FreeIPA 4.13.0
The FreeIPA team would like to announce the FreeIPA 4.13.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.13.0
Introducing the Modern WebUI (Beta)
This FreeIPA release includes the first beta version of the new modern WebUI.
This interface has been rebuilt to provide a more intuitive design, improved workflows, and a responsive layout.
As a beta, this UI is not feature-complete and may contain bugs. The current WebUI is still available for those who prefer the classical view and can be used alongside the new beta interface.
A link to access the new modern Web UI is added to the login page of the current web interface.
Feedback is essential for stabilizing this new interface. The modern WebUI is developed in its own repository: freeipa/freeipa-webui. Please report all UI-specific issues or suggestions directly to that project’s issue tracker: freeipa/freeipa-webui#issues.
9605: Add support for DoT/DoH for Zero-Trust
You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.
Administrators can enable DoT during the installation by using the --dns-over-tls option.
The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:
--dot-forwarder to specify an upstream DoT-enabled DNS server.
--dns-over-tls-key and --dns-over-tls-cert to configure DoT certificates.
--dns-policy to set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.
More details are available at: https://freeipa.readthedocs.io/en/ipa-4-12/designs/edns.html
9842 Add support for LDAP system accounts
FreeIPA now introduces support for LDAP-based system accounts through a dedicated sysaccount plugin. Administrators can fully manage these accounts using a complete set of CLI commands: add, delete, modify, find, show, enable, and disable, making automation and service integration more consistent and reliable.
We’ve also enhanced role handling and passsync management across the platform. Roles and baseldap plugins now support system account membership, allowing system accounts to be assigned permissions just like users or hosts.
9612 [RFE]: add a tool to quickly detect and fix issues with IPA ID ranges
With this update, FreeIPA provides the ipa-idrange-fix tool. You can use the ipa-idrange-fix tool to analyze existing IdM ID ranges, identify users and groups outside these ranges, and propose new ipa-local ranges to include them.
For more information, see the ipa-idrange-fix(1) man page.
9652: IPA requires unique CA certificate subject names
IPA actively prevented duplicate subjects. This requirement was relaxed with the following limitations:
1) the certificates cannot be added with different trust flags
2) the nickname of the CAs must be the same
3) an Authority Key Identifier extension should be included in any CA, otherwise the chain of trust will not behave as expected
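A pre-flight check for the three limitations above, as an added example that is not part of the FreeIPA release notes or code base. It assumes each CA is available as a (nickname, trust flags, certificate) tuple, for instance collected from an NSS database listing, and uses the python cryptography package; the function names, nicknames, trust flag strings and certificates are constructed for illustration.

```python
import datetime
from collections import defaultdict

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_ca(common_name, with_aki):
    """Build a constructed, self-signed CA certificate (sample input only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if with_aki:
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def has_aki(cert):
    """True when the certificate carries an Authority Key Identifier extension."""
    try:
        cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        return True
    except x509.ExtensionNotFound:
        return False


def check_duplicate_subjects(entries):
    """Check CAs that share a subject against the three limitations.

    entries: iterable of (nickname, trust_flags, x509.Certificate).
    Returns a list of (subject, reason) tuples; an empty list means no problem.
    Only groups of two or more CAs with the same subject are examined.
    """
    by_subject = defaultdict(list)
    for nickname, flags, cert in entries:
        by_subject[cert.subject.rfc4514_string()].append((nickname, flags, cert))

    problems = []
    for subject, group in by_subject.items():
        if len(group) < 2:
            continue  # unique subject: the relaxed rule does not come into play
        # 1) same-subject certificates cannot carry different trust flags
        if len({flags for _, flags, _ in group}) > 1:
            problems.append((subject, "different trust flags"))
        # 2) same-subject CAs must share one nickname
        if len({nick for nick, _, _ in group}) > 1:
            problems.append((subject, "different nicknames"))
        # 3) each of them should include an Authority Key Identifier
        for _, _, cert in group:
            if not has_aki(cert):
                problems.append((subject, "missing Authority Key Identifier"))
    return problems


if __name__ == "__main__":
    # Constructed inventory: two CAs with the same subject but different keys.
    old_ca = make_ca("Example CA", with_aki=True)
    new_ca = make_ca("Example CA", with_aki=False)
    inventory = [
        ("ExampleCA", "CT,C,C", old_ca),
        ("ExampleCA-2", "C,,", new_ca),
    ]
    for subject, reason in check_duplicate_subjects(inventory):
        print(f"{subject}: {reason}")
```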
9661 Change the default CA serial number algorithm to random serial numbers
With this update, automated removal of expired certificates is now enabled by default in FreeIPA on new replicas. A prerequisite for this is the generation of random serial numbers for certificates using RSNv3, which is now also enabled by default.
As a result, certificates are now created with random serial numbers and are removed automatically when expired, after a default retention period of 30 days after expiry.
9780: [RFE] ipa-client-automount should have an option to include domain of the machine.
9363: Set compat tree and NIS configuration disabled by default when deploying FreeIPA.
9757 Support full 32-bit ID range space
9744 [RFE] Allow ipa tool to force running on specific server
The ipa tool now supports the --force-server option. When this option is specified, for instance like in "ipa --force-server user-find", the CLI connects to the specified server instead of using the server configured in /etc/ipa/ca.crt or the server found in DNS SRV records. If the server does not reply, there is no fallback mechanism.
9835 RFE: Add support for libpwquality credit counting
9852 Add support for Samba 4.23
Automated FAST Armor
Enhancements
#9674 Handle PKI 11.6.0 uninstallation
#9675 Support GSSAPI in Cockpit on IPA servers
#9757 Support full 32-bit ID range space
Bug fixes
FreeIPA 4.13.0 is a stabilization release for the features delivered as a part of the 4.13 version series.
There are more than 170 bug-fixes since the FreeIPA 4.12.5 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.
Resolved tickets
#8924 ipa-client-install fails to install on Ubuntu 20.04 LTS due to incorrect cert name
#9002 Nightly failure in test_fips.py::TestInstallFIPS::test_basic::setup
#9135 Nightly test failure (f37+): reverse zone not created
#9202 Generated QR codes not being read by Android authentication apps
#9363 Set compat tree and NIS configuration disabled by default when deploying FreeIPA
#9365 Covscan issues: usage of free() instead of krb5_free_enctypes()
#9367 Covscan issues: Resource Leak
#9370 kdb: support storing and retrieving multiple master keys
#9387 FreeIPA OTP Allows Users with Expired Tokens to Authenticate
#9450 Find and replace del os.environ['foo'] with os.environ.pop('foo', None)
#9468 Covscan issues in ipa-4.11
#9471 Pre-authentication with trusted domain object over IPA to IPA trust fails due to wrong canonical name choice
#9488 Nightly test failure in test_trust.py::TestTrust::test_server_option_with_unreachable_ad
#9571 Pytest 8 compatibility
#9577 Replica installation fails in FIPS mode in fedora 39+
#9584 Race condition in ipa-backup
#9603 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
#9605 Add support for DoT/DoH for Zero-Trust
#9606 Nightly test failure (f40+) in test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
#9607 Nightly test failure (f40+) in test_commands.py::TestIPACommand::test_ssh_key_connection
#9609 ipa-otptoken-import fails to import encrypted file
#9610 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed
#9611 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
#9612 RFE: add a tool to quickly detect and fix issues with IPA ID ranges
#9613 After backup/restore of dnssec master, zones are not signed
#9615 Nightly test failure (f40+) in test_sssd.py::TestNestedMembers::test_nested_group_members
#9616 Nightly test failure in test_backup_and_restore_TestReplicaInstallAfterRestore
#9617 The ipa-advise, ipa-backup, and ipa-restore manuals incorrectly show the --v option.
#9618 Allow IPA SIDgen task to continue if it finds an entity that SID can’t be assigned to
#9619 ipa-migrate starttls does not work
#9620 ipa-migrate remove -V option
#9621 ipa-migrate should not update mapped attributes in managed entries
#9624 A missing cccache prevents Kerberos SSO
#9625 Executing the -d option results in an error.
#9626 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.
#9629 Syntax error uninstalling the selinux-luna subpackage
#9632 Unconditionally add MS-PAC to global config
#9633 Remove RC4 and 3DES default encryption types on update
#9635 Ignore time skew during CA replica installation
#9636 misleading warning for missing ipa-selinux-nfast package on luna hsm
#9637 adtrustinstance only prints issues in check_inst() and does not log them
#9640 ipa-migrate - fix migration issues with entries using ipaUniqueId in the RDN
#9641 support for python cryptography 43.0.0
#9642 ipa-migrate - properly handle invalid certificates
#9643 freeipa fails to build with nodejs22 on f39 and f40
#9644 Fedora 40 pylint issues with PY2/PY3 compatibility
#9645 support for python module netaddr 1.3.0
#9648 Nightly test failures in test_hsm_TestHSMNegative
#9649 Also enable SSSD’s ssh service when enabling sss_ssh_knownhosts
#9652 IPA requires unique CA certificate subject names
#9654 Update SELinux policy to mark IPA log files as ipa_log_t file context
#9655 upstream-adtrust-install: SSSD offline causing test-adtrust-install failure
#9656 Nightly test failure in test_ipa_idrange_fix.py::TestIpaIdrangeFix::test_idrange_no_rid_bases_reversed
#9657 Prepare ipatests environment to test multidomain ipa server
#9658 Nightly test failure in test_ipa_ipa_migration.py
#9661 Change the default CA serial number algorithm to random serial numbers
#9665 Sentences truncated in man pages
#9666 Nightly test failure (f42) in test_adtrust_install
#9667 Nightly test failure (f42) in test_trust
#9668 Nightly test failure (@pki/master) in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_pki_server_clones_connectivity_and_data
#9673 Uninstall ACME separately during PKI uninstallation
#9674 Handle PKI 11.6.0 uninstallation
#9675 Support GSSAPI in Cockpit on IPA servers
#9676 move away from setuptools and pkg_resources
#9680 config-mod accepting invalid e-mail addresses for “Default e-mail domain”
#9681 Man page for ipa-migrate refers to non-existing option --hostname
#9682 ipa-migrate in stage mode fails with TypeError: 'NoneType' object is not iterable
#9686 ipa-migrate should also migrate DNS forward zones
#9687 ‘Organization’ should not be required for Okta provider type
#9689 vault-add fails in FIPS mode
#9691 pki.client: /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in PKIConnection.__init__() has been deprecated (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes)
#9692 ipa-kra-install fails - Unable to add KRA connector for URL KRA connector already exists
#9696 Support OpenSSL provider API
#9697 IPA-to-IPA migration tests should install destination server with --allow-zone-overlap
#9698 Static code analysis defects
#9699 EnforceLDAPOTP ldap-bind with sysaccount no longer possible
#9702 ipa trust-add fails in FIPS mode with an internal error has occurred
#9705 In FIPS mode + HSM, renewal of auditSigningCert cert-pki-kra prevents PKI restart
#9706 Nightly test failure in test_acme.py::TestACMEPrune::test_enable_pruning
#9707 Nightly test failure in test_webui/test_cert.py
#9708 add support for python cryptography 44.0.0
#9709 All user groups are not being included during HSM token validation
#9711 Regression: LDAP bind is allowed without OTP in 4.12
#9712 [ipa-4-9] ipa-server-upgrade fails after established trust with ad
#9715 [testday] Fix typo in ipa-migrate log file i.e ‘Privledges’ to ‘Privileges’
#9720 Workshop Vagrant OOMs During Setup
#9721 Nightly test failure in test_webui/test_host.py::test_host::test_search
#9723 Nightly test failure after pkg uninstall/install
#9724 Nightly test failure (rawhide) in test_integration/test_acme.py::TestACME::test_certbot_dns
#9725 A slow HSM can cause IPA server installation to fail setting up certificate tracking
#9730 [tests] test_ipahealthcheck_ds_configcheck fails against 389-ds-base 2.5.3
#9734 crash in ipa-otpd with --client-secret-stdin use
#9735 Installing IPA with KRA creates invalid ca_admin.cert format
#9737 ipa-migrate should skip tombstone entries
#9738 During server installation don’t use the PKI API directly to issue certificates
#9739 Remove migration support from mod_nss
#9740 Suppress meaningless errors when uninstalling the PKI ACME service
#9741 Add message to end of server install that service restart is happening
#9742 Log when a user attempts to authenticate using LDAP but is locked out due to policy
#9743 The pki-tomcatd service can time out starting with a slow HSM
#9748 Server installation: dot-forwarder not added as a forwarder
#9750 Remove fips-mode-setup
#9751 Nightly test failure (rawhide) in test_trust.py::TestTrust::test_server_option_with_unreachable_ad
#9752 ipatests: use “sos report” instead of “sosreport” command
#9753 Allow customizing ‘nobody’ group per platform
#9754 ipa vault-del triggers a deprecation warning
#9756 ipa dnsrecord-* --raw --structured throws internal error
#9757 Support full 32-bit ID range space
#9758 Search size limit tooltip has Search time limit tooltip text
#9760 ipa-cert-fix proceeds with the externally signed CA signing cert being expired
#9762 The test test_ca_show_error_handling should wait for replication
#9764 Protect *all* IPA service principals
#9765 Regression in ipa trust-add
#9768 Disable --raw and --structured tests are skipped
#9769 Test failure on f42 in test_integration/test_idp.py::TestIDPKeycloak::test_auth_sudo_idp
#9771 Fix deprecation warning in ipa-replica-manage
#9772 ipa-sidgen: important memory leak
#9776 ipa-migrate does not handle replication state data
#9777 kdb: ipadb_get_connection() succeeds but returns null LDAP context
#9779 When creating an ID range, should require a RID
#9780 [RFE] ipa-client-automount should have an option to include domain of the machine.
#9781 Give warning when adding user with UID out of any ID range
#9782 selinux avc when installing dns server in selinux enforcing mode
#9784 ipa-migrate --migrate-dns fails to update the DNS record
#9787 Rawhide: test failure when installing a replica in CA less mode
#9788 ipatests: Fix test_integration/test_uninstallation.py::TestUninstallCleanup::test_clean_uninstall
#9790 ipatests: test_manual_renewal_master_transfer should wait for replication
#9791 test_ipa_healthcheck_fips_enabled xfail annotation is incorrect
#9794 Unable to modify IPA config; --ipaconfigstring="" causes internal error
#9799 edns is not available for older fedora
#9801 Nightly failure in test_integration/test_ipa_idrange_fix.py::TestIpaIdrangeFix::test_idrange_no_rid_bases and test_idrange_no_rid_bases_reversed
#9804 Description for --dot-forwarder in man pages for ipa-server-install and ipa-dns-install inconsistent
#9805 client: DNSSEC validation turned on for unbound by default
#9806 ipa-client-install: nsupdate issues when dns_over_tls is enabled
#9808 Replica: Request cert for DoT fails after setting up bind
#9809 ipa-idrange-fix should check if the server is configured
#9810 Nightly test failure in test_integration/test_fips.py - sed couldn’t open temporary file
#9811 Incorrect use of GitHub and GitLab trademarks
#9812 Test failure in test_adtrust_install_with_non_ipa_user
#9813 When using --dns-over-tls in read-only container, ipa-server-install fails due to /etc/resolv.conf operation
#9814 eDNS: Conflict between dnsconfd and IPA installer
#9824 Error when sizing output for a terminal
#9826 With rpm-5.99.91-1.fc43.x86_64, dnf installation of freeipa-server-trust-ad-4.12.2-14.fc43.x86_64 now fails
#9831 hsm validation fails on systems with private tmp
#9836 Fails to build on fedora42+ with nodejs24
#9838 Nightly test failure (rawhide) in test_edns.py::TestDNSOverTLS::test_install_dnsovertls_master
#9843 Bump samba version for rawhide
#9848 Test failure in test_certmonger_ipa_responder_jsonrpc
#9849 Random test failure in test_otp
#9850 Test failure in test_xmlrpc/test_automember_plugin.py/TestAutomemberFindOrphans
#5614 (rhbz#1310834) [tracker] mod_auth_gssapi additional NTLM auth request from Chrome
#5913 Use augeas for configuring krb5
#2496 (rhbz#797333) krbpasswordexpiration field in LDAP can not have value >= 20380119031408Z
#9744 [RFE] Allow ipa tool to force running on specific server
#9763 KRA install failure if /root/.dogtag/pki-tomcat/ca_admin.cert is expired
#9785 IPA fails to sign zone in FIPS mode
#9833 Nightly test failure (f43+) in test_idp.py::TestIDPKeycloak::test_auth_keycloak_idp
#9835 RFE: Add support for libpwquality credit counting
#9842 Add ability to configure external password reset agents with ipa_pwd_extop
#9845 ipatests: Port downstream ipa-trust-functional test suite.
#9852 Nightly tests failure (rawhide): ipactl restart fails to restart winbindd
#9854 Erroneous case-sensitivity in offline DSE lookup
#9857 Nightly failure in test_commands.py::TestIPACommand::test_cacert_manage
#9858 TestIPAMigratewithBackupRestore fails in IdM CI environment
#9859 Encrypted DNS: disable dnsconfd prior to configuring Unbound
#9862 Update breaks krb5.conf if modified
#9865 Support storing LWCA private keys on an HSM
#9866 [BUG] ATTR_NAME_BY_OID is missing OID 2.5.4.97, organizationIdentifier
#9867 IPA Modrdn plugin performs duplicate replication changes
#9870 backup-restore does not restore /etc/krb5.conf.d/freeipa-realm
#9871 test_http_kdc_proxy.py::TestHttpKdcProxy failure during its setup
#9874 Nightly test failure in test_sudo.py::TestSudo_Functional::test_007_sudorule_offline_caching_option_command
#9875 The permission with ‘System: Modify System Accounts’ fails to modify the description.
#9878 ipa-server-install fails in FIPS mode
#9879 ipa-pkinit-manage enable fails on replica without CA instance
#9881 Test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_dogtag_ca_connectivity_check
#9885 Minor typo in ipa_idrange_fix.py
#9888 Nightly test failure in test_integration/test_ipa_cert_fix.py::TestIpaCertFix::test_expired_CA_cert::teardown
Detailed changelog since 4.12.4
Alexander Bokovoy (60)
sysaccounts: extend permissions to include description and account lock commit #9875
sysaccount: make sure nsaccountlock is always present commit #9842
freeipa.spec: use proper package name when installing Web UI license commit
Require krb5.conf.d because we install snippets there commit
krb5.conf templates: move IPA domain configuration into a separate snippet commit
krb5.conf templates: remove Kerberos 4 support commit
API: correct ordering for password policy credits commit
makeapi: enforce en_US.UTF-8 locale when sorting API files commit
doc/api: regenerate notes commit
ipasam: remove definitions which included from ndr_drsblobs.h commit
ipasam: define prototypes commit
ipasam: address signedness warnings commit
ipasam: simplify error handling in fill_pdb_trusted_domain commit #9852
dcerpc: make sure forest trust info structure version is 1 commit #9852
freeipa.spec.in: protect scriptlets in environment where dbus or systemd do not run commit #9826
test_schema: do not fool pytest with a non-test class name commit
Azure CI: do not run test_ipaserver/test_migratepw commit
Make IPAAbstractVersion available to all platforms commit
test_console: rework matching to adjust to Python 3.13 commit
pylint: do not use return at the end of flow commit
fix used-before-assignment errors where pylint cannot infer logic commit
Move wheel constraints to F41+ commit
freeipa.spec.in: do not recommend encrypted DNS on pre-F42 systems commit
freeipa.spec.in: update BIND-related dependencies commit #9696
ipa-dnskeysyncd: use systemd-tmpfiles to handle tokens commit #9696
DNS: detect when OpenSSL engine should be removed on upgrade commit #9696
Use OpenSSL provider with BIND for Fedora 42+ and RHEL10+ commit #9696
Revert “add sourcery.ai github action” commit
add sourcery.ai github action commit
ipatests: add a test to use full 32-bit ID range space commit #9757
baseuser: allow uidNumber and gidNumber of 32-bit range commit #9757
update_dna_shared_config: do not fail when config is not found commit #9757
config-mod: allow disabling subordinate ID integration commit #9757
Migrate Keycloak tests to JDK 21 and Keycloak 26 commit
ipa-otpd: do not pass OIDC client secret if there is none to pass commit #9734
ipa tools: remove sensitive material from the commandline commit
Unify use of option parsers commit
ipa-pwd-extop: clarify OTP use over LDAP binds commit #9699, #9711
Revert “readthedocs: install crypto 43.0.0” commit
vault: handle pyca InternalError exception for PKCS#1 v1.5 padding commit #9689
web ui: Add explicit white border for QR code widget commit #9202
Minimal test for Cockpit integration on IPA master commit #9675
selinux: allow Cockpit to use HTTP keytab on IPA servers commit #9675
selinux: add all IPA log files to ipa_log_t file context commit #9654
Get rid of unicode and long helpers in ipa-otptoken-import commit #9641
Anuja More (7)
ipatests: Refactor and port trust functional SUDO tests. commit #9845
Revert “Temp commit” commit
ipatests: Refactor and port trust functional HBAC tests. commit #9845
ipatests: Add comprehensive tests for ipa-client-automount --domain option commit #9780
ipatests: Remove xfail from test_installation::test_number_of_zones commit #9135
ipatests: Update ipatests to test topology with multiple domain. commit #9657
Added template for ad_master_1replica_1client commit
Andi Chandler (3)
Antonio Torres (11)
eDNS: disable dnsconfd before configuring Unbound commit #9859
dns: disable all previous Unbound configuration before deploying ours commit #9814
dns: only overwrite resolv.conf during eDNS setup when needed commit #9813
Fix inconsistency in manpage for DoT forwarder option commit #9804
dns: don’t populate forwarders with DoT forwarders commit #9748
dns: only disable unbound when DoT is enabled commit
spec: add unbound requirement and template file commit
PRCI: add definitions for DNS over TLS tests commit
ipatests: add tests for DNS over TLS commit
Add DNS over TLS support commit
Bump to IPA 4.13 commit
Arif Budiman (2)
Aleksandr Sharov (6)
Carla Martinez (2)
David Hanina (11)
Erik Belko (2)
Emilio Herrera (1)
Translated using Weblate (Spanish) commit
Finn Krein-Schuch (1)
Florence Blanc-Renaud (112)
test_ipahealthcheck_dogtag_ca_connectivity_check: update expected msg commit #9881
temp_commit: revert to the version pre 0b521f7 commit
ipatests: mark test_dnssec as xfail in fips mode commit #9785
FIPS mode: openssl pkcs12 command needs -nomacver option commit #9878
test_sudo: do not clean the cache for offline cache tests commit #9874
PRCI: switch testing from f41 and f42 to f42 and f43 commit
Backup-restore: backup krb5.conf.d snippet files commit #9870
TestHttpKdcProxy: use the snippet file for krb5 config commit #9871
Localization: remove zh_Hant file commit
Modern webui: refresh to the tip of main branch commit
Azure: fix WebUI tests commit
Azure: fix the configuration issue commit
Azure CI: Use F43 commit
ipatests: mark test_scale_add_subca as xfail commit
Integration test: fix teardown of test_expiration_date_post_2038 commit
test_cert: adapt the expect error message to PKI 11.7.0-5 commit
Revert “Tests xmlrpc: mark xfail tests requesting cert with subca” commit
PRCI tests: update vagrant image with latest PKI / certmonger package commit
ipatests: fix TestIpaClientAutomountDiscovery commit
Spec file: bump version for 389-ds commit
Tests xmlrpc: mark xfail tests requesting cert with subca commit
ipatests: extend test for unique krbcanonicalname commit
ipatests: fix TestIPAMigratewithBackupRestore setup commit #9858
ipatests: add xfail for TestKRAinstallAfterCertRenew commit #9763
ipatests: exclude TomcatFileCheck when RSN are enabled commit
azure webui tests: force chromium version commit
xmlrpc test: fix test_find_orphan_automember_rules commit #9850
ipatests: fix test_certmonger_ipa_responder_jsonrpc commit #9848
Spec file: bump samba version to 4.23.0 in f43 and above commit #9843
ipatests: fix test_adtrust_install_with_non_ipa_user commit #9812
ipa-idrange-fix: check that IPA server is installed commit #9809
ipatests: fix invalid range creation in test_ipa_idrange_fix.py commit #9801
ipatests: fix xfail annotation for test_ipa_healthcheck_fips_enabled commit #9791
ipatests: skip encrypted dns tests on fedora 41 commit #9799
ipa config-mod: fix internalerror when setting an empty ipaconfigstring commit #9794
ipatests: test_manual_renewal_master_transfer must wait for replication commit #9790
azure pipeline: disable InstallDNSSECFirst commit
ipatests: add extensions to server certificates for CAless mode commit #9787
PRCI tests: update vagrant image with latest bind package commit
Azure CI: use podman instead of docker through emulation commit
azure pipeline: skip step disabling conflicting apparmor profile commit
azure pipeline: replace ubuntu-20.04 with 24.04 commit
PRCI: switch testing from f40 and f41 to f41 and f42 commit
PRCI definitions: update vagrant box version for rawhide commit
ipatests: update fedora41 vagrant box to 0.0.2 commit
gating tests: add test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust commit
idrange: use minvalue=0 for baserid and secondarybaserid commit #9765
ipatest: make test_cert more robust to replication delays commit #9762
Leapp upgrade: skip systemctl calls commit
ipatests: adapt error code and message for samba 4.22 commit #9751
vault: remove PKIConnection deprecation warning commit #9754
ipatests: use “sos report” instead of “sosreport” command commit #9752
ipatests: simulate FIPS mode and install replica commit #9002
ipatests: on rhel10 do not install firefox commit
ipatests: restart dirsrv after time jumps commit
ipatests: skip test_ipahealthcheck_ds_configcheck for recent versions commit #9730
Nightly tests: add test_ipahelthcheck to 389ds pipeline commit
ipatests: force the version for uninstall/reinstall commit #9723
Fix pylint issue in ipatests/i18n.py commit
ipatests: certbot removed the --manual-public-ip-logging-ok parameter commit #9724
Temp commit: move to fedora 41 commit
Cert renewal: update the trust flags for audit cert commit #9705
Dogtag instance: add method to create temp password file commit #9705
KRA cert renewal: update ca.connector.KRA.transportCert commit #9692
Installation test: KRA on replica after cert renewal commit #9692
Fix copr build commit
readthedocs: install crypto 43.0.0 commit
ipatests: pruning is enabled by default with LMDB commit #9706
ipatests: install master with allow-zone-overlap commit #9697
Nightly test def: fix topology for test_IPAMigrateADTrust commit
Tests: migrate to f40/f41 commit
test_ipahealthcheck: skip connectivity_and_data check commit #9668
Nightly test definition: use master_1repl topology for idrange_fix commit
test_adtrust_install: add --use-krb5-ccache to smbclient command commit #9666
ipatests: provide a ccache to rpcclient deletetrustdom commit #9667
azure pipeline: use latest version of DownloadPipelineArtifact task commit
azure tests: move to fedora 40 commit
Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12 commit #9577
ipatests: Add missing comma in test_idrange_no_rid_bases_reversed commit #9656
ipatests: increase the timeout for test_hsm.py::TestHSMInstall commit
Replica CA installation: ignore time skew during initial replication commit #9635
ipatests: remove xfail for test_ipa_migrate_stage_mode commit #9621
ipatests: remove xfail for test_ipa_migrate_version_option commit #9620
test_replica_install_after_restore: kinit after restore commit #9613
Uninstall: stop sssd-kcm before removing KCM ccaches database commit #9616
ipa-ods-enforcer: stop must also stop the socket commit #9613
ipatests: fix / permissions for test_nested_group_members commit #9615
ipatests: fix / permissions to allow ssh with private key commit #9607
ipatests: mark test_ca_show_error_handling as xfail commit #9606
Gating and nightly tests: move to f39/f40 commit
ipatests: add test for PKINIT renewal on hidden replica commit #9611
PKINIT certificate: fix renewal on hidden replica commit #9611
spec file: do not create /etc/ssh/ssh_config.orig if unchanged commit #9610
ipa-otptoken-import: open the key file in binary mode commit #9609
Frederik Himpe (2)
Fco. Javier F. Serrador (2)
Francisco Trivino (2)
Fraser Tweedale (1)
Dmytro Markevych (1)
Translated using Weblate (Ukrainian) commit
Ian Brown (1)
Julien Rische (11)
ipatests: fix kdcproxy tests against AD commit
ipa-kdb: enforce PAC presence on TGT for TGS-REQ commit
Add test for master key upgrade commit
Use ipaplatform tasks for krb5 enctypes commit
ipa-kdb: support storing multiple KVNO for the same principal commit #9370
kdb: keep ipadb_get_connection() from succeeding with null LDAP context commit #9777
ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op commit #9772
Remove RC4 and 3DES default encryption types on update commit #9633
Unconditionally add MS-PAC to global config on update commit #9632
kdb: apply combinatorial logic for ticket flags commit
kdb: fix vulnerability in GCD rules handling commit
Jonathan Steffan (1)
Léane GRASSER (1)
Translated using Weblate (French) commit
TAKAHASHI Masatsuna (1)
Shunsuke matsumoto (1)
Miro Hrončok (1)
Michal Polovka (1)
Mark Reynolds (14)
ipa-migrate - only remove repl state attribute options commit #9784
ipa-migrate - do not process AD entries in staging mode commit #9776
ipa-migrate - remove replication state information commit #9776
ipa-migrate - do not migrate tombstone entries, ignore MidairCollisions, and krbpwdpolicyreference commit #9737
ipa-migrate - dryrun write updates crashes when removing values commit #9682
Do not let user with an expired OTP token to log in if only OTP is allowed commit #9387
ipa-migrate - fix alternate entry search filter commit #9658
ipa-migrate - fix migration issues with entries using ipaUniqueId in the RDN commit #9640
ipa-migrate - properly handle invalid certificates commit #9642
Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries commit #9621
Madhuri Upadhye (1)
ipatests: 2FA test cases commit
Mohammad Rizwan (3)
N M (1)
Translated using Weblate (Spanish) commit
Weblate Translation Memory (2)
Weblate (2)
Oğuz Ersen (1)
Translated using Weblate (Turkish) commit
Piotr Drąg (1)
Translated using Weblate (Polish) commit
Pejman Rezaei (1)
Translated using Weblate (Persian) commit
Rafael Fontenelle (1)
Translated using Weblate (Spanish) commit
Rob Crittenden (73)
Don’t assume the server has a CA service when issuing certificates commit #9879
Revert “Temp commit” commit
PR-CI: Run test_installation_TestInstallKeySizes in the nightlies commit #9738
Move some functions to installutils to be more independent commit #9738
Detect the highest API version the remote server supports commit #9738
Refine restricting CA profiles to known subjects commit #9738
Sort when comparing tuples in the xmlrpc tests commit
Set minimum version of certmonger and PKI for PKI-API commit #9738
Reduce the log level before calling PKI functions commit #9738
Retrieve all cert profiles from the CA with --all commit #9738
Use PKIClient instead of deprecated PKIConnection commit #9738
Use the APIClient instead of direct REST calls for ACME commit #9738
Replace REST with PKI python API for cert and LWCA commit #9738
Add config option for RSA key size for HTTP, DS, PKINIT, RA certs commit #9738
Use the pki tool to bootstrap certificates during installation commit #9738
Temp commit commit
Use Augeas when updating dbmodules in krb5.conf commit #5913, #9862
Add support for libpwpolicy credit to password policy commit #9835
Enforce uniqueness across krbprincipalname and krbcanonicalname commit
Catch decoding errors in CertificateSigningRequest parameters commit #9738
Don’t let lack of subca in PKI prevent LDAP deletion commit #9738
Test that password expiration date past 2038 works commit #2496
Test that certificates beyond 2038 can be parsed commit #2496
Add token options to immutables for pki override commit
Set krbCanonicalName=admin@REALM on the admin user commit
Fix some issues identified by a static analyzer commit #9365, #9468
Add --domain option to ipa-client-automount for DNS discovery commit #9780
Test: dnf5 handles updating itself differently than dnf4 commit
Make the Azure template work with both dnf4 and dnf5 commit
Azure CI: Use F42 commit
Address deprecation warning in ipa-replica-manage commit #9771
Don’t require certificates to have unique ipaCertSubject commit #9652
Drop python 2 support in ipaserver/install/ca.py commit
Drop python 2 support in installutils.py commit
Drop python v2 in ipaserver/install/certs.py for lint errors commit #9738
Log failed auth attempts over LDAP when a user is locked commit #9742
Remove the migration of the RA cert from mod_nss to mod_ssl commit #9739
Fix some memory errors identified by a static analyzer commit #9698
Use new(er) PKI connection API in ipa-pki-wait-running commit #9691
Validate the default e-mail domain in the config plugin commit #9680
Align startup_timeout with the systemd default and document it commit #9743
Configure the pki-tomcatd service systemd timeout commit #9743
Suppress spurious failure messages when uninstalling ACME commit #9740
Add a message where the ipa service restarted at end of install commit #9741
Write out the PKI admin certificate as a PEM file commit #9735
Apply certmonger_timeout to start_tracking and request_cert commit #9725
Add 30-second timeout for certmonger request/start tracking commit #9725
Pass all pkiuser groups as supplementary when validating an HSM commit #9709
Allow looking up constants.Group by gid in addition to name commit #9709
Don’t drop certificates in cert-find if the LWCA was removed commit #9661
Enable pruning when Random Serial Numbers are enabled commit #9661
Set required version of 389-ds for VLV fix on F40/41 commit
ipatests: Test that when lmdb is available, enable RSN commit #9661
Change default to RSN when 389-ds uses the mdb backend commit #9661
Small fixup to determine which ACME uninstaller to use commit #9673, #9674
Don’t rely on removing the CA to uninstall the ACME deployment commit #9673, #9674
Fix some resource leaks identified by a static analyzer commit #9367
Ignore TripleDES python-cryptography import warnings commit #9641
Correct usage of public_key_algorithm_oid in ipalib/x509 commit #9641
Force a logout in KerberosSession if a login is needed commit #9624
Log errors reported by adtrustinstance.check_inst() using logger commit #9637
Run HSM validation as pkiuser to verify token permissions commit #9626
Fix a copy/paste issue when detecting the HSM SELinux subpackage commit #9636
Include token password options in ipa-kra-install man page commit #9603
Re-organize HSM validation to be more consistent/less duplication commit #9603
Fix syntax error in the selinux-luna %postun script commit #9629
Use a unique task name for each backend in ipa-backup commit #9584
Ricky Tigg (3)#
Rafael Guterres Jeffman (2)#
Sam Morris (2)#
Sumit Bose (1)#
ipa-otpd: use oidc_child’s --client-secret-stdin option commit
김인수 (2)#
Stanislav Levin (4)#
Sumedh Sidhaye (2)#
Sudhir Menon (22)#
ipatests: Nightly definitions for TestIPAMigratewithBackupRestore commit
ipatests: Tests for ipa-migrate tool with ldif file commit #9776
ipatests: prci nightly definitions for 32BitIdranges commit
ipatests: Tests for 32BitIdranges. commit
Added TestIPAHealthcheckWithCALess to nightly yaml file. commit
ipatests: ipahealthcheck warns for user provided certificates about to expire commit
ipatests: Tests for krbLastSuccessfulAuth warning commit
ipatests: Test to check dot forwarders are added to unbound. commit
ipatests: Fix for ipa-healthcheck test in FIPS Mode commit
ipatests: Tests to check data in journal log commit
ipatests: Updated nightly definitions for ipa-ipa-migration commit
ipatests: Tests for ipa-migrate tool commit
ipatests: Fixes for ipa-idrange-fix testsuite commit
ipatests: Check Default PAC type is added to config commit #9632
ipatests: Test to check that the configured value for “nsslapd-ignore-time-skew” remains on even after a “force-sync” is done commit #9635
ipatests: Replace ‘usermod -r’ command with ‘gpasswd -d’ in test_hsm.py commit #9626
ipatests: ipa-migrate tool with -Z option (CACERTFILE) commit
Added new testsuite(ipa_ipa_migration) in prci definitions commit
ipatests: Tests for ipa-ipa migration tool commit
Temuri Doghonadze (5)#
Thomas Woerner (5)#
Replica: Request cert for DoT before setting up bind commit #9808
ipaserver/install/dns.py: Allow to Turn off DNSSEC validation for unbound commit #9805
ipa-client-install: New --no-dnssec-validation option commit #9805
ipa-client-install: Fix nsupdate issues when dns_over_tls is enabled commit #9806
ipa_sidgen: Allow sidgen_task to continue after finding issues commit #9618
vectinx (1)#
Vasily Parfenov (1)#
man: fix incorrect groff syntax in man pages commit
Wouter Schoot (1)#
Update 11-kerberos-ticket-policy.rst commit
Yaakov Selkowitz (1)#
spec: Use nodejs22 on RHEL 10 and ELN commit
Yuri Chornoivan (1)#
Translated using Weblate (Ukrainian) commit