[Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.4.3-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sat Jan 14 13:38:13 UTC 2017
Tag 'debian/4.4.3-1' created by Timo Aaltonen <tjaalton at debian.org> at 2017-01-14 13:37 +0000
tagging package freeipa version debian/4.4.3-1
Changes since debian/4.3.2-5:
Abhijeet Kasurde (16):
Added kpasswd_server directive in client krb5.conf
Fixed login error message box in LoginScreen page
Added fix for notifying user about Kerberos principal expiration in WebUI
Added description related to 'status' in ipactl man page
Added warning to user for Internet Explorer
Added fix for notifying user about locked user account in WebUI
Updated ipa command man page
Fix added to ipa-compat-manage command line help
Removed custom implementation of CalledProcessError
Replaced find_hostname with api.env.host
Added exception handling for mal-formatted XML Parsing
Added missing translation to automount.py method
Minor fix in ipa-replica-manage MAN page
Corrected minor spell check in AD Trust information doc messages
Removed unwanted line break from RefererError Dialog message
Handled empty hostname in server-del command
Alexander Bokovoy (23):
slapi-nis: update configuration to allow external members of IPA groups
extdom: do not fail to process error case when no request is specified
otptoken: support Python 3 for the qr code
trusts: Add support for an external trust to Active Directory domain
adtrust: remove nttrustpartner parameter
adtrust: remove nttrustpartner parameter
adtrust: support GSSAPI authentication to LDAP as Active Directory user
adtrust: support UPNs for trusted domain users
webui: show UPN suffixes in trust properties
webui: support external flag to trust-add
adtrust: optimize forest root LDAP filter
service: add flag to allow S4U2Self
support schema files from third-party plugins
ipaserver/dcerpc: reformat to make the code closer to pep8
trust: automatically resolve DNS trust conflicts for triangle trusts
trust: make sure external trust topology is correctly rendered
trust: make sure ID range is created for the child domain even if it exists
ipa-kdb: simplify trusted domain parent search
support multiple uid values in schema compatibility tree
freeipa.spec.in: move ipa CLI utility to freeipa-client
trustdomain-del: fix the way how subdomain is searched
adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
ipa-kdb: search for password policies globally
Ben Lipton (3):
Fix several small typos
Use existing HostKey config to test sshd
Silence sshd messages during install
Christian Heimes (9):
Require Dogtag 10.2.6-13 to fix KRA uninstall
Modernize mod_nss's cipher suites
Move user/group constants for PKI and DS into ipaplatform
Correct path to HTTPD's systemd service directory
RedHatCAService should wait for local Dogtag instance
Remove Custodia server keys from LDAP
Secure permissions of Custodia server.keys
Require httpd 2.4.6-31 with mod_proxy Unix socket support
Use RSA-OAEP instead of RSA PKCS#1 v1.5
David Kupka (61):
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
ipa-dns-install: Do not check for zone overlap when DNS installed.
ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
installer: Change reverse zones question to better reflect reality.
Fix: Use unattended parameter instead of options.unattended
CI: Add '2-connected' topology generator.
CI: Add simple replication test in 2-connected topology.
CI: Add test for 2-connected topology generator.
CI: Fix pep8 errors in 2-connected topology generator
CI: add empty topology test for 2-connected topology generator
CI: Add double circle topology.
CI: Add replication test utilizing double-circle topology.
CI: Add test for double-circle topology generator.
CI: Make double circle topology python3 compatible
upgrade: Match whole pre/post command not just basename.
dsinstance: add start_tracking_certificates method
httpinstance: add start_tracking_certificates method
Look up HTTPD_USER's UID and GID during installation.
test: test_cli: Do not expect defaults in kwargs.
man: Describe ipa-client-install workaround for broken D-Bus environment.
installer: positional_arguments must be tuple or list of strings
installer: index() raises ValueError
Remove unused locking "context manager"
schema: Add fingerprint and TTL
schema: Add known_fingerprints option to schema command
schema: Cache schema in api instance
schema: return fingerprint as unicode text
env: Add 'server' variable to api.env
schema: Caching on schema on client
test: automember: Fix expected exception message
test: cert: Reflect change in behavior in tests
schema: Decrease schema TTL to one hour
schema: Perform the check for schema update when force_schema_check is True
Allow unexpiring passwords
schema: Fix subtopic -> topic mapping
help: Add dnsserver commands to help topic 'dns'
vault: Catch correct exception in decrypt
schema: Speed up schema cache
frontend: Change doc, summary, topic and NO_CLI to class properties
schema: Introduce schema cache format
schema: Generate bits for help load them on request
help: Do not create instances to get information about commands and topics
compat: Save server's API version in for pre-schema servers
schema cache: Do not reset ServerInfo dirty flag
schema cache: Do not read fingerprint and format from cache
Access data for help separately
frontend: Add summary class property to CommandOverride
schema cache: Read server info only once
schema cache: Store API schema cache in memory
client: Do not create instance just to check isinstance
schema cache: Read schema instead of rewriting it when SchemaUpToDate
schema check: Check current client language against cached one
compat: Fix ping command call
schema cache: Fallback to 'en_us' when locale is not available
otptoken, permission: Convert custom type parameters on server
schema cache: Store and check info for pre-schema servers
UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
ipaclient.plugins: Use api_version from internally called commands
password policy: Add explicit default password policy for hosts and services
tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
Filip Skola (9):
Refactor test_user_plugin, use UserTracker for tests
Refactor test_replace
Refactor test_attr
Refactor test_sudocmd_plugin
Refactor test_sudocmdgroup_plugin
Refactor test_group_plugin, use GroupTracker for tests
Refactor test_nesting, create HostGroupTracker
Refactor test_hostgroup_plugin
Refactor test_automember_plugin, create AutomemberTracker
Florence Blanc-Renaud (16):
Add missing CA options to the manpage for ipa-replica-install
Add the culprit line when a configuration file has an incorrect format
add context to exception on LdapEntry decode error
batch command can be used to trigger internal errors on server
Always qualify requests for admin in ipa-replica-conncheck
Report missing certificate in external trust chain
Do not allow installation in FIPS mode
Fix ipa-server-certinstall with certs signed by 3rd-party CA
Do not log error when removing a non-existing file
Show full error message for selinuxusermap-add-hostgroup
server uninstall fails to remove krb principals
Fix session cookies
Fix ipa hbactest output
Fix ipa-certupdate for CA-less installation
Fix regression introduced in ipa-certupdate
Add cert checks in ipa-server-certinstall
Fraser Tweedale (60):
Do not decode HTTP reason phrase from Dogtag
Remove workaround for CA running check
caacl: correctly handle full user principal name
Prevent replica install from overwriting cert profiles
Detect and repair incorrect caIPAserviceCert config
Remove service and host cert issuer validation
Allow CustodiaClient to be used by arbitrary principals
Load server plugins in certmonger renewal helper
Add ACIs for Dogtag custodia client
Optionally add service name to Custodia key DNs
Setup lightweight CA key retrieval on install/upgrade
Authorise CA Agent to manage lightweight CAs
Add custodia store for lightweight CA key replication
Add 'ca' plugin
Add IPA CA entry on install / upgrade
Update 'caacl' plugin to support lightweight CAs
Add CA argument to ra.request_certificate
Update cert-request to allow specifying CA
Add issuer options to cert-show and cert-find
replica-install: configure key retriever before starting Dogtag
upgrade: do not try to start CA if not configured
restart scripts: bootstrap api with in_server=True
Require Dogtag >= 10.3.3
Fix IssuerDN presence check in cert search result
Set default OCSP URI on install and upgrade
ipaldap: turn LDAP filter utility functions into class methods
Skip CS.cfg update if cert nickname not known
Update lightweight CA serial after renewal
ipa-certupdate: track lightweight CA certificates
cert-find: fix 'issuer' option
cert-request: better error msg when 'add' not supported
Check for CA subject name collision before attempting creation
Add --ca option to cert-revoke and cert-remove-hold
Split CA replica installation steps for domain level 0
Fix migration from pre-lightweight CAs master
Add --cn option to cert-status
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
uninstall: untrack lightweight CA certs
caacl: expand plugin documentation
spec: require Dogtag >= 10.3.3-3
Create server and host certs with DNS altname
caacl: fix regression in rule instantiation
cert-revoke: fix permission check bypass (CVE-2016-5404)
Move GeneralName parsing code to ipalib.x509
x509: fix SAN directoryName parsing
x509: use NSS enums and OIDs to identify SAN types
x509: include otherName DER value in GeneralNameInfo
cert-show: show subject alternative names
Track lightweight CAs on replica installation
Add ca-disable and ca-enable commands
Allow Dogtag RestClient to perform requests without logging in
Add HTTPRequestError class
Use Dogtag REST API for certificate requests
cert-request: raise CertificateOperationError if CA disabled
Make host/service cert revocation aware of lightweight CAs
cert-request: raise error when request fails
spec: require Dogtag >= 10.3.5-6
Add commentary about CA deletion to plugin doc
cert-show: show validity in default output
certprofile-mod: correctly authorise config update
Gabe Alford (1):
ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
Ganna Kaihorodova (2):
Fix conflict between "got" and "expected" values
Fix for integration tests replication layouts
Jakub Hrozek (1):
sudo: Fix a typo in the --help output of sudocmdgroup
James Groffen (1):
Set close button type attribute to 'button'.
Jan Barta (1):
pylint: fix: multiple-statements
Jan Cholasta (168):
ipautil: remove unused import causing cyclic import in tests
ipalib: assume version 2.0 when skip_version_check is enabled
ipapython: remove default_encoding_utf8
ipapython: port p11helper C code to Python
ipapython: use python-cryptography instead of libcrypto in p11helper
spec file: package python-ipalib as noarch
cert renewal: import all external CA certs on IPA CA cert renewal
replica install: validate DS and HTTP server certificates
replica promotion: fix AVC denials in remote connection check
cacert install: fix trust chain validation
client: stop using /etc/pki/nssdb
ipalib: provide per-call command context
ipalib: add convenient Command method for adding messages
certdb: never use the -r option of certutil
spec file: bump minimum required pki-core version
build: fix client-only build
makeapi: use the same formatting for `int` and `long` values
replica install: do not set CA renewal master flag
rpc: do not crash when unable to parse JSON
parameters: remove unused ConversionError and ValidationError arguments
rpc: include structured error information in responses
frontend: re-raise remote RequirementError using CLI name in CLI
frontend: remove the unused Command.soft_validate method
frontend: perform argument value validation only on server
batch: do not crash when no argument is specified
ipalib: make optional positional command arguments actually optional
frontend: do not forward unspecified positional arguments to server
user: do not assume the preserve flags have value in user_del
frontend: do not forward argument defaults to server
makeapi: optimize API.txt
ipalib: remove the unused `csv` argument of Param
makeaci: load additional plugins using API.add_module
plugable: replace API.import_plugins with new API.add_package
ipalib, ipaserver: migrate all plugins to Registry-based registration
ipalib, ipaserver: fix incorrect API.register calls in docstrings
plugable: remove the unused deprecated API.register method
plugable: switch API to Registry-based plugin discovery
frontend: merge baseldap.CallbackRegistry into Command
frontend: move the interactive_prompt callback type to Command
automount: do not inherit automountlocation_import from LDAPQuery
dns: move code called on client to the module level
dns: do not rely on server data structures in code called on client
otptoken: fix import of DN
otptoken_yubikey: fix otptoken_add_yubikey arguments
vault: move client-side code to the module level
vault: copy arguments of client commands from server counterparts
ipalib: use relative imports for cross-plugin imports
frontend: allow commands to have an argument named `name`
cli: make optional positional command arguments actually optional
dns: fix dnsrecord interactive mode
ipaclient: introduce ipaclient.plugins
ipalib: move client-side plugins to ipaclient
help, makeapi: allow setting command topic explicitly
help, makeapi: specify module topic by name
help, makeapi: do not use hardcoded plugin package name
plugable: turn Plugin attributes into properties
plugable: simplify API plugin initialization code
plugable: remember overridden plugins in API
frontend: turn Method attributes into properties
ipaclient: add client-side command override class
dns: move code shared by client and server to separate module
ipalib: split off client-side plugin code into ipaclient
parameters: introduce cli_metavar keyword argument
parameters: introduce no_convert keyword argument
ipalib: replace DeprecatedParam with `deprecated` Param argument
ipalib: introduce API schema plugins
rpc: respect API config in RPCClient.create_connection
rpc: allow overriding NSS DB directory in API config
rpc: specify connection options in API config
rpc: optimize JSON-RPC response handling
rpc: do not validate command name in RPCClient.forward
client install: finalize API after CA certs are available
ipactl: use server API
ipalib: move File command arguments to ipaclient
misc: hide the unused --all option of `env` and `plugins` in CLI
ipaclient: implement thin client
ipalib: move server-side plugins to ipaserver
frontend: do not check API minor version of the client
schema: do not validate unrequested params in command_defaults
replica install: use remote server API to create service entries
schema: fix topic command output
schema: fix typo
spec file: require correct packages to get API plugins
plugable: allow plugins to be non-classes
plugable: initialize plugins on demand
schema: generate client-side commands on demand
batch, schema: use Dict instead of Any
misc: fix empty CLI output of `env` and `plugins` commands
dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
frontend: call `execute` rather than `forward` in Local
schema: exclude local commands
schema: fix client-side dynamic defaults
makeaci, makeapi: use in-server API
frontend: don't copy command arguments to output params
frontend: skip `value` output in output_for_cli
frontend: do not crash on missing output in output_for_cli
automember: add object plugin for automember_rebuild
dns: do not rely on custom param fields in record attributes
misc: skip `count` and `total` output in env.output_for_cli
passwd: handle sort order of passwd argument on the client
permission: handle ipapermright deprecated CLI alias on the client
schema: add object class schema
schema: remove output_params
schema: merge command args and options
schema: remove redundant information
schema: remove `no_cli` from command schema
replica install: fix thin client regression
ldap: fix handling of binary data in search filters
cert: add object plugin
cert: add owner information
cert: allow search by certificate
dns: fix dns_update_system_records to work with thin client
schema: fix param default value handling
schema: do not crash in command_defaults if argument is None
automember: fix automember to work with thin client
schema: client-side code cleanup
misc: generate `plugins` result directly in the command
plugable: use plugin class as the key in API namespaces
plugable: support plugin versioning
schema: support plugin versioning
frontend: forward command calls using full name
schema: fix Flag arguments on the client
schema: properly fix Flag arguments on the client
backup: use in-server API in ipa-backup and ipa-restore
replica install: don't allow install against a newer server
session: move the session module from ipalib to ipaserver
session: do not initialize session manager on import
xmlserver: initialize RPC server plugins only in server context
makeaci, makeapi, oddjob: use the default API context
server: define missing virtual attributes
user: add object plugin for user_status
frontend: do not ignore client-side output params
cert: fix CLI output of cert_remove_hold
plugable: add option to ignore override errors
client: ignore override errors in command overrides
client: add placeholders for required remote plugins
server: exclude Local commands from RPC
client: do not crash when overriding remote command as method
client: add support for pre-schema servers
frontend: copy command arguments to output params on client
Revert "Enable vault-* commands on client"
client: fix hiding of commands which lack server support
compat: fix ping call
install: fix external CA cert validation
vault: add missing salt option to vault_mod
Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
parameters: move the `confirm` kwarg to Param
client: add missing output params to client-side commands
cert: speed up cert-find
cert: do not crash on invalid data in cert-find
server install: do not prompt for cert file PIN repeatedly
tests: fix test_ipalib.test_frontend.test_Object
custodia: include known CA certs in the PKCS#12 file for Dogtag
cert: add missing param values to cert-find output
cert: include CA name in cert command output
rpcserver: assume version 1 for unversioned command calls
custodia: force reconnect before retrieving CA certs from LDAP
rpcserver: fix crash in XML-RPC system commands
cli: use full name when executing a command
dns: normalize record type read interactively in dnsrecord_add
dns: prompt for missing record parts in CLI
dns: fix crash in interactive mode against old servers
cert: fix cert-find --certificate when the cert is not in LDAP
client: remove hard dependency on pam_krb5
dns: re-introduce --raw in dnsrecord-del
test_plugable: update the rest of test_init
cert: add revocation reason back to cert-find output
spec file: bump minimal required version of 389-ds-base
Jérôme Fenal (1):
Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.
Lenka Doudova (58):
WebUI tests: fix failing of tests due to unclickable label
WebUI test: ID views
WebUI: Test creating user without private group
Test fix: Cleanup for host certificate
Test: Maximum username length higher than 255 cannot be set
Tests: Fix for failing location tests
Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
Tests: Make ID views tests reflect new krbcanonicalname attribute
Tests: Fix failing ipatests/test_ipalib/test_errors.py
Tests: Remove DNS configuration from trust tests
Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py
Tests: Fix frontend tests
Tests: Tracker class for services
Tests: Authentication indicators xmlrpc tests
Tests: Authentication indicators integration tests
Tests: External trust
Tests: Support of UPN for trusted domains
Tests: Improve handling of rename operation by user tracker
Tests: IPA user can kinit using enterprise principal with IPA domain
Tests: Removing manipulation with /etc/hosts file from integration tests
Tests: Remove has_keytab from list of expected keys of update command
Tests: Add data attribute to messages
Tests: test_ipalib/test_output fails due to change of Output behaviour
Fix malformed or missing docstrings in ipalib/messages
Tests: Fix failing tests in test_ipalib/test_parameters
Tests: Fix failing tests in test_ipalib/test_frontend
Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute
Tests: Duplicate declaration on variables in ID views tests
Tests: ID views tests do not recognize krbcanonicalname attribute
Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
Tests: Failing test_ipalib/test_rpc
Tests: Failing test_ipaserver/test_ldap test
Tests: Failing tests in test_ipalib/test_plugable
Raise error when running ipa-adtrust-install with empty netbios--name
Tests: Random issuer certificate can be added to a service
Tests: Add missing attributes to test_xmlrpc/test_trust tests
Tests: Avoid skipping tests due to missing files
Tests: Fix regex errors in integration trust tests
Tests: Add cleanup to integration trust tests
Tests: Fix failing ldap.backend test
Tests: Fix integration sudo tests setup and checks
Tests: Remove SSSD restart from integration tests
Tests: Add krb5kdc.service restart to integration trust tests
Tests: Update host test with ipa-join
Tests: Fix host attributes in ipa-join host test
Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
Tests: Remove invalid certplugin tests
Tests: Certificate revocation
Tests: Verify that cert commands show CA without --all
Tests: Fix failing test_ipalib/test_parameters
Tests: Fix integration sudo test
Tests: Provide AD cleanup for trust tests
Tests: Provide AD cleanup for legacy client tests
Add file_exists method as a member of transport object
Tests: Verify that validity info is present in cert-show and cert-find command
Tests: Providing trust tests with tree root domain
Document make_delete_command method in UserTracker
Ludwig Krispenz (3):
prevent moving of topology entries out of managed scope by modrdn operations
v2 - avoid crash in topology plugin when host list contains host with no hostname
Check for conflict entries before raising domain level
Lukáš Slebodník (10):
extdom: Remove unused macro
IPA-SAM: Fix build with samba 4.4
CONFIGURE: Replace obsolete macros
ipa-sam: Do not redefine LDAP_PAGE_SIZE
SPEC: Remove unused build dependency on libwbclient
BUILD: Remove detection of libcheck
ipa_pwd_extop: Fix warning declaration shadows previous local
ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
ipa-kdb: Allow to build with samba 4.5
ipa-kdb: Fix unit test after packaging changes in krb5
Martin Babinsky (110):
raise more descriptive Backend connection-related exceptions
harden domain level 1 topology connectivity checks
ipalib/x509.py: revert deletion of ipalib api import
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
tests for package version comparison
fix Py3 incompatible exception instantiation in replica install code
ipa-csreplica-manage: remove extraneous ldap2 connection
IPA upgrade: move replication ACIs to the mapping tree entry
uninstallation: more robust check for master removal from topology
correctly set LDAP bind related attributes when setting up replication
disable RA plugins when promoting a replica from CA-less master
fix standalone installation of externally signed CA on IPA master
reset ldap.conf to point to newly installer replica after promotion
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
test_cert_plugin: use only first part of the hostname to construct short name
only search for Kerberos SRV records when autodiscovery was requested
spec: add conflict with bind-chroot to freeipa-server-dns
spec: require python-cryptography newer than 0.9
ipa-replica-manage: print traceback on unexpected error when in verbose mode
otptoken-add: improve the robustness of QR code printing
differentiate between limit types when LDAP search exceeds configured limits
specify type of exceeded limit when warning about truncated search results
replica-prepare: do not add PTR records if there is no IPA managed reverse zone
Server Roles: definitions of server roles and attributes
Server Roles: Backend plugin to query roles and attributes
Test suite for `serverroles` backend
Server Roles: public API for server roles
Server Roles: make server-{show,find} utilize role information
Server Roles: make *config-show consume relevant roles/attributes
Server Roles: provide an API for setting CA renewal master
Add NTP to the list of services stored in IPA masters LDAP subtree
Introduce "NTP server" role
ipaserver module for working with managed topology
delegate removal of master DNS record and replica keys to separate functions
server-del: perform full master removal in managed topology
CI test suite for `server-del`
ipa-replica-manage: use `server_del` when removing domain level 1 replica
remove the master from managed topology during uninstallation
Fix listing of enabled roles in `server-find`
Do not update result of *-config-show with empty server attributes
server-del: harden check for last roles
perform case-insensitive principal search when canonicalization is requested
mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
add case-insensitive matching rule to krbprincipalname index
add krbCanonicalName to attributes watched by MODRDN plugin
ipa-kdb: set krbCanonicalName when creating new principals
ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
set krbcanonicalname on host entry during krbinstance configuration
account for added krbcanonicalname attribute during xmlrpc tests
Fix incorrect construction of service principal during replica cleanup
keep setting ipakrbprincipal objectclass on new service entries
test_serverroles: ensure that test API is initialized with correct ldap_uri
test-{service,host}-plugin: only expect krbcanonicalname when all=True
ipapython module for Kerberos principal manipulation and parsing
Test suite for `ipapython/kerberos.py`
ipalib: introduce Principal parameter
Migrate management framework plugins to use Principal parameter
Add ACI for admins to modify principal attributes
replace an ACI relying on presence of deprecated objectclass
Allow for commands that use positional parameters to add/remove attributes
Make framework consider krbcanonicalname as service primary key
Provide API for management of host, service, and user principal aliases
Unify display of principal names/aliases across entities
Fix incorrect check for principal type when evaluating CA ACLs
ipa-nis-manage: Use server API to retrieve plugin status
ipa-compat-manage: use server API to retrieve plugin status
ipa-advise: correct handling of plugin namespace iteration
vault-add: set the default vault type on the client side if none was given
Preserve user principal aliases during rename operation
messages: specify message type for ResultFormattingError
DNS install: Ensure that DNS servers container exists
Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
allow 'value' output param in commands without primary key
allow multiple dashes in the components of server hostname
expose `--secret` option in radiusproxy-* commands
prevent search for RADIUS proxy servers by secret
trust-add: handle `--all/--raw` options properly
baseldap: Fix MidairCollision instantiation during entry modification
Create indexes for krbCanonicalName attribute
harden the check for trust namespace overlap in new principals
re-set canonical principal name on migrated users
add python-libsss_nss_idmap and python-sss to BuildRequires
do not use trusted forest name to construct domain admin principal
Always fetch forest info from root DCs when establishing two-way trust
factor out `populate_remote_domain` method into module-level function
Always fetch forest info from root DCs when establishing one-way trust
raise ValidationError when deprecated param is passed to command
ldapupdate: Use proper inheritance in BadSyntax exception
netgroup: avoid extraneous LDAP search when retrieving primary key from DN
trust-fetch-domains: contact forest DCs when fetching trust domain info
ipa passwd: use correct normalizer for user principals
use separate exception handlers for executors and validators
Make Continuous installer continuous only during execution phase
Move character escaping function to ipautil
mod_nss: use more robust quoting of NSSNickname directive
disable warnings reported by pylint-1.6.4-1
server-del: fix incorrect check for one IPA master
upgrade: add replica bind DN group check interval to CA topology config
replication: ensure bind DN group check interval is set on replica config
bindinstance: use data in named.conf to determine configuration status
gracefully handle setting replica bind dn group on old masters
Revert "upgrade: add replica bind DN group check interval to CA topology config"
add missing attribute to ipaca replica during CA topology update
Make `kadmin` family of functions return the result of ipautil.run
Add a basic test suite for `kadmin.local` interface
Martin Bašti (203):
Fix DNS tests: dns-resolve returns warning
Remove unused code in server installer related to KRA
Fix version comparison
Fix: replace mkdir with chmod
Use module variables for timedate_services
Remove empty test file
Remove unused imports
Remove wildcard imports
Enable multiple warnings checks in Pylint
Enable pylint lost exception check
Enable pylint duplicated-key check
Enable pylint trailing-whitespace check
Enable pylint missing-final-newline check
Enable pylint unused-format-string-key check
Enable pylint expression-not-assigned check
Enable pylint empty-docstring check
Enable pylint unnecessary-pass check
update_uniqueness plugin: fix referenced before assignment error
Allow to used mixed case for sysrestore
Upgrade: Fix upgrade of NIS Server configuration
DNSSEC test: fix adding zones with --skip-overlap-check
DNSSEC CI: add missing ldns-utils dependency
Enable pylint unpacking-non-sequence check
Enable pylint unbalanced-tuple-unpacking check
CI test: fix regression in task.install_kra
Warn about potential loss of CA, KRA, DNSSEC during uninstall
Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
Exclude o=ipaca subtree from Retro Changelog (syncrepl)
Fix DNSSEC test: add glue record
Warn user when ipa *-find reach limit
DNSSEC CI: fix zone delegations
make lint: use config file and plugin for pylint
Upgrade: log to ipaupgrade.log when IPA server is not installed
Disable new pylint checks
Py3: do not use dict.iteritems()
upgrade: fix config of sidgen and extdom plugins
trusts: use ipaNTTrustPartner attribute to detect trust entries
Warn user if trust is broken
fix upgrade: wait for proper DS socket after DS restart
Revert "test: Temporarily increase timeout in vault test."
Remove duplicated except
Pylint: add missing attributes of errors to definitions
fix permission: Read Replication Agreements
Make PTR records check optional for IPA installation
Fix connections to DS during installation
pylint: suppress false positive no-member errors
CI: allow customized DS install test to work with domain levels
fix suspicious except statements
Remove unused arguments from update_ssh_keys method
Configure 389ds with "default" cipher suite
krb5conf: use 'true' instead of 'yes' for forwardable option
stageuser-activate: Normalize manager value
Remove redundant parameters from CS.cfg in dogtaginstance
Use platform path constant for SSSD log dir
Fix broken trust warnings
spec: Add missing dependencies to python*-ipalib package
client: enable ChallengeResponseAuthentication in sshd_config
pylint: remove bare except
Pylint: fix definition of global variables
Pylint: enable pointless-except check
Pylint: enable reimported check
Pylint: use list comprehension instead of iteration
Pylint: import max one module per line
Pylint: remove unnecessary-semicolon
Pylint: enable invalid-name check
SPEC: do not run upgrade when ipa server is not installed
Fix: catch Exception instead of more specific exception types
Fix stageuser-activate - managers test
Add missing pre_common_callback to stageuser_add
host_del: fix removal of host records
host_del: replace dns-record find command with show
host_del: remove unneeded dnszone-show command call
host_del: split removing A/AAAA and PTR records to separate functions
host_del: remove only A, AAAA, SSHFP, PTR records
host_del: update help for --updatedns option
host-del --updatedns: print warnings instead of error
Use netifaces module instead of 'ip' command
Limit max username length to 255 in config-mod
Increase API version for 'ipamaxusernamelength' attribute change
Configure httpd service from installer instead of directly from RPM
Performance: don't download password attributes in host/user-find
Do not do extra search for ipasshpubkey to generate fingerprints
Always set hostname
Remove deprecated hostname restoration from Fedora18
Remove unused hostname variables
Log errors from backup_and_replace hostname to logger
Tasks: raise NotImplementedError for not implemented methods
fix stageuser tests (removal of has_keytab and has_password from find)
make: fail when ACI.txt or API.txt differs from values in source code
ipactl: advertise --ignore-service-failure option
Remove unused variable and finally block in SchemaCache
Fix referenced before assignment variables in except statements
Upgrade: always start CA
Remove unused variables in automount plugin
fix pylint false positive errors
Translations: remove deprecated locale configuration
Make option --no-members public in CLI
Performance: Find commands: do not process members by default
Test: fix failing host_test
Fix: replace incorrect no_cli with no_option flag
Fix: topologysuffix_find doesn't have no_members option
DNS Locations: Always create DNS related privileges
DNS Locations: add new attributes and objectclasses
DNS Locations: location-* commands
DNS Locations: API tests
Allow to use non-Str attributes as keys for members
DNS Locations: extend server-* command with locations
DNS Location: location-show: return list of servers in location
DNS Locations: when removing location remove it from servers first
DNS Locations: extend tests with server-* commands
Upgrade mod_wsgi socket-timeout on existing installation
Exclude unneeded dirs and files from pylint check
Fix resolve_rrsets: RRSet is not hashable
Revert "adtrust: remove nttrustpartner parameter"
Fix: Local variable s_indent might be referenced before defined
Revert "Switch /usr/bin/ipa to Python 3"
Use python2 for ipa cli
DNS Locations: add index for ipalocation attribute
DNS Locations: fix location-del
DNS Locations: add idnsTemplateObject objectclass
DNS Locations: DNS data management
DNS Locations: permission: allow to read status of services
DNS Locations: add ACI for template attribute
DNS Locations: command dns-update-system-records
DNS Locations: use dns_update_service_records in installers
DNS Locations: adtrustinstance simplify dns management
DNS Locations: use automatic records update in ipa-adtrust-install
DNS Locations: server-mod: add automatic records update
DNS Locations: dnsservers: add required objectclasses
DNS Locations: dnsserver-* commands
DNS Locations: dnsserver: put server_id option into named.conf
DNS Locations: dnsserver: use the newer config way in installer
DNS Locations: dnsserver: remove config when replica is removed
DNS Locations: set proper substitution variable
DNS Locations: require to restart named-pkcs11 after location change
DNS Locations: show warning if there is no DNS servers in location
DNS Locations: prevent to remove used locations
DNS Locations: do not generate location records for unused locations
DNS Locations: location-del: remove location record
DNS Locations: Rename ipalocationweight to ipaserviceweight
DNS Locations: generate NTP records
upgrade: don't fail if zone does not exist in find
DNS Location: add list of roles and DNS servers to location-show
DNS Locations: dnsserver: print specific error when DNS is not installed
Fix possibly undefined variable in ipa_smb_conf_exists()
Updated IPA translations
Replica promotion: use the correct IPA domain for replica
Server-del: fix system records removal
Increase ipa-getkeytab LDAP timeout to 100sec
DNS Locations: server-mod: fix if statement
ipa-rmkeytab, ipa-join: don't fail if init of gettext failed
Revert "DNS Locations: do not generate location records for unused locations"
DNS Locations: hide option --no-msdcs in adtrust-install
DNS Locations: optimization: use server-find to get information
DNS Locations: cleanup of bininstance
CA replica promotion: add proper CA DNS records
Fix replica install with CA
cert.py split module docstring to multiple ugetext string
Add option --no-log for ipa-replica-conncheck script
Do not log to file in remote conncheck side
Bump SSSD version in requires
IPA 4.4.0 Translations
Enable vault-* commands on client
host-find: do not show SSH key by default
CI: DNS locations
Host-del: fix behavior of --updatedns and PTR records
DNS Locations: fix update-system-records unpacking error
Use copy when replacing files to keep SELinux context
CI tests: improve log collecting
CI tests: fix SSSD log collecting
idrange: fix unassigned global variable
Do not initialize API in ipa-client-automount uninstall
Increase default length of auto generated passwords
ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
Fix: container owner should be able to add vault
Remove forgotten print from DN.__str__ implementation
Raise DuplicatedEnrty error when user exists in delete_container
Update translations
Print to debug output answer from CA
Revert "Enable LDAPS in replica promotion"
Become IPA 4.4.1
Set zanata project-version for 4.4 branch
Fix ScriptError to always return string from __str__
Fix parse errors with link-local addresses
Allow network ip addresses
Allow broadcast ip addresses
Allow multicast addresses in A/AAAA records
Show warning when net/broadcast IP address is used in installer
Tests: extend DNS cmdline tests with lowercased record type
Start named during configuration upgrade.
Catch DNS exceptions during emptyzones named.conf upgrade
Abstract procedures for IP address warnings
Fix missing config.ips in promote_check
Add check for IP addresses into DNS installer
Fix regexp patterns in parameters to not enforce length
Use constant for user and group patterns
Test: don't use global variable for iteration in test_cert_plugin
test_text: add test ipa.pot file for tests
CI: extend replication layouts tests with KRA
CI: use --setup-kra with replica installation
CI: Disable KRA install tests on DL0
Zanata: exclude testing ipa.pot file
freeipa-4.4.3: update translations
Martin Košek (2):
Update Developers in Contributors.txt
Update Contributors.txt
Matt Rogers (1):
ipa_kdb: add krbPrincipalAuthInd handling
Michael Simacek (1):
Fix bytes/string handling in rpc
Milan Kubík (26):
ipatests: replace the test-example.com domain in tests
ipatests: Roll back the forwarder config after a test case
ipatests: Fix configuration problems in dns tests
ipatests: Make the A record for hosts in topology conditional
ipatests: fix the install of external ca
ipatests: Add missing certificate profile fixture
ipatests: extend permission plugin test with new expected output
spec file: rename the python-polib dependency name to python2-polib
ipatests: fix for change_principal context manager
ipatests: Add test case for requesting a certificate with full principal.
spec: Add python-sssdconfig dependency for python-ipatests package
ipatests: Tracker implementation for Sub CA feature
ipatests: Extend CAACL suite to cover Sub CA members
ipatests: Test Sub CA with CAACL and certificate profile
ipatests: remove ipacertbase option from test CSR configuration
ipatests: Add tracker class for kerberos principal aliases
ipatests: Extend the MockLDAP utility class
ipatests: Provide a context manager for mocking a trust in RPC tests
ipatests: Move trust mock helper functions to a separate module
ipapython: Extend kinit_password to support principal canonicalization
ipatests: Allow change_principal context manager to use canonicalization
ipatests: Add kerberos principal alias tests
ipatests: Fix wrong fixture in kerberos principal alias test
ipatests: provide context manager for keytab usage in RPC tests
ipatests: Fix name property on a service tracker
ipatests: Implement tests with CSRs requesting SAN
Nathaniel McCallum (9):
Don't error when find_base() fails if a base is not required
Rename syncreq.[ch] to otpctrl.[ch]
Ensure that ipa-otpd bind auths validate an OTP
Return password-only preauth if passwords are allowed
Enable authentication indicators for OTP and RADIUS
Migrate from #ifndef guards to #pragma once
Enable service authentication indicator management
Add authentication indicators support to Host objects
Properly handle LDAP socket closures in ipa-otpd
Oleg Fayans (45):
CI tests: Enabled automatic creation of reverse zone during master installation
CI tests: Added domain realm as a parameter to master installation in integration tests
Fixed install_ca and install_kra under domain level 0
fixed an issue with master installation not creating reverse zone
Enabled recreation of test directory in apply_common_fixes function
Updated connect/disconnect replica to work with both domainlevels
Removed --ip-address option from replica installation
Removed messing around with resolv.conf
Integration tests for replica promotion feature
Enabled setting domain level explicitly in test class
Removed a constantly failing call to prepare_host
Made apply_common_fixes call at replica installation independent on domain_level
Workaround for ticket 5627
Added copyright info to replica promotion tests
rewrite a misprocessed teardown_method method as a custom decorator
Reverted changes in mh fixture causing some tests to fail
Fixed a bug with prepare_host failing upon existing ipatests folder
Added a kdestroy call to clean ccache at master/client uninstallation
Added 5 more tests to Replica Promotion testsuite
Fixed a failure in legacy_client tests
Add test if replica is working after domain upgrade
Improve reporting of failed tests in topology test suite
Bugfixes in managed topology tests
A workaround for ticket N 5348
Added necessary A record for the replica to root zone
Increased certmonger timeout
Test for incorrect client domain
Fixed import error
Fixed incorrect return code assert
Fixed incorrect domainlevel determination in tests
Fixed incorrect sequence of method calls in tasks.py
Added a sleep interval after domainlevel raise in tests
Disabled raiseonerr in kinit call during topology level check
Removed incorrect check for returncode
Several fixes in replica_promotion tests
Changed addressing to the client hosts to be replicas
Test: disabled wrong client domain tests for domlevel 0
Reverted the assertion for replica uninstall returncode
tests: Automated clean-ruv subcommand tests
Automated ipa-replica-manage del tests
Added interface to certutil
Test: integration tests for certs in idoverrides feature
Test for installing rules with service principals
Created idview tracker
tests: Added basic tests for certs in idoverrides
Patrice Duc-Jacquet (2):
Incorrect message when KRA already installed
Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".
Pavel Vomacka (88):
Add tool tips for Revert, Refresh, Undo, and Undo All
Add support for the 'user' url parameter for the reset_password.html
Add validation to Issue new certificate dialog
Add pan and zoom functionality to the topology graph
Nodes stay fixed after initial animation.
Add field for group id in user add dialog
Resize topology graph canvas according to window size
Add X-Frame-Options and frame-ancestors options
Add activate option to stage user details page
Add 'skip overlap check' checkbox into add zone dialog
Add 'skip overlap check' checkbox to the add dns forward zone dialog
Add option to show OTP when adding host
Update the delete dialog on details user page
Add ability to stage multiple users
Add option to stage user from details page
Change lang.hitch to javascript bind method
Change 'Restore' to 'Remove Hold'
Extend the certificate request dialog
Auth Indicators WebUI part
Fix bad searching of reverse DNS zone
Add adapter attribute for choosing record
DNS Locations: WebUI part
Add lists of hosts allowed to create or retrieve keytabs
Correct a jslint warning
Association table can be read only
Extend table facet
Add server roles on topology page
Search facet can be without search field
Add ability to review cert request dialog
Add new webui plugin - ca
Extend certificate entity page
Extend caacl entity
Make Actions string translatable
Extend DNS config page
Extend trust config page
Add creating a segment using mouse
Add listener which opens add segment dialog
Add placeholder to add segment dialog
Add DNS default TTL field
Allow to set weight of a server without location
DNS Servers: Web UI part
Add support for custom menu in multivalued widget
Extends functionality of DropdownWidget
Add working widget
Add ability to turn off activity icon
Add Object adapter
Refactored certificate view and remove hold dialog
Changed the way how to handle remove hold and revoke actions
Remove old useless actions - get and view
Add widget for showing multiple certificates
Add certificate widget
Add new certificates widget to the user details page
Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
Add new certificates widget to the service details page
Updated certificates table
Add new custom command multivalued widget
Add button for dns_update_system_records command
Add certificate widget to ID override user details page.
Add authentication identificator to host page
Change paths of strings in auth indicators widget on service page
Simplify the confirmation messages
Add support to change button css class on confirm dialog
Add button for server-del command
Change error handling in custom_command_multivalued_widget
Set default confirmation button label to 'Remove'
Add widgets for kerberos aliases
Add widget for kerberos aliases to user page
Add widget for kerberos aliases to hosts page
Add widget for kerberos aliases to service page
Close host adder dialog before showing 4304 dialog
Remove navigation using breadcrumb menus
Fix test_navigation tests
Fix test which checks removing of user
Set default delete action name to 'delete'
Remove full name from adding user to user group dialog
Add function which check whether the field is empty
Add jslint into Makefile
Fix unicode characters in ca and domain adders
Add warning about only one existing CA server
Set servers list as default facet in topology facet group
Add 'trusted to auth as user' checkbox