env.nss_dir relative to api.env.confdir commit #6386
Don’t modify redhat_system_units commit
Use correct classifiers to make setup.py files PyPI compatible commit
Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR commit #6386
Add __name__ == __main__ guards to setup.pys commit
Remove ipapython/ipa.conf commit
Port all setup.py to setuptools commit
Replace ipaplatform’s symlinks with a meta importer commit
Move ipa.1 man file commit
David Kupka (20)
rpcserver: x509_login: Handle unsuccessful certificate login gracefully commit #6225
Bump required version of gssproxy to 0.7.0 commit #6671, #6698
tests: Add tests for kerberos principal aliases in stageuser commit #6623
tests: kerberos_principal_aliases: Deduplicate tests commit #6623
tests: add-remove-cert: Use hardcoded certificates instead of requesting them commit #6623
ipalib.x509: Handle missing SAN gracefully commit
stageuser: Add stageuser-{add,remove}-principal commit #6623
build: Add missing dependency on libxmlrpc{,_util} commit #6637
ipaclient: schema cache: Handle malformed server info data gracefully commit #6578
schema_cache: Make handling of string compatible with python3 commit #6559
installer: Stop adding distro-specific NTP servers into ntp.conf commit #6486
tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all commit #6561
password policy: Add explicit default password policy for hosts and services commit #6561
ipaclient.plugins: Use api_version from internally called commands commit #6539
tests: Mark 389-ds acceptance tests commit
tests: Mark Dogtag acceptance tests commit
UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling commit #6385
schema cache: Store and check info for pre-schema servers commit #6095
Florence Blanc-Renaud (20)
Installation must publish CA cert in /usr/share/ipa/html/ca.crt commit #6750
IdM Server: list all Employees with matching Smart Card commit #6646
ipa systemd unit should define Wants=network instead of Requires=network commit #6723
Do not configure PKI ajp redirection to use “::1” commit #6575
ipa-kra-install must create directory if it does not exist commit #6606
ipa-restore must stop tracking PKINIT cert in the preparation phase commit #6570
Increase the timeout waiting for certificate issuance in installer commit #6433
Check the result of cert request in replica installer commit #6514
Fix ipa-replica-install when upgrade from ca-less to ca-full commit #6375
Fix ipa migrate-ds when it finds a search reference commit #6358
Refactor installer code requesting certificates commit #6433
Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent commit
Fraser Tweedale (52)
rabase.get_certificate: make serial number arg mandatory commit #3473, #5011
Extract method to map principal to principal type commit #5011
ca: correctly authorise ca-del, ca-enable and ca-disable commit #6713
replica install: relax domain level check for promotion commit #5011
Add sanity checks for use of --ca-subject and --subject-base commit #2614
Indicate that ca subject / subject base uses LDAP RDN order commit #6455
Allow full customisability of IPA CA subject DN commit #2614
dsinstance: extract function for writing certmap.conf commit #2614
ipa-ca-install: add missing --subject-base option commit #2614
Extract function for computing default subject base commit #2614
installutils: remove hardcoded subject DN assumption commit #2614
Refactor and relocate set_subject_base_in_config commit #2614
Remove “Request Certificate with SubjectAltName” permission commit #6526
Fix DL1 replica installation in CA-less topology commit #6573
certprofile-mod: correctly authorise config update commit #6560
Add options to write lightweight CA cert or chain to file commit #6178
certdb: accumulate extracted certs as list of PEMs commit #6178
Add function for extracting PEM certs from PKCS #7 commit #6178
cert-request: match names against principal aliases commit #6295
Ensure correct IPA CA nickname in DS and HTTP NSSDBs commit #6415
Remove __main__ code from ipalib.x509 and ipalib.pkcs10 commit #6398
pkcs10: use python-cryptography for CSR processing commit #6398
dn: support conversion from python-cryptography Name commit #6398
sudorule: add SELinux transition examples to plugin doc commit #3461
Fix cert revocation when removing all certs via host/service-mod commit #6305
Make host/service cert revocation aware of lightweight CAs commit #6221
cert-request: raise CertificateOperationError if CA disabled commit #6260
Use Dogtag REST API for certificate requests commit #3473, #6260
Allow Dogtag RestClient to perform requests without logging in commit #3473, #6260
Ganna Kaihorodova (7)
Jan Cholasta (106)
spec file: always provide python package aliases commit
slapi plugins: fix CFLAGS commit
spec file: add unconditional python-setuptools BuildRequires commit
httpinstance: disable system trust module in /etc/httpd/alias commit #6132
cert: include certificate chain in cert command output commit #6547
backend plugins: fix crashes in development mode commit #6625
vault: cache the transport certificate on client commit #6652
client install: split off SSSD options into a separate class commit #6392
server install: remove duplicate knob definitions commit #6392
install: add missing space in realm_name description commit #6392
certmap: load certificate from file in certmap-match CLI commit #6646
pylint_plugins: add forbidden import checker commit
server install: do not attempt to issue PKINIT cert in CA-less commit #5678
compat: fix `Any` params in `batch` and `dnsrecord` commit #6647
scripts, tests: explicitly set confdir in the rest of server code commit #6389
server upgrade: uninstall ipa_memcached properly commit #5959
server upgrade: always upgrade KRA agent PEM file commit #6675
client install: create /etc/ipa/nssdb with correct mode commit #5959
ipaldap: preserve order of values in LDAPEntry._sync() commit #4985
tests: add test for PEM certificate files with leading text commit
ipa-ca-install: do not fail without --subject-base and --ca-subject commit #2614
ipaldap: properly escape raw binary values in LDAP filters commit #4985
dogtaginstance: track server certificate with our renew agent commit #5959
renew agent: handle non-replicated certificates commit #5959
server install: fix KRA agent PEM file not being created commit #6392
spec file: do not define with_lint inside a comment commit #6418
replica install: track the RA agent certificate again commit #6392
ipaclient: remove hard dependency on ipaplatform commit #6474
ipaclient: move install modules to the install subpackage commit #6474
ipalib: move certstore to the install subpackage commit #6474
ipapython: remove hard dependency on ipaplatform commit #6474
ipautil: move file encryption functions to installutils commit #6474
ipautil: move kinit functions to ipalib.install commit #6474
ipautil: move is_fips_enabled() to ipaplatform.tasks commit #6474
certdb: use a temporary file to pass password to pk12util commit #6474
certdb: move IPA NSS DB install functions to ipaclient.install commit #6474
ipapython: move certmonger and sysrestore to ipalib.install commit #6474
ipapython: move dnssec, p11helper and secrets to ipaserver commit #6474
custodiainstance: automatic restart on config file update commit #6474
install: migrate client install to the new class hierarchy commit #6392
install: allow specifying verbosity and console log format in CLI commit #6392
install: migrate server installers to the new class hierarchy commit #6392
install: declare knob CLI names using the argparse convention commit #6392
install: use standard Python classes to declare knob types commit #6392
install: improve CLI positional argument handling commit #6392
install: use ldaps for pkispawn in ipa-ca-install commit #6392
replica install: fix DS restart failure during replica promotion commit #6392
replica install: merge KRA agent cert export into KRA install commit #6392
replica install: merge RA cert import into CA install commit #6392
server install: do not restart httpd during CA install commit #6392
install: merge all KRA install code paths into one commit #6392
install: merge all CA install code paths into one commit #6392
replica install: use one remote KRA host name everywhere commit #6392
replica install: use one remote CA host name everywhere commit #6392
spec file: bump minimal required version of 389-ds-base commit #6369
makeapi, makeaci: do not fail on missing imports commit #6418
spec file: do not include BuildRequires for lint by default commit #6418
cert: add revocation reason back to cert-find output commit #6269
cert: fix cert-find --certificate when the cert is not in LDAP commit #6304
dns: fix crash in interactive mode against old servers commit #6203
dns: normalize record type read interactively in dnsrecord_add commit #6203
Lenka Doudova (23)
Document make_delete_command method in UserTracker commit #6485
Tests: Providing trust tests with tree root domain commit #6347
Tests: Verify that validity info is present in cert-show and cert-find command commit #6419
Add file_exists method as a member of transport object commit #6400
Tests: Provide AD cleanup for legacy client tests commit #6396
Tests: Verify that cert commands show CA without --all commit #6410
Tests: Remove silent deleting and creating entries by tracker commit #6123
Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap commit #6323
Tests: Fix host attributes in ipa-join host test commit #6326
Tests: Add krb5kdc.service restart to integration trust tests commit #6322
Tests: Remove unnecessary attributes from base tracker commit #6128
Tests: Remove --force options from tracker base class commit #6124
Tests: Remove SSSD restart from integration tests commit #6338
Tests: Fix integration sudo tests setup and checks commit #6262
Tests: Fix regex errors in integration trust tests commit #6285
Ludwig Krispenz (1)
Lukas Slebodnik (6)
Martin Babinsky (113)
Try out anonymous PKINIT after it is configured commit #6739
check for replica’s KDC entry on master before requesting PKINIT cert commit #6739
check that the master requesting PKINIT cert has KDC enabled commit #6739
Move PKINIT configuration to a later stage of server/replica install commit #6739
Request PKINIT cert directly from Dogtag API on first master commit #6739
Make PKINIT certificate request logic consistent with other installers commit #6739
idviews: correctly handle modification of non-existent view commit #6372
Re-use trust domain retrieval code in certmap validators commit #6372
ipaconfig: add the ability to manipulate domain resolution order commit #6372
Short name resolution: introduce the required schema commit #6372
ipa-managed-entries: only permit running the command on IPA master commit #6735
Allow login to WebUI using Kerberos aliases/enterprise principals commit #6343
Provide basic integration tests for built-in AD trust installer commit #6630
Fix erroneous short name options in ipa-adtrust-install man page commit #6630
Merge AD trust configurator into replica installer commit #6630
Merge AD trust configurator into server installer commit #6630
expose AD trust related knobs in composite installers commit
Add AD trust installer interface for composite installer commit #6630
check for installed dependencies when *not* in standalone mode commit #6630
print the installation info only in standalone mode commit #6630
Refactor the code searching and presenting missing trust agents commit #6639
only check for netbios name when LDAP backend is connected commit #6630
use the methods of the parent class to retrieve CIFS kerberos keys commit #6638
httpinstance: re-use parent’s methods to retrieve anonymous keytab commit #6638
Make request_service_keytab into a public method commit #6638
allow for more flexibility when requesting service keytab commit #6638
Move AD trust installation code to a separate module commit #6629
ipa-adtrust-install: format the code for PEP-8 compliance commit #6629
Travis CI: Upload the logs from failed jobs to transfer.sh commit
Explicitly handle quoting/unquoting of NSSNickname directive commit #6460
Delegate directive value quoting/unquoting to separate functions commit #6460
installutils: improve directive value parsing in `get_directive` commit #6460
disable hostname canonicalization by Kerberos library commit #6584
Travis CI: actually return non-zero exit status when the test job fails commit
Trim the test runner log to show only pytest failures/errors commit
Add license headers to the files used by Travis CI commit
Travis CI: use specific Python version during build commit
introduce install step to .travis.yml and cache pip installs commit
split out lint to a separate Travis job commit
Travis: offload test execution to a separate script commit
Travis CI: a separate script to run test tasks commit
Put the commands informing and displaying build logs on single line commit
travis: mark FreeIPA as python project commit
Bump up ipa-docker-test-runner version commit
Add a basic test suite for `kadmin.local` interface commit #6561
Make `kadmin` family of functions return the result of ipautil.run commit #6561
gracefully handle setting replica bind dn group on old masters commit #6532
add missing attribute to ipaca replica during CA topology update commit #6508
Revert “upgrade: add replica bind DN group check interval to CA topology config” commit #6508
bindinstance: use data in named.conf to determine configuration status commit #6503
Use ipa-docker-test-runner to run tests in Travis CI commit
Configuration file for ipa-docker-test-runner commit
replication: ensure bind DN group check interval is set on replica config commit #6508
upgrade: add replica bind DN group check interval to CA topology config commit #6508
Improve the robustness of FreeIPA’s i18n module and its tests commit #6512
Use common procedure to setup initial replication in both domain levels commit #6406
ensure that the initial sync using GSSAPI works against old masters commit #6406
replication: refactor the code setting principals as replica bind DNs commit #6406
replication: augment setup_promote_replication method commit #6406
Turn replication manager group into ReplicationManager class member commit #6406
Fix the naming of ipa-dnskeysyncd service principal commit #6405
installutils: remove ‘install_service_keytab’ function commit #6405
domain-level agnostic keytab retrieval in httpinstance commit #6405
dsinstance: use keytab retrieval method from parent class commit #6405
use DM credentials to retrieve service keytab only in DLO commit #6405
Service: common method for service keytab requests commit #6405
Turn Kerberos-related properties to Service class members commit #6392
Make service user name a class member of Service commit #6392
fix incorrect invocation of ipa-getkeytab during DL0 host enrollment commit #6434
do partial host enrollment in domain level 0 replica install commit #6434
Separate function to purge IPA host principals from keytab commit #6434
certs: do not re-create NSS database when requesting service cert commit #6429
initialize empty /etc/http/alias during server/replica install commit #6429
CertDB: add API for non-destructive initialization from PKCS#12 bundle commit #6429
test_ipagetkeytab: use system-wide IPA CA cert location in tests commit #6409
Extend keytab retrieval test suite to cover new options commit #6409
extend ipa-getkeytab to support other LDAP bind methods commit #6409
server-del: fix incorrect check for one IPA master commit #6417
Revert “Fix install scripts debugging” commit
do not use keys() method when iterating through dictionaries commit #6391
mod_nss: use more robust quoting of NSSNickname directive commit #5809
Make Continuous installer continuous only during execution phase commit #5725
use separate exception handlers for executors and validators commit #5725
ipa passwd: use correct normalizer for user principals commit #6329
trust-fetch-domains: contact forest DCs when fetching trust domain info commit #6328
netgroup: avoid extraneous LDAP search when retrieving primary key from DN commit #5855
advise: Use `name` instead of `__name__` to get plugin names commit
Use Travis-CI for basic sanity checks commit
ldapupdate: Use proper inheritance in BadSyntax exception commit #6294
raise ValidationError when deprecated param is passed to command commit #6190
Always fetch forest info from root DCs when establishing one-way trust commit #6057
factor out `populate_remote_domain` method into module-level function commit #6057
Always fetch forest info from root DCs when establishing two-way trust commit #6057
Martin Basti (134)#
Become IPA 4.5.0 commit
Update 4.5 translations commit
pylint: bump dependency to version >= 1.6 commit
man: add missing --setup-adtrust option to manpage commit #6630
Tests: search for disabled users commit
Test: DNS nsupdate from dns-update-system-records commit #6585
DNS: dns-update-system-record can create nsupdate file commit #6585
py3: ipa_generate_password: do not compare None and Int commit #4985
py3: upgradeinstance: use bytes literals with LDIF operations commit #4985
py3: upgradeinstance: decode data before storing them as backup… commit #4985
py3: upgradeinstance: open dse.ldif in textual mode commit #4985
custodia: kem.set_keys: replace too-broad exception commit
py3: modify_s: attribute name must be str not bytes commit #4985
DNSSEC: forwarders validation improvement commit
Tests: fix wait_for_replication task commit
py3: send Decimal number as string instead of base64 encoded value commit #4985
py3: _convert_to_idna: fix bytes/unicode mismatch commit #4985
py3: DNS: get_record_entry_attrs: do not modify dict during iteration commit #4985
py3: _ptrrecord_precallaback: use bytes with labels commit #4985
py3: remove_entry_from_group: attribute name must be string commit #4985
py3: base64 encoding/decoding returns always bytes don’t mix it commit #4985
py3: x509.py: return principal as unicode string commit #4985, #6640
py3: normalize_certificate: support both bytes and unicode commit #4985
py3: strip_header: support both bytes and unicode commit #4985
py3: fingerprint_hex_sha256: fix encoding/decoding commit #4985
Principal: validate type of input parameter commit
Use dict comprehension commit
py3: can_read: attributelevelrights is already string commit #4985
py3: get_effective_rights: values passed to ldap must be bytes commit #4985
py3: WSGI executioners must return bytes in list commit #4985
py3: rpcserver: decode input because json requires string commit #4985
Use proper logging for error messages commit
dogtag.py: fix exception logging of JSON data commit
py3: convert_attribute_members: don’t use bytes as parameter for DN commit #4985
py3: make_filter_from_attr: use string instead of bytes commit #4985
py3: add_entry_to_group: attribute name must be string not bytes commit #4985
py3: HTTPResponse has no ‘dict’ attribute in ‘msg’ commit #4985
py3: _httplib_request: don’t convert string to bytes commit #4985
py3: cainstance: replace mkstemp with NamedTemporaryFile commit #4985
py3: write CA/KRA config into file opened in text mode commit #4985
py3: ldap modlist must have keys as string, not bytes commit #4985
py3: service.py: replace mkstemp by NamedTemporaryFile commit #4985
py3: create_cert_db: write to file in a compatible way commit #4985
_resolve_records: fix assert, nameserver_ip can be none commit
Remove duplicated step from DS install commit
py3: enable py3 pylint commit
ipactl: pass api as argument to services commit
KRA: don’t add KRA container when KRA replica commit
client: use exceptions instead of return states commit #6392
client: move install cleanup from ipa-client-install to module commit #6392
client: Remove useless except in ipa-client-install commit #6392
client: move custom env variable into client module commit #6392
client: extract checks from uninstall to uninstall_check commit #6392
client: extract checks from install to install_check commit #6392
client: make statestore and fstore consistent with server commit #6392
client: import IPAChangeConf directly instead the module commit #6392
client: remove extra return from hardcode_ldap_server commit #6392
client: install function: return constant not hardcoded number commit #6392
client: remove unneeded return from configure_ipa_conf commit #6392
client: remove unneeded return configure_krb5_conf commit #6392
ipa-client-install: move client install to module commit #6392
CI: workaround: wait for dogtag before replica-prepare commit #6274
Pylint: fix the rest of unused local variables commit
Pylint: remove unused variables in tests commit
Pylint: remove unused variables in ipaserver package commit
Pylint: remove unused variables from installers and scripts commit
Pylint: enable check for unused-variables commit
Remove unused variables in tests commit
Remove unused variables in the code commit
Pylint: enable global-variable-not-assigned check commit
Pylint: enable cyclic-import check commit
Test: don’t use global variable for iteration in test_cert_plugin commit #5755
Fix regexp patterns in parameters to not enforce length commit #5822
Catch DNS exceptions during emptyzones named.conf upgrade commit #6205
Tests: extend DNS cmdline tests with lowercased record type commit #6203
Show warning when net/broadcast IP address is used in installer commit #5814
Fix ScriptError to always return string from __str__ commit #6294
Bump master IPA devel version to 4.4.90 commit
Martin Kosek (1)#
Update Contributors.txt commit
Milan Kubík (4)#
Michal Reznik (1)#
Michal Židek (1)#
git: Add commit template commit
Nathaniel McCallum (3)#
Oleg Fayans (45)#
Test: made kinit_admin a returning function commit
tests: Added basic tests for certs in idoverrides commit #6412
Test for installing rules with service principals commit #6481
Test: integration tests for certs in idoverrides feature commit #6005
Added interface to certutil commit
Automated ipa-replica-manage del tests commit
Reverted the assertion for replica uninstall returncode commit #6401
Test: disabled wrong client domain tests for domlevel 0 commit #6382
tests: Fixed code styling in caless tests to make pep8 happy commit
tests: Reverted erroneous asserts in 4 tests commit
tests: fixed certinstall method commit
tests: fixed super method invocation commit
tests: added verbose assert to test_service_disable_doesnt_revoke commit
tests: Standardized replica_preparation in test_no_certs commit
tests: Implemented check for domainlevel before installation verification commit
tests: Fixed Usage of improper certs in ca-less tests commit
tests: fixed expects of incorrect error messages commit
tests: Replaced unused setUp method with install commit
tests: Replaced hardcoded certutil with imported from paths commit
tests: Enabled negative testing for cleaning replication agreements commit
tests: Made unapply_fixes call optional at master uninstallation commit
tests: Updated master and replica installation methods to enable negative testing commit
tests: Added necessary xfails commit
tests: Added necessary getkeytabs calls to fixtures commit
tests: Removed outdated command options test commit
tests: Applied correct teardown methods commit
tests: Fixed incorrect assert in verify_installation commit
tests: Adapted installation methods to utilize methods from tasks commit
tests: Removed call for install method from parent class commit
tests: Added teardown methods for server and replica installation commit
tests: Create a method that cleans all ipa certs commit
tests: Updated ipa server installation stdin text commit
tests: Added generation of missing certs commit
tests: Added basic constraints extension to the CA certs commit
tests: Fixed method failures during second call for the method commit #5880
Fixed segment naming in topology tests commit
Xfailed the tests due to a known bug with replica preparation commit #6274
Changed addressing to the client hosts to be replicas commit #6287
Petr Čech (1)#
Petr Spacek (126)#
Remove named-pkcs11 workarounds from DNSSEC tests. commit #5348
Build: forbid builds in working directories containing white spaces commit #6537
Build: always use Pylint from Python version used for rest of the build commit #157
Build: specify BuildRequires for Python 3 pylint commit #157
Build: makerpms.sh generates Python 2 & 3 packages at the same time commit #157
Accept server host names resolvable only using /etc/hosts commit #6518
Build: properly integrate ipa.pot into build system tests commit #6498
Build: properly integrate ipasetup.py into build system commit #6498
Build: properly integrate version.py into build system commit #6498
Build: properly integrate loader.js into build system commit #6498
Build: properly integrate freeipa.spec.in into build system commit #6498
Build: properly integrate ipa-version.h.in into build system commit #6498
Build: workaround bug while calling parallel make from rpmbuild commit #6418
Build: remove ipa.pot from Git as it can be re-generated at any time commit #6418
Build: integrate translation system tests again commit #6418
Build: automatically generate list of files to be translated in configure commit #6418
Build: support strip-po target for translations commit #6418
Build: use standard infrastructure for translations commit #6418
Build: fix path in ipa-ods-exporter.socket unit file commit #6495
Build: update makerpms.sh to use same paths as rpmbuild commit #6418
Build: remove incorrect use of MAINTAINERCLEANFILES commit #6418
Build: support --enable-silent-rules for Python packages commit #6418
Build: workaround bug 1005235 related to Python paths in auto-generated Requires commit #6418
Build: document what should be in %install section of SPEC file commit #6418
Build: move web UI file installation from SPEC to Makefile.am commit #6418
Build: move server directory handling from SPEC to Makefile.am commit #6418
Build: move client directory handling from SPEC to Makefile.am commit #6418
Update man page for ipa-adtrust-install by removing --no-msdcs option commit #6480
Build: pass down %{release} from SPEC to configure commit #6418
Build: update IPA_VERSION_IS_GIT_SNAPSHOT to comply with PEP440 commit #6418
Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version number on RPM build commit #6418
Build: use POSIX 1003.1-1988 (ustar) file format for tar archives commit #6418
Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source directory is Git repo commit #6418
Build: remove unused and redundant code from configure.ac and po/Makefile.in commit #6418
Build: fix make clean to remove build artifacts from top-level directory commit #6418
Build: remove obsolete instructions about BuildRequires from BUILD.txt commit #6418
Build: add make rpms target and convenience script makerpms.sh commit #6418
Build: fix KDC proxy installation and remove unused kdcproxy.conf commit #6418
Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC commit #6418
Build: do not compress manual pages at install time commit #6418
Build: create /var/run directories at install time commit #6418
Build: integrate init and init/systemd into build system commit #6418
Build: integrate contrib directory into build system commit #6418
Build: integrate daemons/dnssec into build system commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/topology files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files commit #6418
Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files commit #6418
Build: fix distribution of ipa-slapi-plugins/common files commit #6418
Build: fix distribution of daemon/ipa-kdb files commit #6418
Build: fix distribution of install/REDME.schema file commit #6418
Build: Remove spurious EXTRA_DIST from install/share/Makefile.am commit #6418
Build: fix distribution and installation of update LDIFs commit #6418
Build: fix distribution of static files for web UI commit #6418
Build: stop build when a step in web UI build fails commit #6418
Build: fix distribution and installation of static files in top-level directory commit #6418
Build: rename project from ipa-server to freeipa commit #6418
Build: remove non-existing README files from Makefile.am commit #6418
Build: fix Makefile.am files to separate source and build directories commit #6418
Build: respect --prefix for systemdsystemunitdir commit #6418
Build: fix ipaplatform detection for out-of-tree builds commit #6418
Build: replace hand-made Makefile with one generated by Automake commit #6418
Build: move version handling from Makefile to configure commit #6418
Docs: update docs about ipaplatform to match reality commit #6418
Build: replace ipaplatform magic with symlinks generated by configure commit #6418
Build docs: update platform selection instructions commit #6418
Build: split out egg-info Makefile target from version-update target commit #6418
Build: split API/ACI checks into separate Makefile targets commit #6418
Build: use default error handling for PKG_CHECK_MODULES commit #6418
Build: use libutil convenience library for client commit #6418
Build: modernize XMLRPC-client library detection commit #6418
Build: merge client/configure.ac into top-level configure.ac commit #6418
Build: move translations from install/po/ to top-level po/ commit #6418
Build: merge install/configure.ac into top-level configure.ac commit #6418
Build: merge ipatests/man/configure.ac to top-level configure.ac commit #6418
Build: merge asn1/configure.ac to top-level configure.ac commit #6418
Build: transform util directory to libutil convenience library commit #6418
Build: promote daemons/configure.ac to top-level configure.ac commit #6418
Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c commit #6418
Build: pass down LIBDIR definition from RPM SPEC to Makefile commit #6418
Build: remove deprecated AC_STDC_HEADERS macro commit
Build: require Python >= 2.7 commit
Build: remove traces of mozldap library commit
Build: modernize crypto library detection commit
Build: modernize UUID library detection commit
Build: modernize Kerberos library detection commit
Build: add missing KRB5_LIBS to daemons/ipa-otpd commit
Tests: print what was expected from callables in xmlrpc_tests commit
DNS: Improve field descriptions for SRV records commit
Raise errors from service.py:_ldap_mod() by default commit
Petr Vobornik (6)#
permissions: add permissions for read and mod of external group members commit #5504
webui: do not warn about CAs if there is only one master commit #6598
webui: fixes normalization of value in attributes widget commit
Change README to use Markdown commit
Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used commit
replicainstall: log ACI and LDAP errors in promotion check commit
Pavel Vomacka (69)#
Remove allow_constrained_delegation from gssproxy.conf commit #6225
WebUI: Add support for management of user short name resolution commit #6372
WebUI: add link to login page which for login using certificate commit #6225
Support certificate login after installation and upgrade commit #6225
WebUI: allow to show rows with same pkey in tables commit #5426
WebUI: search facet’s default actions might be overridden commit #5426
Add possibility to hide only one tab in sidebar commit #5426
Possibility to set list of table attributes which will be added to _del command commit #5426
Extend _show command after _find command in table facets commit #5426
Add possibility to pass url parameter to update command of details page commit #5426
Add property which allows refresh command to use url value commit #5426
Added optional option in refreshing after modifying association table commit #5426
Possibility to skip checking writable according to metadata commit #5426
Additional option to add and del operations can be set commit #5426
WebUI: Add Adapter for certmap_match result table commit #6601
WebUI: Possibility to choose object when API call returns list of objects commit #6601
WebUI: Add possibility to turn off autoload when details.load is called commit #6601
WebUI: don’t change casing of Auth Indicators values commit #6308
WebUI: Allow disabling lowering text in custom_checkbox_widget commit #6308
WebUI: Add Custom command multivalued adder dialog commit #6601
WebUI: Create non editable row widget for multivalued widget commit #6601
WebUI: Add possibility to set field always writable commit #6601
WebUI: fix incorrect behavior of ESC button on combobox commit #6388
WebUI: add default on_cancel function in adder_dialog commit #6388
Coverity: removed useless semicolon which ends statement earlier commit
Coverity: Fix possibility of access to attribute of undefined commit
WebUI: Hide incorrectly shown buttons on hosts tab in ID Views commit #6546
Coverity - null pointer dereference commit
Coverity - accessing attribute of variable which can point to null commit
Coverity - opens dialog which might not be created commit
Coverity - iterating over variable which could be null commit
Coverity - null pointer dereference commit
Coverity - true branch can’t be executed commit
Coverity - true branch can’t be executed commit
Coverity - removed dead code commit
Coverity - Accessing attribute of null commit
Coverity - identical code for different branches commit
Coverity - not initialized variable commit
Coverity - null pointer exception commit
Coverity - null pointer exception commit
WebUI: services without canonical name are shown correctly commit #6397
Add tooltip to all fields in DNS record adder dialog commit
WebUI: hide buttons in certificate widget according to acl commit #6341
WebUI: Change group name from ‘normal’ to ‘Non-POSIX’ commit #6334
WebUI add support for sub-CAs while revoking certificates commit #6216
WebUI: Fix showing certificates issued by sub-CA commit #6238
Add support for additional options taken from table facet commit #6238
Gabe (1)#
Allow nsaccountlock to be searched in user-find command commit
Simo Sorce (31)#
Add support for searching policies in cn=accounts commit #6568
Add code to retrieve results from multiple bases commit
Explicitly pass down ccache names for connections commit #6543
Allow rpc callers to pass ccache and service names commit #6543
Rationalize creation of RA and HTTPD NSS databases commit #5959
Separate RA cert store from the HTTP cert store commit #5959
Properly handle multiple cookies in rpc lib. commit
Properly handle multiple cookies in rpcclient commit
Fix install scripts debugging commit
Fix error message encoding commit
Stanislav Laznicka (78)#
Don’t fail more if cert req/cert creation failed commit #6755
Add message about last KRA to WebUI Topology view commit #6538
Don’t use weak ciphers for client HTTPS connections commit #6730
We don’t offer no quickies commit
Workaround for certmonger’s “Subject” representations commit #5695
Remove ipapython.nsslib as it is not used anymore commit #5695
Move publishing of CA cert to cainstance creation on master commit #5695
Don’t run kra.configure_instance if not necessary commit #5695
Move RA agent certificate file export to a different location commit #5695, #6392
Remove NSSConnection from the Python RPC module commit #5695
Remove DM password files after successful pkispawn run commit #5695
Use newer Certificate.serial_number in krainstance.py commit
Bump python-cryptography version in ipasetup.py.in commit #6631
custodiainstance: don’t use IPA-specific CertDB commit
Remove is_fips_enabled checks in installers and ipactl commit #5695
Generate sha256 ssh pubkey fingerprints for hosts commit #5695
Clarify meaning of --domain and --realm in installers commit #6574
replicainstall: give correct error message on DL mismatch commit #6510
permission-find: fix a sizelimit off-by-one bug commit #5640
fix permission_find fail on low search size limit commit #5640
Make get_entries() not ignore its limit arguments commit #5640
Do not log DM password in ca/kra installation logs commit #6461
Offer more general way to check domain level in replicainstall commit #6392
Use same means of checking replication agreements on both DLs commit #6392
replicainstall: move common checks to common_check() commit #6392
Take advantage of the ca/kra code cleanup in replica installation commit #6392
Use host keytab to connect to remote server on DL0 commit #6392
First step of merging replica installation of both DLs commit #6392
Move the pki-tomcat restart to cainstance creation commit #6392
Import just IPAChangeConf instead of the whole module commit #6392
Added file permissions option to IPAChangeConf.newConf() commit #6392
replicainstall: Unify default.conf file creation commit #6392
Replaced EMPTY_LINE constant with a function call commit #6392
client: Making the configure functions more readable commit #6392
Moved update of DNA plugin among update plugins commit #6392
Fix missing file that fails DL1 replica installation commit #6393
Make installer quit more nicely on external CA installation commit #6230
Thierry Bordaz (1)#
Timo Aaltonen (8)#
ipaplatform/debian/paths: Add some missing values. commit
ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB. commit
ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY. commit
ipaplatform/debian/services: Fix is_running arguments. commit
ipaplatform: Add Debian platform module. commit
client, platform: Use paths.SSH* instead of get_config_dir(). commit
Move ipa-otpd to $libexecdir/ipa commit
Purge obsolete firefox extension commit
Tomas Krizek (68)#
server install: require IPv6 stack to be enabled commit #6608
Env __setitem__: replace assert with exception commit
replicainstall: add context manager for rpc client commit
check_remote_version: update exception and docstring commit
Bump required version of bind-dyndb-ldap to 11.0-2 commit #6565
PEP8: fix line length for regexs in bindinstance commit
Remove obsolete serial_autoincrement from named.conf parsing commit #6565
certdb: remove unused valid_months property commit
certdb: remove unused keysize property commit
Fix coverity issue commit
ipautil: check for open ports on all resolved IPs commit #6522
replica-conncheck: improve error message during replicainstall commit #6497
ipa-replica-conncheck: do not close listening ports until required commit #6487
services: replace admin_conn with api.Backend.ldap2 commit #6461
upgrade: do not explicitly set principal for services commit #6500
cainstance: use correct certificate for replica install check commit #6461
replicainstall: use ldap_uri in ReplicationManager commit #6461
replicainstall: correct hostname in ReplicationManager commit #6461
install: remove adhoc dis/connect from services commit #6461
replicainstall: properly close adhoc connection in promote commit #6461
install: remove adhoc api.Backend.ldap2 (dis)connect commit #6461
install: add restart_dirsrv for directory server restarts commit #6461
replicainstall: set ldapi uri in replica promotion commit #6461
Update ipa-server-install man page for hostname commit #6330
Add help info about certificate revocation reasons commit #6327
Add log messages for IP checks during client install commit #6331
Show error message for invalid IPs in client install commit #6340
Thorsten Scherf (2)#
shanyin (1)#
fix missing translation string commit