The FreeIPA team would like to announce the first release candidate of FreeIPA 4.8.0!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora will be available in the official COPR repository.

Highlights in 4.7.90.pre1

  • 4580: FreeIPA’s LDAP server requires SASL security strength factor of >= 56

The default configuration of the FreeIPA LDAP server is improved to require a SASL security strength factor higher than 56 bits.


  • 4491: Use lib389 to install 389-ds instead of setup-ds.pl

FreeIPA now uses the Python-based installer of the 389-ds directory server.


  • 4440: Add support for bounce_url to /ipa/ui/reset_password.html

The /ipa/ui/reset_password.html page accepts a url parameter to provide the user with a back link after a successful password reset, to support resets initiated by external web applications. An additional parameter, delay, automatically redirects back after the specified number of seconds has elapsed.


  • 5608: Tech preview: add Dogtag configuration extensions

The FreeIPA team started a rewrite of the Certificate Authority configuration to make it possible to pass additional options when configuring Dogtag. This is required to allow the use of hardware security modules (HSM) within the FreeIPA CA, but also to allow tuning of CA defaults. HSM configuration is not yet fully available due to a number of open issues in Dogtag itself.


  • 5803: Add utility to promote CA replica to CRL master

A new utility was added to promote a CA replica to be the CRL master. The design page provides more details and usage examples.


  • 6077: Support One-Way Trust authenticated by trust secret

Samba integration was updated to allow establishing a trust to Active Directory from the Windows side using a Trust wizard. This makes it possible to establish a one-way trust authenticated by a shared trust secret. Additionally, it makes it possible to establish a trust with Samba AD DC 4.7 or later, initiated from the Samba AD DC side.


  • 6790: Allow creating IPA CA with 3084-bit key.

The default CA key size is raised to 3072 instead of 2048 because it is the size recommended by NIST. An extensibility feature added with ticket 5608 allows increasing the CA key size further, but a 4096-bit key is considerably slower. The change only affects new deployments. There is no way to upgrade existing CA infrastructure other than issuing a new CA key and re-issuing new certificates to all existing users of the old root CA. In addition, lightweight sub-CAs are currently hard-coded to a 2048-bit key size. All relevant public root CAs in the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.


  • 7193: Warn or adjust umask if it is too restrictive to break installation

FreeIPA deployment now enforces its own umask settings where required, to allow deployment at hardened sites which follow some of the STIG recommendations.


  • 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not

The command ipa-pkinit-manage enable|disable reports success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by the IPA CA when state=enable, self-signed when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept.

The fix consists of deleting the cert and key files before calling certmonger to request a new cert.


  • 7206: Provide an option to include FQDN in IDM topology graph

In the replication topology graph visualization, it is now possible to see a fully qualified name of the server. This change helps to reduce confusion when managing complex multi-datacenter topologies.


  • 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable

The log level for technical messages of the KDC proxy was reduced to keep logs clean.


  • 7451: Allow issuing certificates with IP addresses in subjectAltName

FreeIPA now allows issuing certificates with IP addresses in the subject alternative name (SAN), if all of the following are true:

    • One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).

    • All of the DNS entries in the resolution chain are managed by this IPA instance.

    • The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
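
The three conditions above, sketched as an added example (not FreeIPA's own code) over a constructed in-memory zone table. The zone data, the function names, and the reading of "correct" as "the PTR record names the host that owns the address record" are assumptions.

```python
import ipaddress

# Constructed sample data: DNS zones managed by a hypothetical IPA instance,
# laid out as {zone: {owner name: {record type: [values]}}}.
MANAGED_ZONES = {
    "ipa.test.": {
        "web.ipa.test.": {"A": ["192.0.2.10"]},
        "www.ipa.test.": {"CNAME": ["web.ipa.test."]},
        "ext.ipa.test.": {"CNAME": ["host.example.org."]},  # chain leaves IPA's zones
        "norev.ipa.test.": {"A": ["192.0.2.20"]},           # no PTR record exists
        "alias.ipa.test.": {"A": ["192.0.2.30"]},           # PTR names another host
    },
    "2.0.192.in-addr.arpa.": {
        "10.2.0.192.in-addr.arpa.": {"PTR": ["web.ipa.test."]},
        "30.2.0.192.in-addr.arpa.": {"PTR": ["other.ipa.test."]},
    },
}
MAX_CNAME_DEPTH = 8  # assumed bound so that CNAME loops terminate


def normalize(name):
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(name, rtype, zones):
    """Return the records for name, or None if no managed zone contains it."""
    name = normalize(name)
    candidates = [z for z in zones if name == z or name.endswith("." + z)]
    if not candidates:
        return None                       # outside every managed zone
    zone = max(candidates, key=len)       # longest-suffix match
    return zones[zone].get(name, {}).get(rtype, [])


def forward_chain(dns_name, ip, zones):
    """Conditions 1 and 2: follow dns_name (through CNAMEs) to ip.

    Returns the name owning the matching A/AAAA record, or None when the
    chain does not reach ip or any link lies outside the managed zones.
    """
    rtype = "A" if ip.version == 4 else "AAAA"
    name, seen = normalize(dns_name), set()
    while name not in seen and len(seen) < MAX_CNAME_DEPTH:
        seen.add(name)
        addrs = lookup(name, rtype, zones)
        if addrs is None:
            return None                   # link not managed by this instance
        if any(ipaddress.ip_address(a) == ip for a in addrs):
            return name
        cnames = lookup(name, "CNAME", zones)
        if not cnames:
            return None                   # dead end: no address, no alias
        name = normalize(cnames[0])
    return None                           # CNAME loop or chain too long


def reverse_ok(ip, owner, zones):
    """Condition 3: a managed PTR record for ip points back at owner."""
    targets = lookup(ip.reverse_pointer + ".", "PTR", zones)
    return bool(targets) and owner in {normalize(t) for t in targets}


def check_san_ips(san_dns_names, san_ips, zones=MANAGED_ZONES):
    """Return {ip: None if acceptable, else the reason for refusal}."""
    result = {}
    for text in san_ips:
        ip = ipaddress.ip_address(text)
        chains = (forward_chain(n, ip, zones) for n in san_dns_names)
        owners = [o for o in chains if o]
        if not owners:
            result[text] = "no SAN DNS name resolves to it within managed zones"
        elif not any(reverse_ok(ip, o, zones) for o in owners):
            result[text] = "missing or mismatched managed PTR record"
        else:
            result[text] = None
    return result


if __name__ == "__main__":
    request = (["www.ipa.test", "ext.ipa.test", "norev.ipa.test"],
               ["192.0.2.10", "198.51.100.5", "192.0.2.20"])
    for ip, reason in check_san_ips(*request).items():
        print(ip, "accepted" if reason is None else "refused: " + reason)
```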


  • 7568: FreeIPA no longer supports Python 2

Removed Python 2 related code and configuration from spec file, autoconf and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python 3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are no longer available. PR-CI, lint, and tox aren’t testing Python 2 compatibility anymore.


  • 7632: Allow IPA Services to Start After the IPA Backup Has Completed

ipa-backup gathers all the files needed for the backup, then compresses the file and finally restarts the IPA services. When the backup is a large file, the compression may take time and widen the unavailability window. This fix restarts the services as soon as all the required files are gathered, and compresses after services are restarted.


  • 7619, 7640, 7641: UI migration, password reset and configuration pages support translations

Static pages in the FreeIPA web UI now allow translated content.


  • 7658: sysadm_r should be included in default SELinux user map order

sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.


  • 7689: Domain Level 0 is no longer supported

Code to support operation on Domain Level 0 is removed. In order to upgrade to FreeIPA 4.8.0 via replication, an existing deployment must first be brought up to Domain Level 1.


  • 7747: Support interactive prompt for NTP options for FreeIPA

In interactive mode, FreeIPA now asks the user for an NTP source server or pool address if neither a server nor a pool is specified and autodiscovery has not found any NTP source in DNS records.


  • 7892: Tech preview: hidden / unadvertised IPA replica

A hidden replica is an IPA master server that is not advertised to clients or other masters. Hidden replicas have all services running and available, but none of the services has any DNS SRV records or enabled LDAP server roles. This makes hidden replicas invisible for service discovery. The design document provides more details on use cases and management of hidden replicas.


  • PyPI packages have fewer dependencies

The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient no longer depend on the binary extensions netifaces and python-ldap by default.


Bug fixes

There are more than 220 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • 631 ipa-getkeytab does not support -W option

  • 4270 CA-less installation should not continue if dirsrv/httpd certificate is revoked

  • 4271 CA-less test suite always generate failures

  • 4440 Add support for bounce_url to /ipa/ui/reset_password.html

  • 4491 Investigate utilizing lib389

  • 4580 Investigate SSF values when SASL/GSSAPI is used to authenticate to LDAP

  • 4607 ipa-getkeytab fails if -k points to empty file or a symlink to nonexistent file

  • 5378 Incorrect error message at wrong password from private key file

  • 5608 [RFE] Add Dogtag HSM support

  • 5803 Add utility to promote CA replica to CRL master

  • 5880 Second call to ldapmodify in ipatests.test_integration.tasks.enable_replication_debugging fails

  • 5887 IDNA domains does not work under py3

  • 6077 [RFE] Support One-Way Trust authenticated by trust secret

  • 6261 Replace ERROR: cannot connect to ‘http://localhost:8888/ipa/json’: [Errno 111] Connection refused with ‘IPA is not configured on this system’

  • 6353 During one step replica install the command accepts both OTP and Admin password simultaneously

  • 6468 Make ipaclient pip install-able

  • 6476 automember-rebuild crashes

  • 6594 ipa idoverrideuser-find view --anchor fails to return output

  • 6790 [RFE] Allow creating IPA CA with 4096-bit key.

  • 6844 ipa-restore fails when umask is set to 0027

  • 6888 ipa-custodia must not require DAC_OVERRIDE

  • 6951 Update samba config file and use sss idmap module

  • 6959 ipa-server-certinstall should add any intermediate CA certificate a server certificate is signed with

  • 6979 Suggest user to install libyubikey package instead of traceback

  • 7082 FreeIPA 4.5 is not compatible with latest pyasn1

  • 7140 Configure DS to use minssf = 128

  • 7193 [RFE] Warn or adjust umask if it is too restrictive to break installation

  • 7196 ipa-replica-install fails with ‘HTTPError: 403 Client Error: Forbidden’ due to a custodia issue

  • 7200 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.

  • 7206 [RFE] Provide an option to include FQDN in IDM topology graph

  • 7217 Significantly reduce the KDC LDAP driver search timeout

  • 7262 Authn/TOTP defined users periodically prompt for just password credentials to access resources

  • 7288 set_directive can overwrite wrong directives

  • 7347 ipa-server-install breaks if subject base RDN has an escaped comma

  • 7362 Update FreeIPA project logo

  • 7365 [RFE] make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable

  • 7366 RFE: ipa client should setup openldap for GSSAPI

  • 7369 The ipa-replica-install command failed, exception: ValidationError: invalid ‘dnszoneidnsname’: only master zones can contain records

  • 7408 ipa-replica-install command should display proper message on the console.

  • 7451 Allow issuing certificates with IP addresses in subjectAltName

  • 7455 Add a test for backup-restore in multimaster topology

  • 7492 client install still creates /etc/ipa/nssdb

  • 7517 Failures in test_server_del test suite

  • 7528 Upon ipa-server-install on Ubuntu 18.04, Apache unable to use encrypted httpd.key

  • 7532 ipa-advise config-client-for-smart-card-auth: enable smart card auth in sssd.conf

  • 7537 PR-CI: external_ca tests are hitting timeout

  • 7538 sudo rule for “admins” members should be created by default

  • 7545 TestCASpecificRUVs.test_replica_uninstall_deletes_ruvs start failing with assertion error

  • 7548 Need integration test for --external-ca-type=ms-cs

  • 7559 UI LoginScreen widget cannot be translated

  • 7566 Installation of replica against a specific master

  • 7568 Deprecate Python 2

  • 7569 Users with user creation/modification privileges fail to add the “--radius-username” option when creating users

  • 7570 Create a system permission for access to radius proxy entries

  • 7578 IPA server upgrade should remove stale kdcinfo_* generated by SSSD

  • 7579 ipa-cacert-manage cannot import PKCS#7 files

  • 7587 Increase WSGI worker process count

  • 7598 ipa-client-install: autodiscovery must refuse single label domains

  • 7601 ldapmodify userPassword reflects on krblastpwdchange on RHEL6 but not RHEL7

  • 7602 ipa-replica-install allows to use --setup-adtrust without the package freeipa-server-trust-ad installed

  • 7603 In IPA WebUI, a warning appears in the background(warning message behind the dialog box).

  • 7608 FreeIPA 4.6.3 install fails when `/proc/sys/crypto` is absent

  • 7617 ipa-replica-install defines nsds5replicabinddngroup before the group contains the DN of the replication manager

  • 7619 [Translation] reset password page is not translated

  • 7620 client uninstall fails when installed using non-existing hostname

  • 7621 [Translation] sync otp page is not translated completely

  • 7625 ipa-client-install fails with ScriptError(rval=CLIENT_INSTALL_ERROR)

  • 7628 ipa ca-show --certificate-out=/tmp/ca fails with python type error

  • 7629 Replica installation fails with connection refused error

  • 7630 ipa-restore should check that optional feature packages are installed before restoring a backup using a feature

  • 7632 [RFE] Allow IPA Services to Start After the IPA Backup Has Completed

  • 7638 PR-CI: Make “Not enough resources configured” an error

  • 7640 [Translation] ipa/config/{unauthorized,ssbrowser}.html are not translated

  • 7641 [Translation] ipa/migration/{error,index,invalid}.html are not translated

  • 7642 Installation fails: Replica Busy

  • 7644 ipa-server-upgrade displays ‘DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven’t been updated’

  • 7649 error shown when options are added to an existing sudo rule

  • 7650 client installer uses invalid format in chmod (0x…)

  • 7651 ipa-replica-install --setup-kra broken on DL1

  • 7652 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound

  • 7654 ipa-kra-install fails on DL1

  • 7656 ipa-replica-install on DL0 doesn’t completely honor --no-host-dns

  • 7657 Leaving IPA domain fails: Failed to remove krb5/LDAP configuration: expected str, bytes or os.PathLike object, not NoneType

  • 7658 [RFE] sysadm_r should be included in default SELinux user map order

  • 7659 ipa trust-add fails in FIPS mode.

  • 7661 SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service

  • 7662 SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/

  • 7663 pytest 3.7.0 fails on pytest_plugins in ipatests.plugins

  • 7664 ipa_tests: test ssh keys login

  • 7666 ipa-server-install script is failing when using the “--no-dnssec-validation” parameter combined with the “--forwarder”

  • 7669 Hide domain level 0 specific options from tools and commands

  • 7671 Remove --no-sssd and --noac options

  • 7674 client install fails on Fedora 29

  • 7678 [WebUI] JS error of ‘reset’ view

  • 7679 [WebUI] all validation items are rendered on each key typing at login form

  • 7680 Detect Python interpreter during configure

  • 7681 ipa server uninstall with -v option displays “IOError: [Errno 9] Bad file descriptor Logged from file ipautil.py, line 442”

  • 7684 Re-installing replica on the same system displays ‘WARNING: cannot check if port 443 is already configured’

  • 7685 [pyasn1] not supported upstream’s version

  • 7687 Integration test for sssd_ssh leaks

  • 7688 ipa-server-upgrade does not store the upgrade state for subCa

  • 7689 Remove Domain Level 0 specific code

  • 7691 ‘ipa vault-retrieve’ is failing with “ipa: ERROR: an internal error has occurred”

  • 7699 [Translation] [remove dialog] not entire sentences

  • 7700 ipa cert-show --chain --certificate-out fails with an internal error

  • 7702 [Translation] not entire sentence of title of ‘Remove’ dialog for ‘Association’ facet

  • 7704 [Translation] not entire sentence of title of ‘Remove’ dialog for ‘association_table’ widget

  • 7705 Support Samba 4.9

  • 7707 [Translation] not entire sentence of title of Entity’s ‘Add’ dialog

  • 7708 Create a warning that SSSD needs restart after idrange-mod

  • 7709 [WebUI] Tests for “ID Ranges”

  • 7710 Update spec file to require sssd-ipa, not an sssd meta-package

  • 7711 python 3 fallout in ipa-server-install

  • 7712 [Translation] not entire sentence of title of association facet’s ‘Add’ dialog

  • 7714 [Translation] not entire sentence of title of ‘Add’ dialog for ‘association_table’ widget

  • 7715 Remove Python 2 specific elements

  • 7717 jslint is not running in pr ci tests

  • 7718 javascript ‘errors’ found by jslint

  • 7719 Automation added for NTP Replacement test scenarios

  • 7721 [WebUI] Tests for “Automember”

  • 7723 NTP options fails on ipa replica

  • 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors

  • 7729 Bad output on failed client installation rollback

  • 7731 ipa-advise command points to old URL’s.

  • 7732 systemd complains about legacy of /var/run

  • 7735 [WebUI] Tests for “Automount”

  • 7738 Fix C issues found by coverity and other tools

  • 7740 continuous-integration/travis-ci/pr fails with latest gcc update

  • 7741 Smart card advise script uses hard-coded Python interpreter

  • 7742 External CA installer removes Dogtag’s client DB after step 1

  • 7743 Create automation to ensure that all integration tests are executed

  • 7744 ipa-replica-install picks wrong replica for CA initial replication

  • 7745 nss.conf needs to be zero length, not removed.

  • 7746 IPA help command fails in an environment without the `less` binary

  • 7747 [RFE] Support interactive prompt for NTP options for FreeIPA

  • 7750 ipaldap: invalid modlist when attribute encoding can vary

  • 7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration

  • 7752 ipa client throws http.client.ResponseNotReady error

  • 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py

  • 7754 Replace archaic term messagebus with dbus

  • 7755 Enable firewall in the tests

  • 7756 Split Web UI test suite in nightly PR CI configuration

  • 7758 pylint-2.1.1 errors on Fedora 29

  • 7759 ipa-server-certinstall --http allows to install a server cert even though the CA is not known

  • 7761 External CA renewal accepts issuer key < 2048-bit

  • 7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier

  • 7767 make fasttest errors because of missing python3-lib389

  • 7769 Installer does not detect that kadmin port 749/UDP is blocked

  • 7770 searching for ipa users by certificate fails

  • 7771 [WebUI] “ID views” tests fail after running “Automember” tests

  • 7772 pylint 2.2.0 violations

  • 7775 IPA Upgrade failed with “unable to convert the attribute u’cACertificate;binary’”

  • 7776 authselect 1.0.2 fails on unknown feature

  • 7777 new prci_definitions memory requirements

  • 7778 test_full_backup_and_restore_with_replica fails with “Unknown host replica1.ipa.test”

  • 7779 Update PR-CI definitions to use Fedora 29

  • 7780 Make ipa-client-automount –uninstall more robust

  • 7781 Don’t start/enable nfs-idmap nor nfs-secure

  • 7783 use non-symlink (aliases) NFS unit names

  • 7786 Index accessruletype, hostcategory, ipaenabledflag, ipserviceport, and ipserviceprotocol by default

  • 7787 Missing indexes for automountmapname and automountkey

  • 7788 Majority of gating tests are not part of nightly flows.

  • 7790 ipa host-del --updatedns FQDN yields unindexed searches

  • 7792 Missing index on ipaconfigstring

  • 7793 ipa service-del service fails with internal error

  • 7795 ipa-pkinit-manage enable fails on replica if it doesn’t host the CA

  • 7796 ipa-replica-install fails migrating CentOS 6 to 7

  • 7797 SSSD’s getservby*() causes performance issues

  • 7803 Missing index on idnsName

  • 7805 [NFS] test kerberized NFS

  • 7807 Detect container installation to avoid Kernel keyring

  • 7809 All Web UI tests fail with UnexpectedAlertPresentException

  • 7810 [F28] Require NSS with fix for p11-kit issue.

  • 7811 Fix compile issue with new 389-ds

  • 7828 ipa trust-add fails with ipa: ERROR: an internal error has occurred

  • 7829 ipa-server-upgrade when run displays ‘No such file name in the index’ on the console

  • 7830 FreeIPA installation fails with 389-DS 1.4.0.20-1

  • 7831 add systemd-user HBAC service to default set of HBAC services

  • 7832 [WebUI] cross-origin request

  • 7834 Fix certificate revocation tests for Web UI

  • 7835 Cert revocation for services and hosts is inefficient

  • 7837 Replace os.getenv(‘HOME’) with os.path.expanduser

  • 7838 configure_openldap_conf() does not handle multi-value URI

  • 7841 Remove tests for client installation with --no-sssd and --noac options

  • 7843 [WebUI] Use generated certificates and CSR for testing

  • 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations

  • 7855 Automember XML-RPC test failure

  • 7856 Nightly test failure in test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall

  • 7857 Create tests for ipa-winsync-migrate

  • 7858 Define C feature macros

  • 7860 389-ds-base will no longer use /etc/sysconfig

  • 7861 Make IPADiscovery available in PyPI packages

  • 7862 “ccache” may not exist if GSSError occurs in ipa-client-automount causing an exception to be thrown

  • 7864 [WebUI] Review and increase timeouts for UI tests in Nightly PR configuration

  • 7865 test_topology_TestTopologyOptions:test_add_remove_segment nightly failure in fed28 and fed29

  • 7866 FreeIPA server deployment fails due to ‘Permission denied’ error under /tmp during pki-tomcatd deployment

  • 7868 ipa-client-automount exception backing up /etc/sysconfig/nfs

  • 7873 remove all occurrences of osinfo.version_id from ipatests/

  • 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations

  • 7876 Fail replica install

  • 7877 External CA installation: sanity check pathLenConstraints

  • 7881 [WebUI] Automember UI tests are broken

  • 7883 Cannot install ipa-server on rhel7.7

  • 7884 Coverity: New defect found in ipa-4.6.5

  • 7886 ipa-replica-manage force-sync --from keeps prompting “No status yet”

  • 7889 test_integration/test_trust.py need improvement

  • 7891 Extend test for #6476 automember-rebuild crashes

  • 7892 Implement hidden / unadvertised IPA replicas

  • 7893 ipasam needs changes for Samba 4.10

  • 7894 restoring a backup done on a hidden replica results

  • 7895 ipa trust fetch-domains, server parameter ignored

  • 7896 ipa-server-upgrade fails with ConversionError: invalid ‘cn’: must be Unicode text

  • 7897 ipa-kra-install failing with invalid ‘role_servrole’: must be Unicode text error

  • 7900 dns and search not fixed for dns enabled deployments

  • 7901 IPA Web UI is slow to display user details page.

  • 7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules

  • 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains

  • 7905 ipa-dnskeysync-replica should handle LDAP down gracefully

  • 7906 ipa-kra-install fails due to fs.protected_regular=1

  • 7907 ipa-replica-install due to permission error, leaves ipa server in unstable condition

  • 7909 Wrong evaluation of replication update status

  • 7916 ipaplatform.debian.services does not implement wait for CA service

  • 7921 Missing deps for `make pylint`

  • 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd

Detailed changelog since 4.7.2

Armando Neto (3)

  • Add test for client installation with empty keytab file

  • Fix certificate type error when exporting to file

  • Delete empty keytab during client installation

Alexander Bokovoy (32)

  • Enforce SMBLoris attack protection in default Samba configuration

  • Set idmap config for Samba to follow IPA ranges and use SSSD

  • Update list of contributors and sort them alphabetically

  • Update mailmap

  • Update translations from Zanata

  • Bypass D-BUS interface definition deficiencies for trust-fetch-domains

  • Remove DsInstance.request_service_keytab as it is not needed anymore

  • oddjob: allow to pass options to trust-fetch-domains

  • ipasam: use SID formatting calls to libsss_idmap

  • upgrade: add trust upgrade to actual upgrade code

  • upgrade: upgrade existing trust agreements to new layout

  • trusts: add support for one-way shared secret trust

  • trust: allow trust agents to read POSIX identities of trust

  • Add design page for one-way trust to AD with shared secret

  • domainlevel-get: fix various issues when running as non-admin

  • make sure IPA_CONFDIR is used to check that client is configured

  • ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned

  • ipa-sidgen: make internal fetch_attr helper really internal

  • Update translations from Zanata

  • ipa-kdb: reduce LDAP operations timeout to 30 seconds

  • Update translations from Zanata

  • ipaserver.install.adtrust: fix CID 323644

  • net groupmap: force using empty config when mapping Guests

  • adtrust: define Guests mapping after creating cifs/ principal

  • Update list of contributors

  • Import updated translations from Zanata

  • Re-sort the translations before importing new ones from Zanata

  • When stripping PO files, sort the output

  • Support Samba 4.9

  • ipasam: do not use RC4 in FIPS mode

  • Move fips_enabled to a common library to share across different plugins

  • ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions

Ian Pilcher (1)

  • Allow issuing certificates with IP addresses in subjectAltName

Alexander Scheel (2)

  • Add missing docstrings to kernel_keyring.py

  • Add docstring to verify_kdc_cert_validity

Adam Williamson (1)

  • Fix authselect invocations to work with 1.0.2

Christian Heimes (183)

  • Make ipaclient.discovery usable from command line

  • Make IPADiscovery work without ldap

  • Make python-ldap optional for PyPI packages

  • Correct path to systemd-detect-virt

  • Add helper to look for missing binaries

  • Guard dbus.start() with dbus.is_running()

  • Move Custodia secrets handler to scripts

  • chmod SYSTEMD_PKI_TOMCAT_IPA_CONF

  • Check for SELinux AVCs after installation

  • Refactor tasks to include is_selinux_enabled()

  • Globally disable softhsm2 in p11-kit-proxy

  • Pass token_name to certmonger

  • Fix and extend pki config override test

  • Deprecate ipa-client-install --request-cert

  • Debian: Use RedHatCAService for pki-tomcatd

  • Debian: auto-generate config files for oddjobd

  • Debian: Fix replication of light weight sub CAs

  • Add ODS manager abstraction to ipaplatform

  • Debian: Use different paths for KDC cert and key

  • Debian: Add fixes for OpenDNSSEC 2.0

  • Debian: Add paths for open-sans and font-awesome

  • Debian doesn’t have authselect

  • Debian: use -m lesscpy instead of hard-coded name

  • Reduce startup_timeout to 120sec as documented

  • Add ExecStartPost hook to wait for Dogtag PKI

  • Remove deprecated object logger

  • Explain why tests still use 2048bit external CA

  • Reuse key type and size in certmonger resubmit

  • Increase default key size for CA to 3072 bits

  • Use Network Manager to configure resolv.conf

  • Add --pki-config-override to man pages

  • Add test case for pki config override

  • Verify pki ini override early

  • Simplify and consolidate ipaca.ini

  • Add pki.ini override option

  • Use new pki_ipaca.ini to spawn instances

  • Add IPA specific vars to ipaca_default.ini

  • Simplify and slim down ipaca_default.ini

  • Add current default.cfg from Dogtag

  • Improve error handling in DNSSEC helpers

  • Gating: remove vault and kdcproxy tests

  • automount: rmtree temp directory

  • Make netifaces optional

  • Adapt cert-find performance workaround for users

  • Skip orphan automember rule test

  • Verify external CA’s basic constraint pathlen

  • Require a minimum SASL security factor of 56

  • Move DS’s Kerberos env vars to unit file

  • Add tasks.systemd_daemon_reload()

  • Add option to remove lines from a file

  • Disable flaky hidden replica backup test

  • Add test case for configure_openldap_conf

  • Don’t fail if config-show does not return servers

  • Add design draft

  • Test replica installation from hidden replica

  • Synchronize hidden state from IPA master role

  • Don’t allow to hide last server for a role

  • More test fixes

  • Improve config-show to show hidden servers

  • Consider hidden servers as role provider

  • Implement server-state –state=enabled/hidden

  • Simplify and improve tests

  • Add hidden replica feature

  • Consolidate container_masters queries

  • Use api.env.container_masters

  • replica install: acknowledge ca_host override

  • Fix assign instead of compare

  • GIT: ignore ipa-crlgen-manage

  • Reformat and PEP8 ipaclient.discovery

  • Make IPADiscovery available in PyPI packages

  • Disable dependency on dogtag-pki PyPI package

  • Test --external-ca-type=ms-cs

  • Remove ZERO_STRUCT() call

  • Update build requirements on twine

  • Compile IPA modules with C11 extensions

  • Add ldapmodify/search helper functions

  • Let 389-DS configure LDAPI for us

  • Use LDAPS when installing CA on replica

  • Use secure LDAP connection in tests

  • Use new LDAPClient constructors

  • Add constructors to ldap client

  • Move realm_to_serverid/ldap_uri to ipaldap

  • Mark two failing automember tests as xfail

  • Require 389-ds 1.4.0.21

  • ipa-getkeytab: resolve symlink

  • Optimize cert remove case

  • Add workaround for slow host/service del

  • Add workaround for lib389 HOME bug

  • Use expanduser instead of HOME env var

  • Don’t configure KEYRING ccache in containers

  • Mark failing NTP test as expected failure

  • Fix systemd-user HBAC rule

  • Create systemd-user HBAC service and rule

  • Require krb5 with fix for CVE-2018-20217

  • Don’t use Python dependency generator yet

  • Use debug logger in ntpd_cleanup()

  • Make conftest compatible with pytest 4.x

  • Require 389-DS = 1.4.0.16

  • Add index on idnsName

  • Require 3.41.0-3 on Fedora 28

  • Fix test_advise in nightly runs

  • Create reindex task for ipaca DB

  • Add more LDAP indices

  • LDAPUpdate: Batch index tasks

  • Always collect test logs

  • Disable nss-p11-kit crypto policy for tests

  • Add install/remove package helpers to advise

  • Test smart card advise scripts

  • Log stderr in run_command

  • Smart card auth advise: Allow Apache user

  • Allow HTTPd user to access SSSD IFP

  • Remove dead code

  • Add index and container for RFC 2307 IP services

  • Handle service_del with bad service name

  • Run idviews integration tests in nightly

  • Add integration tests for idviews

  • Resolve user/group names in idoverride*-find

  • Require Dogtag PKI 10.6.8-3

  • Update temp commit template to F29

  • Increase debugging for blocked port 749 and 464

  • Address misc pylint issues in CLI scripts

  • pylint: also verify scripts

  • pylint: Fix duplicate-string-formatting-argument

  • pylint 2.2: Fix unnecessary pass statement

  • TestBackupAndRestoreWithReplica needs 2 replicas

  • Unify and simplify LDAP service discovery

  • PR-CI: Restart rpcbind when it blocks kadmin port

  • Fix pytest deprecation warning

  • certdb: validate server cert signature

  • Require pylint 2.1.1-2

  • Silence comparison-with-itself in tests

  • Fix raising-format-tuple

  • Fix various dict related pylint warnings

  • Fix Module ‘pytest’ has no ‘config’ member

  • Fix useless-import-alias

  • Fix comparison-with-callable

  • Address consider-using-in

  • Ignore consider-using-enumerate for now

  • Address inconsistent-return-statements

  • Address pylint violations in lite-server

  • Ignore W504 code style like in travis config

  • Remove DS perl paths from debian platform

  • Drop dependency on 389-ds-base-legacy-tools

  • Speed up test_customized_ds_config_install

  • Add missing tests to nightly runs

  • Replace messagebus with modern name dbus

  • Fix test_cli_fsencoding on Python 3.7, take 2

  • Copy-paste error in permissions plugin, CID 323649

  • Allow ipaapi user to access SSSD’s info pipe

  • Fix test_cli_fsencoding on Python 3.7

  • ipapwd_pre_mod: NULL ptr deref

  • ipadb_mspac_get_trusted_domains: NULL ptr deref

  • has_krbprincipalkey: avoid double free

  • Require Dogtag 10.6.7-3

  • Use tasks.install_master() in external_ca tests

  • Keep Dogtag’s client db in external CA step 1

  • Improve Python configuration for LGTM

  • Add Coverity Scan target

  • Replace hard-coded interpreter with sys.executable

  • Don’t abuse strncpy() length limitation

  • Fix ipadb_multires resource handling

  • Add lgtm.yml to analyze C code with LGTM

  • Fix zonemgr encoding issue

  • Py3: Replace six.moves imports

  • Lint yaml and RPM spec

  • Py3: Replace six.bytes_type with bytes

  • Py3: Replace six.text_type with str

  • Py3: Replace six.integer_types with int

  • Py3: Replace six.string_types with str

  • Require sssd-ipa instead of sssd meta pkg

  • Py3: Remove subclassing from object

  • Sprinkle raw strings across the code base

  • Workaround for pyasn1 0.4

  • Remove Python 2 support and packages

  • Don’t check for systemd service

  • Refactor os-release and platform information

  • Generate scripts from templates

  • Rename Python scripts and add dynamic shebang

  • Detect and prefer platform Python

  • Disable DL0 specific tests

  • Rename pytest_plugins to ipatests.pytest_ipa

  • Add convenient template for temp commits

  • Fix topology configuration of nightly runs

Diogo Nunes (3)

  • Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.

  • PR-CI: Add gating tests to nightly_[master, f28, rawhide]

  • PR-CI: Move to Fedora 29 template, version 0.2.0

Felipe Barreto (1)

  • Making nightly test definition editable by FreeIPA’s contributors

François Cami (18)

  • ipaplatform: add more services

  • ipatests: add nfs tests

  • ipaserver/install/cainstance.py: unlink before creating new file in /tmp

  • ipaserver/install/krainstance.py: chown after write

  • ipatests: Exercise hidden replica feature

  • ipa-{server,replica}-install: add too-restrictive mask detection

  • ipatests: add too-restrictive mask tests

  • ipa-client-automount: fix PEP8 issues

  • ipatests: remove all occurrences of osinfo.version_id

  • pylintrc: ignore R1720 no-else-raise errors

  • ipa-client-automount: handle NFS configuration file changes

  • ipa-server-install: fix ca setup when fs.protected_regular=1

  • ipatests: add a test for ipa-client-automount

  • ipa-client-automount: use nfs-utils unit

  • Fix NFS unit names

  • Add a “Find enabled services” ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.

  • Add a shared-vault-retrieve test

  • Add sysadm_r to default SELinux user map order

William Brown (1)

  • Support the 1.4.x python installer tools in 389-ds

Florence Blanc-Renaud (77)

  • ipactl restart: fix wrong logic when checking service list

  • Fix wrong evaluation of attributes in check_repl_update

  • ipa-client-install: autodiscovery must refuse single-label domains

  • ipa-setup-kra: fix python2 parameter

  • ipa-server-upgrade: fix add_systemd_user_hbac

  • ipa-replica-manage: fix force-sync

  • Coverity: fix issue in ipa_extdom_extop.c

  • XML RPC test: fix test_automember_plugin

  • ipa server: prevent uninstallation if the server is CRL master

  • Test: add new tests for ipa-crlgen-manage

  • CRL generation master: new utility to enable|disable

  • test: add non-reg test checking pkinit after server install

  • pkinit setup: fix regression on master install

  • tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

  • tests: mark xfail for test_selinux_user_optimized on fed<=28

  • Tests: fix option name for dsctl

  • ipatests: add test for replica in forward zone

  • replica installation: add master record only if in managed zone

  • ipatests: add integration test for pkinit enable on replica

  • pkinit enable: use local dogtag only if host has CA

  • replica install: set the same master as preferred source for domain and CA

  • replication: check remote ds version before editing attributes

  • ipatests: fix test_full_backup_and_restore

  • ipatests: fix TestUpgrade::test_double_encoded_cacert

  • PKINIT: fix ipa-pkinit-manage enable|disable

  • ipatest: add test for ipa-pkinit-manage enable|disable

  • ipatests: add upgrade test for double-encoded cacert

  • ipa upgrade: handle double-encoded certificates

  • ipatests: add xmlrpc test for user|host-find --certificate

  • ipaldap.py: fix method creating a ldap filter for IPACertificate

  • ipatests: add missing tests for test_replica_promotion.py

  • ipatests: add missing tests for test_installation.py

  • ipatests: add missing tests for test_external_ca.py

  • ipatests: add test for ipa-replica-install options

  • ipa-replica-install: password and admin-password options mutually exclusive

  • ipatests: fix test_replica_uninstall_deletes_ruvs

  • freeipa.spec.in: add BuildRequires for python3-lib389

  • ipatests: add missing tests in test_backup_and_restore.py

  • Revert “temp commit: run test_integration/test_caless.py::TestCertInstall”

  • temp commit: run test_integration/test_caless.py::TestCertInstall

  • ipatests: update tests for ipa-server-certinstall

  • ipatests: add missing tests for test_caless

  • ipatests: add integration test for “Read radius servers” perm

  • radiusproxy: add permission for reading radius proxy servers

  • tests: add xmlrpc test for ipa user-add --radius-username

  • ipa user-add: add optional objectclass for radius-username

  • ipatests: fix CA less expectations

  • Nightly tests: add test_user_permissions.py

  • ipatest: add functional test for ipa-backup

  • ipa-backup: restart services before compressing the backup

  • ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad

  • ipatests: fix path in expected error message

  • Bump requires 389-ds-base

  • ipatests: mark known failures as xfail

  • ipa tests: CA less

  • certdb: provide meaningful err msg for wrong PIN

  • ipatests: remove TestReplicaManageDel (dl0)

  • ipatests: mark known failure for installation_TestInstallWithCA2

  • ipa-server-upgrade: fix inconsistency in setup_lightweight_ca_key_retrieval

  • Tests: remove dl0 tests from nightly definition

  • ipatests: mark known failures as xfail

  • tests: add test for uninstall with incomplete sysrestore.state

  • authselect: harden uninstallation of ipa client

  • ipa-advise: configure pam_cert_auth=True for smart card on client

  • Test: scenario replica install/uninstall should restore ssl.conf

  • ipa-replica-install: properly use the file store

  • Tests: test successful PKINIT install on replica

  • ipa-replica-install: fix pkinit setup

  • tests: add test for server install with --no-dnssec-validation

  • ipa-server-install: do not perform forwarder validation with --no-dnssec-validation

  • DS replication settings: fix regression with <3.3 master

  • Test: test ipa-* commands when IPA is not configured

  • ipa commands: print ‘IPA is not configured’ when ipa is not setup

  • ipautil.run: add test for runas parameter

  • uninstall -v: remove Tracebacks

  • PRCI: extend timeouts for gating

  • Tests: add integration test for password changes by dir mgr

Francisco Trivino (2)

  • prci_definitions: Add nightly flow for pki dep testing

  • prci_definitions: update vagrant memory topology requirements

Fraser Tweedale (16)

  • Fix installation when CA subject DN has escapes

  • cert-request: handle missing zone

  • cert-request: more specific errors in IP address validation

  • Add tests for cert-request IP address SAN support

  • cert-request: report all unmatched SAN IP addresses

  • cert-request: generalise _san_dnsname_ips for arbitrary cname depth

  • cert-request: collect only qualified DNS names for IPAddress validation

  • cert-request: restrict IPAddress SAN to host/service principals

  • certupdate: add commentary about certmonger behaviour

  • certdb: validate certificate signatures

  • Print correct subject on CA cert verification failure

  • certdb: ensure non-empty Subject Key Identifier

  • rpc: always read response

  • ipaldap: avoid invalid modlist when attribute encoding differs

  • Restore KRA clone installation integration test

  • Fix writing certificate chain to file

Ganna Kaihorodova (1)

  • Add check for occurring traceback during uninstallation ipa master

Michal Reznik (8)

  • bump PRCI template version to 0.1.9

  • add strip_cert_header() to tasks.py

  • tests: sssd_ssh fd leaks when user cert converted into SSH key

  • bump PRCI template version to 0.1.8

  • Add “389-ds-base-legacy-tools” to requires.

  • test: client uninstall fails when installed using non-existing hostname

  • ipa_tests: test ssh keys login

  • prci_definitions: fix wrong indentation in the nightly yaml

Varun Mylaraiah (4)

  • nightly_rawhide.yaml Added test_integration/test_ntp_options.py

  • nightly_master.yaml Added test_integration/test_ntp_options.py

  • ipatests: add tests for NTP options usage on server, replica, and client

  • Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418

Mohammad Rizwan Yusuf (6)

  • ipatests: check if username are not optimized out in semanage context

  • Check if issuer DN is updated after external-ca > self-signed

  • Test error when yubikey hardware not present

  • Test KRA installation after ca agent cert renewal

  • Test if WSGI worker process count is set to 4

  • Check if user permissions and umask 0022 is set when executing ipa-restore

Oleg Kozlov (5)

  • Show a notification that sssd needs restarting after idrange-mod

  • Remove stale kdc requests info files when upgrading IPA server

  • Replace nss.conf with zero-length file instead of removing

  • Check pager’s executable before subprocess.Popen

  • Check have packages for extra features been installed before restoring backup

Orion Poplawski (1)

  • ipaclient-install: chmod needs octal permissions

Peter Keresztes Schmidt (1)

  • README: Update link to freeipa-devel archive

Pavel Picka (3)

  • PRCI failures fix

  • PR-CI extend timeouts

  • WebUI Tests stabilize

Petr Vobornik (4)

  • ipa-advise: update url of cacerdir_rehash tool

  • webui: readable color of invalid fields on login-screen-like pages

  • webui: remove mixed indentation in App and LoginScreen

  • webui: change indentation of freeipa/_base/debug.js

Rob Crittenden (27)

  • Add interactive prompt for the LDAP bind password to ipa-getkeytab

  • Send only the path and not the full URI to httplib.request

  • Update mod_nss cipher list so there is overlap with a 4.x master

  • tests: Don’t provide explicit hostname to ldapmodify

  • Remove 389-ds templates now that lib389 is used for installs

  • Add support for multiple certificates/formats to ipa-cacert-manage

  • Add tests for ipa-cacert-manage install

  • Enable replica install info logging to match ipa-server-install

  • Demote log message in custodia _wait_keys to debug

  • Pass a list of values into add_master_dns_records

  • Collect the client and server uninstall logs in tests

  • Fix misleading errors during client install rollback

  • Remove the authselect profile warning if sssd was not configured.

  • Handle NTP configuration in a replica server installation

  • Remove tests which install KRA on replica w/o KRA on master

  • Enable LDAP debug output in client to display TLS errors in join

  • Add entry for Serhii to mailmap

  • Fix identifier typo in UI

  • Add uninstallation tests to night master and rawhide

  • Fix uninstallation test, use different method to stop dirsrv

  • Try to resolve the name passed into the password reader to a file

  • Advise plugin for enabling sudo for members of the admins group

  • Update required version of dogtag to detect when FIPS is available

  • Retrieve certificate subject base directly instead of ipa-join

  • Honor no-host-dns when creating client host in replica install

  • Convert members into types in sudorule-*-option

  • Set development version to 4.7.90

Robbie Harwood (3)

  • Fix unnecessary usrmerge assumptions

  • Add cmocka unit tests for ipa otpd queue code

  • Clear next field when returning list elements in queue.c

Sumit Bose (2)

  • ipa-extdom-exop: add instance counter and limit

  • ipa_sam: remove dependency to talloc_strackframe.h

Stanislav Laznicka (7)

  • Use the newer way of removing the DS instance

  • DS install: don’t fail if SSL already configured

  • DS install: fix DS asking for NSS pin during install

  • DS uninstall: fix serverid missing in state restore

  • Move lib389 imports to module scope

  • Don’t try legacy installs

  • Remove some basic pystyle and pylint errors

Stanislav Levin (120)

  • Fix `inconsistent-return-statements` in ipa-dnskeysync-replica

  • Add missing deps for `make pylint`

  • Completely drop /var/cache/ipa/sessions

  • Don’t use cross-origin request

  • Move ipa’s systemd tmpfiles from /var/run to /run

  • Add title to ‘add’ dialog for ‘association_table’ widget of Topology entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Vaults entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Certificates entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of SELinux User Maps entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Sudo entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of HBAC entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Groups entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Services entity

  • Add title to ‘add’ dialog for ‘association_table’ widget of Hosts entity

  • Drop concatenated title of add dialog for association_table widget

  • Add title to ‘add’ dialog for details of ‘RBAC’ entity

  • Add title to ‘add’ dialog for details of ‘OTP Tokens’ entity

  • Add title to ‘add’ dialog for details of ‘Sudo’ entity

  • Add title to ‘add’ dialog for details of ‘HBAC’ entity

  • Add title to ‘add’ dialog for details of ‘ID Views’ entity

  • Add title to ‘add’ dialog for details of ‘Groups’ entity

  • Add title to ‘add’ dialog for details of ‘Services’ entity

  • Add title to ‘add’ dialog for details of ‘Hosts’ entity

  • Add title to ‘add’ dialog for details of ‘Users’ entity

  • Add title to ‘add’ dialog for details of ‘Certificate’ entity

  • Drop concatenated title of ‘Add’ dialog for details of entity

  • Add title to ‘add’ dialog for ‘Topology’ entity

  • Add title to ‘add’ dialog for ‘Trusts’ entity

  • Add title to ‘add’ dialog for ‘ID Ranges’ entity

  • Add title to ‘add’ dialog for ‘RBAC’ entity

  • Add title to ‘add’ dialog for ‘Vault’ entity

  • Add title to ‘add’ dialog for ‘DNS’ entity

  • Add title to ‘add’ dialog for ‘Automount’ entity

  • Add title to ‘add’ dialog for ‘Certificate Identity’ entity

  • Add title to ‘add’ dialog for ‘RADIUS’ entity

  • Add title to ‘add’ dialog for ‘Certificates’ entity

  • Add title to ‘add’ dialog for ‘Password Policies’ entity

  • Add title to ‘add’ dialog for ‘SELinux’ entity

  • Add title to ‘add’ dialog for ‘Sudo’ entity

  • Add title to ‘add’ dialog for ‘HBAC’ entity

  • Add title to ‘add’ dialog for ‘Automember’ entity

  • Drop concatenated title of ‘add’ dialog for ‘attribute_table’ widget

  • Add title to ‘add’ dialog for ‘ID Views’ entity

  • Add title to ‘add’ dialog for ‘Groups’ entity

  • Add title to ‘add’ dialog for ‘Service’ entity

  • Add title to ‘add’ dialog for ‘Host’ entity

  • Add title to ‘add’ dialog for ‘OTP’ entity

  • Add title to ‘add’ dialog for ‘Users’ entity

  • Drop concatenated title of ‘add’ dialog

  • Add jslint check to PR CI tests

  • Fix javascript ‘errors’ found by jslint

  • Add title to remove dialog of ‘DNS’ entity

  • Add title to ‘unprovision’ dialog

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Vault’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Topology’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘CA’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘SELinux’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Sudo’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘HBAC’ entity

  • Add title to ‘Remove’ dialog for ‘association_table’ widget of ‘Automember’ entity

  • Allow having a custom title of ‘Remove’ dialog for ‘attribute_table’ widget

  • Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Groups’ entity

  • Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Services’ entity

  • Add title to ‘remove’ dialog for ‘association_table’ widget of ‘Hosts’ entity

  • Drop concatenated title of remove dialog

  • Fix loading ‘freeipa/text’ at production mode

  • Add a title to ‘remove’ dialog for details of ‘Trusts’ entity

  • Add a title to ‘remove’ dialog for details of ‘RBAC’ entity

  • Add a title to ‘remove’ dialog for details of ‘OTP Tokens’ entity

  • Add a title to ‘remove’ dialog for details of ‘Sudo’ entity

  • Add a title to ‘remove’ dialog for details of ‘HBAC’ entity

  • Add a title to ‘remove’ dialog for details of ‘Groups’ entity

  • Add a title to ‘remove’ dialog for details of ‘Services’ entity

  • Add a title to ‘remove’ dialog for details of ‘Hosts’ entity

  • Add a title to ‘remove’ dialog for details of ‘Users’ entity

  • Drop concatenated title of remove dialog

  • Add title to remove dialog of ‘Trusts’ entity

  • Add title to remove dialog of ‘Topology’ entity

  • Add title to remove dialog of ‘ID Ranges’ entity

  • Add title to remove dialog of ‘RBAC’ entity

  • Add title to remove dialog of ‘DNS’ entity

  • Add title to remove dialog of ‘Automount Locations’ entity

  • Add title to remove dialog of ‘Certificate Identity Mapping Rules’ entity

  • Add title to remove dialog of ‘RADIUS Servers’ entity

  • Add title to remove dialog of ‘OTP Tokens’ entity

  • Add title to remove dialog of ‘Certificates’ entity

  • Add title to remove dialog of ‘Password Policies’ entity

  • Add title to remove dialog of ‘SELinux User Maps’ entity

  • Add title to remove dialog of ‘Sudo’ entity

  • Add title to remove dialog of ‘HBAC’ entity

  • Add title to remove dialog of ‘Automember’ entity

  • Add title to remove dialog of ‘ID Views’ entity

  • Add title to remove dialog of ‘Groups’ entity

  • Add title to remove dialog of ‘Services’ entity

  • Add title to remove dialog of ‘Hosts’ entity

  • Add title to remove dialog of ‘Users’ entity

  • Drop concatenated title of remove dialog

  • Add tests for LoginScreen widget

  • Add “bounce” logic from “reset_password.js”

  • Fix translations of messages in LoginScreen widget

  • Clean up reset_password.js file from project

  • Use “login” plugin instead of standalone JS file

  • Add “reset_and_login” view to LoginScreen widget

  • Replace the direct URL with config’s one

  • Add basic tests to web pages which are located at /ipa/config/

  • Fix translation of “ssbrowser.html” Web page

  • Fix translation of “unauthorized.html” Web page

  • Fix render validation items on keypress event at login form

  • Reindex ‘key_indicies’ after item delete

  • Fix “get_key_index” to fit caller’s expectations

  • Add basic tests for “migration” end point

  • Clean up migration “error” and “invalid” pages from project

  • Provide translatable messages for MigrateScreen widget

  • Integrate “migration” page to IPA Web framework.

  • Return the result of “password migration” procedure

  • Add “migrate” Web UI plugin

  • Add MigrateScreen widget

  • Fix translation of “SyncOTPScreen” widget

  • Fix translation of “sync_otp” plugin

  • Replace the direct URL with config’s one

Sergey Orlov (17)

  • ipatests: new tests for ipa-winsync-migrate utility

  • ipatests: refactor test_trust.py

  • ipatests: adapt test_trust.py for changes in multihost fixture

  • ipatests: allow AD hosts to be placed in separate domain config objects

  • ipatests: relax requirements for time server quality

  • ipatests: fix expectations of `ipa trust-find` output for trust with root domain

  • ipatests: in test_trust.py fix parent class

  • ipatests: disable bind dns validation when preparing to establish AD trust

  • ipatests: in test_trust.py fix parameters in invocation of tasks.configure_dns_for_trust

  • Revert “Tests: Remove DNS configuration from trust tests”

  • ipatests: fix host name for ssh connection from controller to master

  • ipatests: add test for correct modlist when value encoding differs

  • ipatests: fix ldap server url

  • Remove obsolete tests from test_caless.py

  • Remove unused tests

  • ipatests: add test for ipa-restore in multi-master configuration

  • ipatests: add test for ipa-advise for enabling sudo for admins group

Serhii Tsymbaliuk (53)

  • Replace logo images with new one (version 4.7)

  • Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone

  • WebUI test: Fix automember tests according to new behavior

  • Web UI: Increase timeouts for UI tests in Nightly PR configuration

  • Fix test_arbitrary_certificates for Web UI

  • Web UI tests: Get rid of *_cert_path and *_csr_path config variables

  • Fix certificate revocation tests for Web UI

  • Split test_webui_hosts PRCI tests

  • Fix “Configured size limit exceeded” warning on Web UI

  • WebUI: Temporary fix for UnexpectedAlertPresentException

  • Fix “ID views” tests fail after running “Automember” tests

  • Fix nightly PR CI configuration for Web UI tests

  • Split Web UI test suite in nightly PR CI configuration

  • Increase memory size for ipaserver topology (nightly-master.yaml)

  • WebUI tests: Make possible to use kwargs with @screenshot decorator

  • UI tests for “Automount”: check dialog confirmation using ENTER

  • UI tests for “Automount”: check some negative cases

  • UI tests for “Automount”: check indirect map duplication

  • UI tests for “Automount”: check creating automount key without some fields

  • UI tests for “Automount”: check creating indirect automount map without some fields

  • UI tests for “Automount”: Fix item deleting

  • UI tests for “Automount”: check modifying map and key settings

  • UI tests for “Automount”: check “Add Automount…” dialogs

  • UI tests for “Automember”: Extend search cases

  • UI tests for “Automember”: Negative cases

  • UI tests for “Automember”: check setting default user/host group

  • UI tests for “Automember”: check creating and deleting of automember rule conditions

  • UI tests for “Automember”: check creating and deleting of multiple rules

  • UI tests for “Automember”: check search filter

  • UI tests for “ID Range”: Clean unnecessary Python2 compatible code constructions

  • UI tests for “ID Range”: check deleting primary local range

  • UI tests for “ID Range”: check creating ID Range with overlapping of primary and secondary RID base

  • UI tests for “ID Range”: - check creating ID range with special characters in name - check modifying ID range with existing secondary RID base

  • UI tests for “ID Range”: check modifying ID range with invalid or missing values

  • UI tests for “ID Range”: check adding range with overlapping of existing local range

  • UI tests for “ID Range”: check primary RID base duplication

  • UI tests for “ID Range”: check adding range without primary and secondary RID bases

  • UI tests for “ID Range”: check range name and base ID duplication

  • Change Web UI tests setup flow

  • Fix UI_driver.has_class exception. Handle situation when element has no class attribute

  • Increase some timeouts in Web UI tests

  • Remove unnecessary session clearing in some Web UI tests

  • Add cookies clearing for all Web UI tests

  • Generate CSR for test_host::test_certificates (Web UI test)

  • Add SAN extension for CSR generation in test_cert (Web UI tests)

  • Fix unpermitted user session in test_selfservice (Web UI test)

  • Fix test_user::test_login_without_username (Web UI test)

  • Use random realmdomains in test_webui/test_realmdomains.py

  • Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)

  • Increase request timeout for WebUI tests

  • Use random IPs and domains in test_webui/test_host.py

  • Fix hardcoded CSR in test_webui/test_cert.py

  • Replace old login screen logo with new one

sudharsanomprakash (1)

  • Don’t use deprecated Apache Access options.

Thierry Bordaz (1)

  • In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange

Tibor Dudlák (5)

  • Support interactive prompt for ntp options

  • Fix test_ntp_options to use tasks’ methods

  • Do not set ca_host when --setup-ca is used

  • Add assert to check output of upgrade

  • Re-open the ldif file to prevent error message

Thomas Woerner (56)

  • Extend test for orphan automember rules (issue/6476)

  • Enable firewall in the tests for PR CI

  • ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec

  • ipatests/test_integration/test_replica_promotion.py: Fix firewall config

  • ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall

  • ipatests integration/tasks.py: Honor clean for firewall in uninstall_master

  • ipatests/test_integration/test_replica_promotion.py: Configure firewall

  • ipatests/test_integration/test_dnssec.py: Enable dns firewall service

  • ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import

  • ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare

  • ipatests/pytest_ipa/integration/tasks.py: Configure firewall

  • New firewall support class in ipatests/pytest_ipa/integration/firewall

  • Fix resource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon

  • Fix resource leak in client/config.c get_config_entry

  • Update annobin to fix continuous-integration/travis-ci/pr issues

  • Find orphan automember rules

  • Remove DL0 specific code from ipatests/test_integration/test_caless.py

  • Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py

  • Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py

  • Remove replica_file knob from ipalib/install/service.py

  • Remove replica_file from ClientInstall class in ipaclient/install/client.py

  • Remove options.promote from install in ipaserver/install/server/install

  • Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER

  • Remove DL0 specific code from custodiainstance in ipaserver/install

  • Remove create_replica_config from installutils in ipaserver/install

  • Remove DL0 specific code from replicainstall in ipaserver/install/server

  • Remove DL0 specific code from __init__ in ipaserver/install/server

  • Remove DL0 specific code from ipa_replica_install in ipaserver/install

  • Remove unused promote arg in krbinstance.create_replica in ipaserver/install

  • Remove DL0 specific code from kra in ipaserver/install

  • Remove DL0 specific code from dsinstance ipaserver/install

  • Remove DL0 specific code from ipa_kra_install in ipaserver/install

  • Remove DL0 specific code from cainstance and ca in ipaserver/install

  • Remove DL0 specific code from ipa-ca-install

  • Remove ipa-replica-prepare script and man page

  • Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug

  • replicainstall: Make sure that domain fulfills minimal domain level requirement

  • ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel

  • ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum

  • ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile import

  • ipatests: Drop test_password_option_DL0

  • Move DL0 raises outside if existing conditionals to calm down pylint

  • Remove “at DL1” from ipa-server-install man page

  • Remove “at DL1” from ipa-replica-manage man page

  • Remove DL0 specific sections from ipa-replica-install man page

  • Remove support for replica_file option from ipa-kra-install

  • Remove support for replica_file option from ipa-ca-install

  • Raise error if DL is set to 0 or DL0 options are used

  • Mark replica_file option as deprecated

  • Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1

  • Do not install ipa-replica-prepare

  • ipaclient: Remove --no-sssd and --no-ac options

  • ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X

  • httpinstance: Restore SELinux context of session_dir /etc/httpd/alias

  • ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound

  • Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)