The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1!

It can be downloaded from http://www.freeipa.org/page/Downloads. At this point, we do not plan to provide releases to Fedora 33 or earlier versions due to a large number of changes coming with FreeIPA 4.9 series.

Highlights in 4.9.0 release candidate 1#

298: [RFE] Add support for cracklib to password policies

FreeIPA password quality checking plugin has been extended to use libpwquality library. Password policies can now check for a reuse of a user name, dictionary words using a cracklib package, numbers and symbols replacement and repeating characters in the passwords.

2445: [RFE] IdM password policy should include checks for repeating characters

FreeIPA password quality checking plugin has been extended to use libpwquality library. Password policies can now check for a reuse of a user name, dictionary words using a cracklib package, numbers and symbols replacement and repeating characters in the passwords.

3687: [RFE] IPA user account expiry warning.

EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.

3827: [RFE] Expose TTL in web UI

DNS record time to live (TTL) parameters can be edited in Web UI

3999: [RFE] Fix and Document how to set up Samba File Server with IPA

Samba file server can now be configured on the FreeIPA-enrolled system to provide file services to users in IPA domain and to users from trusted Active Directory forests

4751: Implement ACME certificate enrolment

Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the dogtag CA.

5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI

5608: [RFE] Add Dogtag configuration extensions

5662: ID Views: do not allow custom Views for the masters

Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects.

5948: [RFE] Implement pam_pwquality featureset in IPA password policies

6783: [RFE] Host-group names command rename

host groups can now be renamed with IPA CLI: ‘ipa hostgroup-mod group-name –rename new-name’. Protected hostgroups (‘ipaservers’) cannot be renamed.

7137: [RFE]: Able to browse different links from IPA web gui in new tabs

7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases.

7522: Disable cert publishing in dogtag

Dogtag certificate publishing facility is not configured anymore as it is not used in FreeIPA.

7577: [RFE] DNS package check should be called earlier in installation routine

The ``–setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.

7695: ipa service-del should display principal name instead of Invalid ‘principal’.

When deleting services, report exact name of a system required principal that couldn’t be deleted.

7966: Add support for JSON-RPC in ipa-join

ipa-join tool defaults to use of JSON-RPC protocol when communicating to IPA masters by default. The choice of JSON-RPC or XML-RPC is a compile-time setting now.

7971: [RFE] Include hint for replication_wait_timeout if timeout fails

8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write individual files per each certificate for Debian-based platforms.

8114: [RFE] Delegate group membership management

It is now possible to associate group managers with the groups. Group managers have rights to add and remove members of the individual group rather than being administrators for every group.

8217: RFE: ipa-backup should compare locally and globally installed server roles

ipa-backup now checks whether the local replica’s roles match those used in the cluster and exits with a warning if this is not the case as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check whether the host backups are run has all the necessary (used) roles.

8222: Upgrade dojo.js

Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.

8233: 4.8.5 master Installation error

On Debian and ALT Linux setup of AJP connector did restart Apache instance before it was configured. The restart wasn’t actually needed and thus was removed.

8236: Enforce a check to prevent adding objects from IPA as external members of external groups

Command ‘ipa group-add-member’ allowed to specify any user or group for ‘–external’ option. A stricter check is added to verify that a group or user to be added as an external member does not come from IPA domain.

8239: Actualize Bootstrap version

Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1.

8241: Build fails on Fedora 30

SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions.

8268: Prevent use of too long passwords

Kerberos tools limit password entered in kpasswd or kadmin tools to 1024 characters but do not allow to distinguish between passwords cut off at 1024 characters and passwords with 1024 characters. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.

8275: Support systemd-resolved

FreeIPA DNS servers now detect systemd-resolved and configure it to pass through itself.

8276: Add default password policy for sysaccounts

cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The “Default System Accounts Password Policy” has a minimum password length in case the password is directly modified with LDAP.

8284: Upgrade jQuery version to actual one

Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.

8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets

service delegation rules and targets now allow to specify hosts as a rule or a target’s member principal.

8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias

Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.

8301: The value of the first character in target* keywords is expected to be a double quote

389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc) to have quoted attributes. Otherwise the aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow 389-ds syntax. Any third-party ACIs need to be updated manually.

8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf

ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting “ChallengeResponseAuthentication yes” take precedence.

8315: [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings

389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.

8322: [RFE] Changing default hostgroup is too easy

In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.

8325: [WebUI] Fix htmlPrefilter issue in jQuery

CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.

8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

8348: Allow managed permissions with ldap:///self bind rule

Managed permissions can now address self-service operations. This makes possible for 3rd-party plugins to supply full set of managed permissions.

8357: Allow managing IPA resources as a user from a trusted Active Directory forest

A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.

8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp

LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.

8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn

EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults ; moreover, the man page for the configuration file was present.

8401: Create platform definitions for freeipa-container

ipaplatform now provides container platform flavors for freeipa/freeipa-container

8404: Detect and fail if not enough memory is available for installation

FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.

8444: EPN: enhance input validation

Various input validation checks were added to EPN.

8445: EPN: ‘[Errno 111] Connection refused’ when the SMTP is down

EPN now displays a proper message if the configured SMTP server cannot be contacted.

8449: EPN: enhance CLI option tests

EPN: enhance existing tests for –dry-run, –from-nbdays and –to-nbdays.

8488: SELinux blocks custodia key replication / retrieval for sub-CAs

SELinux: Make sure ipa_custodia_t has the necessary rights ; add dedicated policy rules for ipa-pki-retrieve-key.

8490: It is not possible to edit KDC database when the FreeIPA server is running

kadmin.local command ‘getprincs’ is now supported

8493: Synchronize index LDIF and index update files

Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domains operations. Performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.

8503: pkispawn logs files are empty

On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with –debug to revert to the previous behavior.

8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)

Support reproducible builds for jQuery library

8510: create_active_user and kinit_as_user should collect kdcinfo.REALM on failure

Sometimes, requesting a TGT after a password reset fails because SSSD seems to select different hosts for these two sequential tasks, leaving no time for replication to replicate the password hashes. Add debug information to the test suites that exhibit the problem and always display the kdcinfo file maintained by SSSD that contains the KRB5KDC IP it should be pinned to.

8530: Running ipa-server-install fails on machine where libsss_sudo is not installed

The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself.

Enhancements#

Known Issues#

8240: KRA install fails if all KRA members are Hidden Replicas

If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.

Bug fixes#

FreeIPA 4.9.0 release candidate 1 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 350 bug-fixes since FreeIPA 4.8.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

#298 (rhbz#587752) [RFE] Add support for cracklib to password policies
#2018 (rhbz#1703564) Change hostname length limit to 64
#2445 (rhbz#798359) [RFE] IdM password policy should include checks for repeating characters
#3473 Switch to using RESTful interface in dogtag CA interface
#3687 (rhbz#913799) [RFE] IPA user account expiry warning.
#3827 [RFE] Expose TTL in web UI
#3999 (rhbz#837604) [RFE] Fix and Document how to set up Samba File Server with IPA
#4751 (rhbz#1851835) Implement ACME certificate enrolment
#4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled
#5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI
#5062 (rhbz#1229657) [WebUI] Unlock option is enabled for all user.
#5566 Permit creation of PTR records in non-.arpa master zones via the DNS UI
#5608 (rhbz#1405935) [RFE] Add Dogtag configuration extensions
#5628 webui: Unclear(UX) purpose of OTP field in password reset form on login
#5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters
#5879 (rhbz#1334619) Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
#5914 (rhbz#1298288) invalid setting of DS lock table size
#5948 (rhbz#1340463) [RFE] Implement pam_pwquality featureset in IPA password policies
#6115 (rhbz#1357495) ipa command provides stack trace when provided with single hypen commands
#6210 (rhbz#1364139, rhbz#1751951) When master’s IP address does not resolve to its name, ipa-replica-install fails
#6423 Validate cert requests in Dogtag
#6474 Remove ipaplatform dependency from ipa modules
#6708 Unused config options
#6783 (rhbz#1430365) [RFE] Host-group names command rename
#6843 (rhbz#1428690) ipa-backup does not create log file at /var/log/
#6857 ipa_pwd.c: Use OpenSSL instead of NSS for hashing
#6884 (rhbz#1441262) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
#6891 (rhbz#1461914) Move FreeIPA SELinux policy from system policy to project policy
#6951 (rhbz#1449133) Update samba config file and use sss idmap module
#6964 (rhbz#1442413) IPA password policy has no password difference checking
#7125 (rhbz#1480102) ipa-server-upgrade failes with “This entry already exists”
#7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs
#7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
#7188 Issues after promoting one CA-less IPA server to CA-full
#7255 baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
#7305 (rhbz#1518153) PKINIT status not displayed in the web UI (IPA Server > Configuration)
#7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas
#7323 IPv6 hack for Travis CI
#7329 update_ra_cert_store does not remove private key from NSSDB
#7416 Uninstalling IPA requires on being in a existent working directory
#7522 Disable cert publishing in dogtag
#7534 (rhbz#1569011) Investigate failures to restore 389-ds attriubtes on upgrade failure
#7548 Need integration test for –external-ca-type=ms-cs
#7566 (rhbz#1591824) Installation of replica against a specific master
#7577 (rhbz#1579296) [RFE] DNS package check should be called earlier in installation routine
#7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage
#7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents
#7610 ldapupdate.py users ldap.LOCAL_ERROR and other direct ldap exceptions while relying on ipaldap
#7630 (rhbz#1613015) ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
#7695 (rhbz#1623763) ipa service-del should display principal name instead of Invalid ‘principal’.
#7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
#7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace
#7810 [F28] Require NSS with fix for p11-kit issue.
#7816 (rhbz#1642395) [WebUI] not able to set a password for user as Active Directory Administrator user
#7870 (rhbz#1680039) [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”
#7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored
#7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
#7908 Write tests for interactive prompt for NTP options.
#7929 (rhbz#1712794) ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled
#7932 FreeIPA queries rely on missing attribute altsecurityidentities
#7933 FreeIPA must index certmap attributes.
#7938 ‘ipa dnszone-show/find’ should display “Dynamic Update” and “Bind update policy” by default
#7949 test_integration/test_nfs.py fails at cleanup
#7958 (rhbz#1782169) traceback in idview
#7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
#7966 Add support for JSON-RPC in ipa-join
#7971 (rhbz#1715961) [RFE] Include hint for replication_wait_timeout if timeout fails
#7985 test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
#7987 Python shebang: Use isolated mode
#7989 Pytest4.2+ errors
#7991 Use profile-based renewal for system certificates
#7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf
#7996 `test_selinuxusermap_plugin` fails against not default SELinux settings
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8004 RHEL 8 uses nis-domainname instead of rhel-domainname
#8005 (rhbz#1729099) User field separator uses ‘$$’ within ipaSELinuxUserMapOrder
#8007 Not stable nodeids within pytest
#8008 Azure Pipeline slicing
#8009 Missing execution bit on `ipa-run-tests` within virtualenv
#8010 Extended Kerberos Ticket Policy
#8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
#8013 (rhbz#1731433) ipa service-find does not list cifs service created by ipa-client-samba
#8015 p11helper: insufficient logging when loading LIBSOFTHSM2_SO
#8017 (rhbz#1817927) host-add –password logs cleartext userpassword to Apache error log
#8019 (rhbz#1732524) repeated uninstallation of ipa-client-samba crashes
#8020 support AES in LWCA key replication
#8021 (rhbz#1732528) ipa-client-samba can not install samba after uninstallation
#8022 azure pipeline: fail if dnf builddep exits on failure
#8024 [WebUI] test_webui/test_trust.py failed because of request timeout
#8026 Update pr-ci definitions with master_3client topology
#8027 test_nfs.py: migrate to master_3client
#8029 (rhbz#1749788) ipa host-find –pkey-only includes SSH keys in output
#8030 azure pipelines fail at “Install prerequisites” of Tox job
#8031 (rhbz#1734369) HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
#8034 Existing p11-kit config file is not restored on uninstall
#8038 (rhbz#1740167) ipa-client-automount –uninstall is not restoring nsswitch.conf
#8040 (rhbz#1731963) ipa migrate-ds fails with internal error.
#8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
#8048 Travis-CI sometimes fails at dnf
#8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
#8053 [WebUI] Fix login screen loading issue in test_loginscreen
#8054 (rhbz#1746557) ipa-client-install calls “authselect select sssd –force” at uninstall time before restoring user-nsswitch.conf
#8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
#8056 (rhbz#1746882) BuildRequires is not compatible with %{_libdir}
#8057 (rhbz#1747895) Running ipa-server-install produces SyntaxWarning: “is not” with a literal. Did you mean “!=”?
#8062 Re-add configure_nsswitch_database, configure_nsswitch, … to ipaclient.install
#8063 Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::()::test_nsswitch_backup_restore_sssd
#8064 Request for IPA CI to enable DS audit/auditfail logging
#8066 (rhbz#1750242) Don’t use -t option to klist in adtrust code when timestamp is not needed
#8067 (rhbz#1750700) add default access control configuration to trusted domain objects
#8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
#8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
#8075 Don’t create log file for helper scripts
#8077 New pylint 2.4.0 errors
#8079 (rhbz#1754530) [Security] By default, DNS recursion is open, breaking best practices
#8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
#8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN
#8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.
#8094 Allow using of a custom OpenSSL engine for ISC BIND
#8097 ipa user-add-certmapdata is not able to add several entries correctly
#8098 Host principals lack ACI to look up DNS objects in LDAP
#8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8
#8101 Wrong pytest requirement in specfile
#8102 Pylint 2.4.3 + Astroid 2.3.2 errors
#8104 RFE: Disable Stale/Inactive Users - Upstream Design Document
#8105 (rhbz#1759281) getcert with -F option returns before cacert file is created
#8106 ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
#8110 (rhbz#1768015) Enable AES SHA 256 and 384 Kerberos enctypes
#8111 (rhbz#1768959) [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode
#8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
#8114 [RFE] Delegate group membership management
#8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
#8116 Pylint parallel execution with custom plugin
#8118 Run smoke tests in FIPS mode
#8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
#8122 (rhbz#1773528) group-add-member-manager does not report errors
#8123 (rhbz#1773528) [WebUI] Finish group membership management UI
#8124 Add option to ipa-cacert-manage to delete certificates
#8125 (rhbz#1777809) Use default crypto policy for TLS and enable TLS 1.3 support
#8129 Tests: Replace paramiko with OpenSSH
#8131 (rhbz#1777920) covscan memory leaks report
#8133 check_client_configuration() no longer works with IPA_CONFDIR
#8134 ipa user-add is inefficient
#8135 (rhbz#1777806) When Service weight is set as 0 for server in IPA location “IPA Error 903: InternalError” is displayed
#8137 reinstall failed in adding delegation layout
#8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL
#8142 check Not Before / Not After in externally signed CA sanity check
#8143 service.ldap_disable() does not remove “enabledService”
#8144 test_nfs.py: umount.nfs4: /home: device is busy
#8148 (rhbz#1782587) add “systemctl restart sssd” to warning message when adding trust agents to replicas
#8149 (rhbz#1783046) SIDs of AD domains do not display in ipa-client-samba installer
#8150 (rhbz#1784003) IPA Server install fail
#8151 test_commands timing-out
#8153 (rhbz#1784761) Kerberos ticket policy reset does not reset per-indicator policies
#8157 NIghtly test failure in fedora-rawhide/test_webui_network
#8159 please migrate to the new Fedora translation platform
#8163 (rhbz#1782572) “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]
#8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
#8169 NIghtly test failure in fedora-rawhide/test_webui_policy
#8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
#8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package
#8176 External CA is tracked for renewals and replaced with a self-signed certificate
#8179 Tests broken with python version < 3.7 (module ‘re’ has no attribute ‘Pattern’)
#8186 Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
#8189 (rhbz#1810179) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
#8190 (rhbz#1790886) ipa-client-automount fails after repeated installation/uninstallation
#8192 (rhbz#1665051) ipa-adtrust-install does not list service records for manual addition to DNS zone
#8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update
#8196 API: dnsrecord_del failure with empty list aaaarecord
#8200 (rhbz#1803786) ipa krb5kdc db: krb5kdc coredump
#8201 update ssbrowser.html
#8202 Azure: add support for multi-container tests
#8204 (rhbz#1810148) ipa-server-certinstall -> certmonger add_subject template-subject dbus ‘unable to set arguments’ a{sv}
#8207 Extend Web UI for Kerberos ticket policy to add authentication indicator support
#8214 Support for opendnssec 2.1.6
#8217 (rhbz#1810154) RFE: ipa-backup should compare locally and globally installed server roles
#8219 ipatests: unify editing of sssd.conf
#8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy
#8222 Upgrade dojo.js
#8226 (rhbz#1813330) ipa-restore does not restart httpd
#8228 Nightly failure in backup/restore while calling ‘id admin’
#8233 4.8.5 master Installation error
#8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups
#8239 Actualize Bootstrap version
#8240 (rhbz#1816784) KRA install fails if all KRA members are Hidden Replicas
#8241 Build fails on Fedora 30
#8247 test_fips PR-CI templates have a too-short timeout
#8248 httpd ccaches created during server upgrade aren’t cleaned up on uninstall/install
#8251 [Azure] Catch coredumps
#8254 [Azure] ‘Tox’ task fails against Python3.8
#8261 [ipatests] Integration tests fail on non-firewalld distros
#8262 test_ipahealthcheck needs a higher timeout than 3600
#8264 Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
#8265 [ipatests] `/var/log/ipaupgrade.log` is not collected
#8266 test_webui_server requires a higher timeout than 3600
#8268 Prevent use of too long passwords
#8272 Use /run instead of /var/run
#8273 (rhbz#1834385) Man page syntax issue detected by rpminspect
#8275 (rhbz#1880628) Support systemd-resolved
#8276 Add default password policy for sysaccounts
#8283 Failures and AVCs with OpenDNSSEC 2.1
#8284 Upgrade jQuery version to actual one
#8287 named not starting after #8079, ipa-ext.conf breaks bind
#8289 ipa servicedelegationtarget-add-member does not allow to add hosts as targets
#8290 API inconsistencies
#8291 krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
#8297 Fix new pylint 2.5.0 warnings and errors
#8298 [WebUI] Cover membership management with UI tests
#8300 Replace uglify-js with python3-rjsmin
#8301 The value of the first character in target* keywords is expected to be a double quote
#8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
#8306 Adopt Black code style
#8307 make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
#8308 (rhbz#1829787) ipa service-del deletes the required principal when specified in lower/upper case
#8309 Convert ipaplatform from namespace package to regular package
#8311 (rhbz#1825829) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
#8312 Fix api.env.in_tree detection logic
#8313 Values of api.env.mode are inconsistent
#8315 (rhbz#1833266) [dirsrv] set ‘nsslapd-enable-upgrade-hash: off’ as this raises warnings
#8316 [Azure] Whitelist clock_adjtime syscall
#8317 XML-RCP and CLI tests depend on internal –force option
#8319 Support server referrals for enterprise principals
#8322 [RFE] Changing default hostgroup is too easy
#8323 [Build failure] Race: make po fails on parallel build
#8325 [WebUI] Fix htmlPrefilter issue in jQuery
#8326 CVE-2020-10747
#8328 krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
#8330 [Azure] Build job fails on `tests` container preparation
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8336 [WebUI] “User attributes for SMB services” section always shown
#8338 [WebUI] Host detail with no assigned ID view makes invalid RPC call
#8339 [WebUI] User details tab headers don’t show member count when on settings tab
#8344 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
#8348 Allow managed permissions with ldap:///self bind rule
#8349 bind-9.16 and dnssec-enable
#8350 bind-9.16 and DLV
#8352 RPC API crashes when a user is disabled while a session exists
#8357 Allow managing IPA resources as a user from a trusted Active Directory forest
#8358 TTL of DNS record can be set to negative value
#8359 [WebUI] dnsrecord_mod results in JS error
#8360 lite-server: Werkzeug deprecation warnings
#8362 (rhbz#1826659) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
#8363 DNS config upgrade code fails
#8364 Nightly test failure while establishing trust: Cannot find specified domain or server name
#8366 CA-less replica deployment fails with –setup-ca
#8367 IPA-EPN fails to build in ONLY_CLIENT mode
#8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts
#8369 cert_find returns “CA not configured” in CA-less install
#8370 ipa-join does not set nshardwareplatform and nsosversion
#8371 Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
#8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords
#8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
#8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall
#8378 CA validity past year 2038 breaks cert.py plugin on 32-bit platform
#8379 Nightly test failure [testing_master_pki] while installing CA replica
#8381 Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
#8383 Test with dnspython 2.0
#8384 Provide reliable way to know if a server installation is complete
#8388 Make help() on plugins more useful
#8391 Remove dnf workaround from test_epn.y
#8394 Nightly test failure in cert-related tests
#8395 selinux don’t audit rules deny fetching trust topology
#8396 [WebUI] Font type of “Enabled” column in user search facet wrong
#8399 certmonger attempts to add LWCA tracking requests on non-CA server.
#8400 sshd template file is installed in a wrong (server) location while used by the client side
#8401 Create platform definitions for freeipa-container
#8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
#8404 Detect and fail if not enough memory is available for installation
#8405 Don’t delegate full TGT in ipa-join
#8407 Support changelog integrated into main database
#8408 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_client_enrollment_by_unprivileged_user
#8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock
#8413 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
#8414 Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
#8416 [WebUI] Error while adding user ID overrides to group
#8419 Azure is reporting a slew of new no-member lint errors
#8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
#8428 [ipatests] fails due to new python-cryptography 3.0
#8429 Add fips-mode-setup to ipaplatform.paths
#8432 test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
#8435 [ipatests] failures due to new Pytest6.0 (pypi part)
#8437 unit tests for ipa-extdom-extop are failing in Fedora 33
#8439 Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate
#8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
#8442 [pylint] warnings/errors against pylint 2.5.3
#8443 ipa delegation-add can add permissions and attributes several times
#8444 (rhbz#1866291) EPN: enhance input validation
#8445 (rhbz#1863079) EPN: ‘[Errno 111] Connection refused’ when the SMTP is down
#8446 ipa dnszone-add ignores –name-from-ip option if name is given
#8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
#8449 (rhbz#1866291) EPN: enhance CLI option tests
#8456 Need new aci’s for the new replication changelog entries
#8458 auto-upgrade will never happen for existing installations
#8459 [upgrade] handle missing openssh-clients
#8461 [ALTLinux] server uninstall error on missing /var/lib/samba
#8463 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8464 Increase replication changelog trimming interval
#8468 [pylint] new warnings on dev branch
#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
#8473 Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
#8474 Mozilla’s NSS without DBM
#8475 Azure: tox task and virtualenv 20+
#8481 Nightly test failure in rawhide in tasks.configure_dns_for_trust
#8482 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
#8488 (rhbz#1868432) SELinux blocks custodia key replication / retrieval for sub-CAs
#8490 (rhbz#1875001) It is not possible to edit KDC database when the FreeIPA server is running
#8491 Unindexed searches in FreeIPA git master
#8493 Synchronize index LDIF and index update files
#8494 Azure Pipelines are broken due to docker compose tool upgrade
#8496 [Tracker] Multiple nightly test failures in test_dnssec
#8498 Check 3rd-party IPA server HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
#8501 Unify how FreeIPA gets FQDN of current host
#8502 Don’t create DirSRV SSCA
#8503 (rhbz#1879604) pkispawn logs files are empty
#8505 Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
#8507 [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
#8510 (rhbz#1881630) create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
#8511 The selinux subpackage does not have a requirement to match the server install
#8512 Import of psutil can trigger SELinux violation
#8513 (rhbz#1868432) SELinux module fails to load: Re-declaration of type node_t
#8515 (rhbz#1882340) nsslapd-db-locks patching no longer works
#8516 Nightly test failure (master) in ipa trust-add
#8518 Upgrade F32 to F33 fails in DNS upgrade code
#8519 Fedora container platform is incomplete
#8521 Speed up ipa-server-install
#8522 Remove cainstance.migrate_profiles_to_ldap()
#8523 Topology Graph returns Runtime Error
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8529 ipa-ca record incomplete when hostname is not in DNS
#8530 (rhbz#1859185) Running ipa-server-install fails on machine where libsss_sudo is not installed
#8533 Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply
#8535 (rhbz#1887928) RPM spec moves ssh server config to a snippet but does not ensure sshd_config includes the snippet
#8536 RFE: ipatests: run healthcheck on hidden replica
#8541 Nightly failure (fed33) in test_installation.py::TestInstallMaster::test_selinux_avcs
#8551 (rhbz#1784657) Unlock user accounts after a password reset and replicate that unlock to all IdM servers
#8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes
#8555 (rhbz#1340463) Nightly test failure in test_pwpolicy.py::test_pwpolicy::test_misc
#8558 Create backend entry before creating mapping tree entry for ipaca backend
#8559 Nightly test failure in test_trust.py::TestTrust::test_password_login_as_aduser
#8560 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8563 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
#8566 Subordinate suffixes aren’t treated as subordinate in trust to Active Directory (crash part)
#8567 (rhbz#1894800) IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
#8572 Nightly failure in test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica
#8573 Nightly failure in test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
#8578 EPN: SMTP client downgrade smtp_security from `starttls` to `none`
#8579 EPN: SMTP client doesn’t validate server certificate
#8580 EPN: SMTP client authentication by certificate
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8585 Compile warnings on rawhide

Detailed changelog since 4.8.10#

Armando Neto (25)#

ipatests: Update PRCI Fedora 32 templates commit
ipatests: Add nightly definitions for enforcing mode commit
ipatests: Bump PR-CI templates commit #8473
ipatests: Bump PR-CI templates commit
ipatests: bump pr-ci templates commit
ipatests: bump pr-ci templates commit
ipatests: bump prci templates commit
ipatests: bump prci templates commit
prci: update templates for new Fedora release commit
Update instructions for Fedora 28 / FreeIPA 4.6.90 commit
prci: bump version for latest and previous templates commit
prci: Bump version of all templates commit
prci: update packages for rawhide nightly runs commit
ipatests: Skip test_sss_ssh_authorizedkeys method commit #8151
ipatests: Improve test_commands reliability commit
travis: Remove CI integration commit #7323
prci: bump template version for temp_commit and nightly_latest commit
prci: bump fedora release commit
prci: rename definitions files and jobs to change how fedora releases are referenced commit
prci: increase timeout argument for test_sssd.py commit
prci: increase timeout for jobs that required AD commit
prci: update packages for pki and testing nightly runs commit
Update definitions for nightly tests commit
prci: fix typo on nightly test definitions commit
prci: update test definitions commit

Alexander Bokovoy (140)#

Become FreeIPA 4.9.0 release candidate 1 commit
Translations: update translations template commit
Add contributors from translations project at Weblate commit
Azure CI: mask chronyd in the container commit
spec: use pkgconf to find out krb5 version commit
Azure CI: use PPA to provide newer libseccomp version commit
Azure CI: use Ubuntu-20.04 image by default commit
ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints commit #8584
ipa-otpd: fix gcc complaints in Rawhide commit #8585
ipa-sam: fix gcc complaints on Rawhide commit #8585
ipa-kdb: fix gcc complaints in kdb tests commit #8585
ipa-kdb: fix gcc complaints commit #8585
wgi/plugins.py: ignore empty plugin directories commit #8567
ipa-kdb: fix crash in MS-PAC cache init code commit #8566
rpcserver: fix exception handling for FAST armor failure commit
rpcserver: fallback to non-armored kinit in case of trusted domains commit
pylint: remove unused variable commit
ipa-kdb: support subordinate/superior UPN suffixes commit #8554
Pre-populate IP addresses for the name server upgrades commit #8518
Specify memory limits as strings for docker compose commit #8494
ipa-kdb: test kadmin.local getprincs command commit #8490
ipa-kdb: support getprincs request in kadmin.local commit #8490
test_smb: make sure both smbserver and smbclient use IPA master for DNS commit #8344
Add new contributors commit
Add alternative email to the mailmap for myself commit
master: update po/ipa.pot commit
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437
selinux: support running ipa-custodia with PrivateTmp=yes commit #8395
selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395
handle Y2038 in timestamp to datetime conversions commit #8378
update list of contributors commit
Update translation files commit
ipatests: test that adding Active Directory user to a role makes it an administrator commit #8357
Web UI: allow users from trusted Active Directory forest manage IPA commit #8335
tests: account for ID overrides as members of groups and roles commit #7255
Support adding user ID overrides as group and role members commit #7255
idviews: handle unqualified ID override lookups from Web UI commit #7255
support using trust-related operations in the server console commit
Add design page for managing IPA resources as a user from a trusted Active Directory forest commit #7816, #8357
kdb: handle enterprise principal lookup in AS_REQ commit #8319
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset commit #8362
azure: do not run test_commands due to failures in low memory cases commit
test_smb: test S4U2Self operation by IPA service commit #8319
ipa-kdb: refactor principal lookup to support S4U2Self correctly commit #8319
ipa-kdb: cache local TGS in the driver context commit #8319
ipa-kdb: add primary group to list of groups in MS-PAC commit #8319
ipa-kdb: Always allow services to get PAC if needed commit #8319
ipa-kdb: add asserted identity SIDs commit #8319
kdb: add minimal server referrals support for enterprise principals commit #8319
ipa-tests: add a test to make sure MS-PAC is produced by KDC commit #8319
ipa-print-pac: acquire and print PAC record for a user commit #8319
ipa-kdb: add UPN_DNS_INFO PAC structure commit #8319
baseldap: de-duplicate passed attributes when checking for limits commit #8328
service delegation: allow to add and remove host principals commit #8289
WebUI: use python3-rjsmin to minify JavaScript files commit #8300
test_smb: test that we can auth as NetBIOS alias commit #8291
kdb: fix memory handling in ipadb_find_principal commit #8291
kdb: initialize flags in ipadb_delete_principal() commit #8291
Azure Pipelines: switch to Fedora 32 commit
Azure Pipelines: Override services known to not work in containers commit
Add pytest.skip_if_container() commit
CVE-2020-1722: prevent use of too long passwords commit #8268
Allow rename of a host group commit #6783
Add ‘api’ and ‘aci’ targets to make commit
Remove Fedora repository fastmirror selection commit
ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN commit #7181
ipatests: test sysaccount password change with a password policy applied commit #7181
ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
Fix indentation levels commit
ipatests: always skip additional input for group-add-member –external commit #8236
po: update Chinese (China) translation commit
po: update Ukrainian translation commit
po: update Tajik translation timestamp commit
po: update Slovak translation timestamp commit
po: update Russian translation commit
po: update Portuguese (Brazil) translation timestamp commit
po: update Portuguese translation timestamp commit
po: update Polish translation commit
po: update Punjabi translation timestamp commit
po: update Dutch translation timestamp commit
po: update Marathi translation timestamp commit
po: update Kannada translation timestamp commit
po: update Japanese translation timestamp commit
po: update Indonesian translation timestamp commit
po: update Hungarian translation timestamp commit
po: update Hindi translation timestamp commit
po: update French translation commit
po: update Basque translation timestamp commit
po: update Spanish translation commit
po: update English (United Kingdom) translation timestamp commit
po: update German translation commit
po: update Czech translation timestamp commit
po: update Catalan translation timestamp commit
po: update Bengali translation timestamp commit
po: update ipa.pot template commit
Update translation infrastructure commit #8159
Keep ipa.pot translation file in git for weblate commit #8159
Do not force any particular sphinx theme commit
Override master document for ReadTheDocs commit
Move workshop documents to doc/workshop commit
Add unit 11: Kerberos ticket policy commit
Prevent adding IPA objects as external members of external groups commit #8236
Secure AJP connector between Dogtag and Apache proxy commit #8221
Tighten permissions on PKI proxy configuration commit #8221
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+ commit
kdb: make sure audit_as_req callback signature change is preserved commit #8200
adtrust: print DNS records for external DNS case after role is enabled commit #8192
Update Azure Pipelines to use Fedora 31 commit
install/updates: move external members past schema compat update commit #8193
Reset per-indicator Kerberos policy commit #8153
ipa-client-samba: map domain sid of trust domain properly for display commit #8149
DNS install check: allow overlapping zone to be from the master itself commit
covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
covscan: free encryption types in case there is an error commit #8131
Add Authentication Indicator Kerberos ticket policy options commit #8001
Allow presence of LDAP attribute options commit #8001
Do not run trust upgrade code if master lacks Samba bindings commit #8001
Update contributors commit
Update translations commit
Add local helpers to handle unixid structure commit
adtrust: add default read_keys permission for TDO objects commit #8067
add default access control when migrating trust objects commit #8067
adtrust: avoid using timestamp in klist output commit #8066
Mark failing test as xfail for use of python-dns make_ds method commit
ipa-extdom-extop: test timed out getgrgid_r commit #8044
Update contributors commit
Update translations commit
Add Theodor van Nahl to the Contributors.txt commit
Restore SELinux context for p11-kit config overrides commit #7810
Change RA agent certificate profile to caSubsystemCert commit
certmaprule: add negative test for altSecurityIdentities commit #7932
certmap rules: altSecurityIdentities should only be used for trusted domains commit #7932
Create indexes for altSecurityIdentities and ipaCertmapData attributes commit #7932, #7933
Add altSecurityIdentities attribute from MS-WSPP schema definition commit #7932, #7933
Use stage and phase attempt counters when saving test artifacts commit
Use any nodejs version instead of forcing a version before nodejs 11 commit
Fix rpmlint errors for Rawhide commit
Set git master to 4.9.0 commit
Changing IPA master back to git snapshots commit

Abhijeet (1)#

Update workshop.rst commit

Alexandre Mulatinho (2)#

ipa-join: allowing call with jsonrpc into freeipa API commit #7966
ipa-scripts: fix all ipa command line scripts to operate with -I commit #7987

Anuja More (18)#

ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit
ipatests: xfail test with older versions of sssd commit
ipatests : Test to verify override_gid works with subdomain. commit
ipatests: xfail test with older versions of sssd commit
ipatests: Test that trusted AD users should not lose their AD domains. commit
Mark test to skip sssd-2.2.2 commit
ipatests: User and group with same name should not break reading AD user data. commit
ipatests: Added test when 2FA prompting configurations is set. commit
ipatests: SSSD should fetch external groups without any limit. commit
Update topology for test_integration/test_sssd.py commit
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
After mounting “Unspecified GSS failure” should not be in logs. commit
Add xmlrpc test with input validation check for kerberos ticket policy. commit
Fix fedora version for xfail for sssd test commit
Add integration test for otp kerberos ticket policy. commit #8001
ipatests: filter_users should be applied correctly. commit
ipatests : Login via ssh using private-key for ipa-user should work. commit
Extdom plugin should not return error (32)/’No such object’ commit #8044

Andika Triwidada (1)#

Translated using Weblate (Indonesian) commit

Ariel O. Barria (1)#

vagrant user does not have permission to write to /etc/resolv.conf commit

Alexander Scheel (3)#

Specify cert_paths when calling PKIConnection commit #8379
Configure PKI AJP Secret with 256-bit secret commit #8372
Clarify AJP connector creation process commit

Peter Keresztes Schmidt (33)#

WebUI: Unify adapter property definition for state evaluators commit #8336
WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336
ipa-backup/restore: remove remaining chdir calls commit #7416
ipa-join: handle JSON-RPC error codes commit #8408
ipa-join: extract common JSON-RPC response parsing to common function commit #8408
ipa-join: Generalize XML-RPC references in man page commit #7966
ipa-join: Use bool type where appropriate commit #7966
ipa-join: select {JSON,XML}-RPC at build time commit #7966
ipa-join: implement JSON-RPC based unenrollment commit #7966
ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function commit #7966
ipa-join: switch to jansson for json handling commit #7966
ipa-join: buffer curl response before parsing json commit #7966
ipa-join: improve curl error handling in JSON-RPC code commit #7966
ipa-join: don’t set TLS related curl options for JSON-RPC commit #7966
Populate nshardwareplatform and nsosversion during join operation commit #8370
WebUI: Fix rendering of boolean_status_formatter commit #8396
Unify spelling of “One-Time Password” commit
WebUI: reword OTP info message displayed during PW reset commit #5628
WebUI: move OTP to be the last field in the PW reset form commit #5628
Split named custom config to allow changes in options stanza commit #8287
lite-server: Fix werkzeug deprecation warnings commit #8360
util: replace NSS usage with OpenSSL commit #6857
util: add unit test for pw hashing commit #6857
po: remove zanata config since translation was moved to weblate commit #8159
Remove unused support for dm_password arg from ldapupdate.connect commit #7610
Use ipaldap exceptions rather than ldap error codes in LDAP updater commit #7610
Specify min and max values for TTL of a DNS record commit #8358
WebUI: Add units to some DNS zone and IPA config fields commit
WebUI: Expose TTL of DNS records commit #3827
WebUI: Refresh DNS record data correctly after mod operation commit #8359
WebUI: Use data adapter to load facet header data commit #8339
WebUI: Fix invalid RPC calls when link widget has no pkey passed commit #8338
Remove remains of unused config options commit #6708

Christian Heimes (181)#

Easier to use ipa_gethostfqdn() commit
Update debug strings to reflect new calls commit
Remove problematic optimization from gethostfqdn() commit
Replace nodename with ipa_gethostfqdn() commit #8501
Unify access to FQDN commit #8501
Reuse main LDAP connection commit #8521
Speed up cainstance.migrate_profiles_to_ldap commit #8521, #8522
Lookup ipa-ca record with NSS commit #8501, #8521, #8529
Simplify update code commit #8275
Don’t add 127.0.0.1 to resolv.conf twice commit #8275
Require(post) systemd with resolved enabled on F33 commit #8275
Replace sudo with runuser commit #8530
Use separate install logs for AD and DNS instance commit #8528
Spawn PKI: Execute more steps early commit #8521
Dogtag: Remove set_audit_renewal step commit #8521
Skip offline dse.ldif patching by default commit #8521
Remove magic sleep from create_index_task commit #8521
Remove root-autobind configuration commit #8521
Verify freeipa-selinux’s ipa module is loaded commit
Check ca_wrapped in ipa-custodia-check commit #8488
Retry chronyc waitsync only once commit #8521
configure_dns_resolver: call self.restore_context commit #8518
Drop unused extended sleep feature from Sleeper commit #8521
Faster certmonger wait_for_request() commit #8521
Add helper for poll/sleep loops with timeout commit #8521
Add missing fedora_container platform members commit #8519
Add more indices commit
Use single update LDIF for indices commit #8493
Also backup DNS config drop-ins commit #8275
Ensure that resolved.conf.d is accessible commit #8275
Fix compiler warning in ipa-kdb commit
Fix compiler warnings in libotp commit
Fix compiler warning in ipa-pwd-extop commit
trust-add: Catch correct exception when chown SSSD commit #8516
Fix nsslapd-db-lock tuning of BDB backend commit #5914, #8515
Create systemd-resolved configuration on update commit
Configure systemd-resolved to use IPA’s BIND commit #8275
Use new API for auto-forwarders commit #8275
Configure NetworkManager to use systemd-resolved commit #8275
Add helpers for resolve1 and nameservers commit #8275
Make git a build requirement commit
Delay import of psutil to avoid AVC commit #8512
Add User and Group to all ipaplatform.constants commit
Use new classes for run_command and Service commit
Add user and group wrappers commit
Simplify LDAPUpdater commit
Add ldap_update() helper to service class commit
Don’t create DS SSCA and self-signed cert commit #8502
Duplicate CA CRT: ignore expected cert commit #7125
Add krbPrincipalName pres index correctly commit #8491
Only restart DS when duplicate cacrt was found commit #7125
Treat container subplatforms like main platform commit #8401
Don’t configure authselect in containers commit #8401
Convert ipa-httpd-pwdreader into Python script commit #8401
Explicitly pass keytab to ipa-join commit
Write state dir to smb.conf commit #8401
Add ipaplatform for Fedora and RHEL container commit #8401
Allow to override ipaplatform with env var commit #8401
Teach pylint how dnspython 2.x works commit #8419
Add missing SELinux rule for ipa-custodia.sock commit #8412
Make tab completion in console more useful commit
Add __signature__ to plugins commit #8388
Run test_fips in DS and PKI nightly commit
SELinux: Backport dirsrv_systemctl interface commit
RHEL 8.3 has KRB5 1.18 with KDB 8.0 commit
Terminology improvements: use block list commit
Terminology improvements: use allow list commit
Grammar: whitespace is a word commit
Terminology improvements: CA renewal commit
Use old uglifyjs on RHEL 8 commit #8300
Build ipa-selinux package on RHEL 8 commit
Prevent local account takeover commit #8326
Move ipa-epn systemd files and run RPM hooks commit #8367
Auto-generated ipa-epn files to gitignore commit
Overhaul bind upgrade process commit
More upgrade tests commit
Fix named.conf named_conf_include_re commit
Remove named_validate_dnssec update step commit
Fix named.conf update bug NAMED_DNSSEC_VALIDATION commit #8363
libotp: Replace NSS with OpenSSL HMAC commit #6857
Include named config files in backup commit
Handle DatabaseError in RPC-Server connect() commit #8352
Allow permissions with ‘self’ bindruletype commit #8348
make: serialize strip-po / strip-pot commit #8323
Remove obsolete BIND named.conf options commit #8349, #8350
Add ipa-print-pac to gitignore commit
Allow dnsrecord-add –force on clients commit #8317
Explain the effect of OPT_X_TLS_PROTOCOL_MIN commit
Check for freeipa-server-dns package early commit #7577
Hard-code in_tree=True for tests commit #8317
Fix detection logic for api.env.in_tree commit #8312
Make api.env.mode consistent commit #8313
Disable password schema update on LDAP bind commit #8315
Use httpd 2.4 syntax for access control commit
Let GH auto-notify and auto-close stale PRs commit
Fix make devcheck commit #8307
Simplify pki proxy conf commit
Make check_required_principal() case-insensitive commit #8308
Make ipaplatform a regular top-level package commit #6474, #8309
Reconfigure pycodestyle commit #8306
Manually reformat ipapython/version.py.in commit #8306
Silence W601 .has_key() is deprecated commit #8306
Fix E722 do not use bare ‘except’ commit #8306
Fix E721 do not compare types, use ‘isinstance()’ commit #8306
Fix E714 test for object identity should be ‘is not’ commit #8306
Fix E713 test for membership should be ‘not in’ commit #8306
Fix E712 comparison to True / False commit #8306
Fix E711 comparison to None commit #8306
Fix E266 too many leading ‘#’ for block comment commit #8306
Address issues found by new pylint 2.5.0 commit #8297
Require Sphinx >2.1 commit
Fix /doc/workshop subtree merge commit
Create ipasphinx package for Sphinx plugins commit
Add skip_if_platform marker commit
Define default password policy for sysaccounts commit #8276
Use api.env.container_sysaccounts commit #8276
Fix exception escape warning commit
Fix APIVersion.__getnewargs__ commit
servrole: takes_params must be a tuple commit #8290
Improve Sphinx building and linting commit
Fix various OpenDNSSEC 2.1 issues commit #8283
Use /run and /run/lock instead of /var commit #8272
po: fix LINGUAS to use whitespace separation commit #8159
SELinux: apache_manage_pid_files for F30 commit #8241
Add pytest OpenSSH transport with password commit
Add explicit syntax language to code blocks commit
Use m2r instead of recommonmark commit
Include workshop in sphinx build commit
Fix codestyle commit
Test documentation builds in Azure commit
Include design documentation commit
Introduce FreeIPA commit
Bootstrap Sphinx documentation commit
Move freeipa-selinux dependency to freeipa-common commit #6891
Integrate ipa_custodia policy commit #6891
Allow hosts to read DNS records for IP SAN commit #8098
Cleanup SELinux policy commit #6891
Integrate SELinux policy into build system commit
dnsrecord: Treat empty list arguments correctly commit #8196
Remove dependency on custodia package commit
lite-setup: configure lite-server test env commit
Add tracemalloc support to profile memory usage commit
Make assert_error compatible with Python 3.6 commit #8179
Print LDAP diagnostic messages on error commit
Fix get_trusted_domain_object_from_sid() commit #7958
Check valid before/after of external certs commit #8142
Fix service ldap_disable() commit #8143
Require idstart to be larger than UID_MAX commit #8137
Fix lite-server to work with GSS_NAME commit
Fix logic of check_client_configuration commit #8133
Optimize user-add by caching ldap2.has_upg() commit #8134
Don’t run test_smb in gating tests commit
Don’t hard-code client’s TLS versions and ciphers commit #8125
Update Apache HTTPd for RHBZ#1775146 commit #8125
Enable TLS 1.3 support on the server commit #8125
Skip paramiko tests in FIPS mode commit #8129
FIPS: server key has different name in FIPS mode commit
Remove FIPS noise from SSHd commit
Fix otptoken_sync plugin commit #7804
Add test case for OTP login commit #7804
Show group-add/remove-member-manager failures commit #8122
Test installation with (fake) userspace FIPS commit #8118
Use default ssh host key algorithms commit #8082
Add tests for member management commit
Add group membership management commit #8114
Skip commented lines after substitution commit #8111
Block camellia in krbenctypes update in FIPS commit #8111
Don’t install a preexec_fn by default commit
Don’t create log files from help scripts commit #8075
Add new env vars to pylint plugin commit #3999
Fix wrong use of identity operation commit #8057
Enable literal-comparison linter again commit #8057
Replace %{_libdir} macro in BuildRequires commit #8056
Fix ca_initialize_hsm_state commit #5608
Store HSM token and state commit #5608
Allow insecure binds for migration commit #8040
Don’t move keys when key backup is disabled commit #7677
Update comments to explain caSubsystemCert switch commit
Test external CA with DNS name constraints commit
Add PKCS#11 module name to p11helper errors commit #8015
Use nis-domainname.service on all RH platforms commit #8004

Cédric Jeanneret (3)#

Update selinux-policy minimal requirement commit
Prevents DNS Amplification Attack and allow to customize named commit #8079
Add new tip for dependencies commit

Changmin Teng (5)#

Add design document commit #8001
Modify webUI to adhere to new IPA server API commit #8001
Implement user pre-authentication control with kdcpolicy plugin commit #8001
Extend the list of supported pre-auth mechanisms in IPA server API commit #8001
Add new authentication indicators in kdc.conf.template commit #8001

Daniel Lara Souza (1)#

Translated using Weblate (Portuguese (Brazil)) commit

Dinesh Prasanth M K (1)#

Adding auto COPR builds commit

Endi Sukma Dewata (1)#

Removed hard-coded default profile subsystem class name commit

Emilio Herrera (1)#

Translated using Weblate (Spanish) commit

François Cami (93)#

ipatests: run freeipa-healthcheck on hidden replica commit #8536
ipatests: tasks: add user_del commit #8536
ipatests: kinit_as_user improvements commit #8510
ipatests: create_active_user improvements commit #8510
ipatests: add get_kdcinfo commit #8510
ipatests: add check_if_sssd_is_online commit #8510
SELinux: do not double-define node_t and pki_tomcat_cert_t commit #8513
SELinux Policy: Allow tomcat_t to read kerberos keytabs commit #8488
SELinux Policy: make interfaces for kernel modules non-optional commit #8488
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type commit #8488
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t commit #8488
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t commit #8488
SELinux Policy: let custodia_t map custodia_tmp_t commit #8488
SELinux: Add dedicated policy for ipa-pki-retrieve-key commit #8488
ipatests: enhance TestSubCAkeyReplication commit #8488
dogtaginstance.py: add –debug to pkispawn commit #8503
ipatests: check that pkispawn log is not empty commit #8503
SELinux Policy: let custodia replicate keys commit #8488
ipatests: test_epn: update error messages commit #8449
IPA-EPN: enhance input validation commit #8444
IPA-EPN: Fix SMTP connection error handling commit #8445
ipatests: test_epn: add test_EPN_connection_refused commit #8445
IPA-EPN: fix configuration file typo commit
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit
ipatests: test_epn: test_EPN_nbdays enhancements commit #8449
ipatests: tasks.py: fix ipa-epn invocation commit #8449
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd commit #8129
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: refactor commit #8129
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129
tasks: add run_ssh_cmd commit #8129
ipatests: test_sss_ssh_authorizedkeys commit #8151
ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151
ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432
ipatests: xfail TestIpaClientAutomountFileRestore’s final test commit #8189
ipatests: remove dnf workaround from test_epn.py commit #8391
ipatests: display SSSD kdcinfo in test_adtrust_install.py commit
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374
ipatests: check that EPN’s configuration file is installed. commit #8374
man pages: fix epn.conf.5 and ipa-epn.1 formatting commit
EPN: ship the configuration file. commit #8374
ipatests: increase test_caless_TestReplicaInstall timeout commit #8377
.mailmap: add fcami commit
IPA-EPN: Test suite. commit #3687
IPA-EPN: First version. commit #3687
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py commit
tasks.py: add krb5_trace to create_active_user and kinit_as_user commit
tox.ini: switch from W503 to W504 commit
IPA-EPN: Add design draft commit #3687
doc/Makefile: use sphinx-build -W by default commit
Makefile.am: add doclint to fastcheck commit
ipatests: increase test_webui_server timeout commit #8266
ipatests: increase test_ipahealthcheck timeout commit #8262
ipatests: move ipa_backup to tasks commit #8217
pr-ci templates: update test_fips timeouts commit #8247
ipa-backup: Make sure all roles are installed on the current master. commit #8217
test_backup_and_restore: add server role verification steps commit #8217
ipatests: test ipa-backup with different role configurations. commit #8217
pr-ci templates: update test_fips timeouts commit #8247
ipatests: test_replica_promotion.py: test KRA on Hidden Replica commit #8240
8-sudorule.rst: add sudo and su-l as services for bob’s HBAC rule. commit
ipa-restore: restart services at the end commit #8226
ipatests: make sure ipa-client-automount reverts sssd.conf commit #8190
ipa-client-automount: call save_domain() for each change commit #8190
ipatests: expect “Dynamic Update” and “Bind update policy” in default dnszone* output commit #7938
ipaserver/plugins/dns.py: add “Dynamic Update” and “Bind update policy” to default dnszone* output commit #7938
ipatests/test_nfs.py: wait before umount commit #8144
ipatests: fix pr-ci templates’ indentation commit
adtrust.py: mention restarting sssd when adding trust agents commit #8148
DSU: add Design for Disable Stale Users commit #8104
ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore commit #8063
ipatests: temporarily remove test_smb from gating commit
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf) commit
ipapython/ipachangeconf.py: change “is not 0” for “!= 0” commit #8057
authconfig.py: restore user-nsswitch.conf at uninstall time commit #8054
ipatests: remove xfail in TestIpaClientAutomountFileRestore commit
ipa-client-automount: always restore nsswitch.conf at uninstall time commit #8038
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time commit
travis-ci: make dnf invocations more resilient commit #8048
azure-pipelines.yml: switch to Python 3.7 commit #8030
test_nfs.py: switch to master_3repl commit #8027
ipatests: rename config_replica_resolvconf_with_master_data() commit
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data() commit #7949
prci_definitions: add master_3client topology commit #8026
ipapython/admintool.py: use SERVER_NOT_CONFIGURED commit
ipa-client-samba: remove state on uninstall commit #8021
ipatests: test ipa-client-samba after –uninstall commit
ipa-client-samba: remove and restore smb.conf only on first uninstall commit #8019
ipatests: test multiple invocations of ipa-client-samba –uninstall commit
ipatests/azure: display actual dnf repo URLs commit

Florence Blanc-Renaud (89)#

ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating commit #8496
ipatests: ipa-acme-manage status returns 3 on a CA-less server commit #8572
ipatests: IPADNSSystemRecordsCheck also checks for AAAA records commit #8573
ipatests: curl outputs the cookie in stderr and not in sdtout commit #8559
ipatests: properly handle journalctl return code commit #8541
rpmspec: ensure ipa snippet for sshd is always included commit #8535
ipatests: add tests to 389ds regression commit
test_smb: skip test_smb_service_s4u2self for fed31 commit #8505
dnsforwardzone-add: support dnspython 2.0 commit #8481
ipatests: fix bind service name commit #8482
ipatests: add missing healthcheck test in PRCI nightlies commit
ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately commit #8472
ipatests: remove xfail from test_dnssec commit
ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447
ipatests: collect IPA_RENEWAL_LOCK file commit
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck commit #8439
ipatests: check KDC cert permissions in CA less install commit #8440
CAless installation: set the perms on KDC cert file commit #8440
ipatests: increase test_trust timeout commit
ipatests: fix test_authselect commit #8189
ipatests: remove the xfail for test_nfs.py commit #8189
ipa-client-install: use the authselect backup during uninstall commit #8189
ipatests: Fix TestReplicaPromotionLevel1 commit #8414
ipatests: fix TestUnprivilegedUserPermissions commit #8413
sshd template must be part of client package commit #8400
Add test_dnssec to 389ds nightly tests commit
ipa cert-show: fix the code setting revocation reason commit #8394
Bump requires for selinux-policy commit
ipatests: fix the method adding ifp to sssd.conf commit #8371
Unify spelling of “One-Time Password” (take 2) commit #5628, #8381
client install: fix broken sshd config commit #8304
ipa-client-install: use sshd drop-in configuration commit #8304
ipatests: Update the pki-master-f32 image version commit
ipatests: add a test for ipa-replica-install –setup-ca –http-cert-file commit #8366
ipa-replica-install: –setup-ca and *-cert-file are mutually exclusive commit #8366
ipatests: fix the disable_dnssec_validation method commit #8364
ipatests: Check if user with ‘User Administrator’ role can delete group. commit #6884
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found commit #8311
Man pages: fix syntax issues commit #8273
ipatests: wait for SSSD to become online in backup/restore tests commit #8228
xmlrpc tests: add a test for idview-apply on a master commit #5662
idviews: prevent applying to a master commit #5662
opendnssec2.1 support: move all ods tasks to specific file commit #8214
DnsSecMaster migration: move the call to zonelist export later commit #8214
Support OpenDNSSEC 2.1: new ods-signer protocol commit #8214
With opendnssec 2, read the zone list from file commit #8214
Remove the from opendnssec conf commit #8214
Support opendnssec 2.1.6 commit #8214
selinux policy: add the right context for org.freeipa.server.trust-enable-agent commit #7600
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
ipatests: add test for ipa-adtrust-install –add-agents commit #7600
ipa-adtrust-install: run remote configuration for new agents commit #7600
Privilege: add a helper checking if a principal has a given privilege commit #7600
ipatests: fix TestSubCAkeyReplication commit
Part2: Don’t fully quality the FQDN in ssbrowser.html for Chrome commit #8201
ipatests: fix modify_sssd_conf() commit
ipatests: update packages for rawhide and updates-testing nightlies commit
ipatests: fix backup and restore commit #8170
AD user without override receive InternalServerError with API commit #8163
ipa-cacert-manage man page: fix indentation commit #8138
ipatests: fix TestMigrateDNSSECMaster teardown commit #7985
trust upgrade: ensure that host is member of adtrust agents commit
ipatests: fix test_crlgen_manage commit
ipatests: fix teardown commit
ipatests: generic uninstall should call ipa server-del commit #7985
Nightly definition: use right template for krbtpolicy commit #8001
test_ipalib: add test for DNParam class commit #8097
XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer commit #8097
DNParam: raise Exception when multiple values provided to a 1-val param commit #8097
smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
ipa-backup: fix python2 issue with os.mkdir commit #8099
ipa-server-certinstall manpage: add missing options commit #8086
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
ipa user_add: do not check group if UPG is disabled commit #4972
ipatests: fix fedora29 nightly definition commit
replica install: enforce –server arg commit #7566
ipatests: ensure that backup/restore restores pkcs 11 modules config file commit #8073
ipa-backup: backup the PKCS module config files setup by IPA commit #8073
ipatests: enable 389-ds audit log and collect audit file commit #8064
ipatests: add nightly definition for DS integration tests commit
config plugin: replace ‘is 0’ with ‘== 0’ commit #8057
ipatests: fix wrong xfail in test_domain_resolution_order commit #8052
Nightly test definition: add missing tests commit
xmlrpc test: add test for preserved > stage user commit #7597
user-stage: transfer all attributes from preserved to stage user commit #7597
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules commit #7902
Azure pipeline: report failure in prepare-build step commit #8022
upgrade: remove ipaCert and key from /etc/httpd/alias commit #7329

Francisco Trivino (2)#

prci: bump template version and fix test_smb gating definition commit
prci: increase gating tasks priority commit

Fraser Tweedale (141)#

mailmap: add ftweedal commit
dns: allow PTR records in arbitrary zones commit #5566
ipa_sam: do not modify static buffer holding fqdn commit #8501
spec: require pki-acme if pki-ca >= 10.10 commit
install: simplify host name verification commit
delete unused subroutine get_host_name() commit
certupdate: update config after deployment becomes CA-ful commit #7188
cainstance: extract function import_ra_key commit #7188
cainstance.update_ipa_conf: allow specifying ca_host commit #7188
acme: delete ACME RA account on server uninstall commit #4751
acme: enable mod_md tests on Fedora commit #4751
acme: add certbot dns-01 test commit #4751
acme: add certbot dns script commit #4751
acme: add revocation test commit #4751
acme: handle alternative schema ldif location commit #4751
acme: add mod_md integration test commit #4751
acme: add integration tests to gating commit #4751
acme: add integration test to nightly CI commit #4751
acme: add integration test commit #4751
acme: add ipa-acme-manage command commit #4751
acme: configure engine.conf and disable by default commit #4751
acme: configure ACME service on upgrade commit #4751
acme: add certificate profile commit #4751
acme: add Dogtag ACL to allow ACME agents to revoke certs commit #4751
acme: create ACME RA account commit #4751
dogtaginstance: add ensure_group method commit #4751
dogtaginstance: extract user creation to subroutine. commit #4751
acme: set up ACME service when configuring CA commit #4751
acme: ipa-pki-proxy: proxy /acme to Dogtag commit #4751
certupdate: only add LWCA tracking requests on CA servers commit #8399
tests: fix cleanup for CATracker commit #5011
ca plugin: improve doc commit #5011
ca-del: require CA to already be disabled commit #5011
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf commit
ra.get_certificate: use REST API commit #3473, #5011
extract virtual operation access check subroutine commit #5011, #6423
Define errors_by_code in ipalib.errors commit #5011
fix iPAddress cert issuance for >1 host/service commit #8368
fix cert-find errors in CA-less deployment commit #8369
upgrade: avoid stopping certmonger when fixing requests commit #8186
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure commit #8186
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname commit #8186
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate commit #8186
httpinstance: add ipa-ca.$DOMAIN alias in initial request commit #8186
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers commit #8186
httpinstance: add fqdn and ipa-ca alias to Certmonger request commit #8186
certmonger: support dnsname as request search criterion commit #8186
certmonger: move ‘criteria’ description to module docstring commit #8186
certmonger: avoid mutable default argument commit #8186
add resources section commit
typospotting commit
suggest `ipa help topics` commit
lots of minor tweaks and updates commit
rename certificates module commit
Vagrantfile: set DNS configuration in network-scripts commit
add more prerequisites and fix some links commit
add inter-module links commit
split workshop into separate files commit
add sudorule and selinux units to TOC commit
add selinuxusermap unit commit
add sudorule unit commit
minor editoral improvements commit
Change workshop “Modules” to “Units” commit
prep: updates for f24, box version 0.0.7 commit
certs: request SAN DNS name commit
updates for FreeIPA 4.3 commit
typospotting commit
add facilitator notes; remove feedback link commit
building: note disk and memory requirements commit
bump libvirt vm mem to 1G; other fixes commit
update feedback url commit
update clone url commit
add internal links to modules commit
symlink README to workshop.rst commit
add replica installation module commit
update to f23 commit
add vagrant box building instructions commit
workshop: remove references to freeipa-workshop-vagrantfile repo commit
enable and start httpd on client commit
typospotting commit
initial commit commit
remove proposal commit
add copyright notice commit
freeipa-workshop: fix mod_authnz_pam link commit
merge (most of) zdover’s edits commit
20151029-osdc-freeipa-workshop: add app.py commit
osdc-freeipa-workshop: add certificate management module commit
osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details commit
osdc-freeipa-workshop: add debian/ubuntu prep instructions commit
osdc-freeipa-workshop: support vagrant-libvirt on Fedora commit
osdc-freeipa-workshop: presentation, minor curriculum edits commit
osdc-freeipa-workshop: typospotting commit
osdc-freeipa-workshop: remove definition list of VMs commit
osdc-freeipa-workshop: add missing dnf install vagrant commit
osdc-freeipa-workshop: clarify prep goals and VirtualBox version commit
osdc-freeipa-workshop: update troubleshooting doc commit
osdc-freeipa-workshop: incorporate wibrown's feedback commit
osdc-freeipa-workshop: update f22 installation steps commit
osdc-freeipa-workshop: add Windows prep details commit
osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview commit
osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes commit
osdc-freeipa-workshop: selinux and other minor fixes commit
osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections commit
osdc-freeipa-workshop: add mod_auth_gssapi section commit
sudo make me a sandwich commit
osdc-freeipa-workshop: add rpmfusion instructions commit
osdc-freeipa-workshop: external authnz module (WIP); minor fixes commit
osdc-freeipa-workshop: add initial workshop modules commit
fix osdc2015 and lca2016 dates commit
Do not renew externally-signed CA as self-signed commit #8176
ipatests: add test for certinstall with notBefore in the future commit #8142
Fix test regressions caused by certificate validation changes commit #8142
ipatests: assert_error: allow regexp match commit #8142
removed unused function export_pem_p12 commit
test_integration: add tests for custom CA subject DN commit #8084
upgrade: fix ipakra people entry ‘description’ attribute commit #8084
krainstance: set correct issuer DN in uid=ipakra entry commit #8084
Bump Dogtag min version to 10.7.3 commit #8020
ipa-pki-retrieve-key: request AES encryption (with fallback) commit #8020
NSSWrappedCertDB: accept optional symmetric algorithm commit #8020
IPASecStore: support extra key arguments commit #8020
dsinstance: add proflie when tracking certificate commit #7991
ipatests: test ipa-server-upgrade in CA-less deployment commit #7991
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants commit #7991
cainstance: add profile to IPA RA tracking request commit #7991
upgrade: fix spurious certmonger re-tracking commit #7991
upgrade: log missing/misconfigured tracking requests commit #7991
upgrade: update KRA tracking requests commit #7991
upgrade: always add profile to tracking requests commit #7991
dogtaginstance: avoid special cases for Server-Cert commit #7991
dogtag-ipa-ca-renew-agent: always use profile-based renewal commit #7991
certmonger: use long options when invoking dogtag-ipa-renew-agent commit #7991
upgrade: add profile to Dogtag tracking requests commit #7991
dogtaginstance: add profile to tracking requests commit #7991
ci: add –external-ca-profile tests to gating commit #7548
ci: add –external-ca-profile tests to nightly commit #7548
Collapse –external-ca-profile tests into single class commit #7548
Add more tests for –external-ca-profile handling commit #7548
Fix use of incorrect variable commit #5608, #7548
install: fix –external-ca-profile option commit #5608, #7548
move MSCSTemplate classes to ipalib commit #7548

Gaurav Talreja (3)#

Normalize title of test external_ca in prci-definition commit
Normalize test definations titles commit
prci: bump template version for nightly_rawhide commit

Isaac Boukris (2)#

Fix legacy S4U2Proxy in DAL v8 support commit
Fix DAL v8 support commit

Jeremy Frasier (2)#

replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas commit #8403
replica: Ensure the ipaapi user is allowed to access ifp on replicas commit #8403

Jayesh Garg (4)#

Nightly definations commit commit
Test for ipa-ca-install on replica commit
Test ipa-getkeytab quiet mode, encryptons commit
Test if ipactl starts services stopped by systemctl commit

Julian Gethmann (1)#

Fix typo in idrange.py docstring commit

Kaleemullah Siddiqui (4)#

Tests for fake_mname parameter setup commit
Test for check of HostKeyAlgorithms option in ssh_config commit #8082
Fix for regression from PR#3962 commit
Tests for backup-restore when pkg required is missing commit #7630

Christian Hermann (1)#

configure.ac: don’t rely on bashisms commit

Miro Hrončok (1)#

Fix a syntax typo commit

MIZUTA Takeshi (1)#

Add config that maintains existing content to ipa-client-install manpage commit

Michal Polovka (7)#

ipatests: test_epn: test_EPN_config_file: Package name fix commit
ipatests: test_epn: Fix package installation commit
Test for healthcheck being run on replica with stopped master commit
Test for output being indented by default value if not stated implicitly. commit
ipatests: add tests for ipa host-add with non-default maxhostnamelength commit #2018
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions commit #6843, #8055
ipatests: Test for ipa-backup with ipa not configured commit #6843

Mark Reynolds (4)#

Reorder creation of the CA mapping tree and database backend commit #8558
Increase replication changelog trimming to 30 days commit #8464
Issue 8456 - Add new aci’s for the new replication changelog entries commit #8456
Issue 8407 - Support changelog integration into main database commit #8407

Mohammad Rizwan (28)#

Move acme client installation part to classmethod commit
PEP8 fixes for test_acme.py commit
External-CA scenarios for ACME service commit #4751
ipatests: Check if ACME is enabled on all CA servers commit #8524
PEP8 fixes commit
ipatests: add –skip-overlap-check option to prepare_reverse_zone() commit
ipatests: Add PTR record for IP SAN commit
ipatests: Test certmonger rekey command works fine commit
Xfail test for sssd < 2.3.0 commit
ipatests: Test ipa user login with wrong password commit
WebUI tests: fix PEP8 issues in test_webui/test_user.py commit
webui: check if notification area doesn’t intercept menu button commit #8120
ipatests: Test deletion of required principal throws proper error commit #7695
Display principal name while del required principal commit #7695
ipatests: Test to check password leak in apache error log commit #8017
ipatests:Test if proper error thrown when AD user tries to run IPA commands commit #8163
ipatests: Skip test using paramiko when FIPS is enabled commit
Test if schema-compat-entry-attribute is set commit #8193
Test if schema-compat-entry-attribute is set commit #8193
Test if getcert creates cacert file with -F option commit #8105
Move wait_for_request() method to tasks.py commit
Test if server installer lock Bind9 recursion commit #8079
Add certmonger wait_for_request that uses run_command commit
Test if certmonger reads the token in HSM commit
Test AES SHA 256 and 384 Kerberos enctypes enabled commit #8110
Add test to nightly yamls commit
Installation of replica against a specific server commit #7566
Check file ownership and permission for dirsrv log instance commit #7725

ndehadra (1)#

Hidden Replica: Add a test for Automatic CRL configuration commit #7307

Weblate (4)#

Update translation files commit
Update translation files commit
Update translation files commit
Update translation files commit

Oğuz Ersen (2)#

Translated using Weblate (Turkish) commit
Translated using Weblate (Turkish) commit

Spencer E. Olson (1)#

Fixes debian path for IPA_CUSTODIA_HANDLER commit

Piotr Drąg (1)#

Translated using Weblate (Polish) commit

Petr Voborník (2)#

baseuser: fix ipanthomedirectorydrive option name commit
webui: hide user attributes for SMB services section if empty commit #8336

Rafael Fontenelle (1)#

Translated using Weblate (Portuguese (Brazil)) commit

Rob Crittenden (116)#

ipatests: Test that password reset unlocks users too commit #8551
On password reset also set krbLastAdminUnlock to unlock account commit #8551
Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test commit #2445, #298, #5948, #6964
Catch EmptyResult exception in update_idranges commit #8555
Test that ipapwpolicy objectclass is added on upgrade commit #8555
Add ipwpwdpolicy objectclass to all policies on upgrade commit #8555
ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled commit #8498
Change the return codes of ipa-acme-manage commit #8498
Require an ipa-ca SAN on 3rd party certs if ACME is enabled commit #8498
ipatests: Collect the let’s encrypt log commit #8524
Add a status option to ipa-acme-manage commit #8524
Don’t install ACME if full support is not available commit #8524
Centralize enable/disable of the ACME service commit #8524
Let dogtag.py be imported if the api is not initialized commit #8524
Enable importing LDIF files not shipped by IPA commit #8524
Use a state to determine if a 389-ds upgrade is in progress commit #7534
ipatests: Add test_pwpolicy to nightly runs commit #2445, #298, #5948, #6964
Requirements and design for libpwquality integration commit #2445, #298, #5948, #6964
Add SELinux policy so kadmind can read the crackdb dictionary commit #2445, #298, #5948, #6964
ipatests: add test for password policies commit #2445, #298, #5948, #6964
Add a raiseonerr option to ldappasswd_user_change commit #2445, #298, #5948, #6964
Pass the user to the password policy check in the kdb driver commit #2445, #298, #5948, #6964
Add a unit test for libpwquality-based password policy commit #2445, #298, #5948, #6964
Extend password policy to evaluate passwords using libpwpolicy commit #2445, #298, #5948, #6964
Require libpwolicy and configure it in the build system commit #2445, #298, #5948, #6964
Add new pwpolicy objectclass to test_xmprpc/objectclasses.py commit #2445, #298, #5948, #6964
Extend IPA pwquality plugin to include libpwquality support commit #2445, #298, #5948, #6964
Add LDAP schema for new libpwquality attributes commit #2445, #298, #5948, #6964
Don’t restart certmonger after stopping tracking in uninstall commit #8533
Reduce the memory requirement from 1.6 to 1.2 GB commit #8404
Test that ccaches are cleaned up during installation commit #8248
Clean up entire /run/ipa/ccaches directory not just files commit #8248
Require a matching server package for the selinux subpackage commit #8511
Add index for more trust-related attributes commit #8491
ipatests: Add tests for checking available memory commit #8404
Require at least 1.6Gb of available RAM to install the server commit #8404
ipatests: Add test for ACI attribute and permission uniqueness commit #8443
Use ACI class set_permissions() method to set permissions commit #8443
De-duplicate ACI attributes and permissions commit #8443
ipatests: test that a zone name and name-from-ip will be rejected commit #8446
Don’t allow both a zone name and –name-from-ip to be provided commit #8446
Set the certmonger subject with a string, not an object commit #8204
ipatests: test ipa_server_certinstall with an IPA-issued cert commit #8204
cli: When parsing options require name/value pairs commit #6115
ipatests: Add option/arg parsing tests for the cli commit #6115
ipatests: stop the CA during healthcheck expiration test commit #8463
Improve performance of ipa-server-guard commit #8425
ipatests: Add test for is_ipa_configured commit #8458
Use is_ipa_configured from ipalib.facts commit #8458
Fall back to old server installation detection when needed commit #8458
IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit
Added negative test case for –list-sources option commit
ipatests: CLI validation of ipa-healthcheck command commit
IPA-EPN: Test that users without givenname and/or mail are handled commit
Address legacy pylint issues in sysrestore.py commit #8384
Update check_client_configuration to use new client fact commit #8384
Don’t use the has_files() to know if client/server is configured commit #8384
Create a common place to retrieve facts about an IPA installation commit #8384
Simplify determining if IPA client configuration is complete commit #8384
Simplify determining if an IPA server installation is complete commit #8384
ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441
ipatests: Test healthcheck revocation checker commit
ipatests: Use healthcheck namespacing in stopped server test commit
ipatests: lib389 is now providing healthchecks, update naming commit
ipatests: verify that all services can be detected by healthcheck commit
ipatests: Add healthcheck test for FileSystemSpaceCheck commit
ipatests: Test that healthcheck detects and reports expiration commit
ipatests: Test cases for healthcheck File checker(s) commit
Replace SSLCertVerificationError with CertificateError for py36 commit
Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429
Don’t delegate the TGT in ipa-join commit #8405
IPA-EPN: Don’t treat givenname differently commit #3687
IPA-EPN: add test to validate smtp_delay value commit #3687
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent commit #3687
IPA-EPN: Add tests for –mail-test option commit #3687
IPA-EPN: Add mail-test option for testing sending live email commit #3687
IPA-EPN: test using SSL against port 465 commit #3687
IPA-EPN: Add test for starttls mode commit #3687
IPA-EPN: Add tests for sending real mail with auth and templates commit #3687
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions commit #3687
Add index for krbPasswordExpiration for EPN commit #3687
Add a jinja2 e-mail template for EPN commit #3687
Perform baseline healthcheck commit
Test that pwpolicy only applied on Kerberos entries commit
Add ability to change a user password as the Directory Manager commit
Don’t save password history on non-Kerberos accounts commit
Test that ipa-healthcheck human output translates error strings commit
Move execution of ipa-healthcheck to a separate function commit
Fix div-by-zero when svc weight is 0 for all masters in location commit #8135
Don’t fully quality the FQDN in ssbrowser.html for Chrome commit #8201
Add tests for ipa-cacert-manage delete command commit #8124
ipa-certupdate removes all CA certs from db before adding new ones commit #8124
Add delete option to ipa-cacert-manage to remove CA certificates commit #8124
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit
Add integration test for Kerberos ticket policy commit #8001
Conditionally restart certmonger after client installation commit #8105
Add conditional restart (try-restart) capability to services commit #8105
Enable AES SHA 256 and 384-bit enctypes in Kerberos commit #8110
Disable dogtag cert publishing commit #7522
ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
Report if a certmonger CA is missing commit #7870
Re-order tasks.restore_pkcs11_modules() to run earlier commit #8034
Don’t log host passwords when they are set/modified commit #8017
Skip lock and fork in ipa-server-guard on unsupported ops commit
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit commit
Add missing timeout option to logging statement commit
Log dogtag auth timeout in install, provide hint to increase it commit #7971
Log the replication wait timeout for debugging purposes commit #7971
Replace replication_wait_timeout with certmonger_wait_timeout commit #7971
Use tasks to configure automount nsswitch settings commit
Move ipachangeconf from ipaclient.install to ipapython commit
Don’t return SSH keys with ipa host-find –pkey-only commit #8029
httpinstance: add pinfile when tracking certificate commit #7991
Remove posixAccount from service_find search filter commit #8013

Robbie Harwood (16)#

Drop upper bound on krb5 version in freeipa.spec commit
ipa-kdb: implement AS-REQ lifetime jitter commit #8010
Update kdcpolicy design doc for jitter implementation commit
Drop support for DAL version 5.0 commit
Support DAL version 8.0 commit
Handle the removal of KRB5_KDB_FLAG_ALIAS_OK commit
Fix several leaks in ipadb_find_principal commit
Use separate variable for client fetch in kdcpolicy commit
Make the coding style explicit commit
Provide modern example enctypes in ipa-getkeytab(1) commit
Fix segfault in ipadb_parse_ldap_entry() commit
Add a skeleton kdcpolicy plugin commit
Move certauth configuration into a server krb5.conf template commit
Enable krb5 snippet updates on client update commit
Fix NULL pointer dereference in maybe_require_preauth() commit
Log INFO message when LDAP connection fails on startup commit

Rafael Guterres Jeffman (1)#

Fixes pylint errors introduced by version 2.4.0. commit

Rafael Guterres Jeffman (6)#

Removed unnecessary imports after code review. commit
Removes several pylint warnings. commit
Removed unnecessary imports after code review. commit
Removes several pylint warnings. commit
Removes rpmlint warning on freeipa.spec. commit
Re-add function façades removed by commit 2da9088. commit #8062

Robert Collins (1)#

Note sss_cache -E. commit

Sam Bristow (1)#

Workaround networking issues with Libvirt commit

Sam Morris (1)#

Debian: write out only one CA certificate per file commit #8106

Sumit Bose (2)#

ipa-kdb: Remove keys if password auth is disabled commit #8001
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT commit #8044

Sergio Oliveira Campos (1)#

Add test for sssd ad trust lookup with dn in certmaprule commit

Stanislav Levin (91)#

ipatests: Collect EPN log for debugging commit
EPN: Allow authentication by SMTP client’s certificate commit #8580
EPN: Enable certificate validation and hostname checking commit #8579
test_epn: Standardize EPN configs for deduplication commit
EPN: Don’t downgrade security commit #8578
ipatests: Respect platform’s openssl dir commit
dns: Make use of `resolve_address` of a current resolver instead of the global one commit
dnspython: Add compatibility shim commit #8383
tox: Don’t expand symlinks commit #8475
Azure: Increase verbosity for Tox task commit
deps: Require `nss-tools` for make’s fasttest target commit
nss: Raise exception earlier on unsupported DB type commit #8474
Azure: base: Collect both install and uninstall logs commit
Azure: Drop dependency on UsePythonVersion task commit
Azure: Add Rawhide definitions commit
ipa-dnskeysyncd: Raise loglevel to DEBUG commit #8094
named: Include crypto policy in openssl config commit #8094
named: Don’t override custom command line options for named commit #8094
service: Allow service to clean up its state commit #8094
spec: Bump required openssl-pkcs11 and softhsm commit #8094
named: Make use of ‘pkcs11’ OpenSSL engine for BIND on Fedora31 commit #8094
upgrade: Handle migration of BIND OpenSSL engine commit #8094
DNSKeySyncInstance: Populate named/ods uid/gid on instantiation commit #8094
named: Allow using of a custom OpenSSL engine for BIND commit #8094
named: Remove no longer used paths commit #8094
spec: Require ldns-utils commit #8094
pylint: Ignore `raise-missing-from` commit #8468
pylint: Ignore `super-with-arguments` commit #8468
pylint: Fix warning W0612(unused-variable) commit #8468
pylint: Teach pylint about more RRs types commit #8468
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit
uninstall: Clean up no longer used flag commit #8461
uninstall: Don’t fail on missing /var/lib/samba commit #8461
rpm-spec: Don’t fail on missing /etc/ssh/ssh_config commit #8459
ipatests: Skip keyring tests on containerized platforms commit
Azure: Switch to dockerhub provider commit
ipatests: Add compatibility against python-cryptography 3.0 commit #8428
pylint: Fix warning and error commit #8442
ipatests: Don’t turn Pytest IPA deprecation warnings into errors commit #8435
Azure: Make dnf repos consistent commit #8330
Azure: Always update apt cache commit
Azure: Allow chronyd to sync time commit #8316
Azure: Add custom seccomp profile commit #8316
Azure: Increase memory limit commit #8264
ipatests: Collect all logs on all Unix hosts commit #8265
ipatests: Pretty print multihost config commit #8265
ipatests: Cleanup ‘collect_logs’ decorator commit #8265
ipatests: Specify shell implementation commit #8101
ipatests: Specify Pytest XML report schema commit #8101
ipatests: Remove no longer needed ‘skip’ compatibility commit #8101
ipatests: Remove no longer needed ‘capture’ compatibility commit #8101
ipatests: Remove no longer needed ‘get_marker’ commit #8101
ipatests: Remove deprecated yield_fixture commit #8101
ipatests: Bump required Pytest commit #8101
ipatests: Mark firewalld commands as no-op on non-firewalld distros commit #8261
Azure: Gather coredumps commit #8251
Azure: Allow distros to install Python they want commit #8254
pki-proxy: Don’t rely on running apache until it’s configured commit #8233
spec: Take the ownership over ‘/usr/libexec/ipa/custodia’ commit
Azure: Report elapsed time commit
Azure: Rebalance tests commit
Azure: Skip tests requiring external DNS commit
Azure: Free Docker resources after usage commit
Azure: Preliminary check for provided limits commit
Azure: Sync Gating definitions to current PR-CI commit
pylint: Run Pylint over Azure Python scripts commit #8202
Azure: Add support for testing multi IPA environments commit #8202
Azure: Don’t collect twice systemd_journal.log commit #8202
yamllint: Lint all the YAML files commit #8202
Azure: Make it possible to configure distro-specific stuff commit #8202
Azure: Allow to run integration tests commit #8202
Azure: Allow SSH for Docker environments commit #8202
Azure: Allow to not provide tests to be ignored commit #8202
ipatests: Allow zero-length arguments commit #8173
lint: Make Pylint-2.4 happy again commit #8116
pylint: Clean up comment commit #8116
pylint: Synchronize pylint plugin to ipatests code commit #8116
pylint: Teach Pylint how to handle request.context commit #8116
ipatests: Properly kill gpg-agent commit #7989
pytest: Warn about unittest/nose/xunit tests commit #7989
pytest: Migrate unittest/nose to Pytest fixtures commit #7989
pytest: Migrate xunit-style setups to Pytest fixtures commit #7989
Fix errors found by Pylint-2.4.3 commit #8102
Install language packs for tests commit
Restore running of ‘test_ipaserver’ tests on Azure commit
Setup DNS for AP Docker container commit #8077
Fixed errors newly exposed by pylint 2.4.0 commit #8077
Avoid use of ‘/tmp’ for pip operations commit #8009
Make use of Azure Pipeline slicing commit #8008
Simplify ipa-run-tests script commit #8007
Fix `test_webui.test_selinuxusermap` commit #7996, #8005

Sergey Orlov (45)#

ipatests: simplify fixture commit
ipatests: refactor test for login using cifs alias principal commit
Fix password file permission commit
ipatests: mark test_trustdomain_disable test as expectedly failing commit
ipatests: add context manager for declaring part of test as xfail commit
ipatests: add utility for getting sssd version on remote host commit
update prci definitions for test_sssd.py commit
ipatests: add test for sssd behavior with disabled trustdomains commit
ipatests: add missing classes from test_nfs in nightly_previous run commit
ipatests: add missing classes from test_installation in nightly runs commit
ipatests: run test_integration/test_cert.py in PR-CI commit
ipatests: run all cases from test_integration/test_idviews.py in nightlies commit
ipatests: explicitly save output of certutil commit
ipatests: add AD DC as a DNS forwarder before establishing trust commit
ipatests: add test_automember to “previous” nightly run commit
ipatests: add test_fips to testing-fedora nightly run commit
ipatests: provide AD admin password when trying to establish trust commit #7895
ipatests: remove test_ordering commit
ipatests: add test for SSSD updating expired cache items commit
ipatests: provide docstrings instead of imporperly placed comments commit
ipatests: remove invalid parameter from sssd.conf commit #8219
ipatests: use remote_sssd_config to modify sssd.conf commit #8219
ipatests: replace utility for editing sssd.conf commit #8219
ipatests: update docstring to reflect changes in FileBackup.restore() commit
ipatests: add test_trust suite to nightly runs commit
ipatests: add check for output contents of ipa-client-samba commit #8149
ipatests: add test_winsyncmigrate suite to nightly runs commit
ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
ipatests: enable test_smb.py in gating.yaml commit
ipatests: replace ad hoc backup with FileBackup helper commit #8115
ipatests: refactor FileBackup helper commit #8115
ipatests: in DNS zone file add A record for name server commit
ipatests: strip newline character when getting name of temp file commit
ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit
ipatests: add tests for cached_auth_timeout in sssd.conf commit
ipatests: refactoring: use library function to check if selinux is enabled commit
ipatests: add new utilities for file management commit
ipatests: refactor and extend tests for IPA-Samba integration commit #3999
ipatests: modify run_command to allow specify successful return codes commit
ipatests: add utility functions related to using and managing user accounts commit
ipatests: allow to pass additional options for clients installation commit
ipatests: new test for trust with partially unreachable AD topology commit
ipatests: mark test_domain_resolution_order as expectedly failing commit
ipatests: add test for sudo with runAsUser and domain resolution order. commit

Sumedh Sidhaye (6)#

test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run commit
Test for removing a subgroup commit
Test to check if Certmonger tracks certs in between reboots/interruptions and while in “CA_WORKING” state commit #8164
Added a test to check if ipa host-find –pkey-only does not return SSH public key commit #8029
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf commit
Test: To check ipa replica-manage del does not fail commit #7929

Simo Sorce (1)#

Make sure to have storage space for tag commit

Stasiek Michalski (1)#

Support for SUSE/openSUSE ipaplatform commit

Serhii Tsymbaliuk (28)#

WebUI tests: Add simple test to check topology graph page is available commit #8523
WebUI: Fix topology graph navigation crash commit #8523
WebUI: Fix jQuery DOM manipulation issues commit #8507
WebUI tests: Add test case to cover user ID override feature commit #8416
WebUI: Fix error “unknown command ‘idoverrideuser_add_member’” commit #8416
WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137
WebUI: Fix issue with opening links in new tab/window commit #7137
WebUI: Fix “IPA Error 3007: RequirmentError” while adding idoverrideuser association commit #8335
WebUI: Apply jQuery patch to fix htmlPrefilter issue commit #8325
WebUI tests: Test all available fields on “Kerberos Ticket Policy” page commit #8207
WebUI: Add authentication indicator specific fields to “Kerberos Ticket Policy” page commit #8207
WebUI tests: Add confirmation step after changing default group in automember tests commit #8322
WebUI: Add confirmation dialog for changing default user/host group commit #8322
WebUI tests: cover membership management with UI tests commit #8298
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1 commit #8284
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2 commit #8222
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239
WebUI tests: Fix broken reference to parent facet in table record check commit #8157
WebUI tests: Fix ‘Button is not displayed’ exception commit #8169
WebUI: Fix notification area layout commit #8120
WebUI: Fix adding member manager for groups and host groups commit #8123
WebUI: Fix new test initialization on “HBAC Test” page commit #8031
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages commit #7961
WebUI: Make ‘Unlock’ option is available only on locked user page commit #5062
WebUI tests: Fix login screen loading issue commit #8053
WebUI tests: Fix request timeout for test_trust commit #8024
WebUI: Add PKINIT status field to ‘Configuration’ page commit #7305
WebUI tests: Fix timeout issues for reset password tests commit #8012

Sudhir Menon (32)#

Added nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table commit
ipatests: ipa-healthcheck tests for DS checks commit
ipatests: Fix for test_ipahealthcheck_ds_riplugincheck commit #8563
ipatests: Fix for test_ipahealthcheck_ds_encryption commit #8560
ipatests: ipa-healthcheck test for DS RIPluginCheck commit
ipatests: ipa-healthcheck test for EncryptionCheck commit
ipatests: ipa-healthcheck test for DS BackendsCheck commit
ipatests: ipa-healthcheck fixes for tests running on RHEL commit
ipatests: ipa-healthcheck test fixes running on RHEL commit
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust commit
Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests commit
ipatests: Tests for ipahealthcheck tool with IPA external commit
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit
ipatests: Test for ipa-nis-manage CLI tool. commit
ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit
ipatests: Tests to check profile is displayed for getcert request. commit
Modified YAML to include healthcheck AD tests commit
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files commit
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck commit
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck commit
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 commit #8066
ipatests: Test for ipahealthcheck tool for IPADomainCheck. commit
ipatests: Test for ipahealthcheck.ds.ruv check commit
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup commit
ipatests: Added testcase to check logrotate is added for healthcheck tool commit
ipatests: check that ipa-healthcheck warns if no dna range is set commit
Adding back temp config definition removed commit
Nightly definition for ipa-healthcheck tool commit
Tier-1 test for ipa-healthcheck tool commit
Added testcase to check capitalization fix while running ipa user-mod commit #5879

Tibor Dudlák (5)#

Add container environment check to replicainstall commit #6210
Increase ntp_options test timeout commit
ipatests: refactor TestNTPoptions commit
ipatests: Add tests for interactive chronyd config commit #7908
ipatests: Update test tasks for client to be interactive commit #7908

Tomas Halman (4)#

extdom: add extdom protocol documentation commit
extdom: use sss_nss_*_timeout calls commit
extdom: plugin doesn’t use timeout in blocking call commit
extdom: plugin doesn’t allow @ in group name commit

Timo Aaltonen (6)#

ipatests/test_installation: Use knownservices to map the service name. commit
ipatests/test_commands: Check sssd version like on test_sssd commit
Debian: Use parse_ipa_version from redhat. commit
Debian: Use enable/disable_ldap_automount() from base commit
Debian: Fix font-awesome path. commit
install: Add missing scripts to app_DATA. commit

Thorsten Scherf (5)#

Corrected some typos and added improvements to some setup instructions commit
Module added about ssh pubkey management commit
Added bash-completion rpm to build instructions. commit
Added –mkhomedir option for server and replica. commit
Added vagrant-libvirt-doc rpm and polkit rule commit

Theodor van Nahl (1)#

Fix UnboundLocalError in ipa-replica-manage on errors commit

Thomas Woerner (4)#

ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels commit
DNS install check: Fix overlapping DNS zone from the master itself commit #8150
Enable TestInstallMasterDNSRepeatedly in prci_definitions commit
Test repeated installation of the primary with DNS enabled and domain set commit

Viktor Ashirov (1)#

Update ACIs with the correct syntax commit #8301

Vit Mojzis (4)#

selinux: disable ipa_custodia when installing custom policy commit #6891
selinux: Remove obsolete memcached access commit
selinux: move BUILD_SELINUX_POLICY definition commit
Add freeipa-selinux subpackage commit

Yuri Chornoivan (2)#

Translated using Weblate (Ukrainian) commit
Translated using Weblate (Ukrainian) commit

zdover (5)#

100 percent complete edit commit
sixty percent edited commit
thirty percent edited commit
first tranche of edits commit
making a list’s items agree with one another commit

Zdenek Pytela (2)#

Add ipa_pki_retrieve_key_exec() interface commit #8488
Allow ipa-adtrust-install restart sssd and dirsrv services commit

Highlights in 4.9.0 release candidate 1

Contents