The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1!
It can be downloaded from http://www.freeipa.org/page/Downloads. At this point, we do not plan to provide releases for Fedora 33 or earlier versions because of the large number of changes coming with the FreeIPA 4.9 series.
Highlights in 4.9.0 release candidate 1
298: [RFE] Add support for cracklib to password policies
The FreeIPA password quality checking plugin has been extended to use the libpwquality library. Password policies can now check for reuse of the user name, dictionary words (using the cracklib package), number and symbol replacement, and repeating characters in passwords.
2445: [RFE] IdM password policy should include checks for repeating characters
The FreeIPA password quality checking plugin has been extended to use the libpwquality library. Password policies can now check for reuse of the user name, dictionary words (using the cracklib package), number and symbol replacement, and repeating characters in passwords.
3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.
3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in Web UI
3999: [RFE] Fix and Document how to set up Samba File Server with IPA
Samba file server can now be configured on the FreeIPA-enrolled system to provide file services to users in IPA domain and to users from trusted Active Directory forests
4751: Implement ACME certificate enrolment
Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the dogtag CA.
5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
5608: [RFE] Add Dogtag configuration extensions
5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI that prevents applying custom ID views to masters, to avoid confusion and unintended side effects.
5948: [RFE] Implement pam_pwquality featureset in IPA password policies
6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: ‘ipa hostgroup-mod group-name --rename new-name’. Protected hostgroups (‘ipaservers’) cannot be renamed.
7137: [RFE]: Able to browse different links from IPA web gui in new tabs
7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases.
7522: Disable cert publishing in dogtag
Dogtag certificate publishing facility is not configured anymore as it is not used in FreeIPA.
7577: [RFE] DNS package check should be called earlier in installation routine
The ``--setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.
7695: ipa service-del should display principal name instead of Invalid ‘principal’.
When deleting services, report exact name of a system required principal that couldn’t be deleted.
7966: Add support for JSON-RPC in ipa-join
The ipa-join tool now uses the JSON-RPC protocol by default when communicating with IPA masters. The choice of JSON-RPC or XML-RPC is now a compile-time setting.
7971: [RFE] Include hint for replication_wait_timeout if timeout fails
8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms, update-ca-certificates does not support multiple certificates in a single file. IPA installers now write an individual file for each certificate on Debian-based platforms.
8114: [RFE] Delegate group membership management
It is now possible to associate group managers with the groups. Group managers have rights to add and remove members of the individual group rather than being administrators for every group.
8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the local replica’s roles match those used in the cluster and exits with a warning if this is not the case, as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double-check that the host on which backups are run has all the necessary (used) roles.
8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.
8233: 4.8.5 master Installation error
On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart wasn’t actually needed and thus was removed.
8236: Enforce a check to prevent adding objects from IPA as external members of external groups
The command ‘ipa group-add-member’ allowed any user or group to be specified for the ‘--external’ option. A stricter check was added to verify that a group or user to be added as an external member does not come from the IPA domain.
8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1.
8241: Build fails on Fedora 30
SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions.
8268: Prevent use of too long passwords
Kerberos tools limit a password entered in the kpasswd or kadmin tools to 1024 characters but do not make it possible to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.
8275: Support systemd-resolved
FreeIPA DNS servers now detect systemd-resolved and configure it to pass through itself.
8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The “Default System Accounts Password Policy” has a minimum password length in case the password is directly modified with LDAP.
8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
Service delegation rules and targets now allow hosts to be specified as a rule’s or a target’s member principal.
8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.
8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc.) to have quoted attributes. An ACI that contains unquoted parameters is otherwise ignored. Default FreeIPA access controls were fixed to follow the 389-ds syntax. Any third-party ACIs need to be updated manually.
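An added example (not FreeIPA or 389-ds code) of a check that can be run over third-party ACI strings before upgrading: it flags every target* clause whose value does not start and end with a double quote. The sample ACIs are constructed, and matching keywords by the prefix `targ` is an assumption made here to cover the keywords the ticket calls target*.

```python
import re

# keyword, operator, value of one target clause, e.g.  targetattr = "cn || sn"
# Assumption: every keyword of interest starts with "targ".
CLAUSE_RE = re.compile(r'^\s*(targ[a-z_]*)\s*(!?=)\s*(.*?)\s*$', re.I | re.S)


def split_target_clauses(aci):
    """Return the top-level "(...)" clauses that precede "(version ...)".

    Parentheses inside double quotes are ignored, so a quoted LDAP filter
    such as "(objectclass=person)" does not confuse the depth counter.
    """
    clauses, depth, start, in_quote = [], 0, 0, False
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == '(':
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ')' and depth > 0:
            depth -= 1
            if depth == 0:
                body = aci[start:i]
                if body.lstrip().lower().startswith('version'):
                    break  # target section is over, the rule body follows
                clauses.append(body)
    return clauses


def unquoted_targets(aci):
    """Return the target* keywords in `aci` whose value is not double-quoted."""
    bad = []
    for clause in split_target_clauses(aci):
        m = CLAUSE_RE.match(clause)
        if m is None:
            continue  # not a target* clause
        keyword, _operator, value = m.groups()
        quoted = len(value) >= 2 and value.startswith('"') and value.endswith('"')
        if not quoted:
            bad.append(keyword.lower())
    return bad


def audit(acis):
    """Map each ACI name to its unquoted keywords, skipping clean ACIs."""
    report = {}
    for name, aci in acis.items():
        bad = unquoted_targets(aci)
        if bad:
            report[name] = bad
    return report


# Constructed sample ACIs (names, DNs and rule text are made up).
SAMPLE_ACIS = {
    "quoted": (
        '(targetattr = "cn || sn")(targetfilter = "(objectclass=person)")'
        '(version 3.0; acl "example: read names"; '
        'allow (read,search) userdn = "ldap:///all";)'
    ),
    "unquoted-attr": (
        '(targetattr = cn)'
        '(version 3.0; acl "example: legacy"; '
        'allow (read) userdn = "ldap:///self";)'
    ),
    "unquoted-filter": (
        '(targetattr = "userPassword")'
        '(targetfilter = (objectclass=posixaccount))'
        '(version 3.0; acl "example: mixed"; '
        'allow (write) groupdn = "ldap:///cn=admins,dc=example,dc=test";)'
    ),
}

if __name__ == "__main__":
    for name, keywords in audit(SAMPLE_ACIS).items():
        print(f"{name}: unquoted value for {', '.join(keywords)}")
```

Feed it the values of the `aci` attribute from entries that carry locally added access controls; any ACI it reports is one that 389-ds 1.4 would ignore until the value is quoted.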
8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
ipa-client-install now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting “ChallengeResponseAuthentication yes” takes precedence.
8315: [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.
8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.
8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not allow arbitrary code to be passed into the affected jQuery path, but we applied the jQuery fix anyway.
8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.
8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This makes it possible for 3rd-party plugins to supply a full set of managed permissions.
8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.
8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.
8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults; moreover, the man page for the configuration file was present.
8401: Create platform definitions for freeipa-container
ipaplatform now provides container platform flavors for freeipa/freeipa-container
8404: Detect and fail if not enough memory is available for installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.
8444: EPN: enhance input validation
Various input validation checks were added to EPN.
8445: EPN: ‘[Errno 111] Connection refused’ when the SMTP is down
EPN now displays a proper message if the configured SMTP server cannot be contacted.
8449: EPN: enhance CLI option tests
EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.
8488: SELinux blocks custodia key replication / retrieval for sub-CAs
SELinux: Make sure ipa_custodia_t has the necessary rights; add dedicated policy rules for ipa-pki-retrieve-key.
8490: It is not possible to edit KDC database when the FreeIPA server is running
kadmin.local command ‘getprincs’ is now supported
8493: Synchronize index LDIF and index update files
Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domains operations. Performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.
8503: pkispawn logs files are empty
On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with --debug to revert to the previous behavior.
8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
Support reproducible builds for jQuery library
8510: create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
Sometimes, requesting a TGT after a password reset fails because SSSD seems to select different hosts for these two sequential tasks, leaving no time for replication to replicate the password hashes. Add debug information to the test suites that exhibit the problem and always display the kdcinfo file maintained by SSSD that contains the KRB5KDC IP it should be pinned to.
8530: Running ipa-server-install fails on machine where libsss_sudo is not installed
The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself.
Enhancements
Known Issues
8240: KRA install fails if all KRA members are Hidden Replicas
If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.
Bug fixes
FreeIPA 4.9.0 release candidate 1 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 350 bug-fixes since FreeIPA 4.8.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
#298 (rhbz#587752) [RFE] Add support for cracklib to password policies
#2018 (rhbz#1703564) Change hostname length limit to 64
#2445 (rhbz#798359) [RFE] IdM password policy should include checks for repeating characters
#3473 Switch to using RESTful interface in dogtag CA interface
#3687 (rhbz#913799) [RFE] IPA user account expiry warning.
#3827 [RFE] Expose TTL in web UI
#3999 (rhbz#837604) [RFE] Fix and Document how to set up Samba File Server with IPA
#4751 (rhbz#1851835) Implement ACME certificate enrolment
#4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled
#5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI
#5062 (rhbz#1229657) [WebUI] Unlock option is enabled for all user.
#5566 Permit creation of PTR records in non-.arpa master zones via the DNS UI
#5608 (rhbz#1405935) [RFE] Add Dogtag configuration extensions
#5628 webui: Unclear(UX) purpose of OTP field in password reset form on login
#5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters
#5879 (rhbz#1334619) Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
#5914 (rhbz#1298288) invalid setting of DS lock table size
#5948 (rhbz#1340463) [RFE] Implement pam_pwquality featureset in IPA password policies
#6115 (rhbz#1357495) ipa command provides stack trace when provided with single hypen commands
#6210 (rhbz#1364139, rhbz#1751951) When master’s IP address does not resolve to its name, ipa-replica-install fails
#6423 Validate cert requests in Dogtag
#6474 Remove ipaplatform dependency from ipa modules
#6708 Unused config options
#6783 (rhbz#1430365) [RFE] Host-group names command rename
#6843 (rhbz#1428690) ipa-backup does not create log file at /var/log/
#6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
#6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
#6891 (rhbz#1461914) Move FreeIPA SELinux policy from system policy to project policy
#6951 (rhbz#1449133) Update samba config file and use sss idmap module
#6964 (rhbz#1442413) IPA password policy has no password difference checking
#7125 (rhbz#1480102) ipa-server-upgrade failes with “This entry already exists”
#7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs
#7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
#7188 Issues after promoting one CA-less IPA server to CA-full
#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
#7305 (rhbz#1518153) PKINIT status not displayed in the web UI (IPA Server > Configuration)
#7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas
#7323 IPv6 hack for Travis CI
#7329 update_ra_cert_store does not remove private key from NSSDB
#7416 Uninstalling IPA requires on being in a existent working directory
#7522 Disable cert publishing in dogtag
#7534 (rhbz#1569011) Investigate failures to restore 389-ds attriubtes on upgrade failure
#7548 Need integration test for --external-ca-type=ms-cs
#7566 (rhbz#1591824) Installation of replica against a specific master
#7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine
#7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage
#7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents
#7610 ldapupdate.py users ldap.LOCAL_ERROR and other direct ldap exceptions while relying on ipaldap
#7630 (rhbz#1613015) ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
#7695 (rhbz#1623763) ipa service-del should display principal name instead of Invalid ‘principal’.
#7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
#7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace
#7810 [F28] Require NSS with fix for p11-kit issue.
#7816 (rhbz#1642395) [WebUI] not able to set a password for user as Active Directory Administrator user
#7870 (rhbz#1680039) [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”
#7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored
#7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
#7908 Write tests for interactive prompt for NTP options.
#7929 (rhbz#1712794) ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled
#7932 FreeIPA queries rely on missing attribute altsecurityidentities
#7933 FreeIPA must index certmap attributes.
#7938 ‘ipa dnszone-show/find’ should display “Dynamic Update” and “Bind update policy” by default
#7949 test_integration/test_nfs.py fails at cleanup
#7958 (rhbz#1782169) traceback in idview
#7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
#7966 Add support for JSON-RPC in ipa-join
#7971 (rhbz#1715961) [RFE] Include hint for replication_wait_timeout if timeout fails
#7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
#7987 Python shebang: Use isolated mode
#7989 Pytest4.2+ errors
#7991 Use profile-based renewal for system certificates
#7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf
#7996 `test_selinuxusermap_plugin` fails against not default SELinux settings
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8004 RHEL 8 uses nis-domainname instead of rhel-domainname
#8005 (rhbz#1729099) User field separator uses ‘$$’ within ipaSELinuxUserMapOrder
#8007 Not stable nodeids within pytest
#8008 Azure Pipeline slicing
#8009 Missing execution bit on `ipa-run-tests` within virtualenv
#8010 Extended Kerberos Ticket Policy
#8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
#8013 (rhbz#1731433) ipa service-find does not list cifs service created by ipa-client-samba
#8015 p11helper: insufficient logging when loading LIBSOFTHSM2_SO
#8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
#8019 (rhbz#1732524) repeated uninstallation of ipa-client-samba crashes
#8020 support AES in LWCA key replication
#8021 (rhbz#1732528) ipa-client-samba can not install samba after uninstallation
#8022 azure pipeline: fail if dnf builddep exits on failure
#8024 [WebUI] test_webui/test_trust.py failed because of request timeout
#8026 Update pr-ci definitions with master_3client topology
#8027 test_nfs.py: migrate to master_3client
#8029 (rhbz#1749788) ipa host-find --pkey-only includes SSH keys in output
#8030 azure pipelines fail at “Install prerequisites” of Tox job
#8031 (rhbz#1734369) HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
#8034 Existing p11-kit config file is not restored on uninstall
#8038 (rhbz#1740167) ipa-client-automount --uninstall is not restoring nsswitch.conf
#8040 (rhbz#1731963) ipa migrate-ds fails with internal error.
#8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
#8048 Travis-CI sometimes fails at dnf
#8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
#8053 [WebUI] Fix login screen loading issue in test_loginscreen
#8054 (rhbz#1746557) ipa-client-install calls “authselect select sssd --force” at uninstall time before restoring user-nsswitch.conf
#8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
#8056 (rhbz#1746882) BuildRequires is not compatible with %{_libdir}
#8057 (rhbz#1747895) Running ipa-server-install produces SyntaxWarning: “is not” with a literal. Did you mean “!=”?
#8062 Re-add configure_nsswitch_database, configure_nsswitch, … to ipaclient.install
#8063 Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::()::test_nsswitch_backup_restore_sssd
#8064 Request for IPA CI to enable DS audit/auditfail logging
#8066 (rhbz#1750242) Don’t use -t option to klist in adtrust code when timestamp is not needed
#8067 (rhbz#1750700) add default access control configuration to trusted domain objects
#8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
#8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
#8075 Don’t create log file for helper scripts
#8077 New pylint 2.4.0 errors
#8079 (rhbz#1754530) [Security] By default, DNS recursion is open, breaking best practices
#8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
#8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN
#8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.
#8094 Allow using of a custom OpenSSL engine for ISC BIND
#8097 ipa user-add-certmapdata is not able to add several entries correctly
#8098 Host principals lack ACI to look up DNS objects in LDAP
#8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8
#8101 Wrong pytest requirement in specfile
#8102 Pylint 2.4.3 + Astroid 2.3.2 errors
#8104 RFE: Disable Stale/Inactive Users - Upstream Design Document
#8105 (rhbz#1759281) getcert with -F option returns before cacert file is created
#8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
#8110 (rhbz#1768015) Enable AES SHA 256 and 384 Kerberos enctypes
#8111 (rhbz#1768959) [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode
#8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
#8114 [RFE] Delegate group membership management
#8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
#8116 Pylint parallel execution with custom plugin
#8118 Run smoke tests in FIPS mode
#8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
#8122 (rhbz#1773528) group-add-member-manager does not report errors
#8123 (rhbz#1773528) [WebUI] Finish group membership management UI
#8124 Add option to ipa-cacert-manage to delete certificates
#8125 (rhbz#1777809) Use default crypto policy for TLS and enable TLS 1.3 support
#8129 Tests: Replace paramiko with OpenSSH
#8131 (rhbz#1777920) covscan memory leaks report
#8133 check_client_configuration() no longer works with IPA_CONFDIR
#8134 ipa user-add is inefficient
#8135 (rhbz#1777806) When Service weight is set as 0 for server in IPA location “IPA Error 903: InternalError” is displayed
#8137 reinstall failed in adding delegation layout
#8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL
#8142 check Not Before / Not After in externally signed CA sanity check
#8143 service.ldap_disable() does not remove “enabledService”
#8144 test_nfs.py: umount.nfs4: /home: device is busy
#8148 (rhbz#1782587) add “systemctl restart sssd” to warning message when adding trust agents to replicas
#8149 (rhbz#1783046) SIDs of AD domains do not display in ipa-client-samba installer
#8150 (rhbz#1784003) IPA Server install fail
#8151 test_commands timing-out
#8153 (rhbz#1784761) Kerberos ticket policy reset does not reset per-indicator policies
#8157 NIghtly test failure in fedora-rawhide/test_webui_network
#8159 please migrate to the new Fedora translation platform
#8163 (rhbz#1782572) “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
#8169 NIghtly test failure in fedora-rawhide/test_webui_policy
#8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
#8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package
#8176 External CA is tracked for renewals and replaced with a self-signed certificate
#8179 Tests broken with python version < 3.7 (module ‘re’ has no attribute ‘Pattern’)
#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
#8189 (rhbz#1810179) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
#8190 (rhbz#1790886) ipa-client-automount fails after repeated installation/uninstallation
#8192 (rhbz#1665051) ipa-adtrust-install does not list service records for manual addition to DNS zone
#8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update
#8196 API: dnsrecord_del failure with empty list aaaarecord
#8200 (rhbz#1803786) ipa krb5kdc db: krb5kdc coredump
#8201 update ssbrowser.html
#8202 Azure: add support for multi-container tests
#8204 (rhbz#1810148) ipa-server-certinstall -> certmonger add_subject template-subject dbus ‘unable to set arguments’ a{sv}
#8207 Extend Web UI for Kerberos ticket policy to add authentication indicator support
#8214 Support for opendnssec 2.1.6
#8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles
#8219 ipatests: unify editing of sssd.conf
#8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy
#8222 Upgrade dojo.js
#8226 (rhbz#1813330) ipa-restore does not restart httpd
#8228 Nightly failure in backup/restore while calling ‘id admin’
#8233 4.8.5 master Installation error
#8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups
#8239 Actualize Bootstrap version
#8240 (rhbz#1816784) KRA install fails if all KRA members are Hidden Replicas
#8241 Build fails on Fedora 30
#8247 test_fips PR-CI templates have a too-short timeout
#8248 httpd ccaches created during server upgrade aren’t cleaned up on uninstall/install
#8251 [Azure] Catch coredumps
#8254 [Azure] ‘Tox’ task fails against Python3.8
#8261 [ipatests] Integration tests fail on non-firewalld distros
#8262 test_ipahealthcheck needs a higher timeout than 3600
#8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
#8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
#8266 test_webui_server requires a higher timeout than 3600
#8268 Prevent use of too long passwords
#8272 Use /run instead of /var/run
#8273 (rhbz#1834385) Man page syntax issue detected by rpminspect
#8275 (rhbz#1880628) Support systemd-resolved
#8276 Add default password policy for sysaccounts
#8283 Failures and AVCs with OpenDNSSEC 2.1
#8284 Upgrade jQuery version to actual one
#8287 named not starting after #8079, ipa-ext.conf breaks bind
#8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
#8290 API inconsistencies
#8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
#8297 Fix new pylint 2.5.0 warnings and errors
#8298 [WebUI] Cover membership management with UI tests
#8300 Replace uglify-js with python3-rjsmin
#8301 The value of the first character in target* keywords is expected to be a double quote
#8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
#8306 Adopt Black code style
#8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
#8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case
#8309 Convert ipaplatform from namespace package to regular package
#8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
#8312 Fix api.env.in_tree detection logic
#8313 Values of api.env.mode are inconsistent
#8315 (rhbz#1833266) [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
#8316 [Azure] Whitelist clock_adjtime syscall
#8317 XML-RCP and CLI tests depend on internal --force option
#8319 Support server referrals for enterprise principals
#8322 [RFE] Changing default hostgroup is too easy
#8323 [Build failure] Race: make po fails on parallel build
#8325 [WebUI] Fix htmlPrefilter issue in jQuery
#8326 CVE-2020-10747
#8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
#8330 [Azure] Build job fails on `tests` container preparation
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8336 [WebUI] “User attributes for SMB services” section always shown
#8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
#8339 [WebUI] User details tab headers don’t show member count when on settings tab
#8344 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
#8348 Allow managed permissions with ldap:///self bind rule
#8349 bind-9.16 and dnssec-enable
#8350 bind-9.16 and DLV
#8352 RPC API crashes when a user is disabled while a session exists
#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
#8358 TTL of DNS record can be set to negative value
#8359 [WebUI] dnsrecord_mod results in JS error
#8360 lite-server: Werkzeug deprecation warnings
#8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
#8363 DNS config upgrade code fails
#8364 Nightly test failure while establishing trust: Cannot find specified domain or server name
#8366 CA-less replica deployment fails with --setup-ca
#8367 IPA-EPN fails to build in ONLY_CLIENT mode
#8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts
#8369 cert_find returns “CA not configured” in CA-less install
#8370 ipa-join does not set nshardwareplatform and nsosversion
#8371 Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
#8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords
#8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
#8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall
#8378 CA validity past year 2038 breaks cert.py plugin on 32-bit platform
#8379 Nightly test failure [testing_master_pki] while installing CA replica
#8381 Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
#8383 Test with dnspython 2.0
#8384 Provide reliable way to know if a server installation is complete
#8388 Make help() on plugins more useful
#8391 Remove dnf workaround from test_epn.py
#8394 Nightly test failure in cert-related tests
#8395 selinux don’t audit rules deny fetching trust topology
#8396 [WebUI] Font type of “Enabled” column in user search facet wrong
#8399 certmonger attempts to add LWCA tracking requests on non-CA server.
#8400 sshd template file is installed in a wrong (server) location while used by the client side
#8401 Create platform definitions for freeipa-container
#8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
#8404 Detect and fail if not enough memory is available for installation
#8405 Don’t delegate full TGT in ipa-join
#8407 Support changelog integrated into main database
#8408 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_client_enrollment_by_unprivileged_user
#8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock
#8413 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
#8414 Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
#8416 [WebUI] Error while adding user ID overrides to group
#8419 Azure is reporting a slew of new no-member lint errors
#8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
#8428 [ipatests] fails due to new python-cryptography 3.0
#8429 Add fips-mode-setup to ipaplatform.paths
#8432 test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
#8435 [ipatests] failures due to new Pytest6.0 (pypi part)
#8437 unit tests for ipa-extdom-extop are failing in Fedora 33
#8439 Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate
#8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
#8442 [pylint] warnings/errors against pylint 2.5.3
#8443 ipa delegation-add can add permissions and attributes several times
#8444 (rhbz#1866291) EPN: enhance input validation
#8445 (rhbz#1863079) EPN: ‘[Errno 111] Connection refused’ when the SMTP is down
#8446 ipa dnszone-add ignores --name-from-ip option if name is given
#8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
#8449 (rhbz#1866291) EPN: enhance CLI option tests
#8456 Need new aci’s for the new replication changelog entries
#8458 auto-upgrade will never happen for existing installations
#8459 [upgrade] handle missing openssh-clients
#8461 [ALTLinux] server uninstall error on missing /var/lib/samba
#8463 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8464 Increase replication changelog trimming interval
#8468 [pylint] new warnings on dev branch
#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
#8473 Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
#8474 Mozilla’s NSS without DBM
#8475 Azure: tox task and virtualenv 20+
#8481 Nightly test failure in rawhide in tasks.configure_dns_for_trust
#8482 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
#8488 (rhbz#1868432) SELinux blocks custodia key replication / retrieval for sub-CAs
#8490 (rhbz#1875001) It is not possible to edit KDC database when the FreeIPA server is running
#8491 Unindexed searches in FreeIPA git master
#8493 Synchronize index LDIF and index update files
#8494 Azure Pipelines are broken due to docker compose tool upgrade
#8496 [Tracker] Multiple nightly test failures in test_dnssec
#8498 Check 3rd-party IPA server HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
#8501 Unify how FreeIPA gets FQDN of current host
#8502 Don’t create DirSRV SSCA
#8503 (rhbz#1879604) pkispawn logs files are empty
#8505 Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
#8507 [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
#8510 (rhbz#1881630) create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
#8511 The selinux subpackage does not have a requirement to match the server install
#8512 Import of psutil can trigger SELinux violation
#8513 (rhbz#1868432) SELinux module fails to load: Re-declaration of type node_t
#8515 (rhbz#1882340) nsslapd-db-locks patching no longer works
#8516 Nightly test failure (master) in ipa trust-add
#8518 Upgrade F32 to F33 fails in DNS upgrade code
#8519 Fedora container platform is incomplete
#8521 Speed up ipa-server-install
#8522 Remove cainstance.migrate_profiles_to_ldap()
#8523 Topology Graph returns Runtime Error
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8529 ipa-ca record incomplete when hostname is not in DNS
#8530 (rhbz#1859185) Running ipa-server-install fails on machine where libsss_sudo is not installed
#8533 Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply
#8535 (rhbz#1887928) RPM spec moves ssh server config to a snippet but does not ensure sshd_config includes the snippet
#8536 RFE: ipatests: run healthcheck on hidden replica
#8541 Nightly failure (fed33) in test_installation.py::TestInstallMaster::test_selinux_avcs
#8551 (rhbz#1784657) Unlock user accounts after a password reset and replicate that unlock to all IdM servers
#8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes
#8555 (rhbz#1340463) Nightly test failure in test_pwpolicy.py::test_pwpolicy::test_misc
#8558 Create backend entry before creating mapping tree entry for ipaca backend
#8559 Nightly test failure in test_trust.py::TestTrust::test_password_login_as_aduser
#8560 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8563 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
#8566 Subordinate suffixes aren’t treated as subordinate in trust to Active Directory (crash part)
#8567 (rhbz#1894800) IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
#8572 Nightly failure in test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica
#8573 Nightly failure in test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
#8578 EPN: SMTP client downgrade smtp_security from `starttls` to `none`
#8579 EPN: SMTP client doesn’t validate server certificate
#8580 EPN: SMTP client authentication by certificate
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8585 Compile warnings on rawhide
Detailed changelog since 4.8.10
Armando Neto (25)
ipatests: Update PRCI Fedora 32 templates commit
ipatests: Add nightly definitions for enforcing mode commit
ipatests: Bump PR-CI templates commit
ipatests: bump pr-ci templates commit
ipatests: bump pr-ci templates commit
ipatests: bump prci templates commit
ipatests: bump prci templates commit
prci: update templates for new Fedora release commit
Update instructions for Fedora 28 / FreeIPA 4.6.90 commit
prci: bump version for latest and previous templates commit
prci: Bump version of all templates commit
prci: update packages for rawhide nightly runs commit
ipatests: Skip test_sss_ssh_authorizedkeys method commit #8151
ipatests: Improve test_commands reliability commit
prci: bump template version for temp_commit and nightly_latest commit
prci: bump fedora release commit
prci: rename definitions files and jobs to change how fedora releases are referenced commit
prci: increase timeout argument for test_sssd.py commit
prci: increase timeout for jobs that required AD commit
prci: update packages for pki and testing nightly runs commit
Update definitions for nightly tests commit
prci: fix typo on nightly test definitions commit
prci: update test definitions commit
Alexander Bokovoy (140)
Become FreeIPA 4.9.0 release candidate 1 commit
Translations: update translations template commit
Add contributors from translations project at Weblate commit
Azure CI: mask chronyd in the container commit
spec: use pkgconf to find out krb5 version commit
Azure CI: use PPA to provide newer libseccomp version commit
Azure CI: use Ubuntu-20.04 image by default commit
ipa-acme-manage: use a cookie created for the communication with dogtag REST endpoints commit #8584
wgi/plugins.py: ignore empty plugin directories commit #8567
rpcserver: fix exception handling for FAST armor failure commit
rpcserver: fallback to non-armored kinit in case of trusted domains commit
pylint: remove unused variable commit
ipa-kdb: support subordinate/superior UPN suffixes commit #8554
Pre-populate IP addresses for the name server upgrades commit #8518
Specify memory limits as strings for docker compose commit #8494
ipa-kdb: support getprincs request in kadmin.local commit #8490
test_smb: make sure both smbserver and smbclient use IPA master for DNS commit #8344
Add new contributors commit
Add alternative email to the mailmap for myself commit
master: update po/ipa.pot commit
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437
selinux: support running ipa-custodia with PrivateTmp=yes commit #8395
selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395
handle Y2038 in timestamp to datetime conversions commit #8378
update list of contributors commit
Update translation files commit
ipatests: test that adding Active Directory user to a role makes it an administrator commit #8357
Web UI: allow users from trusted Active Directory forest manage IPA commit #8335
tests: account for ID overrides as members of groups and roles commit #7255
Support adding user ID overrides as group and role members commit #7255
idviews: handle unqualified ID override lookups from Web UI commit #7255
support using trust-related operations in the server console commit
Add design page for managing IPA resources as a user from a trusted Active Directory forest commit #7816, #8357
kdb: handle enterprise principal lookup in AS_REQ commit #8319
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset commit #8362
azure: do not run test_commands due to failures in low memory cases commit
test_smb: test S4U2Self operation by IPA service commit #8319
ipa-kdb: refactor principal lookup to support S4U2Self correctly commit #8319
ipa-kdb: add primary group to list of groups in MS-PAC commit #8319
ipa-kdb: Always allow services to get PAC if needed commit #8319
kdb: add minimal server referrals support for enterprise principals commit #8319
ipa-tests: add a test to make sure MS-PAC is produced by KDC commit #8319
ipa-print-pac: acquire and print PAC record for a user commit #8319
baseldap: de-duplicate passed attributes when checking for limits commit #8328
service delegation: allow to add and remove host principals commit #8289
WebUI: use python3-rjsmin to minify JavaScript files commit #8300
test_smb: test that we can auth as NetBIOS alias commit #8291
kdb: fix memory handling in ipadb_find_principal commit #8291
kdb: initialize flags in ipadb_delete_principal() commit #8291
Azure Pipelines: switch to Fedora 32 commit
Azure Pipelines: Override services known to not work in containers commit
Add pytest.skip_if_container() commit
CVE-2020-1722: prevent use of too long passwords commit #8268
Add ‘api’ and ‘aci’ targets to make commit
Remove Fedora repository fastmirror selection commit
ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
ipatests: test sysaccount password change with a password policy applied commit #7181
ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
Fix indentation levels commit
ipatests: always skip additional input for group-add-member --external commit #8236
po: update Chinese (China) translation commit
po: update Ukrainian translation commit
po: update Tajik translation timestamp commit
po: update Slovak translation timestamp commit
po: update Russian translation commit
po: update Portuguese (Brazil) translation timestamp commit
po: update Portuguese translation timestamp commit
po: update Polish translation commit
po: update Punjabi translation timestamp commit
po: update Dutch translation timestamp commit
po: update Marathi translation timestamp commit
po: update Kannada translation timestamp commit
po: update Japanese translation timestamp commit
po: update Indonesian translation timestamp commit
po: update Hungarian translation timestamp commit
po: update Hindi translation timestamp commit
po: update French translation commit
po: update Basque translation timestamp commit
po: update Spanish translation commit
po: update English (United Kingdom) translation timestamp commit
po: update German translation commit
po: update Czech translation timestamp commit
po: update Catalan translation timestamp commit
po: update Bengali translation timestamp commit
po: update ipa.pot template commit
Keep ipa.pot translation file in git for weblate commit #8159
Do not force any particular sphinx theme commit
Override master document for ReadTheDocs commit
Move workshop documents to doc/workshop commit
Add unit 11: Kerberos ticket policy commit
Prevent adding IPA objects as external members of external groups commit #8236
Secure AJP connector between Dogtag and Apache proxy commit #8221
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+ commit
kdb: make sure audit_as_req callback signature change is preserved commit #8200
adtrust: print DNS records for external DNS case after role is enabled commit #8192
Update Azure Pipelines to use Fedora 31 commit
install/updates: move external members past schema compat update commit #8193
ipa-client-samba: map domain sid of trust domain properly for display commit #8149
DNS install check: allow overlapping zone to be from the master itself commit
covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
covscan: free encryption types in case there is an error commit #8131
Add Authentication Indicator Kerberos ticket policy options commit #8001
Do not run trust upgrade code if master lacks Samba bindings commit #8001
Update contributors commit
Update translations commit
Add local helpers to handle unixid structure commit
adtrust: add default read_keys permission for TDO objects commit #8067
add default access control when migrating trust objects commit #8067
Mark failing test as xfail for use of python-dns make_ds method commit
Update contributors commit
Update translations commit
Add Theodor van Nahl to the Contributors.txt commit
Restore SELinux context for p11-kit config overrides commit #7810
Change RA agent certificate profile to caSubsystemCert commit
certmaprule: add negative test for altSecurityIdentities commit #7932
certmap rules: altSecurityIdentities should only be used for trusted domains commit #7932
Create indexes for altSecurityIdentities and ipaCertmapData attributes commit #7932, #7933
Add altSecurityIdentities attribute from MS-WSPP schema definition commit #7932, #7933
Use stage and phase attempt counters when saving test artifacts commit
Use any nodejs version instead of forcing a version before nodejs 11 commit
Fix rpmlint errors for Rawhide commit
Set git master to 4.9.0 commit
Changing IPA master back to git snapshots commit
Abhijeet (1)
Update workshop.rst commit
Alexandre Mulatinho (2)
Anuja More (18)
ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit
ipatests: xfail test with older versions of sssd commit
ipatests : Test to verify override_gid works with subdomain. commit
ipatests: xfail test with older versions of sssd commit
ipatests: Test that trusted AD users should not lose their AD domains. commit
Mark test to skip sssd-2.2.2 commit
ipatests: User and group with same name should not break reading AD user data. commit
ipatests: Added test when 2FA prompting configurations is set. commit
ipatests: SSSD should fetch external groups without any limit. commit
Update topology for test_integration/test_sssd.py commit
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
After mounting “Unspecified GSS failure” should not be in logs. commit
Add xmlrpc test with input validation check for kerberos ticket policy. commit
Fix fedora version for xfail for sssd test commit
Add integration test for otp kerberos ticket policy. commit #8001
ipatests: filter_users should be applied correctly. commit
ipatests : Login via ssh using private-key for ipa-user should work. commit
Extdom plugin should not return error (32)/’No such object’ commit #8044
Andika Triwidada (1)
Translated using Weblate (Indonesian) commit
Ariel O. Barria (1)
vagrant user does not have permission to write to /etc/resolv.conf commit
Alexander Scheel (3)
Peter Keresztes Schmidt (33)
WebUI: Unify adapter property definition for state evaluators commit #8336
WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336
ipa-backup/restore: remove remaining chdir calls commit #7416
ipa-join: extract common JSON-RPC response parsing to common function commit #8408
ipa-join: Generalize XML-RPC references in man page commit #7966
ipa-join: implement JSON-RPC based unenrollment commit #7966
ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function commit #7966
ipa-join: buffer curl response before parsing json commit #7966
ipa-join: improve curl error handling in JSON-RPC code commit #7966
ipa-join: don’t set TLS related curl options for JSON-RPC commit #7966
Populate nshardwareplatform and nsosversion during join operation commit #8370
WebUI: Fix rendering of boolean_status_formatter commit #8396
Unify spelling of “One-Time Password” commit
WebUI: reword OTP info message displayed during PW reset commit #5628
WebUI: move OTP to be the last field in the PW reset form commit #5628
Split named custom config to allow changes in options stanza commit #8287
po: remove zanata config since translation was moved to weblate commit #8159
Remove unused support for dm_password arg from ldapupdate.connect commit #7610
Use ipaldap exceptions rather than ldap error codes in LDAP updater commit #7610
Specify min and max values for TTL of a DNS record commit #8358
WebUI: Add units to some DNS zone and IPA config fields commit
WebUI: Refresh DNS record data correctly after mod operation commit #8359
WebUI: Use data adapter to load facet header data commit #8339
WebUI: Fix invalid RPC calls when link widget has no pkey passed commit #8338
Christian Heimes (181)
Easier to use ipa_gethostfqdn() commit
Update debug strings to reflect new calls commit
Remove problematic optimization from gethostfqdn() commit
Speed up cainstance.migrate_profiles_to_ldap commit #8521, #8522
Require(post) systemd with resolved enabled on F33 commit #8275
Use separate install logs for AD and DNS instance commit #8528
Verify freeipa-selinux’s ipa module is loaded commit
configure_dns_resolver: call self.restore_context commit #8518
Drop unused extended sleep feature from Sleeper commit #8521
Add more indices commit
Fix compiler warning in ipa-kdb commit
Fix compiler warnings in libotp commit
Fix compiler warning in ipa-pwd-extop commit
trust-add: Catch correct exception when chown SSSD commit #8516
Fix nsslapd-db-lock tuning of BDB backend commit #5914, #8515
Create systemd-resolved configuration on update commit
Configure NetworkManager to use systemd-resolved commit #8275
Make git a build requirement commit
Add User and Group to all ipaplatform.constants commit
Use new classes for run_command and Service commit
Add user and group wrappers commit
Simplify LDAPUpdater commit
Add ldap_update() helper to service class commit
Treat container subplatforms like main platform commit #8401
Explicitly pass keytab to ipa-join commit
Make tab completion in console more useful commit
Run test_fips in DS and PKI nightly commit
SELinux: Backport dirsrv_systemctl interface commit
RHEL 8.3 has KRB5 1.18 with KDB 8.0 commit
Terminology improvements: use block list commit
Terminology improvements: use allow list commit
Grammar: whitespace is a word commit
Terminology improvements: CA renewal commit
Build ipa-selinux package on RHEL 8 commit
Auto-generated ipa-epn files to gitignore commit
Overhaul bind upgrade process commit
More upgrade tests commit
Fix named.conf named_conf_include_re commit
Remove named_validate_dnssec update step commit
Fix named.conf update bug NAMED_DNSSEC_VALIDATION commit #8363
Include named config files in backup commit
Add ipa-print-pac to gitignore commit
Explain the effect of OPT_X_TLS_PROTOCOL_MIN commit
Use httpd 2.4 syntax for access control commit
Let GH auto-notify and auto-close stale PRs commit
Simplify pki proxy conf commit
Make check_required_principal() case-insensitive commit #8308
Make ipaplatform a regular top-level package commit #6474, #8309
Fix E721 do not compare types, use ‘isinstance()’ commit #8306
Fix E714 test for object identity should be ‘is not’ commit #8306
Fix E713 test for membership should be ‘not in’ commit #8306
Fix E266 too many leading ‘#’ for block comment commit #8306
Require Sphinx >2.1 commit
Fix /doc/workshop subtree merge commit
Create ipasphinx package for Sphinx plugins commit
Add skip_if_platform marker commit
Fix exception escape warning commit
Fix APIVersion.__getnewargs__ commit
Improve Sphinx building and linting commit
Add pytest OpenSSH transport with password commit
Add explicit syntax language to code blocks commit
Use m2r instead of recommonmark commit
Include workshop in sphinx build commit
Fix codestyle commit
Test documentation builds in Azure commit
Include design documentation commit
Introduce FreeIPA commit
Bootstrap Sphinx documentation commit
Move freeipa-selinux dependency to freeipa-common commit #6891
Integrate SELinux policy into build system commit
dnsrecord: Treat empty list arguments correctly commit #8196
Remove dependency on custodia package commit
lite-setup: configure lite-server test env commit
Add tracemalloc support to profile memory usage commit
Print LDAP diagnostic messages on error commit
Fix lite-server to work with GSS_NAME commit
Don’t run test_smb in gating tests commit
Don’t hard-code client’s TLS versions and ciphers commit #8125
FIPS: server key has different name in FIPS mode commit
Remove FIPS noise from SSHd commit
Add tests for member management commit
Don’t install a preexec_fn by default commit
Update comments to explain caSubsystemCert switch commit
Test external CA with DNS name constraints commit
Cédric Jeanneret (3)
Changmin Teng (5)
Daniel Lara Souza (1)
Translated using Weblate (Portuguese (Brazil)) commit
Dinesh Prasanth M K (1)
Adding auto COPR builds commit
Endi Sukma Dewata (1)
Removed hard-coded default profile subsystem class name commit
Emilio Herrera (1)
Translated using Weblate (Spanish) commit
François Cami (93)
ipatests: run freeipa-healthcheck on hidden replica commit #8536
SELinux: do not double-define node_t and pki_tomcat_cert_t commit #8513
SELinux Policy: Allow tomcat_t to read kerberos keytabs commit #8488
SELinux Policy: make interfaces for kernel modules non-optional commit #8488
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type commit #8488
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t commit #8488
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t commit #8488
SELinux Policy: let custodia_t map custodia_tmp_t commit #8488
SELinux: Add dedicated policy for ipa-pki-retrieve-key commit #8488
ipatests: test_epn: add test_EPN_connection_refused commit #8445
IPA-EPN: fix configuration file typo commit
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit
ipatests: test_epn: test_EPN_nbdays enhancements commit #8449
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd commit #8129
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: refactor commit #8129
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129
ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151
ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432
ipatests: xfail TestIpaClientAutomountFileRestore’s final test commit #8189
ipatests: remove dnf workaround from test_epn.py commit #8391
ipatests: display SSSD kdcinfo in test_adtrust_install.py commit
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374
ipatests: check that EPN’s configuration file is installed. commit #8374
man pages: fix epn.conf.5 and ipa-epn.1 formatting commit
ipatests: increase test_caless_TestReplicaInstall timeout commit #8377
.mailmap: add fcami commit
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py commit
tasks.py: add krb5_trace to create_active_user and kinit_as_user commit
tox.ini: switch from W503 to W504 commit
doc/Makefile: use sphinx-build -W by default commit
Makefile.am: add doclint to fastcheck commit
ipa-backup: Make sure all roles are installed on the current master. commit #8217
test_backup_and_restore: add server role verification steps commit #8217
ipatests: test ipa-backup with different role configurations. commit #8217
ipatests: test_replica_promotion.py: test KRA on Hidden Replica commit #8240
8-sudorule.rst: add sudo and su-l as services for bob’s HBAC rule. commit
ipatests: make sure ipa-client-automount reverts sssd.conf commit #8190
ipa-client-automount: call save_domain() for each change commit #8190
ipatests: expect “Dynamic Update” and “Bind update policy” in default dnszone* output commit #7938
ipaserver/plugins/dns.py: add “Dynamic Update” and “Bind update policy” to default dnszone* output commit #7938
ipatests: fix pr-ci templates’ indentation commit
adtrust.py: mention restarting sssd when adding trust agents commit #8148
ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore commit #8063
ipatests: temporarily remove test_smb from gating commit
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf) commit
ipapython/ipachangeconf.py: change “is not 0” for “!= 0” commit #8057
authconfig.py: restore user-nsswitch.conf at uninstall time commit #8054
ipatests: remove xfail in TestIpaClientAutomountFileRestore commit
ipa-client-automount: always restore nsswitch.conf at uninstall time commit #8038
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time commit
ipatests: rename config_replica_resolvconf_with_master_data() commit
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data() commit #7949
ipapython/admintool.py: use SERVER_NOT_CONFIGURED commit
ipatests: test ipa-client-samba after --uninstall commit
ipa-client-samba: remove and restore smb.conf only on first uninstall commit #8019
ipatests: test multiple invocations of ipa-client-samba --uninstall commit
ipatests/azure: display actual dnf repo URLs commit
Florence Blanc-Renaud (89)
ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating commit #8496
ipatests: ipa-acme-manage status returns 3 on a CA-less server commit #8572
ipatests: IPADNSSystemRecordsCheck also checks for AAAA records commit #8573
ipatests: curl outputs the cookie in stderr and not in stdout commit #8559
ipatests: properly handle journalctl return code commit #8541
rpmspec: ensure ipa snippet for sshd is always included commit #8535
ipatests: add tests to 389ds regression commit
test_smb: skip test_smb_service_s4u2self for fed31 commit #8505
ipatests: add missing healthcheck test in PRCI nightlies commit
ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately commit #8472
ipatests: remove xfail from test_dnssec commit
ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447
ipatests: collect IPA_RENEWAL_LOCK file commit
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck commit #8439
ipatests: check KDC cert permissions in CA less install commit #8440
CAless installation: set the perms on KDC cert file commit #8440
ipatests: increase test_trust timeout commit
ipa-client-install: use the authselect backup during uninstall commit #8189
Add test_dnssec to 389ds nightly tests commit
ipa cert-show: fix the code setting revocation reason commit #8394
Bump requires for selinux-policy commit
ipatests: fix the method adding ifp to sssd.conf commit #8371
Unify spelling of “One-Time Password” (take 2) commit #5628, #8381
ipa-client-install: use sshd drop-in configuration commit #8304
ipatests: Update the pki-master-f32 image version commit
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file commit #8366
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive commit #8366
ipatests: fix the disable_dnssec_validation method commit #8364
ipatests: Check if user with ‘User Administrator’ role can delete group. commit #6884
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found commit #8311
ipatests: wait for SSSD to become online in backup/restore tests commit #8228
xmlrpc tests: add a test for idview-apply on a master commit #5662
opendnssec2.1 support: move all ods tasks to specific file commit #8214
DnsSecMaster migration: move the call to zonelist export later commit #8214
Support OpenDNSSEC 2.1: new ods-signer protocol commit #8214
With opendnssec 2, read the zone list from file commit #8214
selinux policy: add the right context for org.freeipa.server.trust-enable-agent commit #7600
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
ipatests: add test for ipa-adtrust-install --add-agents commit #7600
ipa-adtrust-install: run remote configuration for new agents commit #7600
Privilege: add a helper checking if a principal has a given privilege commit #7600
ipatests: fix TestSubCAkeyReplication commit
Part2: Don’t fully qualify the FQDN in ssbrowser.html for Chrome commit #8201
ipatests: fix modify_sssd_conf() commit
ipatests: update packages for rawhide and updates-testing nightlies commit
AD user without override receive InternalServerError with API commit #8163
trust upgrade: ensure that host is member of adtrust agents commit
ipatests: fix test_crlgen_manage commit
ipatests: fix teardown commit
ipatests: generic uninstall should call ipa server-del commit #7985
Nightly definition: use right template for krbtpolicy commit #8001
XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer commit #8097
DNParam: raise Exception when multiple values provided to a 1-val param commit #8097
smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
ipa-server-certinstall manpage: add missing options commit #8086
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
ipa user_add: do not check group if UPG is disabled commit #4972
ipatests: fix fedora29 nightly definition commit
ipatests: ensure that backup/restore restores pkcs 11 modules config file commit #8073
ipa-backup: backup the PKCS module config files setup by IPA commit #8073
ipatests: enable 389-ds audit log and collect audit file commit #8064
ipatests: add nightly definition for DS integration tests commit
ipatests: fix wrong xfail in test_domain_resolution_order commit #8052
Nightly test definition: add missing tests commit
xmlrpc test: add test for preserved > stage user commit #7597
user-stage: transfer all attributes from preserved to stage user commit #7597
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules commit #7902
Azure pipeline: report failure in prepare-build step commit #8022
upgrade: remove ipaCert and key from /etc/httpd/alias commit #7329
Francisco Trivino (2)
Fraser Tweedale (141)
mailmap: add ftweedal commit
ipa_sam: do not modify static buffer holding fqdn commit #8501
spec: require pki-acme if pki-ca >= 10.10 commit
install: simplify host name verification commit
delete unused subroutine get_host_name() commit
certupdate: update config after deployment becomes CA-ful commit #7188
cainstance.update_ipa_conf: allow specifying ca_host commit #7188
acme: delete ACME RA account on server uninstall commit #4751
acme: configure engine.conf and disable by default commit #4751
acme: add Dogtag ACL to allow ACME agents to revoke certs commit #4751
dogtaginstance: extract user creation to subroutine. commit #4751
certupdate: only add LWCA tracking requests on CA servers commit #8399
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf commit
extract virtual operation access check subroutine commit #5011, #6423
fix iPAddress cert issuance for >1 host/service commit #8368
upgrade: avoid stopping certmonger when fixing requests commit #8186
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure commit #8186
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname commit #8186
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate commit #8186
httpinstance: add ipa-ca.$DOMAIN alias in initial request commit #8186
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers commit #8186
httpinstance: add fqdn and ipa-ca alias to Certmonger request commit #8186
certmonger: support dnsname as request search criterion commit #8186
certmonger: move ‘criteria’ description to module docstring commit #8186
add resources section commit
typospotting commit
suggest `ipa help topics` commit
lots of minor tweaks and updates commit
rename certificates module commit
Vagrantfile: set DNS configuration in network-scripts commit
add more prerequisites and fix some links commit
add inter-module links commit
split workshop into separate files commit
add sudorule and selinux units to TOC commit
add selinuxusermap unit commit
add sudorule unit commit
minor editoral improvements commit
Change workshop “Modules” to “Units” commit
prep: updates for f24, box version 0.0.7 commit
certs: request SAN DNS name commit
updates for FreeIPA 4.3 commit
typospotting commit
add facilitator notes; remove feedback link commit
building: note disk and memory requirements commit
bump libvirt vm mem to 1G; other fixes commit
update feedback url commit
update clone url commit
add internal links to modules commit
symlink README to workshop.rst commit
add replica installation module commit
update to f23 commit
add vagrant box building instructions commit
workshop: remove references to freeipa-workshop-vagrantfile repo commit
enable and start httpd on client commit
typospotting commit
initial commit commit
remove proposal commit
add copyright notice commit
freeipa-workshop: fix mod_authnz_pam link commit
merge (most of) zdover’s edits commit
20151029-osdc-freeipa-workshop: add app.py commit
osdc-freeipa-workshop: add certificate management module commit
osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details commit
osdc-freeipa-workshop: add debian/ubuntu prep instructions commit
osdc-freeipa-workshop: support vagrant-libvirt on Fedora commit
osdc-freeipa-workshop: presentation, minor curriculum edits commit
osdc-freeipa-workshop: typospotting commit
osdc-freeipa-workshop: remove definition list of VMs commit
osdc-freeipa-workshop: add missing dnf install vagrant commit
osdc-freeipa-workshop: clarify prep goals and VirtualBox version commit
osdc-freeipa-workshop: update troubleshooting doc commit
osdc-freeipa-workshop: incorporate wibrown's feedback commit
osdc-freeipa-workshop: update f22 installation steps commit
osdc-freeipa-workshop: add Windows prep details commit
osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview commit
osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes commit
osdc-freeipa-workshop: selinux and other minor fixes commit
osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections commit
osdc-freeipa-workshop: add mod_auth_gssapi section commit
sudo make me a sandwich commit
osdc-freeipa-workshop: add rpmfusion instructions commit
osdc-freeipa-workshop: external authnz module (WIP); minor fixes commit
osdc-freeipa-workshop: add initial workshop modules commit
fix osdc2015 and lca2016 dates commit
Do not renew externally-signed CA as self-signed commit #8176
ipatests: add test for certinstall with notBefore in the future commit #8142
Fix test regressions caused by certificate validation changes commit #8142
removed unused function export_pem_p12 commit
test_integration: add tests for custom CA subject DN commit #8084
upgrade: fix ipakra people entry ‘description’ attribute commit #8084
krainstance: set correct issuer DN in uid=ipakra entry commit #8084
ipa-pki-retrieve-key: request AES encryption (with fallback) commit #8020
NSSWrappedCertDB: accept optional symmetric algorithm commit #8020
dsinstance: add proflie when tracking certificate commit #7991
ipatests: test ipa-server-upgrade in CA-less deployment commit #7991
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants commit #7991
cainstance: add profile to IPA RA tracking request commit #7991
upgrade: log missing/misconfigured tracking requests commit #7991
upgrade: always add profile to tracking requests commit #7991
dogtaginstance: avoid special cases for Server-Cert commit #7991
dogtag-ipa-ca-renew-agent: always use profile-based renewal commit #7991
certmonger: use long options when invoking dogtag-ipa-renew-agent commit #7991
upgrade: add profile to Dogtag tracking requests commit #7991
dogtaginstance: add profile to tracking requests commit #7991
Collapse --external-ca-profile tests into single class commit #7548
Add more tests for --external-ca-profile handling commit #7548
install: fix --external-ca-profile option commit #5608, #7548
Gaurav Talreja (3)
Isaac Boukris (2)
Jeremy Frasier (2)
Jayesh Garg (4)
Julian Gethmann (1)
Fix typo in idrange.py docstring commit
Kaleemullah Siddiqui (4)
Christian Hermann (1)
configure.ac: don’t rely on bashisms commit
Miro Hrončok (1)
Fix a syntax typo commit
MIZUTA Takeshi (1)
Add config that maintains existing content to ipa-client-install manpage commit
Michal Polovka (7)
ipatests: test_epn: test_EPN_config_file: Package name fix commit
ipatests: test_epn: Fix package installation commit
Test for healthcheck being run on replica with stopped master commit
Test for output being indented by default value if not stated implicitly. commit
ipatests: add tests for ipa host-add with non-default maxhostnamelength commit #2018
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions commit #6843, #8055
ipatests: Test for ipa-backup with ipa not configured commit #6843
Mark Reynolds (4)
Mohammad Rizwan (28)
Move acme client installation part to classmethod commit
PEP8 fixes for test_acme.py commit
ipatests: Check if ACME is enabled on all CA servers commit #8524
PEP8 fixes commit
ipatests: add --skip-overlap-check option to prepare_reverse_zone() commit
ipatests: Add PTR record for IP SAN commit
ipatests: Test certmonger rekey command works fine commit
Xfail test for sssd < 2.3.0 commit
ipatests: Test ipa user login with wrong password commit
WebUI tests: fix PEP8 issues in test_webui/test_user.py commit
webui: check if notification area doesn’t intercept menu button commit #8120
ipatests: Test deletion of required principal throws proper error commit #7695
Display principal name while del required principal commit #7695
ipatests: Test to check password leak in apache error log commit #8017
ipatests:Test if proper error thrown when AD user tries to run IPA commands commit #8163
ipatests: Skip test using paramiko when FIPS is enabled commit
Test if getcert creates cacert file with -F option commit #8105
Move wait_for_request() method to tasks.py commit
Add certmonger wait_for_request that uses run_command commit
Test if certmonger reads the token in HSM commit
Test AES SHA 256 and 384 Kerberos enctypes enabled commit #8110
Add test to nightly yamls commit
Installation of replica against a specific server commit #7566
Check file ownership and permission for dirsrv log instance commit #7725
ndehadra (1)
Weblate (4)
Oğuz Ersen (2)
Spencer E. Olson (1)
Fixes debian path for IPA_CUSTODIA_HANDLER commit
Piotr Drąg (1)
Translated using Weblate (Polish) commit
Petr Voborník (2)
Rafael Fontenelle (1)
Translated using Weblate (Portuguese (Brazil)) commit
Rob Crittenden (116)
ipatests: Test that password reset unlocks users too commit #8551
On password reset also set krbLastAdminUnlock to unlock account commit #8551
Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test commit #2445, #298, #5948, #6964
Test that ipapwpolicy objectclass is added on upgrade commit #8555
Add ipwpwdpolicy objectclass to all policies on upgrade commit #8555
ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled commit #8498
Require an ipa-ca SAN on 3rd party certs if ACME is enabled commit #8498
Don’t install ACME if full support is not available commit #8524
Let dogtag.py be imported if the api is not initialized commit #8524
Use a state to determine if a 389-ds upgrade is in progress commit #7534
ipatests: Add test_pwpolicy to nightly runs commit #2445, #298, #5948, #6964
Requirements and design for libpwquality integration commit #2445, #298, #5948, #6964
Add SELinux policy so kadmind can read the crackdb dictionary commit #2445, #298, #5948, #6964
ipatests: add test for password policies commit #2445, #298, #5948, #6964
Add a raiseonerr option to ldappasswd_user_change commit #2445, #298, #5948, #6964
Pass the user to the password policy check in the kdb driver commit #2445, #298, #5948, #6964
Add a unit test for libpwquality-based password policy commit #2445, #298, #5948, #6964
Extend password policy to evaluate passwords using libpwpolicy commit #2445, #298, #5948, #6964
Require libpwolicy and configure it in the build system commit #2445, #298, #5948, #6964
Add new pwpolicy objectclass to test_xmprpc/objectclasses.py commit #2445, #298, #5948, #6964
Extend IPA pwquality plugin to include libpwquality support commit #2445, #298, #5948, #6964
Add LDAP schema for new libpwquality attributes commit #2445, #298, #5948, #6964
Don’t restart certmonger after stopping tracking in uninstall commit #8533
Reduce the memory requirement from 1.6 to 1.2 GB commit #8404
Test that ccaches are cleaned up during installation commit #8248
Clean up entire /run/ipa/ccaches directory not just files commit #8248
Require a matching server package for the selinux subpackage commit #8511
ipatests: Add tests for checking available memory commit #8404
Require at least 1.6Gb of available RAM to install the server commit #8404
ipatests: Add test for ACI attribute and permission uniqueness commit #8443
Use ACI class set_permissions() method to set permissions commit #8443
ipatests: test that a zone name and name-from-ip will be rejected commit #8446
Don’t allow both a zone name and --name-from-ip to be provided commit #8446
Set the certmonger subject with a string, not an object commit #8204
ipatests: test ipa_server_certinstall with an IPA-issued cert commit #8204
cli: When parsing options require name/value pairs commit #6115
ipatests: Add option/arg parsing tests for the cli commit #6115
ipatests: stop the CA during healthcheck expiration test commit #8463
Fall back to old server installation detection when needed commit #8458
IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit
Added negative test case for --list-sources option commit
ipatests: CLI validation of ipa-healthcheck command commit
IPA-EPN: Test that users without givenname and/or mail are handled commit
Update check_client_configuration to use new client fact commit #8384
Don’t use the has_files() to know if client/server is configured commit #8384
Create a common place to retrieve facts about an IPA installation commit #8384
Simplify determining if IPA client configuration is complete commit #8384
Simplify determining if an IPA server installation is complete commit #8384
ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441
ipatests: Test healthcheck revocation checker commit
ipatests: Use healthcheck namespacing in stopped server test commit
ipatests: lib389 is now providing healthchecks, update naming commit
ipatests: verify that all services can be detected by healthcheck commit
ipatests: Add healthcheck test for FileSystemSpaceCheck commit
ipatests: Test that healthcheck detects and reports expiration commit
ipatests: Test cases for healthcheck File checker(s) commit
Replace SSLCertVerificationError with CertificateError for py36 commit
Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent commit #3687
IPA-EPN: Add mail-test option for testing sending live email commit #3687
IPA-EPN: Add tests for sending real mail with auth and templates commit #3687
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions commit #3687
Perform baseline healthcheck commit
Test that pwpolicy only applied on Kerberos entries commit
Add ability to change a user password as the Directory Manager commit
Don’t save password history on non-Kerberos accounts commit
Test that ipa-healthcheck human output translates error strings commit
Move execution of ipa-healthcheck to a separate function commit
Fix div-by-zero when svc weight is 0 for all masters in location commit #8135
Don’t fully quality the FQDN in ssbrowser.html for Chrome commit #8201
ipa-certupdate removes all CA certs from db before adding new ones commit #8124
Add delete option to ipa-cacert-manage to remove CA certificates commit #8124
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit
Add integration test for Kerberos ticket policy commit #8001
Conditionally restart certmonger after client installation commit #8105
Add conditional restart (try-restart) capability to services commit #8105
Enable AES SHA 256 and 384-bit enctypes in Kerberos commit #8110
ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
Re-order tasks.restore_pkcs11_modules() to run earlier commit #8034
Don’t log host passwords when they are set/modified commit #8017
Skip lock and fork in ipa-server-guard on unsupported ops commit
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit commit
Add missing timeout option to logging statement commit
Log dogtag auth timeout in install, provide hint to increase it commit #7971
Log the replication wait timeout for debugging purposes commit #7971
Replace replication_wait_timeout with certmonger_wait_timeout commit #7971
Use tasks to configure automount nsswitch settings commit
Move ipachangeconf from ipaclient.install to ipapython commit
Don’t return SSH keys with ipa host-find --pkey-only commit #8029
httpinstance: add pinfile when tracking certificate commit #7991
Remove posixAccount from service_find search filter commit #8013
Robbie Harwood (16)
Drop upper bound on krb5 version in freeipa.spec commit
Update kdcpolicy design doc for jitter implementation commit
Drop support for DAL version 5.0 commit
Support DAL version 8.0 commit
Handle the removal of KRB5_KDB_FLAG_ALIAS_OK commit
Fix several leaks in ipadb_find_principal commit
Use separate variable for client fetch in kdcpolicy commit
Make the coding style explicit commit
Provide modern example enctypes in ipa-getkeytab(1) commit
Fix segfault in ipadb_parse_ldap_entry() commit
Add a skeleton kdcpolicy plugin commit
Move certauth configuration into a server krb5.conf template commit
Enable krb5 snippet updates on client update commit
Fix NULL pointer dereference in maybe_require_preauth() commit
Log INFO message when LDAP connection fails on startup commit
Rafael Guterres Jeffman (1)
Fixes pylint errors introduced by version 2.4.0. commit
Rafael Guterres Jeffman (6)
Robert Collins (1)
Note sss_cache -E. commit
Sam Bristow (1)
Workaround networking issues with Libvirt commit
Sam Morris (1)
Sumit Bose (2)
Sergio Oliveira Campos (1)
Add test for sssd ad trust lookup with dn in certmaprule commit
Stanislav Levin (91)
ipatests: Collect EPN log for debugging commit
EPN: Allow authentication by SMTP client’s certificate commit #8580
EPN: Enable certificate validation and hostname checking commit #8579
test_epn: Standardize EPN configs for deduplication commit
ipatests: Respect platform’s openssl dir commit
dns: Make use of `resolve_address` of a current resolver instead of the global one commit
Azure: Increase verbosity for Tox task commit
deps: Require `nss-tools` for make’s fasttest target commit
nss: Raise exception earlier on unsupported DB type commit #8474
Azure: base: Collect both install and uninstall logs commit
Azure: Drop dependency on UsePythonVersion task commit
Azure: Add Rawhide definitions commit
named: Don’t override custom command line options for named commit #8094
named: Make use of ‘pkcs11’ OpenSSL engine for BIND on Fedora31 commit #8094
upgrade: Handle migration of BIND OpenSSL engine commit #8094
DNSKeySyncInstance: Populate named/ods uid/gid on instantiation commit #8094
named: Allow using of a custom OpenSSL engine for BIND commit #8094
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit
uninstall: Don’t fail on missing /var/lib/samba commit #8461
rpm-spec: Don’t fail on missing /etc/ssh/ssh_config commit #8459
ipatests: Skip keyring tests on containerized platforms commit
Azure: Switch to dockerhub provider commit
ipatests: Add compatibility against python-cryptography 3.0 commit #8428
ipatests: Don’t turn Pytest IPA deprecation warnings into errors commit #8435
Azure: Always update apt cache commit
ipatests: Remove no longer needed ‘skip’ compatibility commit #8101
ipatests: Remove no longer needed ‘capture’ compatibility commit #8101
ipatests: Mark firewalld commands as no-op on non-firewalld distros commit #8261
Azure: Allow distros to install Python they want commit #8254
pki-proxy: Don’t rely on running apache until it’s configured commit #8233
spec: Take the ownership over ‘/usr/libexec/ipa/custodia’ commit
Azure: Report elapsed time commit
Azure: Rebalance tests commit
Azure: Skip tests requiring external DNS commit
Azure: Free Docker resources after usage commit
Azure: Preliminary check for provided limits commit
Azure: Sync Gating definitions to current PR-CI commit
Azure: Add support for testing multi IPA environments commit #8202
Azure: Make it possible to configure distro-specific stuff commit #8202
Azure: Allow to not provide tests to be ignored commit #8202
pylint: Synchronize pylint plugin to ipatests code commit #8116
pylint: Teach Pylint how to handle request.context commit #8116
pytest: Migrate unittest/nose to Pytest fixtures commit #7989
pytest: Migrate xunit-style setups to Pytest fixtures commit #7989
Install language packs for tests commit
Restore running of ‘test_ipaserver’ tests on Azure commit
Sergey Orlov (45)
ipatests: simplify fixture commit
ipatests: refactor test for login using cifs alias principal commit
Fix password file permission commit
ipatests: mark test_trustdomain_disable test as expectedly failing commit
ipatests: add context manager for declaring part of test as xfail commit
ipatests: add utility for getting sssd version on remote host commit
update prci definitions for test_sssd.py commit
ipatests: add test for sssd behavior with disabled trustdomains commit
ipatests: add missing classes from test_nfs in nightly_previous run commit
ipatests: add missing classes from test_installation in nightly runs commit
ipatests: run test_integration/test_cert.py in PR-CI commit
ipatests: run all cases from test_integration/test_idviews.py in nightlies commit
ipatests: explicitly save output of certutil commit
ipatests: add AD DC as a DNS forwarder before establishing trust commit
ipatests: add test_automember to “previous” nightly run commit
ipatests: add test_fips to testing-fedora nightly run commit
ipatests: provide AD admin password when trying to establish trust commit #7895
ipatests: remove test_ordering commit
ipatests: add test for SSSD updating expired cache items commit
ipatests: provide docstrings instead of imporperly placed comments commit
ipatests: remove invalid parameter from sssd.conf commit #8219
ipatests: use remote_sssd_config to modify sssd.conf commit #8219
ipatests: replace utility for editing sssd.conf commit #8219
ipatests: update docstring to reflect changes in FileBackup.restore() commit
ipatests: add test_trust suite to nightly runs commit
ipatests: add check for output contents of ipa-client-samba commit #8149
ipatests: add test_winsyncmigrate suite to nightly runs commit
ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
ipatests: enable test_smb.py in gating.yaml commit
ipatests: replace ad hoc backup with FileBackup helper commit #8115
ipatests: in DNS zone file add A record for name server commit
ipatests: strip newline character when getting name of temp file commit
ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit
ipatests: add tests for cached_auth_timeout in sssd.conf commit
ipatests: refactoring: use library function to check if selinux is enabled commit
ipatests: add new utilities for file management commit
ipatests: refactor and extend tests for IPA-Samba integration commit #3999
ipatests: modify run_command to allow specify successful return codes commit
ipatests: add utility functions related to using and managing user accounts commit
ipatests: allow to pass additional options for clients installation commit
ipatests: new test for trust with partially unreachable AD topology commit
ipatests: mark test_domain_resolution_order as expectedly failing commit
ipatests: add test for sudo with runAsUser and domain resolution order. commit
Sumedh Sidhaye (6)
test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run commit
Test for removing a subgroup commit
Test to check if Certmonger tracks certs in between reboots/interruptions and while in “CA_WORKING” state commit #8164
Added a test to check if ipa host-find --pkey-only does not return SSH public key commit #8029
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf commit
Test: To check ipa replica-manage del does not fail commit #7929
Simo Sorce (1)
Make sure to have storage space for tag commit
Stasiek Michalski (1)
Support for SUSE/openSUSE ipaplatform commit
Serhii Tsymbaliuk (28)
WebUI tests: Add simple test to check topology graph page is available commit #8523
WebUI tests: Add test case to cover user ID override feature commit #8416
WebUI: Fix error “unknown command ‘idoverrideuser_add_member’” commit #8416
WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137
WebUI: Fix issue with opening links in new tab/window commit #7137
WebUI: Fix “IPA Error 3007: RequirmentError” while adding idoverrideuser association commit #8335
WebUI: Apply jQuery patch to fix htmlPrefilter issue commit #8325
WebUI tests: Test all available fields on “Kerberos Ticket Policy” page commit #8207
WebUI: Add authentication indicator specific fields to “Kerberos Ticket Policy” page commit #8207
WebUI tests: Add confirmation step after changing default group in automember tests commit #8322
WebUI: Add confirmation dialog for changing default user/host group commit #8322
WebUI tests: cover membership management with UI tests commit #8298
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239
WebUI tests: Fix broken reference to parent facet in table record check commit #8157
WebUI tests: Fix ‘Button is not displayed’ exception commit #8169
WebUI: Fix adding member manager for groups and host groups commit #8123
WebUI: Fix new test initialization on “HBAC Test” page commit #8031
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages commit #7961
WebUI: Make ‘Unlock’ option is available only on locked user page commit #5062
WebUI tests: Fix request timeout for test_trust commit #8024
WebUI: Add PKINIT status field to ‘Configuration’ page commit #7305
WebUI tests: Fix timeout issues for reset password tests commit #8012
Sudhir Menon (32)
Added nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table commit
ipatests: ipa-healthcheck tests for DS checks commit
ipatests: Fix for test_ipahealthcheck_ds_riplugincheck commit #8563
ipatests: Fix for test_ipahealthcheck_ds_encryption commit #8560
ipatests: ipa-healthcheck test for DS RIPluginCheck commit
ipatests: ipa-healthcheck test for EncryptionCheck commit
ipatests: ipa-healthcheck test for DS BackendsCheck commit
ipatests: ipa-healthcheck fixes for tests running on RHEL commit
ipatests: ipa-healthcheck test fixes running on RHEL commit
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust commit
Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests commit
ipatests: Tests for ipahealthcheck tool with IPA external commit
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit
ipatests: Test for ipa-nis-manage CLI tool. commit
ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit
ipatests: Tests to check profile is displayed for getcert request. commit
Modified YAML to include healthcheck AD tests commit
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files commit
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck commit
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck commit
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 commit #8066
ipatests: Test for ipahealthcheck tool for IPADomainCheck. commit
ipatests: Test for ipahealthcheck.ds.ruv check commit
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup commit
ipatests: Added testcase to check logrotate is added for healthcheck tool commit
ipatests: check that ipa-healthcheck warns if no dna range is set commit
Adding back temp config definition removed commit
Nightly definition for ipa-healthcheck tool commit
Tier-1 test for ipa-healthcheck tool commit
Added testcase to check capitalization fix while running ipa user-mod commit #5879
Tibor Dudlák (5)
Tomas Halman (4)
Timo Aaltonen (6)
ipatests/test_installation: Use knownservices to map the service name. commit
ipatests/test_commands: Check sssd version like on test_sssd commit
Debian: Use parse_ipa_version from redhat. commit
Debian: Use enable/disable_ldap_automount() from base commit
Debian: Fix font-awesome path. commit
install: Add missing scripts to app_DATA. commit
Thorsten Scherf (5)
Theodor van Nahl (1)
Fix UnboundLocalError in ipa-replica-manage on errors commit
Thomas Woerner (4)
ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels commit
DNS install check: Fix overlapping DNS zone from the master itself commit #8150
Enable TestInstallMasterDNSRepeatedly in prci_definitions commit
Test repeated installation of the primary with DNS enabled and domain set commit