[Freeipa-interest] FreeIPA 4.9.0 release candidate 1 released

Alexander Bokovoy abokovoy at redhat.com
Tue Nov 17 17:49:31 UTC 2020


The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1!

It can be downloaded from http://www.freeipa.org/page/Downloads. At this
point, we do not plan to provide releases to Fedora 33 or earlier
versions due to a large number of changes coming with FreeIPA 4.9
series.

This is a short version of the release notes. A full changelog can be found at
https://www.freeipa.org/page/Releases/4.9.0rc1

== Highlights in 4.9.0 release candidate 1

* 298: [RFE] Add support for cracklib to password policies



     FreeIPA password quality checking plugin has been extended to use
     libpwquality library. Password policies can now check for a reuse of
     a user name, dictionary words using a cracklib package, numbers and
     symbols replacement and repeating characters in the passwords.



* 2445: [RFE] IdM password policy should include checks for repeating
characters



     FreeIPA password quality checking plugin has been extended to use
     libpwquality library. Password policies can now check for a reuse of
     a user name, dictionary words using a cracklib package, numbers and
     symbols replacement and repeating characters in the passwords.



* 3687: [RFE] IPA user account expiry warning.



     EPN stands for Expiring Password Notification. It is a standalone
     tool designed to build a list of users whose password would expire
     in the near future, and either display the list in a
     machine-readable (JSON) format, or send email notifications to these
     users. EPN provides command-line options to display the list of
     affected users. This provides data introspection and helps
     understand how many emails would be sent for a given day, or a given
     date range. The command-line options can also be used by a
     monitoring system to alert whenever a number of emails over the SMTP
     quota would be sent. EPN is meant to be launched once a day from an
     IPA client (preferred) or replica from a systemd timer. EPN does not
     keep state: the list of affected users is built at runtime but never
     kept.



* 3827: [RFE] Expose TTL in web UI



     DNS record time to live (TTL) parameters can be edited in Web UI.



* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA



     Samba file server can now be configured on the FreeIPA-enrolled
     system to provide file services to users in IPA domain and to users
     from trusted Active Directory forests.



* 4751: Implement ACME certificate enrolment



     Configure the Automatic Certificate Management Environment (ACME)
     protocol support provided by the dogtag CA.



* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI



* 5608: [RFE] Add Dogtag configuration extensions



* 5662: ID Views: do not allow custom Views for the masters



     Custom ID views cannot be applied to IPA masters. A check was added
     to both IPA CLI and Web UI to prevent applying custom ID views to
     avoid confusion and unintended side-effects.



* 5948: [RFE] Implement pam_pwquality featureset in IPA password
policies



* 6783: [RFE] Host-group names command rename



     Host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod
     group-name --rename new-name'. Protected hostgroups ('ipaservers')
     cannot be renamed.



* 7137: [RFE]: Able to browse different links from IPA web gui in new
tabs



* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory
is enabled



     FreeIPA password policy plugin in 389-ds was extended to exempt
     non-Kerberos LDAP objects from checking Kerberos policy during
     password changes by the Directory Manager or a password
     synchronization manager. This issue affected, among others, an
     integrated CA administrator account during deployment of more than
     one replica in some cases.



* 7522: Disable cert publishing in dogtag



     Dogtag certificate publishing facility is not configured anymore as
     it is not used in FreeIPA.



* 7577: [RFE] DNS package check should be called earlier in installation
routine



     The ``--setup-dns`` knob and interactive installer now both check
     for the presence of freeipa-server-dns early and abort the installer
     with an error before starting actual deployment.



* 7695: ipa service-del should display principal name instead of Invalid
'principal'.



     When deleting services, report exact name of a system required
     principal that couldn't be deleted.



* 7966: Add support for JSON-RPC in ipa-join



     The ipa-join tool now defaults to the JSON-RPC protocol when
     communicating with IPA masters. The choice of JSON-RPC or XML-RPC
     is now a compile-time setting.



* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails



* 8106: ca-certificate file not being parsed correctly on Ubuntu with
p11-kit-trust.so due to data inserted by FreeIPA Client install



     On Debian-based platforms update-ca-certificates does not support
     multiple certificates in a single file. IPA installers now write
     individual files per each certificate for Debian-based platforms.



* 8114: [RFE] Delegate group membership management



     It is now possible to associate group managers with the groups.
     Group managers have rights to add and remove members of the
     individual group rather than being administrators for every group.



* 8217: RFE: ipa-backup should compare locally and globally installed
server roles



     ipa-backup now checks whether the local replica's roles match those
     used in the cluster and exits with a warning if this is not the case,
     as backups taken on this host would not be sufficient for a proper
     restore. FreeIPA administrators are advised to double check whether
     the host on which backups are run has all the necessary (used) roles.



* 8222: Upgrade dojo.js



     Version of dojo.js framework used by FreeIPA Web UI was upgraded to
     1.16.2.



* 8233: 4.8.5 master Installation error



     On Debian and ALT Linux, setup of the AJP connector restarted the
     Apache instance before it was configured. The restart wasn't
     actually needed and thus was removed.



* 8236: Enforce a check to prevent adding objects from IPA as external
members of external groups



     Command 'ipa group-add-member' allowed specifying any user or group
     for the '--external' option. A stricter check was added to verify
     that a group or user to be added as an external member does not come
     from the IPA domain.



* 8239: Actualize Bootstrap version



     Bootstrap Javascript framework used by FreeIPA web UI was updated to
     version 3.4.1.



* 8241: Build fails on Fedora 30



     SELinux rules for ipa-custodia were merged into FreeIPA SELinux
     policy. The policy relied on an SELinux interface that is not
     available in Fedora 30. The logic was changed to allow better
     portability across SELinux versions.



* 8268: Prevent use of too long passwords



     Kerberos tools limit passwords entered in kpasswd or kadmin tools to
     1024 characters but do not make it possible to distinguish between
     passwords cut off at 1024 characters and passwords with 1024
     characters. Thus, a limit of 1000 characters is now applied
     everywhere in FreeIPA.



* 8275: Support systemd-resolved



     FreeIPA DNS servers now detect systemd-resolved and configure it to
     pass through itself.



* 8276: Add default password policy for sysaccounts



     cn=sysaccounts,cn=etc now has a default password policy to permit
     system accounts with krbPrincipalAux object class. This allows
     system accounts to have a keytab that does not expire. The "Default
     System Accounts Password Policy" has a minimum password length in
     case the password is directly modified with LDAP.



* 8284: Upgrade jQuery version to actual one



     Version of jQuery framework used by FreeIPA Web UI was updated to
     3.4.1.



* 8289: ipa servicedelegationtarget-add-member does not allow to add
hosts as targets



     Service delegation rules and targets now allow specifying hosts as a
     rule or a target's member principal.



* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal
alias



     Memory handling in various FreeIPA KDC functions was improved,
     preventing potential crashes when looking up machine account aliases
     for Windows machines.



* 8301: The value of the first character in target* keywords is expected
to be a double quote



     389-ds 1.4 enforces syntax for target* keywords (targetattr,
     targetfilter, etc) to have quoted attributes. An ACI that contains
     unquoted parameters is otherwise ignored. Default FreeIPA access
     controls were fixed to follow 389-ds syntax. Any third-party ACIs
     need to be updated manually.



* 8304: [fed32] client-install does not properly set
ChallengeResponseAuthentication yes in sshd conf



     ipa-client-installation now writes the sshd configuration to the
     drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf
     snippet, thus ensuring that the setting
     "ChallengeResponseAuthentication yes" takes precedence.



* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises
warnings



     389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP
     binds. FreeIPA now disables this feature because changing password
     hash in FreeIPA is not allowed by the internal plugins that
     synchronize password hashes between LDAP and Kerberos.



* 8322: [RFE] Changing default hostgroup is too easy



     In Web UI a confirmation dialog was added to automember
     configuration to prevent unintended modification of a default host
     group.



* 8325: [WebUI] Fix htmlPrefilter issue in jQuery



     CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and
     before 3.5.0, passing HTML from untrusted sources - even after
     sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
     .html(), .append(), and others) may execute untrusted code. FreeIPA
     does not allow passing arbitrary code into the affected jQuery path,
     but we applied the jQuery fix anyway.



* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain



     When users from trusted Active Directory domains have permissions to
     manage IPA resources, they can do so through a Web UI management
     console.



* 8348: Allow managed permissions with ldap:///self bind rule



     Managed permissions can now address self-service operations. This
     makes it possible for 3rd-party plugins to supply a full set of
     managed permissions.



* 8357: Allow managing IPA resources as a user from a trusted Active
Directory forest



     A 3rd-party plugin to provide management of IPA resources as users
     from trusted Active Directory domains was merged into FreeIPA core.
     ID user overrides can now be added to IPA management groups and
     roles and thus allow AD users to manage IPA.



* 8362: IPA: Ldap authentication failure due to Kerberos principal
expiration UTC timestamp



     LDAP authentication now handles Kerberos principal and password
     expiration time in UTC time zone. Previously, a local server time
     zone was applied even though UTC was implied in the settings.



* 8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf
) in freeipa-client-epn



     EPN did not ship any configuration file. This was an oversight, but
     the tool itself would work fine as it had sane defaults; moreover,
     the man page for the configuration file was present.



* 8401: Create platform definitions for freeipa-container



     ipaplatform now provides container platform flavors for
     freeipa/freeipa-container.



* 8404: Detect and fail if not enough memory is available for
installation



     FreeIPA server now requires at least 1.2 GiB RAM for installation to
     prevent performance degradation.



* 8444: EPN: enhance input validation



     Various input validation checks were added to EPN.



* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down



     EPN now displays a proper message if the configured SMTP server
     cannot be contacted.



* 8449: EPN: enhance CLI option tests



     EPN: enhance existing tests for --dry-run, --from-nbdays and
     --to-nbdays.



* 8488: SELinux blocks custodia key replication / retrieval for sub-CAs



     SELinux: Make sure ipa_custodia_t has the necessary rights; add
     dedicated policy rules for ipa-pki-retrieve-key.



* 8490: It is not possible to edit KDC database when the FreeIPA server
is running



     kadmin.local command 'getprincs' is now supported.



* 8493: Synchronize index LDIF and index update files



     Configuration of LDAP indices was moved into a single place. New
     indices were added to attributes related to trusted domains
     operations. Performance improvement is expected for Kerberos service
     tickets requested by users from trusted Active Directory domains.



* 8503: pkispawn logs files are empty



     On recent versions of Dogtag PKI, pkispawn does not create logs by
     default, making debugging failed IPA installs impossible. Invoke
     pkispawn with --debug to revert to the previous behavior.



* 8507: [WebUI] Backport jQuery patches from newer versions of the
library (e.g. 3.5.0)



     Support reproducible builds for jQuery library.



* 8510: create_active_user and kinit_as_user should collect
kdcinfo.REALM on failure



     Sometimes, requesting a TGT after a password reset fails because
     SSSD seems to select different hosts for these two sequential tasks,
     leaving no time for replication to replicate the password hashes.
     Add debug information to the test suites that exhibit the problem
     and always display the kdcinfo file maintained by SSSD that contains
     the KRB5KDC IP it should be pinned to.



* 8530: Running ipa-server-install fails on machine where libsss_sudo is
not installed



     The FreeIPA client RPM now has a soft dependency on libsss_sudo and
     sudo itself.
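
For ticket 8301 above, third-party ACIs first have to be found before they can be updated. The following is an added example, not part of the FreeIPA release or its tooling: it scans LDIF for 'aci' values in which a target* keyword is not followed by a double quote. The sample LDIF, the DNs and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample input: LDIF as a directory search for the "aci"
# attribute would return it, including a folded line and a base64 value.
_B64_ACI = base64.b64encode(
    b'(targetattr != userPassword)(version 3.0; acl "b64 encoded"; '
    b'allow (read) userdn = "ldap:///anyone";)').decode()

SAMPLE_LDIF = (
    'dn: cn=apps,dc=example,dc=test\n'
    'aci: (targetattr = "cn || description")(version 3.0; acl "quoted";\n'
    '  allow (read, search) userdn = "ldap:///all";)\n'
    'aci: (targetattr = mail || telephoneNumber)(targetfilter = (objectClass=person\n'
    ' ))(version 3.0; acl "legacy"; allow (write) userdn = "ldap:///self";)\n'
    '\n'
    'dn: cn=printers,dc=example,dc=test\n'
    'aci:: ' + _B64_ACI + '\n'
)

# Keyword pattern follows the release note's "target*" wording (assumption:
# every keyword of interest starts with "target").
TARGET_RE = re.compile(r"\s*(target\w*)\s*(!=|=)\s*(.*)", re.I | re.S)


def read_acis(ldif):
    """Yield (dn, aci) pairs from LDIF text, undoing folding and base64."""
    dn = None
    # LDIF folds long lines as "newline + one space"; join them back first.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        is_b64 = rest.startswith(":")          # "attr:: <base64>"
        value = rest[1:].strip() if is_b64 else rest.strip()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "aci":
            yield dn, value


def top_level_clauses(aci):
    """Split an ACI into its top-level parenthesised clauses.

    Parentheses inside double quotes are ignored, so a quoted filter such
    as "(objectClass=person)" does not open a new clause.
    """
    clauses, depth, start, in_quote = [], 0, None, False
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                clauses.append(aci[start:i])
    return clauses


def unquoted_targets(aci):
    """Return (keyword, value) for each target* clause lacking a leading quote."""
    findings = []
    for clause in top_level_clauses(aci):
        m = TARGET_RE.fullmatch(clause)
        if m and not m.group(3).startswith('"'):
            findings.append((m.group(1).lower(), m.group(3).strip()))
    return findings


def audit(ldif):
    """Return (dn, keyword, value) for every unquoted target* clause found."""
    return [(dn, kw, val)
            for dn, aci in read_acis(ldif)
            for kw, val in unquoted_targets(aci)]


if __name__ == "__main__":
    for dn, keyword, value in audit(SAMPLE_LDIF):
        print(f"{dn}: {keyword} value is not quoted: {value}")
```

Each reported entry is an ACI that 389-ds 1.4 would ignore, so the permissions or restrictions it was meant to express are not in effect until the value is quoted.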



=== Known Issues

* 8240: KRA install fails if all KRA members are Hidden Replicas



     If the first KRA instance is installed on a hidden replica, more KRA
     instances cannot be added to the cluster. As a workaround,
     temporarily make the hidden replica with the KRA role visible
     before adding more KRA instances. The previously-hidden replica can
     be hidden again as soon as ipa-kra-install is complete.



=== Bug fixes

FreeIPA 4.9.0 release candidate 1 is a stabilization release for the features
delivered as a part of 4.9 version series.

There are more than 350 bug-fixes since FreeIPA 4.8.10 release. Details
of the bug-fixes can be seen in the list of resolved tickets below.

== Upgrading

Upgrade instructions are available on Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on Freenode.

== Resolved tickets

* https://pagure.io/freeipa/issue/298[#298]
(https://bugzilla.redhat.com/show_bug.cgi?id=587752[rhbz#587752]) [RFE]
Add support for cracklib to password policies
* https://pagure.io/freeipa/issue/2018[#2018]
(https://bugzilla.redhat.com/show_bug.cgi?id=1703564[rhbz#1703564])
Change hostname length limit to 64
* https://pagure.io/freeipa/issue/2445[#2445]
(https://bugzilla.redhat.com/show_bug.cgi?id=798359[rhbz#798359]) [RFE]
IdM password policy should include checks for repeating characters
* https://pagure.io/freeipa/issue/3473[#3473] Switch to using RESTful
interface in dogtag CA interface
* https://pagure.io/freeipa/issue/3687[#3687]
(https://bugzilla.redhat.com/show_bug.cgi?id=913799[rhbz#913799]) [RFE]
IPA user account expiry warning.
* https://pagure.io/freeipa/issue/3827[#3827] [RFE] Expose TTL in web UI
* https://pagure.io/freeipa/issue/3999[#3999]
(https://bugzilla.redhat.com/show_bug.cgi?id=837604[rhbz#837604]) [RFE]
Fix and Document how to set up Samba File Server with IPA
* https://pagure.io/freeipa/issue/4751[#4751]
(https://bugzilla.redhat.com/show_bug.cgi?id=1851835[rhbz#1851835])
Implement ACME certificate enrolment
* https://pagure.io/freeipa/issue/4972[#4972]
(https://bugzilla.redhat.com/show_bug.cgi?id=1206690[rhbz#1206690])
check for existence of private group is done even if UPG definition is
disabled
* https://pagure.io/freeipa/issue/5011[#5011]
(https://bugzilla.redhat.com/show_bug.cgi?id=1527185[rhbz#1527185])
[RFE] Forward CA requests to dogtag or helper by GSSAPI
* https://pagure.io/freeipa/issue/5062[#5062]
(https://bugzilla.redhat.com/show_bug.cgi?id=1229657[rhbz#1229657])
[WebUI] Unlock option is enabled for all user.
* https://pagure.io/freeipa/issue/5566[#5566] Permit creation of PTR
records in non-.arpa master zones via the DNS UI
* https://pagure.io/freeipa/issue/5608[#5608]
(https://bugzilla.redhat.com/show_bug.cgi?id=1405935[rhbz#1405935])
[RFE] Add Dogtag configuration extensions
* https://pagure.io/freeipa/issue/5628[#5628] webui: Unclear(UX) purpose
of OTP field in password reset form on login
* https://pagure.io/freeipa/issue/5662[#5662]
(https://bugzilla.redhat.com/show_bug.cgi?id=1404770[rhbz#1404770]) ID
Views: do not allow custom Views for the masters
* https://pagure.io/freeipa/issue/5879[#5879]
(https://bugzilla.redhat.com/show_bug.cgi?id=1334619[rhbz#1334619])
Attempt to fix capitalization fails with ipa: ERROR: Type or value
exists:
* https://pagure.io/freeipa/issue/5914[#5914]
(https://bugzilla.redhat.com/show_bug.cgi?id=1298288[rhbz#1298288])
invalid setting of DS lock table size
* https://pagure.io/freeipa/issue/5948[#5948]
(https://bugzilla.redhat.com/show_bug.cgi?id=1340463[rhbz#1340463])
[RFE] Implement pam_pwquality featureset in IPA password policies
* https://pagure.io/freeipa/issue/6115[#6115]
(https://bugzilla.redhat.com/show_bug.cgi?id=1357495[rhbz#1357495]) ipa
command provides stack trace when provided with single hypen commands
* https://pagure.io/freeipa/issue/6210[#6210]
(https://bugzilla.redhat.com/show_bug.cgi?id=1364139[rhbz#1364139],
https://bugzilla.redhat.com/show_bug.cgi?id=1751951[rhbz#1751951]) When
master's IP address does not resolve to its name, ipa-replica-install
fails
* https://pagure.io/freeipa/issue/6423[#6423] Validate cert requests in
Dogtag
* https://pagure.io/freeipa/issue/6474[#6474] Remove ipaplatform
dependency from ipa modules
* https://pagure.io/freeipa/issue/6708[#6708] Unused config options
* https://pagure.io/freeipa/issue/6783[#6783]
(https://bugzilla.redhat.com/show_bug.cgi?id=1430365[rhbz#1430365])
[RFE] Host-group names command rename
* https://pagure.io/freeipa/issue/6843[#6843]
(https://bugzilla.redhat.com/show_bug.cgi?id=1428690[rhbz#1428690])
ipa-backup does not create log file at /var/log/
* https://pagure.io/freeipa/issue/6857[#6857] ipa_pwd.c: Use OpenSSL
instead of NSS for hashing
* https://pagure.io/freeipa/issue/6884[#6884]
(https://bugzilla.redhat.com/show_bug.cgi?id=1441262[rhbz#1441262]) ipa
group-del gives ipa: ERROR: Insufficient access: but still deletes group
* https://pagure.io/freeipa/issue/6891[#6891]
(https://bugzilla.redhat.com/show_bug.cgi?id=1461914[rhbz#1461914]) Move
FreeIPA SELinux policy from system policy to project policy
* https://pagure.io/freeipa/issue/6951[#6951]
(https://bugzilla.redhat.com/show_bug.cgi?id=1449133[rhbz#1449133])
Update samba config file and use sss idmap module
* https://pagure.io/freeipa/issue/6964[#6964]
(https://bugzilla.redhat.com/show_bug.cgi?id=1442413[rhbz#1442413]) IPA
password policy has no password difference checking
* https://pagure.io/freeipa/issue/7125[#7125]
(https://bugzilla.redhat.com/show_bug.cgi?id=1480102[rhbz#1480102])
ipa-server-upgrade failes with "This entry already exists"
* https://pagure.io/freeipa/issue/7137[#7137]
(https://bugzilla.redhat.com/show_bug.cgi?id=1484088[rhbz#1484088])
[RFE]: Able to browse different links from IPA web gui in new tabs
* https://pagure.io/freeipa/issue/7181[#7181]
(https://bugzilla.redhat.com/show_bug.cgi?id=1545755[rhbz#1545755])
ipa-replica-prepare fails for 2nd replica when passwordHistory is
enabled
* https://pagure.io/freeipa/issue/7188[#7188] Issues after promoting one
CA-less IPA server to CA-full
* https://pagure.io/freeipa/issue/7255[#7255] baseidoverride.get_dn()
does not default to a default ID view when resolving user IDs
* https://pagure.io/freeipa/issue/7305[#7305]
(https://bugzilla.redhat.com/show_bug.cgi?id=1518153[rhbz#1518153])
PKINIT status not displayed in the web UI (IPA Server > Configuration)
* https://pagure.io/freeipa/issue/7307[#7307]
(https://bugzilla.redhat.com/show_bug.cgi?id=1518939[rhbz#1518939]) RFE:
Extend IPA to support unadvertised replicas
* https://pagure.io/freeipa/issue/7323[#7323] IPv6 hack for Travis CI
* https://pagure.io/freeipa/issue/7329[#7329] update_ra_cert_store does
not remove private key from NSSDB
* https://pagure.io/freeipa/issue/7416[#7416] Uninstalling IPA requires
on being in a existent working directory
* https://pagure.io/freeipa/issue/7522[#7522] Disable cert publishing in
dogtag
* https://pagure.io/freeipa/issue/7534[#7534]
(https://bugzilla.redhat.com/show_bug.cgi?id=1569011[rhbz#1569011])
Investigate failures to restore 389-ds attriubtes on upgrade failure
* https://pagure.io/freeipa/issue/7548[#7548] Need integration test for
--external-ca-type=ms-cs
* https://pagure.io/freeipa/issue/7566[#7566]
(https://bugzilla.redhat.com/show_bug.cgi?id=1591824[rhbz#1591824])
Installation of replica against a specific master
* https://pagure.io/freeipa/issue/7577[#7577]
(https://bugzilla.redhat.com/show_bug.cgi?id=1579296[rhbz#1579296])
[RFE] DNS package check should be called earlier in installation routine
* https://pagure.io/freeipa/issue/7597[#7597]
(https://bugzilla.redhat.com/show_bug.cgi?id=1583950[rhbz#1583950]) IPA:
IDM drops all custom attributes when moving account from preserved to
stage
* https://pagure.io/freeipa/issue/7600[#7600]
(https://bugzilla.redhat.com/show_bug.cgi?id=1585020[rhbz#1585020])
Enable compat tree to provide information about AD users and groups on
trust agents
* https://pagure.io/freeipa/issue/7610[#7610] ldapupdate.py users
ldap.LOCAL_ERROR and other direct ldap exceptions while relying on
ipaldap
* https://pagure.io/freeipa/issue/7630[#7630]
(https://bugzilla.redhat.com/show_bug.cgi?id=1613015[rhbz#1613015])
ipa-restore should check that optional feature packages are installed
before restoring a backup using a feature
* https://pagure.io/freeipa/issue/7677[#7677] HSM: ipa ca-add fails with
error in ipa-pki-retrieve-key
* https://pagure.io/freeipa/issue/7695[#7695]
(https://bugzilla.redhat.com/show_bug.cgi?id=1623763[rhbz#1623763]) ipa
service-del should display principal name instead of Invalid
'principal'.
* https://pagure.io/freeipa/issue/7725[#7725]
(https://bugzilla.redhat.com/show_bug.cgi?id=1636765[rhbz#1636765])
ipa-restore set wrong file permissions and ownership for
/var/log/dirsrv/slapd- directory
* https://pagure.io/freeipa/issue/7804[#7804]
(https://bugzilla.redhat.com/show_bug.cgi?id=1777811[rhbz#1777811]) `ipa
otptoken-sync` fails with stack trace
* https://pagure.io/freeipa/issue/7810[#7810] [F28] Require NSS with fix
for p11-kit issue.
* https://pagure.io/freeipa/issue/7816[#7816]
(https://bugzilla.redhat.com/show_bug.cgi?id=1642395[rhbz#1642395])
[WebUI] not able to set a password for user as Active Directory
Administrator user
* https://pagure.io/freeipa/issue/7870[#7870]
(https://bugzilla.redhat.com/show_bug.cgi?id=1680039[rhbz#1680039])
[certmonger][upgrade] "Failed to get request: bus, object_path and
dbus_interface must not be None."
* https://pagure.io/freeipa/issue/7895[#7895]
(https://bugzilla.redhat.com/show_bug.cgi?id=1686302[rhbz#1686302]) ipa
trust fetch-domains, server parameter ignored
* https://pagure.io/freeipa/issue/7902[#7902] 389-ds-base-1.4.0.22-1
breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
* https://pagure.io/freeipa/issue/7908[#7908] Write tests for
interactive prompt for NTP options.
* https://pagure.io/freeipa/issue/7929[#7929]
(https://bugzilla.redhat.com/show_bug.cgi?id=1712794[rhbz#1712794])
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master
role enabled
* https://pagure.io/freeipa/issue/7932[#7932] FreeIPA queries rely on
missing attribute altsecurityidentities
* https://pagure.io/freeipa/issue/7933[#7933] FreeIPA must index certmap
attributes.
* https://pagure.io/freeipa/issue/7938[#7938] 'ipa dnszone-show/find'
should display "Dynamic Update" and "Bind update policy" by default
* https://pagure.io/freeipa/issue/7949[#7949]
test_integration/test_nfs.py fails at cleanup
* https://pagure.io/freeipa/issue/7958[#7958]
(https://bugzilla.redhat.com/show_bug.cgi?id=1782169[rhbz#1782169])
traceback in idview
* https://pagure.io/freeipa/issue/7961[#7961] [WebUI] Identity Manager
WebUI requires you to save changes after changing specifications before
making other change
* https://pagure.io/freeipa/issue/7966[#7966] Add support for JSON-RPC
in ipa-join
* https://pagure.io/freeipa/issue/7971[#7971]
(https://bugzilla.redhat.com/show_bug.cgi?id=1715961[rhbz#1715961])
[RFE] Include hint for replication_wait_timeout if timeout fails
* https://pagure.io/freeipa/issue/7985[#7985] test failure in
test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
* https://pagure.io/freeipa/issue/7987[#7987] Python shebang: Use
isolated mode
* https://pagure.io/freeipa/issue/7989[#7989] Pytest4.2+ errors
* https://pagure.io/freeipa/issue/7991[#7991] Use profile-based renewal
for system certificates
* https://pagure.io/freeipa/issue/7995[#7995]
(https://bugzilla.redhat.com/show_bug.cgi?id=1711172[rhbz#1711172])
Removing TLSv1.0, TLSv1.1 from nss.conf
* https://pagure.io/freeipa/issue/7996[#7996]
`test_selinuxusermap_plugin` fails against not default SELinux settings
* https://pagure.io/freeipa/issue/8001[#8001] Need default
authentication indicators for SPAKE, PKINIT and encrypted challenge
preauth
* https://pagure.io/freeipa/issue/8004[#8004] RHEL 8 uses nis-domainname
instead of rhel-domainname
* https://pagure.io/freeipa/issue/8005[#8005]
(https://bugzilla.redhat.com/show_bug.cgi?id=1729099[rhbz#1729099]) User
field separator uses '$$' within ipaSELinuxUserMapOrder
* https://pagure.io/freeipa/issue/8007[#8007] Not stable nodeids within
pytest
* https://pagure.io/freeipa/issue/8008[#8008] Azure Pipeline slicing
* https://pagure.io/freeipa/issue/8009[#8009] Missing execution bit on
`ipa-run-tests` within virtualenv
* https://pagure.io/freeipa/issue/8010[#8010] Extended Kerberos Ticket
Policy
* https://pagure.io/freeipa/issue/8012[#8012]
test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view
failure
* https://pagure.io/freeipa/issue/8013[#8013]
(https://bugzilla.redhat.com/show_bug.cgi?id=1731433[rhbz#1731433]) ipa
service-find does not list cifs service created by ipa-client-samba
* https://pagure.io/freeipa/issue/8015[#8015] p11helper: insufficient
logging when loading LIBSOFTHSM2_SO
* https://pagure.io/freeipa/issue/8017[#8017]
(https://bugzilla.redhat.com/show_bug.cgi?id=1817927[rhbz#1817927])
host-add --password logs cleartext userpassword to Apache error log
* https://pagure.io/freeipa/issue/8019[#8019]
(https://bugzilla.redhat.com/show_bug.cgi?id=1732524[rhbz#1732524])
repeated uninstallation of ipa-client-samba crashes
* https://pagure.io/freeipa/issue/8020[#8020] support AES in LWCA key
replication
* https://pagure.io/freeipa/issue/8021[#8021]
(https://bugzilla.redhat.com/show_bug.cgi?id=1732528[rhbz#1732528])
ipa-client-samba can not install samba after uninstallation
* https://pagure.io/freeipa/issue/8022[#8022] azure pipeline: fail if
dnf builddep exits on failure
* https://pagure.io/freeipa/issue/8024[#8024] [WebUI]
test_webui/test_trust.py failed because of request timeout
* https://pagure.io/freeipa/issue/8026[#8026] Update pr-ci definitions
with master_3client topology
* https://pagure.io/freeipa/issue/8027[#8027] test_nfs.py: migrate to
master_3client
* https://pagure.io/freeipa/issue/8029[#8029]
(https://bugzilla.redhat.com/show_bug.cgi?id=1749788[rhbz#1749788]) ipa
host-find --pkey-only includes SSH keys in output
* https://pagure.io/freeipa/issue/8030[#8030] azure pipelines fail at
"Install prerequisites" of Tox job
* https://pagure.io/freeipa/issue/8031[#8031]
(https://bugzilla.redhat.com/show_bug.cgi?id=1734369[rhbz#1734369]) HBAC
Test Validation error when running the HBAC test the second time round
via the IPA Web GUI
* https://pagure.io/freeipa/issue/8034[#8034] Existing p11-kit config
file is not restored on uninstall
* https://pagure.io/freeipa/issue/8038[#8038]
(https://bugzilla.redhat.com/show_bug.cgi?id=1740167[rhbz#1740167])
ipa-client-automount --uninstall is not restoring nsswitch.conf
* https://pagure.io/freeipa/issue/8040[#8040]
(https://bugzilla.redhat.com/show_bug.cgi?id=1731963[rhbz#1731963]) ipa
migrate-ds fails with internal error.
* https://pagure.io/freeipa/issue/8044[#8044]
(https://bugzilla.redhat.com/show_bug.cgi?id=1717008[rhbz#1717008])
Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout
or other errors
* https://pagure.io/freeipa/issue/8048[#8048] Travis-CI sometimes fails
at dnf
* https://pagure.io/freeipa/issue/8052[#8052] test failure in
test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order
on fedora29
* https://pagure.io/freeipa/issue/8053[#8053] [WebUI] Fix login screen
loading issue in test_loginscreen
* https://pagure.io/freeipa/issue/8054[#8054]
(https://bugzilla.redhat.com/show_bug.cgi?id=1746557[rhbz#1746557])
ipa-client-install calls "authselect select sssd --force" at uninstall
time before restoring user-nsswitch.conf
* https://pagure.io/freeipa/issue/8055[#8055] Test for PG6843:
ipa-backup does not create log file at /var/log is failing
* https://pagure.io/freeipa/issue/8056[#8056]
(https://bugzilla.redhat.com/show_bug.cgi?id=1746882[rhbz#1746882])
BuildRequires is not compatible with %\{_libdir}
* https://pagure.io/freeipa/issue/8057[#8057]
(https://bugzilla.redhat.com/show_bug.cgi?id=1747895[rhbz#1747895])
Running ipa-server-install produces SyntaxWarning: "is not" with a
literal. Did you mean "!="?
* https://pagure.io/freeipa/issue/8062[#8062] Re-add
configure_nsswitch_database, configure_nsswitch, ... to
ipaclient.install
* https://pagure.io/freeipa/issue/8063[#8063] Nightly test failure in
test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::()::test_nsswitch_backup_restore_sssd
* https://pagure.io/freeipa/issue/8064[#8064] Request for IPA CI to
enable DS audit/auditfail logging
* https://pagure.io/freeipa/issue/8066[#8066]
(https://bugzilla.redhat.com/show_bug.cgi?id=1750242[rhbz#1750242])
Don't use -t option to klist in adtrust code when timestamp is not
needed
* https://pagure.io/freeipa/issue/8067[#8067]
(https://bugzilla.redhat.com/show_bug.cgi?id=1750700[rhbz#1750700]) add
default access control configuration to trusted domain objects
* https://pagure.io/freeipa/issue/8070[#8070] Test failure in
test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
* https://pagure.io/freeipa/issue/8073[#8073] Backup/restore does not
restore /etc/pkcs11/modules/softhsm2.module
* https://pagure.io/freeipa/issue/8075[#8075] Don't create log file for
helper scripts
* https://pagure.io/freeipa/issue/8077[#8077] New pylint 2.4.0 errors
* https://pagure.io/freeipa/issue/8079[#8079]
(https://bugzilla.redhat.com/show_bug.cgi?id=1754530[rhbz#1754530])
[Security] By default, DNS recursion is open, breaking best practices
* https://pagure.io/freeipa/issue/8082[#8082]
(https://bugzilla.redhat.com/show_bug.cgi?id=1756432[rhbz#1756432])
Default client configuration breaks ssh in FIPS mode.
* https://pagure.io/freeipa/issue/8084[#8084]
(https://bugzilla.redhat.com/show_bug.cgi?id=1758406[rhbz#1758406]) KRA
authentication fails when IPA CA has custom Subject DN
* https://pagure.io/freeipa/issue/8086[#8086]
(https://bugzilla.redhat.com/show_bug.cgi?id=1756568[rhbz#1756568])
ipa-server-certinstall man page does not match built-in help.
* https://pagure.io/freeipa/issue/8094[#8094] Allow using of a custom
OpenSSL engine for ISC BIND
* https://pagure.io/freeipa/issue/8097[#8097] ipa user-add-certmapdata
is not able to add several entries correctly
* https://pagure.io/freeipa/issue/8098[#8098] Host principals lack ACI
to look up DNS objects in LDAP
* https://pagure.io/freeipa/issue/8099[#8099]
(https://bugzilla.redhat.com/show_bug.cgi?id=1762317[rhbz#1762317])
ipa-backup command is failing on rhel-7.8
* https://pagure.io/freeipa/issue/8101[#8101] Wrong pytest requirement
in specfile
* https://pagure.io/freeipa/issue/8102[#8102] Pylint 2.4.3 + Astroid
2.3.2 errors
* https://pagure.io/freeipa/issue/8104[#8104] RFE: Disable
Stale/Inactive Users - Upstream Design Document
* https://pagure.io/freeipa/issue/8105[#8105]
(https://bugzilla.redhat.com/show_bug.cgi?id=1759281[rhbz#1759281])
getcert with -F option returns before cacert file is created
* https://pagure.io/freeipa/issue/8106[#8106] ca-certificate file not
being parsed correctly on Ubuntu with p11-kit-trust.so due to data
inserted by FreeIPA Client install
* https://pagure.io/freeipa/issue/8110[#8110]
(https://bugzilla.redhat.com/show_bug.cgi?id=1768015[rhbz#1768015])
Enable AES SHA 256 and 384 Kerberos enctypes
* https://pagure.io/freeipa/issue/8111[#8111]
(https://bugzilla.redhat.com/show_bug.cgi?id=1768959[rhbz#1768959])
[FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
* https://pagure.io/freeipa/issue/8113[#8113]
(https://bugzilla.redhat.com/show_bug.cgi?id=1755535[rhbz#1755535])
ipa-advise on a RHEL7 IdM server is not able to generate a configuration
script for a RHEL8 IdM client
* https://pagure.io/freeipa/issue/8114[#8114] [RFE] Delegate group
membership management
* https://pagure.io/freeipa/issue/8115[#8115] Nightly test failure in
fedora-30/test_smb and fedora-29/test_smb
* https://pagure.io/freeipa/issue/8116[#8116] Pylint parallel execution
with custom plugin
* https://pagure.io/freeipa/issue/8118[#8118] Run smoke tests in FIPS
mode
* https://pagure.io/freeipa/issue/8120[#8120]
(https://bugzilla.redhat.com/show_bug.cgi?id=1769791[rhbz#1769791])
Invisible part of notification area in Web UI intercepts clicks of some
page elements
* https://pagure.io/freeipa/issue/8122[#8122]
(https://bugzilla.redhat.com/show_bug.cgi?id=1773528[rhbz#1773528])
group-add-member-manager does not report errors
* https://pagure.io/freeipa/issue/8123[#8123]
(https://bugzilla.redhat.com/show_bug.cgi?id=1773528[rhbz#1773528])
[WebUI] Finish group membership management UI
* https://pagure.io/freeipa/issue/8124[#8124] Add option to
ipa-cacert-manage to delete certificates
* https://pagure.io/freeipa/issue/8125[#8125]
(https://bugzilla.redhat.com/show_bug.cgi?id=1777809[rhbz#1777809]) Use
default crypto policy for TLS and enable TLS 1.3 support
* https://pagure.io/freeipa/issue/8129[#8129] Tests: Replace paramiko
with OpenSSH
* https://pagure.io/freeipa/issue/8131[#8131]
(https://bugzilla.redhat.com/show_bug.cgi?id=1777920[rhbz#1777920])
covscan memory leaks report
* https://pagure.io/freeipa/issue/8133[#8133]
check_client_configuration() no longer works with IPA_CONFDIR
* https://pagure.io/freeipa/issue/8134[#8134] ipa user-add is
inefficient
* https://pagure.io/freeipa/issue/8135[#8135]
(https://bugzilla.redhat.com/show_bug.cgi?id=1777806[rhbz#1777806]) When
Service weight is set as 0 for server in IPA location "IPA Error 903:
InternalError" is displayed
* https://pagure.io/freeipa/issue/8137[#8137] reinstall failed in adding
delegation layout
* https://pagure.io/freeipa/issue/8138[#8138]
(https://bugzilla.redhat.com/show_bug.cgi?id=1780548[rhbz#1780548]) Man
page ipa-cacert-manage does not display correctly on RHEL
* https://pagure.io/freeipa/issue/8142[#8142] check Not Before / Not
After in externally signed CA sanity check
* https://pagure.io/freeipa/issue/8143[#8143] service.ldap_disable()
does not remove "enabledService"
* https://pagure.io/freeipa/issue/8144[#8144] test_nfs.py: umount.nfs4:
/home: device is busy
* https://pagure.io/freeipa/issue/8148[#8148]
(https://bugzilla.redhat.com/show_bug.cgi?id=1782587[rhbz#1782587]) add
"systemctl restart sssd" to warning message when adding trust agents to
replicas
* https://pagure.io/freeipa/issue/8149[#8149]
(https://bugzilla.redhat.com/show_bug.cgi?id=1783046[rhbz#1783046]) SIDs
of AD domains do not display in ipa-client-samba installer
* https://pagure.io/freeipa/issue/8150[#8150]
(https://bugzilla.redhat.com/show_bug.cgi?id=1784003[rhbz#1784003]) IPA
Server install fail
* https://pagure.io/freeipa/issue/8151[#8151] test_commands timing-out
* https://pagure.io/freeipa/issue/8153[#8153]
(https://bugzilla.redhat.com/show_bug.cgi?id=1784761[rhbz#1784761])
Kerberos ticket policy reset does not reset per-indicator policies
* https://pagure.io/freeipa/issue/8157[#8157] Nightly test failure in
fedora-rawhide/test_webui_network
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new
Fedora translation platform
* https://pagure.io/freeipa/issue/8163[#8163]
(https://bugzilla.redhat.com/show_bug.cgi?id=1782572[rhbz#1782572])
"Internal Server Error" reported for minor issues implies IPA is broken
[IdmHackfest2019]
* https://pagure.io/freeipa/issue/8164[#8164]
(https://bugzilla.redhat.com/show_bug.cgi?id=1788907[rhbz#1788907])
Renewed certs are not picked up by IPA CAs
* https://pagure.io/freeipa/issue/8169[#8169] Nightly test failure in
fedora-rawhide/test_webui_policy
* https://pagure.io/freeipa/issue/8170[#8170] Nightly test failure in
fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
* https://pagure.io/freeipa/issue/8173[#8173] Broken -k argument parsing
in ipa-run-tests 4.8.4-1 package
* https://pagure.io/freeipa/issue/8176[#8176] External CA is tracked for
renewals and replaced with a self-signed certificate
* https://pagure.io/freeipa/issue/8179[#8179] Tests broken with python
version < 3.7 (module 're' has no attribute 'Pattern')
* https://pagure.io/freeipa/issue/8186[#8186] Add ipa-ca.$DOMAIN alias
to IPA server HTTP certificates
* https://pagure.io/freeipa/issue/8189[#8189]
(https://bugzilla.redhat.com/show_bug.cgi?id=1810179[rhbz#1810179])
Nightly test failure in
test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
* https://pagure.io/freeipa/issue/8190[#8190]
(https://bugzilla.redhat.com/show_bug.cgi?id=1790886[rhbz#1790886])
ipa-client-automount fails after repeated installation/uninstallation
* https://pagure.io/freeipa/issue/8192[#8192]
(https://bugzilla.redhat.com/show_bug.cgi?id=1665051[rhbz#1665051])
ipa-adtrust-install does not list service records for manual addition to
DNS zone
* https://pagure.io/freeipa/issue/8193[#8193]
(https://bugzilla.redhat.com/show_bug.cgi?id=1801791[rhbz#1801791])
Re-order 50-externalmembers.update to be after 80-schema_compat.update
* https://pagure.io/freeipa/issue/8196[#8196] API: dnsrecord_del failure
with empty list aaaarecord
* https://pagure.io/freeipa/issue/8200[#8200]
(https://bugzilla.redhat.com/show_bug.cgi?id=1803786[rhbz#1803786]) ipa
krb5kdc db: krb5kdc coredump
* https://pagure.io/freeipa/issue/8201[#8201] update ssbrowser.html
* https://pagure.io/freeipa/issue/8202[#8202] Azure: add support for
multi-container tests
* https://pagure.io/freeipa/issue/8204[#8204]
(https://bugzilla.redhat.com/show_bug.cgi?id=1810148[rhbz#1810148])
ipa-server-certinstall -> certmonger add_subject template-subject dbus
'unable to set arguments' a\{sv}
* https://pagure.io/freeipa/issue/8207[#8207] Extend Web UI for Kerberos
ticket policy to add authentication indicator support
* https://pagure.io/freeipa/issue/8214[#8214] Support for opendnssec
2.1.6
* https://pagure.io/freeipa/issue/8217[#8217]
(https://bugzilla.redhat.com/show_bug.cgi?id=1810154[rhbz#1810154]) RFE:
ipa-backup should compare locally and globally installed server roles
* https://pagure.io/freeipa/issue/8219[#8219] ipatests: unify editing of
sssd.conf
* https://pagure.io/freeipa/issue/8221[#8221]
(https://bugzilla.redhat.com/show_bug.cgi?id=1812169[rhbz#1812169])
Secure AJP connector between Dogtag and Apache proxy
* https://pagure.io/freeipa/issue/8222[#8222] Upgrade dojo.js
* https://pagure.io/freeipa/issue/8226[#8226]
(https://bugzilla.redhat.com/show_bug.cgi?id=1813330[rhbz#1813330])
ipa-restore does not restart httpd
* https://pagure.io/freeipa/issue/8228[#8228] Nightly failure in
backup/restore while calling 'id admin'
* https://pagure.io/freeipa/issue/8233[#8233] 4.8.5 master Installation
error
* https://pagure.io/freeipa/issue/8236[#8236]
(https://bugzilla.redhat.com/show_bug.cgi?id=1809835[rhbz#1809835])
Enforce a check to prevent adding objects from IPA as external members
of external groups
* https://pagure.io/freeipa/issue/8239[#8239] Actualize Bootstrap
version
* https://pagure.io/freeipa/issue/8240[#8240]
(https://bugzilla.redhat.com/show_bug.cgi?id=1816784[rhbz#1816784]) KRA
install fails if all KRA members are Hidden Replicas
* https://pagure.io/freeipa/issue/8241[#8241] Build fails on Fedora 30
* https://pagure.io/freeipa/issue/8247[#8247] test_fips PR-CI templates
have a too-short timeout
* https://pagure.io/freeipa/issue/8248[#8248] httpd ccaches created
during server upgrade aren't cleaned up on uninstall/install
* https://pagure.io/freeipa/issue/8251[#8251] [Azure] Catch coredumps
* https://pagure.io/freeipa/issue/8254[#8254] [Azure] 'Tox' task fails
against Python3.8
* https://pagure.io/freeipa/issue/8261[#8261] [ipatests] Integration
tests fail on non-firewalld distros
* https://pagure.io/freeipa/issue/8262[#8262] test_ipahealthcheck needs
a higher timeout than 3600
* https://pagure.io/freeipa/issue/8264[#8264] Nightly test failure in
test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
* https://pagure.io/freeipa/issue/8265[#8265] [ipatests]
`/var/log/ipaupgrade.log` is not collected
* https://pagure.io/freeipa/issue/8266[#8266] test_webui_server requires
a higher timeout than 3600
* https://pagure.io/freeipa/issue/8268[#8268] Prevent use of too long
passwords
* https://pagure.io/freeipa/issue/8272[#8272] Use /run instead of
/var/run
* https://pagure.io/freeipa/issue/8273[#8273]
(https://bugzilla.redhat.com/show_bug.cgi?id=1834385[rhbz#1834385]) Man
page syntax issue detected by rpminspect
* https://pagure.io/freeipa/issue/8275[#8275]
(https://bugzilla.redhat.com/show_bug.cgi?id=1880628[rhbz#1880628])
Support systemd-resolved
* https://pagure.io/freeipa/issue/8276[#8276] Add default password
policy for sysaccounts
* https://pagure.io/freeipa/issue/8283[#8283] Failures and AVCs with
OpenDNSSEC 2.1
* https://pagure.io/freeipa/issue/8284[#8284] Upgrade jQuery version to
actual one
* https://pagure.io/freeipa/issue/8287[#8287] named not starting after
#8079, ipa-ext.conf breaks bind
* https://pagure.io/freeipa/issue/8289[#8289] ipa
servicedelegationtarget-add-member does not allow to add hosts as
targets
* https://pagure.io/freeipa/issue/8290[#8290] API inconsistencies
* https://pagure.io/freeipa/issue/8291[#8291] krb5kdc crashes in IPA
plugin on use of IPA Windows principal alias
* https://pagure.io/freeipa/issue/8297[#8297] Fix new pylint 2.5.0
warnings and errors
* https://pagure.io/freeipa/issue/8298[#8298] [WebUI] Cover membership
management with UI tests
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with
python3-rjsmin
* https://pagure.io/freeipa/issue/8301[#8301] The value of the first
character in target* keywords is expected to be a double quote
* https://pagure.io/freeipa/issue/8304[#8304] [fed32] client-install
does not properly set ChallengeResponseAuthentication yes in sshd conf
* https://pagure.io/freeipa/issue/8306[#8306] Adopt Black code style
* https://pagure.io/freeipa/issue/8307[#8307] make devcheck fails for
test_ipatests_plugins/test_ipa_run_tests.py
* https://pagure.io/freeipa/issue/8308[#8308]
(https://bugzilla.redhat.com/show_bug.cgi?id=1829787[rhbz#1829787]) ipa
service-del deletes the required principal when specified in lower/upper
case
* https://pagure.io/freeipa/issue/8309[#8309] Convert ipaplatform from
namespace package to regular package
* https://pagure.io/freeipa/issue/8311[#8311]
(https://bugzilla.redhat.com/show_bug.cgi?id=1825829[rhbz#1825829])
ipa-advise on a RHEL7 IdM server generate a configuration script for
client having hardcoded python3
* https://pagure.io/freeipa/issue/8312[#8312] Fix api.env.in_tree
detection logic
* https://pagure.io/freeipa/issue/8313[#8313] Values of api.env.mode are
inconsistent
* https://pagure.io/freeipa/issue/8315[#8315]
(https://bugzilla.redhat.com/show_bug.cgi?id=1833266[rhbz#1833266])
[dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
* https://pagure.io/freeipa/issue/8316[#8316] [Azure] Whitelist
clock_adjtime syscall
* https://pagure.io/freeipa/issue/8317[#8317] XML-RPC and CLI tests
depend on internal --force option
* https://pagure.io/freeipa/issue/8319[#8319] Support server referrals
for enterprise principals
* https://pagure.io/freeipa/issue/8322[#8322] [RFE] Changing default
hostgroup is too easy
* https://pagure.io/freeipa/issue/8323[#8323] [Build failure] Race: make
po fails on parallel build
* https://pagure.io/freeipa/issue/8325[#8325] [WebUI] Fix htmlPrefilter
issue in jQuery
* https://pagure.io/freeipa/issue/8326[#8326] CVE-2020-10747
* https://pagure.io/freeipa/issue/8328[#8328] krbtpolicy-mod cannot
handle two auth ind options of the same type at the same time
* https://pagure.io/freeipa/issue/8330[#8330] [Azure] Build job fails on
`tests` container preparation
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA
resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8336[#8336] [WebUI] "User attributes
for SMB services" section always shown
* https://pagure.io/freeipa/issue/8338[#8338] [WebUI] Host detail with
no assigned ID view makes invalid RPC call
* https://pagure.io/freeipa/issue/8339[#8339] [WebUI] User details tab
headers don't show member count when on settings tab
* https://pagure.io/freeipa/issue/8344[#8344] Nightly test failure in
test_smb.py::TestSMB::test_smb_service_s4u2self
* https://pagure.io/freeipa/issue/8348[#8348] Allow managed permissions
with ldap:///self bind rule
* https://pagure.io/freeipa/issue/8349[#8349] bind-9.16 and
dnssec-enable
* https://pagure.io/freeipa/issue/8350[#8350] bind-9.16 and DLV
* https://pagure.io/freeipa/issue/8352[#8352] RPC API crashes when a
user is disabled while a session exists
* https://pagure.io/freeipa/issue/8357[#8357] Allow managing IPA
resources as a user from a trusted Active Directory forest
* https://pagure.io/freeipa/issue/8358[#8358] TTL of DNS record can be
set to negative value
* https://pagure.io/freeipa/issue/8359[#8359] [WebUI] dnsrecord_mod
results in JS error
* https://pagure.io/freeipa/issue/8360[#8360] lite-server: Werkzeug
deprecation warnings
* https://pagure.io/freeipa/issue/8362[#8362]
(https://bugzilla.redhat.com/show_bug.cgi?id=1826659[rhbz#1826659]) IPA:
Ldap authentication failure due to Kerberos principal expiration UTC
timestamp
* https://pagure.io/freeipa/issue/8363[#8363] DNS config upgrade code
fails
* https://pagure.io/freeipa/issue/8364[#8364] Nightly test failure while
establishing trust: Cannot find specified domain or server name
* https://pagure.io/freeipa/issue/8366[#8366] CA-less replica deployment
fails with --setup-ca
* https://pagure.io/freeipa/issue/8367[#8367] IPA-EPN fails to build in
ONLY_CLIENT mode
* https://pagure.io/freeipa/issue/8368[#8368]
(https://bugzilla.redhat.com/show_bug.cgi?id=1846349[rhbz#1846349])
cannot issue certs with multiple IP addresses corresponding to different
hosts
* https://pagure.io/freeipa/issue/8369[#8369] cert_find returns "CA not
configured" in CA-less install
* https://pagure.io/freeipa/issue/8370[#8370] ipa-join does not set
nshardwareplatform and nsosversion
* https://pagure.io/freeipa/issue/8371[#8371] Nightly test failure
[testing_master_testing] in
test_integration/test_idviews.py::TestCertsInIDOverrides
* https://pagure.io/freeipa/issue/8372[#8372]
(https://bugzilla.redhat.com/show_bug.cgi?id=1849914[rhbz#1849914])
FreeIPA - Utilize 256-bit AJP connector passwords
* https://pagure.io/freeipa/issue/8374[#8374]
(https://bugzilla.redhat.com/show_bug.cgi?id=1847999[rhbz#1847999]) EPN
does not ship its default configuration ( /etc/ipa/epn.conf ) in
freeipa-client-epn
* https://pagure.io/freeipa/issue/8377[#8377] Nightly test failure
(timeout) in test_caless_TestReplicaInstall
* https://pagure.io/freeipa/issue/8378[#8378] CA validity past year 2038
breaks cert.py plugin on 32-bit platform
* https://pagure.io/freeipa/issue/8379[#8379] Nightly test failure
[testing_master_pki] while installing CA replica
* https://pagure.io/freeipa/issue/8381[#8381] Nightly test failure in
test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
* https://pagure.io/freeipa/issue/8383[#8383] Test with dnspython 2.0
* https://pagure.io/freeipa/issue/8384[#8384] Provide reliable way to
know if a server installation is complete
* https://pagure.io/freeipa/issue/8388[#8388] Make help() on plugins
more useful
* https://pagure.io/freeipa/issue/8391[#8391] Remove dnf workaround from
test_epn.y
* https://pagure.io/freeipa/issue/8394[#8394] Nightly test failure in
cert-related tests
* https://pagure.io/freeipa/issue/8395[#8395] selinux don't audit rules
deny fetching trust topology
* https://pagure.io/freeipa/issue/8396[#8396] [WebUI] Font type of
"Enabled" column in user search facet wrong
* https://pagure.io/freeipa/issue/8399[#8399] certmonger attempts to add
LWCA tracking requests on non-CA server.
* https://pagure.io/freeipa/issue/8400[#8400] sshd template file is
installed in a wrong (server) location while used by the client side
* https://pagure.io/freeipa/issue/8401[#8401] Create platform
definitions for freeipa-container
* https://pagure.io/freeipa/issue/8403[#8403] Add option to add ipaapi
user as an allowed uid for ifp in /etc/sssd/sssd.conf when running
ipa-replica-install
* https://pagure.io/freeipa/issue/8404[#8404] Detect and fail if not
enough memory is available for installation
* https://pagure.io/freeipa/issue/8405[#8405] Don't delegate full TGT in
ipa-join
* https://pagure.io/freeipa/issue/8407[#8407] Support changelog
integrated into main database
* https://pagure.io/freeipa/issue/8408[#8408] Nightly test failure in
test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_client_enrollment_by_unprivileged_user
* https://pagure.io/freeipa/issue/8412[#8412]
(https://bugzilla.redhat.com/show_bug.cgi?id=1857157[rhbz#1857157]) AVC:
httpd cannot connect to ipa-custodia.sock
* https://pagure.io/freeipa/issue/8413[#8413] Nightly test failure in
test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8414[#8414] Nightly test failure in
test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8416[#8416] [WebUI] Error while adding
user ID overrides to group
* https://pagure.io/freeipa/issue/8419[#8419] Azure is reporting a slew
of new no-member lint errors
* https://pagure.io/freeipa/issue/8425[#8425] Nightly test failure in
test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
* https://pagure.io/freeipa/issue/8428[#8428] [ipatests] fails due to
new python-cryptography 3.0
* https://pagure.io/freeipa/issue/8429[#8429] Add fips-mode-setup to
ipaplatform.paths
* https://pagure.io/freeipa/issue/8432[#8432] test failure in
test_commands.py::TestIPACommand::test_login_wrong_password:
AssertionError
* https://pagure.io/freeipa/issue/8435[#8435] [ipatests] failures due to
new Pytest6.0 (pypi part)
* https://pagure.io/freeipa/issue/8437[#8437] unit tests for
ipa-extdom-extop are failing in Fedora 33
* https://pagure.io/freeipa/issue/8439[#8439] Nightly test failure in
test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8440[#8440]
(https://bugzilla.redhat.com/show_bug.cgi?id=1863616[rhbz#1863616])
CA-less install does not set required permissions on KDC certificate
* https://pagure.io/freeipa/issue/8441[#8441]
(https://bugzilla.redhat.com/show_bug.cgi?id=1870202[rhbz#1870202]) File
permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
* https://pagure.io/freeipa/issue/8442[#8442] [pylint] warnings/errors
against pylint 2.5.3
* https://pagure.io/freeipa/issue/8443[#8443] ipa delegation-add can add
permissions and attributes several times
* https://pagure.io/freeipa/issue/8444[#8444]
(https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN:
enhance input validation
* https://pagure.io/freeipa/issue/8445[#8445]
(https://bugzilla.redhat.com/show_bug.cgi?id=1863079[rhbz#1863079]) EPN:
'[Errno 111] Connection refused' when the SMTP is down
* https://pagure.io/freeipa/issue/8446[#8446] ipa dnszone-add ignores
--name-from-ip option if name is given
* https://pagure.io/freeipa/issue/8447[#8447] Nightly test failure in
test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
* https://pagure.io/freeipa/issue/8449[#8449]
(https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN:
enhance CLI option tests
* https://pagure.io/freeipa/issue/8456[#8456] Need new aci's for the new
replication changelog entries
* https://pagure.io/freeipa/issue/8458[#8458] auto-upgrade will never
happen for existing installations
* https://pagure.io/freeipa/issue/8459[#8459] [upgrade] handle missing
openssh-clients
* https://pagure.io/freeipa/issue/8461[#8461] [ALTLinux] server
uninstall error on missing /var/lib/samba
* https://pagure.io/freeipa/issue/8463[#8463] Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8464[#8464] Increase replication
changelog trimming interval
* https://pagure.io/freeipa/issue/8468[#8468] [pylint] new warnings on
dev branch
* https://pagure.io/freeipa/issue/8472[#8472] [tracker] Nightly test
failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
* https://pagure.io/freeipa/issue/8473[#8473] Nightly test failure in
all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
* https://pagure.io/freeipa/issue/8474[#8474] Mozilla's NSS without DBM
* https://pagure.io/freeipa/issue/8475[#8475] Azure: tox task and
virtualenv 20+
* https://pagure.io/freeipa/issue/8481[#8481] Nightly test failure in
rawhide in tasks.configure_dns_for_trust
* https://pagure.io/freeipa/issue/8482[#8482] Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
* https://pagure.io/freeipa/issue/8488[#8488]
(https://bugzilla.redhat.com/show_bug.cgi?id=1868432[rhbz#1868432])
SELinux blocks custodia key replication / retrieval for sub-CAs
* https://pagure.io/freeipa/issue/8490[#8490]
(https://bugzilla.redhat.com/show_bug.cgi?id=1875001[rhbz#1875001]) It
is not possible to edit KDC database when the FreeIPA server is running
* https://pagure.io/freeipa/issue/8491[#8491] Unindexed searches in
FreeIPA git master
* https://pagure.io/freeipa/issue/8493[#8493] Synchronize index LDIF and
index update files
* https://pagure.io/freeipa/issue/8494[#8494] Azure Pipelines are broken
due to docker compose tool upgrade
* https://pagure.io/freeipa/issue/8496[#8496] [Tracker] Multiple nightly
test failures in test_dnssec
* https://pagure.io/freeipa/issue/8498[#8498] Check 3rd-party IPA server
HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
* https://pagure.io/freeipa/issue/8501[#8501] Unify how FreeIPA gets
FQDN of current host
* https://pagure.io/freeipa/issue/8502[#8502] Don't create DirSRV SSCA
* https://pagure.io/freeipa/issue/8503[#8503]
(https://bugzilla.redhat.com/show_bug.cgi?id=1879604[rhbz#1879604])
pkispawn logs files are empty
* https://pagure.io/freeipa/issue/8505[#8505] Nightly failure (fedora31)
in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
* https://pagure.io/freeipa/issue/8507[#8507] [WebUI] Backport jQuery
patches from newer versions of the library (e.g. 3.5.0)
* https://pagure.io/freeipa/issue/8510[#8510]
(https://bugzilla.redhat.com/show_bug.cgi?id=1881630[rhbz#1881630])
create_active_user and kinit_as_user should collect kdcinfo.REALM on
failure
* https://pagure.io/freeipa/issue/8511[#8511] The selinux subpackage
does not have a requirement to match the server install
* https://pagure.io/freeipa/issue/8512[#8512] Import of psutil can
trigger SELinux violation
* https://pagure.io/freeipa/issue/8513[#8513]
(https://bugzilla.redhat.com/show_bug.cgi?id=1868432[rhbz#1868432])
SELinux module fails to load: Re-declaration of type node_t
* https://pagure.io/freeipa/issue/8515[#8515]
(https://bugzilla.redhat.com/show_bug.cgi?id=1882340[rhbz#1882340])
nsslapd-db-locks patching no longer works
* https://pagure.io/freeipa/issue/8516[#8516] Nightly test failure
(master) in ipa trust-add
* https://pagure.io/freeipa/issue/8518[#8518] Upgrade F32 to F33 fails
in DNS upgrade code
* https://pagure.io/freeipa/issue/8519[#8519] Fedora container platform
is incomplete
* https://pagure.io/freeipa/issue/8521[#8521] Speed up
ipa-server-install
* https://pagure.io/freeipa/issue/8522[#8522] Remove
cainstance.migrate_profiles_to_ldap()
* https://pagure.io/freeipa/issue/8523[#8523] Topology Graph returns
Runtime Error
* https://pagure.io/freeipa/issue/8524[#8524]
(https://bugzilla.redhat.com/show_bug.cgi?id=1851835[rhbz#1851835])
Deploy & manage the ACME service topology wide from a single system
* https://pagure.io/freeipa/issue/8528[#8528] Use separate logs for AD
Trust and DNS installer
* https://pagure.io/freeipa/issue/8529[#8529] ipa-ca record incomplete
when hostname is not in DNS
* https://pagure.io/freeipa/issue/8530[#8530]
(https://bugzilla.redhat.com/show_bug.cgi?id=1859185[rhbz#1859185])
Running ipa-server-install fails on machine where libsss_sudo is not
installed
* https://pagure.io/freeipa/issue/8533[#8533] Nightly failure in
ipa-replica-install configuring renewals: DBusException:
org.freedesktop.DBus.Error.NoReply
* https://pagure.io/freeipa/issue/8535[#8535]
(https://bugzilla.redhat.com/show_bug.cgi?id=1887928[rhbz#1887928]) RPM
spec moves ssh server config to a snippet but does not ensure
sshd_config includes the snippet
* https://pagure.io/freeipa/issue/8536[#8536] RFE: ipatests: run
healthcheck on hidden replica
* https://pagure.io/freeipa/issue/8541[#8541] Nightly failure (fed33) in
test_installation.py::TestInstallMaster::test_selinux_avcs
* https://pagure.io/freeipa/issue/8551[#8551]
(https://bugzilla.redhat.com/show_bug.cgi?id=1784657[rhbz#1784657])
Unlock user accounts after a password reset and replicate that unlock to
all IdM servers
* https://pagure.io/freeipa/issue/8554[#8554]
(https://bugzilla.redhat.com/show_bug.cgi?id=1891056[rhbz#1891056])
ipa-kdb: support subordinate/superior UPN suffixes
* https://pagure.io/freeipa/issue/8555[#8555]
(https://bugzilla.redhat.com/show_bug.cgi?id=1340463[rhbz#1340463])
Nightly test failure in test_pwpolicy.py::test_pwpolicy::test_misc
* https://pagure.io/freeipa/issue/8558[#8558] Create backend entry
before creating mapping tree entry for ipaca backend
* https://pagure.io/freeipa/issue/8559[#8559] Nightly test failure in
test_trust.py::TestTrust::test_password_login_as_aduser
* https://pagure.io/freeipa/issue/8560[#8560] Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
* https://pagure.io/freeipa/issue/8563[#8563] Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
* https://pagure.io/freeipa/issue/8566[#8566] Subordinate suffixes
aren't treated as subordinate in trust to Active Directory (crash part)
* https://pagure.io/freeipa/issue/8567[#8567]
(https://bugzilla.redhat.com/show_bug.cgi?id=1894800[rhbz#1894800]) IPA
WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js
missing
* https://pagure.io/freeipa/issue/8572[#8572] Nightly failure in
test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica
* https://pagure.io/freeipa/issue/8573[#8573] Nightly failure in
test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
* https://pagure.io/freeipa/issue/8578[#8578] EPN: SMTP client downgrade
smtp_security from `starttls` to `none`
* https://pagure.io/freeipa/issue/8579[#8579] EPN: SMTP client doesn't
validate server certificate
* https://pagure.io/freeipa/issue/8580[#8580] EPN: SMTP client
authentication by certificate
* https://pagure.io/freeipa/issue/8584[#8584] ACME communication with
dogtag REST endpoints should be using the cookie it creates
* https://pagure.io/freeipa/issue/8585[#8585] Compile warnings on
rawhide



-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



