[Freeipa-users] Announcing FreeIPA 4.1.0

Petr Vobornik pvoborni at redhat.com
Thu Oct 23 10:19:18 UTC 2014

The FreeIPA team is proud to announce FreeIPA v4.1.0!

It can be downloaded from http://www.freeipa.org/page/Downloads. The 
builds will be available for Fedora 21. Builds for Fedora 20 are 
available in the official COPR repository 

== Highlights in 4.1 ==
=== Enhancements ===
* New concept of 'ID Views' allowing FreeIPA administrator to define or 
override POSIX attributes for users/groups coming from trusted domains. 
Such users then do not need to have POSIX attributes defined in the 
Active Directory to authenticate to FreeIPA clients. It also allows to 
assign particular view to selected hosts or hostgroups, thus allowing 
having a user / group with different POSIX attributes on different 
hosts. Per-host overrides should be used with extreme care! 
* New tool ipa-cacert-manage to manually renew or change FreeIPA PKI CA 
certificate [http://www.freeipa.org/page/V4/CA_certificate_renewal]
* DNSSEC Support
* OTP authentication plugin now prevents multiple usage of token codes 
on a single FreeIPA server
* DNS interface now supports adding DNS root zone (".") allowing admin 
to for example centrally override DNS root hints.
* DNS zone adding interface was simplified - name server and it's IP 
address is no longer required. The list of authoritative name servers 
are read from LDAP
* Seamless signing of FreeIPA CA us a subCA in Windows Certificate 
Services [https://fedorahosted.org/freeipa/ticket/4496]
* New option --request-cert to optionally request host certificates on 
FreeIPA clients (to /etc/ipa/nssdb/)
* CLI and Web UI for 'retrive keytab' and 'create keytab' authorization 
* Services can now be assigned as members of RBAC roles
* `ipa` command run with `-vv` option now prints JSON request and reply 
exchanged with the FreeIPA server. `-vvv` also prints HTTP communication.
* Description attribute is no longer required (e.g. in groups, sudo 
command groups or others) given that it is also not required in schema.
* Packages can be now built and installed on RHEL/CentOS 7.0
* ipa-replica-prepare now waits for the replica DNS record to be 
available to fix race conditions in automated test environments
* Port 8443 is now checked before server installation to prevent 
failures in configuring PKI which uses the port

=== Bug fixes ===
* Server installers can now handle hosts with multiple IPv4 or IPv6 
* DNS zone interface no longer accepts `--class` option as it had no 
effect as FreeIPA DNS only supports 'IN' class.
* ipa-ldap-upgrade restores Directory Server settings when upgrade fails
* SSLv3.0 (CVE-2014-3566) ciphers are now disabled on new installations

=== DNSSEC Support ===
FreeIPA now automates basic key management for Domain Name System 
Security Extensions (DNSSEC) 
Before you start signing you DNS zones you have to install DNSSEC key 
master role to an existing FreeIPA DNS server using command:
  ipa-dns-install --dnssec-master

It allows you to enable DNSSEC for particular DNS zone using command:
  ipa dnszone-mod zone.name.example. --dnssec=true

This command will generate new zone keys, distribute keys to all FreeIPA 
DNS servers and configure all servers to independently sign the zone. 
Please keep in mind that it can take few minutes before all servers sign 
the zone.

==== Known Limitations ====
* User has to manually upload Delegation Signer (DS) record 
to parent DNS zone to establish chain of trust.

* User has to manually confirm that DS record in parent zone was 
published otherwise Key Signing Key (KSK) 
will not be rotated. This confirmation has to be done on FreeIPA server 
with key master role using following command:
   sudo -u ods ods-ksmutil key ds-seen --zone zone.name.example. 
--keytag 12345
* Keytag can be obtained from dig output:
   dig +dnssec zone.name.example. DS

* User is not notified about automated key rotation. This does not lower 
stability of the system because of `ds-seen` logic mentioned above.

* Key and signing policy cannot be changed using FreeIPA tools. 
Currently it is stored in `/etc/opendnssec/kasp.xml` file on DNSSEC key 
master server. Manual changes to `kasp.xml` will be lost during next 
FreeIPA upgrade.

* Only one FreeIPA server can have DNSSEC key master role:
** *Please plan carefully, current version does not allow you to easily 
move DNSSEC master role to a different server.*
** DNSSEC key management will not work when the key master is not 
running, i.e. DNSSEC keys will not be rotated according to the policy 
and keys for new zones will not be generated.

== Known Issues ==
* Directory Server may deadlock in some situations (tracked in upstream 
ticket [https://fedorahosted.org/freeipa/ticket/4635]).
* SSLv3.0 (CVE-2014-3566) ciphers are not disabled on upgrades. See 
CVE-2014-3566 and referred external articles on advise how to deal with 
this vulnerability.

== Upgrading ==
An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment 
(e.g. FedUp) which does not allow running the LDAP server during upgrade 
process, upgrade scripts need to be run manually after the first boot:

  # ipa-ldap-updater --upgrade
  # ipa-upgradeconfig

Also note that the performance improvements require an extended set of 
indexes to be configured. RPM update for an IPA server with a excessive 
number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks, not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from 
previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users 
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or 
#freeipa channel on Freenode.

== Detailed Changelog since 4.0.0 ==

  Alexander Bokovoy (15):
       ipaserver/dcerpc.py: if search of a closest GC failed, try to 
find any GC
       ipaserver/dcerpc.py: make PDC discovery more robust
       ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts 
on Windows Server prior to 2012
       ipaserver/dcerpc.py: be more open to what domains can be seen 
through the forest trust
       ipaserver/dcerpc.py: Make sure trust is established only to 
forest root domain
       Support overridding user shell in ID views
       Allow user overrides to specify SSH public keys
       Allow user overrides to specify GID of the user
       Allow override of gecos field in ID views
       Update API version for ID views support
       Require slapi-nis 0.54 or later for ID views support
       Support idviews in compat tree
       Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature
       updater: enable uid uniqueness plugin for posixAccounts
       Default to use TLSv1.0 and TLSv1.1 on the IPA server side

  Ana Krivokapić (1):
       Remove internaldb password from password.conf

  David Kupka (20):
       Fix ipa-client-install --uninstall crash
       Always record that pkicreate has been executed.
       Improve password validity check.
       Fix group-remove-member crash when group is removed from a 
protected group
       test group: remove group from protected group.
       Verify otptoken timespan is valid
       Add record(s) to /etc/host when IPA is configured as DNS server.
       Use certmonger D-Bus API instead of messing with its files.
       Do not restart apache server when not necessary.
       Allow user to force Kerberos realm during installation.
       Fix typo causing ipa-upgradeconfig to fail.
       Add 'host' setting into default.conf configuration file on 
client. Fix description in man page.
       Detect and configure all usable IP addresses.
       Do not require description in UI.
       Fix example usage in ipa man page.
       Check that port 8443 is available when installing PKI.
       Set IPA CA for freeipa certificates.
       Stop dogtag when updating its configuration in ipa-upgradeconfig.
       Fix printing of reverse zones in ipa-dns-install.
       Fix typo causing certmonger is provided with wrong path to 

  Gabe Alford (5):
       Fix typos in dns.py
       Enable debug pid in smb.conf
       ipa trust-add command should be interactive
       Fix hardcoded lib dir in freeipa.spec
       Missing requires on python-dns in spec file

  Jakub Hrozek (1):
       CLIENT: Explicitly require python-backports-ssl_match_hostname

  Jan Cholasta (100):
       Check if /root/ipa.csr exists when installing server with 
external CA.
       Exclude attributelevelrights from --raw result processing in 
       Add function for checking if certificate is self-signed to 
       Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
       Allow IPA master hosts to update CA certificate in LDAP.
       Automatically update CA certificate in LDAP on renewal.
       Track CA certificate using dogtag-ipa-ca-renew-agent.
       Add method for setting CA renewal master in LDAP to CAInstance.
       Provide additional functions to ipapython.certmonger.
       Move external cert validation from ipa-server-install to 
       Add method for verifying CA certificates to NSSDatabase.
       Add permissions for CA certificate renewal.
       Add CA certificate management tool ipa-cacert-manage.
       Alert user when externally signed CA is about to expire.
       Load sysupgrade.state on demand.
       Pick new CA renewal master when deleting a replica.
       Remove master ACIs when deleting a replica.
       Do not use ldapi in certificate renewal scripts.
       Check that renewed certificates coming from LDAP are actually 
       Allow IPA master hosts to read and update IPA master information.
       Do not treat the IPA RA cert as CA cert in DS NSS database.
       Remove certificate "External CA cert" from /etc/pki/nssdb on 
client uninstall.
       Allow specifying trust flags in NSSDatabase and CertDB method 
       Fix trust flags in HTTP and DS NSS databases.
       Add LDAP schema for wrapped cryptographic keys.
       Add LDAP schema for certificate store.
       Add container for certificate store.
       Configure attribute uniqueness for certificate store.
       Add permissions for certificate store.
       Add functions for extracting certificates fields in DER to 
       Add function for extracting extended key usage from certs to 
       Add certificate store module ipalib.certstore.
       Upload CA chain from DS NSS database to certificate store on 
server install.
       Upload CA chain from DS NSS database to certificate store on 
server update.
       Rename CertDB method add_cert to import_cert.
       Add new add_cert method for adding certificates to NSSDatabase 
and CertDB.
       Import CA certs from certificate store to DS NSS database on 
replica install.
       Import CA certs from certificate store to HTTP NSS database on 
server install.
       Upload renewed CA cert to certificate store on renewal.
       Refactor CA certificate fetching code in ipa-client-install.
       Support multiple CA certificates in /etc/ipa/ca.crt in 
       Add function for writing list of certificates to a PEM file to 
       Get CA certs for /etc/ipa/ca.crt from certificate store in 
       Allow overriding NSS database path in RPCClient.
       Get CA certs for /etc/pki/nssdb from certificate store in 
       Add functions for DER encoding certificate extensions to ipalib.x509.
       Get CA certs for system-wide store from cert store in 
       Get up-to-date CA certificates from certificate store in 
       Add client certificate update tool ipa-certupdate.
       Export full CA chain to /etc/ipa/ca.crt in ipa-server-install.
       Allow multiple CA certificates in replica info files.
       Add new NSSDatabase method get_cert for getting certs from NSS 
       Allow changing chaining of the IPA CA certificate in 
       Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert.
       Allow adding CA certificates to certificate store in 
       Allow upgrading CA-less to CA-full using ipa-ca-install.
       Update external CA cert in Dogtag NSS DB on IPA CA cert renewal.
       Enable NSS PKIX certificate path discovery and validation for Dogtag.
       Add test for baseldap.entry_to_dict.
       Fix parsing of long nicknames in certutil -L output.
       Convert external CA chain to PKCS#7 before passing it to pkispawn.
       Allow changing CA renewal master in ipa-csreplica-manage.
       Normalize external CA cert before passing it to pkispawn
       Make CA-less ipa-server-install option --root-ca-file optional.
       Backup CS.cfg before modifying it
       Use autobind when updating CA people entries during certificate 
       Fix certmonger code causing the ca_renewal_master update plugin 
to fail
       Allow RPM upgrade from ipa-* packages
       Include ipaplatform in client-only build
       Include the ipa command in client-only build
       Allow specifying signing algorithm of the IPA CA cert in 
       Add NSSDatabase.import_files method for importing files in 
various formats
       External CA installer options usability fixes
       CA-less installer options usability fixes
       Allow choosing CA-less server certificates by name
       Do stricter validation of CA certificates
       Introduce NSS database /etc/ipa/nssdb
       Move NSSDatabase from ipaserver.certs to ipapython.certdb
       Add NSSDatabase.has_nickname for checking nickname presence in a 
       Use NSSDatabase instead of direct certutil calls in client code
       Use /etc/ipa/nssdb to get nicknames of IPA certs installed in 
       Check if IPA client is configured in ipa-certupdate
       Get server hostname from jsonrpc_uri in ipa-certupdate
       Remove ipa-ca.crt from systemwide CA store on client uninstall 
and cert update
       Fix certmonger.wait_for_request
       Fix certmonger search for the CA cert in ipa-certupdate and 
       Add missing imports to ipapython.certdb
       Remove misleading authorization error message in cert-request 
with --add
       Split off generic Red Hat-like platform code from Fedora platform 
       Add RHEL platform module
       Support building RPMs for RHEL/CentOS 7.0
       Support MS CS as the external CA in ipa-server-install and 
       Allow specifying signing algorithm of the IPA CA cert in 
       Fix CA cert validity check for CA-less and external CA installer 
       Fix certmonger.request_cert
       Add ipa-client-install switch --request-cert to request cert for 
the host
       Do not create ipa-pki-proxy.conf if CA is not configured in 
       Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
       Check LDAP instead of local configuration to see if IPA CA is enabled
       DNSSEC: remove container_dnssec_keys

  Ludwig Krispenz (2):
       Update SSL ciphers configured in 389-ds-base
       Ignore irrelevant subtrees in schema compat plugin

  Lukáš Slebodník (2):
       Fix warning: Using uninitialized value ld.
       Add missing break

  Martin Bašti (48):
       Fix DNS upgrade plugin should check if DNS container exists
       FIX: named_enable_dnssec should verify if DNS is installed
       Allow to add host if AAAA record exists
       Tests: host tests with dns
       Fix dnsrecord-mod raise error if last record attr is removed
       DNSSEC: fix DS record validation
       Tests: DNS dsrecord validation
       DNS fix NS record coexistence validator
       Test: DNS NS validation
       Fix DNS record rename test
       FIX DNS wildcard records (RFC4592)
       Tests: DNS wildcard records
       dnszone-remove-permission should raise error
       DNS: remove --class option
       WebUI: DNS: remove --class option
       FIX: ldap schmema updater needs correct ordering of the updates
       Fix DNS plugin to allow to add root zone
       DNS test: allow '.' as zone name
       Deprecation of --name-server and --ip-address option in DNS
       Add correct NS records during installation
       DNS: autofill admin email
       WebUI: DNS: Remove ip-address, admin-email options
       DNS tests: tests update to due to change in options
       Remove --ip-address, --name-server otpions from DNS help
       Refactoring of autobind, object_exists
       LDAP disable service
       DNS missing tests
       Fix ipactl service ordering
       Add missing attributes to named.conf
       Make named.conf template platform independent
       Remove ipaContainer, ipaOrderedContainer objectclass
       Add mask, unmask methods for service
       DNSSEC: dependencies
       DNSSEC: schema
       DNSSEC: add ipapk11helper module
       DNSSEC: DNS key synchronization daemon
       DNSSEC: opendnssec services
       DNSSEC: platform paths and services
       DNSSEC: validate forwarders
       DNSSEC: modify named service to support dnssec
       DNSSEC: installation
       DNSSEC: uninstallation
       DNSSEC: upgrading
       DNSSEC: ACI
       DNSSEC: add files to backup
       DNSSEC: change link to ipa page
       fix DNSSEC restore named state
       fix forwarder validation errors

  Martin Košek (8):
       Do not require dogtag-pki-server-theme
       Allow hashed passwords in DS
       Do not crash client basedn discovery when SSF not met
       ipa-adtrust-install does not re-add member in adtrust agents group
       Sudorule RunAsUser should work with external groups
       Raise better error message for permission added to generated tree
       Remove changetype attribute from update plugin
       Update contributors

  Nathaniel McCallum (13):
       Fix login password expiration detection with OTP
       Update freeipa-server krb5-server dependency to 1.11.5-5
       Fix ipa-getkeytab for pre-4.0 servers
       Add TOTP watermark support
       Ensure ipaUserAuthTypeClass when needed on user creation
       Update qrcode support for newer python-qrcode
       Use stack allocation when writing values during otp auth
       Move OTP synchronization step to after counter writeback
       Remove token ID from self-service UI
       Remove token vendor, model and serial defaults
       Display token type when viewing token
       Create ipa-otp-counter 389DS plugin
       Configure IPA OTP Last Token plugin on upgrade

  Petr Viktorin (34):
       baseldap: Return empty string when no effective rights are found
       ldap2 indirect membership processing: Use global limits if 
greater than per-query ones
       test_xmlrpc: Update tests
       Update API.txt
       test_ipagetkeytab: Fix assertion in negative test
       Support delegating RBAC roles to service principals
       service: Normalize service principal in get_dn
       freeipa.spec.in: Add python-backports-ssl_match_hostname to 
       permission plugin: Make --target available in the CLI
       permission plugin: Improve description of the target option
       Add managed read permissions for compat tree
       Fix: Add managed read permissions for compat tree and operational 
       Update referential integrity config for DS 1.3.3
       permission plugin: Auto-add operational atttributes to read 
       Allow deleting obsolete permissions; remove operational attribute 
       ipaserver.install: Consolidate system user creation
       ipa_restore: Split the services list
       backup,restore: Don't overwrite /etc/{passwd,group}
       ipa_backup: Log where the backup is be stored
       Add basic test for backup & restore
       Add test for backup/delete system users/restore
       JSON client: Log pretty-printed request and response with -vv or 
       test_permission_plugin: Check legacy permissions
       upgradeinstance: Restore listeners on failure
       ipa-replica-prepare: Wait for the DNS entry to be resolvable
       Move setting SELinux booleans to platform code
       ipa-restore: Set SELinux booleans when restoring
       ipaserver.install.service: Don't show error message on SystemExit(0)
       VERSION,Makefile: Rename "pre" to "alpha"
       Become IPA 4.1.0 Alpha 1
       test_service_plugin: Do not lowercase memberof_role
       test_forced_client_reenrollment: Don't check for host certificates
       backup/restore: Add files from /etc/ipa/nssdb
       sudo integration test: Remove the local user test

  Petr Voborník (81):
       webui: capitalize labels of undo and undo all buttons
       webui: improve usability of attributes widget
       webui: add filter to attributes widget
       webui: optimize (re)creation of option widget
       webui: custom attr in attributes widget
       webui: attr widget: get list of possible attrs from 
       webui: option_widget_base: sort options
       webui: reflect readonly state
       webui: fix add of input group class
       webui: show managed fields as readonly and not disabled
       webui: fix selection of empty value in a select widget
       webui: disable ipapermbindruletype if permission in a privilege
       webui: fix disabled state of service's PAC type
       baseldap: return 'none' attr level right as unicode string
       webui: support wildcard attribute level rights
       webui: fix nested items creation in dropdown list
       webui: internet explorer fixes
       webui: detach facet nodes
       webui: replace action_buttons with action_widget
       webui: remove remaining action-button-disabled occurrences
       webui: add bounce url to reset_password.html
       webui-ci: fix reset password check
       webui: better error reporting
       webui-ci: fix table widget add
       webui: display expired session notification in a more visible area
       webui: improved info msgs on login/token sync/reset pwd pages
       webui: login screen - improved button switching
       webui: rename tooltip to title
       webui: tooltip support
       webui: better authentication types description
       webui: convert widget.less indentation to spaces
       webui: improve rule table css
       webui: sshkey widget - usability fixes
       webui: disable batch action buttons by default
       webui: fix group type padding
       webui: extract complex pkey on Add and Edit
       webui: adjust behavior of bounce url
       webui: do not show login error when switching back from otp sync 
       webui: switch associators if default doesn't work
       webui: notify psw change success only once
       webui: append network.negotiate-auth.trusted-uris
       install: create ff krb extension on every install, replica 
install and upgrade
       webui: add measurement unit to otp token time fields
       webui: better otp token type label
       webui: add token from user page
       webui: add i18n for the rest of QR code strings
       webui: display fields based on otp token type
       webui: better value-change reporting
       webui: widget initialization
       webui: hide empty fields and sections
       webui: hide non-readable fields
       webui: hide otp fields based on token type
       webui: fix regression in association facet preop
       webui-ci: case-insensitive record check
       webui: do not offer ipa-ad-winsync and ipa-ipa-trust range types
       webui: improve breadcrumb navigation
       webui: treat value as pkey in link widget
       webui: do not show internal facet name to user
       webui: allow to skip link widget link validation
       webui: add simple link column support
       webui: new ID views section
       webui: facet group labels for idview's facets
       webui: list only not-applied hosts in "apply to host" dialog
       webui: add link from host to idview
       webui-ci: adjust dnszone-add test to recent DNS changes
       dns: fix privileges' memberof during dns install
       keytab manipulation permission management
       tests: management of keytab permissions
       idviews: error out if appling Default Trust View on hosts
       webui: add link to OTP token app
       webui: add new iduseroverride fields
       webui: management of keytab permissions
       webui: allow --force in dnszone-mod and dnsrecord-add
       webui: make Evented a part of base IPA.object
       webui: change order of idview's facet groups
       webui: hide applied to hosts tab for Default Trust View
       webui: hide (un)apply buttons for Default Trust View
       webui: do not offer ipa users to Default Trust View
       webui: do not show closed dialog
       webui: update combobox input on list click
       Become IPA 4.1.0

Petr Špaček (1):
       DNSSEC: add ipa dnssec daemons

Rob Crittenden (1):
       No longer generate a machine certificate on client installs

Stephen Gallagher (1):
       Change BuildRequires for Java

Sumit Bose (4):
       ipa-kdb: fix unit tests
       extdom: add support for new version
       extdom: add support for sss_nss_getorigbyname()
       extdom: remove unused dependency to libsss_idmap

Tomáš Babej (44):
       trusts: Validate missing trust secret properly
       ipatests: tasks: Fix dns configuration for trusts
       trusts: Make cn=adtrust agents sysaccount nestedgroup
       baseldap: Remove redundant search from LDAPAddReverseMember and 
       ipalib: idrange: Make non-implemented range types fail the validation
       ipatests: test_trust: Add test to cover lookup of trusdomains
       ipa-client-install: Do not add already configured sources to 
nsswitch.conf entries
       ipalib: host_del: Extend LDAPDelete's takes_options instead of 
       Set the default attributes for RootDSE
       baseldap: Properly handle the case of renaming object to the same 
       idviews: Add necessary schema for the ID views
       idviews: Create container for ID views under cn=accounts
       idviews: Add ipaAssignedIDVIew reference to the host object
       ipalib: Remove redundant and star imports from host plugin
       ipalib: PEP8 fixes for host plugin
       idviews: Create basic idview plugin structure
       idvies: Add managed permissions for idview and idoverride objects
       hostgroup: Add helper that returns all members of a hostgroup
       hostgroup: Remove redundant and star imports
       hostgroup: Selected PEP8 fixes for the hostgroup plugin
       idviews: Add ipa idview-apply and idview-unapply commands
       idviews: Extend idview-show command to display assigned 
idoverrides and hosts
       trusts: Add conversion from SID to object name
       idviews: Support specifying object names instead of raw anchors only
       idviews: Split the idoverride object into iduseroverride and 
       idviews: Split the idoverride commands into iduseroverride and 
       idviews: Alter idoverride methods to work with splitted objects
       idviews: Change format of IPA anchor to include domain
       idviews: Raise NotFound errors if object to override could not be 
       idviews: Resolve anchors to object names in idview-show
       ipatests: Add xmlrpc tests for idviews plugin
       idviews: Add ipaOriginalUid
       idviews: Update the referential plugin config to watch for 
       idviews: Fix casing of ID Views to be consistent
       idviews: Make description optional for the ID View object
       idviews: Add Default Trust View as part of adtrustinstall
       idviews: Handle Default Trust View properly in the framework
       idviews: Make sure the dict.get method is not abused for MUST 
       idviews: Catch errors on unsuccessful AD object lookup when 
resolving object name to anchor
       idviews: Display the list of hosts when using --all
       idviews: Make sure only regular IPA objects are allowed to be 
       idviews: Create Default Trust View for upgraded servers
       idviews: Fix typo in upgrade handling of the Default Trust View
       spec: Bump SSSD requires to 1.12.2

Petr Vobornik

More information about the Freeipa-users mailing list