[Freeipa-interest] Announcing freeIPA 4.7.0

Mon Jul 23 17:43:53 UTC 2018

The FreeIPA team would like to announce FreeIPA 4.7.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

== Highlights in 4.7.0 ==

=== Enhancements ===

==== mod_ssl =====

IPA has switched to mod_ssl as the crypto engine for Apache. This change
will be made automatically when upgrading.

==== NSS sqlite database ====

Fedora 28 changed the default database format type from dbm to sqlite.
Theoretically there should be no end-user difference but you will see
different file names for your NSS databases: cert9.db, key4.db and
pkcs11.txt.

==== authselect ====

Fedora 28 switched to a new PAM configuration tool, authselect.
https://fedoraproject.org/wiki/Changes/Authselect

==== Time server change to chronyd ====

The ntpd service was deprecated in F28. It was replaced by chronyd. The
client also uses chrony as its time client.

https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

==== Python 3 ====

FreeIPA now fully supports Python 3 and can be installed without any
python 2 dependencies.

=== Known Issues ===

=== Bug fixes ===

FreeIPA 4.7.0 includes all of the bug fixes and enhancements from 4.6.1
- 4.6.4.

There are more than 170 bug fixes, details of which can be seen in
the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.

== Resolved tickets ==
* 7615 ipa_tests: ipa-replica-prepare stuck on user input
* 7550 [WebUI] extend host test suite
* 7547 ui_tests: checkbox click fix
* 7546 ui_tests: improve "field_validation" method
* 7544 ui_tests: extend test_selinuxusermap.py suite
* 7542 CLI and Web UI allow to add more then one radius server into
radius proxy
* 7540 Extend WebUI test_krbpolicy suite with the following test cases:
* 7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
* 7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the
complete chain
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has
occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7510 validate_selinuxuser does not allow a period in selinux user
identifier
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect
behaviour
* 7485 Extending webui user group test
* 7474 ipa-server-install --uninstall on replica fails with
"NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7463 test_webui: add user life-cycles tests
* 7447 test_create_host_with_ip is not fully covering possible return errors
* 7436 ipa: Please log something after restarting the KDC
* 7433 CRL url on replicas gets incorrectly redirected
* 7432 make fasttest fails on fresh clone. fedora26
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn
-s CA
* 7424 Improve Realm Domains doc text
* 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
* 7400 Add excludearch for i686 because 389-ds is no longer doing 32-bit
builds
* 7397 ipa host-add --ip-address... returns Internal error when
forward-policy=none is defined
* 7394 file conflicts between python2-mod_wsgi and freeipa-server
* 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry
enabling TLS in 389-ds
* 7390 cert-request: issuance of malformed certificate causes IPA
Internal Error
* 7389 F-27 upgrade to 4.6.3-1 fails with KRA update
* 7383 user-add: user creation proceeds when password is wrong
* 7381 Drop PyOpenSSL requirement
* 7380 Possible regression for limited OTP characters in host-add
* 7378 ipa-ods-exporter fails with socket activation did not return socket
* 7374 IPA 'Generate OTP' option in web gui does not show OTP code when
no reverse zone is managed
* 7373 "An internal error has occurred" show up when trying to add a
user to the Member User table in Vault.
* 7371 uninstalling replica leaves orphained data in ldap
* 7359 [RFE] extend topology plugin to clean up a removed replica ldap/
principal
* 7357 IntegrationTests do not fail even if the uninstall process fails
* 7342 admins group is not including all permissions of Role "User
Administrator"
* 7338 FreeIPA server install/upgrade does not process schema.d/ files
correctly
* 7335 Integration tests are not collecting all logs
* 7330 ipa-server-install --uninstall does not return error code on error
* 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't
contact LDAP server", 'errno': 111, 'info': 'Connection refused'}
* 7315 Packaging: use pylint 1.7.5 and remove disable for import stat
* 7313 trust integration tests need to override test_establish_trust
method when using different trust-add options
* 7308 Help for ipa trust-add --range-type
* 7299 RPM post-install scripts fail because they are run with python2
* 7294 python3 incompatibility in vault_archive
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level
for replica tests
* 7253 Custodia keys are not removed on uninstall
* 7240 ipa-dnskeysyncd broken (and ipactl doesn't tell)
* 7226 Remove remaining references to Firefox configuration extension
* 7220 Third KRA  installation in topology fails
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA
web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7162 [ipatests] disable replication debugging for 389-ds logs in
integration tests
* 7157 [tracker] pyasn1 fails to parse kerberos principal name
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start
tracking certs
* 7150 Ipa-server-install update dse.ldif with wrong SELinux context
* 7148 py3: ipa cert-request --principal --database fails with
BytesWarning: str() on a bytes instance
* 7143 "unknown command 'undefined'" error when changing user's password
via the web UI
* 7136 ipa-restore command doesn't exit with failure if wrong directory
manager's password is provided
* 7135 Server deployment still sets up Firefox extension, this is no
longer necessary and broken on F27+
* 7134 ipa param-find: command displays internal error
* 7132 [4.6] PyPI packages are broken
* 7131 Finish Python3 support
* 7129 ipa-server/replica-install fails with: "exception: BytesWarning:
Comparison between bytes and string" when using '--dirsrv-config-file'
parameter
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite
fails due to missing dns records
* 7119 kdc_proxy: kinit admin fails with "Cannot contact any KDC for
realm 'IPA.TEST' while getting initial credentials"
* 7115 ipa-pki-retrieve-key: failure results in crash report
* 7033 vault: TypeError: ... is not JSON serializable
* 7027 Use TLS for cert-find
* 7012 Users can delete their last active OTP token
* 6994 RFE: Remove 389-ds tuning step
* 6968 Consider moving upgrades from rpm install post
* 6874 pylint 1.7.1 fails
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6851 Don't use ctypes.util.find_library in ipaclient
* 6844 ipa-restore fails when umask is set to 0027
* 6721 While performing ipa-server-upgrade, sssd goes offline and stalls
the upgrade process
* 6703 Enable ephemeral KRA requests
* 6609 A CA administrator fails to add CA for Insufficient 'add' privilege
* 5922 ipa vault-archive overwrites an existing value without warning
* 5887 IDNA domains does not work under py3
* 5813 ipa-kra-install disrupts bind-dyndb-ldap
* 5776 webui: some data disappear from user details page after the save
action is performed
* 5638 Port client code to Python 3
* 5442 [tracker] SELinux 'execmem' denials
* 7624 [WebUI] wrong link to browser configuration guide on Login page
* 7609 [py37] Import from collections.abc
* 7604 ipa-client-install --mkhomedir doesn't enable oddjobd
* 7591 [freeipa] Drop requirements for 'initscripts' from specfile
* 7590 lightweight subca: ca-show fails on replica
* 7589 cacert renew fails on replica
* 7585 Update to python3-lesscpy 0.13
* 7581 Translated text is formed incorrectly (API Browser)
* 7562 Regression: authselect 0.4-3 breaks FreeIPA sudo rules
* 7560 Do not depend on gnupg (1.x), use gnupg2
* 7559 UI LoginScreen widget cannot be translated
* 7536 [F28] SubCA failing, keys are orphan
* 7533 ipa-advise: remove plugin config-fedora-authconfig
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file
/usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7516 [F28] ipa-ca-install fails on replica
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf
despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7500 FreeIPA can remove svrcore-devel requirement
* 7498 [F28] CA replica fails with could not find certificate named
"caSigningCert cert-pki-ca"
* 7491 Unknown user 'ipaapi' when updating packages
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7471 [F28] replica pkispawn fails
* 7469 ipa-replica-prepare fail with "stat: path should be string,
bytes, os.PathLike or integer, not NoneType"
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7465 [F28] oddjobd not started, replica install fails with dbus error
in conn check
* 7464 CI is failing with pkispawn timeout
* 7461 Hardening of topology plugin to prevent erronous deletion of a
replica agreement
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7421 Store HTTPD private keys encrypted
* 7418 [RFE] Improve ipa-client-install behaviour when non-standard
ldap.conf is used
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install
trust-agent on replica
* 7396 ipa-client-automount --uninstall should return errcode
CLIENT_NOT_CONFIGURED
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7354 Fedora 28: Support NSSDB SQL format
* 7322 cert_find --subject is not finding by cert subject
* 7311 Update ui_driver to allow set path for geckodriver.log
* 7310 Integration tests don't collect logs from other replicas
* 7309 Integration tests: CA-less -> CA-ful promotion; post-promotion checks
* 7304 double ca acl provoke console error.
* 7302 test_external_ca: add selfsigned > external_ca > selfsigned test case
* 7301 Drop dependency on Python nose
* 7300 test_x509: test very long OID
* 7295 Build freeIPA with Python3 in @freeipa/freeipa-master-nightly
* 7278 Run WebUI unit test in TravisCI
* 7274 ipa-replica-install fails with PIN error [ CA-less environment ]
* 7263 Typo in login screen
* 7258 typo in accounts menu
* 7257 DNSSEC isn't supported in Python3
* 7251 f.flush() or os.fsync() don't sync
* 7246 Report CA Subject DN and subject base before installing.
* 7239 Using --auto-reverse and --allow-zone-overlap does not skip zone
overlap check
* 7225 CLI: view command / plugin help in pager
* 7224 Logging: ipa-replica-conncheck is missing a /n
* 7207 ipa-server-install should prevent installations with single label
domains
* 7201 ipa-replica-manage  re-initialize TypeError: 'NoneType' object
does not support item assignment
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress
/var/lib/pki/pki-tomcat/logs/ca/debug
* 7049 Prepare for NSS switch default database to sqlite in F-27
* 7024 freeipa depends on ntp
* 6931 custodia user isn't created when FreeIPA RPMs are installed
* 6890 Quickstart guide: mention how to open firewall ports
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still
deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 6837 make ipa.conf and named.conf portable
* 6760 Improve console message for "ipa-server-install --uninstall" command
* 6604 Make pylint and jsl optional (and other issues)
* 6589 client should require /etc/krb5.conf.d/
* 6450 pylint: cyclic dep check sometimes makes build fail
* 4853 Utilize system-wide crypto-policies
* 4140 Configure the NSS shared database model in IPA servers
* 3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
* 2536 Create DOAP description for the IPA project

== Detailed changelog since 4.6.4 ==

=== Armando Neto (9) ===
* Disable Pylint 2.0 violations
* Fix Pylint 2.0 violations
* Fix pylint 2.0 conditional-related violations
* Fix pylint 2.0 return-related violations
* Replace file.flush() calls with flush_sync() helper
* ipa-server-install: fix zonemgr argument validator
* ipa-client-install: Update how comments are added by ipachangeconf
* ui_tests: fix test_config::test_size_limits
* Prevent the creation on users and groups with numeric characters only

=== Alexander Bokovoy (28) ===
* ipaserver/dcerpc.py: handle indirect topology conflicts
* pylint3: workaround false positives reported for W1662
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading
ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
* dsinstance: Restore context after changing dse.ldif

=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks

=== Alexander Koksharov (4) ===
* Fix replica_promotion-domlevel0 test failures
* preventing ldap principal to be deleted
* ensuring 389-ds plugins are enabled after install
* kra-install: better warning message

=== amitkuma (13) ===
* Match Common Name attribute in Subject
* ipa vault-archive overwrites an existing value without warning
* ipa-advise: remove plugin config-fedora-authconfig
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client
* Error message while adding idrange with untrusted domain
* Removing extra spaces present in man ipa-server-install
* ipa-advise for smartcards updated
* Custom ca-subject logging
* Documenting kinit_lifetime in /etc/ipa/default.conf

=== Anuja More (5) ===
* Test for ipa-client-install should not use hardcoded admin principal
* Test that host can remove there own services
* Test for ipa-replica-install fails with PIN error for CA-less env.
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage

=== Aleksei Slaikovskii (17) ===
* Revert "Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
* Uninstall fix for named-pkcs11
* Radius proxy multiservers fix
* test_backup_and_restore.py Fix logging
* Enable and start oddjobd after ipa-restore if it's not running.
* Fixing translation problems
* test_backup_and_restore.py AssertionError fix
* ipalib/frontend.py output_for_cli loops optimization
* View plugin/command help in pager
* ipa-restore: Set umask to 0022 while restoring
* Prevent installation with single label domains
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
* Make tox tests to generate results in JUnit XML
* Make WebUI unit tests to generate results as JUnit

=== Brian J. Murrell (1) ===
* Move ETag disabling to /ipa virtual server

=== Christian Heimes (191) ===
* Remove needless use of %defatt
* Add more RHEL customizations to spec file
* Update builddep command in BUILD.txt
* Use python2_sitelib in spec file
* Fedora 29: No longer build python2-ipaserver
* Add pylint ignore to magic config.Env attributes
* Teach pylint how our api works
* Fix ipa console filename
* Create helper function to upload to temp file
* Add tab completion and history to ipa console
* Handle races in replica config
* pylint 2.0: node.path is a list
* Fix XPASS in test_installation
* Mark all expected failures as strict
* Fix DNSSEC install regression
* Wait for client certificates
* Auto-retry failed certmonger requests
* Tune DS replication settings
* Fix race condition in get_locations_records()
* Fix CA topology warning
* Delay enabling services until end of installer
* Only create DNS SRV records for ready server
* Query for server role IPA master
* Cleanup shebang and executable bit
* Import ABCs from collections.abc
* Require JSS 4.4.5 with replication fixes
* Extend Sub CA replication test
* pylint: Class node has been renamed to ClassDef
* Pythhon3.7: re module has no re._pattern_type
* Catch ACIError instead of invalid credentials
* Fix permission of public files in upgrader
* Make /etc/httpd/alias world readable & executable
* Always make ipa.p11-kit world-readable
* Ensure that public cert and CA bundle are readable
* Use 4 WSGI workers on 64bit systems
* Fix replication races in Dogtag admin code
* Use common replication wait timeout of 5min
* Improve and fix timeout bug in wait_for_entry()
* Remove restarted_named and xfail
* Tests: Set default TTL for DNS zones to 1 sec
* Always set ca_host when installing replica
* Start to deprecate Python 2 and 3.5
* Sort and shuffle SRV record by priority and weight
* Increase WSGI process count to 5 on 64bit
* Fedora 29 renamed fedora-domainname.service
* Use python3-lesscpy 0.13.0
* Split external_ca PR-CI into two jobs
* Always build Python 3 packages
* Make Python 2 build dependency optional
* Use one Custodia peer to retrieve all secrets
* Move client templates to separate directory
* Print version string in installer
* Backport gzip.decompress for Python 2
* Require JSS 4.4.4 with fix for sub CA replication
* Refuse PORT, HOST in /etc/openldap/ldap.conf
* Apply sane LDAP settings to C code
* Use sane default settings for ldap connections
* Add test case for allow-create-keytab
* Use GnuPG 2 for backup/restore
* Use GnuPG 2 for symmentric encryption
* Require python-ldap >= 3.1.0
* Reproducer for issue 5923 (bytes in error response)
* Run PR-CI with Fedora 28
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes
* Relax message check in test_create_host_with_ip
* Make fasttest pass without ~/.ipa/default.conf
* Instrument installer to profile steps
* autoconf prefers Python 3 over 2
* Simplify Python package installation
* Move DNS related files to server-dns package
* Silence GCC warning in ipa_extdom
* Silence GCC warning in ipa-kdb
* Remove unused modutils wrappers from NSS/CertDB
* Update /etc/ipa/nssdb in client scripts
* NSS: Force restore of SELinux context
* NSSDB: Let certutil decide its default db type
* Prepare migration of mod_nss NSSDB to sql format
* certmonger: Use explicit storage format
* Remove deprecated -p option from ipa-dns-install
* Add mocked test for named crypto policy update
* Upgrade named.conf to include crypto policy
* Use system-wide crypto-policies on Fedora
* Add better CalledProcessError and run() logging
* freeipa-server no longer supports i686 arch on F28
* ipa-custodia-checker now uses python3 shebang
* Unified ldap_initialize() function
* Fix multiple uninstallation of server
* Fix i18n test for Chinese translation
* Run API and ACI under Python 2 and 3
* Generate same API.txt under Python 2 and 3
* Replace wsgi package conflict with config file
* Restart named-pkcs11 after KRA installation
* Update existing 389-DS cn=RSA,cn=encryption config
* Replace hard-coded paths with path constants
* Bump python-ldap version to fix syncrepl bug
* Bump SELinux policy for DNSSEC
* ipa-server-upgrade now checks custodia server keys
* DNSSEC code cleanup
* DNSSEC: Reformat lines to address PEP8 violations
* Decode ODS commands
* Run DNSSEC under Python 3
* More DNSSEC house keeping
* Remove unused PyOpenSSL from spec file
* Give ODS socket a bit of time
* Require dbus-python on F27
* Fix pylint error in ipapython/dn.py
* Lower python-ldap requirement for F27
* ipa-run-tests: make --ignore absolute, too
* Sort external schema files
* LGTM: unnecessary else in for loop
* LGTM: Use explicit string concatenation
* LGTM: raise handle_not_found()
* LGTM: Fix multiple use before assignment
* LGTM: Remove redundant assignment
* LGTM: Fix exception in permission_del
* LGTM: Membership test with a non-container
* LGTM: Name unused variable in loop
* LGTM: Use of exit() or quit()
* LGTM: Silence unmatchable dollar
* Make fastlint even faster
* ipa-run-tests: replace chdir with plugin
* Include ipa_krb5.h without util prefix
* Custodia uninstall: Don't fail when LDAP is down
* Require python-ldap 3.0.0b2
* Use pylint 1.7.5 with fix for bad python3 import
* Vault: Add argument checks to encrypt/decrypt
* Fix pylint warnings inconsistent-return-statements
* Travis: Add workaround for missing IPv6 support
* Replace nose with unittest and pytest
* Add safe DirectiveSetter context manager
* More log in verbs
* Address more 'to login'
* Fix grammar error: Log out
* Fix grammar in login screen
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* NSSDB: use preferred convert command
* Skip test_rpcclient_context in client tests
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* Require UTF-8 fs encoding
* libotp: add libraries after objects
* Run tox tests for PyPI packages on Travis
* Support sqlite NSSDB
* Py3: Fix vault tests
* Test script for ipa-custodia
* ipa-custodia: use Dogtag's alias/pwdfile.txt
* Use namespace-aware meta importer for ipaplatform
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi

=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly

=== Felipe Barreto (38) ===
* Adding xfail to failing tests
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in
TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct
* prci: Bump ci-master-f27 template to 1.0.3
* Adding more tests to PR CI
* Fixing cleanup process in test_caless
* WebUI Tests: changing the ActionsChains.move_to_element to a new approach
* WebUI Tests: fixing test_user.py::test_test_noprivate_posix
* WebUI Tests: Changing how the initial load process is done
* WebUI Tests: fixing test_range test case
* WebUI Tests: changing how the login screen is detected
* WebUI Tests: refactoring login method to be more readable
* WebUI Tests: fixing test_navigation
* WebUI Tests: fixing test_group
* WebUI Tests: fixing test_hbac
* Check if replication agreement exist before enable/disable it
* Make IntegrationTest fail if an error happened during uninstall
* IntegrationTests now collects logs from all test methods
* Fixing vault-add-member to be compatible with py3
* Fixing test_backup_and_restore assert to do not rely on the order
* Fixing test_testconfig with proper asserts
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
* Checks if Dir Server is installed and running before IPA installation
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica

=== François Cami (1) ===
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as
https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389
Directory Server.

=== Florence Blanc-Renaud (38) ===
* ipa client uninstall: clean the state store when restoring hostname
* Add test for ticket 7604: ipa-client-install --mkhomedir doesn't
enable oddjobd
* ipa-client-install: enable and start oddjobd if mkhomedir
* fix dependency for *-domainname.service file
* Installer: configure authselect with-sudo
* Test for 7526
* ipa-server-install: publish complete cert chain in
/usr/share/ipa/html/ca.crt
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master
* ipa-restore: remove /etc/httpd/conf.d/nss.conf
* ipa-server-install: handle error when calling kdb5_util create
* ipa host-add: do not raise exception when reverse record not added
* ACI: grant access to admins group instead of admin user
* 389-ds OTP lasttoken plugin: Add unit test
* User must not be able to delete his last active otp token
* ipa host-add --ip-address: properly handle NoNameservers
* test_integration: backup custodia conf and keys
* Idviews: fix objectclass violation on idview-add
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-replica-install when key not protected by PIN
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
* Fix ipa-server-upgrade with server cert tracking
* Python3: Fix winsync replication agreement
* Fix ipa config-mod --ca-renewal-master

=== Fraser Tweedale (52) ===
* Add missing space in error string
* Handle compressed responses from Dogtag
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout
* upgrade: remove fix_trust_flags procedure
* ldap2: fix implementation of can_add
* ipaldap: allow GetEffectiveRights on individual operations
* Update IPA CA issuer DN upon renewal
* cert-request: avoid internal error when cert malformed
* Improve warning message for malformed certificates
* Don't use admin cert during KRA installation
* Add uniqueness constraint on CA ACL name
* Add tests for installutils.set_directive
* installutils: refactor set_directive
* pep8: reduce line lengths in CAInstance.__enable_crl_publish
* Prevent set_directive from clobbering other keys
* install: report CA Subject DN and subject base to be used
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes

=== Ganna Kaihorodova (7) ===
* check nsds5ReplicaReleaseTimeout option was set
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder
* Overide trust methods for integration tests

=== John Morris (1) ===
* Increase dbus client timeouts during CA install

=== Justin Stephenson (1) ===
* Skip zone overlap check with auto-reverse

=== Kaleemullah Siddiqui (1) ===
* Test coverage for multiservers for radius proxy

=== Martin Basti (3) ===
* py3: bindmgr: fix iteration over bytes
* py3: ipa-dnskeysyncd: fix bytes issues
* py3: set samba dependencies

=== Takeshi MIZUTA (1) ===
* Fix some typos in man page

=== Michal Reznik (54) ===
* Mark DL0 TestReplicaManageDel tests as xfail
* ipa_tests: ipa-replica-prepare stuck on user input
* ui_tests: stabilization fixes
* ui_tests: extend test_config.py suite
* ui_tests: fixes for issues with sending key and focus on element
* ui_tests: add click_undo_button() func
* ui_tests: extend test_selinuxusermap.py suite
* ui_tests: improve "field_validation" method
* ui_tests: checkbox click fix
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function
* test_caless: adjust try/except to capture also IOError
* ipa_tests: test signing request with subca on replica
* tests: ca-less to ca-full - remove certupdate
* ipa_tests: test subca key replication
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test PKINIT install and anchor update
* test_renewal_master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography

=== Varun Mylaraiah (5) ===
* ui_tests: extend test_pwpolicy.py suite
* Extend WebUI test_krbpolicy suite with the following test cases:
test_verifying_button (verify button's action in various scenarios)
test_negative_value (verify invalid values) test_verifying_measurement_unit
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags added
closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios

=== Mohammad Rizwan Yusuf (9) ===
* Check if issuer DN is updated after self-signed > external-ca
* Extended UI test for Certificates
* Extended UI test for selfservice permission.
* Test to check second replica installation after master restore
* Before the fix, when ipa-backup was called for the first time, the
LDAP database exported to
/var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif
is called for this and it runs under root, hence files were owned by root.
* Updated the TestExternalCA with the functions introduced for the steps
of external CA installation.
* When the dirsrv service, which gets started during the first
ipa-server-install --external-ca phase, is not running when the second
phase is run with --external-cert-file options, the ipa-server-install
command fail.
* IANA reserved IP address can not be used as a forwarder. This test
checks if ipa server installation throws an error when 0.0.0.0 is
specified as forwarder IP address.
* ipatest: replica install with existing entry on master

=== Nikhil Dehadrai (1) ===
* Test for improved Custodia key distribution

=== Armando Neto (1) ===
* ipaserver config plugin: Increase search records minimum limit

=== Nathaniel McCallum (3) ===
* Revert "Don't allow OTP or RADIUS in FIPS mode"
* Increase the default token key size
* Fix OTP validation in FIPS mode

=== Petr Čech (3) ===
* webui:tests: Add tests for realmd domains
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection

=== Pavel Picka (2) ===
* Adding WebUI Host test cases
* WebUI Hostgroups tests cases added

=== Petr Vobornik (17) ===
* Update Dojo and Dojo builder to 1.13.0
* WebUI build: use NodeJS instead of Rhino
* WebUI build: replace uglifyjs with system package
* Fix test_server_del::TestLastServices
* server-del do not return early if CA renewal master cannot be changed
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text
* webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
* Revert "temp commit to run the affected tests"
* temp commit to run the affected tests
* webui:tests: close big notifications in realm domains tests
* webui:tests: realm domain add with DNS check
* webui:tests: move DNS test data to separate file
* fastcheck: do not test context in pycodestyle
* browser config: cleanup after removal of Firefox extension

=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing

=== Rob Crittenden (62) ===
* replicainstall: DS SSL replica install pick right certmonger host
* Extend CALessBase::installer_server to accept extra_args
* Handle subyptes in ACIs
* server install: drop some print statements, change log level
* Drop attr defaultServerList if removing the last server
* Improve console logging for ipa-server-install
* Replace some test case adjectives
* Suppress missing cn=schema compat on installation
* Use replace instead of add to set new default ipaSELinuxUserMapOrder
* Disable Schema Compat plugin during server upgrade
* Add tests for ipa-restore with DM password validation check
* Validate the Directory Manager password before starting restore
* Rename test class for testing simple commands, add test
* Don't try to set Kerberos extradata when there is no principal
* Client install should handle automount unconfigured on uninstall
* Return unique error when automount is already or not configured
* VERSION.m4: Set back to git snapshot
* Become IPA 4.6.90.pre2
* Update 4.7 translations
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALes test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot
* Become IPA 4.6.90.pre1
* Update Contributors.txt
* Redirect CRL requests to the http port, not the https port
* Don't try to backup CS.cfg during upgrade if CA is not configured
* Don't return None on mismatched interactive passwords
* Update smart_card_auth advise script for mod_ssl
* Add value in set_directive after a commented-out version
* Don't backup nss.conf on upgrade with the switch to mod_ssl
* Enable upgrades from a mod_nss-installed master to mod_ssl
* Convert ipa-pki-proxy.conf to use mod_ssl directives
* Remove main function from the certmonger library
* Use mod_ssl instead of mod_nss for Apache TLS for new installs
* Fix detection of KRA installation so upgrades can succeed
* Move Requires: pythonX-sssdconfig into conditional
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation

=== Robbie Harwood (5) ===
* Fix elements not being removed in otpd_queue_pop_msgid()
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet
* Log errors from NSS during FIPS OTP key import
* ipa-kdb: support KDB DAL version 7.0

=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help

=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals

=== Sumit Bose (2) ===
* ipa-kdb: update trust information in all workers
* ipa-kdb: use magic value to check if ipadb is used

=== John L (1) ===
* Remove special characters in host_add random OTP generation

=== Stanislav Laznicka (84) ===
* Move config directives handling code
* Travis: ignore 'line break after binary operator'
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options
* Backup HTTPD's mod_ssl config and cert-key pair
* vault: fix vault-retrieve to a file
* Backup ssl.conf when migrating from mod_nss
* Move HTTPD cert/key pair to /var/lib/ipa/certs
* httpinstance fixup: remove commented-out lines
* httpinstance: fix publishing of CA cert
* httpinstance: verify priv key belongs to certificate
* httpinstance: backup mod_nss conf instead of just removing it
* service: rename import_ca_certs_* to export_*
* fixup: add ipa-rewrite.conf to ssl.conf on upgrade
* Make ipa-server-certinstall store HTTPD cert in a file
* certupdate: don't update HTTPD NSS db
* x509: Fix docstring of write_certificate()
* x509: Remove unused argument of load_certificate_from_file()
* httpinstance: handle supplied PKCS#12 files in installation
* mod_ssl migration: fix upload_cacrt.py plugin
* Fix FileStore.backup_file() not to backup same file
* Have all the scripts run in python 3 by default
* replica_prepare: Remove the correct NSS DB files
* Add a helpful comment to ca.py:install_check()
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* travis: pep8 changes to pycodestyle
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
* rpc: don't decode cookie_string if it's None
* Don't write p11-kit EKU extension object if no EKU
* pylint: fix missing module
* travis: run the same tests in python2/3
* certmap testing: fix wrong cert construction
* ldap2: don't use decode() on str instance
* client: fix retrieving certs from HTTP
* uninstall: remove deprecation warning
* ldif: handle attribute names as strings
* pkinit: don't fail when no pkinit servers found
* pkinit: fix sorting dictionaries
* travis: remove "fast" from "makecache fast"
* Change Travis CI container to FreeIPA-owned
* Change the requirements for pylint in wheel
* rpcserver: don't call xmlserver.Command
* secrets: disable relative-imports for custodia
* pylint: disable __hash__ for some classes
* install.util: disable no-value-for-parameter
* pylint: make unsupported-assignment-operation check local
* sudocmd: fix unsupported assignment
* pylint: Iterate through dictionaries
* parameters: convert Decimal.precision to int
* dcerpc: disable unbalanced-tuple-unpacking
* dcerpc: refactor assess_dcerpc_exception
* pylint: fix no-member in schema plugin
* csrgen: fix incorrect codec for pyasn BitString
* pylint: fix not-context-manager false positives
* travis: temporary workaround for Travis CI
* Travis: archive logs of py3 jobs

=== Stanislav Levin (11) ===
* Fix link to browser configuration guide on Login page
* Fix some untranslatable commands in Web UI API Browser
* Apply validate_doc() to NO_CLI commands
* Fix formatted translations of error messages in topology plugin
* Fix formatted translations of error messages in serverroles plugin
* Fix formatted translations in trust plugin
* Fix translation of idrange_* commands description
* Fix formatted translations in domainlevel plugin
* Use intended format() method of translation object
* Add support for format method to translation objects
* Fix translation of commands description in API Browser

=== Sudhir Menon (2) ===
* Adding modified DOAP file
* DOAP Description for IPA Project

=== Thierry Bordaz (2) ===
* Hardening of topology plugin to prevent erronous deletion of a replica
agreement
* 389-ds-base crashed as part of ipa-server-intall in ipa-uuid

=== Tibor Dudlák (15) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option
* Do not check deleted files with `make fastlint`

=== Timo Aaltonen (9) ===
* Fix HTTPD SSL configuration for Debian.
* ldapupdate: Add support for Debian multiarch
* named.conf: Disable duplicate zone on debian, and modify data dir
* Add mkhomedir support for Debian
* paths: Fix some path definitions for Debian.
* constants: Fix HTTPD_GROUP for Debian
* Create kadm5.acl if it doesn't exist
* ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
* Move config templates from install/conf to install/share

=== Tomas Krizek (20) ===
* test_dnssec: re-add named-pkcs11 workarounds
* py3 dnssec: convert hexlify to str
* py3: bindmgr: fix bytes issues
* prci: bump ci-master-f27 template to 1.0.2
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* spec: bump python-pyasn1 to 0.3.2-2
* prci: use f26 template for master
* VERSION: set 4.6 git snapshot
* Contributors.txt: update

=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to
api_env var.