[Freeipa-users] Announcing FreeIPA 3.2.0 Prerelease 1

Martin Kosek mkosek at redhat.com
Wed Apr 3 08:51:03 UTC 2013


Hello Stijn,

We plan to release FreeIPA 3.2.0 to Fedora 19 only (the Prerelease 1 should be
already in its repos).

Fedora 18 should receive only stabilization releases of FreeIPA 3.1 branch
(FreeIPA 3.1.3 build is currently in Fedora 18 updates-testing repo).

HTH,
Martin

On 04/03/2013 10:36 AM, Stijn De Weirdt wrote:
> hi all,
> 
> what minimal OS is targeted for freeipa 3.2: FC19 or FC18?
> 
> 
> stijn
> 
> On 04/02/2013 06:32 PM, Martin Kosek wrote:
>> The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We
>> would like to welcome any early testers of this prerelease to provide us
>> feedback and help us stabilize this feature release which we plan to release as
>> final in the beginning of May 2013.
>>
>> It can be downloaded from http://www.freeipa.org/page/Downloads. The new
>> version has also been built for Fedora 19 Alpha, if it does not appear in your
>> Fedora 19 yet, you can download the build from koji:
>>
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=408311
>>
>> == Highlights in 3.2.0 Prerelease 1 ==
>>
>> === New features ===
>> * Support installing FreeIPA without an embedded Certificate Authority, with
>> user-provided SSL certificates for the HTTP and Directory servers. [1]
>> * New cert-find command. Search certificates in the Dogtag database based on
>> their serial number, validity or revocation details. This feature is available
>> both as a CLI command and Web UI page. [2]
>> * New trustconfig-show and trustconfig-mod command. Show or modify AD Trust
>> settings generated during AD Trust installation (ipa-adtrust-install) [3]
>> * Multiple FreeIPA servers can now be designated as Domain Controllers for
>> trusts with Active Directory [12]
>> * New realmdomains-show and realmdomains-mod command. Manage list of DNS
>> domains associated with FreeIPA realm (realmdomains command). This list is
>> primarily used by AD, which can pull all domains managed by FreeIPA and use
>> that list for routing authentication requests for domains which do not match
>> FreeIPA realm name. [4]
>> * Support trusted domain users in HBAC test command (hbactest command).
>> * Allow filtering incoming trusted domain SIDs per-trust (trust-mod command).
>> [5]
>> * Configurable PAC type for services. Service commands can now configure a set
>> of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the
>> service.
>> * Faster UI loading. FreeIPA Web UI application is now packaged in minimalized
>> format. FreeIPA web server is now also able to transmit data in compressed
>> format. [6] [7]
>> * UI now accepts confirmation of cancel of its dialogs via keyboard [11]
>> * Client reenrollment. A host that has been recreated can now be reenrolled to
>> FreeIPA server using a backed up host keytab or admin credentials [8]
>> * Service and Host commands now provide options to add or remove selected
>> Kerberos flags [9]
>>
>> === Prerelease 1 limitations ===
>>
>> * List of DNS domains associated with FreeIPA realm currently only works with a
>> special Samba build available for Fedora 18:
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
>> rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get
>> it working.
>> * Test of trusted domain users in HBAC rules is accessible only to members
>> of 'Trust Admins' group due to privilege limitations
>> * Same applies to any other trust-specific operations that require translation
>> between user/group name and its security identifier (SID)
>>
>> === Bug fixes ===
>>
>> * Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and
>> groups from OpenLDAP database instances.
>> * Migration process is now also a lot faster and provides more debug output (to
>> httpd error log).
>> * SUDO rules disabled by sudorule-disable command are now removed from
>> ou=sudoers compat tree without a need to restart 389 Directory Server instance.
>> * Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
>> * Fixed server installation with external CA (--external-ca)
>> * Consolidate on-line help system, show help without need of valid Kerberos
>> credentials (ipa help)
>> * New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
>> attribute for replicas which either do not have integrated DNS service enabled
>> or which have disabled SOA serial autoincrement
>> * LDAP lockout plugin has been fixed so that lockout policies are applied
>> consistently both for LDAP binds and Kerberos authentication
>> * ... and many other stabilization fixes, see Detailed changelog for full
>> details
>>
>> == Changes in API or CLI ==
>> === Dropped --selfsign option ===
>> FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. This
>> configured the server with a NSS database based Certificate Authority with a
>> selfsigned CA certificate and limited certificate operation support.
>>
>> This option was always intended for development or testing purposes only and
>> was not intended for use in production. This release drops this option and
>> deprecates the functionality. Current FreeIPA servers installed with
>> --selfsign option will still work, instructions on how to migrate to
>> supported certificate options will be provided.
>>
>> FreeIPA servers version 3.2.0 and later support the following 2 flavors of
>> certificate management:
>> * FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a
>> certificate signed by external CA (--external-ca option)
>> * FreeIPA with no pki-ca installed with certificates signed and provided by an
>> external CA [1]
>>
>> === Dropped CSV support ===
>> FreeIPA client CLI supported CSV in some arguments so that multiple values
>> could be added with just one convenient option:
>>
>>   ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
>>   ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2
>>
>> CSV parsing however introduces great difficulty when trying to include a value
>> with an embedded space in it. Escaping these values is not intuitive and made
>> it very difficult to add such values. The level of effort in working around the
>> CSV problems has come to the point where the benefits of it are outweighed by
>> the problems which led to the decision to drop CSV support in CLI altogether [10].
>>
>> There are several ways to work around the lack of CSV:
>>
>> Provide an argument multiple times on the command-line:
>>
>>   ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn --attrs=cn
>>   ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2
>>
>> Let BASH do the expansion for you:
>>
>>   ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
>>   ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}
>>
>> == Upgrading ==
>>
>> An IPA server can be upgraded simply by installing updated rpms. The server
>> does not need to be shut down in advance.
>>
>> Please note, that the referential integrity extension requires an extended set
>> of indexes to be configured. RPM update for an IPA server with an excessive
>> number of hosts, SUDO or HBAC entries may require several minutes to finish.
>>
>> If you have multiple servers you may upgrade them one at a time. It is expected
>> that all servers will be upgraded in a relatively short period (days or weeks
>> not months). They should be able to co-exist peacefully but new features will
>> not be available on old servers and enrolling a new client against an old
>> server will result in the SSH keys not being uploaded.
>>
>> Downgrading a server once upgraded is not supported.
>>
>> Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
>> versions is not supported and has not been tested.
>>
>> An enrolled client does not need the new packages installed unless you want to
>> re-enroll it. SSH keys for already installed clients are not uploaded, you will
>> have to re-enroll the client or manually upload the keys.
>>
>> == Feedback ==
>>
>> Please provide comments, bugs and other feedback via the freeipa-users mailing
>> list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
>> on Freenode.
>>
>> == Documentation ==
>> * [1] http://www.freeipa.org/page/V3/CA-less_install
>> * [2] http://www.freeipa.org/page/V3/Cert_find
>> * [3] http://www.freeipa.org/page/V3/Trust_config_command
>> * [4] http://www.freeipa.org/page/V3/Realm_Domains
>> * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
>> * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression
>> * [7] http://www.freeipa.org/page/V3/WebUI_build
>> * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
>> * [9] http://www.freeipa.org/page/V3/Kerberos_Flags
>> * [10] http://www.freeipa.org/page/V3/Drop_CSV
>> * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation
>> * [12] http://www.freeipa.org/page/V3/MultipleTrustServers
>>
>> == Detailed Changelog since 3.1.0 ==
>> Alexander Bokovoy (7):
>> * Update plugin to upload CA certificate to LDAP
>> * ipasam: use base scope when fetching domain information about own domain
>> * ipaserver/dcerpc: enforce search_s without schema checks for GC searching
>> * ipa-replica-manage: migrate to single_value after LDAPEntry updates
>> * Process exceptions when talking to Dogtag
>> * ipasam: add enumeration of UPN suffixes based on the realm domains
>> * Enhance ipa-adtrust-install for domains with multiple IPA server
>>
>> Ana Krivokapic (10):
>> * Raise ValidationError for incorrect subtree option.
>> * Add crond as a default HBAC service
>> * Take into consideration services when deleting replicas
>> * Add list of domains associated to our realm to cn=etc
>> * Improve error messages for external group members
>> * Remove check for alphabetic only characters from domain name validation
>> * Fix internal error for ipa show-mappings
>> * Realm Domains page
>> * Use default NETBIOS name in unattended ipa-adtrust-install
>> * Add mkhomedir option to ipa-server-install and ipa-replica-install
>>
>> Brian Cook (1):
>> * Add DNS Setup Prompt to Install
>>
>> JR Aquino (1):
>> * Allow PKI-CA Replica Installs when CRL exceeds default maxber value
>>
>> Jakub Hrozek (1):
>> * Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
>>
>> Jan Cholasta (24):
>> * Pylint cleanup.
>> * Drop ipapython.compat.
>> * Add support for RFC 6594 SSHFP DNS records.
>> * Raise ValidationError on invalid CSV values.
>> * Run interactive_prompt callbacks after CSV values are split.
>> * Add custom mapping object for LDAP entry data.
>> * Add make_entry factory method to LDAPConnection.
>> * Remove the Entity class.
>> * Remove the Entry class.
>> * Use the dn attribute of LDAPEntry to set/get DNs of entries.
>> * Preserve case of attribute names in LDAPEntry.
>> * Aggregate IPASimpleLDAPObject in LDAPEntry.
>> * Support attributes with multiple names in LDAPEntry.
>> * Use full DNs in plugin code.
>> * Remove DN normalization from the baseldap plugin.
>> * Remove support for DN normalization from LDAPClient.
>> * Fix remove while iterating in suppress_netgroup_memberof.
>> * Remove disabled entries from sudoers compat tree.
>> * Fix internal error in output_for_cli method of sudorule_{enable,disable}.
>> * Do not fail if schema cannot be retrieved from LDAP server.
>> * Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.
>> * Allow disabling attribute decoding in LDAPClient and IPAdmin.
>> * Disable schema retrieval and attribute decoding when talking to AD GC.
>> * Add Kerberos ticket flags management to service and host plugins.
>>
>> John Dennis (2):
>> * Cookie Expires date should be locale insensitive
>> * Use secure method to acquire IPA CA certificate
>>
>> Lynn Root (4):
>> * Switch %r specifiers to '%s' in Public errors
>> * Added the ability to do Beta versioning
>> * Fixed the catch of the hostname option during ipa-server-install
>> * Raise ValidationError when CSR does not have a subject hostname
>>
>> Martin Kosek (58):
>> * Add Lynn Root to Contributors.txt
>> * Enable SSSD on client install
>> * Fix delegation-find command --group handling
>> * Do not crash when Kerberos SRV record is not found
>> * permission-find no longer crashes with --targetgroup
>> * Avoid CRL migration error message
>> * Sort LDAP updates properly
>> * Upgrade process should not crash on named restart
>> * Installer should not connect to 127.0.0.1
>> * Fix migration for openldap DS
>> * Remove unused krbV imports
>> * Use fully qualified CCACHE names
>> * Fix permission_find test error
>> * Add trustconfig-show and trustconfig-mod commands
>> * ipa-kdb: add sentinel for LDAPDerefSpec allocation
>> * ipa-kdb: avoid ENOMEM when all SIDs are filtered out
>> * ipa-kdb: reinitialize LDAP configuration for known realms
>> * Add SID blacklist attributes
>> * ipa-kdb: read SID blacklist from LDAP
>> * ipa-sam: Fill SID blacklist when trust is added
>> * ipa-adtrust-install should ask for SID generation
>> * Test NetBIOS name clash before creating a trust
>> * Generalize AD GC search
>> * Do not hide SID resolver error in group-add-member
>> * Add support for AD users to hbactest command
>> * Fix hbachelp examples formatting
>> * ipa-kdb: remove memory leaks
>> * ipa-kdb: fix retry logic in ipadb_deref_search
>> * Add autodiscovery section in ipa-client-install man pages
>> * Avoid internal error when user is not Trust admin
>> * Use fixed test domain in realmdomains test
>> * Bump FreeIPA version for development branch
>> * Remove ORDERING for IA5 attributeTypes
>> * Fix includedir directive in krb5.conf template
>> * Use new 389-ds-base cleartext password API
>> * Do not hide idrange-add errors when adding trust
>> * Preserve order of servers in ipa-client-install
>> * Avoid multiple client discovery with fixed server list
>> * Update named.conf parser
>> * Use tkey-gssapi-keytab in named.conf
>> * Do not force named connections on upgrades
>> * ipa-client discovery with anonymous access off
>> * Use temporary CCACHE in ipa-client-install
>> * Improve client install LDAP cert retrieval fallback
>> * Configure ipa_dns DS plugin on install and upgrade
>> * Fix structured DNS record output
>> * Bump selinux-policy requires
>> * Clean spec file for Fedora 19
>> * Remove build warnings
>> * Remove syslog.target from ipa.server
>> * Put pid-file to named.conf
>> * Update mod_wsgi socket directory
>> * Normalize RA agent certificate
>> * Require 389-base-base 1.3.0.5
>> * Change CNAME and DNAME attributes to single valued
>> * Improve CNAME record validation
>> * Improve DNAME record validation
>> * Become 3.2.0 Prerelease 1
>>
>> Petr Spacek (1):
>> * Add 389 DS plugin for special idnsSOASerial attribute handling
>>
>> Petr Viktorin (101):
>> * Sort Options and Outputs in API.txt
>> * Add the CA cert to LDAP after the CA install
>> * Better logging for AdminTool and ipa-ldap-updater
>> * Port ipa-replica-prepare to the admintool framework
>> * Make ipapython.dogtag log requests at debug level, not info
>> * Don't add another nsDS5ReplicaId on updates if one already exists
>> * Improve `ipa --help` output
>> * Print help to stderr on error
>> * Store the OptionParser in the API, use it to print unified help messages
>> * Simplify `ipa help topics` output
>> * Add command summary to `ipa COMMAND --help` output
>> * Mention `ipa COMMAND --help` as the preferred way to get command help
>> * Parse command arguments before creating a context
>> * Add tests for the help command & --help options
>> * In topic help text, mention how to get help for commands
>> * Check SSH connection in ipa-replica-conncheck
>> * Use ipauniqueid for the RDN of sudo commands
>> * Prevent a sudo command from being deleted if it is a member of a sudo rule
>> * Update sudocmd ACIs to use targetfilter
>> * Add the version option to all Commands
>> * Add ipalib.messages
>> * Add client capabilities, enable messages
>> * Rename the "messages" Output of the i18n_messages command to "texts"
>> * Fix permission validation and normalization in aci.py
>> * Remove csv_separator and csv_skipspace Param arguments
>> * Drop support for CSV in the CLI client
>> * Update argument docs to reflect dropped CSV support
>> * Update plugin docstrings (topic help) to reflect dropped CSV support
>> * cli: Do interactive prompting after a context is created
>> * Remove some unused imports
>> * Remove unused methods from Entry, Entity, and IPAdmin
>> * Derive Entity class from Entry, and move it to ldapupdate
>> * Use explicit loggers in ldap2 code
>> * Move LDAPEntry to ipaserver.ipaldap and derive Entry from it
>> * Remove connection-creating code from SchemaCache
>> * Move the decision to force schema updates out of IPASimpleLDAPObject
>> * Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap
>> * Start LDAPConnection, a common base for ldap2 and IPAdmin
>> * Make IPAdmin not inherit from IPASimpleLDAPObject
>> * Move schema-related methods to LDAPConnection
>> * Move DN handling methods to LDAPConnection
>> * Move filter making methods to LDAPConnection
>> * Move entry finding methods to LDAPConnection
>> * Remove unused proxydn functionality from IPAdmin
>> * Move entry add, update, remove, rename to LDAPConnection
>> * Implement some of IPAdmin's legacy methods in terms of LDAPConnection methods
>> * Replace setValue by keyword arguments when creating entries
>> * Use update_entry with a single entry in adtrustinstance
>> * Replace entry.getValues() by entry.get()
>> * Replace entry.setValue/setValues by item assignment
>> * Replace add_s and delete_s by their newer equivalents
>> * Change {add,update,delete}_entry to take LDAPEntries
>> * Remove unused imports from ipaserver/install
>> * Remove unused bindcert and bindkey arguments to IPAdmin
>> * Turn the LDAPError handler into a context manager
>> * Remove dbdir, binddn, bindpwd from IPAdmin
>> * Remove IPAdmin.updateEntry calls from fix_replica_agreements
>> * Remove IPAdmin.get_dns_sorted_by_length
>> * Replace IPAdmin.checkTask by replication.wait_for_task
>> * Introduce LDAPEntry.single_value for getting single-valued attributes
>> * Remove special-casing for missing and single-valued attributes in
>> LDAPUpdate._entry_to_entity
>> * Replace entry.getValue by entry.single_value
>> * Replace getList by a get_entries method
>> * Remove toTupleList and attrList from LDAPEntry
>> * Rename LDAPConnection to LDAPClient
>> * Replace addEntry with add_entry
>> * Replace deleteEntry with delete_entry
>> * Fix typo and traceback suppression in replication.py
>> * replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
>> * Inline inactivateEntry in its only caller
>> * Inline waitForEntry in its only caller
>> * Proxy LDAP methods explicitly rather than using __getattr__
>> * Remove search_s and search_ext_s from IPAdmin
>> * Replace IPAdmin.start_tls_s by an __init__ argument
>> * Remove IPAdmin.sasl_interactive_bind_s
>> * Remove IPAdmin.simple_bind_s
>> * Remove IPAdmin.unbind_s(), keep unbind()
>> * Use ldap instead of _ldap in ipaldap
>> * Do not use global variables in migration.py
>> * Use IPAdmin rather than raw python-ldap in migration.bind
>> * Use IPAdmin rather than raw python-ldap in ipactl
>> * Remove some uses of raw python-ldap
>> * Improve LDAPEntry tests
>> * Fix installing server with external CA
>> * Change DNA magic value to -1 to make UID 999 usable
>> * Move ipaldap to ipapython
>> * Remove ipaserver/ipaldap.py
>> * Use IPAdmin rather than raw python-ldap in ipa-client-install
>> * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
>> * Remove unneeded python-ldap imports
>> * Don't download the schema in ipadiscovery
>> * ipa-server-install: Make temporary pin files available for the whole
>> installation
>> * ipa-server-install: Remove the --selfsign option
>> * Remove unused ipapython.certdb.CertDB class
>> * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil
>> wrapper
>> * Trust CAs from PKCS#12 files even if they don't have Friendly Names
>> * dsinstance, httpinstance: Don't hardcode 'Server-Cert'
>> * Support installing with custom SSL certs, without a CA
>> * Load the CA cert into server NSS databases
>> * Do not call cert-* commands in host plugin if a RA is not available
>> * ipa-client-install: Do not request host certificate if server is CA-less
>>
>> Petr Vobornik (38):
>> * Make confirm_dialog a base class of revoke and restore certificate dialogs
>> * Make confirm_dialog a base class for deleter dialog
>> * Make confirm_dialog a base class for message_dialog
>> * Confirm mixin
>> * Confirm adder dialog by enter
>> * Confirm error dialog by enter
>> * Focus last dialog when some is closed
>> * Confirm association dialogs by enter
>> * Standardize login password reset, user reset password and host set OTP dialogs
>> * Focus first input element after 'Add and Add another'
>> * Enable mod_deflate
>> * Use Uglify.js for JS optimization
>> * Dojo Builder
>> * Config files for builder of FreeIPA UI layer
>> * Minimal Dojo layer
>> * Web UI development environment directory structure and configuration
>> * Web UI Sync development utility
>> * Move of Web UI non AMD dep. libs to libs subdirectory
>> * Move of core Web UI files to AMD directory
>> * Update JavaScript Lint configuration file
>> * AMD config file
>> * Change Web UI sources to simple AMD modules
>> * Updated makefiles to build FreeIPA Web UI layer
>> * Change tests to use AMD loader
>> * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
>> * Develop.js extended
>> * Allow to specify modules for which builder doesn't raise dependency error
>> * Web UI build profile updated
>> * Combobox keyboard support
>> * Fix dirty state update of editable combobox
>> * Fix handling of no_update flag in Web UI
>> * Web UI: configurable SID blacklists
>> * Web UI:Certificate pages
>> * Web UI:Choose different search option for cert-find
>> * Fixed Web UI build error caused by rhino changes in F19
>> * Nestable checkbox/radio widget
>> * Added Web UI support for service PAC type option: NONE
>> * Web UI: Disable cert functionality if a CA is not available
>>
>> Rob Crittenden (16):
>> * Convert uniqueMember members into DN objects.
>> * Add Ana Krivokapic to Contributors.txt
>> * Do SSL CA verification and hostname validation.
>> * Don't initialize NSS if we don't have to, clean up unused cert refs
>> * Update anonymous access ACI to protect secret attributes.
>> * Make certmonger a (pre) requires on server, restart it before upgrading
>> * Use new certmonger locking to prevent NSS database corruption.
>> * Improve migration performance
>> * Add LDAP server fallback to client installer
>> * Prevent a crash when no entries are successfully migrated.
>> * Implement the cert-find command for the dogtag CA backend.
>> * Add missing v3 schema on upgrades, fix typo in schema.
>> * Don't base64-encode the CA cert when uploading it during an upgrade.
>> * Extend ipa-replica-manage to be able to manage DNA ranges.
>> * Improve some error handling in ipa-replica-manage
>> * Fix lockout of LDAP bind.
>>
>> Simo Sorce (2):
>> * Log info on failure to connect
>> * Upload CA cert in the directory on install
>>
>> Sumit Bose (17):
>> * ipa-kdb: remove unused variable
>> * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
>> * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
>> * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
>> * ipa-lockout: Wrong sizeof argument in ipa_lockout.c
>> * ipa-extdom: Double-free in ipa_extdom_common.c
>> * ipa-pwd: Unchecked return value ipapwd_chpwop()
>> * Revert "MS-PAC: Special case NFS services"
>> * Add NFS specific default for authorization data type
>> * ipa-kdb: Read global default ipaKrbAuthzData
>> * ipa-kdb: Read ipaKrbAuthzData with other principal data
>> * ipa-kdb: add PAC only if requested
>> * Add unit test for get_authz_data_types()
>> * Mention PAC issue with NFS in service plugin doc
>> * Allow 'nfs:NONE' in global configuration
>> * Add support for cmocka C-Unit Test framework
>> * ipa-pwd-extop: do not use dn until it is really set
>>
>> Timo Aaltonen (1):
>> * convert the base platform modules into packages
>>
>> Tomas Babej (18):
>> * Relax restriction for leading/trailing whitespaces in *-find commands
>> * Forbid overlapping rid ranges for the same id range
>> * Fix a typo in ipa-adtrust-install help
>> * Prevent integer overflow when setting krbPasswordExpiration
>> * Add option to specify SID using domain name to idrange-add/mod
>> * Prevent changing protected group's name using --setattr
>> * Use default.conf as flag of IPA client being installed
>> * Make sure appropriate exit status is returned in make-test
>> * Make options checks in idrange-add/mod consistent
>> * Add trusted domain range objectclass when using idrange-mod
>> * Perform secondary rid range overlap check for local ranges only
>> * Add support for re-enrolling hosts using keytab
>> * Make sure uninstall script prompts for reboot as last
>> * Remove implicit Str to DN conversion using *-attr
>> * Enforce exact SID match when adding or modifying a ID range
>> * Allow host re-enrollment using delegation
>> * Add logging to join command
>> * Properly handle ipa-replica-install when its zone is not managed by IPA
>>
>> sbose (1):
>> * ipa-kdb: Free talloc autofree context when module is closed
>>
> 