<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream-next
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b7be4cf2be89ab94525db6365cfc8135156e3cfe">b7be4cf2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-12T09:33:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Python dependencies

Fix typo in dependencies and require release of python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/afc0d4b62d043cd568ce87400f60e8fa8273495f">afc0d4b6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-12T20:29:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add nsds5ReplicaReleaseTimeout to replica config

The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.

See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5041b13fc99b227efc9fea19ffd3e0f494118538">5041b13f</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-13T10:30:51+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09

Commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09 should not be pushed,
because it was not the intention to add a new test to .freeipa-pr-ci.
This commits reverts its change.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c8fd5630da2de5d3c88cd5fec7787427259f123">7c8fd563</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-16T12:16:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix upgrade (update_replica_config) in single master mode

Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade
step that add an attribute to a replica config entry.  The entry
only exists after a replica has been added, so upgrade was broken
for standalone server.  Catch and suppress the NotFound error.

Related to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16ea525e249aa3aaeb14a2c56380815d5067131">e16ea525</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T08:18:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: treat duplicate entry when updating as not an error

When we attempt to update an entry during upgrade, it may have already
contain the data in question between the check and the update. Ignore
the change in this case and record it in the log.

Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1dbc6ded723dd1729d69b605f3998d4a9e71f48f">1dbc6ded</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T08:49:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replication: support error messages from 389-ds 1.3.5 or later

389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".

Change the check_repl_update() to handle both formats.

Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/64ffd117d2b4938e0935f9ea00d5eb90c0e7b3e6">64ffd117</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-17T14:28:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: validate AD trust-related options in installers

We already validate that --setup-dns is specified when any of
DNS-related options provided by a user. Do the same for --setup-adtrust
case.

Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/692a9931da326d2de00255c494786f90929843eb">692a9931</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-04-17T16:25:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix format string passed to pytest-multihost

Integration trust test suit failed with error trying to
start chronyd because of bad formating of passed string

See: https://pagure.io/python-pytest-multihost/issue/15
Resolves: https://pagure.io/freeipa/issue/7487
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d4dd2b1ccb065e464ed28fc097b4d06d474617e9">d4dd2b1c</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-18T09:31:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix for integration tests dns_locations

Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore

https://pagure.io/freeipa/issue/7499

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b43c2f8ab4769a473ba81b23321acda7fd57e94c">b43c2f8a</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-04-19T12:11:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: refresh complex pages after modification

Details facet for user, hosts, service, user override entities require
complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is execute and its
result doesn't have all information required for refresh of the page
therefore some fields are missing or empty.

This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.

https://pagure.io/freeipa/issue/5776

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/105d7d7f2efa6368ca7f7ff9a219540f4e008ea7">105d7d7f</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-19T12:59:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Extend user group tests with more scenarios

1) Extended webui group automation test with below scenarios
        Scenarios
         *Add user group with invalid names
         *Add multiple groups records at one shot
         *Select and delete multiple records
         *Find and delete records etc...
2) Improved add_record method to support additional use cases:
         *confirm by additional buttons: 'Add', 'Add and add another', 'Add and Edit,' 'Cancel'
         *add multiple records in one call (uses 'Add and add another' behavior)

https://pagure.io/freeipa/issue/7485

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1a6e36011933e2bb1ef853b10052959b92decc10">1a6e3601</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-19T12:59:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a7b18372ed0f6be95e382194ad599b8a35113351">a7b18372</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-19T08:57:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certprofile: reject config with multiple profileIds

In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID.  This leads to:

- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)

To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0f8593354d8008a501a6e7fa5f142d970face65a">0f859335</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-19T08:57:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certprofile: add tests for config profileId scenarios

Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:

- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2de1aa27f981060acd6a867c89ef963a18cc27df">2de1aa27</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-19T08:59:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/b5bdd07bc54ca557491652ce61011ae6aa3eb592">b5bdd07b</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-20T09:43:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add absolute_import future imports

Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/41352ef9388dbba408762d64b60a6a1f53048bcd">41352ef9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T08:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c

Only certutil creates files in the local directory. Changing the
directory for pk12util breaks ipa-server-certinstall if the
PKCS#12 file is not passed in as an absolute path.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/138ae4abe7d4737ae2e1c6526476b8be009178db">138ae4ab</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T08:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-certinstall failing, unknown option realm

The option realm was being passed in instead of realm_name.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3384147ca1b69f64d197869577e39e7c056bcd51">3384147c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T08:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Some PKCS#12 errors are reported with full path names

This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/4919bd9dae0222509af6ebf4f50ff7602b48c334">4919bd9d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-20T08:51:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove xfail from CALes test test_http_intermediate_ca

The full chain is not required by mod_ssl.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6c4635e779e8f1c171396c9ffb12948c0878bd79">6c4635e7</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-04-24T11:20:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding test-cases for ipa-cacert-manage

    File     :  ipatests/test_integration/test_external_ca.py

    Scenario1:  Manual renew external CA cert with invalid file
                when ipa-server is installed with external-ca
                and renew with invalid cert file the renewal
                should fail.

    Scenario2:  install CA cert manually
                Install ipa-server. Create rootCA, using
                ipa-cacert-manage install option install
                new cert from RootCA

Signed-off-by: Anuja More <amore@redhat.com>

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d73e4a0f169acc3db6388ae8b8e2ecb1e1c62aa">9d73e4a0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-25T08:23:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow dot as a valid character in an selinux identity name

Both of these are legal: unconfined_u and unconfined.u

https://pagure.io/freeipa/issue/7510

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5165afd50124b057f8ff5bef565bf65f19235656">5165afd5</a></strong>
<div>
<span>by Ganna Kaihorodova</span>
<i>at 2018-04-25T11:52:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix trust tests for Posix Support

Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type

https://pagure.io/freeipa/issue/7508

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/07be3306c16c0c8eb729b980c5bd7fdba8343433">07be3306</a></strong>
<div>
<span>by amitkuma</span>
<i>at 2018-04-25T12:06:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RFE: ipa client should setup openldap for GSSAPI

The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
URI
BASE
TLS_CACERT

This PR makes ipa-client to add this AV pair:
SASL_MECH GSSAPI

Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ad2eb3d09b8336008d7f04c3d134c707530d9eb6">ad2eb3d0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T12:14:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CA replica PKCS12 workaround for SQL NSSDB

CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact, that SQL NSS DB handles duplicated certificates differently
than DBM format.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/04e1ae7bf14e5da12cf094e901a73c379657eaf5">04e1ae7b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T12:14:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require 389-ds-base >= 1.4.0.8-1

1.4.0.8-1 contains a bug fix for an error in SASL connection handling.

See: https://pagure.io/389-ds-base/issue/49639
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/236fa61eebc62ece1e17add0d0e5b82a35afeadb">236fa61e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T13:58:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create users in server-common pre hook

The ipaapi user was created in the server package but referenced by a
config file in the server-common package. The server-common package can
be installed without the server package. This caused an error

   Unknown user 'ipaapi'

with systemd-tmpfiles --create. The users are now created in the
server-common package.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/13b9608d5c0715e9afb98362112c45bc346bad8b">13b9608d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-25T14:02:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add augeas dependency to client package

Commit 5d9c749e830819e0e12bdd9388b6b0c2542cf906 add dependency on augeas
Python package, but freeipa.spec was not updated. The python[23]-ipaclient
packages now correctly depend on python[23]-augeas.

Fixes: https://pagure.io/freeipa/issue/7512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/53f87ee5cd9d19f6fb91a9a1eafc8ea798095954">53f87ee5</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T14:41:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">py3: fix csrgen error handling

csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3.  Fix the error
handling.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7633d62d858c14523a99143aa0ff36f76bb4ff68">7633d62d</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T14:41:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: support initialising OpenSSL adaptor with key object

As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0ac1d3ea62efd9751fcc59cea46bcdafe1f11c37">0ac1d3ea</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T14:41:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: drive-by docstring

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/852618fd6529fbdd7b03077fae37c6fbbe45b51b">852618fd</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-04-25T14:41:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">csrgen: fix when attribute shortname is lower case

OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute.  This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").

Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *).  If that fails, upper-case the type string and try
again.

Add some tests for the required behaviour.

Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9d838210bba10e0033d09826023d66e9fa2374c7">9d838210</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-25T15:53:58-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding GSSPROXY_CONF to be backed up on ipa-backup

Without GSSPROXY_CONF being backed up, we would get this error
"ipa: ERROR: No valid Negotiate header in server response"
when running any ipa command after a backup restore.

This commit also fixes the tests:
- TestBackupAndRestore::test_full_backup_and_restore
- TesttBackupAndRestore::test_full_backup_and_restore_with_selinux_booleans_off

https://pagure.io/freeipa/issue/7473

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/415578a199a221a3ed78cbf4d629c3e4ff6f39ec">415578a1</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-04-25T15:53:58-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.

Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d5245cebcb498cf7c3c98f38784ed4d7d641c38">2d5245ce</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-26T08:31:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise config-server-for-smart-card-auth: use mod-ssl

ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.

The fix replaces references to nss.conf with ssl.conf.

https://pagure.io/freeipa/issue/7515

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/84e60e5f998a0c934d1992538a2e3b90b10a2af3">84e60e5f</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-26T14:30:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix typo in ipa-getkeytab --help

Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4">994f71ac</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-26T21:19:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use single Custodia instance in installers

Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/fc371b651e5512cf06dd5de932632444f519376c">fc371b65</a></strong>
<div>
<span>by Thierry Bordaz</span>
<i>at 2018-04-27T10:26:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Hardening of topology plugin to prevent erronous deletion of a replica agreement

When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.

https://pagure.io/freeipa/issue/7461

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1df1786b06485139918e412b2e20164a0726d387">1df1786b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T14:01:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Migration from authconfig to authselect

The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c36bd38360dd833ed657666d52e243e66b3c0dd5">c36bd383</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T14:01:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">New tests for authselect migration

Add new test for client and server installation when authselect tool
is used instead of authconfig

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e442464509049240bdb05a8bae09ce1291ca6b86">e4424645</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T14:01:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a

Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8fe5f8d2e73c5ada6f9f8149d1410c7e26acacf5">8fe5f8d2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-04-27T14:01:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: adapt config-client-for-smart-card-auth to authselect

ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/00a8d00ea9f3ac2ce595670f2791b9b6bf20f5e4">00a8d00e</a></strong>
<div>
<span>by Varun Mylaraiah</span>
<i>at 2018-04-27T14:08:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Extend netgroup tests with more scenarios

Extended webui group automation test with below scenarios
Scenarios
 *add netgroup with invalid names
 *add and delete records in various scenarios
 *verify button's action in various scenarios.

https://pagure.io/freeipa/issue/7505

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16a76ad9713afb6b906c7534a5af246b10a3d49">e16a76ad</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T14:19:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: extend test_user suite

Extend WebUI test_user suite with the following test cases:

test_add_user_special
test_user_misc
test_ssh_keys
test_add_delete_undo_reset
test_disable_delete_admin
test_login_without_username

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e43cfaeb5259af20209f986e69769dd6a15b31d9">e43cfaeb</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T14:19:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_driver: extension and modifications related to test_user

In this patch we tune login() in order to test login without
username.

Then we add edit_multivalued and undo_multivalued to test "undo"
and "reset" buttons.

Also there is a new boolean "negative" in mod_record() to switch
button assertion.

Later ssh_key methods were fine-tuned a little to add more keys,
delete all of them and to extend their usage to hosts and id views.

Lastly new method assert_value_checked() was introduced to assert
whether a particular record is checked.

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/61dc15e5ef7cb70f6653d15dc5779c29b88a6348">61dc15e5</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-04-27T14:19:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: introduce new test_misc cases file

By this commit we introduce new test_misc cases file to
test various miscellaneous cases that do not fit to other suites.

In this cases that "version" is present in profile`s "about".

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/51b9a82f7cb251ef4ca6e4fa15cac22f7ef1b4e3">51b9a82f</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2018-04-27T18:06:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding test-cases for ipa-cacert-manage

Scenario1:      Setup external CA1 and install ipa-server with CA1.
                Setup exteranal CA2 and renew ipa-server with CA2.
                Get information to compare CA change for ca1 and CA2
                it should show different Issuer between install
                and renewal.

Scenario2:      Renew CA Cert on Replica using ipa-cacert-manage
                verify that replica is caRenewalMaster

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2d6d768d1aaa958ae77b5941a4f268e12894c226">2d6d768d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-04-28T08:44:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">idoverrideuser-add: allow adding ssh key in web ui

CLI already allows to pass public SSH key when creating an ID override
for a user. Web UI allows to add public SSH keys after the ID override
was created.

Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.

Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3d30cf6034cacceb978ae3bcf918900bcbdece1f">3d30cf60</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-28T09:06:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update project metadata in ipasetup.py.in

Point mailing list to lists.fedorahosted.org
Use HTTPS for all URLs
Drop Solaris and Unix from platforms

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6856a9f46cf7418b4188dbc27bc8c20841739542">6856a9f4</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-04-28T09:07:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Log service start/stop/restart message

It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.

https://pagure.io/freeipa/issue/7436

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/792adebfabb456d154164387fb7e60acb30f4325">792adebf</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-04-28T16:35:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable SPAKE support using krb5.conf.d snippet

Because krb5 silently ignores unrecognized options, this is safe on
all versions.  It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.

Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/73c3495db2dc1df38407aa7b49fed2f222e85bbe">73c3495d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-28T16:35:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use shutil to copy file

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/d5e5bd501c8ed8df72562a9acdef922eaa00206e">d5e5bd50</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-04-30T11:04:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add absolute_import to test_authselect

This is to keep backward compatibility with Python 2

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/3c66e388dea5d272735dfea53a4329000e90b3c8">3c66e388</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T14:13:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Compatibility with pytest 3.4

The nose_compat plugin uses internal pytest APIs to suspend and resume
the capture manager. In pytest 3.4, the internal APIs have changed and a
public API was added.

The fix is required to run integration tests under Fedora 28.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a4418963ce2fcb56712fce157d877003833fccc5">a4418963</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T19:39:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove contrib/nssciphersuite

The directory contained a script to generate mod_nss configuration
snippet. Since FreeIPA moved to mod_ssl, it is no longer of use.

Fixes: https://pagure.io/freeipa/issue/5673
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c925b44f4348baf674fa8637be21ba0addfe2487">c925b44f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-04-30T20:42:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Load certificate files as binary data

In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/6659392a0a5064b25f8d0b5a2fe805a172b7e586">6659392a</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2018-05-02T11:15:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: fix reported external CA configuration

The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.

Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.

The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2.  This could confuse the administrator.  Fix
the message.

Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/0653d2a17e67a32c9adcca8145afa231f228b855">0653d2a1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T11:18:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Validate the Directory Manager password before starting restore

The password was only indirectly validated when trying to
disable replication agreements for the restoration.

https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ae6c8d2c7a65a85fe64a45b9430a91f9ab97e1d7">ae6c8d2c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T14:12:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle whitespace, add separator to regex in set_directive_lines

We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.

For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e16e5cd0a67012feb8ea4bdf316dbce943c56cc2">e16e5cd0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-02T14:12:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use a regex in installutils.get_directive instead of line splitting

This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5929d5d87255a6d8a00a35c4dd4ad2f75b022cac">5929d5d8</a></strong>
<div>
<span>by Tibor Dudlák</span>
<i>at 2018-05-02T16:44:54-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use temporary pid file for chronyd -q task

chrony is causing an SELinux denial because of chronyd
was not spawned using systemd and the command creates
a pidfile for unconfined proccess in /var/run with SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on chronyd pidfile.
chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/606af69bbd0f0c24c5f52a20041cec147e9cd3f9">606af69b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-03T08:36:51+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make ipatests' create_external_ca a script

The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ce3819c3b7fdb511b7e4c38a365629a187d65f75">ce3819c3</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2018-05-03T10:18:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move krb5 snippet into freeipa-client-common

Also move /usr/share/ipa into freeipa-common by necessity.

https://pagure.io/freeipa/issue/7524

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1c1089c44df34c04d5ba4572191a49962e859a92">1c1089c4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-03T14:25:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client package needs sssd-tool

Commit ccec8c6c4193a204428b7ba0f93dac6f0eb26020 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.

See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/63a5feb19f60e46d3ba22ea2d3231eff88002f2a">63a5feb1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-03T16:39:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">authselect test: skip test if authselect is not available

Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/aa64ef03a04b6e2509924a9f968724232123be3a">aa64ef03</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2018-05-03T16:39:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">authselect migration: use stable interface to query current config

The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir

It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/1adc941d1f1caeffa8cf490783b7819298e828ce">1adc941d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-03T16:44:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">group-del: add a warning to logs when password policy could not be removed

When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.

This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.

Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.

Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/648d7c0d38ef99196531e94cd9803c630e7fb05c">648d7c0d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-03T17:34:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Disable message about log in ipa-backup if IPA is not configured

Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.

For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.

In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.

https://pagure.io/freeipa/issue/6843

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/880d9b413477c308eca830818b736164f6b06409">880d9b41</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-04T12:03:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require nss with fix for nickname bug

nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. A nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different name.

Partly revert commit ad2eb3d09b8336008d7f04c3d134c707530d9eb6 with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/573f13228da7d711d3b22fa7f78f4a78e199288b">573f1322</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-04T16:08:47-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix certificate retrieval in ipa-replica-prepare for DL0

The NSSDatabase object doesn't know the format of an NSS database
until the database is created so an explcit call to nssdb.create_db.

https://pagure.io/freeipa/issue/7469

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/c17ba11cbae8ffcd852371c21dd0142932861564">c17ba11c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T16:21:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require Dogtag 10.6.1

Dogtag 10.6.1 contains fixes for external CA support.

See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/5e4da703245870bed22162cc41236c4261cc65e7">5e4da703</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T16:21:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only run subset of external CA tests

All tests are taking over an hour to execute, which is too long for
PR-CI.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/49b4a057f1b0459331bcec2c8d760627d00e4571">49b4a057</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T16:22:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create missing /etc/httpd/alias for ipasession.key

The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.

Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.

See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/2a58fe6a3231f070dc979ab64a1deb10b8f085fd">2a58fe6a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2018-05-07T16:23:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Validate the Directory Manager password"

This reverts commit 0653d2a17e67a32c9adcca8145afa231f228b855. The commit
broke full ipa-restore.

See: https://pagure.io/freeipa/issue/7469
See: https://pagure.io/freeipa/issue/7535
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/9e8fb94e87339b9908ec05fe5274ca51df3a82cf">9e8fb94e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-08T16:39:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">service: allow creating services without a host to manage them

Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/e64286571739d27822b118c780fbb8825038ae1c">e6428657</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2018-05-08T16:39:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">group: allow services as members of groups

Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/392f44a38a7e97242cfd2145592fbf6038191d09">392f44a3</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-10T10:03:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/a885f07d1388deb7c126e7f01b6c0db0085ccaf8">a885f07d</a></strong>
<div>
<span>by Stanislav Laznicka</span>
<i>at 2018-05-10T10:05:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8a8b641c722ad5ca6ef466605f95e98b27551291">8a8b641c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-05-10T16:52:42-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs

This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/23c23a3cc17288b1fdacc73cca316fd427bcc517">23c23a3c</a></strong>
<div>
<span>by Felipe Barreto</span>
<i>at 2018-05-10T16:52:42-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixing tests on TestReplicaManageDel

This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0

Given that domain level 0 doest not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order to ipa-replica-install succeed.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/ef3f0851f43e733c489a704ca973ba133c6532d4">ef3f0851</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-15T12:56:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: checkbox click fix

We check a box with clicking on label by default however sometimes
when a label is too short (1-2 letters) we are hitting an issue
that the checkbox obscures the label.

https://pagure.io/freeipa/issue/7547

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/897f1cda930d33d32137de3d9a9742336be6531e">897f1cda</a></strong>
<div>
<span>by Michal Reznik</span>
<i>at 2018-05-15T12:57:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ui_tests: improve "field_validation" method

Often when trying to check e.g. required field we pass the
method another element as parent in order to narrow down a scope
for validation. This way we can just pass "field" name to make the
process easier.

https://pagure.io/freeipa/issue/7546

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/8328a555ae5d6e9e0da2b297fbae0065185cd24e">8328a555</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-15T14:13:35-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update 4.7 translations

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/7c5ee4e8fc19e5f5ac4076430d571cd60c51fb12">7c5ee4e8</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-05-15T14:15:34-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server-del do not return early if CA renewal master cannot be changed

Early return prevented adding last warning message in the method:
   "Ignoring these warnings and proceeding with removal"

And thus `check_master_removal` in `test_server_del` did not work.

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/60e992ca569543b7cf74366a7feece71f62f2db3">60e992ca</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2018-05-15T14:15:34-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix test_server_del::TestLastServices

The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.

Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
  DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/commit/021b2f6e97fcb4e7390d871faaa28a9d6ab8bfe5">021b2f6e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2018-05-15T14:56:52-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.6.90.pre2
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#5d64d06edc9d8bbe57163be94e8577297e96e47f">
.freeipa-pr-ci.yaml
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#2264b8029063cc2836d645cad992338ae884132a">
contrib/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#7f991cf2882b1a540658c02435a0aa3032022295">
<span class="deleted-file">

contrib/nssciphersuite/README.txt
</span>
</a>
</li>
<li class="file-stats">
<a href="#190262f0f94510e6b1789b0a83672b50a4a9b384">
<span class="deleted-file">

contrib/nssciphersuite/nssciphersuite.py
</span>
</a>
</li>
<li class="file-stats">
<a href="#d2405484cd3ed94b45ccfa86969ad8a4a80ed2b5">
daemons/ipa-slapi-plugins/topology/topology_post.c
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#f65573ff5be51cdf0ba01f77379990ecbce2de29">
install/migration/migration.py
</a>
</li>
<li class="file-stats">
<a href="#caf04c57303b16d460d27dfe013cc85ba80217f6">
install/share/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#3ee495d8d95c1cc6d5d9ac87e3cd38f631cb3465">
<span class="new-file">
+
install/share/freeipa.template
</span>
</a>
</li>
<li class="file-stats">
<a href="#7b70ec45f77a880998e5e48b9b8ad92f62a3f6e8">
install/share/kdc.conf.template
</a>
</li>
<li class="file-stats">
<a href="#eeca3fe50a55cb2fe36384b3a25b98d9b0d1da60">
install/share/wsgi.py
</a>
</li>
<li class="file-stats">
<a href="#d202fb41dcd026d5c1a9c9de514e537d12bc602c">
install/tools/ipa-ca-install
</a>
</li>
<li class="file-stats">
<a href="#fce7b66ec8f6835c062f73c9ed93edc16d26e987">
install/tools/man/ipa-backup.1
</a>
</li>
<li class="file-stats">
<a href="#21a342d8b6a319303bdf4da395e40fb68a53b40d">
install/ui/src/freeipa/group.js
</a>
</li>
<li class="file-stats">
<a href="#abb9580cadb31ba65271ff890361ec0f1547ebda">
install/ui/src/freeipa/host.js
</a>
</li>
<li class="file-stats">
<a href="#a16a32996c22b1f697aea283a3456149cb388324">
install/ui/src/freeipa/idviews.js
</a>
</li>
<li class="file-stats">
<a href="#43148309a36649ea3fc8aff0046ca0de9b1aa9a6">
install/ui/src/freeipa/service.js
</a>
</li>
<li class="file-stats">
<a href="#9c80ab12bb5de37eb3304d5fba90b3eaa589c9a8">
install/ui/src/freeipa/user.js
</a>
</li>
<li class="file-stats">
<a href="#943f39bd54bf059d04a61dfaba5a008854266469">
install/updates/20-aci.update
</a>
</li>
<li class="file-stats">
<a href="#016985d27494eff4f97c529ee116b9f235b86f0e">
install/wsgi/plugins.py
</a>
</li>
<li class="file-stats">
<a href="#2c07d7e935c11cc3b09a9fbf86c026b70a74c99d">
ipaclient/csrgen.py
</a>
</li>
<li class="file-stats">
<a href="#45899710d9d53cb5e992af804a8ef5e23dc22d7b">
ipaclient/csrgen_ffi.py
</a>
</li>
<li class="file-stats">
<a href="#b45fae25573119cb28af94564fae7ce054efd2a5">
ipaclient/install/client.py
</a>
</li>
<li class="file-stats">
<a href="#84c37fce66a206ab3d2509cfd3a47d53320d9bac">
ipaclient/install/ipa_certupdate.py
</a>
</li>
<li class="file-stats">
<a href="#72db2d296c0996ac97b741e2880a15cbf17bfe3f">
ipaclient/install/ipa_client_install.py
</a>
</li>
<li class="file-stats">
<a href="#16ed1bcaaf128d50ceb50bc29d7037431b8be595">
ipaclient/install/ipadiscovery.py
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/compare/1b320ac3e7ab763d932512f2c497288711bc09e8...021b2f6e97fcb4e7390d871faaa28a9d6ab8bfe5">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.

</p>
</div>
</body>
</html>