[Freeipa-interest] Announcing FreeIPA 4.4.0 alpha1
Petr Vobornik
2016-06-21 17:56:20 UTC
== FreeIPA 4.4.0 Alpha 1 ==

The FreeIPA team would like to announce the FreeIPA v4.4.0 alpha1 release!

A tarball can be downloaded from http://www.freeipa.org/page/Downloads

== Highlights in 4.4.0 Alpha 1 ==

Enhancements:
* Improved Topology Management <http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>
* Added Overview of IPA server roles: <http://www.freeipa.org/page/V4/Server_Roles>
* Added support for certificates for AD users: <http://www.freeipa.org/page/V4/Certs_in_ID_overrides>
* Added support of UPN for trusted domains <http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>
* Added support for Kerberos Authentication Indicators <http://www.freeipa.org/page/V4/Authentication_Indicators>
* Added DNS Location Mechanism <http://www.freeipa.org/page/V4/DNS_Location_Mechanism>
* Several performance improvements <http://www.freeipa.org/page/V4/Performance_Improvements>
* Refactored IPA command line tool <http://www.freeipa.org/page/V4/Thin_Client>
* Added support for Sub-CAs <http://www.freeipa.org/page/V4/Sub-CAs>

== Detailed Changelog since 4.3.1 ==

Abhijeet Kasurde (12):
Added kpasswd_server directive in client krb5.conf
Fixed login error message box in LoginScreen page
Added fix for notifying user about Kerberos principal expiration in WebUI
Added description related to 'status' in ipactl man page
Added warning to user for Internet Explorer
Added fix for notifying user about locked user account in WebUI
Updated ipa command man page
Fix added to ipa-compat-manage command line help
Removed custom implementation of CalledProcessError
Replaced find_hostname with api.env.host
Added exception handling for mal-formatted XML Parsing
Added missing translation to automount.py method

Alexander Bokovoy (11):
slapi-nis: update configuration to allow external members of IPA groups
extdom: do not fail to process error case when no request is specified
otptoken: support Python 3 for the qr code
trusts: Add support for an external trust to Active Directory domain
adtrust: remove nttrustpartner parameter
adtrust: remove nttrustpartner parameter
adtrust: support GSSAPI authentication to LDAP as Active Directory user
adtrust: support UPNs for trusted domain users
webui: show UPN suffixes in trust properties
webui: support external flag to trust-add
adtrust: optimize forest root LDAP filter

Christian Heimes (3):
Require Dogtag 10.2.6-13 to fix KRA uninstall
Modernize mod_nss's cipher suites
Move user/group constants for PKI and DS into ipaplatform

David Kupka (28):
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
ipa-dns-install: Do not check for zone overlap when DNS installed.
ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
installer: Change reverse zones question to better reflect reality.
Fix: Use unattended parameter instead of options.unattended
CI: Add '2-connected' topology generator.
CI: Add simple replication test in 2-connected topology.
CI: Add test for 2-connected topology generator.
CI: Fix pep8 errors in 2-connected topology generator
CI: add empty topology test for 2-connected topology generator
CI: Add double circle topology.
CI: Add replication test utilizing double-circle topology.
CI: Add test for double-circle topology generator.
CI: Make double circle topology python3 compatible
upgrade: Match whole pre/post command not just basename.
dsinstance: add start_tracking_certificates method
httpinstance: add start_tracking_certificates method
Look up HTTPD_USER's UID and GID during installation.
test: test_cli: Do not expect defaults in kwargs.
man: Describe ipa-client-install workaround for broken D-Bus environment.
installer: positional_arguments must be tuple or list of strings
installer: index() raises ValueError
Remove unused locking "context manager"
schema: Add fingerprint and TTL
schema: Add known_fingerprints option to schema command
schema: Cache schema in api instance
schema: return fingerprint as unicode text

Filip Skola (9):
Refactor test_user_plugin, use UserTracker for tests
Refactor test_replace
Refactor test_attr
Refactor test_sudocmd_plugin
Refactor test_sudocmdgroup_plugin
Refactor test_group_plugin, use GroupTracker for tests
Refactor test_nesting, create HostGroupTracker
Refactor test_hostgroup_plugin
Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (5):
Add missing CA options to the manpage for ipa-replica-install
Add the culprit line when a configuration file has an incorrect format
add context to exception on LdapEntry decode error
batch command can be used to trigger internal errors on server
Always qualify requests for admin in ipa-replica-conncheck

Fraser Tweedale (22):
Do not decode HTTP reason phrase from Dogtag
Remove workaround for CA running check
caacl: correctly handle full user principal name
Prevent replica install from overwriting cert profiles
Detect and repair incorrect caIPAserviceCert config
Remove service and host cert issuer validation
Allow CustodiaClient to be used by arbitrary principals
Load server plugins in certmonger renewal helper
Add ACIs for Dogtag custodia client
Optionally add service name to Custodia key DNs
Setup lightweight CA key retrieval on install/upgrade
Authorise CA Agent to manage lightweight CAs
Add custodia store for lightweight CA key replication
Add 'ca' plugin
Add IPA CA entry on install / upgrade
Update 'caacl' plugin to support lightweight CAs
Add CA argument to ra.request_certificate
Update cert-request to allow specifying CA
Add issuer options to cert-show and cert-find
replica-install: configure key retriever before starting Dogtag
upgrade: do not try to start CA if not configured
restart scripts: bootstrap api with in_server=True

Gabe Alford (1):
ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

Jakub Hrozek (1):
sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1):
Set close button type attribute to 'button'.

Jan Barta (1):
pylint: fix: multiple-statements

Jan Cholasta (112):
ipautil: remove unused import causing cyclic import in tests
ipalib: assume version 2.0 when skip_version_check is enabled
ipapython: remove default_encoding_utf8
ipapython: port p11helper C code to Python
ipapython: use python-cryptography instead of libcrypto in p11helper
spec file: package python-ipalib as noarch
cert renewal: import all external CA certs on IPA CA cert renewal
replica install: validate DS and HTTP server certificates
replica promotion: fix AVC denials in remote connection check
cacert install: fix trust chain validation
client: stop using /etc/pki/nssdb
ipalib: provide per-call command context
ipalib: add convenient Command method for adding messages
certdb: never use the -r option of certutil
spec file: bump minimum required pki-core version
build: fix client-only build
makeapi: use the same formatting for `int` and `long` values
replica install: do not set CA renewal master flag
rpc: do not crash when unable to parse JSON
parameters: remove unused ConversionError and ValidationError arguments
rpc: include structured error information in responses
frontend: re-raise remote RequirementError using CLI name in CLI
frontend: remove the unused Command.soft_validate method
frontend: perform argument value validation only on server
batch: do not crash when no argument is specified
ipalib: make optional positional command arguments actually optional
frontend: do not forward unspecified positional arguments to server
user: do not assume the preserve flags have value in user_del
frontend: do not forward argument defaults to server
makeapi: optimize API.txt
ipalib: remove the unused `csv` argument of Param
makeaci: load additional plugins using API.add_module
plugable: replace API.import_plugins with new API.add_package
ipalib, ipaserver: migrate all plugins to Registry-based registration
ipalib, ipaserver: fix incorrect API.register calls in docstrings
plugable: remove the unused deprecated API.register method
plugable: switch API to Registry-based plugin discovery
frontend: merge baseldap.CallbackRegistry into Command
frontend: move the interactive_prompt callback type to Command
automount: do not inherit automountlocation_import from LDAPQuery
dns: move code called on client to the module level
dns: do not rely on server data structures in code called on client
otptoken: fix import of DN
otptoken_yubikey: fix otptoken_add_yubikey arguments
vault: move client-side code to the module level
vault: copy arguments of client commands from server counterparts
ipalib: use relative imports for cross-plugin imports
frontend: allow commands to have an argument named `name`
cli: make optional positional command arguments actually optional
dns: fix dnsrecord interactive mode
ipaclient: introduce ipaclient.plugins
ipalib: move client-side plugins to ipaclient
help, makeapi: allow setting command topic explicitly
help, makeapi: specify module topic by name
help, makeapi: do not use hardcoded plugin package name
plugable: turn Plugin attributes into properties
plugable: simplify API plugin initialization code
plugable: remember overridden plugins in API
frontend: turn Method attributes into properties
ipaclient: add client-side command override class
dns: move code shared by client and server to separate module
ipalib: split off client-side plugin code into ipaclient
parameters: introduce cli_metavar keyword argument
parameters: introduce no_convert keyword argument
ipalib: replace DeprecatedParam with `deprecated` Param argument
ipalib: introduce API schema plugins
rpc: respect API config in RPCClient.create_connection
rpc: allow overriding NSS DB directory in API config
rpc: specify connection options in API config
rpc: optimize JSON-RPC response handling
rpc: do not validate command name in RPCClient.forward
client install: finalize API after CA certs are available
ipactl: use server API
ipalib: move File command arguments to ipaclient
misc: hide the unused --all option of `env` and `plugins` in CLI
ipaclient: implement thin client
ipalib: move server-side plugins to ipaserver
frontend: do not check API minor version of the client
schema: do not validate unrequested params in command_defaults
replica install: use remote server API to create service entries
schema: fix topic command output
schema: fix typo
spec file: require correct packages to get API plugins
plugable: allow plugins to be non-classes
plugable: initialize plugins on demand
schema: generate client-side commands on demand
batch, schema: use Dict instead of Any
misc: fix empty CLI output of `env` and `plugins` commands
dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
frontend: call `execute` rather than `forward` in Local
schema: exclude local commands
schema: fix client-side dynamic defaults
makeaci, makeapi: use in-server API
frontend: don't copy command arguments to output params
frontend: skip `value` output in output_for_cli
frontend: do not crash on missing output in output_for_cli
automember: add object plugin for automember_rebuild
dns: do not rely on custom param fields in record attributes
misc: skip `count` and `total` output in env.output_for_cli
passwd: handle sort order of passwd argument on the client
permission: handle ipapermright deprecated CLI alias on the client
schema: add object class schema
schema: remove output_params
schema: merge command args and options
schema: remove redundant information
schema: remove `no_cli` from command schema
replica install: fix thin client regression
ldap: fix handling of binary data in search filters
cert: add object plugin
cert: add owner information
cert: allow search by certificate
dns: fix dns_update_system_records to work with thin client

Jérôme Fenal (1):
Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (5):
WebUI tests: fix failing of tests due to unclickable label
WebUI test: ID views
WebUI: Test creating user without private group
Test fix: Cleanup for host certificate
Test: Maximum username length higher than 255 cannot be set

Ludwig Krispenz (2):
prevent moving of topology entries out of managed scope by modrdn operations
v2 - avoid crash in topology plugin when host list contains host with no hostname

Lukáš Slebodník (6):
extdom: Remove unused macro
IPA-SAM: Fix build with samba 4.4
CONFIGURE: Replace obsolete macros
ipa-sam: Do not redefine LDAP_PAGE_SIZE
SPEC: Remove unused build dependency on libwbclient
BUILD: Remove detection of libcheck

Martin Babinsky (44):
raise more descriptive Backend connection-related exceptions
harden domain level 1 topology connectivity checks
ipalib/x509.py: revert deletion of ipalib api import
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
tests for package version comparison
fix Py3 incompatible exception instantiation in replica install code
ipa-csreplica-manage: remove extraneous ldap2 connection
IPA upgrade: move replication ACIs to the mapping tree entry
uninstallation: more robust check for master removal from topology
correctly set LDAP bind related attributes when setting up replication
disable RA plugins when promoting a replica from CA-less master
fix standalone installation of externally signed CA on IPA master
reset ldap.conf to point to newly installed replica after promotion
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
test_cert_plugin: use only first part of the hostname to construct short name
only search for Kerberos SRV records when autodiscovery was requested
spec: add conflict with bind-chroot to freeipa-server-dns
spec: require python-cryptography newer than 0.9
ipa-replica-manage: print traceback on unexpected error when in verbose mode
otptoken-add: improve the robustness of QR code printing
differentiate between limit types when LDAP search exceeds configured limits
specify type of exceeded limit when warning about truncated search results
replica-prepare: do not add PTR records if there is no IPA managed reverse zone
Server Roles: definitions of server roles and attributes
Server Roles: Backend plugin to query roles and attributes
Test suite for `serverroles` backend
Server Roles: public API for server roles
Server Roles: make server-{show,find} utilize role information
Server Roles: make *config-show consume relevant roles/attributes
Server Roles: provide an API for setting CA renewal master
Add NTP to the list of services stored in IPA masters LDAP subtree
Introduce "NTP server" role
ipaserver module for working with managed topology
delegate removal of master DNS record and replica keys to separate functions
server-del: perform full master removal in managed topology
CI test suite for `server-del`
ipa-replica-manage: use `server_del` when removing domain level 1 replica
remove the master from managed topology during uninstallation
Fix listing of enabled roles in `server-find`
Do not update result of *-config-show with empty server attributes

Martin Bašti (147):
Fix DNS tests: dns-resolve returns warning
Remove unused code in server installer related to KRA
Fix version comparison
Fix: replace mkdir with chmod
Use module variables for timedate_services
Remove empty test file
Remove unused imports
Remove wildcard imports
Enable multiple warnings checks in Pylint
Enable pylint lost exception check
Enable pylint duplicated-key check
Enable pylint trailing-whitespace check
Enable pylint missing-final-newline check
Enable pylint unused-format-string-key check
Enable pylint expression-not-assigned check
Enable pylint empty-docstring check
Enable pylint unnecessary-pass check
update_uniqueness plugin: fix referenced before assignment error
Allow to use mixed case for sysrestore
Upgrade: Fix upgrade of NIS Server configuration
DNSSEC test: fix adding zones with --skip-overlap-check
DNSSEC CI: add missing ldns-utils dependency
Enable pylint unpacking-non-sequence check
Enable pylint unbalanced-tuple-unpacking check
CI test: fix regression in task.install_kra
Warn about potential loss of CA, KRA, DNSSEC during uninstall
Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
Exclude o=ipaca subtree from Retro Changelog (syncrepl)
Fix DNSSEC test: add glue record
Warn user when ipa *-find reach limit
DNSSEC CI: fix zone delegations
make lint: use config file and plugin for pylint
Upgrade: log to ipaupgrade.log when IPA server is not installed
Disable new pylint checks
Py3: do not use dict.iteritems()
upgrade: fix config of sidgen and extdom plugins
trusts: use ipaNTTrustPartner attribute to detect trust entries
Warn user if trust is broken
fix upgrade: wait for proper DS socket after DS restart
Revert "test: Temporarily increase timeout in vault test."
Remove duplicated except
Pylint: add missing attributes of errors to definitions
fix permission: Read Replication Agreements
Make PTR records check optional for IPA installation
Fix connections to DS during installation
pylint: suppress false positive no-member errors
CI: allow customized DS install test to work with domain levels
fix suspicious except statements
Remove unused arguments from update_ssh_keys method
Configure 389ds with "default" cipher suite
krb5conf: use 'true' instead of 'yes' for forwardable option
stageuser-activate: Normalize manager value
Remove redundant parameters from CS.cfg in dogtaginstance
Use platform path constant for SSSD log dir
Fix broken trust warnings
spec: Add missing dependencies to python*-ipalib package
client: enable ChallengeResponseAuthentication in sshd_config
pylint: remove bare except
Pylint: fix definition of global variables
Pylint: enable pointless-except check
Pylint: enable reimported check
Pylint: use list comprehension instead of iteration
Pylint: import max one module per line
Pylint: remove unnecessary-semicolon
Pylint: enable invalid-name check
SPEC: do not run upgrade when ipa server is not installed
Fix: catch Exception instead of more specific exception types
Fix stageuser-activate - managers test
Add missing pre_common_callback to stageuser_add
host_del: fix removal of host records
host_del: replace dns-record find command with show
host_del: remove unneeded dnszone-show command call
host_del: split removing A/AAAA and PTR records to separate functions
host_del: remove only A, AAAA, SSHFP, PTR records
host_del: update help for --updatedns option
host-del --updatedns: print warnings instead of error
Use netifaces module instead of 'ip' command
Limit max username length to 255 in config-mod
Increase API version for 'ipamaxusernamelength' attribute change
Configure httpd service from installer instead of directly from RPM
Performance: don't download password attributes in host/user-find
Do not do extra search for ipasshpubkey to generate fingerprints
Always set hostname
Remove deprecated hostname restoration from Fedora18
Remove unused hostname variables
Log errors from backup_and_replace hostname to logger
Tasks: raise NotImplementedError for not implemented methods
fix stageuser tests (removal of has_keytab and has_password from find)
make: fail when ACI.txt or API.txt differs from values in source code
ipactl: advertise --ignore-service-failure option
Remove unused variable and finally block in SchemaCache
Fix referenced before assignment variables in except statements
Upgrade: always start CA
Remove unused variables in automount plugin
fix pylint false positive errors
Translations: remove deprecated locale configuration
Make option --no-members public in CLI
Performance: Find commands: do not process members by default
Test: fix failing host_test
Fix: replace incorrect no_cli with no_option flag
Fix: topologysuffix_find doesn't have no_members option
DNS Locations: Always create DNS related privileges
DNS Locations: add new attributes and objectclasses
DNS Locations: location-* commands
DNS Locations: API tests
Allow to use non-Str attributes as keys for members
DNS Locations: extend server-* command with locations
DNS Location: location-show: return list of servers in location
DNS Locations: when removing location remove it from servers first
DNS Locations: extend tests with server-* commands
Upgrade mod_wsgi socket-timeout on existing installation
Exclude unneeded dirs and files from pylint check
Fix resolve_rrsets: RRSet is not hashable
Revert "adtrust: remove nttrustpartner parameter"
Fix: Local variable s_indent might be referenced before defined
Revert "Switch /usr/bin/ipa to Python 3"
Use python2 for ipa cli
DNS Locations: add index for ipalocation attribute
DNS Locations: fix location-del
DNS Locations: add idnsTemplateObject objectclass
DNS Locations: DNS data management
DNS Locations: permission: allow to read status of services
DNS Locations: add ACI for template attribute
DNS Locations: command dns-update-system-records
DNS Locations: use dns_update_service_records in installers
DNS Locations: adtrustinstance simplify dns management
DNS Locations: use automatic records update in ipa-adtrust-install
DNS Locations: server-mod: add automatic records update
DNS Locations: dnsservers: add required objectclasses
DNS Locations: dnsserver-* commands
DNS Locations: dnsserver: put server_id option into named.conf
DNS Locations: dnsserver: use the newer config way in installer
DNS Locations: dnsserver: remove config when replica is removed
DNS Locations: set proper substitution variable
DNS Locations: require to restart named-pkcs11 after location change
DNS Locations: show warning if there is no DNS servers in location
DNS Locations: prevent to remove used locations
DNS Locations: do not generate location records for unused locations
DNS Locations: location-del: remove location record
DNS Locations: Rename ipalocationweight to ipaserviceweight
DNS Locations: generate NTP records
upgrade: don't fail if zone does not exist in find
DNS Location: add list of roles and DNS servers to location-show
DNS Locations: dnsserver: print specific error when DNS is not installed
Fix possibly undefined variable in ipa_smb_conf_exists()
Updated IPA translations
Replica promotion: use the correct IPA domain for replica

Martin Košek (1):
Update Developers in Contributors.txt

Matt Rogers (1):
ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1):
Fix bytes/string handling in rpc

Milan Kubík (11):
ipatests: replace the test-example.com domain in tests
ipatests: Roll back the forwarder config after a test case
ipatests: Fix configuration problems in dns tests
ipatests: Make the A record for hosts in topology conditional
ipatests: fix the install of external ca
ipatests: Add missing certificate profile fixture
ipatests: extend permission plugin test with new expected output
spec file: rename the python-polib dependency name to python2-polib
ipatests: fix for change_principal context manager
ipatests: Add test case for requesting a certificate with full principal.
spec: Add python-sssdconfig dependency for python-ipatests package

Nathaniel McCallum (7):
Don't error when find_base() fails if a base is not required
Rename syncreq.[ch] to otpctrl.[ch]
Ensure that ipa-otpd bind auths validate an OTP
Return password-only preauth if passwords are allowed
Enable authentication indicators for OTP and RADIUS
Migrate from #ifndef guards to #pragma once
Enable service authentication indicator management

Oleg Fayans (26):
CI tests: Enabled automatic creation of reverse zone during master installation
CI tests: Added domain realm as a parameter to master installation in integration tests
Fixed install_ca and install_kra under domain level 0
fixed an issue with master installation not creating reverse zone
Enabled recreation of test directory in apply_common_fixes function
Updated connect/disconnect replica to work with both domainlevels
Removed --ip-address option from replica installation
Removed messing around with resolv.conf
Integration tests for replica promotion feature
Enabled setting domain level explicitly in test class
Removed a constantly failing call to prepare_host
Made apply_common_fixes call at replica installation independent on domain_level
Workaround for ticket 5627
Added copyright info to replica promotion tests
rewrite a misprocessed teardown_method method as a custom decorator
Reverted changes in mh fixture causing some tests to fail
Fixed a bug with prepare_host failing upon existing ipatests folder
Added a kdestroy call to clean ccache at master/client uninstallation
Added 5 more tests to Replica Promotion testsuite
Fixed a failure in legacy_client tests
Add test if replica is working after domain upgrade
Improve reporting of failed tests in topology test suite
Bugfixes in managed topology tests
A workaround for ticket N 5348
Added necessary A record for the replica to root zone
Increased certmonger timeout

Patrice Duc-Jacquet (2):
Incorrect message when KRA already installed
Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".

Pavel Vomacka (41):
Add tool tips for Revert, Refresh, Undo, and Undo All
Add support for the 'user' url parameter for the reset_password.html
Add validation to Issue new certificate dialog
Add pan and zoom functionality to the topology graph
Nodes stay fixed after initial animation.
Add field for group id in user add dialog
Resize topology graph canvas according to window size
Add X-Frame-Options and frame-ancestors options
Add activate option to stage user details page
Add 'skip overlap check' checkbox into add zone dialog
Add 'skip overlap check' checkbox to the add dns forward zone dialog
Add option to show OTP when adding host
Update the delete dialog on details user page
Add ability to stage multiple users
Add option to stage user from details page
Change lang.hitch to javascript bind method
Change 'Restore' to 'Remove Hold'
Extend the certificate request dialog
Auth Indicators WebUI part
Fix bad searching of reverse DNS zone
Add adapter attribute for choosing record
DNS Locations: WebUI part
Add lists of hosts allowed to create or retrieve keytabs
Correct a jslint warning
Association table can be read only
Extend table facet
Add server roles on topology page
Search facet can be without search field
Add ability to review cert request dialog
Add new webui plugin - ca
Extend certificate entity page
Extend caacl entity
Make Actions string translatable
Extend DNS config page
Extend trust config page
Add creating a segment using mouse
Add listener which opens add segment dialog
Add placeholder to add segment dialog
Add DNS default TTL field
Allow to set weight of a server without location
DNS Servers: Web UI part

Peter Lacko (1):
Ping module tests.

Petr Viktorin (46):
Package ipapython, ipalib, ipaplatform, ipatests for Python 3
Use explicit truncating division
Don't index exceptions directly
Use print_function future definition wherever print() is used
Alias "unicode" to "str" under Python 3
Avoid builtins that were removed in Python 3
dnsutil: Rename __nonzero__ to __bool__
Remove deprecated contrib/RHEL4
make-lint: Allow running pylint --py3k to detect Python3 issues
Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
test_parameters: Ignore specific error message
ipaldap, ldapupdate: Encoding fixes for Python 3
ipautil.run, kernel_keyring: Encoding fixes for Python 3
tests: Use absolute imports
ipautil: Use mode 'w+' in write_tmp_file
test_util: str/bytes check fixes for Python 3
p11helper: Port to Python 3
cli: Don't encode/decode for stdin/stdout on Python 3
Package python3-ipaclient
Move get_ipa_basedn from ipautil to ipadiscovery
ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
ipapython.sysrestore: Use str methods instead of functions from the string module
ipalib.x809: Accept bytes for make_pem
dns plugin: Fix zone normalization under Python 3
sysrestore: Iterate over a list of dict keys
test_xmlrpc: Use absolute imports
xmlrpc_test: Rename exception instance before working with it
radiusproxy plugin: Use str(error) rather than error.message
xmlrpc_test: Expect bytes rather than strings for binary attributes
ipalib.rpc: Send base64-encoded data as string under Python 3
range plugin tests: Use bytes with MockLDAP under Python 3
radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
certprofile plugin: Use binary mode for file with binary data
test_add_remove_cert_cmd: Use bytes for base64.b64encode()
Switch /usr/bin/ipa to Python 3
Fix remaining relative import and enable Pylint check
ipalib.cli: Improve reporting of binary values in the CLI
test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
ipaldap: Keep attribute names as text, not bytes
ipapython.secrets.kem: Use ConfigParser from six.moves
test_topology_plugin: Don't rely on order of an attribute's values
test_rpcserver: Expect updated error message under Python 3
ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
ipaldap: Convert dict items to list before iterating
test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

Petr Voborník (16):
Bump 4.4 development version to 4.3.90
webui: add examples to network address validator error message
webui: pwpolicy cospriority field was marked as required
spec: do not require arch specific ipalib package from noarch packages
webui: display server suffixes in server search page
stop installer when setup-ds.pl fail
webui: crash nicely if sessionStorage is not available
webui: remove moot error from webui build
webui: use API call ca_is_enabled instead of enable_ra env variable.
webui: fixed showing of success message after password change on login
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
cookie parser: do not fail on cookie with empty value
fix incorrect name of ipa-winsync-migrate command in help
webui: fail nicely if cookies are disabled
ipa-client-install: fix typo in nslcd service name
Become IPA 4.4.0 Alpha 1

Petr Špaček (51):
dns: Handle SERVFAIL in check if domain already exists.
DNSSEC: Improve error reporting from ipa-ods-exporter
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
DNSSEC: Make sure that current key state in LDAP matches key state in BIND
DNSSEC: remove obsolete TODO note
DNSSEC: add debug mode to ldapkeydb.py
DNSSEC: logging improvements in ipa-ods-exporter
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
DNSSEC: ipa-ods-exporter: add ldap-cleanup command
DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
DNSSEC: Log debug messages at log level DEBUG
Fix --auto-reverse option in --unattended mode.
Fix dns_is_enabled() API command to throw exceptions as appropriate
Fix DNS zone overlap check to allow ipa-replica-install to work
Fix ipa-adtrust-install to always generate SRV records with FQDNs
Fix URL for reporting bugs in strings
Pylint: enable parallelism
Makefile: replace perl with sed
Remove function ipapython.ipautil.host_exists()
Extend installers with --forward-policy option
Move automatic empty zone list into ipapython.dnsutil and make it reusable
Add assert_absolute_dnsname() helper to ipapython.dnsutil
Move function is_auto_empty_zone() into ipapython.dnsutil
Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
Add function ipapython.dnsutil.inside_auto_empty_zone()
Auto-detect default value for --forward-policy option in installers
ipa-nis-manage: Replace text references to compat plugin with NIS
ipa-nis-manage: mention return code 3 in man page
DNS: Fix upgrade - master to forward zone transformation
DNS installer: accept --auto-forwarders option in unattended mode
Remove unused file install/share/fedora-ds.init.patch
Batch command: avoid accessing potentially undefined context.principal
pylint: replace Refactor category with individual check names
ipa-nis-manage: add status option
DNS: Warn if forwarding policy conflicts with automatic empty zones
Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
Use root_logger for verify_host_resolvable()
Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
Add ipaDNSVersion option to dnsconfig* commands and use new attribute
DNS upgrade: separate backup logic to make it reusable
Add function ipapython.dnsutil.related_to_auto_empty_zone()
DNS upgrade: change forwarding policy to = only for conflicting forward zones
DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
Require 389-ds-base >= 1.3.5.6
DNS Locations: make ipa-ca record generation more robust
DNS: Support default TTL setting for master DNS zones
DNS: Warn about restart when default TTL setting DNS is changed
DNS: Fix realm domains integration with DNS zone add.

Simo Sorce (6):
Use only AES enctypes by default
Always verify we have a valid ldap context.
Improve keytab code to select the right principal.
Convert ipa-sam to use the new getkeytab control
Allow admins to disable preauth for SPNs.
Allow to specify Kerberos authz data type per user

Stanislav Laznicka (21):
Listing and cleaning RUV extended for CA suffix
Automatically detect and remove dangling RUVs
Cosmetic changes to the code
Fixes minor issues
replica-manage: fail nicely when DM psswd required
ipa-replica-manage refactoring
abort-clean/list/clean-ruv now work for both suffixes
Moved password check from clean_dangling_ruv
Fix to clean-dangling-ruv for single CA topologies
Added pyusb as a dependency
Added some attributes to Modify Users permission
Deprecated the domain-level option in ipa-server-install
Increased mod_wsgi socket-timeout
Added <my_hostname>=<IPA REALM> mapping to krb5.conf
Decreased timeout for IO blocking for DS
fixes premature sys.exit in ipa-replica-manage del
Remove dangling RUVs even if replicas are offline
Added krb5.conf.d/ to included dirs in krb5.conf
Removed dead code from LDAP{Remove,Add}ReverseMember
Fixes CA always being presented as running
Increase nsslapd-db-locks to 50000

Sumit Bose (3):
ipa-kdb: get_authz_data_types() make sure entry can be NULL
ipa-kdb: map_groups() consider all results
extdom: add certificate request

Thierry Bordaz (3):
configure DNA plugin shared config entries to allow connection with GSSAPI
DS deadlock when memberof scopes topology plugin updates
Make sure ipapwd_extop takes precedence over passwd_modify_extop

Thorsten Scherf (1):
Fixed typo in service-add

Timo Aaltonen (6):
Use HTTPD_USER in dogtaginstance.py
Move freeipa certmonger helpers to libexecdir.
ipa_restore: Import only FQDN from ipalib.constants
ipaplatform: Move remaining user/group constants to ipaplatform.constants.
Use ODS_USER/ODS_GROUP in opendnssec_conf.template
Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10):
py3: Remove py3 incompatible exception handling
logger: Use warning instead of warn
Logger: Use warning instead of warn - dns plugin
ipa-getkeytab: Handle the possibility of not obtaining a result
ipa-adtrust-install: Allow dash in the NETBIOS name
spec: Bump required sssd version to 1.13.3-5
adtrustinstance: Make sure smb.conf exists
l10n: Remove Transifex configuration
ipalib: Fix user certificate docstrings
idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (3):
Fix minor typo
Fix minor typos
Fix minor typos
--
Petr Vobornik