The FreeIPA team would like to announce the first release candidate of FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora will be available in the official COPR repository.
Highlights in 4.7.90.pre1#
4580: FreeIPA’s LDAP server requires SASL security strength factor of >= 56
FreeIPA LDAP server default configuration is improved to require SASL security strength factor higher than 56 bit.
4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes Python-based installer of 389-ds directory server
4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts url parameter to provide the user with a back link after successful password reset, to support resets initiated by external web applications. Additional parameter delay automatically redirects back after the specified number of seconds has elapsed.
5608: Tech preview: add Dogtag configuration extensions
FreeIPA team started rewrite of the Certificate Authority configuration to make possible passing additional options when configuring Dogtag. This is required to allow use of hardware secure (HSM) modules within FreeIPA CA but also to allow tuning CA defaults. HSM configuration is not yet fully available due to a number of open issues in Dogtag itself.
5803: Add utility to promote CA replica to CRL master
New utility was added to promote a CA replica to be the CRL master. Design page provides more details and use examples.
6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing trust to Active Directory from Windows side using a Trust wizard. This allows to establish a one-way trust authenticated by a shared trust secret. Additionally, it allows to establish a trust with Samba AD DC 4.7 or later, initiated from Samba AD DC side.
6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it’s the recommended size by NIST. An extensibility feature added with ticket 5608 allows increasing the CA key size further buta 4096-bit key is considerably slower. The change only affects new deployments. There is no way to upgrade existing CA infrastructure other than issuing a new CA key and re-issuing new certificates to all existing users of the old root CA. In addition, lightweight sub-CAs are currently hard-coded to 2048 bit key size. All relevant public root CAs in the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces own umask settings where required to allow deployment at hardened sites which follow some of STIG recommendations.
7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by IPA CA when state=enable, selfsigned when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept.
The fix consists in deleting the cert and key file before calling certmonger to request a new cert.
7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to see a fully qualified name of the server. This change helps to reduce confusion when managing complex multi-datacenter topologies.
7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs clean.
7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject alternative name (SAN), if all of the following are true:
One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
All of the DNS entries in the resolution chain are managed by this IPA instance.
The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python 3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are no longer available. PR-CI, lint, and tox aren’t testing Python 2 compatibility anymore.
7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses the file and finally restarts the IPA services. When the backup is a large file, the compression may take time and widen the unavailabity window. This fix restarts the services as soon as all the required files are gathered, and compresses after services are restarted.
7619, 7640, 7641: UI migration, password reset and configuration pages support translations
Static pages in FreeIPA web UI now allow translated content
7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.
7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to upgrade to FreeIPA 4.8.0 via replication, an existing deployment must first be brought up to Domain Level 1.
7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks user for NTP source server or pool address in interactive mode if there is no server nor pool specified and autodiscovery has not found any NTP source in DNS records.
7892: Tech preview: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to clients or other masters. Hidden replicas have all services running and available, but none of the services has any DNS SRV records or enabled LDAP server roles. This makes hidden replicas invisible for service discovery. Design document provides more details on use cases and management of hidden replicas.
PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient no longer depend on the binary extensions netifaces and python-ldap by default.
Bug fixes#
There are more than 220 bug-fixes details of which can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
631 ipa-getkeytab does not support -W option
4270 CA-less installation should not continue if dirsrv/httpd certificate is revoked
4271 CA-less test suite always generate failures
4440 Add support for bounce_url to /ipa/ui/reset_password.html
4491 Investigate utilizing lib389
4580 Investigate SSF values when SASL/GSSAPI is used to authenticate to LDAP
4607 ipa-getkeytab fails if -k points to empty file or a symlink to nonexistent file
5378 Incorrect error message at wrong password from private key file
5608 [RFE] Add Dogtag HSM support
5803 Add utility to promote CA replica to CRL master
5880 Second call to ldapmodify in ipatests.test_integration.tasks.enable_replication_debugging fails
5887 IDNA domains does not work under py3
6077 [RFE] Support One-Way Trust authenticated by trust secret
6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’
6353 During one step replica install the command accepts both OTP and Admin password simultaneously
6468 Make ipaclient pip install-able
6476 automember-rebuild crashes
6594 ipa idoverrideuser-find view –anchor fails to return output
6790 [RFE] Allow creating IPA CA with 4096-bit key.
6844 ipa-restore fails when umask is set to 0027
6888 ipa-custodia must not require DAC_OVERRIDE
6951 Update samba config file and use sss idmap module
6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with
6979 Suggest user to install libyubikey package instead of traceback
7082 FreeIPA 4.5 is not compatible with latest pyasn1
7140 Configure DS to use minssf = 128
7193 [RFE] Warn or adjust umask if it is too restrictive to break installation
7196 ipa-replica-install fails with ‘HTTPError: 403 Client Error: Forbidden’ due to a custodia issue
7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
7206 [RFE] Provide an option to include FQDN in IDM topology graph
7217 Significantly reduce the KDC LDAP driver search timeout
7262 Authn/TOTP defined users periodically prompt for just password credentials to access resources
7288 set_directive can overwrite wrong directives
7347 ipa-server-install breaks if subject base RDN has an escaped comma
7362 Update FreeIPA project logo
7365 [RFE] make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
7366 RFE: ipa client should setup openldap for GSSAPI
7369 The ipa-replica-install command failed, exception: ValidationError: invalid ‘dnszoneidnsname’: only master zones can contain records
7408 ipa-replica-install command should display proper message on the console.
7451 Allow issuing certificates with IP addresses in subjectAltName
7455 Add a test for backup-restore in multimaster topology
7492 client install still creates /etc/ipa/nssdb
7517 Failures in test_server_del test suite
7528 Upon ipa-server-install on Ubuntu 18.04, Apache unable to use encrypted httpd.key
7532 ipa-advise config-client-for-smart-card-auth: enable smart card auth in sssd.conf
7537 PR-CI: external_ca tests are hitting timeout
7538 sudo rule for “admins” members should be created by default
7545 TestCASpecificRUVs.test_replica_uninstall_deletes_ruvs start failing with assertion error
7548 Need integration test for –external-ca-type=ms-cs
7559 UI LoginScreen widget cannot be translated
7566 Installation of replica against a specific master
7568 Deprecate Python 2
7569 Users with user creation/modification privileges fail to add the “–radius-username” option when creating users
7570 Create a system permission for access to radius proxy entries
7578 IPA server upgrade should remove stale kdcinfo_* generated by SSSD
7579 ipa-cacert-manage cannot import PKCS#7 files
7587 Increase WSGI worker process count
7598 ipa-client-install: autodiscovery must refuse single label domains
7601 ldapmodify userPassword reflects on krblastpwdchange on RHEL6 but not RHEL7
7602 ipa-replica-install allows to use –setup-adtrust without the package freeipa-server-trust-ad installed
7603 In IPA WebUI, a warning appears in the background(warning message behind the dialog box).
7608 FreeIPA 4.6.3 install fails when `/proc/sys/crypto` is absent
7617 ipa-replica-install defines nsds5replicabinddngroup before the group contains the DN of the replication manager
7619 [Translation] reset password page is not translated
7620 client uninstall fails when installed using non-existing hostname
7621 [Translation] sync otp page is not translated completely
7625 ipa-client-install fails with ScriptError(rval=CLIENT_INSTALL_ERROR)
7628 ipa ca-show –certificate-out=/tmp/ca fails with python type error
7629 Replica installation fails with connection refused error
7630 ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
7632 [RFE] Allow IPA Services to Start After the IPA Backup Has Completed
7638 PR-CI: Make “Not enough resources configured” an error
7640 [Translation] ipa/config/{unauthorized,ssbrowser}.html are not translated
7641 [Translation] ipa/migration/{error,index,invalid}.html are not translated
7642 Installation fails: Replica Busy
7644 ipa-server-upgrade displays ‘DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven’t been updated’
7649 error shown when options are added to an existing sudo rule
7650 client installer uses invalid format in chmod (0x…)
7651 ipa-replica-install –setup-kra broken on DL1
7652 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound
7654 ipa-kra-install fails on DL1
7656 ipa-replica-install on DL0 doesn’t completely honor –no-host-dns
7657 Leaving IPA domain fails: Failed to remove krb5/LDAP configuration: expected str, bytes or os.PathLike object, not NoneType
7658 [RFE] sysadm_r should be included in default SELinux user map order
7659 ipa trust-add fails in FIPS mode.
7661 SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service
7662 SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/
7663 pytest 3.7.0 fails on pytest_plugins in ipatests.plugins
7664 ipa_tests: test ssh keys login
7666 ipa-server-install script is failing when using the “–no-dnssec-validation” parameter combined with the “–forwarder”
7669 Hide domain level 0 specific options from tools and commands
7671 Remove –no-sssd and –noac options
7674 client install fails on Fedora 29
7678 [WebUI] JS error of ‘reset’ view
7679 [WebUI] all validation items are rendered on each key typing at login form
7680 Detect Python interpreter during configure
7681 ipa server uninstall with -v option displays “IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442”
7684 Re-installing replica on the same system displays ‘WARNING: cannot check if port 443 is already configured’
7685 [pyasn1] not supported upstream’s version
7687 Integration test for sssd_ssh leaks
7688 ipa-server-upgrade does not store the upgrade state for subCa
7689 Remove Domain Level 0 specific code
7691 ‘ipa vault-retrieve’ is failing with “ipa: ERROR: an internal error has occurred”
7699 [Translation] [remove dialog] not entire sentences
7700 ipa cert-show –chain –certificate-out fails with an internal error
7702 [Translation] not entire sentence of title of ‘Remove’ dialog for ‘Association’ facet
7704 [Translation] not entire sentence of title of ‘Remove’ dialog for ‘association_table’ widget
7705 Support Samba 4.9
7707 [Translation] not entire sentence of title of Entity’s ‘Add’ dialog
7708 Create a warning that SSSD needs restart after idrange-mod
7709 [WebUI] Tests for “ID Ranges”
7710 Update spec file to require sssd-ipa, not an sssd meta-package
7711 python 3 fallout in ipa-server-install
7712 [Translation] not entire sentence of title of association facet’s ‘Add’ dialog
7714 [Translation] not entire sentence of title of ‘Add’ dialog for ‘association_table’ widget
7715 Remove Python 2 specific elements
7717 jslint is not running in pr ci tests
7718 javascript ‘errors’ found by jslint
7719 Automation added for NTP Replacement test scenarios
7721 [WebUI] Tests for “Automember”
7723 NTP options fails on ipa replica
7728 RFE: Validation and better error messages when novajoin fails because of SSL errors
7729 Bad output on failed client installation rollback
7731 ipa-advise command points to old URL’s.
7732 systemd complains about legacy of /var/run
7735 [WebUI] Tests for “Automount”
7738 Fix C issues found by coverity and other tools
7740 continuous-integration/travis-ci/pr fails with latest gcc update
7741 Smart card advise script uses hard-coded Python interpreter
7742 External CA installer removes Dogtag’s client DB after step 1
7743 Create automation to ensure that all integration tests are executed
7744 ipa-replica-install picks wrong replica for CA initial replication
7745 nss.conf needs to be zero length, not removed.
7746 IPA help command fails in an environment without the `less` binary
7747 [RFE] Support interactive prompt for NTP options for FreeIPA
7750 ipaldap: invalid modlist when attribute encoding can vary
7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration
7752 ipa client throws http.client.ResponseNotReady error
7753 CID 323644: logically dead code in ipaserver.install.adtrust.py
7754 Replace archaic term messagebus with dbus
7755 Enable firewall in the tests
7756 Split Web UI test suite in nightly PR CI configuration
7758 pylint-2.1.1 errors on Fedora 29
7759 ipa-server-certinstall –http allows to install a server cert even though the CA is not known
7761 External CA renewal accepts issuer key < 2048-bit
7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier
7767 make fasttest errors because of missing python3-lib389
7769 Installer does not detect that kadmin port 749/UDP is blocked
7770 searching for ipa users by certificate fails
7771 [WebUI] “ID views” tests fail after running “Automember” tests
7772 pylint 2.2.0 violations
7775 IPA Upgrade failed with “unable to convert the attribute u’cACertificate;binary’”
7776 authselect 1.0.2 fails on unknown feature
7777 new prci_definitions memory requirements
7778 test_full_backup_and_restore_with_replica fails with “Unknown host replica1.ipa.test”
7779 Update PR-CI definitions to use Fedora 29
7780 Make ipa-client-automount –uninstall more robust
7781 Don’t start/enable nfs-idmap nor nfs-secure
7783 use non-symlink (aliases) NFS unit names
7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default
7787 Missing indexes for automountmapname and automountkey
7788 Majority of gating tests are not part of nightly flows.
7790 ipa host-del –updatedns FQDN yeilds unindexed searches
7792 Missing index on ipaconfigstring
7793 ipa service-del service fails with internal error
7795 ipa-pkinit-manage enable fails on replica if it doesn’t host the CA
7796 ipa-replica-install fails migrating CentOS 6 to 7
7797 SSSD’s getservby*() causes performance issues
7803 Missing index on idnsName
7805 [NFS] test kerberized NFS
7807 Detect container installation to avoid Kernel keyring
7809 All Web UI tests fail with UnexpectedAlertPresentException
7810 [F28] Require NSS with fix for p11-kit issue.
7811 Fix compile issue with new 389-ds
7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred
7829 ipa-server-upgrade when run displays ‘No such file name in the index’ on the console
7830 FreeIPA installation fails with 389-DS 1.4.0.20-1
7831 add systemd-user HBAC service to default set of HBAC services
7832 [WebUI] cross-origin request
7834 Fix certificate revocation tests for Web UI
7835 Cert revokation for services and hosts is inefficient
7837 Replace os.getenv(‘HOME’) with os.path.expanduser
7838 configure_openldap_conf() does not handle multi-value URI
7841 Remove tests for client installation with –no-sssd and –noac options
7843 [WebUI] Use generated certificates and CSR for testing
7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations
7855 Automember XML-RPC test failure
7856 Nightly test failure in test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
7857 Create tests for ipa-winsync-migrate
7858 Define C feature macros
7860 389-ds-base will no longer use /etc/sysconfig
7861 Make IPADiscovery available in PyPI packages
7862 “ccache” may not exist if GSSError occurs in ipa-client-automount causing an exception to be thrown
7864 [WebUI] Review and increase timeouts for UI tests in Nightly PR configuration
7865 test_topology_TestTopologyOptions:test_add_remove_segment nightly failure in fed28 and fed29
7866 FreeIPA server deployment fails due to ‘Permission denied’ error under /tmp during pki-tomcatd deployment
7868 ipa-client-automount exception backing up /etc/sysconfig/nfs
7873 remove all occurrences of osinfo.version_id from ipatests/
7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations
7876 Fail replica install
7877 External CA installation: sanity check pathLenConstraints
7881 [WebUI] Automember UI tests are broken
7883 Cannot install ipa-server on rhel7.7
7884 Coverity: New defect found in ipa-4.6.5
7886 ipa-replica-manage force-sync –from keeps prompting “No status yet”
7889 test_integration/test_trust.py need improvement
7891 Extend test for #6476 automember-rebuild crashes
7892 Implement hidden / unadvertised IPA replicas
7893 ipasam needs changes for Samba 4.10
7894 restoring a backup done on a hidden replica results
7895 ipa trust fetch-domains, server parameter ignored
7896 ipa-server-upgrade fails with ConversionError: invalid ‘cn’: must be Unicode text
7897 ipa-kra-install failing with invalid ‘role_servrole’: must be Unicode text error
7900 dns and search not fixed for dns enabled deployments
7901 IPA Web UI is slow to display user details page.
7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains
7905 ipa-dnskeysync-replica should handle LDAP down gracefully
7906 ipa-kra-install fails due to fs.protected_regular=1
7907 ipa-replica-install due to permission error, leaves ipa server in unstable condition
7909 Wrong evaluation of replication update status
7916 ipaplatform.debian.services does not implement wait for CA service
7921 Missing deps for `make pylint`
7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
Detailed changelog since 4.7.2#
Armando Neto (3)#
Add test for client installation with empty keytab file
Fix certificate type error when exporting to file
Delete empty keytab during client installation
Alexander Bokovoy (32)#
Enforce SMBLoris attack protection in default Samba configuration
Set idmap config for Samba to follow IPA ranges and use SSSD
Update list of contributors and sort them alphabetically
Update mailmap
Update translations from Zanata
Bypass D-BUS interface definition deficiences for trust-fetch-domains
Remove DsInstance.request_service_keytab as it is not needed anymore
oddjob: allow to pass options to trust-fetch-domains
ipasam: use SID formatting calls to libsss_idmap
upgrade: add trust upgrade to actual upgrade code
upgrade: upgrade existing trust agreements to new layout
trusts: add support for one-way shared secret trust
trust: allow trust agents to read POSIX identities of trust
Add design page for one-way trust to AD with shared secret
domainlevel-get: fix various issues when running as non-admin
make sure IPA_CONFDIR is used to check that client is configured
ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
ipa-sidgen: make internal fetch_attr helper really internal
Update translations from Zanata
ipa-kdb: reduce LDAP operations timeout to 30 seconds
Update translations from Zanata
ipaserver.install.adtrust: fix CID 323644
net groupmap: force using empty config when mapping Guests
adtrust: define Guests mapping after creating cifs/ principal
Update list of contributors
Import updated translations from Zanata
Re-sort the translations before importing new ones from Zanata
When stripping PO files, sort the output
Support Samba 4.9
ipasam: do not use RC4 in FIPS mode
Move fips_enabled to a common library to share across different plugins
ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions
Ian Pilcher (1)#
Allow issuing certificates with IP addresses in subjectAltName
Alexander Scheel (2)#
Add missing docstrings to kernel_keyring.py
Add docstring to verify_kdc_cert_validity
Adam Williamson (1)#
Fix authselect invocations to work with 1.0.2
Christian Heimes (183)#
Make ipaclient.discovery usable from command line
Make IPADiscovery work without ldap
Make python-ldap optional for PyPI packages
Correct path to systemd-detect-virt
Add helper to look for missing binaries
Guard dbus.start() with dbus.is_running()
Move Custodia secrets handler to scripts
chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Check for SELinux AVCs after installation
Refactor tasks to include is_selinux_enabled()
Globally disable softhsm2 in p11-kit-proxy
Pass token_name to certmonger
Fix and extend pki config override test
Deprecate ipa-client-install –request-cert
Debian: Use RedHatCAService for pki-tomcatd
Debian: auto-generate config files for oddjobd
Debian: Fix replicatio of light weight sub CAs
Add ODS manager abstraction to ipaplatform
Debian: Use different paths for KDC cert and key
Debian: Add fixes for OpenDNSSEC 2.0
Debian: Add paths for open-sans and font-awesome
Debian doesn’t have authselect
Debian: use -m lesscpy instead of hard-coded name
Reduce startup_timeout to 120sec as documented
Add ExecStartPost hook to wait for Dogtag PKI
Remove deprecated object logger
Explain why tests still use 2048bit external CA
Reuse key type and size in certmonger resubmit
Increase default key size for CA to 3072 bits
Use Network Manager to configure resolv.conf
Add –pki-config-override to man pages
Add test case for pki config override
Verify pki ini override early
Simplify and consolidate ipaca.ini
Add pki.ini override option
Use new pki_ipaca.ini to spawn instances
Add IPA specific vars to ipaca_default.ini
Simplify and slim down ipaca_default.ini
Add current default.cfg from Dogtag
Improve error handling in DNSSEC helpers
Gating: remove vault and kdcproxy tests
automount: rmtree temp directory
Make netifaces optional
Adapt cert-find performance workaround for users
Skip orphan automember rule test
Verify external CA’s basic constraint pathlen
Require a minimum SASL security factor of 56
Move DS’s Kerberos env vars to unit file
Add tasks.systemd_daemon_reload()
Add option to remove lines from a file
Disable flaky hidden replica backup test
Add test case for configure_openldap_conf
Don’t fail if config-show does not return servers
Add design draft
Test replica installation from hidden replica
Synchronize hidden state from IPA master role
Don’t allow to hide last server for a role
More test fixes
Improve config-show to show hidden servers
Consider hidden servers as role provider
Implement server-state –state=enabled/hidden
Simplify and improve tests
Add hidden replica feature
Consolidate container_masters queries
Use api.env.container_masters
replica install: acknowledge ca_host override
Fix assign instead of compare
GIT: ignore ipa-crlgen-manage
Reformat and PEP8 ipaclient.discovery
Make IPADiscovery available in PyPI packages
Disable dependency on dogtag-pki PyPI package
Test –external-ca-type=ms-cs
Remove ZERO_STRUCT() call
Update build requirements on twine
Compile IPA modules with C11 extensions
Add ldapmodify/search helper functions
Let 389-DS configure LDAPI for us
Use LDAPS when installing CA on replica
Use secure LDAP connection in tests
Use new LDAPClient constructors
Add constructors to ldap client
Move realm_to_serverid/ldap_uri to ipaldap
Mark two failing automember tests as xfail
Require 389-ds 1.4.0.21
ipa-getkeytab: resolve symlink
Optimize cert remove case
Add workaround for slow host/service del
Add workaround for lib389 HOME bug
Use expanduser instead of HOME env var
Don’t configure KEYRING ccache in containers
Mark failing NTP test as expected failure
Fix systemd-user HBAC rule
Create systemd-user HBAC service and rule
Require krb5 with fix for CVE-2018-20217
Don’t use Python dependency generator yet
Use debug logger in ntpd_cleanup()
Make conftest compatible with pytest 4.x
Require 389-DS = 1.4.0.16
Add index on idnsName
Require 3.41.0-3 on Fedora 28
Fix test_advise in nightly runs
Create reindex task for ipaca DB
Add more LDAP indices
LDAPUpdate: Batch index tasks
Always collect test logs
Disable nss-p11-kit crypto policy for tests
Add install/remove package helpers to advise
Test smart card advise scripts
Log stderr in run_command
Smart card auth advise: Allow Apache user
Allow HTTPd user to access SSSD IFP
Remove dead code
Add index and container for RFC 2307 IP services
Handle service_del with bad service name
Run idviews integration tests in nightly
Add integration tests for idviews
Resolve user/group names in idoverride*-find
Require Dogtag PKI 10.6.8-3
Update temp commit template to F29
Increase debugging for blocked port 749 and 464
Address misc pylint issues in CLI scripts
pylint: also verify scripts
pylint: Fix duplicate-string-formatting-argument
pylint 2.2: Fix unnecessary pass statement
TestBackupAndRestoreWithReplica needs 2 replicas
Unify and simplify LDAP service discovery
PR-CI: Restart rpcbind when it blocks kadmin port
Fix pytest deprecation warning
certdb: validate server cert signature
Require pylint 2.1.1-2
Silence comparison-with-itself in tests
Fix raising-format-tuple
Fix various dict related pylint warnings
Fix Module ‘pytest’ has no ‘config’ member
Fix useless-import-alias
Fix comparison-with-callable
Address consider-using-in
Ignore consider-using-enumerate for now
Address inconsistent-return-statements
Address pylint violations in lite-server
Ignore W504 code style like in travis config
Remove DS perl paths from debian platform
Drop dependency on 389-ds-base-legacy-tools
Speed up test_customized_ds_config_install
Add missing tests to nighly runs
Replace messagebus with modern name dbus
Fix test_cli_fsencoding on Python 3.7, take 2
Copy-paste error in permssions plugin, CID 323649
Allow ipaapi user to access SSSD’s info pipe
Fix test_cli_fsencoding on Python 3.7
ipapwd_pre_mod: NULL ptr deref
ipadb_mspac_get_trusted_domains: NULL ptr deref
has_krbprincipalkey: avoid double free
Require Dogtag 10.6.7-3
Use tasks.install_master() in external_ca tests
Keep Dogtag’s client db in external CA step 1
Improve Python configuration for LGTM
Add Coverity Scan target
Replace hard-coded interpreter with sys.executable
Don’t abuse strncpy() length limitation
Fix ipadb_multires resource handling
Add lgtm.yml to analyzse C code with LGTM
Fix zonemgr encoding issue
Py3: Replace six.moves imports
Lint yaml and RPM spec
Py3: Replace six.bytes_type with bytes
Py3: Replace six.text_type with str
Py3: Replace six.integer_types with int
Py3: Replace six.string_types with str
Require sssd-ipa instead of sssd meta pkg
Py3: Remove subclassing from object
Sprinkle raw strings across the code base
Workaround for pyasn1 0.4
Remove Python 2 support and packages
Don’t check for systemd service
Refactor os-release and platform information
Generate scripts from templates
Rename Python scripts and add dynamic shebang
Detect and prefer platform Python
Disable DL0 specific tests
Rename pytest_plugins to ipatests.pytest_ipa
Add convenient template for temp commits
Fix topology configuration of nightly runs
Diogo Nunes (3)#
Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.
PR-CI: Add gating tests to nightly_[master, f28, rawhide]
PR-CI: Move to Fedora 29 template, version 0.2.0
Felipe Barreto (1)#
Making nigthly test definition editable by FreeIPA’s contributors
François Cami (18)#
ipaplatform: add more services
ipatests: add nfs tests
ipaserver/install/cainstance.py: unlink before creating new file in /tmp
ipaserver/install/krainstance.py: chown after write
ipatests: Exercise hidden replica feature
ipa-{server,replica}-install: add too-restritive mask detection
ipatests: add too-restritive mask tests
ipa-client-automount: fix PEP8 issues
ipatests: remove all occurrences of osinfo.version_id
pylintrc: ignore R1720 no-else-raise errors
ipa-client-automount: handle NFS configuration file changes
ipa-server-install: fix ca setup when fs.protected_regular=1
ipatests: add a test for ipa-client-automount
ipa-client-automount: use nfs-utils unit
Fix NFS unit names
Add a “Find enabled services” ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Add a shared-vault-retrieve test
Add sysadm_r to default SELinux user map order
William Brown (1)#
Support the 1.4.x python installer tools in 389-ds
Florence Blanc-Renaud (77)#
ipactl restart: fix wrong logic when checking service list
Fix wrong evaluation of attributes in check_repl_update
ipa-client-install: autodiscovery must refuse single-label domains
ipa-setup-kra: fix python2 parameter
ipa-server-upgrade: fix add_systemd_user_hbac
ipa-replica-manage: fix force-sync
Coverity: fix issue in ipa_extdom_extop.c
XML RPC test: fix test_automember_plugin
ipa server: prevent uninstallation if the server is CRL master
Test: add new tests for ipa-crlgen-manage
CRL generation master: new utility to enable|disable
test: add non-reg test checking pkinit after server install
pkinit setup: fix regression on master install
tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment
tests: mark xfail for test_selinux_user_optimized on fed<=28
Tests: fix option name for dsctl
ipatests: add test for replica in forward zone
replica installation: add master record only if in managed zone
ipatests: add integration test for pkinit enable on replica
pkinit enable: use local dogtag only if host has CA
replica install: set the same master as preferred source for domain and CA
replication: check remote ds version before editing attributes
ipatests: fix test_full_backup_and_restore
ipatests: fix TestUpgrade::test_double_encoded_cacert
PKINIT: fix ipa-pkinit-manage enable|disable
ipatest: add test for ipa-pkinit-manage enable|disable
ipatests: add upgrade test for double-encoded cacert
ipa upgrade: handle double-encoded certificates
ipatests: add xmlrpc test for user|host-find –certificate
ipaldap.py: fix method creating a ldap filter for IPACertificate
ipatests: add missing tests for test_replica_promotion.py
ipatests: add missing tests for test_installation.py
ipatests: add missing tests for test_external_ca.py
ipatests: add test for ipa-replica-install options
ipa-replica-install: password and admin-password options mutually exclusive
ipatests: fix test_replica_uninstall_deletes_ruvs
freeipa.spec.in: add BuildRequires for python3-lib389
ipatests: add missing tests in test_backup_and_restore.py
Revert “temp commit: run test_integration/test_caless.py::TestCertInstall”
temp commit: run test_integration/test_caless.py::TestCertInstall
ipatests: update tests for ipa-server-certinstall
ipatests: add missing tests for test_caless
ipatests: add integration test for “Read radius servers” perm
radiusproxy: add permission for reading radius proxy servers
tests: add xmlrpc test for ipa user-add –radius-username
ipa user-add: add optional objectclass for radius-username
ipatests: fix CA less expectations
Nightly tests: add test_user_permissions.py
ipatest: add functional test for ipa-backup
ipa-backup: restart services before compressing the backup
ipa-replica-install –setup-adtrust: check for package ipa-server-trust-ad
ipatests: fix path in expected error message
Bump requires 389-ds-base
ipatests: mark known failures as xfail
ipa tests: CA less
certdb: provide meaningful err msg for wrong PIN
ipatests: remove TestReplicaManageDel (dl0)
ipatests: mark known failure for installation_TestInstallWithCA2
ipa-server-upgrade: fix inconsistency in setup_lightweight_ca_key_retrieval
Tests: remove dl0 tests from nightly definition
ipatests: mark known failures as xfail
tests: add test for uninstall with incomplete sysrestore.state
authselect: harden uninstallation of ipa client
ipa-advise: configure pam_cert_auth=True for smart card on client
Test: scenario replica install/uninstall should restore ssl.conf
ipa-replica-install: properly use the file store
Tests: test successful PKINIT install on replica
ipa-replica-install: fix pkinit setup
tests: add test for server install with –no-dnssec-validation
ipa-server-install: do not perform forwarder validation with –no-dnssec-validation
DS replication settings: fix regression with <3.3 master
Test: test ipa-* commands when IPA is not configured
ipa commands: print ‘IPA is not configured’ when ipa is not setup
ipautil.run: add test for runas parameter
uninstall -v: remove Tracebacks
PRCI: extend timeouts for gating
Tests: add integration test for password changes by dir mgr
Francisco Trivino (2)#
prci_definitions: Add nightly flow for pki dep testing
prci_definitions: update vagrant memory topology requirements
Fraser Tweedale (16)#
Fix installation when CA subject DN has escapes
cert-request: handle missing zone
cert-request: more specific errors in IP address validation
Add tests for cert-request IP address SAN support
cert-request: report all unmatched SAN IP addresses
cert-request: generalise _san_dnsname_ips for arbitrary cname depth
cert-request: collect only qualified DNS names for IPAddress validation
cert-request: restrict IPAddress SAN to host/service principals
certupdate: add commentary about certmonger behaviour
certdb: validate certificate signatures
Print correct subject on CA cert verification failure
certdb: ensure non-empty Subject Key Identifier
rpc: always read response
ipaldap: avoid invalid modlist when attribute encoding differs
Restore KRA clone installation integration test
Fix writing certificate chain to file
Ganna Kaihorodova (1)#
Add check for occuring traceback during uninstallation ipa master
Michal Reznik (8)#
bump PRCI template version to 0.1.9
add strip_cert_header() to tasks.py
tests: sssd_ssh fd leaks when user cert converted into SSH key
bump PRCI template version to 0.1.8
Add “389-ds-base-legacy-tools” to requires.
test: client uninstall fails when installed using non-existing hostname
ipa_tests: test ssh keys login
prci_definitions: fix wrong indentation in the nightly yaml
Varun Mylaraiah (4)#
nightly_rawhide.yaml Added test_integration/test_ntp_options.py
nightly_master.yaml Added test_integration/test_ntp_options.py
ipatests: add tests for NTP options usage on server, replica, and client
Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Mohammad Rizwan Yusuf (6)#
ipatests: check if username are not optimized out in semanage context
Check if issuer DN is updated after external-ca > self-signed
Test error when yubikey hardware not present
Test KRA installtion after ca agent cert renewal
Test if WSGI worker process count is set to 4
Check if user permssions and umask 0022 is set when executing ipa-restore
Oleg Kozlov (5)#
Show a notification that sssd needs restarting after idrange-mod
Remove stale kdc requests info files when upgrading IPA server
Replace nss.conf with zero-length file instead of removing
Check pager’s executable before subprocess.Popen
Check have packages for extra features been installed before restoring backup
Orion Poplawski (1)#
ipaclient-install: chmod needs octal permissions
Peter Keresztes Schmidt (1)#
README: Update link to freeipa-devel archive
Pavel Picka (3)#
PRCI failures fix
PR-CI extend timeouts
WebUI Tests stabilize
Petr Vobornik (4)#
ipa-advise: update url of cacerdir_rehash tool
webui: redable color of invalid fields on login-screen-like pages
webui: remove mixed indentation in App and LoginScreen
webui: change indentation of freeipa/_base/debug.js
Rob Crittenden (27)#
Add interactive prompt for the LDAP bind password to ipa-getkeytab
Send only the path and not the full URI to httplib.request
Update mod_nss cipher list so there is overlap with a 4.x master
tests: Don’t provide explicit hostname to ldapmodify
Remove 389-ds templates now that lib389 is used for installs
Add support for multiple certificates/formats to ipa-cacert-manage
Add tests for ipa-cacert-manage install
Enable replica install info logging to match ipa-server-install
Demote log message in custodia _wait_keys to debug
Pass a list of values into add_master_dns_records
Collect the client and server uninstall logs in tests
Fix misleading errors during client install rollback
Remove the authselect profile warning if sssd was not configured.
Handle NTP configuration in a replica server installation
Remove tests which install KRA on replica w/o KRA on master
Enable LDAP debug output in client to display TLS errors in join
Add entry for Serhii to mailmap
Fix identifier typo in UI
Add uninstallation tests to night master and rawhide
Fix uninstallation test, use different method to stop dirsrv
Try to resolve the name passed into the password reader to a file
Advise plugin for enabling sudo for members of the admins group
Update required version of dogtag to detect when FIPS is available
Retrieve certificate subject base directly instead of ipa-join
Honor no-host-dns when creating client host in replica install
Convert members into types in sudorule-*-option
Set development version to 4.7.90
Robbie Harwood (3)#
Fix unnecessary usrmerge assumptions
Add cmocka unit tests for ipa otpd queue code
Clear next field when returnining list elements in queue.c
Sumit Bose (2)#
ipa-extdom-exop: add instance counter and limit
ipa_sam: remove dependency to talloc_strackframe.h
Stanislav Laznicka (7)#
Use the newer way of removing the DS instance
DS install: don’t fail if SSL already configured
DS install: fix DS asking for NSS pin during install
DS uninstall: fix serverid missing in state restore
Move lib389 imports to module scope
Don’t try legacy installs
Remove some basic pystyle and pylint errors
Stanislav Levin (120)#
Fix `inconsistent-return-statements` in ipa-dnskeysync-replica
Add missing deps for `make pylint`
Completely drop /var/cache/ipa/sessions
Don’t use cross-origin request
Move ipa’s systemd tmpfiles from /var/run to /run
Add title to ‘add’ dialog for ‘association_table’ widget of Topology entity
Add title to ‘add’ dialog for ‘association_table’ widget of Vaults entity
Add title to ‘add’ dialog for ‘association_table’ widget of Certificates entity
Add title to ‘add’ dialog for ‘association_table’ widget of SELinux User Maps entity
Add title to ‘add’ dialog for ‘association_table’ widget of Sudo entity
Add title to ‘add’ dialog for ‘association_table’ widget of HBAC entity
Add title to ‘add’ dialog for ‘association_table’ widget of Groups entity
Add title to ‘add’ dialog for ‘association_table’ widget of Services entity
Add title to ‘add’ dialog for ‘association_table’ widget of Hosts entity
Drop concatenated title of add dialog for association_table widget
Add title to ‘add’ dialog for details of ‘RBAC’ entity
Add title to ‘add’ dialog for details of ‘OTP Tokens’ entity
Add title to ‘add’ dialog for details of ‘Sudo’ entity
Add title to ‘add’ dialog for details of ‘HBAC’ entity
Add title to ‘add’ dialog for details of ‘ID Views’ entity
Add title to ‘add’ dialog for details of ‘Groups’ entity
Add title to ‘add’ dialog for details of ‘Services’ entity
Add title to ‘add’ dialog for details of ‘Hosts’ entity
Add title to ‘add’ dialog for details of ‘Users’ entity
Add title to ‘add’ dialog for details of ‘Certificate’ entity
Drop concatenated title of ‘Add’ dialog for details of entity
Add title to ‘add’ dialog for ‘Topology’ entity
Add title to ‘add’ dialog for ‘Trusts’ entity
Add title to ‘add’ dialog for ‘ID Ranges’ entity
Add title to ‘add’ dialog for ‘RBAC’ entity
Add title to ‘add’ dialog for ‘Vault’ entity
Add title to ‘add’ dialog for ‘DNS’ entity
Add title to ‘add’ dialog for ‘Automount’ entity
Add title to ‘add’ dialog for ‘Certificate Identity’ entity
Add title to ‘add’ dialog for ‘RADIUS’ entity
Add title to ‘add’ dialog for ‘Certificates’ entity
Add title to ‘add’ dialog for ‘Password Policies’ entity
Add title to ‘add’ dialog for ‘SELinux’ entity
Add title to ‘add’ dialog for ‘Sudo’ entity
Add title to ‘add’ dialog for ‘HBAC’ entity
Add title to ‘add’ dialog for ‘Automember’ entity
Drop concatenated title of ‘add’ dialog for ‘attribute_table’ widget
Add title to ‘add’ dialog for ‘ID Views’ entity
Add title to ‘add’ dialog for ‘Groups’ entity
Add title to ‘add’ dialog for ‘Service’ entity
Add title to ‘add’ dialog for ‘Host’ entity
Add title to ‘add’ dialog for ‘OTP’ entity
Add title to ‘add’ dialog for ‘Users’ entity
Drop concatenated title of ‘add’ dialog
Add jslint check to PR CI tests
Fix javascript ‘errors’ found by jslint
Add title to remove dialog of ‘DNS’ entity
Add title to ‘unprovision’ dialog
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Vault’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Topology’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘CA’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘SELinux’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Sudo’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘HBAC’ entity
Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Automember’ entity
Allow having a custom title of ‘Remove’ dialog for ‘attribute_table’ widget
Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Groups’ entity
Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Services’ entity
Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Hosts’ entity
Drop concatenated title of remove dialog
Fix loading ‘freeipa/text’ at production mode
Add a title to ‘remove’ dialog for details of ‘Trusts’ entity
Add a title to ‘remove’ dialog for details of ‘RBAC’ entity
Add a title to ‘remove’ dialog for details of ‘OTP Tokens’ entity
Add a title to ‘remove’ dialog for details of ‘Sudo’ entity
Add a title to ‘remove’ dialog for details of ‘HBAC’ entity
Add a title to ‘remove’ dialog for details of ‘Groups’ entity
Add a title to ‘remove’ dialog for details of ‘Services’ entity
Add a title to ‘remove’ dialog for details of ‘Hosts’ entity
Add a title to ‘remove’ dialog for details of ‘Users’ entity
Drop concatenated title of remove dialog
Add title to remove dialog of ‘Trusts’ entity
Add title to remove dialog of ‘Topology’ entity
Add title to remove dialog of ‘ID Ranges’ entity
Add title to remove dialog of ‘RBAC’ entity
Add title to remove dialog of ‘DNS’ entity
Add title to remove dialog of ‘Automount Locations’ entity
Add title to remove dialog of ‘Certificate Identity Mapping Rules’ entity
Add title to remove dialog of ‘RADIUS Servers’ entity
Add title to remove dialog of ‘OTP Tokens’ entity
Add title to remove dialog of ‘Certificates’ entity
Add title to remove dialog of ‘Password Policies’ entity
Add title to remove dialog of ‘SELinux User Maps’ entity
Add title to remove dialog of ‘Sudo’ entity
Add title to remove dialog of ‘HBAC’ entity
Add title to remove dialog of ‘Automember’ entity
Add title to remove dialog of ‘ID Views’ entity
Add title to remove dialog of ‘Groups’ entity
Add title to remove dialog of ‘Services’ entity
Add title to remove dialog of ‘Hosts’ entity
Add title to remove dialog of ‘Users’ entity
Drop concatenated title of remove dialog
Add tests for LoginScreen widget
Add “bounce” logic from “reset_password.js”
Fix translations of messages in LoginScreen widget
Clean up reset_password.js file from project
Use “login” plugin instead of standalone JS file
Add “reset_and_login” view to LoginScreen widget
Replace the direct URL with config’s one
Add basic tests to web pages which are located at /ipa/config/
Fix translation of “ssbrowser.html” Web page
Fix translation of “unauthorized.html” Web page
Fix render validation items on keypress event at login form
Reindex ‘key_indicies’ after item delete
Fix “get_key_index” to fit caller’s expectations
Add basic tests for “migration” end point
Clean up migration “error” and “invalid” pages from project
Provide translatable messages for MigrateScreen widget
Integrate “migration” page to IPA Web framework.
Return the result of “password migration” procedure
Add “migrate” Web UI plugin
Add MigrateScreen widget
Fix translation of “SyncOTPScreen” widget
Fix translation of “sync_otp” plugin
Replace the direct URL with config’s one
Sergey Orlov (17)#
ipatests: new tests for ipa-winsync-migrate utility
ipatests: refactor test_trust.py
ipatests: adapt test_trust.py for changes in multihost fixture
ipatests: allow AD hosts to be placed in separate domain config objects
ipatests: relax requirements for time server quality
ipatests: fix expectations of `ipa trust-find` output for trust with root domain
ipatests: in test_trust.py fix parent class
ipatests: disable bind dns validation when preparing to establish AD trust
ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
Revert “Tests: Remove DNS configuration from trust tests”
ipatests: fix host name for ssh connection from controller to master
ipatests: add test for correct modlist when value encoding differs
ipatests: fix ldap server url
Remove obsolete tests from test_caless.py
Remove unused tests
ipatests: add test for ipa-restore in multi-master configuration
ipatests: add test for ipa-advise for enabling sudo for admins group
Serhii Tsymbaliuk (53)#
Replace logo images with new one (version 4.7)
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
WebUI test: Fix automember tests according to new behavior
Web UI: Increase timeouts for UI tests in Nightly PR configuration
Fix test_arbitrary_certificates for Web UI
Web UI tests: Get rid of *_cert_path and *_csr_path config variables
Fix certificate revocation tests for Web UI
Split test_webui_hosts PRCI tests
Fix “Configured size limit exceeded” warning on Web UI
WebUI: Temporary fix for UnexpectedAlertPresentException
Fix “ID views” tests fail after running “Automember” tests
Fix nightly PR CI configuration for Web UI tests
Split Web UI test suite in nightly PR CI configuration
Increase memory size for ipaserver topology (nightly-master.yaml)
WebUI tests: Make possible to use kwargs with @screenshot decorator
UI tests for “Automount”: check dialog confirmation using ENTER
UI tests for “Automount”: check some negative cases
UI tests for “Automount”: check indirect map duplication
UI tests for “Automount”: check creating automount key without some fields
UI tests for “Automount”: check creating indirect automount map without some fields
UI tests for “Automount”: Fix item deleting
UI tests for “Automount”: check modifying map and key settings
UI tests for “Automount”: check “Add Automount…” dialogs
UI tests for “Automember”: Extend search cases
UI tests for “Automember”: Negative cases
UI tests for “Automember”: check setting default user/host group
UI tests for “Automember”: check creating and deleting of automember rule conditions
UI tests for “Automember”: check creating and deleting of multiple rules
UI tests for “Automember”: check search filter
UI tests for “ID Range”: Clean unnecessary Python2 compatible code constructions
UI tests for “ID Range”: check deleting primary local range
UI tests for “ID Range”: check creating ID Range with overlapping of primary and secondary RID base
UI tests for “ID Range”: - check creating ID range with special characters in name - check modifying ID range with existing secondary RID base
UI tests for “ID Range”: check modifying ID range with invalid or missing values
UI tests for “ID Range”: check adding range with overlapping of existing local range
UI tests for “ID Range”: check primary RID base duplication
UI tests for “ID Range”: check adding range without primary and secondary RID bases
UI tests for “ID Range”: check range name and base ID duplication
Change Web UI tests setup flow
Fix UI_driver.has_class exception. Handle situation when element has no class attribute
Increase some timeouts in Web UI tests
Remove unnecessary session clearing in some Web UI tests
Add cookies clearing for all Web UI tests
Generate CSR for test_host::test_certificates (Web UI test)
Add SAN extension for CSR generation in test_cert (Web UI tests)
Fix unpermitted user session in test_selfservice (Web UI test)
Fix test_user::test_login_without_username (Web UI test)
Use random realmdomains in test_webui/test_realmdomains.py
Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
Increase request timeout for WebUI tests
Use random IPs and domains in test_webui/test_host.py
Fix hardcoded CSR in test_webui/test_cert.py
Replace old login screen logo with new one
sudharsanomprakash (1)#
Don’t use deprecated Apache Access options.
Thierry Bordaz (1)#
In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange
Tibor Dudlák (5)#
Support interactive prompt for ntp options
Fix test_ntp_options to use tasks’ methods
Do not set ca_host when –setup-ca is used
Add assert to check output of upgrade
Re-open the ldif file to prevent error message
Thomas Woerner (56)#
Extend test for orphan automember rules (issue/6476)
Enable firewall in the tests for PR CI
ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec
ipatests/test_integration/test_replica_promotion.py: Fix firewall config
ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall
ipatests integration/tasks.py: Honor clean for firewall in uninstall_master
ipatests/test_integration/test_replica_promotion.py: Configure firewall
ipatests/test_integration/test_dnssec.py: Enable dns firewall service
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
ipatests/pytest_ipa/integration/tasks.py: Configure firewall
New firewall support class in ipatests/pytest_ipa/integration/firewall
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
Fix ressource leak in client/config.c get_config_entry
Update annobin to fix continuous-integration/travis-ci/pr issues
Find orphan automember rules
Remove DL0 specific code from ipatests/test_integration/test_caless.py
Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py
Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py
Remove replica_file knob from ipalib/install/service.py
Remove replica_file from ClientInstall class in ipaclient/install/client.py
Remove options.promote from install in ipaserver/install/server/install
Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER
Remove DL0 specific code from custodiainstance in ipaserver/install
Remove create_replica_config from installutils in ipaserver/install
Remove DL0 specific code from replicainstall in ipaserver/install/server
Remove DL0 specific code from __init__ in ipaserver/install/server
Remove DL0 specific code from ipa_replica_install in ipaserver/install
Remove unused promote arg in krbinstance.create_replica in ipaserver/install
Remove DL0 specific code from kra in ipaserver/install
Remove DL0 specific code from dsinstance ipaserver/install
Remove DL0 specific code from ipa_kra_install in ipaserver/install
Remove DL0 specific code from cainstance and ca in ipaserver/install
Remove DL0 specific code from ipa-ca-install
Remove ipa-replica-prepare script and man page
Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug
replicainstall: Make sure that domain fulfills minimal domain level requirement
ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel
ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum
ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile import
ipatests: Drop test_password_option_DL0
Move DL0 raises outside if existing conditionals to calm down pylint
Remove “at DL1” from ipa-server-install man page
Remove “at DL1” from ipa-replica-manage man page
Remove DL0 specific sections from ipa-replica-install man page
Remove support for replica_file option from ipa-kra-install
Remove support for replica_file option from ipa-ca-install
Raise error if DL is set to 0 or DL0 options are used
Mark replica_file option as deprecated
Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1
Do not install ipa-replica-prepare
ipaclient: Remove –no-sssd and –no-ac options
ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X
httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)