Ctrl+K

Highlights in 4.7.3

The FreeIPA team would like to announce FreeIPA 4.7.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 will be available in the official COPR repository.

Highlights in 4.7.3#

  • 6077: [RFE] Support One-Way Trust authenticated by trust secret

With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.

  • 7193: [RFE] Warn or adjust umask if it is too restrictive to break installation

If the umask has been used during the installation of an Identity Management (IdM) it was “too restrictive” This RFE checks for too-restrictive mask at install time and error out when this happens to avoid not working deployments of the FreeIPA server.

  • 7206: [RFE] Provide an option to include FQDN in IDM topology graph

IdM WebUI is now able to display the fully qualified domain name (FQDN) of the nodes in its Topology Graph. As a result, the topology graph is able to distinguish nodes with the same short hostname but within different domains.

  • 7716: [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

In verbose mode, the command ipa-replica-manage list displays additional details such as the status and timestamp of the last initialization or the last update. When no initialization occurred on the server, the command doesn’t display any more the labels ‘last init status: None’ and ‘last init ended: 1970-01-01 00:00:00+00:00’ which were confusing.

  • 7747: [RFE] Support interactive prompt for NTP options for FreeIPA

With patches related to this RFE an Identity Management (IdM) is no longer unable to set time servers/pool when run without NTP related options passed only by command line options. This prompt for NTP server and pool options applies to interactive installations run without –unattended/-U option aiming to improve user experience for users not familiar with command line options.

Enhancements#

Known Issues#

Bug fixes#

FreeIPA 4.7.3 is a stabilization release for the features delivered as a part of 4.7.0.

There are more than 130 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • 2018 Change hostname length limit to 64

  • 4270 CA-less installation should not continue if dirsrv/httpd certificate is revoked

  • 4271 CA-less test suite always generate failures

  • 4607 ipa-getkeytab fails if -k points to empty file or a symlink to nonexistent file

  • 4812 Switch nsslapd-unhashed-pw-switch to nolog

  • 5062 [WebUI] Unlock option is enabled for all user.

  • 5803 Add utility to promote CA replica to CRL master

  • 5880 Second call to ldapmodify in ipatests.test_integration.tasks.enable_replication_debugging fails

  • 6077 [RFE] Support One-Way Trust authenticated by trust secret

  • 6468 Make ipaclient pip install-able

  • 6594 ipa idoverrideuser-find view –anchor fails to return output

  • 6627 WebUI: Enable pagination

  • 6951 Update samba config file and use sss idmap module

  • 6979 Suggest user to install libyubikey package instead of traceback

  • 7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.

  • 7193 [RFE] Warn or adjust umask if it is too restrictive to break installation

  • 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.

  • 7206 [RFE] Provide an option to include FQDN in IDM topology graph

  • 7288 set_directive can overwrite wrong directives

  • 7305 PKINIT status not displayed in the web UI (IPA Server > Configuration)

  • 7329 update_ra_cert_store does not remove private key from NSSDB

  • 7347 ipa-server-install breaks if subject base RDN has an escaped comma

  • 7369 The ipa-replica-install command failed, exception: ValidationError: invalid ‘dnszoneidnsname’: only master zones can contain records

  • 7451 Allow issuing certificates with IP addresses in subjectAltName

  • 7492 client install still creates /etc/ipa/nssdb

  • 7548 Need integration test for –external-ca-type=ms-cs

  • 7578 IPA server upgrade should remove stale kdcinfo_* generated by SSSD

  • 7597 IPA: IDM drops all custom attributes when moving account from preserved to stage

  • 7598 ipa-client-install: autodiscovery must refuse single label domains

  • 7603 In IPA WebUI, a warning appears in the background(warning message behind the dialog box).

  • 7647 Error message should be more useful while ipa-backup fails for insufficient space

  • 7651 ipa-replica-install –setup-kra broken on DL1

  • 7654 ipa-kra-install fails on DL1

  • 7667 When setting up mod_ssl, define range o f the TLS protocols within the system-wide crypto policy

  • 7708 Create a warning that SSSD needs restart after idrange-mod

  • 7716 [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

  • 7719 Automation added for NTP Replacement test scenarios

  • 7723 NTP options fails on ipa replica

  • 7744 ipa-replica-install picks wrong replica for CA initial replication

  • 7745 nss.conf needs to be zero length, not removed.

  • 7746 IPA help command fails in an environment without the `less` binary

  • 7747 [RFE] Support interactive prompt for NTP options for FreeIPA

  • 7750 ipaldap: invalid modlist when attribute encoding can vary

  • 7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration

  • 7756 Split Web UI test suite in nightly PR CI configuration

  • 7761 External CA renewal accepts issuer key < 2048-bit

  • 7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier

  • 7775 IPA Upgrade failed with “unable to convert the attribute u’cACertificate;binary’”

  • 7778 test_full_backup_and_restore_with_replica fails with “Unknown host replica1.ipa.test”

  • 7780 Make ipa-client-automount –uninstall more robust

  • 7781 Don’t start/enable nfs-idmap nor nfs-secure

  • 7783 use non-symlink (aliases) NFS unit names

  • 7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default

  • 7787 Missing indexes for automountmapname and automountkey

  • 7790 ipa host-del –updatedns FQDN yeilds unindexed searches

  • 7792 Missing index on ipaconfigstring

  • 7793 ipa service-del service fails with internal error

  • 7795 ipa-pkinit-manage enable fails on replica if it doesn’t host the CA

  • 7796 ipa-replica-install fails migrating CentOS 6 to 7

  • 7797 SSSD’s getservby*() causes performance issues

  • 7803 Missing index on idnsName

  • 7805 [NFS] test kerberized NFS

  • 7807 Detect container installation to avoid Kernel keyring

  • 7809 All Web UI tests fail with UnexpectedAlertPresentException

  • 7810 [F28] Require NSS with fix for p11-kit issue.

  • 7811 Fix compile issue with new 389-ds

  • 7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred

  • 7829 ipa-server-upgrade when run displays ‘No such file name in the index’ on the console

  • 7831 add systemd-user HBAC service to default set of HBAC services

  • 7835 Cert revokation for services and hosts is inefficient

  • 7836 print appropriate message when uninstalling non-existent IPA client

  • 7837 Replace os.getenv(‘HOME’) with os.path.expanduser

  • 7838 configure_openldap_conf() does not handle multi-value URI

  • 7841 Remove tests for client installation with –no-sssd and –noac options

  • 7843 [WebUI] Use generated certificates and CSR for testing

  • 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations

  • 7855 Automember XML-RPC test failure

  • 7857 Create tests for ipa-winsync-migrate

  • 7858 Define C feature macros

  • 7860 389-ds-base will no longer use /etc/sysconfig

  • 7862 “ccache” may not exist if GSSError occurs in ipa-client-automount causing an exception to be thrown

  • 7864 [WebUI] Review and increase timeouts for UI tests in Nightly PR configuration

  • 7865 test_topology_TestTopologyOptions:test_add_remove_segment nightly failure in fed28 and fed29

  • 7866 FreeIPA server deployment fails due to ‘Permission denied’ error under /tmp during pki-tomcatd deployment

  • 7868 ipa-client-automount exception backing up /etc/sysconfig/nfs

  • 7873 remove all occurrences of osinfo.version_id from ipatests/

  • 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations

  • 7876 Fail replica install

  • 7877 External CA installation: sanity check pathLenConstraints

  • 7881 [WebUI] Automember UI tests are broken

  • 7883 Cannot install ipa-server on rhel7.7

  • 7884 Coverity: New defect found in ipa-4.6.5

  • 7885 RFE: wrapper for Dogtag cert-fix command

  • 7886 ipa-replica-manage force-sync –from keeps prompting “No status yet”

  • 7889 test_integration/test_trust.py need improvement

  • 7892 Implement hidden / unadvertised IPA replicas

  • 7893 ipasam needs changes for Samba 4.10

  • 7895 ipa trust fetch-domains, server parameter ignored

  • 7896 ipa-server-upgrade fails with ConversionError: invalid ‘cn’: must be Unicode text

  • 7897 ipa-kra-install failing with invalid ‘role_servrole’: must be Unicode text error

  • 7900 dns and search not fixed for dns enabled deployments

  • 7901 IPA Web UI is slow to display user details page.

  • 7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules

  • 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains

  • 7905 ipa-dnskeysync-replica should handle LDAP down gracefully

  • 7906 ipa-kra-install fails due to fs.protected_regular=1

  • 7907 ipa-replica-install due to permission error, leaves ipa server in unstable condition

  • 7916 ipaplatform.debian.services does not implement wait for CA service

  • 7918 ipa-client-automount needs option to specify domain

  • 7921 Missing deps for `make pylint`

  • 7922 Command ipa conole is broken

  • 7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

  • 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd

  • 7928 cn=cacert could show expired certificate

  • 7929 ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled

  • 7930 Interactive promt for NTP options after install check.

  • 7932 FreeIPA queries rely on missing attribute altsecurityidentities

  • 7933 FreeIPA must index certmap attributes.

  • 7934 ipa-server-common expected file permissions in package don’t match runtime permissions

  • 7937 `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments

  • 7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured

  • 7943 [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format

  • 7952 ipa-backup file logging does not work

  • 7956 Ipatests don’t honor TMPDIR, TEMP or TMP environment variables

  • 7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character

  • 7962 Different pycodestyle results: Travis vs Azure

  • 7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs

  • 7964 GSSAPI failure causing LWCA key replication failure on f30

  • 7969 test failure in test_caless.py::TestServerInstall

  • 7970 test failure in test_backup_and_restore.py::TestBackupAndRestore

  • 7972 automember rebuild sometimes appears to return before the rebuild is complete

  • 7981 Pytest4.x warnings

  • 7982 Cannot modify TTL with ipa dnsrecord-mod –ttl alone on command line

  • 7983 Staged user is not being recognized if the user entry doesn’t have an objectClass “posixaccount”

  • 7984 make sure ‘make fastlint’ processes Python .in files

  • 7986 Increase debugging level of certmonger

  • 7988 test_nfs.py: errors when running ipa-client-automount

  • 7992 ipa upgrade fails with trust entry already exists

  • 8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure

  • 8024 [WebUI] test_webui/test_trust.py failed because of request timeout

Detailed changelog since 4.7.2#

Armando Neto (4)#

  • travis: Use Fedora 29 to test ipa-4-7 branch

  • Update Travis config to run on Fedora 28

  • Bump template version

  • Add missing nightly test definitions from master

Alexander Bokovoy (29)#

  • translations: update Ukrainian translation from Zanata

  • certmaprule: add negative test for altSecurityIdentities

  • certmap rules: altSecurityIdentities should only be used for trusted domains

  • Create indexes for altSecurityIdentities and ipaCertmapData attributes

  • Add altSecurityIdentities attribute from MS-WSPP schema definition

  • trust-fetch-domains: make sure we use right KDC when –server is specified

  • adtrust upgrade: fix wrong primary principal name, part 2

  • adtrust upgrade: fix wrong primary principal name

  • upgrade: adtrust - catch empty result when retrieving list of trusts

  • Enforce SMBLoris attack protection in default Samba configuration

  • Set idmap config for Samba to follow IPA ranges and use SSSD

  • Update list of contributors and sort it alphabetically

  • Update translations in ipa-4-7

  • Update mailmap

  • Bypass D-BUS interface definition deficiences for trust-fetch-domains

  • Remove DsInstance.request_service_keytab as it is not needed anymore

  • oddjob: allow to pass options to trust-fetch-domains

  • ipasam: use SID formatting calls to libsss_idmap

  • upgrade: add trust upgrade to actual upgrade code

  • upgrade: upgrade existing trust agreements to new layout

  • trusts: add support for one-way shared secret trust

  • trust: allow trust agents to read POSIX identities of trust

  • Add design page for one-way trust to AD with shared secret

  • domainlevel-get: fix various issues when running as non-admin

  • make sure IPA_CONFDIR is used to check that client is configured

  • ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned

  • ipa-sidgen: make internal fetch_attr helper really internal

  • Update ipa-4-7 translations from Zanata

  • Revert to development after a release

Anuja More (1)#

  • ipatests: POSIX attributes are no longer overwritten or missing

Ian Pilcher (1)#

  • Allow issuing certificates with IP addresses in subjectAltName

Adam Williamson (1)#

  • Correct default fontawesome path (broken by da2cf1c5)

Christian Heimes (96)#

  • Fix CustodiaClient ccache handling

  • Use only TLS 1.2 by default

  • Replace PYTHONSHEBANG with valid shebang

  • Increase default debug level of certmonger

  • Forbid imports of ipaserver and install packages

  • Don’t import ipaserver in conf.py

  • Replace imports from ipaserver

  • Delay import of SSSDConfig

  • Consider configured servers as valid

  • Correct path to systemd-detect-virt

  • Add helper to look for missing binaries

  • Guard dbus.start() with dbus.is_running()

  • chmod SYSTEMD_PKI_TOMCAT_IPA_CONF

  • Check for SELinux AVCs after installation

  • Refactor tasks to include is_selinux_enabled()

  • Globally disable softhsm2 in p11-kit-proxy

  • Deprecate ipa-client-install –request-cert

  • Fix pylint error with absolute_import

  • Debian: Use RedHatCAService for pki-tomcatd

  • Debian: auto-generate config files for oddjobd

  • Debian: Fix replicatio of light weight sub CAs

  • Add ODS manager abstraction to ipaplatform

  • Debian: Use different paths for KDC cert and key

  • Debian: Add fixes for OpenDNSSEC 2.0

  • Debian: Add paths for open-sans and font-awesome

  • Debian doesn’t have authselect

  • Debian: use -m lesscpy instead of hard-coded name

  • Reduce startup_timeout to 120sec as documented

  • Add ExecStartPost hook to wait for Dogtag PKI

  • Use Network Manager to configure resolv.conf

  • Improve error handling in DNSSEC helpers

  • Gating: remove vault and kdcproxy tests

  • automount: rmtree temp directory

  • Adapt cert-find performance workaround for users

  • Make netifaces optional

  • Skip orphan automember rule test

  • Verify external CA’s basic constraint pathlen

  • Move DS’s Kerberos env vars to unit file

  • Add tasks.systemd_daemon_reload()

  • Add option to remove lines from a file

  • Add test case for configure_openldap_conf

  • Don’t fail if config-show does not return servers

  • Add design draft

  • Test replica installation from hidden replica

  • Synchronize hidden state from IPA master role

  • Don’t allow to hide last server for a role

  • More test fixes

  • Improve config-show to show hidden servers

  • Consider hidden servers as role provider

  • Implement server-state –state=enabled/hidden

  • Simplify and improve tests

  • Add hidden replica feature

  • Consolidate container_masters queries

  • Use api.env.container_masters

  • Unify and simplify LDAP service discovery

  • replica install: acknowledge ca_host override

  • Fix assign instead of compare

  • GIT: ignore ipa-crlgen-manage

  • Disable dependency on dogtag-pki PyPI package

  • Test –external-ca-type=ms-cs

  • Remove ZERO_STRUCT() call

  • Update build requirements on twine

  • Compile IPA modules with C11 extensions

  • Require 389-ds 1.4.0.21

  • Mark two failing automember tests as xfail

  • ipa-getkeytab: resolve symlink

  • Optimize cert remove case

  • Add workaround for slow host/service del

  • Use expanduser instead of HOME env var

  • Don’t configure KEYRING ccache in containers

  • Fix systemd-user HBAC rule

  • Create systemd-user HBAC service and rule

  • Require krb5 with fix for CVE-2018-20217

  • Don’t use Python dependency generator yet

  • Use debug logger in ntpd_cleanup()

  • Make conftest compatible with pytest 4.x

  • Add index on idnsName

  • Require 3.41.0-3 on Fedora 28

  • Create reindex task for ipaca DB

  • Add more LDAP indices

  • LDAPUpdate: Batch index tasks

  • Always collect test logs

  • Handle service_del with bad service name

  • Add index and container for RFC 2307 IP services

  • Python 2 compatibility

  • Add install/remove package helpers to advise

  • Test smart card advise scripts

  • Log stderr in run_command

  • Smart card auth advise: Allow Apache user

  • Allow HTTPd user to access SSSD IFP

  • Remove dead code

  • Disable nss-p11-kit crypto policy for tests

  • Run idviews integration tests in nightly

  • Add integration tests for idviews

  • Resolve user/group names in idoverride*-find

  • Require Dogtag PKI 10.6.8-3

Diogo Nunes (1)#

  • Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.

François Cami (24)#

  • test_nfs.py: change pr-ci configuration to run on master_2repl_1client

  • ipatests: add proper timeouts to nfs.py

  • ipa-client-automount: fix ‘–idmap-domain DNS’ logic

  • nfs.py: fix user creation

  • Hidden replica documentation: fix typo

  • ipa-backup: better error message if ENOSPC

  • ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR

  • ipatests: add tests for the new NFSv4 domain option of ipa-client-automount

  • ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)

  • ipaplatform: add more services

  • ipatests: add nfs tests

  • ipaserver/install/cainstance.py: unlink before creating new file in /tmp

  • ipaserver/install/krainstance.py: chown after write

  • ipatests: Exercise hidden replica feature

  • ipa-{server,replica}-install: add too-restritive mask detection

  • ipatests: add too-restritive mask tests

  • ipa-client-automount: fix PEP8 issues

  • ipatests: remove all occurrences of osinfo.version_id

  • pylintrc: ignore R1720 no-else-raise errors

  • ipa-client-automount: handle NFS configuration file changes

  • ipa-server-install: fix ca setup when fs.protected_regular=1

  • ipatests: add a test for ipa-client-automount

  • ipa-client-automount: use nfs-utils unit

  • Fix NFS unit names

Florence Blanc-Renaud (41)#

  • xmlrpc test: add test for preserved > stage user

  • user-stage: transfer all attributes from preserved to stage user

  • test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules

  • upgrade: remove ipaCert and key from /etc/httpd/alias

  • ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py

  • XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD –ttl

  • dnsrecord-mod: allow to modify ttl without passing the record

  • ipatests: add a test for stageuser-find with non-posix account

  • stageuser-find: fix search with non-posix user

  • ipatests: fix test_backup_and_restore.py::TestBackupAndRestore

  • ipatests: fix test_caless.py

  • ipatests: add integration test for ipa-replica-manage list

  • NSSDatabase: fix get_trust_chain

  • ipatests: CA renewal must refresh cn=CAcert

  • CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA

  • ipatests: add integration test checking the files mode

  • Fix expected file permissions for ghost files

  • ipactl restart: fix wrong logic when checking service list

  • ipa-client-install: autodiscovery must refuse single-label domains

  • ipa-setup-kra: fix python2 parameter

  • ipa-server-upgrade: fix add_systemd_user_hbac

  • ipa-replica-manage: fix force-sync

  • Coverity: fix issue in ipa_extdom_extop.c

  • XML RPC test: fix test_automember_plugin

  • ipa server: prevent uninstallation if the server is CRL master

  • Test: add new tests for ipa-crlgen-manage

  • CRL generation master: new utility to enable|disable

  • pkinit setup: fix regression on master install

  • test: add non-reg test checking pkinit after server install

  • tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

  • ipatests: mark known failures as xfail

  • ipatests: add test for replica in forward zone

  • replica installation: add master record only if in managed zone

  • ipatests: fix CA less expectations

  • ipatests: add integration test for pkinit enable on replica

  • pkinit enable: use local dogtag only if host has CA

  • replication: check remote ds version before editing attributes

  • ipatests: fix test_full_backup_and_restore

  • PKINIT: fix ipa-pkinit-manage enable|disable

  • ipatest: add test for ipa-pkinit-manage enable|disable

  • ipatests: fix TestUpgrade::test_double_encoded_cacert

Fraser Tweedale (25)#

  • CustodiaClient: fix IPASecStore config on ipa-4-7

  • CustodiaClient: use ldapi when ldap_uri not specified

  • Handle missing LWCA certificate or chain

  • dn: sort AVAs when converting from x509.Name

  • .gitignore: add ipa-cert-fix program

  • ipa-cert-fix: fix spurious renewal master change

  • ipa-cert-fix: handle ‘pki-server cert-fix’ failure

  • require Dogtag 10.7.0-1

  • ipa-cert-fix: use customary exit statuses

  • ipa-cert-fix: add man page

  • Add ipa-cert-fix tool

  • constants: add ca_renewal container

  • cainstance: add function to determine ca_renewal nickname

  • Extract ca_renewal cert update subroutine

  • add test for external CA key size sanity check

  • dn: handle multi-valued RDNs in Name conversion

  • Fix installation when CA subject DN has escapes

  • cert-request: handle missing zone

  • cert-request: more specific errors in IP address validation

  • Add tests for cert-request IP address SAN support

  • cert-request: report all unmatched SAN IP addresses

  • cert-request: generalise _san_dnsname_ips for arbitrary cname depth

  • cert-request: collect only qualified DNS names for IPAddress validation

  • cert-request: restrict IPAddress SAN to host/service principals

  • certupdate: add commentary about certmonger behaviour

German Parente (1)#

  • ipa-replica-manage: remove “last init status” if it’s None.

Kaleemullah Siddiqui (2)#

  • Tests for autounmembership feature

  • Order of master and replica corrected in logger.info

Varun Mylaraiah (3)#

  • nightly_rawhide.yaml Added test_integration/test_ntp_options.py

  • nightly_master.yaml Added test_integration/test_ntp_options.py

  • ipatests: add tests for NTP options usage on server, replica, and client

Mohammad Rizwan Yusuf (4)#

  • Test if ipactl restart restarts the pki-tomcatd

  • Check if issuer DN is updated after external-ca > self-signed

  • Test error when yubikey hardware not present

  • Test KRA installtion after ca agent cert renewal

Oleg Kozlov (4)#

  • Remove stale kdc requests info files when upgrading IPA server

  • Replace nss.conf with zero-length file instead of removing

  • Fix python2 compatibility

  • Check pager’s executable before subprocess.Popen

Pavel Picka (1)#

  • PRCI failures fix

Rob Crittenden (13)#

  • For Fedora and RHEL use system-wide crypto policy for mod_ssl

  • Log the raised message when DNS check_zone_overlap fails

  • admintool: don’t display log file on errors unless logging is setup

  • tests: Wait for automember rebuild –no-wait tasks to finish

  • Fix expected return code in tests when server is uninstalled

  • Return 0 on uninstall when on_master for case of not installed

  • Drop list of return values to be ignored in AdminTool

  • When reading SSH pub key don’t assume last character is newline

  • Add knob to limit hostname length

  • Send only the path and not the full URI to httplib.request

  • Remove tests which install KRA on replica w/o KRA on master

  • tests: Don’t provide explicit hostname to ldapmodify

  • Update mod_nss cipher list so there is overlap with a 4.x master

Robbie Harwood (1)#

  • Fix unnecessary usrmerge assumptions

Sumit Bose (2)#

  • ipa_sam: remove dependency to talloc_strackframe.h

  • ipa-extdom-exop: add instance counter and limit

Stanislav Levin (8)#

  • Fix Pytest4.x warning about `message`

  • Fix Pytest4.1+ warnings about pytest.config

  • Fix `build_requestinfo` in LibreSSL environments

  • Fix `build_requestinfo` in OpenSSL1.1.0+ environments

  • Make `pycodestyle` results identical

  • Respect TMPDIR, TEMP or TMP environment variables during testing

  • Fix `inconsistent-return-statements` in ipa-dnskeysync-replica

  • Add missing deps for `make pylint`

Sergey Orlov (21)#

  • ipatests: new test for trust with partially unreachable AD topology

  • ipatests: mark test_domain_resolution_order as expectedly failing

  • ipatests: add test for sudo with runAsUser and domain resolution order.

  • ipatests: new tests for establishing one-way AD trust with shared secret

  • ipatests: make encoding to base64 compatible with python2

  • ipatests: new tests for ipa-winsync-migrate utility

  • ipa console: catch proper exception when history file can not be open

  • ipatests: refactor test_trust.py

  • ipatests: adapt test_trust.py for changes in multihost fixture

  • ipatests: allow AD hosts to be placed in separate domain config objects

  • ipatests: relax requirements for time server quality

  • ipatests: fix expectations of `ipa trust-find` output for trust with root domain

  • ipatests: in test_trust.py fix parent class

  • ipatests: disable bind dns validation when preparing to establish AD trust

  • ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust

  • Revert “Tests: Remove DNS configuration from trust tests”

  • ipatests: fix host name for ssh connection from controller to master

  • ipatests: add test for correct modlist when value encoding differs

  • Remove obsolete tests from test_caless.py

  • ipatests: fix ldap server url

  • Remove unused tests

Serhii Tsymbaliuk (14)#

  • WebUI tests: Fix request timeout for test_trust

  • WebUI: Add PKINIT status field to ‘Configuration’ page

  • WebUI tests: Fix timeout issues for reset password tests

  • WebUI: Fix automount maps pagination

  • WebUI: Disable ‘Unlock’ action for users with no password

  • WebUI: Fix ‘user not found’ traceback on user ID override details page

  • Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone

  • WebUI test: Fix automember tests according to new behavior

  • Web UI: Increase timeouts for UI tests in Nightly PR configuration

  • Split Web UI test suite in nightly PR CI configuration (IPA 4.7)

  • Fix test_arbitrary_certificates for Web UI

  • Web UI tests: Get rid of *_cert_path and *_csr_path config variables

  • Fix “Configured size limit exceeded” warning on Web UI

  • WebUI: Temporary fix for UnexpectedAlertPresentException

Thierry Bordaz (1)#

  • Switch nsslapd-unhashed-pw-switch to nolog

Tibor Dudlák (4)#

  • ipatests: Add Unattended option to external ca task

  • Moving prompt for NTP options to install_check

  • Support interactive prompt for ntp options

  • Fix test_ntp_options to use tasks’ methods

Oleg Kozlov (1)#

  • Show a notification that sssd needs restarting after idrange-mod

Contents