[Freeipa-users] Announcing FreeIPA 4.5.0

Aly Khimji aly.khimji at gmail.com
Wed Mar 15 18:50:09 UTC 2017


Congratulations on the release! Also for your continued efforts and hard
work!

Aly

On Mar 15, 2017 2:34 PM, "Martin Basti" <mbasti at redhat.com> wrote:

> Release date: 2017-03-15
>
> The FreeIPA team would like to announce FreeIPA 4.5.0 release!
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
> Fedora 25 and Fedora 26 will be available soon in the official COPR
> repository: <https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/>
>
>
> This announcement is also available at
> <http://www.freeipa.org/page/Releases/4.5.0>.
>
>
> == Highlights in 4.5.0 ==
>
> === Enhancements ===
> ==== AD User Short Names ====
> Support for AD users short names has been added. Short names can be
> enabled from CLI by setting `ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"`
> or from WebUI under ''Configuration'' tab. No manual configuration on
> SSSD side is required.
>
> Please note that this feature is not supported by SSSD yet and the work
> is tracked with <https://pagure.io/SSSD/sssd/issue/3210>
> * <https://www.freeipa.org/page/V4/AD_User_Short_Names>
>
> ==== FIPS 140-2 Support ====
> FreeIPA server and client can be installed on FIPS enabled systems. MD5
> fingerprints have been replaced with SHA256. Variable ''fips_mode'' has
> been added to env that indicates whether FIPS is turned on the server.
>
> Please note that FIPS 140-2 support may not work on some platforms
> because all dependencies of FreeIPA must support FIPS 140-2, which we
> cannot guarantee. (Should work with RHEL 7.4+.) The FreeIPA code itself
> is FIPS 140-2 compatible.
> * <https://www.freeipa.org/page/V4/FreeIPA-on-FIPS>
>
> ==== Certificate Identity Mapping ====
> Support for multiple certificates on Smart cards has been added. User
> can choose which certificate is used to authenticate. This allows to
> define multiple certificates per user.
> The same certificate can be used by different accounts, and the mapping
> between a certificate and an account can be done through binary match of
> the whole certificate or a match on custom certificate attributes (such
> as Subject + Issuer).
> * <https://www.freeipa.org/page/V4/Certificate_Identity_Mapping>
>
> ==== Improvements for Containerization ====
> AD trust and KRA can be installed in one step in containers without need
> to call subsequent ipa-adtrust-install and ipa-kra-install in containers.
> Option ''--setup-adtrust'' has been added to ''ipa-server-install'' and
> ''ipa-replica-install'', and option ''--setup-kra'' has been added to
> ''ipa-server-install''.
> * <https://pagure.io/freeipa/issue/6731>
> * <https://pagure.io/freeipa/issue/6630>
>
> ==== Semi-automatic Integration with External DNS ====
> Option "--out" has been added to command "ipa
> dns-update-system-records". This option allows to store IPA system DNS
> records in nsupdate format in specified file and can be used with
> nsupdate command to update records on an external DNS server. For more
> details see this howto
> <https://www.freeipa.org/page/Howto/Updating_FreeIPA_system_DNS_records_on_a_remote_DNS_server>
> * <https://pagure.io/freeipa/issue/6585>
>
> === Known Issues ===
> * CLI doesn't work after ''ipa-restore''
> <https://pagure.io/freeipa/issue/6748>
> * AD Trust doesn't work with enabled FIPS mode
> <https://pagure.io/freeipa/issue/6697>
> * ''cert-find'' does not find all certificates without sizelimit=0
> <https://pagure.io/freeipa/issue/6716>
>
> === Bug fixes ===
> Contains all bugfixes and enhancements of 4.4.1, 4.4.2, 4.4.3 releases
>
> ==== Installers Refactoring ====
> Installers code base has been migrated into modules and much code
> duplication has been removed.
> * <https://www.freeipa.org/page/V4/Installers_refactoring>
>
> ==== "Normal" group has been renamed to "Non-POSIX" in WebUI ====
> In the web UI, the group type label "Normal" has been changed to
> "Non-POSIX" to be compatible with CLI options. The semantics of group
> types is unchanged.
> * <https://pagure.io/freeipa/issue/6334>
>
> ==== Build System Refactoring ====
> Several improvements of FreeIPA build system have been done. In case you
> are package maintainer please read the following design document.
> * <https://www.freeipa.org/page/V4/Build_system_refactoring>
>
> ==== LDAP Connection Management Refactoring ====
> LDAP connection management has been standardized across FreeIPA and
> should prevent LDAP connection issues during installation and upgrades
> in future.
> * <https://www.freeipa.org/page/V4/LDAP_Connection_Management_Refactoring>
>
> ==== Do not fail when IPA server has shortname first in /etc/hosts ====
> Kerberos client library is now instructed to not attempt to canonicalize
> hostnames when issuing TGS requests. This improves security by avoiding
> DNS lookups during canonicalization and also improves robustness of
> service principal lookups in more complex DNS environments (clouds,
> containerized applications). Due to this change in behavior, care must
> be taken to specify correct FQDN in host/service principals as no
> attempt to resolve e.g. short names will be made.
> * <https://pagure.io/freeipa/issue/6584>
>
> ==== Replica Connection Check Improvements ====
> Improved connection check reduces possibility of failure in further
> installation steps. Now ports on both IPv4 and IPv6 addresses are
> checked (if available).
> * <https://www.freeipa.org/page/V4/Replica_Conncheck>
>
> ==== Replace NSS with OpenSSL ====
> Should reduce number of issues related to HTTPS connections. This change
> was also needed to support FIPS.
> * <https://www.freeipa.org/page/V4/Replace_NSS_with_OpenSSL>
>
> ==== Fully customisable CA name ====
>
> The CA subject name is now fully customisable, and is no longer
> required to be related to the certificate subject base.  The
> ''ipa-server-install'' and ''ipa-ca-install'' commands learned the
> ''--ca-subject'' and ''--subject-base'' options for configuring these
> values.
>
> * <https://pagure.io/freeipa/issue/2614>
>
> == Upgrading ==
> Upgrade instructions are available on [[Upgrade]] page.
>
> == Feedback ==
> Please provide comments, bugs and other feedback via the freeipa-users
> mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
> #freeipa channel on Freenode.
>
>
> == Resolved tickets ==
> * 6764 debian: python modules should be installed under dist-packages
> * 6759 replica prepare broken on KDC cert export
> * 6755 [certs.py] - "ipa-replica-prepare" command fails when trying to
> unlink non-existing "tmpcert.der" file in /var/lib/ipa/
> * 6750 Web page ipa/config/ssbrowser.html refers to missing
> ipa/config/ca.crt file
> * 6739 Cannot login to replica's WebUI
> * 6735 The ipa-managed-entries command failed, exception:
> AttributeError: ldap2
> * 6734 vaultconfig-show throws internal error
> * 6731 ipa-server-install: allow to in install KRA in one step
> * 6730 Harden client HTTPS connections
> * 6724 [test_csrgen.py] - comparison test scripts not reflected changes
> in "openssl_base.tmpl"
> * 6723 ipa systemd unit should define Wants=network instead of
> Requires=network
> * 6718 SessionMaxAge in /etc/httpd/conf.d/ipa.conf introduces regression
> * 6717 WebUI: change structure of Identity submenu
> * 6714 ipaclient.csrgen depends on ipaplatform
> * 6713 ipa: Insufficient permission check for ca-del, ca-disable and
> ca-enable commands (CVE-2017-2590)
> * 6712 WebUI: Arbitrary certificates on {user|host|service} details
> pages are not displayed in WebUI
> * 6707 Removal of IPAConfig broke Ipsilon's FreeIPA integration
> * 6701 Add SHA256 fingerprints
> * 6698 User with ticket gets GSS failure when calling freeipa CLI command
> * 6694 ipa-client-install command failed, TypeError: list found
> * 6690 Plugin schema cache is slow
> * 6686 ipa-replica-install fails promotecustodia.create_replica with
> cert errors (untrusted) after adding externally signed CA cert
> * 6685 logout does not work properly
> * 6682 session logout should not remove ccache
> * 6680 kra-agent.pem file is not auto-renewed by certmonger
> * 6676 unable to parse cookie header
> * 6675 KRA_AGENT_PEM file is missing
> * 6674 ipactl: noise error from pki-tomcatd start
> * 6673 httpd unit files deletes root ccache
> * 6670 PKINIT upgrade process is incomplete
> * 6661 Move ipa session data from keyring to ccaches
> * 6659 ipa-backup does not include /root/kracert.p12
> * 6650 [vault] Replace nss crypto with cryptography
> * 6648 Make ipa-cacert-manage man page more clear
> * 6647 batch param compatibility is incorrect
> * 6646 IdM Server: list all Employees with matching Smart Card
> * 6643 [RFE] Add ipa-whoami command
> * 6640 DS certificate request during replica install fails due to
> bytes/string mismatch
> * 6639 Rewrite the code handling discovery and adding of AD trust agents
> in AD trust installer
> * 6638 AD trust installer should be able to configure samba instance
> also without admin credentials
> * 6637 Build fails on Fedora 26
> * 6636 UnboundLocalError during ipa-client-install
> * 6634 --ignore-last-of-role is not in man page
> * 6633 IPA replica install log shows password in plain text
> * 6631 Use Python warnings for development
> * 6630 Merge AD trust installer to server/replica install
> * 6629 Migrate AD trust installer on the new-style installer framework
> * 6625 WSGI fails with internal server error when mode != production
> (locked attribute)
> * 6623 Stageuser is missing -{add,remove}-{cert,principal} commands
> * 6620 Remove ipa-upgradeconfig command
> * 6619 krb5 1.15 broke DAL principal free
> * 6608 IPA server installation should check if IPv6 stack is enabled
> * 6607 Deprecate SSLv2 from API config
> * 6606 Full backup and restore prevents KRA from installing
> * 6601 [RFE] WebUI: Certificate Identity Mapping
> * 6600 Legacy client tests doesn't have tree domain role.
> * 6598 [webui] Show "CA replica warning" only if there one or more
> replicas but only 1 CA
> * 6597 ipapython.version.DEFAULT_PLUGINS is not configured
> * 6596 Update ETAs in installers
> * 6588 replication race condition prevents IPA to install
> * 6586 Minor string fixes in dsinstance.py
> * 6585 [RFE] nsupdate output format in dns-update-system-records command
> * 6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN
> name of IPA server is first in /etc/hosts
> * 6578 IPA CLI will eventually stop working when invoked in parallel
> * 6575 ipa-replica-install fails on requesting DS cert when master is
> not configured with IPv6
> * 6574 description of --domain and --realm is confusing
> * 6573 CA-less replica installation fails due to attempted cert issuance
> * 6570 Duplicate PKINIT certificates being tracked after restoring IPA
> backup on re-installed master
> * 6565 FreeIPA server install fails (and existing servers probably fail
> to start) due to changes in 'dyndb' feature on merge to upstream BIND
> * 6564 IPA WebUI certificates are grayed out on overview page but not on
> details page
> * 6559 [py3] switch to PY3 causes warnings from IPA schema cache
> * 6558 [Py3] http session cookie doesn't work under Py3
> * 6551 Upgrade Samba configuration to not include keytab prefix
> * 6550 Refactor PKCS #7 parsing to use pyasn1_modules
> * 6548 [RFE] Mention ipa-backup in warning message before uninstalling
> IPA server
> * 6547 [RFE] Certificates issued by externally signed IdM CA should
> contain full trust chain
> * 6546 Delete option shouldn't be available for hosts applied to view.
> * 6542 [RFE] Certificate Identity Mapping
> * 6541 ipa-replica-install fails to import DS cert from replica file
> * 6540 Migration from ipa-3.0 fails due to crashing copy-schema-to-ca.py
> * 6539 ipa vault operations are not possible with an older server
> * 6538 KRA: add checks to prevent removing the last instance of KRA in
> topology
> * 6534 topology should not include A<->B segment "both" and B->A "left
> right" at the same time.
> * 6532 replica installation incorrectly sets
> nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x
> instance
> * 6526 remove "request certificate with subjectaltname" permission
> * 6522 ipa-replica-conncheck should check for open ports on all IPs
> resolved from hostname
> * 6518 Can not install IPA server when hostname is not DNS resolvable
> * 6514 replica install: request_service_cert doesn't raise error when
> certificate issuance failed
> * 6513 `ipa plugins` command crashes with internal error
> * 6512 Improve the robustness FreeIPA's i18n module and its tests
> * 6510 Wrong error message during failed domainlevel 0 installations
> without a replica file
> * 6508 ipa-ca-install on promoted replica hangs on creating a temporary
> CA admin
> * 6505 Make ipapython.kerberos.Principal.__repr__ show the actual
> principal name
> * 6504 Create a test for uniqueness of CA renewal master
> * 6503 IPA upgrade of replica without DNS fails during restart of
> named-pkcs11
> * 6500 ipa-server-upgrade fails with AttributeError
> * 6498 Build system must regenerate file when template changes.
> * 6497 Misleading error message in replica_conn_check()
> * 6496 remove references to ds_newinst.pl
> * 6495 DNSSEC: ipa-ods-expoter.socket creates incorrect socket and
> breaks DNSSEC signing
> * 6492 Register entry points of Custodia plugins
> * 6490 Add local-env subcommand to ipa script
> * 6489 Provide legacy client test coverage with tree root domain
> * 6487 ipa-replica-conncheck fails randomly (race condition)
> * 6486 Add NTP server list to ipaplatform
> * 6481 Create a test for instantiating rules with service principals
> * 6480 Update man page for ipa-adtrust-install by removing --no-msdcs
> option
> * 6474 Remove ipaplatform dependency from ipa modules
> * 6472 cert-request no longer accepts CSR with extraneous data
> surrounding PEM data
> * 6469 Use xml.etree instead of lxml in odsmgr.py
> * 6466 [abrt] krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV
> * 6461 LDAP Connection Management refactoring
> * 6460 NSSNickname enclosed in single quotes causes
> ipa-server-certinstall failure
> * 6457 ipa dnsrecord-add fails with Keyerror stack trace
> * 6455 Add example of RDN order for ipa-server-install --subject
> * 6451 Automate managed replication topology 4.4 features
> * 6448 Tests: Stageuser tracker creation of user with minimal values,
> with uid not specified
> * 6446 Create test for kerberos over http
> * 6445 Traceback seen in error_log when trustdomain-del is run
> * 6439 Members of nested netgroups configured in IdM cannot be seen by
> getent on clients
> * 6435 Fix zanata.xml config to skip testing ipa.pot file
> * 6434 Installers: perform host enrollment also in domain level 0
> replica install
> * 6433 Refactor installer code requesting certificates
> * 6420 Pretty print option of pytest makes tracker fail when used in ipa
> console
> * 6419 cert-show default output does not show validity
> * 6417 Skip topology disconnect/last of role checks when uninstalling
> single domain level 1 master
> * 6415 replica-install creates spurious entries in cn=certificates
> * 6412 Create tests for certs in idoverrides feature
> * 6410 Tests: Verify that cert commands show CA without --all
> * 6409 [RFE] extend ipa-getkeytab to support other LDAP bind methods
> * 6406 Use common mechanism for setting up initial replication in both
> domain levels
> * 6405 unify domain level-specific mechanisms for replica's DS/HTTP
> keytab generation
> * 6402 IPA Allows Password Reuse with History value defined when admin
> resets the password.
> * 6401 Revert expected returncode in replica_promotion test
> * 6400 Add file_exists method as a member of transport object
> * 6399 Object-Signing cert is unused; don't create it
> * 6398 Refactor certificate inspection code to use python-cryptography
> * 6397 WebUI: Services are not displayed correctly after upgrade
> * 6396 Cleanup AD trust information after tests
> * 6394 WebUI: Update Patternfly and Bootstrap to newer versions
> * 6393 Make httpd publish CA certificate on Domain Level 1
> * 6392 Installers refactoring tracker
> * 6388 WebUI: Adder dialog cannot be reopened in case that it is closed
> using ESC and dropdown field was focused
> * 6386 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
> * 6384 Web UI: Lowercase "b" in the "API browser" subtab label
> * 6381 ipa-cacert-manage man page should mention to run ipa-certupdate
> * 6375 ipa-replica-install fails when replica file created after
> ipa-ca-install on domain level 0
> * 6372 [RFE] allow managing prioritized list of trusted domains for
> unqualified ID resolution
> * 6369 [tracker] raise 389 requires when "Total init may fail if the
> pushed schema is rejected" is part of update
> * 6365 Custodia compatibility: add iSecStore.span method
> * 6359 test_0003_find_OCSP will never fail
> * 6358 ipa migrate-ds fails when it finds a referral
> * 6357 ipa-server-install script option --no_hbac_allow should match
> other options
> * 6354 regression: certmap.conf file is not backedup during
> ipa-server-upgrade
> * 6352 replica promotion with OTP: add additional info to "Insufficient
> privileges" error message
> * 6347 Tests: provide trust test coverage for tree root domains
> * 6344 [RFE] support URI resource records
> * 6343 [RFE] Allow login to WebUI using Kerberos aliases/enterprise
> principals
> * 6340 IPA client ipv6 - invalid --ip-address shows traceback
> * 6335 Set priority as required field in password policy
> * 6334 "Normal" group type in the UI is confusing
> * 6331 Reason is lost when CheckedIPAddress returns ValueError in
> ipa-client-install
> * 6308 [webui] Does not handle uppercase authentication indicators.
> * 6305 host/service-mod with --certificate= (remove all certs) does not
> revoke certs
> * 6295 cert-request is not aware of Kerberos principal aliases
> * 6269 cert-find --all does not show information about revocation
> * 6263 ipa-server-certinstall does not update all certificate stores and
> doesn't set proper trust permissions
> * 6226 ipa-replica-install in CA-less environment does not configure DS
> TLS - ipa-ca-install then fails on replica
> * 6225 [RFE] Web UI: allow Smart Card authentication - finalization
> * 6202 ipa-client-install - document that --server option expects FQDN
> * 6178 Add options to retrieve lightweight CA certificate/chain
> * 6169 ipa dnsforwardzone-add w/o arguments fails
> * 6144 RPC code should be agnostic to display layer
> * 6132 Broken setup if 3rd party CA certificate conflicts with
> system-wide CA certificate
> * 6128 Tests: Base tracker contains leftover attributes from host tracker
> * 6126 Tests: User tracker does not enable creation of user with minimal
> values
> * 6125 Tests: unaccessible variable self.attrs for entries that are not
> created via standard create method in Tracker
> * 6124 Tests: remove --force option from tracker base class
> * 6123 Tests: Tracker enables silent deleting and creating entries
> * 6114 Traceback message seen when ipa is provided with invalid
> configuration file name
> * 6088 test_installation.py tests involving KRA installation on replicas
> fail in domain level 0
> * 6005 Create an automated test for Certs in idoverrides feature
> * 5949 ipa-server-install: improve prompt on interactive installation
> * 5935 [py3] DNSName.ToASCII broken with python3
> * 5742 [RFE] [webui] Configurable page size / User config page
> * 5695 [RFE] FreeIPA on FIPS enabled systems
> * 5640 Framework does not respect sizelimit passed via webUI in some
> searches
> * 5348 [tracker] dig + dnssec does not display signature of freshly
> created root zone
> * 4821 UI drops "Unknown Error" when the ipa record in /etc/hosts changes
> * 4189 [RFE] Use GSS-Proxy for the HTTP service
> * 3461 [RFE] Extend freeipa's sudo to support selinux transition roles
> * 157 Python 3.2a1 in rawhide
>
> == Detailed changelog since 4.4.4 ==
> === Jan Barta (8) ===
> * pylint: fix bad-mcs-method-argument
> * pylint: fix bad-mcs-classmethod-argument
> * pylint: fix bad-classmethod-argument
> * pylint: fix old-style-class
> * pylint: fix redefine-in-handler
> * pylint: fix pointless-statement
> * pylint: fix unneeded-not
> * pylint: fix simplifiable-if-statement warnings
>
> === Alexander Bokovoy (7) ===
> * ipaserver/dcerpc.py: use arcfour_encrypt from samba
> * add whoami command
> * pkinit: make sure to have proper dictionary for Kerberos instance on
> upgrade
> * ipa-kdb: support KDB DAL version 6.1
> * ipa-kdb: search for password policies globally
> * adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
> * trustdomain-del: fix the way how subdomain is searched
>
> === Abhijeet Kasurde (11) ===
> * Minor typo fix in DNS install plugin
> * Update warning message for replica install
> * Add fix for ipa plugins command
> * Update man page of ipa-server-install
> * Remove deprecated ipa-upgradeconfig command
> * Update warning message for ipa server uninstall
> * Fix for handling CalledProcessError in authconfig
> * Enumerate available options in IPA installer
> * Provide user hint about IP address in IPA install
> * Add fix for no-hbac-allow option in server install
> * Added a fix for setting Priority as required field in Password Policy
> Details facet
>
> === Ben Lipton (8) ===
> * csrgen: Support encrypted private keys
> * csrgen: Allow overriding the CSR generation profile
> * csrgen: Automate full cert request flow
> * tests: Add tests for CSR autogeneration
> * csrgen: Use data_sources option to define which fields are rendered
> * csrgen: Add a CSR generation profile for user certificates
> * csrgen: Add CSR generation profile for caIPAserviceCert
> * csrgen: Add code to generate scripts that generate CSRs
>
> === Christian Heimes (88) ===
> * Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
> * Make pylint and jsl optional
> * Ignore ipapython/.DEFAULT_PLUGINS
> * Run test_ipaclient test suite
> * Chain CSR generator file loaders
> * Move csrgen templates into ipaclient package
> * Use https to get security domain from Dogtag
> * Cleanup certdb
> * Default to pkginstall=true without duplicated definitions
> * pylint: ignore pypi placeholders
> * Python build: use --build-base everywhere
> * Add with_wheels global to install wheel and PyPI packaging dependencies
> * Add placeholders for ipaplatform, ipaserver and ipatests
> * Add python-wheel as build requirement
> * Packaging: Add placeholder packages
> * Vault: port key wrapping to python-cryptography
> * Remove NSPRError exception from platform tasks
> * Remove import nss from test_ldap
> * certdb: Don't restore_context() of new NSSDB
> * Finish port to PyCA cryptography
> * Drop in-memory copy of schema zip file
> * Speed up client schema cache
> * C compilation fixes and hardening
> * lite-server: validate LDAP connection and cache schema
> * Add --without-ipatests option
> * Add missing include of stdint.h for uint8_t
> * Client-only builds with --disable-server
> * New lite-server implementation
> * Explain more performance tricks in doc string
> * Fix test, nested lists are no longer converted to nested tuples
> * Pretty print JSON in debug mode (debug level >= 2)
> * Convert list to tuples
> * Faster JSON encoder/decoder
> * Backup /root/kracert.p12
> * Ditch version_info and use version number from ipapython.version
> * test_StrEnum: use int as bad type
> * Stable _is_null check
> * cryptography has deprecated serial in favor of serial_number
> * Enable additional warnings (BytesWarning, DeprecationWarning)
> * Print test env information
> * Clean / ignore make check artefact
> * ipapython: Add dependencies on version.py
> * pytest: set rules to find test files and functions
> * Fix used before assignment bug in host_port_open()
> * Use pytest conftest.py and drop pytest.ini
> * Catch ValueError raised by pytest.config.getoption()
> * Silence pylint import errors of ipaserver in ipalib and ipaclient
> * Relax check for .git to support freeipa in submodules
> * Ignore backup~ files like config.h.in~
> * Fetch correct exception in IPA_CONFDIR test
> * Use env var IPA_CONFDIR to get confdir
> * Set explicit confdir option for global contexts
> * Remove import of ipaplatform.paths from test_ipalib
> * Remove BIN_FALSE and BIN_TRUE
> * Add pylint guard to import of ipaplatform in ipapython.certdb
> * Require python-gssapi >= 1.2.0, take 2
> * Backwards compatibility with setuptools 0.9.8
> * Require python-cryptography >= 1.3.1
> * Wheel bundles fixes
> * Require python-gssapi >= 1.2.0
> * Adjustments for setup requirements
> * wrap long line
> * Silence import warnings for Samba bindings
> * Fix Python 3 bugs discovered by pylint
> * Python3 pylint fixes
> * Add main guards to a couple of Python scripts
> * Break ipaplatform / ipalib import cycle of hell
> * Replace LooseVersion
> * Don't ship install subpackages with wheels
> * Minor fixes for IPAVersion class
> * Pylint: whitelist packages with extension modules
> * Add 'ipa localenv' subcommand
> * ipapython and ipatest no longer require lxml
> * Register entry points of Custodia plugins
> * Use xml.etree in ipa-client-automount script
> * Port ipapython.dnssec.odsmgr to xml.etree
> * Add install requirements to Python packages
> * Make api.env.nss_dir relative to api.env.confdir
> * Don't modify redhat_system_units
> * Use correct classifiers to make setup.py files PyPI compatible
> * Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
> * Add __name__ == __main__ guards to setup.pys
> * Remove ipapython/ipa.conf
> * Port all setup.py to setuptools
> * Replace ipaplatform's symlinks with a meta importer
> * Move ipa.1 man file
> * Add iSecStore.span
> * Use RSA-OAEP instead of RSA PKCS#1 v1.5
>
> === David Kupka (20) ===
> * rpcserver: x509_login: Handle unsuccessful certificate login gracefully
> * Bump required version of gssproxy to 0.7.0
> * tests: Add tests for kerberos principal aliases in stageuser
> * tests: kerberos_principal_aliases: Deduplicate tests
> * tests: Stageuser-{add,remove}-cert
> * tests: add-remove-cert: Use hardcoded certificates instead of
> requesting them
> * ipalib.x509: Handle missing SAN gracefully
> * stageuser: Add stageuser-{add,remove}-principal
> * stageuser: Add stageuser-{add,remove}-cert
> * build: Add missing dependency on libxmlrpc{,_util}
> * ipaclient: schema cache: Handle malformed server info data gracefully
> * schema_cache: Make handling of string compatible with python3
> * installer: Stop adding distro-specific NTP servers into ntp.conf
> * tests: Expect krbpwdpolicyreference in result of
> {host,service}-{find,show} --all
> * password policy: Add explicit default password policy for hosts and
> services
> * ipaclient.plugins: Use api_version from internally called commands
> * tests: Mark 389-ds acceptance tests
> * tests: Mark Dogtag acceptance tests
> * UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper
> (un)pickling
> * schema cache: Store and check info for pre-schema servers
>
> === Florence Blanc-Renaud (20) ===
> * Installation must publish CA cert in /usr/share/ipa/html/ca.crt
> * IdM Server: list all Employees with matching Smart Card
> * ipa systemd unit should define Wants=network instead of Requires=network
> * Support for Certificate Identity Mapping
> * Define template version in certmap.conf
> * Fix ipa.service unit re. gssproxy
> * Do not configure PKI ajp redirection to use "::1"
> * ipa-kra-install must create directory if it does not exist
> * ipa-restore must stop tracking PKINIT cert in the preparation phase
> * Increase the timeout waiting for certificate issuance in installer
> * Check the result of cert request in replica installer
> * Fix ipa-replica-install when upgrade from ca-less to ca-full
> * Fix ipa migrate-ds when it finds a search reference
> * Fix renewal lock issues on installation
> * Refactor installer code requesting certificates
> * Use autobind instead of host keytab authentication in
> dogtag-ipa-ca-renew-agent
> * Fix ipa-cacert-manage man page
> * Add cert checks in ipa-server-certinstall
> * Fix regression introduced in ipa-certupdate
> * Fix ipa-certupdate for CA-less installation
>
> === Fraser Tweedale (52) ===
> * rabase.get_certificate: make serial number arg mandatory
> * Extract method to map principal to principal type
> * Remove redundant principal_type argument
> * dogtag: remove redundant property definition
> * ca: correctly authorise ca-del, ca-enable and ca-disable
> * replica install: relax domain level check for promotion
> * Fix reference before assignment
> * private_ccache: yield ccache name
> * Add sanity checks for use of --ca-subject and --subject-base
> * Indicate that ca subject / subject base uses LDAP RDN order
> * Allow full customisability of IPA CA subject DN
> * Reuse self.api when executing ca_enabled_check
> * dsinstance: extract function for writing certmap.conf
> * ipa-ca-install: add missing --subject-base option
> * Extract function for computing default subject base
> * installer: rename --subject to --subject-base
> * installutils: remove hardcoded subject DN assumption
> * Refactor and relocate set_subject_base_in_config
> * dsinstance: minor string fixes
> * Set up DS TLS on replica in CA-less topology
> * Remove "Request Certificate with SubjectAltName" permission
> * Fix DL1 replica installation in CA-less topology
> * certprofile-mod: correctly authorise config update
> * Fix regression in test suite
> * Add options to write lightweight CA cert or chain to file
> * certdb: accumulate extracted certs as list of PEMs
> * Add function for extracting PEM certs from PKCS #7
> * cert-request: match names against principal aliases
> * Remove references to ds_newinst.pl
> * cert-request: accept CSRs with extraneous data
> * Ensure correct IPA CA nickname in DS and HTTP NSSDBs
> * Remove __main__ code from ipalib.x509 and ipalib.pkcs10
> * x509: use python-cryptography to process certs
> * x509: use pyasn1-modules X.509 specs
> * x509: avoid use of nss.data_to_hex
> * pkcs10: remove pyasn1 PKCS #10 spec
> * pkcs10: use python-cryptography for CSR processing
> * dn: support conversion from python-cryptography Name
> * cert-show: show validity in default output
> * Do not create Object Signing certificate
> * Add commentary about CA deletion to plugin doc
> * spec: require Dogtag >= 10.3.5-6
> * sudorule: add SELinux transition examples to plugin doc
> * Fix cert revocation when removing all certs via host/service-mod
> * cert-request: raise error when request fails
> * Make host/service cert revocation aware of lightweight CAs
> * cert-request: raise CertificateOperationError if CA disabled
> * Use Dogtag REST API for certificate requests
> * Add HTTPRequestError class
> * Allow Dogtag RestClient to perform requests without logging in
> * Add ca-disable and ca-enable commands
> * Track lightweight CAs on replica installation
>
> === Ganna Kaihorodova (7) ===
> * Tests: Basic coverage with tree root domain
> * User Tracker: Test to create user with minimal values
> * User Tracker: creation of user with minimal values
> * Stage User: Test to create stage user with minimal values
> * Tests: Stage User Tracker implementation
> * Tests: Add tree root domain role in legacy client tests
> * Unaccessible variable self.attrs in Tracker
>
> === Jan Cholasta (106) ===
> * spec file: always provide python package aliases
> * spec file: support client-only build
> * spec file: support build without ipatests
> * slapi plugins: fix CFLAGS
> * spec file: add unconditional python-setuptools BuildRequires
> * httpinstance: disable system trust module in /etc/httpd/alias
> * csrgen: hide cert-get-requestdata in CLI
> * cert: include certificate chain in cert command output
> * cert: add output file option to cert-request
> * Travis CI: run tests in development mode
> * backend plugins: fix crashes in development mode
> * vault: cache the transport certificate on client
> * rpc: fix crash in verbose mode
> * install: re-introduce option groups
> * install CLI: remove magic option groups
> * client install: split off SSSD options into a separate class
> * server install: remove duplicate knob definitions
> * install: add missing space in realm_name description
> * server install: remove duplicate -w option
> * certmap: load certificate from file in certmap-match CLI
> * pylint_plugins: add forbidden import checker
> * ipapython: fix DEFAULT_PLUGINS in version.py
> * config: re-add `init_config` and `config`
> * dns: fix `dnsrecord_add` interactive mode
> * server install: do not attempt to issue PKINIT cert in CA-less
> * compat: fix `Any` params in `batch` and `dnsrecord`
> * scripts, tests: explicitly set confdir in the rest of server code
> * server upgrade: uninstall ipa_memcached properly
> * server upgrade: always upgrade KRA agent PEM file
> * server upgrade: fix upgrade from pre-4.0
> * server upgrade: fix upgrade in CA-less
> * client install: create /etc/ipa/nssdb with correct mode
> * ipaldap: preserve order of values in LDAPEntry._sync()
> * replica install: do not log host OTP
> * tests: add test for PEM certificate files with leading text
> * ipa-ca-install: do not fail without --subject-base and --ca-subject
> * cert: fix search limit handling in cert-find
> * dogtag: search past the first 100 certificates
> * ipaldap: properly escape raw binary values in LDAP filters
> * client install: correctly report all failures
> * cainstance: do not configure renewal guard
> * dogtaginstance: track server certificate with our renew agent
> * renew agent: handle non-replicated certificates
> * ca: fix ca-find with --pkey-only
> * spec file: revert to the previous Release tag
> * x509: use PyASN1 to parse PKCS#7
> * server install: fix KRA agent PEM file not being created
> * spec file: do not define with_lint inside a comment
> * certdb: fix PKCS#12 import with empty password
> * server install: fix external CA install
> * replica install: track the RA agent certificate again
> * ipaclient: remove hard dependency on ipaplatform
> * ipaclient: move install modules to the install subpackage
> * ipalib: remove hard dependency on ipapython
> * constants: remove CACERT
> * ipalib: move certstore to the install subpackage
> * ipapython: remove hard dependency on ipaplatform
> * ipautil: move file encryption functions to installutils
> * ipautil: move kinit functions to ipalib.install
> * ipautil: move is_fips_enabled() to ipaplatform.tasks
> * ipautil: remove the timeout argument of run()
> * ipautil: remove get_domain_name()
> * ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
> * certdb: use a temporary file to pass password to pk12util
> * certdb: move IPA NSS DB install functions to ipaclient.install
> * ipapython: move certmonger and sysrestore to ipalib.install
> * ipapython: move dnssec, p11helper and secrets to ipaserver
> * custodiainstance: automatic restart on config file update
> * paths: remove DEV_NULL
> * install: migrate client install to the new class hierarchy
> * install: allow specifying verbosity and console log format in CLI
> * install: migrate server installers to the new class hierarchy
> * install: introduce installer class hierarchy
> * install: fix subclassing of knob groups
> * install: make knob base declaration explicit
> * install: declare knob CLI names using the argparse convention
> * install: use standard Python classes to declare knob types
> * install: introduce updated knob constructor
> * install: simplify CLI option parsing
> * install: improve CLI positional argument handling
> * install: use ldaps for pkispawn in ipa-ca-install
> * replica install: fix DS restart failure during replica promotion
> * replica install: merge KRA agent cert export into KRA install
> * replica install: merge RA cert import into CA install
> * server install: do not restart httpd during CA install
> * install: merge all KRA install code paths into one
> * install: merge all CA install code paths into one
> * replica install: use one remote KRA host name everywhere
> * replica install: use one remote CA host name everywhere
> * spec file: bump minimal required version of 389-ds-base
> * pwpolicy: do not run klist on import
> * client: remove unused libcurl build dependency
> * makeapi, makeaci: do not fail on missing imports
> * ipaserver: remove ipalib import from setup.py
> * pylint: enable the import-error check
> * spec file: do not include BuildRequires for lint by default
> * spec file: clean up BuildRequires
> * cert: add revocation reason back to cert-find output
> * test_plugable: update the rest of test_init
> * dns: re-introduce --raw in dnsrecord-del
> * client: remove hard dependency on pam_krb5
> * cert: fix cert-find --certificate when the cert is not in LDAP
> * dns: fix crash in interactive mode against old servers
> * dns: prompt for missing record parts in CLI
> * dns: normalize record type read interactively in dnsrecord_add
> * cli: use full name when executing a command
>
> === Lenka Doudova (23) ===
> * Document make_delete_command method in UserTracker
> * Tests: Providing trust tests with tree root domain
> * Tests: Verify that validity info is present in cert-show and cert-find command
> * Add file_exists method as a member of transport object
> * Tests: Provide AD cleanup for legacy client tests
> * Tests: Provide AD cleanup for trust tests
> * Tests: Fix integration sudo test
> * Tests: Verify that cert commands show CA without --all
> * Tests: Certificate revocation
> * Tests: Remove invalid certplugin tests
> * Tests: Fix failing test_ipalib/test_parameters
> * Tests: Remove silent deleting and creating entries by tracker
> * Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
> * Tests: Fix host attributes in ipa-join host test
> * Tests: Update host test with ipa-join
> * Tests: Add krb5kdc.service restart to integration trust tests
> * Tests: Remove unnecessary attributes from base tracker
> * Tests: Remove --force options from tracker base class
> * Tests: Remove SSSD restart from integration tests
> * Tests: Fix integration sudo tests setup and checks
> * Tests: Fix failing ldap.backend test
> * Tests: Add cleanup to integration trust tests
> * Tests: Fix regex errors in integration trust tests
>
> === Ludwig Krispenz (1) ===
> * Check for conflict entries before raising domain level
>
> === Lukas Slebodnik (6) ===
> * CONFIGURE: Improve detection of xmlrpc_c flags
> * CONFIGURE: Properly detect libpopt on el7
> * ipa_pwd: remove unnecessary dependency on dirsrv plugins
> * SPEC: Fix build in mock
> * CONFIGURE: Update help message for jslint
> * CONFIGURE: Fix detection of pylint
>
> === Martin Babinsky (113) ===
> * Try out anonymous PKINIT after it is configured
> * check for replica's KDC entry on master before requesting PKINIT cert
> * check that the master requesting PKINIT cert has KDC enabled
> * Make wait_for_entry raise exceptions
> * Move PKINIT configuration to a later stage of server/replica install
> * Request PKINIT cert directly from Dogtag API on first master
> * Make PKINIT certificate request logic consistent with other installers
> * idviews: correctly handle modification of non-existent view
> * Re-use trust domain retrieval code in certmap validators
> * idview: add domain_resolution_order attribute
> * ipaconfig: add the ability to manipulate domain resolution order
> * Short name resolution: introduce the required schema
> * ipa-managed-entries: only permit running the command on IPA master
> * ipa-managed-entries: use server-mode API
> * Allow login to WebUI using Kerberos aliases/enterprise principals
> * Provide basic integration tests for built-in AD trust installer
> * Update server/replica installer man pages
> * Fix erroneous short name options in ipa-adtrust-install man page
> * Merge AD trust configurator into replica installer
> * Merge AD trust configurator into server installer
> * expose AD trust related knobs in composite installers
> * Add AD trust installer interface for composite installer
> * check for installed dependencies when *not* in standalone mode
> * print the installation info only in standalone mode
> * adtrust.py: Use logging to emit error messages
> * Refactor the code searching and presenting missing trust agents
> * only check for netbios name when LDAP backend is connected
> * Refactor the code checking for missing SIDs
> * use the methods of the parent class to retrieve CIFS kerberos keys
> * httpinstance: re-use parent's methods to retrieve anonymous keytab
> * Make request_service_keytab into a public method
> * allow for more flexibility when requesting service keytab
> * Move AD trust installation code to a separate module
> * Replace exit() calls with exceptions
> * Remove unused variables in exception handling
> * ipa-adtrust-install: format the code for PEP-8 compliance
> * Travis CI: Upload the logs from failed jobs to transfer.sh
> * Explicitly handle quoting/unquoting of NSSNickname directive
> * Delegate directive value quoting/unquoting to separate functions
> * installutils: improve directive value parsing in `get_directive`
> * Fix the installutils.set_directive docstring
> * disable hostname canonicalization by Kerberos library
> * Travis CI: actually return non-zero exit status when the test job fails
> * Trim the test runner log to show only pytest failures/errors
> * Add license headers to the files used by Travis CI
> * Travis CI: use specific Python version during build
> * introduce install step to .travis.yml and cache pip installs
> * split out lint to a separate Travis job
> * Travis: offload test execution to a separate script
> * Travis CI: a separate script to run test tasks
> * Put the commands informing and displaying build logs on single line
> * travis: mark FreeIPA as python project
> * Bump up ipa-docker-test-runner version
> * Add a basic test suite for `kadmin.local` interface
> * Make `kadmin` family of functions return the result of ipautil.run
> * gracefully handle setting replica bind dn group on old masters
> * add missing attribute to ipaca replica during CA topology update
> * Revert "upgrade: add replica bind DN group check interval to CA topology config"
> * bindinstance: use data in named.conf to determine configuration status
> * Use ipa-docker-test-runner to run tests in Travis CI
> * Configuration file for ipa-docker-test-runner
> * Add 'env_confdir' to constants
> * Fix pep-8 transgressions in ipalib/misc.py
> * Make `env` and `plugins` commands local again
> * Revert "Add 'ipa localenv' subcommand"
> * Enhance __repr__ method of Principal
> * replication: ensure bind DN group check interval is set on replica config
> * upgrade: add replica bind DN group check interval to CA topology config
> * Improve the robustness of FreeIPA's i18n module and its tests
> * Use common procedure to setup initial replication in both domain levels
> * ensure that the initial sync using GSSAPI works against old masters
> * replication: refactor the code setting principals as replica bind DNs
> * replication: augment setup_promote_replication method
> * Turn replication manager group into ReplicationManager class member
> * Fix the naming of ipa-dnskeysyncd service principal
> * installutils: remove 'install_service_keytab' function
> * domain-level agnostic keytab retrieval in httpinstance
> * installers: restart DS after KDC is configured
> * dsinstance: use keytab retrieval method from parent class
> * use DM credentials to retrieve service keytab only in DLO
> * Service: common method for service keytab requests
> * Turn Kerberos-related properties to Service class members
> * Make service user name a class member of Service
> * service installers: clean up the inheritance
> * fix incorrect invocation of ipa-getkeytab during DL0 host enrollment
> * do partial host enrollment in domain level 0 replica install
> * Separate function to purge IPA host principals from keytab
> * certs: do not re-create NSS database when requesting service cert
> * initialize empty /etc/http/alias during server/replica install
> * CertDB: add API for non-destructive initialization from PKCS#12 bundle
> * test_ipagetkeytab: use system-wide IPA CA cert location in tests
> * Extend keytab retrieval test suite to cover new options
> * Modernize ipa-getkeytab test suite
> * extend ipa-getkeytab to support other LDAP bind methods
> * ipa-getkeytab: expose CA cert path as option
> * server-del: fix incorrect check for one IPA master
> * Revert "Fix install scripts debugging"
> * do not use keys() method when iterating through dictionaries
> * remove trailing newlines from python modules
> * mod_nss: use more robust quoting of NSSNickname directive
> * Move character escaping function to ipautil
> * Make Continuous installer continuous only during execution phase
> * use separate exception handlers for executors and validators
> * ipa passwd: use correct normalizer for user principals
> * trust-fetch-domains: contact forest DCs when fetching trust domain info
> * netgroup: avoid extraneous LDAP search when retrieving primary key from DN
> * advise: Use `name` instead of `__name__` to get plugin names
> * Use Travis-CI for basic sanity checks
> * ldapupdate: Use proper inheritance in BadSyntax exception
> * raise ValidationError when deprecated param is passed to command
> * Always fetch forest info from root DCs when establishing one-way trust
> * factor out `populate_remote_domain` method into module-level function
> * Always fetch forest info from root DCs when establishing two-way trust
>
> === Martin Basti (134) ===
> * Become IPA 4.5.0
> * Update 4.5 translations
> * Add copy-schema-to-ca for RHEL6 to contrib/
> * Remove copy-schema-to-ca.py from master branch
> * pylint: bump dependency to version >= 1.6
> * backup: backup anonymous keytab
> * tests: use --setup-kra in tests
> * KRA: add --setup-kra to ipa-server-install
> * man: add missing --setup-adtrust option to manpage
> * ipactl restart: log httplib failures as debug
> * Tests: search for disabled users
> * Test: DNS nsupdate from dns-update-system-records
> * DNS: dns-update-system-record can create nsupdate file
> * py3: ipa_generate_password: do not compare None and Int
> * py3: change_admin_password: use textual mode
> * py3: create DNS zonefile: use textual mode
> * py3: upgradeinstance: use bytes literals with LDIF operations
> * py3: upgradeinstance: decode data before storing them as backup...
> * py3: upgradeinstance: open dse.ldif in textual mode
> * custodia: kem.set_keys: replace too-broad exception
> * py3: kem.py: user bytes with ldap values
> * py3: custodia: basedn must be unicode
> * py3: configparser: use raw keyword
> * py3: modify_s: attribute name must be str not bytes
> * py3: ldapupdate: fix logging str(bytes) issue
> * DNSSEC: forwarders validation improvement
> * py3: test_ipaserver: fix BytesWarnings
> * py3: get_memberofindirect: fix ByteWarnings
> * py3: DN: fix BytesWarning
> * Tests: fix wait_for_replication task
> * py3: send Decimal number as string instead of base64 encoded value
> * py3: ipaldap: properly encode DNSName to bytes
> * py3: _convert_to_idna: fix bytes/unicode mismatch
> * py3: DNS: get_record_entry_attrs: do not modify dict during iteration
> * py3: _ptrrecord_precallaback: use bytes with labels
> * py3: remove_entry_from_group: attribute name must be string
> * py3: base64 encoding/decoding returns always bytes don't mix it
> * pki-base: use pki-base-python2 as dependency
> * pki: add missing dependency pki-base[-python3]
> * py3: x509.py: return principal as unicode string
> * py3: tests_xmlrpc: do not call str() on bytes
> * py3: normalize_certificate: support both bytes and unicode
> * py3: strip_header: support both bytes and unicode
> * py3: fingerprint_hex_sha256: fix encoding/decoding
> * py3: fix CSR encoding inside framework
> * Principal: validate type of input parameter
> * Use dict comprehension
> * py3: can_read: attributelevelrights is already string
> * py3: get_effective_rights: values passed to ldap must be bytes
> * py3: ipaldap: update encode/decode methods
> * py3: rpcserver fix undefined variable
> * py3: WSGI executioners must return bytes in list
> * py3: session: fix r/w ccache data
> * Py3: Fix undefined variable
> * py3: rpcserver: decode input because json requires string
> * py3: session.py decode server name to str
> * Use proper logging for error messages
> * wait_for_entry: use only DN as parameter
> * py3: decode bytes for json.loads()
> * dogtag.py: fix exception logging of JSON data
> * py3: convert_attribute_members: don't use bytes as parameter for DN
> * py3: make_filter_from_attr: use string instead of bytes
> * py3: __add_acl: use standard ipaldap methods
> * py3: add_entry_to_group: attribute name must be string not bytes
> * py3: HTTPResponse has no 'dict' attribute in 'msg'
> * py3: _httplib_request: don't convert string to bytes
> * py3: cainstance: replace mkstemp with NamedTemporaryFile
> * py3: write CA/KRA config into file opened in text mode
> * py3: CA/KRA: config parser requires string
> * py3: ipautil: open tempfiles in text mode
> * py3: ldap modlist must have keys as string, not bytes
> * py3: open temporary ldif file in text mode
> * py3: service.py: replace mkstemp by NamedTemporaryFile
> * py3: create_cert_db: write to file in a compatible way
> * _resolve_records: fix assert, nameserver_ip can be none
> * Remove duplicated step from DS install
> * py3: enable py3 pylint
> * Py3: Fix ToASCII method
> * fix: regression in API version comparison
> * ipactl: pass api as argument to services
> * DNS: URI records: bump python-dns requirements
> * remove Knob function
> * KRA: don't add KRA container when KRA replica
> * Zanata: exclude testing ipa.pot file
> * client: use correct code for failed uninstall
> * client: use exceptions instead of return states
> * client: move install part to else branch
> * client: move install cleanup from ipa-client-install to module
> * client: move clean CCACHE to module
> * client: fix script execution
> * client: Remove useless except in ipa-client-install
> * client: move custom env variable into client module
> * client: extract checks from uninstall to uninstall_check
> * client: extract checks from install to install_check
> * client: move checks to client.install_check
> * client: make statestore and fstore consistent with server
> * IPAChangeConf: use constant for empty line
> * client: import IPAChangeConf directly instead of the module
> * client: remove extra return from hardcode_ldap_server
> * client: install function: return constant not hardcoded number
> * client: remove unneeded return from configure_ipa_conf
> * client: remove unneeded return configure_krb5_conf
> * ipa-client-install: move client install to module
> * CI: Disable KRA install tests on DL0
> * CI: use --setup-kra with replica installation
> * CI: extend replication layouts tests with KRA
> * CI: workaround: wait for dogtag before replica-prepare
> * Pylint: fix the rest of unused local variables
> * Pylint: remove unused variables in tests
> * Pylint: remove unused variables in ipaserver package
> * Pylint: remove unused variables from installers and scripts
> * Fix: find OSCP certificate test
> * Pylint: enable check for unused-variables
> * Remove unused variables in tests
> * Remove unused variables in the code
> * test_text: add test ipa.pot file for tests
> * Pylint: enable global-variable-not-assigned check
> * Pylint: enable cyclic-import check
> * Test: don't use global variable for iteration in test_cert_plugin
> * Use constant for user and group patterns
> * Fix regexp patterns in parameters to not enforce length
> * Add check for IP addresses into DNS installer
> * Fix missing config.ips in promote_check
> * Abstract procedures for IP address warnings
> * Catch DNS exceptions during emptyzones named.conf upgrade
> * Start named during configuration upgrade.
> * Tests: extend DNS cmdline tests with lowercased record type
> * Show warning when net/broadcast IP address is used in installer
> * Allow multicast addresses in A/AAAA records
> * Allow broadcast ip addresses
> * Allow network ip addresses
> * Fix parse errors with link-local addresses
> * Fix ScriptError to always return string from __str__
> * Bump master IPA devel version to 4.4.90
>
> === Martin Kosek (1) ===
> * Update Contributors.txt
>
> === Milan Kubík (4) ===
> * ipatests: Fix assert_deepequal outside of pytest process
> * ipatests: Implement tests with CSRs requesting SAN
> * ipatests: Fix name property on a service tracker
> * ipatests: provide context manager for keytab usage in RPC tests
>
> === Michal Reznik (1) ===
> * test_csrgen: adjusted comparison test scripts for CSRGenerator
>
> === Michal Židek (1) ===
> * git: Add commit template
>
> === Nathaniel McCallum (3) ===
> * Migrate OTP import script to python-cryptography
> * Use RemoveOnStop to cleanup systemd sockets
> * Properly handle LDAP socket closures in ipa-otpd
>
> === Oleg Fayans (45) ===
> * Test: uniqueness of certificate renewal master
> * Test: basic kerberos over http functionality
> * Test: made kinit_admin a returning function
> * tests: Added basic tests for certs in idoverrides
> * Created idview tracker
> * Test for installing rules with service principals
> * Test: integration tests for certs in idoverrides feature
> * Added interface to certutil
> * Automated ipa-replica-manage del tests
> * tests: Automated clean-ruv subcommand tests
> * Reverted the assertion for replica uninstall returncode
> * Test: disabled wrong client domain tests for domlevel 0
> * tests: Fixed code styling in caless tests to make pep8 happy
> * tests: Reverted erroneous asserts in 4 tests
> * tests: fixed certinstall method
> * tests: fixed super method invocation
> * tests: added verbose assert to test_service_disable_doesnt_revoke
> * tests: Standardized replica_preparation in test_no_certs
> * tests: Implemented check for domainlevel before installation verification
> * tests: Fixed Usage of improper certs in ca-less tests
> * tests: fixed expects of incorrect error messages
> * tests: Replaced unused setUp method with install
> * tests: Replaced hardcoded certutil with imported from paths
> * tests: Enabled negative testing for cleaning replication agreements
> * tests: Made unapply_fixes call optional at master uninstallation
> * tests: Updated master and replica installation methods to enable negative testing
> * tests: Added necessary xfails
> * tests: Added necessary getkeytabs calls to fixtures
> * tests: Removed outdated command options test
> * tests: Applied correct teardown methods
> * tests: Fixed incorrect assert in verify_installation
> * tests: Adapted installation methods to utilize methods from tasks
> * tests: Removed call for install method from parent class
> * tests: Added teardown methods for server and replica installation
> * tests: Create a method that cleans all ipa certs
> * tests: Updated ipa server installation stdin text
> * tests: Added generation of missing certs
> * tests: Added basic constraints extension to the CA certs
> * tests: Fixed method failures during second call for the method
> * Xfailed a test that fails due to 6250
> * Fixed segment naming in topology tests
> * Xfailed the tests due to a known bug with replica preparation
> * Changed addressing to the client hosts to be replicas
> * Several fixes in replica_promotion tests
> * Removed incorrect check for returncode
>
> === Petr Čech (1) ===
> * ipatests: nested netgroups (intg)
>
> === Petr Spacek (126) ===
> * ipa_generate_password algorithm change
> * Remove named-pkcs11 workarounds from DNSSEC tests.
> * Build: forbid builds in working directories containing white spaces
> * Build: always use Pylint from Python version used for rest of the build
> * Build: specify BuildRequires for Python 3 pylint
> * Build: makerpms.sh generates Python 2 & 3 packages at the same time
> * Accept server host names resolvable only using /etc/hosts
> * Build: properly integrate ipa.pot into build system tests
> * Build: properly integrate ipasetup.py into build system
> * Build: properly integrate version.py into build system
> * Build: properly integrate loader.js into build system
> * Build: properly integrate freeipa.spec.in into build system
> * Build: properly integrate ipa-version.h.in into build system
> * Build: workaround bug while calling parallel make from rpmbuild
> * Build: remove ipa.pot from Git as it can be re-generated at any time
> * Build: integrate translation system tests again
> * Build: automatically generate list of files to be translated in configure
> * Build: clean in po/ removes *~ files as well
> * Build: support strip-po target for translations
> * Build: use standard infrastructure for translations
> * Build: fix path in ipa-ods-exporter.socket unit file
> * Build: fix file dependencies for make-css.sh
> * Build: update makerpms.sh to use same paths as rpmbuild
> * Build: remove incorrect use of MAINTAINERCLEANFILES
> * Build: enable silent build in makerpms.sh
> * Build: support --enable-silent-rules for Python packages
> * Build: workaround bug 1005235 related to Python paths in auto-generated Requires
> * Build: document what should be in %install section of SPEC file
> * Build: move web UI file installation from SPEC to Makefile.am
> * Build: move server directory handling from SPEC to Makefile.am
> * Build: move client directory handling from SPEC to Makefile.am
> * Update man page for ipa-adtrust-install by removing --no-msdcs option
> * Build: pass down %{release} from SPEC to configure
> * Build: update IPA_VERSION_IS_GIT_SNAPSHOT to comply with PEP440
> * Build: add make srpms target
> * Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version number on RPM build
> * Build: use POSIX 1003.1-1988 (ustar) file format for tar archives
> * Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source directory is Git repo
> * Build: remove unused and redundant code from configure.ac and po/Makefile.in
> * Build: fix make clean to remove build artifacts from top-level directory
> * Build: fix make clean for web UI
> * Build: add polint target for i18n tests
> * Build: add makeapi lint target
> * Build: add makeaci lint target
> * Build: add JS lint target
> * Build: add Python lint target
> * Build: remove obsolete instructions about BuildRequires from BUILD.txt
> * Build: add make rpms target and convenience script makerpms.sh
> * Build: fix KDC proxy installation and remove unused kdcproxy.conf
> * Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC
> * Build: do not compress manual pages at install time
> * Build: distribute doc directory
> * Build: create /var/run directories at install time
> * Build: integrate init and init/systemd into build system
> * Build: remove init/SystemV directory
> * Build: integrate contrib directory into build system
> * Build: remove ancient checks/check-ra.py
> * Build: integrate daemons/dnssec into build system
> * Build: fix distribution of daemons/ipa-slapi-plugins/topology files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files
> * Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
> * Build: fix distribution of ipa-slapi-plugins/common files
> * Build: fix distribution of daemon/ipa-kdb files
> * Build: fix distribution of client header file
> * Build: fix distribution of asn1/asn1c files
> * Build: fix distribution of install/REDME.schema file
> * Build: fix distribution of oddjob files
> * Build: Remove spurious EXTRA_DIST from install/share/Makefile.am
> * Build: cleanup unused LDIFs from install/share
> * Build: fix distribution of libexec scripts
> * Build: fix distribution and installation of update LDIFs
> * Web UI: Remove offline version of Web UI
> * Build: fix distribution of static files for web UI
> * Build: stop build when a step in web UI build fails
> * Build: fix distribution and installation of static files in top-level directory
> * Build: fix man page distribution
> * Build: fix distdir target for translations
> * Build: rename project from ipa-server to freeipa
> * Build: remove non-existing README files from Makefile.am
> * Build: fix Makefile.am files to separate source and build directories
> * Build: respect --prefix for systemdsystemunitdir
> * Build: fix make install in asn1 subdirectory
> * Build: fix ipaplatform detection for out-of-tree builds
> * Build: Makefiles for Python packages
> * Build: fix module name in ipaserver/setup.py
> * Build: replace hand-made Makefile with one generated by Automake
> * Build: move version handling from Makefile to configure
> * Docs: update docs about ipaplatform to match reality
> * Build: replace ipaplatform magic with symlinks generated by configure
> * Build docs: update platform selection instructions
> * Build: split out egg-info Makefile target from version-update target
> * Build: split API/ACI checks into separate Makefile targets
> * Build: use default error handling for PKG_CHECK_MODULES
> * Build: use libutil convenience library for client
> * Build: cleanup INI library detection
> * Build: modernize XMLRPC-client library detection
> * Build: modernize CURL library detection
> * Build: modernize SASL library detection
> * Build: modernize POPT library detection
> * Build: merge client/configure.ac into top-level configure.ac
> * Build: remove Transifex support
> * Build: move translations from install/po/ to top-level po/
> * Build: merge install/configure.ac into top-level configure.ac
> * Build: merge ipatests/man/configure.ac to top-level configure.ac
> * Build: merge asn1/configure.ac to top-level configure.ac
> * Build: transform util directory to libutil convenience library
> * Build: promote daemons/configure.ac to top-level configure.ac
> * Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c
> * Build: pass down LIBDIR definition from RPM SPEC to Makefile
> * Build: remove deprecated AC_STDC_HEADERS macro
> * Build: require Python >= 2.7
> * Build: remove traces of mozldap library
> * Build: modernize crypto library detection
> * Build: modernize UUID library detection
> * Build: modernize Kerberos library detection
> * Build: add missing KRB5_LIBS to daemons/ipa-otpd
> * Tests: print what was expected from callables in xmlrpc_tests
> * DNS: Improve field descriptions for SRV records
> * DNS: Support URI resource record type
> * Fix compatibility with python-dns 1.15.0
> * Raise errors from service.py:_ldap_mod() by default
>
> === Petr Vobornik (6) ===
> * permissions: add permissions for read and mod of external group members
> * webui: do not warn about CAs if there is only one master
> * webui: fixes normalization of value in attributes widget
> * Change README to use Markdown
> * Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
> * replicainstall: log ACI and LDAP errors in promotion check
>
> === Pavel Vomacka (69) ===
> * Remove allow_constrained_delegation from gssproxy.conf
> * WebUI: Add support for management of user short name resolution
> * WebUI: add link to login page which for login using certificate
> * Support certificate login after installation and upgrade
> * TESTS WebUI: Vaults management
> * TESTS: Add support for sidebar with facets
> * TESTS: Add support for KRA in ui_driver
> * WebUI: add vault management
> * WebUI: allow to show rows with same pkey in tables
> * WebUI: search facet's default actions might be overridden
> * Add possibility to hide only one tab in sidebar
> * Possibility to set list of table attributes which will be added to _del command
> * Extend _show command after _find command in table facets
> * Add possibility to pass url parameter to update command of details page
> * Add property which allows refresh command to use url value
> * Added optional option in refreshing after modifying association table
> * Possibility to skip checking writable according to metadata
> * Allow to set another other_entity name
> * Additional option to add and del operations can be set
> * WebUI: Add cermapmatch module
> * WebUI: Add Adapter for certmap_match result table
> * WebUI: Possibility to choose object when API call returns list of objects
> * WebUI: Add possibility to turn off autoload when details.load is called
> * WebUI: don't change casing of Auth Indicators values
> * WebUI: Allow disabling lowering text in custom_checkbox_widget
> * Add support for custom table pagination size
> * Make singleton from config module
> * Add javascript integer validator
> * WebUI: Add certmap module
> * WebUI: Add Custom command multivalued adder dialog
> * WebUI: Create non editable row widget for multivalued widget
> * WebUI: Add possibility to set field always writable
> * WebUI: Change structure of Identity submenu
> * WebUI: add sizelimit:0 to cert-find
> * WebUI: fix incorrect behavior of ESC button on combobox
> * WebUI: add default on_cancel function in adder_dialog
> * Coverity: removed useless semicolon which ends statement earlier
> * Coverity: Fix possibility of access to attribute of undefined
> * Change activity text while loading metadata
> * Refactoring of rpc module
> * WebUI: update Patternfly and Bootstrap
> * WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
> * Lowered the version of gettext
> * Add python-pyasn1-modules into dependencies
> * Adjustments for setup requirements v2
> * TESTS: Update group type name
> * Coverity - null pointer dereference
> * Coverity - accessing attribute of variable which can point to null
> * Coverity - opens dialog which might not be created
> * Coverity - iterating over variable which could be null
> * Coverity - null pointer dereference
> * Coverity - true branch can't be executed
> * Coverity - true branch can't be executed
> * Coverity - removed dead code
> * Coverity - Accessing attribute of null
> * Coverity - identical code for different branches
> * Coverity - not initialized variable
> * Coverity - null pointer exception
> * Coverity - null pointer exception
> * WebUI: services without canonical name are shown correctly
> * WebUI: fix API Browser menu label
> * Add tooltip to all fields in DNS record adder dialog
> * WebUI: hide buttons in certificate widget according to acl
> * WebUI: Change group name from 'normal' to 'Non-POSIX'
> * WebUI: Add handling for HTTP error 404
> * Add 'Restore' option to action dropdown menu
> * WebUI add support for sub-CAs while revoking certificates
> * WebUI: Fix showing certificates issued by sub-CA
> * Add support for additional options taken from table facet
>
> === Gabe (1) ===
> * Allow nsaccountlock to be searched in user-find command
>
> === Simo Sorce (31) ===
> * Store session cookie in a ccache option
> * Add support for searching policies in cn=accounts
> * Add code to retrieve results from multiple bases
> * Use GSS-SPNEGO if connecting locally
> * Limit sessions to 30 minutes by default
> * Remove non-sensical kdestroy on https stop
> * Fix session logout
> * Deduplicate session cookies in headers
> * Change session logout to kill only the cookie
> * Insure removal of session on identity change
> * Explicitly pass down ccache names for connections
> * Allow rpc callers to pass ccache and service names
> * Fix uninstall stopping ipa.service
> * Rationalize creation of RA and HTTPD NSS databases
> * Add a new user to run the framework code
> * Always use /etc/ipa/ca.crt as CA cert file
> * Simplify NSSDatabase password file handling
> * Separate RA cert store from the HTTP cert store
> * Configure HTTPD to work via Gss-Proxy
> * Use Anonymous user to obtain FAST armor ccache
> * Drop use of kinit_as_http from trust code
> * Generate tmpfiles config at install time
> * Change session handling
> * Use the tar Posix option for tarballs
> * Add compatibility code to retrieve headers
> * Configure Anonymous PKINIT on server install
> * Properly handle multiple cookies in rpc lib.
> * Properly handle multiple cookies in rpcclient
> * Support DAL version 5 and version 6
> * Fix install scripts debugging
> * Fix error message encoding
>
> === Stanislav Laznicka (78) ===
> * Remove pkinit from ipa-replica-prepare
> * Backup KDC certificate pair
> * Don't fail more if cert req/cert creation failed
> * Fix ipa-replica-prepare server-cert creation
> * Don't allow standalone KRA uninstalls
> * Add message about last KRA to WebUI Topology view
> * Add check to prevent removal of last KRA
> * Don't use weak ciphers for client HTTPS connections
> * We don't offer no quickies
> * Fix cookie with Max-Age processing
> * Fix CA-less upgrade
> * Fix replica with --setup-ca issues
> * Moving ipaCert from HTTPD_ALIAS_DIR
> * Added a PEMFileHandler for Custodia store
> * Refactor certmonger for OpenSSL certificates
> * Workaround for certmonger's "Subject" representations
> * Remove ipapython.nsslib as it is not used anymore
> * Remove NSSConnection from otptoken plugin
> * Remove pkcs12 handling functions from CertDB
> * Remove NSSConnection from Dogtag
> * Move publishing of CA cert to cainstance creation on master
> * Don't run kra.configure_instance if not necessary
> * Move RA agent certificate file export to a different location
> * Remove NSSConnection from the Python RPC module
> * Remove md5_fingerprints from IPA
> * Remove DM password files after successful pkispawn run
> * Remove ra_db argument from CAInstance init
> * Fix ipa-server-upgrade
> * Use newer Certificate.serial_number in krainstance.py
> * Fix error in ca_cert_files validator
> * Don't prepend option names with additional '--'
> * Bump python-cryptography version in ipasetup.py.in
> * custodiainstance: don't use IPA-specific CertDB
> * Add password to certutil calls in NSSDatabase
> * Explicitly remove support of SSLv2/3
> * Add FIPS-token password of HTTPD NSS database
> * Bump required python-cryptography version
> * Remove is_fips_enabled checks in installers and ipactl
> * Generate sha256 ssh pubkey fingerprints for hosts
> * Unify password generation across FreeIPA
> * Clarify meaning of --domain and --realm in installers
> * replicainstall: give correct error message on DL mismatch
> * Fix permission-find with sizelimit set
> * Generalize filter generation in LDAPSearch
> * permission-find: fix a sizelimit off-by-one bug
> * fix permission_find fail on low search size limit
> * Make get_entries() not ignore its limit arguments
> * Do not log DM password in ca/kra installation logs
> * Fix CA replica install on DL1
> * Offer more general way to check domain level in replicainstall
> * Use same means of checking replication agreements on both DLs
> * replicainstall: move common checks to common_check()
> * Take advantage of the ca/kra code cleanup in replica installation
> * Use updated CA certs in replica installation
> * Use os.path.join instead of concatenation
> * Remove redundant CA cert file existence check
> * Use host keytab to connect to remote server on DL0
> * Split install_http_certs() into two functions
> * First step of merging replica installation of both DLs
> * Properly bootstrap replica promotion api
> * Move the pki-tomcat restart to cainstance creation
> * Move httpd restart to DNS installation
> * Import just IPAChangeConf instead of the whole module
> * Added file permissions option to IPAChangeConf.newConf()
> * Fix to ipachangeconf docstrings
> * replicainstall: Unify default.conf file creation
> * Replaced EMPTY_LINE constant with a function call
> * client: Making the configure functions more readable
> * Moved update of DNA plugin among update plugins
> * Move ds.replica_populate to an update plugin
> * Remove redundant dsinstance restart
> * Fix missing file that fails DL1 replica installation
> * Make httpd publish its CA certificate on DL1
> * Make installer quit more nicely on external CA installation
> * Fix test_util.test_assert_deepequal test
> * Pretty-print structures in assert_deepequal
> * Remove update_from_dict() method
> * Updated help/man information about hostname
>
> === Thierry Bordaz (1) ===
> * IPA Allows Password Reuse with History value defined when admin resets the password.
>
> === Timo Aaltonen (8) ===
> * ipaplatform/debian/paths: Add some missing values.
> * ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB.
> * ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.
> * ipaplatform/debian/services: Fix is_running arguments.
> * ipaplatform: Add Debian platform module.
> * client, platform: Use paths.SSH* instead of get_config_dir().
> * Move ipa-otpd to $libexecdir/ipa
> * Purge obsolete firefox extension
>
> === Tomas Krizek (68) ===
> * installer: update time estimates
> * server install: require IPv6 stack to be enabled
> * Add SHA256 fingerprints for certs
> * man: update ipa-cacert-manage
> * test_config: fix fips_mode key in Env
> * Env __setitem__: replace assert with exception
> * FIPS: perform replica installation check
> * replicainstall: add context manager for rpc client
> * check_remote_version: update exception and docstring
> * test_config: fix tests for env.fips_mode
> * Add fips_mode variable to env
> * Bump required version of bind-dyndb-ldap to 11.0-2
> * bindinstance: fix named.conf parsing regexs
> * PEP8: fix line length for regexs in bindinstance
> * bump required version of BIND, bind-dyndb-ldap
> * named.conf template: update API for bind 9.11
> * Remove obsolete serial_autoincrement from named.conf parsing
> * certdb: remove unused valid_months property
> * certdb: remove unused keysize property
> * Fix coverity issue
> * ipautil: check for open ports on all resolved IPs
> * replica-conncheck: improve message logging
> * replica-conncheck: improve error message during replicainstall
> * ipa-replica-conncheck: fix race condition
> * ipa-replica-conncheck: do not close listening ports until required
> * upgrade: ldap conn management
> * services: replace admin_conn with api.Backend.ldap2
> * upgrade: do not explicitly set principal for services
> * Build: ignore rpmbuild for lint target
> * cainstance: use correct certificate for replica install check
> * dns: check if container exists using ldapi
> * ipaldap: remove do_bind from LDAPClient
> * gitignore: ignore tar ball
> * libexec scripts: ldap conn management
> * ldap2: modify arguments for create_connection
> * replicainstall: use ldap_uri in ReplicationManager
> * replicainstall: correct hostname in ReplicationManager
> * install tools: ldap conn management
> * ldap2: change default bind_dn
> * ipa-adtrust-install: ldap conn management
> * install: remove adhoc dis/connect from services
> * ldapupdate: use ldapi in LDAPUpdate
> * replicainstall: properly close adhoc connection in promote
> * install: ldap conn management
> * install: remove adhoc api.Backend.ldap2 (dis)connect
> * install: add restart_dirsrv for directory server restarts
> * upgradeinstance: ldap conn management
> * dsinstance: conn management
> * ldap2: change default time/size limit
> * cainstall: add dm_password to CA installation
> * replicainstall: set ldapi uri in replica promotion
> * dsinstance: enable ldapi and autobind in ds
> * install: remove dirman_pw from services
> * ipaldap: merge IPAdmin to LDAPClient
> * ipaldap: merge gssapi_bind to LDAPClient
> * ipaldap: merge external_bind into LDAPClient
> * ipaldap: merge simple_bind into LDAPClient
> * ipaldap: remove wait/timeout during binds
> * ipa: check if provided config file exists
> * ipa: allow relative paths for config file
> * Prompt for forwarder in dnsforwardzone-add
> * Update man/help for --server option
> * Update ipa-server-install man page for hostname
> * Add help info about certificate revocation reasons
> * Add log messages for IP checks during client install
> * Show error message for invalid IPs in client install
> * Keep NSS trust flags of existing certificates
> * Don't show error messages in bash completion
>
> === Thorsten Scherf (2) ===
> * added ssl verification using IPA trust anchor
> * added help about default value for --external-ca-type option
>
> === shanyin (1) ===
> * fix missing translation string
>