The FreeIPA team would like to announce the FreeIPA 4.6.0 release!

It can be downloaded from https://releases.pagure.org/freeipa/. Builds for Fedora 26 and 27 are available in the official COPR repository https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/.

Highlights in 4.6.0

Enhancements

  • Python 3 is now supported.

Known Issues

  • WebUI may not work in some configurations [#7126, #7127]

  • Attempting to uninstall when IPA isn’t installed prints confusing strings [#7063]

Bug fixes

This release contains all bug fixes and enhancements from the 4.5.1, 4.5.2 and 4.5.3 releases.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7123 External CA renewal fails when IPA CA subject DN does not match “CN=Certificate Authority, {subject-base}”

  • #7116 dnssec: fix localhsm.py with openhsm >= 2.2.0

  • #7108 ipa-backup broken because of cyclic import

  • #7086 [ipatests] - add caless to cafull tests

  • #7066 WebUI: All columns of user in group table are clickable

  • #7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!

  • #7017 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com

  • #6605 make lint + make modifies PO files in place

  • #6582 Web UI: Change “Host Based” and “Role Based” to “Host-Based” and “Role-Based”

  • #6447 [WebUI] Remove offline version of WebUI

  • #6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’

  • #6176 Updating of dns system records rapidly slowdown uninstallation

  • #7121 ipa otptoken-add-yubikey fails with python3

  • #7118 Fix CA-less installation due to incorrect with statement

  • #7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0

  • #7100 test_caless: add SAN dNSName extensions for wildcard tests

  • #7088 Use X509v3 Basic Constraints “CA:TRUE” instead of “CA:FALSE” IPA CA CSR

  • #7076 Adjust to CURL which started to use OpenSSL - ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)

  • #7053 Replica install fails to configure IPA-specific temporary files/directories

  • #7052 WebUI: search facet spec actions contains ‘undefined’ item

  • #7051 ipapython/graph.py complexity optimization

  • #7050 Type error when running tests for whoami command.

  • #7046 missing default basedn causes failure during initialization of multi host tests

  • #7030 tests: CA-less test suite broken due to missing subject key identifier extension

  • #7011 --force-join option is not mentioned in ipa-replica-install man page

  • #7010 ipa-backup fails silently

  • #7002 adtrustinstance: broken ID range assessment

  • #6987 ca-add: invalid X.509 DN fails ungracefully

  • #6986 make pylint is not working on F26

  • #6980 Pagination Size under Customization in IPA WebUI accepts negative values

  • #6976 External CA: check that IPA CA certificate contains Subject Key Identifier

  • #6974 WebUI: Fix unit webUI tests

  • #6971 ipatests: collect systemd journal

  • #6956 Backup and restore tests failing

  • #6946 ipa-replica-manage del (dl 0) doesn’t remove server from defaultServerList

  • #6945 Bring back error messages from certificate validation

  • #6943 server-del doesn’t remove server from defaultServerList in cn=default,ou=profile,$BASE

  • #6940 installer should indicate that it is waiting for keys

  • #6939 ipaserver.plugins.host.get_dn timeout due to unindexed search

  • #6928 ipa-managed-entries incorrectly states server not installed

  • #6865 minor spelling mistake in ipa-adtrust-install.1

  • #6863 minor spelling mistake

  • #6852 [RFE] Create client enrollment role

  • #6849 Priority field missing in required field indicator - *

  • #6845 ipa-otpd.socket.in has wrong kdc service name for Debian

  • #6834 ipa-kdc-proxy.conf.template hardcodes python module directory

  • #6822 git-commit-template: update ticket URL to use pagure.io instead of fedorahosted.org

  • #6818 Update asn1c code in /asn1/asn1c

  • #6809 Failed to write schema: b’sudo/1’ is not JSON serializable

  • #6745 [test] ipa whoami command

  • #6725 No page for information on build from source

  • #6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP

  • #6591 pytest 3.0: yield tests are deprecated

  • #5990 Py3: zonemgr_callback: expected unicode, got bytes

  • #5919 cert-request rfc822Name check compares whole email address case-sensitively

  • #4985 [RFE] Support Python 3

Detailed changelog since 4.5.3

Alexander Bokovoy (13)

  • csrgen: support openssl 1.0 and 1.1 commit #7110

  • dcerpc: support Python 3 commit #4985

  • ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later commit #6877

  • ipa-sam: use own private structure, not ldapsam_privates commit #6877

  • trust-mod: allow modifying list of UPNs of a trusted forest commit #7015

  • ipa-kdb: add pkinit authentication indicator in case of a successful certauth commit #6736

  • Fix index definition for ipaAnchorUUID commit #6975

  • krb5: make sure KDC certificate is readable commit #6973

  • trust: always use oddjobd helper for fetching trust information commit

  • ipaserver/dcerpc: unify error processing commit #6859

  • adtrust: make sure that runtime hostname result is consistent with the configuration commit #6786

  • server: make sure we test for sss_nss_getlistbycert commit #6828

  • ldap2: use LDAP whoami operation to retrieve bind DN for current connection commit #6797

Abhijeet Kasurde (6)

Alex Zeleznikov (1)

  • Sort SRV records by priority commit

Aleksei Slaikovskii (3)

  • ipapython/graph.py redundant variable fix commit

  • ipapython/graph.py String formatting commit

  • ipapython/graph.py complexity optimization commit #7051

Ben Lipton (4)

  • csrgen: Beginnings of NSS database support commit #4899

  • csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo commit #4899

  • csrgen: Change to pure openssl config format (no script) commit #4899

  • csrgen: Remove helper abstraction commit #4899

Christian Heimes (40)

  • Misc Python 3 fixes for ipaserver.secrets commit #4985

  • Reimplement yield tests are parametrized tests commit #6591

  • Silence pytest.yield_fixture deprecation warning commit #6591

  • Slim down dependencies commit

  • Vault: Explicitly default to 3DES CBC commit #6899

  • Band-aid for pip dependency bug commit

  • Correct PyPI package dependencies commit #6875

  • tox: use pylint 1.6.x for now commit #6874

  • Replace _BSD_SOURCE with _DEFAULT_SOURCE commit #6818

  • Regenerate ASN.1 code with asn1c 0.9.28 commit #6818

  • tox testing support for client wheel packages commit

  • Stabilize make pypi_packages commit

  • Replace hard-coded kdcproxy path with WSGI script commit #6834

  • Use entry_points for ipa CLI commit #6653, #6850

  • Don’t hard-code with_wheels commit

  • Add an option to build ipaserver wheels commit

  • Add extra_requires for additional dependencies commit

  • Conditionally import pyhbac commit

  • Skip test_session_storage in ipaclient unittest mode commit

  • Add make devcheck for developers commit #6604

  • session storage parameters must be bytes commit

  • Fix ipatests.util doc tests commit

  • Use Custodia 0.3.1 features commit

  • Simplify KRA transport cert cache commit #6787

  • pytest 3.x compatibility commit

  • Constrain wheel package versions commit #6468

  • Move remaining util functions to tasks module commit #6798

  • Ship ipatests.pytest_plugins.integration commit #6798

  • Move function run_repeatedly to tasks module commit #6798

  • Move hosts module to ipatests.pytest_plugins.integration.hosts commit #6798

  • Move tasks module to ipatests.pytest_plugins.integration.tasks commit #6798

  • Move env_config module to ipatests.pytest_plugins.integration.env_config commit #6798

  • Move config module to ipatests.pytest_plugins.integration.config commit #6798

  • Move helper code for integration plugin commit #6798

  • Increase Apache HTTPD’s default keep alive timeout commit

  • Add debug logging for keep-alive commit

  • Use connection keep-alive commit #6641

  • Add options to run only ipaclient unittests commit #6517

  • Python 3: Fix session storage commit

  • Fix Python 3 pylint errors commit

David Kreitschmann (4)

  • Disable pylint in get_help function because of type confusion. commit

  • Store help in Schema before writing to disk commit

  • Use os.fsync instead of os.fdatasync because macOS doesn’t support fdatasync commit

  • Fix libkrb5 filename for macOS commit

David Kupka (22)

  • tests: certmap: Add test for user-{add,remove}-certmap commit #7105

  • tests: tracker: Add CertmapdataMixin tracker commit #7105

  • tests: certmap: Add test for certmapconfig-{mod,show} commit #7105

  • tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands commit #7105

  • tests: certmap: Test permissions for certmap commit #7105

  • tests: certmap: Add basic tests for certmaprule commands commit #7105

  • tests: tracker: Add CertmapTracker for testing certmap-* commands commit #7105

  • tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands commit #7105

  • tests: tracker: Add EnableTracker to test *-{enable,disable} commands commit #7105

  • tests: tracker: Split Tracker into one-purpose Trackers commit #7105

  • install: replica: Show message about key synchronization commit #6940

  • kra: promote: Get ticket before calling custodia commit #7020

  • ipapython.ipautil.run: Add option to set umask before executing command commit #6831

  • otptoken-add-yubikey: When --digits not provided use default value commit #6900

  • Bump version of ipa.conf file commit #6860

  • Create system users for FreeIPA services during package installation commit #6743

  • WebUI: cert login: Configure name of parameter used to pass username commit #6860

  • httpinstance.disable_system_trust: Don’t fail if module ‘Root Certs’ is not available commit #6803

  • spec file: Bump requires to make Certificate Login in WebUI work commit #6823

  • rpcserver.login_x509: Actually return reply from __call__ method commit #6819

  • Create temporary directories at the beginning of uninstall commit #6715

  • ipapython.ipautil.nolog_replace: Do not replace empty value commit #6738

felipe (1)

  • Fixing replica install: fix ldap connection in domlvl 0 commit #6549

Felipe Volpone (3)

  • Removing part of circular dependency of ipalib in ipaplatform commit #7108

  • Changing how commands handles error when it can’t connect to IPA server commit #6261

  • py3: fixing zonemgr_callback commit #5990

Felipe Volpone (5)

  • Adding section “Building FreeIPA from source” on README commit #6725

  • Changing cert-find to go through the proxy instead of using the port 8080 commit #6966

  • Changing cert-find to do not use only primary key to search in LDAP. commit #6948

  • Fixing adding authenticator indicators to host commit #6911

  • Fixing the cert-request comparing whole email address case-sensitively. commit #5919

Fabiano Fidêncio (1)

  • Allow erasing ipaDomainResolutionOrder attribute commit #6825

Florence Blanc-Renaud (22)

  • Fix Certificate renewal (with ext ca) commit #7106

  • Fix ipa-server-upgrade: This entry already exists commit #7125

  • ipa-replica-conncheck: handle ssh not installed commit #6935

  • ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt commit #6925

  • ipa-replica-manage del (dl 0): remove server from defaultServerList commit #6946

  • server-del: update defaultServerList in cn=default,ou=profile,$BASE commit #6943

  • ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname commit #6895

  • ipa-server-install: fix uninstall commit #6950

  • ipa-kra-install manpage: document domain-level 1 commit #6922

  • ipa-kra-install: fix check_host_keys commit #6934

  • ipa-server-install with external CA: fix pkinit cert issuance commit #6921

  • ipa-client-install: remove extra space in pkinit_anchors definition commit #6916

  • vault: piped input for ipa vault-add fails commit #6907

  • upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed commit #6881

  • tests: add non-reg for idrange-add commit #6404

  • Upgrade: add gidnumber to trusted domain entry commit #6827

  • ipa-sam: create the gidNumber attribute in the trusted domain entry commit #6827

  • idrange-add: properly handle empty --dom-name option commit #6404

  • ipa-ca-install man page: Add domain level 1 help commit #5831

  • git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org commit #6822

  • dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function commit #6813

  • man ipa-cacert-manage install needs clarification commit #6795

Fraser Tweedale (14)

  • Fix external renewal for CA with non-default subject DN commit #7123

  • py3: handle bytes in schema response commit #6809

  • py3: fix vault public key decoding commit #7033

  • cert: fix application of ‘str’ to bytes when formatting otherName commit #4985

  • py3: fix schema response for py2 server with py3 client commit #4985

  • Fix incorrect ‘with’ statement in CA-less installation commit #7118

  • Restore old version of caIPAserviceCert for upgrade only commit #7097

  • cert-request: simplify request processing commit #6531

  • Add CommonNameToSANDefault to default cert profile commit #7007

  • Add a README to certificate profile templates directory commit #7014

  • py3: fix regression in schemaupdate commit #4985

  • ca-add: validate Subject DN name attributes commit #6987

  • Add Subject Key Identifier to CA cert validity check commit #6976

  • Support 8192-bit RSA keys in default cert profile commit #6319

Jan Cholasta (61)

  • pylint: enable logging checks commit

  • logging: do not use `ipa_log_manager` to create module-level loggers commit

  • logging: do not log into the root logger commit

  • logging: do not reference loggers in arguments and attributes commit

  • doc: sync guide.org with cli.py commit

  • logging: remove object-specific loggers commit

  • logging: use the actual root logger as the root logger commit

  • logging: port to standard Python logging commit

  • logging: do not configure any handlers by default commit

  • wsgi, oddjob: remove needless uses of Env commit

  • config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn` commit

  • ldap2: remove URI argument from ldap2 constructor commit

  • test_ldap: drop redundant URI argument commit

  • {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections commit

  • user, migration: use LDAPClient for ad-hoc LDAP connections commit

  • install: do not assume /etc/krb5.conf.d exists commit #6589

  • server upgrade: do not enable PKINIT by default commit #7000

  • pkinit manage: introduce ipa-pkinit-manage commit #7000

  • server certinstall: update KDC master entry commit #7000

  • httpinstance: wait until the service entry is replicated commit #6867

  • server certinstall: support PKINIT commit #6831

  • cacert manage: support PKINIT commit #6831

  • replica install: respect --pkinit-cert-file commit #6831

  • server install: fix KDC certificate validation in CA-less commit #6831, #6869

  • certs: do not export CA certs in install_pem_from_p12 commit #6831, #6869

  • certs: do not export keys world-readable in install_key_from_p12 commit #6831

  • server install: fix KDC PKINIT configuration commit #6831

  • install: introduce generic Kerberos Augeas lens commit #6831

  • client install: fix client PKINIT configuration commit #6831

  • install: trust IPA CA for PKINIT commit #6831

  • certdb: use custom object for trust flags commit #6831

  • certdb, certs: make trust flags argument mandatory commit #6831

  • certdb: add named trust flag constants commit #6831

  • ipa-cacert-manage: add --external-ca-type commit #5799

  • renew agent: get rid of virtual profiles commit #5799

  • renew agent: always export CSR on IPA CA certificate renewal commit #5799

  • renew agent: allow reusing existing certs commit #5799

  • cainstance: use correct profile for lightweight CA certificates commit #5799

  • server upgrade: always fix certmonger tracking request commit #5799

  • renew agent: respect CA renewal master setting commit #5799

  • spec file: bump krb5 Requires for certauth fixes commit #4905

  • spec file: bump python-netaddr Requires commit #6894

  • configure: fix AC_CHECK_LIB usage commit #6846

  • cert: defer cert-find result post-processing commit #6808

  • renew agent, restart scripts: connect to LDAP after kinit commit #6757

  • renew agent: revert to host keytab authentication commit #6757

  • install: request service certs after host keytab is set up commit #6757

  • dsinstance, httpinstance: consolidate certificate request code commit #6757

  • httpinstance: avoid httpd restart during certificate request commit #6757

  • dsinstance: reconnect ldap2 after DS is restarted by certmonger commit #6757

  • httpinstance: make sure NSS database is backed up commit #4639

  • certdb: fix `AttributeError` in `verify_ca_cert_validity` commit

  • setup, pylint, spec file: drop python-nss dependency commit

  • certdb: use certutil and match_hostname for cert verification commit

  • spec file: bump libsss_nss_idmap-devel BuildRequires commit #6828

  • spec file: bump krb5-devel BuildRequires for certauth commit #4905

  • cert: do not limit internal searches in cert-find commit #6716

  • replica prepare: fix wrong IPA CA nickname in replica file commit #6777

  • httpinstance: clean up /etc/httpd/alias on uninstall commit #4639

  • certs: do not implicitly create DS pin.txt commit #4639

  • tasks: run `systemctl daemon-reload` after httpd.service.d updates commit #6773

René Genz (3)

  • fix minor spelling mistakes commit

  • fix spelling mistake; minor rewording commit

  • fix minor typos in ipa-adtrust-install.1 commit

Martin Babinsky (45)

  • Move tmpfiles.d configuration handling back to spec file commit #7053

  • Do not remove the old masters when setting the attribute fails commit #7029

  • *config-show: Do not show empty roles/attributes commit #7029

  • smart-card-advises: ensure that krb5-pkinit is installed on client commit #7036

  • smart card advise: use password when changing trust flags on HTTP cert commit #7036

  • smart card advises: use a wrapper around Bash `for` loops commit #7036

  • Use the compound statement formatting API for configuring PKINIT commit #7036

  • Fix indentation of statements in Smart card advises commit #7036

  • delegate formatting of compound Bash statements to dedicated classes commit #7036

  • advise: add an infrastructure for formatting Bash compound statements commit #7036

  • delegate the indentation handling in advises to dedicated class commit #7036

  • add a class that tracks the indentation in the generated advises commit #7036

  • Allow to pass in multiple CA cert paths to the smart card advises commit #7036

  • smart-card advises: add steps to store smart card signing CA cert commit #7036

  • smart-card advises: configure systemwide NSS DB also on master commit #7036

  • Prepare advise plugin for smart card auth configuration commit #6982

  • Extend the advice printing code by some useful abstractions commit #6982

  • fix incorrect suffix handling in topology checks commit #6965

  • Do not delete DS and PKI users during backup/restore tests commit #6956

  • test_backup_restore: do not fail on missing KrbLastSuccessfulAuth commit #6956

  • only stop/disable simple service if it is installed commit #6977

  • test_serverroles: Get rid of MockLDAP and use ldap2 instead commit #6937

  • Add `pkinit-status` command commit #6937

  • Add the list of PKINIT servers as a virtual attribute to global config commit #6937

  • Add an attribute reporting client PKINIT-capable servers commit #6937

  • Refactor the role/attribute member reporting code commit #6937

  • Allow for multivalued server attributes commit #6937

  • Travis CI: Add the server uninstaller as a last step of tests commit #6950

  • Travis CI: explicitly update pip before running the builds commit

  • Do not test anonymous PKINIT after install/upgrade commit #6830

  • Upgrade: configure local/full PKINIT depending on the master status commit #6830

  • Use local anchor when armoring password requests commit #6830

  • Stop requesting anonymous keytab and purge all references of it commit #6830

  • Use only anonymous PKINIT to fetch armor ccache commit #6830

  • API for retrieval of master’s PKINIT status and publishing it in LDAP commit #6830

  • Allow for configuration of all three PKINIT variants when deploying KDC commit #6830

  • separate function to set ipaConfigString values on service entry commit #6830

  • Revert “Store GSSAPI session key in /var/run/ipa” commit #6880

  • Remove duplicate functionality in upgrade commit #6799

  • Always check and create anonymous principal during KDC install commit #6799

  • Ensure KDC is properly configured after upgrade commit #6792

  • Split out anonymous PKINIT test to a separate method commit #6792

  • Remove unused variable from failed anonymous PKINIT handling commit #6792

  • Upgrade: configure PKINIT after adding anonymous principal commit #6792

  • Travis CI: invoke integration test helper scripts before test execution commit

Martin Basti (63)

  • DNS update: reduce timeout for CA records commit #6176

  • baseldap: fix format string commit

  • IPAOptionParser: fix dict comprehension commit

  • py3: run already ported scripts under py3 by default commit #4985

  • py3: temporary set dependencies to both py2 and py3 packages commit #4985

  • py3: test_otptoken_import: fix bytes usage commit #4985

  • py3: ipa_otptoken_import: fix hex decoding commit #4985

  • py3: ipa_otptoken_import: fix calling unicode on bytes commit #4985

  • py3: ipa_otptoken_import: fix lambda code inspection commit #4985

  • py3: Remove comparison >=2 of debug log level commit #4985

  • py3: vault: data must be bytes commit #4985

  • py3: test_location_plugin: fix iteration over changed dict commit #4985

  • py3: test_kerberos_principal_aliases: fix code scope commit #4985

  • py3: dogtag.py: fix bytes warnings commit #4985

  • py3: travis: enable tests for plugins that are already working commit #4985

  • py3: secrets: remove iteritems usage commit #4985

  • Travis: check for BytesWarnings in httpd error_log commit

  • py3: ipaldap: fix encoding of datetime objects commit #4985

  • py3: LDAPClient: remove __del__ method commit

  • LDAPEntry: rename _orig to _orig_raw commit #4985

  • python-netifaces: update to reflect upstream changes commit #7021

  • Travis: enable temporary Py3 testing commit

  • Travis: build only py2 packages for py2 testing commit

  • Build: allow to build only py2 rpms for fedora commit

  • Remove network and broadcast address warnings commit #4317

  • replica install: add missing check for non-local IP address commit #4317

  • Remove ip_netmask from option parser commit #4317

  • CheckedIPAddress: remove match_local param commit #4317

  • refactor CheckedIPAddress class commit #4317

  • ipa-dns-install: remove check for local ip address commit #4317

  • Fix local IP address validation commit #4317

  • Explicitly ask for py2 dependencies in py2 packages commit #4985

  • Only warn when specified server IP addresses don’t match intf commit #2715, #4317

  • pylint: explicitly depends on python2-pylint commit #6986

  • py3: update_mod_nss_cipher_suite: ordering doesn’t work with None commit #4985

  • py3: urlfetch: use “file://” prefix with filenames commit #4985

  • py3: cainstance: fix BytesWarning commit #4985

  • py3: schemaupdate: fix BytesWarning commit #4985

  • py3: LDAP updates: use only bytes/raw values commit #4985

  • py3: softhsm key_id must be bytes commit #4985

  • py3: ipaldap: encode Boolean as bytes commit #4985

  • py3: ConfigParser: replace deprecated readfd with read commit #4985

  • py3: use ConfigParser instead of SafeConfigParser commit #4985

  • Add remote_plugins subdirectories to RPM commit #6927

  • custodia dep: require explicitly python2 version commit #6962

  • pylint: ignore new checks added in 1.7 commit #6874

  • Pylint: fix ipa_forbidden_import checker commit #6874

  • travis: fix pylint execution with py3 commit #4985

  • py3: add missing py3 pylint dependencies commit #4985, #6874

  • adtrust: move SELinux settings to constants commit

  • httpd: move SELinux settings to constants commit

  • ipasetup: fix dependencies handling based on python version commit #6875

  • ipaclient: fix missing RPM ownership commit #6927

  • tests: add missing dependency iptables commit

  • ca_status: add HTTP timeout 30 seconds commit #6766

  • http_request: add timeout option commit #6766

  • Use proper SELinux context with http.keytab commit #6924

  • Store GSSAPI session key in /var/run/ipa commit #6880

  • Fix PKCS11 helper commit #6692

  • Remove surplus ‘the’ in output of ipa-adtrust-install commit #6864

  • collect audit.log for easier selinux investigation commit

  • Set “KDC:Disable Last Success” by default commit #5313

  • Set development version to 4.5.90 commit

Lewis Eason (1)

  • Correct typo estabilish->establish in the install scripts commit

Michal Reznik (9)

  • test_caless: add SAN dNSName extensions for wildcard tests commit #7100

  • test_caless: add replica ca-less to ca-full test (master caless) commit #6226, #7086

  • test_caless: add server_replica ca-less to ca-full test commit #7086

  • tests: fix external_ca test suite failing due to missing SKI commit #7099

  • test_caless: remove xfail in wildcard certificate tests commit #5603

  • test_caless: introduce new python makepki + fix SKI extension issue commit #7030

  • test_caless: mark TestCertinstall intermediate CA tests as xfail commit #6959

  • test_caless: add pkinit option and test it commit #6854

  • added krb5kdc.log to pytest logging commit

Nathaniel McCallum (1)

  • ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace commit #7035

Oliver Gutierrez (1)

  • Added plugins directory to paclient subpackages commit

Petr Spacek (1)

  • ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri commit

Petr Vobornik (5)

  • log progress of wait_for_open_ports commit #7083

  • control logging of host_port_open from caller commit #7083

  • kerberos session: use CA cert with full cert chain for obtaining cookie commit #6876

  • restore: restart/reload gssproxy after restore commit #6902

  • automount install: fix checking of SSSD functionality on uninstall commit #6861

Pavel Vomacka (34)

  • Fixes bug in actions creating for search facet commit #7052

  • WebUI: fix showing required asterisk ‘*’ commit #6849

  • WebUI: Update unit test README commit #6974

  • Fixes details_test.js commit #6974

  • Fixes for widget_tests.js commit #6974

  • Fixes for aci_tests.js commit #6974

  • Fixes for entity_tests.js commit #6974

  • Fixes for ipa_test.js commit #6974

  • Add up to date JSON files commit #6974

  • Add loader.js into requirements of all HTML unit test files commit #6974

  • WebUI: remove creating js/libs symlink from makefile commit #6447

  • WebUI: Remove plugins symlink as it is unused commit #6447

  • Remove all old JSON files commit #6447

  • Revert “Web UI: Remove offline version of Web UI” commit

  • WebUI: Add hyphenate versions of Host(Role) Based strings commit #6582

  • WebUI: fix incorrectly shown links in association tables commit #7066

  • WebUI: fix jslint error commit

  • WebUI: change validator of page size settings commit #6980

  • WebUI: Add positive number validator commit #6980

  • WebUI: add support for changing trust UPN suffixes commit #7015

  • Bump version of python-gssapi commit #6796

  • Turn off OCSP check commit #6981, #6982

  • Change python-cryptography to python2-cryptography commit #6749

  • Turn on NSSOCSP check in mod_nss conf commit #6370

  • WebUI - Coverity: fix identical branches of if statement commit

  • WebUI - Coverity: fixed null pointer exception commit

  • WebUI: Coverity - add explicit window object to alert methods commit

  • WebUI: Allow to add certs to certmapping with CERT LINES around commit #6772

  • WebUI: Fix showing vault in selfservice view commit #6812

  • WebUI: suppress truncation warning in select widget commit #6618

  • WebUI: Add support for suppressing warnings commit #6618

  • WebUI: Add support for login for AD users commit #3242

  • WebUI: add method for disabling item in user dropdown menu commit #3242

  • WebUI: check principals in lowercase commit #3242

Rob Crittenden (2)

  • Include the CA basic constraint in CSRs when renewing a CA commit #7088

  • Pass ipa-ca-agent credentials as PEM files commit #7076

Gabe (2)

  • Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches commit #6896

  • Add --password-expiration to allow admin to force user password expiration commit

Sumit Bose (11)

  • ipa_pwd_extop: do not generate NT hashes in FIPS mode commit #7026

  • ipa-sam: replace encode_nt_key() with E_md4hash() commit #7026

  • ipa-kdb: use canonical principal in certauth plugin commit #6993

  • ipa-kdb: reload certificate mapping rules periodically commit #6963

  • IPA-KDB: use relative path in ipa-certmap config snippet commit #6833

  • extdom: improve cert request commit #6826

  • extdom: do reverse search for domain separator commit

  • ipa-kdb: do not depend on certauth_plugin.h commit #4905

  • configure: fix --disable-server with certauth plugin commit #6816

  • IPA certauth plugin commit #4905

  • ipa-kdb: add ipadb_fetch_principals_with_extra_filter() commit #4905

Simo Sorce (12)

  • Always check peer has keys before connecting commit

  • Make sure we check ccaches in all rpcserver paths commit

  • Revert setting sessionMaxAge for old clients commit #7001

  • Add code to be able to set default kinit lifetime commit #7001

  • Fix rare race condition with missing ccache file commit

  • Make sure remote hosts have our keys commit #6838

  • Fix s4u2self with adtrust commit #6862

  • Prevent churn on ccaches commit #6775

  • Work around issues fetching session data commit #6775

  • Handle failed authentication via cookie commit #6775

  • Avoid growing FILE ccaches unnecessarily commit #6775

  • Add options to allow ticket caching commit #6771

Stanislav Laznicka (97)

  • spec: remove strict options from shebangs commit #4985

  • spec: have the scripts depend on py3 packages commit #4985

  • spec: remove python3 workaround commit #4985

  • Remove unused variable commit

  • certmonger: remove temporary workaround commit

  • cert: fix wrong assumption of cert-show result type commit #4985

  • rpc: don’t encode bytes commit #4985

  • py3: Fix searching for yubikeys commit #7121

  • py3: remove relative import commit #4985, #6874

  • py3: remove Exception.message appearances commit #4985, #6874

  • Fix cert file creation during CA-less installation commit #7118

  • Uninstall: fix BytesWarning exception commit #4985

  • Unify storing certificates in LDAP commit #4985

  • py3: fix caless to CA promotion on replica commit #4985

  • cacert_manage: fix CA cert renewal commit #4985

  • python3: port certmonger requests script commit #4985

  • crtmgr: fix bug if CERTMONGER_CERTIFICATE not set commit #4985

  • certmonger: finish refactoring for request script commit #4985

  • certmonger: fix storing retrieved certificates commit #4985

  • Make the IPA server run under Python 3 by default commit #4985

  • Turn IPA scripts to python3 -bb for testing commit #4985

  • py3: Depend on newer pyldap for server-upgrade commit #4985

  • ipautil: port host_port_open() to python 3 commit #4985

  • conncheck: fix progression on failure commit #4985

  • kerberos: fix sorting Principal objects commit #4985

  • host, service: fix adding host/svc with a cert commit #7077

  • server plugin: pass bytes to ldap.modify_s commit #4985

  • replica: fix SetuptoolsVersion comparison commit #4985

  • replica-prepare: run the script in py3 by default commit #4985

  • certs: write and read bytes as such commit #4985

  • client: make ipa-client-install py3 compatible commit #4985

  • cainstance: read cert file as bytes commit #4985

  • ca: TypeError fix commit #4985

  • krainstance: fix writing str to file commit #4985

  • replica-conncheck: log when failed to RPC connect commit

  • Fixup of not-so-good PEM certs commit #4985

  • x509,certdb: handle certificates as bytes commit #4985

  • Create a Certificate parameter commit #4985

  • parameters: relax type checks commit #4985

  • tests: fix failing HTTPS connection commit #4985

  • Introduce load_unknown_x509_certificate() commit #4985

  • x509: Make certificates represented as objects commit #4985

  • Split x509.load_certificate() into PEM/DER functions commit #4985

  • README: Fix trailing whitespace commit

  • Ensure network is online prior to an upgrade commit #7039

  • rpcserver: remove addition of str and bytes commit #4985

  • wsgi plugins: mod_wsgi expects bytes as an output commit #4985

  • adtrustinstance: write the conf as a string commit #4985

  • adtrustinstance: pep8 fix commit

  • More verbose error message on kdc cert validation commit #6945

  • cert-validate: keep all messages in cert validation commit #6945

  • adtrustinstance: fix ID range comparison commit #7002

  • Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm() commit

  • ipadiscovery: Return realm as a string commit #4985

  • session_storage: Correctly handle string/byte types commit #4985

  • rpc: avoid possible recursion in create_connection commit #6796

  • rpc: preparations for recursion fix commit #6796

  • Avoid possible endless recursion in RPC call commit #6796

  • kdc.key should not be visible to all commit #6973

  • Change ConfigParser to RawConfigParser commit #4985

  • ca/cert-show: check certificate_out in options commit #6885

  • Remove pkinit-anonymous command commit #6936

  • Make a doctext more clear commit

  • Provide useful messages during cert validation commit #6945

  • cert-show: writable files does not mean dirs commit #6883

  • fix managed-entries printing IPA not installed commit #6928

  • Fix wrong message on Dogtag instances stop commit #6766

  • Make CA/KRA fail when they don’t start commit #6766

  • Remove the cachedproperty class commit #6878

  • Refresh Dogtag RestClient.ca_host property commit #6878

  • compat plugin: Update link to slapi-nis project commit

  • compat: ignore cn=topology,cn=ipa,cn=etc subtree commit #6821

  • Move the compat plugin setup at the end of install commit #6821

  • compat-manage: behave the same for all users commit #6821

  • Fix CAInstance.import_ra_cert for empty passwords commit #6878

  • Fix RA cert import during DL0 replication commit #6878

  • ext. CA: correctly write the cert chain commit #6872

  • server-install: No double Kerberos install commit #6757

  • Fix CA-less to CA-full upgrade commit #6853

  • replicainstall: better client install exception handling commit #6183

  • Add the force-join option to replica install commit #6183

  • server-install: remove broken no-pkinit check commit #6807

  • Add pki_pin only when needed commit #6839

  • Remove publish_ca_cert() method from NSSDatabase commit #6806

  • Get correct CA cert nickname in CA-less commit #6806

  • Remove redundant option check for cert files commit #6801

  • replica-prepare man: remove pkinit option refs commit #6801

  • Don’t allow setting pkinit-related options on DL0 commit #6801

  • Fix the order of cert-files check commit #6801

  • Generate PIN for PKI to help Dogtag in FIPS commit #6824

  • Backup CA cert from kerberos folder commit #6748

  • Allow renaming of the sudorule objects commit #2466

  • Allow renaming of the HBAC rule objects commit #6784

  • Reworked the renaming mechanism commit #2466, #6784

  • Bump samba version for FIPS and priv. separation commit #6671, #6697

  • Backup ipa-specific httpd unit-file commit #6748

  • Add debug log in case cookie retrieval went wrong commit #6774

Thierry Bordaz (1)

  • NULL LDAP context in call to ldap_search_ext_s during search commit #7017

Tibor Dudlák (11)

  • otptoken_yubikey.py: Removed traceback when package missing. commit #6979

  • topology.py: Removes error message from dictionary. commit #6533

  • Add test: test_xmlrpc/test_whoami_plugin.py commit #6745

  • whoami.py: Type error when running tests commit #7050

  • Create indexes for ‘serverhostname’ attribute commit #6939

  • Add --force-join into ipa-replica-install manpage commit #7011

  • dnsserver.py: dnsserver-find no longer returns internal server error commit #6571

  • Add Role ‘Enrollment Administrator’ commit #6852

  • server.py: Removes dns-server configuration from ldap commit #6572

  • sssd.py: Deprecating no-sssd option. commit #5860

  • client.py: Replace hardcoded ‘admin’ with options.principal commit #5406

Tibor Dudlák (2)

  • user.py: replace user_mod with ldap.update_entry() commit #5788

  • Add ‘TIP’ to enable copr repo. commit

Timo Aaltonen (2)

  • ipa-otpd.socket.in: Use a platform specific value for KDC service file commit #6845

  • configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in commit

Tomas Krizek (25)

  • Become IPA 4.6.0 commit

  • Contributors.txt: update commit

  • zanata: update translations for ipa-4-6 commit

  • zanata: set project version to ipa-4-6 commit

  • dnssec: keep dnssec daemons in Python2 commit #4985

  • ipatests: collect log after ipa-ca-install commit #7060

  • dnssec: fix localhsm.py utility script commit #7116

  • prci: add caless tests commit

  • makerpms.sh: make git checkout optional commit #6605

  • build: checkout *.po files at the end of makerpms.sh commit #6605

  • freeipa-pr-ci: enable pull-request CI commit

  • ipactl: log check_version exception commit

  • logging: make sure logging level is set to proper value commit

  • ipatests: do not finalize api when IPA is not configured commit #7046

  • ipatests: do not collect systemd journal when logfile_dir is missing commit #6971

  • ipatests: add systemd journal collection for multihost tests commit #6971

  • ipatests: change logdir naming pattern for multihost tests commit #6971

  • named.conf template: add modification warning commit

  • ca, kra install: validate DM password commit #6892

  • installutils: add DM password validator commit #6892

  • ca install: merge duplicated code for DM password commit #6892

  • upgrade: add missing suffix to http instance commit #6920

  • installer service: fix typo in service entry commit #6920

  • python2-ipalib: add missing python dependency commit #6920

  • kra install: update installation failure message commit #6923

Thorsten Scherf (2)

  • Changed ownership of ldiffile to DS_USER commit #7010

  • Fixed typo in ipa-client-install output commit