[Freeipa-interest] Announcing FreeIPA 4.6.0

Tomas Krizek tkrizek at redhat.com
Fri Sep 1 13:28:30 UTC 2017


The FreeIPA team would like to announce the FreeIPA 4.6.0 release!

It can be downloaded from https://releases.pagure.org/freeipa/. Builds for
Fedora 25 and 26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ .

== Highlights in 4.6.0 ==

=== Enhancements ===

* Python 3 is now supported.

=== Known Issues ===

* WebUI doesn't work [#7126, #7127]
* Attempting un-installation if IPA isn't installed prints confusing
strings [#7063]

=== Bug fixes ===
Contains all bugfixes and enhancements of 4.5.1, 4.5.2 and 4.5.3 releases.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or the #freeipa channel on Freenode.


== Resolved tickets ==
* 7123 External CA renewal fails when IPA CA subject DN does not match
"CN=Certificate Authority, {subject-base}"
* 7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
* 7108 ipa-backup broken because of cyclic import
* 7086 [ipatests] - add caless to cafull tests
* 7066 WebUI: All columns of user in group table are clickable
* 7035 ipa-otptoken-import  - XML file is missing PBKDF2 parameters!
* 7017 NULL LDAP context in call to ldap_search_ext_s during search in
cn=ad,cn=trusts,dc=example,dc=com
* 6605 make lint + make modifies PO files in place
* 6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and
"Role-Based"
* 6447 [WebUI] Remove offline version of WebUI
* 6261 Replace ERROR: cannot connect to
'http://localhost:8888/ipa/json': [Errno 111] Connection refused with
'IPA is not configured on this system'
* 6176 Updating of dns system records rapidly slowdown uninstallation
* 7121 ipa otptoken-add-yubikey fails with python3
* 7118 Fix CA-less installation due to incorrect with statement
* 7110 Missing requirement in freeipa 4.5.90.dev201708161122+git799551892-0
* 7100 test_caless: add SAN dNSName extensions for wildcard tests
* 7088 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA
CA CSR
* 7076 Adjust to CURL which started to use OpenSSL -
ipa-server-install fails to obtain RA certificate from CA (CA_UNREACHABLE)
* 7053 Replica install fails to configure IPA-specific temporary
files/directories
* 7052 WebUI: search facet spec actions contains 'undefined' item
* 7051 ipapython/graph.py complexity optimization
* 7050 Type error when running tests for whoami command.
* 7046 missing default basedn causes failure during initialization of
multi host tests
* 7030 tests: CA-less test suite broken due to missing subject key
identifier extension
* 7011 --force-join option is not mentioned in ipa-replica-install man page
* 7010 ipa-backup fails silently
* 7002 adtrustinstance: broken ID range assessment
* 6987 ca-add: invalid X.509 DN fails ungracefully
* 6986 make pylint is not working on F26
* 6980 Pagination Size under Customization in IPA WebUI accepts negative
values
* 6976 External CA: check that IPA CA certificate contains Subject Key
Identifier
* 6974 WebUI: Fix unit webUI tests
* 6971 ipatests: collect systemd journal
* 6956 Backup and restore tests failing
* 6946 ipa-replica-manage del (dl 0) doesn't remove server from
defaultServerList
* 6945 Bring back error messages from certificate validation
* 6943 server-del doesn't remove server from defaultServerList in
cn=default,ou=profile,$BASE
* 6940 installer should indicate that it is waiting for keys
* 6939 ipaserver.plugins.host.get_dn timeout due to unindexed search
* 6928 ipa-managed-entries incorrectly states server not installed
* 6865 minor spelling mistake in ipa-adtrust-install.1
* 6863 minor spelling mistake
* 6852 [RFE] Create client enrollment role
* 6849 Priority field missing in required field indicator - *
* 6845 ipa-otpd.socket.in has wrong kdc service name for Debian
* 6834 ipa-kdc-proxy.conf.template hardcodes python module directory
* 6822 git-commit-template: update ticket URL to use pagure.io instead
of fedorahosted.org
* 6818 Update asn1c code in /asn1/asn1c
* 6809 Failed to write schema: b'sudo/1' is not JSON serializable
* 6745 [test] ipa whoami command
* 6725 No page for information on build from source
* 6642 Py3: test_serverroles: use ldap2/ldapclient instead of MockLDAP
* 6591 pytest 3.0: yield tests are deprecated
* 5990 Py3: zonemgr_callback: expected unicode, got bytes
* 5919 cert-request rfc822Name check compares whole email address
case-sensitively
* 4985 [RFE] Support Python 3

== Detailed changelog since 4.5.3 ==
=== Alexander Bokovoy (13) ===
* csrgen: support openssl 1.0 and 1.1
* dcerpc: support Python 3
* ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
* ipa-sam: use own private structure, not ldapsam_privates
* trust-mod: allow modifying list of UPNs of a trusted forest
* ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
* Fix index definition for ipaAnchorUUID
* krb5: make sure KDC certificate is readable
* trust: always use oddjobd helper for fetching trust information
* ipaserver/dcerpc: unify error processing
* adtrust: make sure that runtime hostname result is consistent with the
configuration
* server: make sure we test for sss_nss_getlistbycert
* ldap2: use LDAP whoami operation to retrieve bind DN for current
connection

=== Abhijeet Kasurde (6) ===
* Vault testcase improvement
* Minor typo fixes
* Minor typo in details.js
* Hide request_type doc string in cert-request help
* Hide PKI Client database password in log file
* Use with statement for opening file

=== Alex Zeleznikov (1) ===
* Sort SRV records by priority

=== Aleksei Slaikovskii (3) ===
* ipapython/graph.py redundant variable fix
* ipapython/graph.py String formatting
* ipapython/graph.py complexity optimization

=== Ben Lipton (4) ===
* csrgen: Beginnings of NSS database support
* csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
* csrgen: Change to pure openssl config format (no script)
* csrgen: Remove helper abstraction

=== Christian Heimes (40) ===
* Misc Python 3 fixes for ipaserver.secrets
* Reimplement yield tests are parametrized tests
* Silence pytest.yield_fixture deprecation warning
* Slim down dependencies
* Vault: Explicitly default to 3DES CBC
* Band-aid for pip dependency bug
* Correct PyPI package dependencies
* tox: use pylint 1.6.x for now
* Replace _BSD_SOURCE with _DEFAULT_SOURCE
* Regenerate ASN.1 code with asn1c 0.9.28
* tox testing support for client wheel packages
* Stabilize make pypi_packages
* Replace hard-coded kdcproxy path with WSGI script
* Use entry_points for ipa CLI
* Don't hard-code with_wheels
* Add an option to build ipaserver wheels
* Add extra_requires for additional dependencies
* Conditionally import pyhbac
* Skip test_session_storage in ipaclient unittest mode
* Add make devcheck for developers
* session storage parameters must be bytes
* Fix ipatests.util doc tests
* Use Custodia 0.3.1 features
* Simplify KRA transport cert cache
* pytest 3.x compatibility
* Constrain wheel package versions
* Move remaining util functions to tasks module
* Ship ipatests.pytest_plugins.integration
* Move function run_repeatedly to tasks module
* Move hosts module to ipatests.pytest_plugins.integration.hosts
* Move tasks module to ipatests.pytest_plugins.integration.tasks
* Move env_config module to ipatests.pytest_plugins.integration.env_config
* Move config module to ipatests.pytest_plugins.integration.config
* Move helper code for integration plugin
* Increase Apache HTTPD's default keep alive timeout
* Add debug logging for keep-alive
* Use connection keep-alive
* Add options to run only ipaclient unittests
* Python 3: Fix session storage
* Fix Python 3 pylint errors

=== David Kreitschmann (4) ===
* Disable pylint in get_help function because of type confusion.
* Store help in Schema before writing to disk
* Use os.fsync instead of os.fdatasync because macOS doesn't support
fdatasync
* Fix libkrb5 filename for macOS

=== David Kupka (22) ===
* tests: certmap: Add test for user-{add,remove}-certmap
* tests: tracker: Add CertmapdataMixin tracker
* tests: certmap: Add test for certmapconfig-{mod,show}
* tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
* tests: certmap: Test permissions for certmap
* tests: certmap: Add basic tests for certmaprule commands
* tests: tracker: Add CertmapTracker for testing certmap-* commands
* tests: tracker: Add ConfigurationTracker to test *config-{mod,show}
commands
* tests: tracker: Add EnableTracker to test *-{enable,disable} commands
* tests: tracker: Split Tracker into one-purpose Trackers
* install: replica: Show message about key synchronization
* kra: promote: Get ticket before calling custodia
* ipapython.ipautil.run: Add option to set umask before executing command
* otptoken-add-yubikey: When --digits not provided use default value
* Bump version of ipa.conf file
* Create system users for FreeIPA services during package installation
* WebUI: cert login: Configure name of parameter used to pass username
* httpinstance.disable_system_trust: Don't fail if module 'Root Certs'
is not available
* spec file: Bump requires to make Certificate Login in WebUI work
* rpcserver.login_x509: Actually return reply from __call__ method
* Create temporary directories at the beginning of uninstall
* ipapython.ipautil.nolog_replace: Do not replace empty value

=== felipe (1) ===
* Fixing replica install: fix ldap connection in domlvl 0

=== Felipe Volpone (3) ===
* Removing part of circular dependency of ipalib in ipaplaform
* Changing how commands handles error when it can't connect to IPA server
* py3: fixing zonemgr_callback

=== Felipe Volpone (5) ===
* Adding section "Building FreeIPA from source" on README
* Changing cert-find to go through the proxy instead of using the port 8080
* Changing cert-find to do not use only primary key to search in LDAP.
* Fixing adding authenticator indicators to host
* Fixing the cert-request comparing whole email address case-sensitively.

=== Fabiano Fidêncio (1) ===
* Allow erasing ipaDomainResolutionOrder attribute

=== Florence Blanc-Renaud (22) ===
* Fix Certificate renewal (with ext ca)
* Fix ipa-server-upgrade: This entry already exists
* ipa-replica-conncheck: handle ssh not installed
* ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
* ipa-replica-manage del (dl 0): remove server from defaultServerList
* server-del: update defaultServerList in cn=default,ou=profile,$BASE
* ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
* ipa-server-install: fix uninstall
* ipa-kra-install manpage: document domain-level 1
* ipa-kra-install: fix check_host_keys
* ipa-server-install with external CA: fix pkinit cert issuance
* ipa-client-install: remove extra space in pkinit_anchors definition
* vault: piped input for ipa vault-add fails
* upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
installed
* tests: add non-reg for idrange-add
* Upgrade: add gidnumber to trusted domain entry
* ipa-sam: create the gidNumber attribute in the trusted domain entry
* idrange-add: properly handle empty --dom-name option
* ipa-ca-install man page: Add domain level 1 help
* git-commit-template: update ticket url to use pagure.io instead of
fedorahosted.org
* dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
* man ipa-cacert-manage install needs clarification

=== Fraser Tweedale (14) ===
* Fix external renewal for CA with non-default subject DN
* py3: handle bytes in schema response
* py3: fix vault public key decoding
* cert: fix application of 'str' to bytes when formatting otherName
* py3: fix schema response for py2 server with py3 client
* Fix incorrect 'with' statement in CA-less installation
* Restore old version of caIPAserviceCert for upgrade only
* cert-request: simplify request processing
* Add CommonNameToSANDefault to default cert profile
* Add a README to certificate profile templates directory
* py3: fix regression in schemaupdate
* ca-add: validate Subject DN name attributes
* Add Subject Key Identifier to CA cert validity check
* Support 8192-bit RSA keys in default cert profile

=== Jan Cholasta (61) ===
* pylint: enable logging checks
* logging: do not use `ipa_log_manager` to create module-level loggers
* logging: do not log into the root logger
* logging: do not reference loggers in arguments and attributes
* doc: sync guide.org with cli.py
* logging: remove object-specific loggers
* logging: use the actual root logger as the root logger
* logging: port to standard Python logging
* logging: do not configure any handlers by default
* wsgi, oddjob: remove needless uses of Env
* config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`
* ldap2: remove URI argument from ldap2 constructor
* test_ldap: drop redundant URI argument
* {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2
connections
* user, migration: use LDAPClient for ad-hoc LDAP connections
* install: do not assume /etc/krb5.conf.d exists
* server upgrade: do not enable PKINIT by default
* pkinit manage: introduce ipa-pkinit-manage
* server certinstall: update KDC master entry
* httpinstance: wait until the service entry is replicated
* server certinstall: support PKINIT
* cacert manage: support PKINIT
* replica install: respect --pkinit-cert-file
* server install: fix KDC certificate validation in CA-less
* certs: do not export CA certs in install_pem_from_p12
* certs: do not export keys world-readable in install_key_from_p12
* server install: fix KDC PKINIT configuration
* install: introduce generic Kerberos Augeas lens
* client install: fix client PKINIT configuration
* install: trust IPA CA for PKINIT
* certdb: use custom object for trust flags
* certdb, certs: make trust flags argument mandatory
* certdb: add named trust flag constants
* ipa-cacert-manage: add --external-ca-type
* renew agent: get rid of virtual profiles
* renew agent: always export CSR on IPA CA certificate renewal
* renew agent: allow reusing existing certs
* cainstance: use correct profile for lightweight CA certificates
* server upgrade: always fix certmonger tracking request
* renew agent: respect CA renewal master setting
* spec file: bump krb5 Requires for certauth fixes
* spec file: bump python-netaddr Requires
* configure: fix AC_CHECK_LIB usage
* cert: defer cert-find result post-processing
* renew agent, restart scripts: connect to LDAP after kinit
* renew agent: revert to host keytab authentication
* install: request service certs after host keytab is set up
* dsinstance, httpinstance: consolidate certificate request code
* httpinstance: avoid httpd restart during certificate request
* dsinstance: reconnect ldap2 after DS is restarted by certmonger
* httpinstance: make sure NSS database is backed up
* certdb: fix `AttributeError` in `verify_ca_cert_validity`
* setup, pylint, spec file: drop python-nss dependency
* certdb: use certutil and match_hostname for cert verification
* spec file: bump libsss_nss_idmap-devel BuildRequires
* spec file: bump krb5-devel BuildRequires for certauth
* cert: do not limit internal searches in cert-find
* replica prepare: fix wrong IPA CA nickname in replica file
* httpinstance: clean up /etc/httpd/alias on uninstall
* certs: do not implicitly create DS pin.txt
* tasks: run `systemctl daemon-reload` after httpd.service.d updates

=== René Genz (3) ===
* fix minor spelling mistakes
* fix spelling mistake; minor rewording
* fix minor typos in ipa-adtrust-install.1

=== Martin Babinsky (45) ===
* Move tmpfiles.d configuration handling back to spec file
* Do not remove the old masters when setting the attribute fails
* *config-show: Do not show empty roles/attributes
* smart-card-advises: ensure that krb5-pkinit is installed on client
* smart card advise: use password when changing trust flags on HTTP cert
* smart card advises: use a wrapper around Bash `for` loops
* Use the compound statement formatting API for configuring PKINIT
* Fix indentation of statements in Smart card advises
* delegate formatting of compound Bash statements to dedicated classes
* advise: add an infrastructure for formatting Bash compound statements
* delegate the indentation handling in advises to dedicated class
* add a class that tracks the indentation in the generated advises
* Allow to pass in multiple CA cert paths to the smart card advises
* smart-card advises: add steps to store smart card signing CA cert
* smart-card advises: configure systemwide NSS DB also on master
* Prepare advise plugin for smart card auth configuration
* Extend the advice printing code by some useful abstractions
* fix incorrect suffix handling in topology checks
* Do not delete DS and PKI users during backup/restore tests
* test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
* only stop/disable simple service if it is installed
* test_serverroles: Get rid of MockLDAP and use ldap2 instead
* Add `pkinit-status` command
* Add the list of PKINIT servers as a virtual attribute to global config
* Add an attribute reporting client PKINIT-capable servers
* Refactor the role/attribute member reporting code
* Allow for multivalued server attributes
* Travis CI: Add the server uninstaller as a last step of tests
* Travis CI: explicitly update pip before running the builds
* Do not test anonymous PKINIT after install/upgrade
* Upgrade: configure local/full PKINIT depending on the master status
* Use local anchor when armoring password requests
* Stop requesting anonymous keytab and purge all references of it
* Use only anonymous PKINIT to fetch armor ccache
* API for retrieval of master's PKINIT status and publishing it in LDAP
* Allow for configuration of all three PKINIT variants when deploying KDC
* separate function to set ipaConfigString values on service entry
* Revert "Store GSSAPI session key in /var/run/ipa"
* Remove duplicate functionality in upgrade
* Always check and create anonymous principal during KDC install
* Ensure KDC is properly configured after upgrade
* Split out anonymous PKINIT test to a separate method
* Remove unused variable from failed anonymous PKINIT handling
* Upgrade: configure PKINIT after adding anonymous principal
* Travis CI: invoke integration test helper scripts before test execution

=== Martin Basti (63) ===
* DNS update: reduce timeout for CA records
* baseldap: fix format string
* IPAOptionParser: fix dict comprehension
* py3: run already ported scripts under py3 by default
* py3: temporary set dependencies to both py2 and py3 packages
* py3: test_otptoken_import: fix bytes usage
* py3: ipa_otptoken_import: fix hex decoding
* py3: ipa_otptoken_import: fix calling unicode on bytes
* py3: ipa_otptoken_import: fix lambda code inspection
* py3: Remove comparison >=2 of debug log level
* py3: vault: data must be bytes
* py3: test_location_plugin: fix iteration over changed dict
* py3: test_kerberos_principal_aliases: fix code scope
* py3: dogtag.py: fix bytes warnings
* py3: travis: enable tests for plugins that are already working
* py3: secrets: remove iteritems usage
* Travis: check for BytesWarnings in httpd error_log
* py3: ipaldap: fix encoding of datetime objects
* py3: LDAPClient: remove __del__ method
* LDAPEntry: rename _orig to _orig_raw
* python-netifaces: update to reflect upstream changes
* Travis: enable temporary Py3 testing
* Travis: build only py2 packages for py2 testing
* Build: allow to build only py2 rpms for fedora
* Remove network and broadcast address warnings
* replica install: add missing check for non-local IP address
* Remove ip_netmask from option parser
* CheckedIPAddress: remove match_local param
* refactor CheckedIPAddress class
* ipa-dns-install: remove check for local ip address
* Fix local IP address validation
* Explicitly ask for py2 dependencies in py2 packages
* Only warn when specified server IP addresses don't match intf
* pylint: explicitly depends on python2-pylint
* py3: update_mod_nss_cipher_suite: ordering doesn't work with None
* py3: urlfetch: use "file://" prefix with filenames
* py3: cainstance: fix BytesWarning
* py3: schemaupdate: fix BytesWarning
* py3: LDAP updates: use only bytes/raw values
* py3: softhsm key_id must be bytes
* py3: ipaldap: encode Boolean as bytes
* py3: ConfigParser: replace deprecated readfd with read
* py3: use ConfigParser instead of SafeConfigParser
* Add remote_plugins subdirectories to RPM
* custodia dep: require explicitly python2 version
* pylint: ignore new checks added in 1.7
* Pylint: fix ipa_forbidden_import checker
* travis: fix pylint execution with py3
* py3: add missing py3 pylint dependencies
* adtrust: move SELinux settings to constants
* httpd: move SELinux settings to constants
* ipasetup: fix dependencies handling based on python version
* ipaclient: fix missing RPM ownership
* tests: add missing dependency iptables
* ca_status: add HTTP timeout 30 seconds
* http_request: add timeout option
* Use proper SELinux context with http.keytab
* Store GSSAPI session key in /var/run/ipa
* Fix PKCS11 helper
* Remove surplus 'the' in output of ipa-adtrust-install
* collect audit.log for easier selinux investigation
* Set "KDC:Disable Last Success" by default
* Set development version to 4.5.90

=== Lewis Eason (1) ===
* Correct typo estabilish->establish in the install scripts

=== Michal Reznik (9) ===
* test_caless: add SAN dNSName extensions for wildcard tests
* test_caless: add replica ca-less to ca-full test (master caless)
* test_caless: add server_replica ca-less to ca-full test
* tests: fix external_ca test suite failing due to missing SKI
* test_caless: remove xfail in wildcard certificate tests
* test_caless: introduce new python makepki + fix SKI extension issue
* test_caless: mark TestCertinstall intermediate CA tests as xfail
* test_caless: add pkinit option and test it
* - added krb5kdc.log to pytest logging

=== Nathaniel McCallum (1) ===
* ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace

=== Oliver Gutierrez (1) ===
* Added plugins directory to paclient subpackages

=== Petr Spacek (1) ===
* ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri,
ldap_uri

=== Petr Vobornik (5) ===
* log progress of wait_for_open_ports
* control logging of host_port_open from caller
* kerberos session: use CA cert with full cert chain for obtaining cookie
* restore: restart/reload gssproxy after restore
* automount install: fix checking of SSSD functionality on uninstall

=== Pavel Vomacka (34) ===
* Fixes bug in actions creating for search facet
* WebUI: fix showing required asterisk '*'
* WebUI: Update unit test README
* Fixes details_test.js
* Fixes for widget_tests.js
* Fixes for aci_tests.js
* Fixes for entity_tests.js
* Fixes for ipa_test.js
* Add up to date JSON files
* Add loader.js into requirements of all HTML unit test files
* WebUI: remove creating js/libs symlink from makefile
* WebUI: Remove plugins symlink as it is unused
* Remove all old JSON files
* Revert "Web UI: Remove offline version of Web UI"
* WebUI: Add hyphenate versions of Host(Role) Based strings
* WebUI: fix incorrectly shown links in association tables
* WebUI: fix jslint error
* WebUI: change validator of page size settings
* WebUI: Add positive number validator
* WebUI: add support for changing trust UPN suffixes
* Bump version of python-gssapi
* Turn off OCSP check
* Change python-cryptography to python2-cryptography
* Turn on NSSOCSP check in mod_nss conf
* WebUI - Coverity: fix identical branches of if statement
* WebUI - Coverity: fixed null pointer exception
* WebUI: Coverity - add explicit window object to alert methods
* WebUI: Allow to add certs to certmapping with CERT LINES around
* WebUI: Fix showing vault in selfservice view
* WebUI: suppress truncation warning in select widget
* WebUI: Add support for suppressing warnings
* WebUI: Add support for login for AD users
* WebUI: add method for disabling item in user dropdown menu
* WebUI: check principals in lowercase

=== Rob Crittenden (2) ===
* Include the CA basic constraint in CSRs when renewing a CA
* Pass ipa-ca-agent credentials as PEM files

=== Gabe (2) ===
* Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
* Add --password-expiration to allow admin to force user password expiration

=== Sumit Bose (11) ===
* ipa_pwd_extop: do not generate NT hashes in FIPS mode
* ipa-sam: replace encode_nt_key() with E_md4hash()
* ipa-kdb: use canonical principal in certauth plugin
* ipa-kdb: reload certificate mapping rules periodically
* IPA-KDB: use relative path in ipa-certmap config snippet
* extdom: improve cert request
* extdom: do reverse search for domain separator
* ipa-kdb: do not depend on certauth_plugin.h
* configure: fix --disable-server with certauth plugin
* IPA certauth plugin
* ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

=== Simo Sorce (12) ===
* Always check peer has keys before connecting
* Make sure we check ccaches in all rpcserver paths
* Revert setting sessionMaxAge for old clients
* Add code to be able to set default kinit lifetime
* Fix rare race condition with missing ccache file
* Make sure remote hosts have our keys
* Fix s4u2self with adtrust
* Prevent churn on ccaches
* Work around issues fetching session data
* Handle failed authentication via cookie
* Avoid growing FILE ccaches unnecessarily
* Add options to allow ticket caching

=== Stanislav Laznicka (97) ===
* spec: remove strict options from shebangs
* spec: have the scripts depend on py3 packages
* spec: remove python3 workaround
* Remove unused variable
* certmonger: remove temporary workaround
* cert: fix wrong assumption of cert-show result type
* rpc: don't encode bytes
* py3: Fix searching for yubikeys
* py3: remove relative import
* py3: remove Exception.message appearances
* Fix cert file creation during CA-less installation
* Uninstall: fix BytesWarning exception
* Unify storing certificates in LDAP
* py3: fix caless to CA promotion on replica
* cacert_manage: fix CA cert renewal
* python3: port certmonger requests script
* crtmgr: fix bug if CERTMONGER_CERTIFICATE not set
* certmonger: finish refactoring for request script
* certmonger: fix storing retrieved certificates
* Make the IPA server run under Python 3 by default
* Turn IPA scripts to python3 -bb for testing
* py3: Depend on newer pyldap for server-upgrade
* ipautil: port host_port_open() to python 3
* conncheck: fix progression on failure
* kerberos: fix sorting Principal objects
* host, service: fix adding host/svc with a cert
* server plugin: pass bytes to ldap.modify_s
* replica: fix SetuptoolsVersion comparison
* replica-prepare: run the script in py3 by default
* certs: write and read bytes as such
* client: make ipa-client-install py3 compatible
* cainstance: read cert file as bytes
* ca: TypeError fix
* krainstance: fix writing str to file
* replica-conncheck: log when failed to RPC connect
* Fixup of not-so-good PEM certs
* x509,certdb: handle certificates as bytes
* Create a Certificate parameter
* parameters: relax type checks
* tests: fix failing HTTPS connection
* Introduce load_unknown_x509_certificate()
* x509: Make certificates represented as objects
* Split x509.load_certificate() into PEM/DER functions
* README: Fix trailing whitespace
* Ensure network is online prior to an upgrade
* rpcserver: remove addition of str and bytes
* wsgi plugins: mod_wsgi expects bytes as an output
* adtrustinstance: write the conf as a string
* adtrustinstance: pep8 fix
* More verbose error message on kdc cert validation
* cert-validate: keep all messages in cert validation
* adtrustinstance: fix ID range comparison
* Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm()
* ipadiscovery: Return realm as a string
* session_storage: Correctly handle string/byte types
* rpc: avoid possible recursion in create_connection
* rpc: preparations for recursion fix
* Avoid possible endless recursion in RPC call
* kdc.key should not be visible to all
* Change ConfigParser to RawConfigParser
* ca/cert-show: check certificate_out in options
* Remove pkinit-anonymous command
* Make a doctext more clear
* Provide useful messages during cert validation
* cert-show: writable files does not mean dirs
* fix managed-entries printing IPA not installed
* Fix wrong message on Dogtag instances stop
* Make CA/KRA fail when they don't start
* Remove the cachedproperty class
* Refresh Dogtag RestClient.ca_host property
* compat plugin: Update link to slapi-nis project
* compat: ignore cn=topology,cn=ipa,cn=etc subtree
* Move the compat plugin setup at the end of install
* compat-manage: behave the same for all users
* Fix CAInstance.import_ra_cert for empty passwords
* Fix RA cert import during DL0 replication
* ext. CA: correctly write the cert chain
* server-install: No double Kerberos install
* Fix CA-less to CA-full upgrade
* replicainstall: better client install exception handling
* Add the force-join option to replica install
* server-install: remove broken no-pkinit check
* Add pki_pin only when needed
* Remove publish_ca_cert() method from NSSDatabase
* Get correct CA cert nickname in CA-less
* Remove redundant option check for cert files
* replica-prepare man: remove pkinit option refs
* Don't allow setting pkinit-related options on DL0
* Fix the order of cert-files check
* Generate PIN for PKI to help Dogtag in FIPS
* Backup CA cert from kerberos folder
* Allow renaming of the sudorule objects
* Allow renaming of the HBAC rule objects
* Reworked the renaming mechanism
* Bump samba version for FIPS and priv. separation
* Backup ipa-specific httpd unit-file
* Add debug log in case cookie retrieval went wrong

=== Thierry Bordaz (1) ===
* NULL LDAP context in call to ldap_search_ext_s during search

=== Tibor Dudlák (11) ===
* otptoken_yubikey.py: Removed traceback when package missing.
* topology.py: Removes error message from dictionary.
* Add test: test_xmlrpc/test_whoami_plugin.py
* whoami.py: Type error when running tests
* Create indexes for 'serverhostname' attribute
* Add --force-join into ipa-replica-install manpage
* dnsserver.py: dnsserver-find no longer returns internal server error
* Add Role 'Enrollment Administrator'
* server.py: Removes dns-server configuration from ldap
* sssd.py: Deprecating no-sssd option.
* client.py: Replace hardcoded 'admin' with options.principal

=== Tibor Dudlák (2) ===
* user.py: replace user_mod with ldap.update_entry()
* Add 'TIP' to enable copr repo.

=== Timo Aaltonen (2) ===
* ipa-otpd.socket.in: Use a platform specific value for KDC service file
* configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in

=== Tomas Krizek (25) ===
* Become IPA 4.6.0
* Contributors.txt: update
* zanata: update translations for ipa-4-6
* zanata: set project version to ipa-4-6
* dnssec: keep dnssec daemons in Python2
* ipatests: collect log after ipa-ca-install
* dnssec: fix localhsm.py utility script
* prci: add caless tests
* makerpms.sh: make git checkout optional
* build: checkout *.po files at the end of makerpms.sh
* freeipa-pr-ci: enable pull-request CI
* ipactl: log check_version exception
* logging: make sure logging level is set to proper value
* ipatests: do not finalize api when IPA is not configured
* ipatests: do not collect systemd journal when logfile_dir is missing
* ipatests: add systemd journal collection for multihost tests
* ipatests: change logdir naming pattern for multihost tests
* named.conf template: add modification warning
* ca, kra install: validate DM password
* installutils: add DM password validator
* ca install: merge duplicated code for DM password
* upgrade: add missing suffix to http instance
* installer service: fix typo in service entry
* python2-ipalib: add missing python dependency
* kra install: update installation failure message

=== Thorsten Scherf (2) ===
* Changed ownership of ldiffile to DS_USER
* Fixed typo in ipa-client-install output

