<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch master
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/57034ce28bb4e1287f9db467347815ab5f6ef938">57034ce2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-06-10T22:30:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">VERSION: back to git snapshots
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f19fda0d1fbd4431b0bd704f5c242e499e66e98">7f19fda0</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-11T21:18:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix the disable_dnssec_validation method
Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf
When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.
This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.
Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/77fae8c48bbe0f4499f4d8ed91b268568c64cd7c">77fae8c4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-11T21:03:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necesary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32c4df70e36a0aeafc12e2ade85ee9c915774c44">32c4df70</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-13T13:27:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).
Add a check enforcing the options are mutually exclusive.
Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0e325bd0c01eecc6d48b10f9b7f654b16068a522">0e325bd0</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-13T13:27:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file
The options *-cert-file are used for a CA-less replica installation and
are mutually exclusive with --setup-ca.
Add a test for this use case.
Related: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/930f4b3d1dc03f9e365b007b027d65e146a08f05">930f4b3d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-15T22:15:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.
root principal alias
-------------------
The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
Notes
-----
Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.
Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.
Misc changes
------------
Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.
Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/71b8ecde882cba4882e41a529b50736f69500395">71b8ecde</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-06-15T22:27:40+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.8.8
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ca6129ffdcbe4c794aee669c96a96d2e59134d4">7ca6129f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-06-15T22:28:02+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Get back to git snapshots
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/691b3cddb275821630f443f22706fa75e7c7a5c8">691b3cdd</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2020-06-16T19:02:31-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34b4d9bce56f62121e1e0ef0bf57cd1724aefe82">34b4d9bc</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-06-16T19:03:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test ipa user login with wrong password
When ipa user login to machine using wrong password, it
should log proper message in /var/log/secure
related: SSSD/sssd#5139
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40804b5e06151fb0e73def2b9a6b706063205723">40804b5e</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-06-16T19:03:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Xfail test for sssd < 2.3.0
This fix is available in sssd 2.3.0+. On older version
test will fail. Hence added xfail.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3f89bd2ca704dfe4ec80dc8bbc340bdf8153bf18">3f89bd2c</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-06-17T07:58:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump prci templates
New images were necessary to include updated `selinux-policy` package.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60a58eac02ed2c0741fbce3c1fb3acceef61fdbc">60a58eac</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-17T10:08:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix cert-find errors in CA-less deployment
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments. Do not execute the CA sub-search on CA-less
deployments.
Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a090b429fda35c5a9c3cfb672ab42a5985d00ff9">a090b429</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2020-06-17T10:10:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/351f3061514cb80faf644f4a067e5a596b087d7e">351f3061</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-18T14:41:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Build ipa-selinux package on RHEL 8
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6de941ce2c04c9ed6c8c33ed01c93fd6baa2fc5f">6de941ce</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-06-19T08:37:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">.mailmap: add fcami
Add myself to .mailmap.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/128500198d3782a76616cf1d971d5aeb17e8c1da">12850019</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-23T11:21:27+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to a
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5cefc6df114b162f3cd33622e87ba5a88dc03f0e">5cefc6df</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-23T10:18:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use old uglifyjs on RHEL 8
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.
See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/be48983558a560dadad410a70a4a1684565ed481">be489835</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-23T10:21:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1e804bf19da4ee274e735fd49452d4df5d73a002">1e804bf1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-23T10:21:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b317222d515e51504b4c8342008f2981b508c82a">b317222d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-23T14:52:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"
As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).
There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.
Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3ea611c98b1e01c54e5ce6c64fe108b140631722">3ea611c9</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-23T14:52:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client install: fix broken sshd config
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.
Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c3bf183634cb5615528daa88339e834e5400530">2c3bf183</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-06-23T15:06:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: move OTP to be the last field in the PW reset form
Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/82475aab31a5f8e06360d43b4e3d5e1aa2daf0fb">82475aab</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-06-23T15:06:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: reword OTP info message displayed during PW reset
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.
Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0320de78571bb75ed17cd31727f7b25360941f67">0320de78</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-06-23T15:06:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Unify spelling of "One-Time Password"
Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7473bd11f04f46f2d91068ec3ba4130386d6fc0a">7473bd11</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-06-24T18:28:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RHEL 8.3 has KRB5 1.18 with KDB 8.0
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/73df4e1bf83ecb209a580c79e73170ccd7cc1106">73df4e1b</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-06-24T18:31:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario
Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2e8cd60bc1918508e79dbec84f5854aea749db11">2e8cd60b</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-06-24T18:31:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Modified YAML to include healthcheck IPA-AD trust scenario
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c7f54d1ffbddbfabd4f4547edeeb38a24152518">8c7f54d1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-24T18:34:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Unify spelling of "One-Time Password" (take 2)
The previous fix for the spelling of "One-Time Password"
missed a few lines.
Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/437fc60639bedbac2e5af85244962f60f374961a">437fc606</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-06-25T10:42:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix the method adding ifp to sssd.conf
The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.
Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.
Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a">23e2935e</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-06-25T17:53:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">EPN: ship the configuration file.
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3b43950d35f78b28d4edde4fda475b5aa84f4587">3b43950d</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-06-25T17:53:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man pages: fix epn.conf.5 and ipa-epn.1 formatting
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2648c218467792e907435eaa5267a0f3457f634f">2648c218</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-06-25T17:53:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check that EPN's configuration file is installed.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06accac8906f66ebbb31849d6528b39ae006b124">06accac8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-06-25T17:53:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5820573dc7932213ee74dc883239e2cecc8fb2eb">5820573d</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-06-26T16:48:36-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump prci templates
Remove all freeipa-* packages from template:
https://github.com/freeipa/freeipa-pr-ci/commit/bdd98c3b9dba2ce563535d0c91dad38b532441e8
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ffe7f7b35907f9adab004ce63ce78f67fbd7aed8">ffe7f7b3</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-06-29T12:12:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7bfe6b261fa03ecc05d9f75ef24175f588d45e16">7bfe6b26</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-06-30T13:41:36+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Define errors_by_code in ipalib.errors
The errors_by_code mapping could be used in more places. In
particular it will be useful in the Dogtag GSS-API authentication
effort. Move to ipalib.errors.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/494838e822dfd681e640cee0e140a224b8e67104">494838e8</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-06-30T11:49:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test that trusted AD users should not lose their AD domains.
When AD user is added customized idview and UID, GID
is overriden. Then SSSD should not fail to retrieve
AD domain details.
Related: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/022cd49ef5f9043df805e19ed094dc4eebd615a5">022cd49e</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-06-30T11:49:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/766a80c14165e7eca99a44785f00f4b296e4cf62">766a80c1</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-01T14:57:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: increase test_caless_TestReplicaInstall timeout
test_caless_TestReplicaInstall timeout seems too short.
Extend it.
Fixes: https://pagure.io/freeipa/issue/8377
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f76c56c6072418c78f138678b1c4dd917fea6ee1">f76c56c6</a></strong>
<div>
<span>by Zdenek Pytela</span>
<i>at 2020-07-03T14:17:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c72ef1ed965aca79da4576d9579dec5459e14b99">c72ef1ed</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-03T14:17:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/388e793d5c47befbea01c48cdd679c99348ccc85">388e793d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-03T14:17:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump requires for selinux-policy
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c5abea2341b9e478625ea5a46c346550bc648a01">c5abea23</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-03T14:26:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: display SSSD kdcinfo in test_adtrust_install.py
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
krb5_strace shows that this happens when kinit changes servers
between password change and TGT requests.
Display SSSD's kdcinfo to see if kinit should be pinned to one
server.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42dd1628a1211363c860917e474ecc5b9c1fdb84">42dd1628</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-07-06T12:32:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: allow oddjobd to set up ipa_helper_t context for execution
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.
Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.
Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0d70addbbf2a99e7398a518bc98d5fe109469bb5">0d70addb</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-07-06T12:32:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: support running ipa-custodia with PrivateTmp=yes
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2afe21b884e330018281980004e8175c2f9a3624">2afe21b8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-06T16:56:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove dnf workaround from test_epn.py
73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.
Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42ad338c070096dbcab7facb70e57ba6ea63535e">42ad338c</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-07-06T19:09:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix rendering of boolean_status_formatter
With commit "WebUI: Apply jQuery patch to fix htmlPrefilter issue" (bc9f3e0557)
jQuery's handling of self-closing elements.
DOM before the above mentioned commit:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
and after:
<div name="nsaccountlock"><i class="fa fa-check"> Enabled</i></div>
Explicitly closing the <i> element fixes the issue:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
Fixes: https://pagure.io/freeipa/issue/8396
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d13a33da6d472ed61ea0aaa9d050a8d5638beae5">d13a33da</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-07-07T12:11:08+10:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf
A failed ipa-ca-install left my installation in an inconsistent
state. Then, 'ipa-server-install --uninstall' also failed when
is_crlgen_enabled() tried to read ipa-pki-proxy.conf, which was
missing.
Update is_crlgen_enabled() to handle missing ipa-pki-proxy.conf, by
raising InconsistentCRLGenConfigException instead of RuntimeError.
As a result, missing ipa-pki-proxy.conf is handled gracefully
because the calling code already catches
InconsistentCRLGenConfigException.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cb5c094ba260d903fc02cfbe156cc9ef3c16c765">cb5c094b</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-07-07T14:12:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests : Test to verify override_gid works with subdomain.
When override_gid is set in sssd.conf in IPA domain section
Then it should also work for subdomain.
Related: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/460fea3cc1ca9524acd22616b55a939564e0a973">460fea3c</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-07-07T14:12:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/068646f0b5379527d0f91efeecdf6d9f0a35811d">068646f0</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-07-07T14:12:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn
As tests was failing <= fedora31
Thus removed certmap-rule in cleanup as
subdomain lookup fails when certmaprule contains DN.
Related: https://pagure.io/SSSD/sssd/issue/3721
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e334415fc5c579f9faa1649b4f8e5ba0db0c7429">e334415f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-07T10:10:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add __signature__ to plugins
Auto-generate inspect.Signature from plugin arguments and options. The
signature is used by (amongst others) pydoc / help.
```
$ ipa console
>>> help(api.Command.group_add)
Help on group_add in module ipaserver.plugins.group object:
class group_add(ipaserver.plugins.baseldap.LDAPCreate)
| group_add(cn: str, *, description: str = None, gidnumber: int = None, setattr: List[str] = None, addattr: List[str] = None, nonposix: bool, external: bool, all: bool, raw: bool, version: str = None, no_members: bool) -> Dict[str, Any]
```
Fixes: https://pagure.io/freeipa/issue/8388
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c21d3cf001c886889c06facafc44f1f9230203c7">c21d3cf0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-07T10:10:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make tab completion in console more useful
tab completion and dir() now show registered plugins in API name spaces.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ded9e2573a00c388533f2a09365c499a4e2961e">9ded9e25</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-08T12:49:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/72d70fa27f61367a5fbc81b171b125ecf85d8fd8">72d70fa2</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-07-09T14:02:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certupdate: only add LWCA tracking requests on CA servers
ipa-certupdate throws an exception when executed on a non-CA server
in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that
we are on a CA server before attempting to create Certmonger
tracking requests for LWCAs.
HOW TO TEST
1. Install first server (with CA)
2. Install replica without CA
3. Create sub-CA (`ipa ca-add`)
4. Run `ipa-certupdate` on replica. Observe that no stack trace is
produced.
Fixes: https://pagure.io/freeipa/issue/8399
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/668fdc63e3e886208dca8bdc5a68a20972150985">668fdc63</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-09T15:51:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sshd template must be part of client package
The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.
Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/92ef9d1706c331b674eced04a3485de24c200998">92ef9d17</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-07-09T14:23:54-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Populate nshardwareplatform and nsosversion during join operation
Fixes: https://pagure.io/freeipa/issue/8370
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5c44e2338ce8c49d5192d7dbd60c3833cfdc9836">5c44e233</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-07-10T10:11:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump pr-ci templates
New template images for ci-ipa-4-8-f32 and ci-ipa-4-8-f31 with updated
packages.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aa54002ce4fa4fb8d133e0367022b2bc7576b8a7">aa54002c</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-07-13T15:12:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump pr-ci templates
New template images for ci-ipa-4-8-f32 and ci-ipa-4-8-f31 to include
latest certmonger package (`certmonger-0.79.11-2`).
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b8da1b7c7cd5686240b9c8e8c7e41fe9c604c57">4b8da1b7</a></strong>
<div>
<span>by Jeremy Frasier</span>
<i>at 2020-07-14T17:14:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replica: Ensure the ipaapi user is allowed to access ifp on replicas
ipa-server-install executes ipa-client-install with the --on-master
flag set, which causes the ipaclient.install.client.sssd_enable_ifp()
function to be called. This function configures sssd so that the
ipaapi user is allowed to access ifp. Any FreeIPA replica should also
have sssd configured like this, but in that case we cannot simply pass
the --on-master flag to ipa-client-install because it has other side
effects. The solution is to call the
ipaclient.install.client.sssd_enable_ifp() function from inside the
ipaserver.install.server.replicainstall.promote_sssd() function.
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6de4b0fb85d9e2c51c60bc921cf6ee078ca1c219">6de4b0fb</a></strong>
<div>
<span>by Jeremy Frasier</span>
<i>at 2020-07-14T17:14:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d83b760d1f76a3ba8e527dd27551e51a600b22c0">d83b760d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-15T16:54:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add missing SELinux rule for ipa-custodia.sock
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/07d1b9d33b9515047dcd41f569a3dcf0b183260e">07d1b9d3</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-07-15T13:37:09-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Tests to check profile is displayed for getcert request.
test_getcert_list_profile
This test checks that the cert request generated using
getcert utility which is placed in /var/lib/certmonger/requests
directory displays profile name and issuer fields
test_getcert_list_profile_using_subca
This test checks that the cert request generated with -X as
subca and -T <profilename> displays correct profilename
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9281133c7c0d1bb3696fba036b5f79fb8e75828f">9281133c</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2020-07-15T13:38:03-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_epn: Fix package installation
EPN functionality is provided as separate package
freeipa-client-epn, but it is not installed during setup. This resolves
this behaviour.
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8318b2b37c821f90637e8b08fbaf6320f6f1f477">8318b2b3</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2020-07-15T13:44:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_epn: test_EPN_config_file: Package name fix
Fix package name to respect different conventions in particular streams.
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/abfe4bfe459ff4f7329d0b0ec674a8cb9c7d99cc">abfe4bfe</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-20T08:33:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Teach pylint how dnspython 2.x works
pylint does not understand pylint's
globals().update(RdataType.__members__) trick.
Fixes: https://pagure.io/freeipa/issue/8419
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab36d79adc3a061e34eeb528ac0ad2d35b417731">ab36d79a</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-07-21T14:39:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test for ipa-nis-manage CLI tool.
The testcases added check the various options of ipa-nis-manage CLI
tool as below
1. ipa-nis-mange enable
2. ipa-nis-manage disable
3. Enabling NIS pluging with invalid admin password
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f205b8946d071cb2d0e11977dfc1b5dc6d5e312">7f205b89</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-07-21T14:41:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Increase timeout value in test_getcert_list_profile_using_subca
test_getcert_list_profile_using_subca test had a timeout value of 50
waiting for the cert to be in MONITORING state, this has now been
replaced with 300, since the certmonger request was in state SUBMITTING
instead of MONITORING causing the test to fail.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a52aa06e1a6220c18a3b4c8f51f1b2efb3596bfa">a52aa06e</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-07-24T14:10:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed
This testcase checks that ERROR message is displayed
by IPACAChainExpirationCheck when ipa ca crt file is renamed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/020905338423f0539f79f61772f117764ef88717">02090533</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-24T14:11:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: xfail TestIpaClientAutomountFileRestore's final test
Due to a change in authselect, rolling back the installation
does not produce the same nsswitch.conf as on a clean install.
Mark the test xfail until ipa-client-install is enhanced to
use authselect profile backup/restore.
Related: https://pagure.io/freeipa/issue/8189
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/819bcacb81f942ac31691638beb64f77c0e74a40">819bcacb</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-28T09:00:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix TestUnprivilegedUserPermissions
A new test has been added to TestUnprivilegedUserPermissions that
duplicates the steps done in the precedent test. As the tests
are usually run sequentially, no need to duplicate.
Fixes: https://pagure.io/freeipa/issue/8413
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3c53c7036a8a214eeb93c241d730d5c737950cd1">3c53c703</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-28T09:00:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix TestReplicaPromotionLevel1
A new test was added to TestReplicaPromotionLevel1 but was run
after the replica uninstallation. As the new test checks
the content of /etc/sssd/sssd.conf on the replica, merge it with the
previous test, when the replica is still installed.
Fixes: https://pagure.io/freeipa/issue/8414
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cc06361907c8fdb986a581eb3e20abf8a7c1c476">cc063619</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-29T06:09:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add fips-mode-setup to ipaplatform.paths to determine FIPS status
This will be used by freeipa-healthcheck to report FIPS config
status. It is added here to avoid duplicating platform independence
in a sister project.
https://pagure.io/freeipa/issue/8429
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1502cb47df39f58082967012d4f9e227d6971652">1502cb47</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-07-29T17:11:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix issue with opening links in new tab/window
- fix table item links reference
- fix global menu links reference
- fix API browser side panel links
- fix tab links reference
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9e3e40f6910d34aaabadeb4a4e1f30d83a29a5d">a9e3e40f</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-07-29T17:11:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Change navigation tests to find menu items using data-name instead of href
Since menu pseudo-links was replaced with real one, navigation tests must be changed to not use href
for searching items.
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/59ad3ae4227fa20f0cd0e76b446bb4cfdc08debf">59ad3ae4</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-29T17:17:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: re-enable test_sss_ssh_authorizedkeys
Re-enable test_sss_ssh_authorizedkeys.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cf6877a4864cebc15833b1b6638dcd53cc643712">cf6877a4</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-29T17:17:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_sss_ssh_authorizedkeys
Add debug information to the ssh invocation.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/64ef1a8e727689cd434888ba555a003934986d13">64ef1a8e</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-29T17:22:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_commands: test_login_wrong_password: look farther in time
Sometimes test_login_wrong_password fails because the log window the
string message is searched in is too narrow.
Broaden the window by looking at the past 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8432
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/66216e908546b45974a4fbf81804b8184d603b78">66216e90</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-07-30T10:52:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Don't turn Pytest IPA deprecation warnings into errors
With new Pytest 6.0 [0]:
> PytestDeprecationWarning are now errors by default.
Following our plan to remove deprecated features with as little disruption as
possible, all warnings of type PytestDeprecationWarning now generate errors
instead of warning messages.
PytestWarnings are no longer marked as the part of public API, but as
internal warnings. It's unsafe to use bare PytestDeprecationWarning,
which is turned into the error on major releases.
[0]: https://github.com/pytest-dev/pytest/releases/tag/6.0.0
Fixes: https://pagure.io/freeipa/issue/8435
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/66a5a0efd538e31a190ca6ecb775bc1dfc4ee232">66a5a0ef</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-30T13:00:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace SSLCertVerificationError with CertificateError for py36
This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/90ae22b8e54fc6108e39ad93f26035446ab728f1">90ae22b8</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-30T13:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow to override ipaplatform with env var
The ipaplatform provider module can now be overriden by setting
IPAPLATFORM_OVERRIDE environment variable.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/61807788f40c2596686b79f4bbd4e0e766e995dd">61807788</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-30T13:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add ipaplatform for Fedora and RHEL container
Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c3bf50b1b2611f0dfea699ae7ba134c2857187d9">c3bf50b1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-30T13:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Write state dir to smb.conf
smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/305deb450c564e561b5facafee8ed6966de7bc83">305deb45</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-30T13:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Explicitly pass keytab to ipa-join
ipa-join defaults to /etc/krb5.keytab. Use ``-k paths.KRB5_KEYTAB`` to
write the keytab to /data share in containers.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c68d14b6be858523c06939c2e7f4f4e3de3221de">c68d14b6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-07-30T13:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Convert ipa-httpd-pwdreader into Python script
and use paths from ipaplatform.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06b33007a733861a4e262e001af0a3f10b7061b8">06b33007</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-07-30T15:53:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert
This test modifies the trust attribute of Server-Cert
and checks that healthcheck tool reports correct status
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca880cfb117fc870a6e2710b9e31b2f67d5651e1">ca880cfb</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-30T15:54:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: use the authselect backup during uninstall
When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.
Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.
Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3eaab97e317584bc47d4a27a607267ed90df7ff7">3eaab97e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-30T15:54:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove the xfail for test_nfs.py
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4baf6b292f28481ece483bb8ecbd6a0807d9d45a">4baf6b29</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-07-30T15:54:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix test_authselect
Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.
Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/034526a4bd6a9547cd394d19e5275d24f7f00362">034526a4</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tasks: add run_ssh_cmd
Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/326ddff25e8c45da5ae708e036bfa6315d449672">326ddff2</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_key_connection to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/26e58031d1f0c63f6e62a59c52d1da80a85ce9bd">26e58031</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/262a7121046132fbb7bb101ecf7d595814757819">262a7121</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_commands: test_ssh_from_controller: refactor
test_ssh_from_controller does not use methods provided by tasks.py.
Refactor using those methods.
Related: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee57dd230191be40a39ef9677b308dee35fa183e">ee57dd23</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_from_controller to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/17759ec76aeac450ce9c85704b68100df75c8af5">17759ec7</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_login_wrong_password to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/027d0bbe1c0bafc326815b6ecc224a8f8fc5bd55">027d0bbe</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate run_cmd_on_ui_host to the OpenSSH CLI SSH(1) using
tasks.py's run_ssh_cmd.
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b0d4db548cfa14fbc596a40e742db96cd9ec00bb">b0d4db54</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-07-30T18:02:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate test_2fa_enable_single_prompt to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Also add a warning when test_2fa_disable_single_prompt is executed in FIPS mode.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d3e8a4eabd8112954e7c6bfe9024595b02aee6a">3d3e8a4e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-30T18:09:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test cases for healthcheck File checker(s)
These check for modified file ownership (user and group) and
too permissive and restrictive permissions across the three
types of files checked by the healthcheck FileCheck.
This replaces an existing test for TomcatFileCheck which adds
more functionality and consolidates all file checks together.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f6c460aee8542d4d81cd9970d71051c240156973">f6c460ae</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-07-30T18:10:31+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix error "unknown command 'idoverrideuser_add_member'"
There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
as a result a wrong command was sent to the server.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e35739b7e9f6bb016b37abbd92bdaee71a59a288">e35739b7</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-07-30T18:10:31+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Add test case to cover user ID override feature
The test case includes adding an user ID override to Default Trust View
and adding the ID override to some IPA group.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40fe3542054a8543f8ba1f2ec469ef2e44fcd576">40fe3542</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-30T17:24:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test that healthcheck detects and reports expiration
Set the date forward to while the certificates are still valid and
run healthcheck to confirm that an appropriate warning is made.
This validates two separate checks, one that relies on certmonger
to report expiration and one that relies on the data on disk to
determine expiration in case certmonger is out-of-date for some
reason (belt and suspenders).
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bdd0c4a7fc589124fa588288bed2c6982e6479e8">bdd0c4a7</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-31T09:11:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: verify that all services can be detected by healthcheck
Add fixture to handle restarting services so that if something
goes wrong in the test the service(s) will all be restarted
so that subsequent tests can pass. Services are restarted in
reverse order.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/81949c2dda7abb768c0dc23c885f45591d6b787f">81949c2d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-31T09:13:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add healthcheck test for FileSystemSpaceCheck
Create a large file in one of the checked filesystems beyond
the allowed threshold and ensure that both the minimum space
and minimum percent errors are reported.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d0cdae4836418272d69e572f0327a66a6fd81b35">d0cdae48</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-31T17:40:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: lib389 is now providing healthchecks, update naming
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e91c7bcd76cd41e6dd82bb5571a8299d4ccf67ee">e91c7bcd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-07-31T17:40:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Use healthcheck namespacing in stopped server test
The test_run_with_stopped_master() test runs ipactl stop
and then verifies that all the errors relate to the services
not being available. The newly integrated PKI tests also
report errors in this case.
Use the namespacing introduced in freeipa-healthcheck-0.6
to limit the execution to the ipahealthcheck.meta checks
to avoid the spurious PKI errors.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/81c955e561dd42ab70a39bf636c90e82a9d7d899">81c955e5</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-04T09:56:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/295dd4235f693b7b4b4270b46a28cb6e7b3d00b4">295dd423</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-04T09:56:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check KDC cert permissions in CA less install
The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.
Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/55144ab6a18f275ec1472313755e2d07b71bee03">55144ab6</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-04T10:06:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: increase test_trust timeout
The integration test test_trust is often failing on timeout.
Add 30 minutes to increase the chances of completion.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0a83d8201a8a7ca56c6173fb643733b350ef5b9b">0a83d820</a></strong>
<div>
<span>by Mark Reynolds</span>
<i>at 2020-08-04T14:39:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Issue 8407 - Support changelog integration into main database
Description: Add support for both the old and new replication changelogs.
First try to get and update the new entry, if it's not found
then we know we need to update the old global changelog entry.
Fixes: https://pagure.io/freeipa/issue/8407
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Fix missing self, and missing arg
Fix copy/paste error
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2fa03c5f583dad5f654669eb59255b0fc2991837">2fa03c5f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-04T15:52:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck
test_ipa_healthcheck_expiring is assuming that it's executed
on a KRA-less installation, but the test is executed after
test_ipa_healthcheck_no_errors that configures the KRA.
With a KRA install, 12 certs are monitored instead of 9.
Fixes: https://pagure.io/freeipa/issue/8439
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/96aa09b947d2b1e50c694853debf2f349197d8a0">96aa09b9</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-04T15:53:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration
Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
two cannot be used in build environment.
nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we
overloaded 'fopen()' to change the path to opened file but this stops working
after glibc consolidate file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
this method is not usable anymore and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.
Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data where expected /etc/passwd and
/etc/group are provided. This method works only on Linux, thus only run the
unit test on Linux.
In case unshare() or chroot() fail, we have to skip tests that use
nss_files.so.2.
Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e4c753dc03c48b8c3509e6077dd7fa5074f73670">e4c753dc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-05T11:33:42+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Fix warning and error
- fixed W0612(unused-variable)
- added missing dependency on python-yaml
Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ea288b014414c62389d7b3a7572a665fefc11b0f">ea288b01</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-05T18:31:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test healthcheck revocation checker
Revoke the Apache certificate and ensure that healthcheck properly
reports the problem.
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ec2b1462899a6b0226dbb68fc7c5ee47db3e33f5">ec2b1462</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-08-05T21:39:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix password file permission
Invalid permission makes file unreadable by owner if he is not root.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4a97145c3a76a4d9ebf52b3905410a0bd7bec856">4a97145c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-06T10:10:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/da2079ce2cc841aec56da872131112eb24326f81">da2079ce</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-06T10:10:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Check permissions of /etc/ipa/ca.crt new installations
It should be 0644 root:root for both CA-ful and CA-less installs.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6926131f258d82b9a8634e3b292c6ecf83f2a5be">6926131f</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-08-06T18:46:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't configure authselect in containers
freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a55ccdb12de3f39c49513fea3ed695e4900916f5">a55ccdb1</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-06T18:49:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add compatibility against python-cryptography 3.0
The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.
Note: this requires python-cryptography 2.7+.
[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b
Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a47748499256544e6692ef0578073938015f7ea">1a477484</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify determining if an IPA server installation is complete
When asking the quesiton "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.
Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.
On upgrades existing installations will automatically get this
state.
This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.
The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/80a7e346a514530ea3af75d2cc338c18ec211537">80a7e346</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify determining if IPA client configuration is complete
When asking the quesiton "is my IPA client configured?" right now
we look at whether the installation backed up any files and
/etc/ipa/default.conf exists.
Instead set a new state, installation, to True as soon as the
client installation finishes.
Unlike the server there is no upgrade process for clients so this
isn't going to be all that useful for quite some time unless that
changes because upgrading an existing install won't set this
to True.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee755a580c1f136b2501a395116ddf7e43c913b6">ee755a58</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cb6c48b21118abb198066126647709b7c9e26e10">cb6c48b2</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b9e4c686634f5ba41f50f0aa0f75b5e214e25a4d">b9e4c686</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update check_client_configuration to use new client fact
check_client_configuration differs from is_ipa_client_configured
in that it raises an exception if not configured so is a nice
convenience in AdminTool scripts. Port it to call to
is_ipa_client_configured() instead of determining the install
state on its own.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4454af4bf31b73550eb5be2ed14be3e15c585ca3">4454af4b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-07T11:12:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Address legacy pylint issues in sysrestore.py
These were triggered because of the movement of sysrestore.py in
the tree
https://pagure.io/freeipa/issue/8384
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b93f2a70d09f44a64a320ad558c76536e9b625ad">b93f2a70</a></strong>
<div>
<span>by Kaleemullah Siddiqui</span>
<i>at 2020-08-07T12:40:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests for fake_mname parameter setup
fake_mname can be set through dnsserver-mod's --soa-mname-override
option which was not doable through same parameter setup in
/etc/named.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1488732
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c89718a60113d1c72fecc3b1549341f2050d6922">c89718a6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-07T14:23:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Switch to dockerhub provider
`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.
registry.fedoraproject.org experiences an availability problem and makes
unstable FreeIPA CI.
Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/50cf90f09398c949797f7fe71ae2075799e14a7f">50cf90f0</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-07T14:23:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Skip keyring tests on containerized platforms
The kernel keyrings are not namespaced yet.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1">9479a393</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-07T14:24:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: tasks.py: fix ipa-epn invocation
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.
Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3b8fdd87760cfb8ec739c67298f012cf0bd3ac39">3b8fdd87</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-07T14:24:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_epn: test_EPN_nbdays enhancements
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/508c5e5d3bd003a854090bae7ebd3dccf74cd6a9">508c5e5d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-08-07T16:45:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Treat container subplatforms like main platform
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:
```
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```
Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.
The patch also enhances debug logging for installer and upgrader.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a0518f7ff6ddc37887970af91c2575c15812fca8">a0518f7f</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-08-07T16:48:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Make object_class_evaluator evaluator compatible with batch responses
Use data adapter in evaluator to be able to deal with batch
RPC responses.
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f9c20ba7585e8f110806596806d292891682932">6f9c20ba</a></strong>
<div>
<span>by Peter Keresztes Schmidt</span>
<i>at 2020-08-07T16:48:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Unify adapter property definition for state evaluators
Move adapter property definition to IPA.state_evaluator since it
is used by all evaluators
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b95817e35716bbab000633043817202e17d7c53e">b95817e3</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-10T12:06:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: Use a helper to retrieve LDAP attributes from an entry
Allow for empty attributes.
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8e810d8cf38ec60d76178bd673e218fb05d56c8e">8e810d8c</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-10T12:06:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: fix configuration file typo
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b">1b1dbcbe</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-10T12:06:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: Test that users without givenname and/or mail are handled
The admin user does not have a givenname by default, allow for that.
Report errors for users without a default e-mail address.
Update the SHA256 hash with the typo fix.
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c4bd1f17a8aaa65482a6b28c1d6ed0f8ee94f667">c4bd1f17</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-10T13:41:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix TestIpaHealthCheckWithoutDNS failure
TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.
When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.
In order to avoid this issue, reset the date to the value saved at the
beginning of the test.
Fixes: https://pagure.io/freeipa/issue/8447
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3cf7fb1014ae40fd5a5278f27577a8196a4af051">3cf7fb10</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-10T11:52:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_epn: add test_EPN_connection_refused
Add a test for EPN behavior when the configured SMTP does not
accept connections.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/53f330b053740b169d211aa16b3b36fb61157bbd">53f330b0</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-10T11:52:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: Fix SMTP connection error handling
Enhance error message when SMTP is down.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8e460c68569074a59463771291dcff6a13fa9796">8e460c68</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-10T15:36:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: CLI validation of ipa-healthcheck command
Test for illegal input values.
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d6c425613f4a978bd77f6f6a6b94a910f9fa3fe0">d6c42561</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-10T15:36:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added negative test case for --list-sources option
Negative test test_append_arguments_to_list_sources added
to --list-sources
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b4266023e04729db12de2f7e0de4da9e1d00db38">b4266023</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-16T16:11:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_epn: update error messages
Update error messages in the test.
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2809084a44e3b174fa48a611e79f04358e1d6dca">2809084a</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-08-16T16:11:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays
Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8f19233d910237fbfd68c2c50bd31e13a49f8ff3">8f19233d</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-08-17T09:59:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Tests for ipahealthcheck tool with IPA external
This testsuite checks whether the healthcheck tool reports
correct status in a scenario when IPA server is setup with
external self-signed CA. Below are the checks covered
IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4da4dd8d7b03164c29e25e6a2b58c9e8fda39062">4da4dd8d</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-08-17T09:59:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Modified YAML files to include healthcheck externalCA tests
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dbf1d858449ff37dbbe73f3853f98578b236615a">dbf1d858</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-17T14:32:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpm-spec: Don't fail on missing /etc/ssh/ssh_config
openssh-clients is not a strict requirement of freeipa-client
package and if it's missing then this case should be handled in
post scriptlet of freeipa-client package. Otherwise, the remaining
part of that scriptlet will not be run at all.
Fixes: https://pagure.io/freeipa/issue/8459
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c2f8c84a74c2aa007027261f052131fcc7041cb4">c2f8c84a</a></strong>
<div>
<span>by Mark Reynolds</span>
<i>at 2020-08-17T14:35:05-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Issue 8456 - Add new aci's for the new replication changelog entries
Description: We need a read and a write aci for the new changelog location,
which was moved from cn=changelog5,cn=config to
cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config
The read aci allows the replica hostgroup entry to find and
read the changelog confguration, and the write allows the replica
to update the changelog with a proper trimming settings.
Fixes: https://pagure.io/freeipa/issue/8456
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3919c9c8d7c2187e4d2a00b8276b241bf23f52b0">3919c9c8</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-18T11:18:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove xfail from test_dnssec
The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
used to fail because of https://github.com/rthalley/dnspython/issues/343,
but the issue has been fixed upstream and does not happen any more since
PRCI is using python3-dns-1.16.0-7.
Remove the xfail.
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f09f97791035cad01e237ed084ffc44f1ff7e85">6f09f977</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-18T10:01:54-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">IPA-EPN: Test that EPN can be install, uninstalled and re-installed
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/602f3f3151e58084ebd9b10d3997efeae5417d12">602f3f31</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-20T11:50:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">uninstall: Don't fail on missing /var/lib/samba
On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bba69960f6c26b5b97e72359bc382e25a8ca8ec9">bba69960</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-20T11:50:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">uninstall: Clean up no longer used flag
The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3084930e596b5d6e9b2b81cf9ce6532feb620b02">3084930e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-20T11:50:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package
This ns-slapd plugin is used as a CLDAP server which responses to
AD DCs with an information about IPA domain. So, logically it
belongs to freeipa-server-trust-ad package.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aac717988f63ab4b8b808a6d48ee01e8fcb0c9e7">aac71798</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-20T11:52:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve performance of ipa-server-guard
* Drop support for python 2
* Only import traceback and syslog when needed
* Only import ipaserver.install.certs when the lock is needed
* Only import ipautil when run is needed
For the unsupported operations case this improves performance by
95%
For the supported operations that don't require a lock the
improvement is about 50%.
For the supported operations that require a lock the improvement
is about 20%
When configuring a CA certmonger calls its helper with the
following operations:
IDENTIFY
FETCH-ROOTS
GET-SUPPORTED-TEMPLATES
GET-DEFAULT-TEMPLATE
GET-NEW-REQUEST-REQUIREMENTS
GET-RENEW-REQUEST-REQUIREMENTS
FETCH-SCEP-CA-CAPS
FETCH-SCEP-CA-CERTS
Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are
supported by ipa-submit, along with the request options SUBMIT and
POLL.
Which means every time the IPA CA in certmonger is updated
eight calls to ipa-server-guard are made so the savings are
cumulative.
The savings when executing these eight operations is a 73% decrease
(.7 sec vs 2.5 sec).
https://pagure.io/freeipa/issue/8425
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/715ec234373fc8b4aa0d00a4e9e0126522f38de1">715ec234</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-20T11:53:56+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: stop the CA during healthcheck expiration test
Time is moved during the test to ensure that ipa-healthcheck
finds expired certificates. It's possible that certmonger will also
wake up and renew the certificates before ipa-healthcheck can
execute so shut down the CA during the test.
https://pagure.io/freeipa/issue/8463
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/14f27d284f4d9a37f2bd599f98602fb2eb84edd1">14f27d28</a></strong>
<div>
<span>by Mark Reynolds</span>
<i>at 2020-08-20T11:54:41+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase replication changelog trimming to 30 days
A long time ago the DS team recommended that the changelog trimming interval be set to 7 days. However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).
It would be better to set the trimming interval to 30 days. This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.
Fixes: https://pagure.io/freeipa/issue/8464
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9b52ba606d2f0e3ff8f8f5dd7bbe87e6b9d2cfbe">9b52ba60</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-08-20T11:56:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test certmonger rekey command works fine
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.
related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8492ba16e31523db024b154eb30d81dcfecdadb7">8492ba16</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-20T13:10:25+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add alternative email to the mailmap for myself
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c1fb997e99a90e42118b9022eea95d07138a7fc">2c1fb997</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-20T13:10:25+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-4-8: update po/ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/26d8267244fd232b3c075677a10d41fada3484aa">26d82672</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-20T13:10:25+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-4-8: Add new contributors
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c409fc65df4108c7f8ba06bdcf5f61275a16c8d7">c409fc65</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-20T13:10:25+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.8.9
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/530af23af195f8d697b9f84fd2eb834ef8dfde5c">530af23a</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-02T09:47:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">copyright: Fix duplicate-globbing-patterns lintian error.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b0fa995326039e5dbb5095575f03195ff6008d89">b0fa9953</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-02T11:06:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.8.8-2
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9bb734a8bea050b0b5e401fa2b4ac78233b3a2ba">9bb734a8</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-14T14:40:04+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Build freeipa-client-epn only where nodejs is available. (Closes: #970230)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/54e61a228f17052b22d3f973ac2ebdccf94cda97">54e61a22</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-14T15:11:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install: ipa-print-pac belongs to the server instead of -client-epn.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97c3d017e2556ffa1e4a93e8de1824031e40948b">97c3d017</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-17T12:23:43+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge tag 'release-4-8-8' into m
Tagging FreeIPA 4.8.8
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b84efa8282193c5be1cc689fa105607700cc025a">b84efa82</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-17T12:23:49+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'master' into m
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0610bcd0f3d3abccd2524ec9b659133d3ad698a4">0610bcd0</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-09-17T12:24:48+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#d0e9cb1fab10296d90ef8e144f981f659bbd59ad">
.mailmap
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#521b4492ed13326bcb633dcdd0e7a0b876d266aa">
client/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#afe90542f4b6de49a3da1dff8d7667da4892974e">
client/man/epn.conf.5
</a>
</li>
<li class="file-stats">
<a href="#5bb28820be8979ff1f083ff242278cf186827464">
client/man/ipa-epn.1
</a>
</li>
<li class="file-stats">
<a href="#dd969454de251db1435d9fd37e48469170f6ca94">
client/share/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#79e414f3a775c24eef8c1a8120529706f624cee6">
<span class="new-file">
+
client/share/epn.conf
</span>
</a>
</li>
<li class="file-stats">
<a href="#8057967cece5ffb68e06c535c6039300ddb2b153">
install/share/expire_msg.template
→
client/share/expire_msg.template
</a>
</li>
<li class="file-stats">
<a href="#0df6aa4bb9dedfa2609b3e4f9a6c6bb1fcb33407">
<span class="new-file">
+
client/share/sshd_ipa.conf.template
</span>
</a>
</li>
<li class="file-stats">
<a href="#1d4e94b1c516e71796865fced857eeb0c205e468">
<span class="new-file">
+
client/systemd/Makefile.am
</span>
</a>
</li>
<li class="file-stats">
<a href="#76c99459095faf3fe417b3097322bdd0050dadb7">
init/systemd/ipa-epn.service.in
→
client/systemd/ipa-epn.service.in
</a>
</li>
<li class="file-stats">
<a href="#5b46996b06ef7cd142f70df7fd3ce35f1fd6a16b">
init/systemd/ipa-epn.timer.in
→
client/systemd/ipa-epn.timer.in
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#87da2a6db5a09c219886caa97c72fa12542be1ff">
daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#68b9e3d49c888f7dfab1fba6bd9ba4f18f303469">
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
</a>
</li>
<li class="file-stats">
<a href="#54fe9783eb5c5ea3a5d30a4e95cda5106fbb9b50">
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group
→
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group
</a>
</li>
<li class="file-stats">
<a href="#298ced28b4211f838b768dc0ae955d4b02ec03a4">
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd
→
daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#58ef006ab62b83b4bec5d81fe5b32c3b4c2d1cc2">
debian/control
</a>
</li>
<li class="file-stats">
<a href="#8d355cf67e84391e4194e2e9ab75c865f2e174d6">
debian/control.common
</a>
</li>
<li class="file-stats">
<a href="#adb7f75f79e3bb85eb62912a2904c5d24af878fb">
debian/copyright
</a>
</li>
<li class="file-stats">
<a href="#313e7cbf4e972c651b0ce52fe2e0928768dff229">
debian/freeipa-client-epn.install
</a>
</li>
<li class="file-stats">
<a href="#5c13d41c7f88f2041b80d3f1fadbbb2dc3e7f14b">
debian/freeipa-server.install
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#d28d84dd3806aca921e14cabe8ddd3a8bc80d283">
init/systemd/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#7973c0f48583ff96f636747fa5bbda9f7cce5625">
install/certmonger/ipa-server-guard.in
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/30ec6c8e393697f97857a8dca0eb4a1dd11533c0...0610bcd0f3d3abccd2524ec9b659133d3ad698a4">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>