<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e058c4d47ce9bb66ad93421b73f85fd5954e95d0">e058c4d4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-20T13:34:58+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c7414a51ea1895292dccf203f8c5e0aa1c00d2c">8c7414a5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-24T09:58:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Teach pylint about more RRs types

There are many types of RRs which are provided by dnspython.
This is not all, but enough for now to fix linting errors
caused by new dnspython 2.0.

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a283196b3da8aaa537fd506c50edbddb0ff2f045">a283196b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-24T09:58:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Fix warning W0612(unused-variable)

New warnings were found by new pylint (2.5.3).

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31e16f7216a5e66f372a1759c39a6a254a94a210">31e16f72</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-24T09:58:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Ignore `super-with-arguments`

Pylint 2.6.0 added new check:
> Add super-with-arguments check for flagging instances of Python 2
style super calls.

According to PEP 3135 this form of `super` is syntactic sugar and
is not mandatory. Right now there are 566 affected `super`s.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3135/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ffbbc30146e3f0f9e995a99031860e6130847a4c">ffbbc301</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-08-24T09:58:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Ignore `raise-missing-from`

Pylint 2.6.0 introduces new check:
> Add raise-missing-from check for exceptions that should have a
cause.

According to PEP 3134 the implicit exception chaining is valid and
can be used.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3134/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32b1242549f8f558edfebd22b5ffbc0d84a8aa6a">32b12425</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-08-24T11:26:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add PTR record for IP SAN

If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b0f065729ecbb393ab79ce99d6e2cf83e62529c">6b0f0657</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-08-24T11:26:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add --skip-overlap-check option to prepare_reverse_zone()

add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/19ec19c037a679a8320112800565ae7758599f08">19ec19c0</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2020-08-24T11:26:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PEP8 fixes

PEP8 fixes for visual indent, line > 79, blank line required etc

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6662f5fdf5b1e65e786fb26a1f037deba0fbe283">6662f5fd</a></strong>
<div>
<span>by Sumedh Sidhaye</span>
<i>at 2020-08-24T17:05:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">This is a manual backport of https://github.com/freeipa/freeipa/pull/5053/

Increase test_cert.py timeout from 3600 to 5400
to accomodate newly added tests that need more time
to execute

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc9840d83e2cd329281c1d42d75e4dbc4d4c0145">fc9840d8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-08-24T17:07:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_smb: make sure both smbserver and smbclient use IPA master for DNS

test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.

Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.

Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.

Fixes: https://pagure.io/freeipa/issue/8344

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/57ea534c39232f65e8a4f0dc9917bd55331c8436">57ea534c</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-08-24T17:09:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Bump PR-CI templates

New template images for ci-ipa-4-8-f32 to include latest packages.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f4f7c616628a6200f7d3b56969d6e6204d3aea5">6f4f7c61</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-25T12:38:11-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add option/arg parsing tests for the cli

A typo in passing in options would result in an exception.

For example -verbose was treated as: -v -e rbose

-v and -e are valid options. rbose on its own has no value in the
name-value pair so an exception would result.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dce5b1c854382058c62cb7c7155edf715088ca0a">dce5b1c8</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-25T12:38:11-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cli: When parsing options require name/value pairs

If single-option values are combined together with invalid options
an exception would be raised.

For example -verbose was treated as -v -e rbose. Since rbose isn't
a name/value pair things would blow up. This is now caught and
a somewhat more reable error returned. The -v and -e are consumed,
not much we can do about that, but at least a more usable error is
returned.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe783b632a0649f1894416dbd74a2a074c64b5ba">fe783b63</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-26T11:12:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fall back to old server installation detection when needed

If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/774bbb1703cb37b5b0623a987738efd5207d65d6">774bbb17</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-26T11:12:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use is_ipa_configured from ipalib.facts

A couple of places still used the deprecated installutils version.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2057b330f8c3d89078ce2008660a799721ab3c57">2057b330</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-08-26T11:12:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add test for is_ipa_configured

Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d560505567da92e749b08b8a0a4295a5b2d5d8f6">d5605055</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-08-27T10:45:21+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: refactor test for login using cifs alias principal

The test had two problems:
* if it was failing,  samba services were not started and all other
tests also failed
* Utility for copying keys obscured fatal problems i.e. if file does not
exist or can not be parsed.

Fixed by moving the check to separate test and raising exceptions in
KerberosKeyCopier on any unexpected problem.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f3c6fb3a6c03e8ef6586fb61acc2d66d2416d0ec">f3c6fb3a</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-08-27T10:45:21+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: simplify fixture

Fixture enable_smb_client_dns_lookup_kdc had an unobvious structure
"contextmanage inside pytest fixture". Replaced with simple pytest
fixture.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2ce880e900423cedbf7c7a9dd422585e8e1522b1">2ce880e9</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-31T09:41:02+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately

The test is changing the date back and forth. Due to PRCI
infra issue, chronyd is not able to connect to the default
NTP servers from the fedora pool, and the date is not
synchronized any more after this test.

To avoid polluting other tests, run this one separately.

Fixes: https://pagure.io/freeipa/issue/8472
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab6811a131190d89c5ef8c55a2edb8b73499280a">ab6811a1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-08-31T09:41:02+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add missing healthcheck test in PRCI nightlies

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d13ef9bfe52442af7d8d39113a8b0a01f5f0bff">5d13ef9b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Add Rawhide definitions

- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.

- add Rawhide templates

- add Dockerfile for build Rawhie Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae219dffbcb71f6ab12b4e4831a1c02e4279f0b8">ae219dff</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Drop dependency on UsePythonVersion task

Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0ff6b6ee55bfb633b1aee7948c885dfa3f711168">0ff6b6ee</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: base: Collect both install and uninstall logs

Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0a8997ff0be5b3ce67172da9b123a461be83f1e6">0a8997ff</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: Raise exception earlier on unsupported DB type

For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee661dc7223bf107d30dda39184c402964f2982f">ee661dc7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">deps: Require `nss-tools` for make's fasttest target

Otherwise, tests fail with:
```
E               FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/428373f127f69b4fee45b356c765e7a227c8788b">428373f1</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Increase verbosity for Tox task

This allows to debug issues happened during packages installation:

> -v, --verbose     increase verbosity of reporting output.
-vv mode turns off output redirection for package installation,
above level two verbosity flags are passed through to pip (with two less
level) (default: 0)

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/76502144dd71c957954ac44002d034e691713cb3">76502144</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tox: Don't expand symlinks

`virtualenv` < 20.0.0 copies system python binary into virt
environment and then links `python` to it. While
`virtualenv` >= 20.0.0 directly links `python` to system python
binary (without copying).

`realpath` by default expands symlinks. Thereby, pip attempts to
install packages into the system's site-packages and
fails with 'Permission denied' (non-privileged user).

Fixes: https://pagure.io/freeipa/issue/8475
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae8b723c1e0f5d66b0fa5e618b7274d872e918d3">ae8b723c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-01T17:25:54+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnspython: Add compatibility shim

`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/656aa91215d2c9142755fc0962dc13668e6f8f3c">656aa912</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-09-03T13:54:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dns: Make use of `resolve_address` of a current resolver instead of the global one

For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0a7fc535345892ee93aa736dcd94a4f23c544f61">0a7fc535</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2020-09-04T08:41:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust

Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.

Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/438285470610dee4aa6a56523df22307840ede87">43828547</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-10T08:58:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: let custodia replicate keys

Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;

Found by: test_replica_promotion::TestSubCAkeyReplication

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fefaeb4bf9f8ca0c64dd8ccb242ac7727ae4b70f">fefaeb4b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-09-10T11:32:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnsforwardzone-add: support dnspython 2.0

The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.

As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.

Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/099ab6c7156202cb1bd0fb6b27dc389dc56c82f7">099ab6c7</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-10T12:14:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test ipa_server_certinstall with an IPA-issued cert

ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a5a2a0bf3e99ab8aa11235c3d01fbac51e33176">2a5a2a0b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-10T12:14:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set the certmonger subject with a string, not an object

ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe9f4a86ca27c56ec9f4db85f9aea0dae8880638">fe9f4a86</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-09-10T18:37:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Bump PR-CI templates

New templates with a previously working version of `geckodriver`.

Issue: https://pagure.io/freeipa/issue/8473

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ec8a560392c89da96a805e9779eaa2041dd992c1">ec8a5603</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-09-10T15:34:00-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: support getprincs request in kadmin.local

kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
    (objectclass=krbprincipalaux)
    (objectclass=krbprincipal)
    (objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
     (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f316d0118b8b00207e8d005f20d5de837c46a220">f316d011</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-09-10T15:34:00-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: test kadmin.local getprincs command

Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/be7efc4dfbe16cb8d700ec16bbc1177b4fcbe3df">be7efc4d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-11T15:55:30-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only restart DS when duplicate cacrt was found

The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/93fff042f4bf78541e69371eeaef05c49e8f9463">93fff042</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-09-14T13:03:56-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Specify memory limits as strings for docker compose

Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a0c00c3c7bfa7b4270eb7a8b91fac2e8155140d">2a0c00c3</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T17:57:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't allow both a zone name and --name-from-ip to be provided

--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8f19411a2e166120b53155e9ae85896990750d2e">8f19411a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T17:57:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test that a zone name and name-from-ip will be rejected

If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1fd4440a2d49118c9be4f6a6bb9d90ca3abd7c53">1fd4440a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T17:58:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require at least 1.6Gb of available RAM to install the server

Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev@altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9fa534c92c31488d7dbf7fb84ec0ed934e0376a8">9fa534c9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T17:58:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for checking available memory

The tests always force container or no container so they should
run the same in any environment.

The following cases are handled:

- container, no cgroups
- container, insufficent RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4e5ba24bcf99daa4764b43093ff6a6dbcde52485">4e5ba24b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T19:01:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">De-duplicate ACI attributes and permissions

Ensure uniqueuess in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/939a72f47c4f9ddd55fd703fbe26dad847ab8d1e">939a72f4</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T19:01:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use ACI class set_permissions() method to set permissions

This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a572df9616c1da69611ed5a172fd638011ba161f">a572df96</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T19:01:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add test for ACI attribute and permission uniqueness

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/53a952f0cb55c8bd9cc0cd13adf24303d036bafd">53a952f0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-14T19:02:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add index for more trust-related attributes

Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02698275bc2b0a39058329f9cb7060a35d896eb3">02698275</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-09-15T14:59:37-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add nightly definitions for enforcing mode

Duplicates the scenario for nightly_ipa-4-8_latest.yaml and
sets `selinux_enforcing` parameter as True.

Indentation for all definitions have been fixed.

Issue: freeipa/freeipa-pr-ci#391

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/672fe14dfa49b8a15fb3c0353415425302924e07">672fe14d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-16T11:17:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add krbPrincipalName pres index correctly

See: 20b55f4017ab42113f1ced829a4b4afa17839b55
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d1c860e59b5237178066ed963cc2fa50d99cd690">d1c860e5</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-17T18:43:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check that pkispawn log is not empty

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048">97c6d2d2</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-17T18:43:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dogtaginstance.py: add --debug to pkispawn

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d7f39287dac7ada64719330ac3da66c8cbbef757">d7f39287</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-21T18:11:00-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Duplicate CA CRT: ignore expected cert

When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/707823a3703c4777dba5a260c391dc5887ae69d3">707823a3</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-09-22T08:39:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_smb: skip test_smb_service_s4u2self for fed31

The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/52929cbadf0252fcac1019b74663a2808061ea1b">52929cba</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: enhance TestSubCAkeyReplication

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5a5962426d8174212f0b7efef1a9e53aaecb5901">5a596242</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux: Add dedicated policy for ipa-pki-retrieve-key

Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c126610ea6605a1ff36cecf2e2f5b2cb97130831">c126610e</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: let custodia_t map custodia_tmp_t

This is used by the JVM perf counters.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/310dbd6eec337f0747d73fa87363083a742fc5dc">310dbd6e</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t

Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0518c63768b50973f3d3129547f5b4b95335f4a8">0518c637</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t

ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25cf7af0d41bbd34621f37c95802675b42baeae9">25cf7af0</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ad04841245668e3126cb1718ef7ec1b744526e8">7ad04841</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: make interfaces for kernel modules non-optional

Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6a31605c1d249416ed7627755bca23a1cc45a581">6a31605c</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-22T23:41:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux Policy: Allow tomcat_t to read kerberos keytabs

This is required to fix:
avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Macros suggested by: Ondrej Mosnacek

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/80f66b751fda25cc48f3cf4727c2b55f6aa39a33">80f66b75</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-22T22:50:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require a matching server package for the selinux subpackage

Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.

https://pagure.io/freeipa/issue/8511

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58c3343a67a3922dcc84d3d4b1deca515c48a6f8">58c3343a</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-09-23T18:37:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SELinux: do not double-define node_t and pki_tomcat_cert_t

node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c029eb7e732ee8b631c12ae17a154605ef2575e5">c029eb7e</a></strong>
<div>
<span>by Zdenek Pytela</span>
<i>at 2020-09-23T21:48:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add ipa_pki_retrieve_key_exec() interface

The ipa_pki_retrieve_key_exec() interface is needed to allow other
domains execute ipa-pki-retrieve-key.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/439170633f1e577561af289ec99d7426699adf95">43917063</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T08:15:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make git a build requirement

FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/202d7da8df37b9e5fb58d4546ef996825021137a">202d7da8</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T08:22:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Delay import of psutil to avoid AVC

Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a
system has sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violations and Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/489ddc6d872b00fe5cddd1e9234fbb3e26f4aa0f">489ddc6d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T09:04:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add helpers for resolve1 and nameservers

detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d6827f52b629d2a6afdd1b60ad190efae0d55a3e">d6827f52</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T09:04:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Configure NetworkManager to use systemd-resolved

zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6dc5566c7b1edfd40722a5740e9bf9f33d74a609">6dc5566c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T09:04:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use new API for auto-forwarders

Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c67aba230fafd1ad9aded64fdac25081b4cd532d">c67aba23</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T09:04:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Configure systemd-resolved to use IPA's BIND

IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3b3cb99dc15d826b825701fd04b00d74617e526e">3b3cb99d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T09:04:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create systemd-resolved configuration on update

Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8255bc7b92db44d375819857fed12faa85609c3a">8255bc7b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-24T10:38:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reduce the memory requirement from 1.6 to 1.2 GB

We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ade428f51909b79a7ec0ced8f9810ce459aba1d3">ade428f5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-24T11:35:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clean up entire /run/ipa/ccaches directory not just files

If there are any sub-directories in the ccaches directory
then cleaning it up will fail.

Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7cfd03db48060c61e6a7fecbb72d9995a7de2511">7cfd03db</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-09-24T11:35:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test that ccaches are cleaned up during installation

Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87e5c0500b76b7cbeecedc0c28d44095c7063186">87e5c050</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-09-24T18:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix nsslapd-db-lock tuning of BDB backend

nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/090a222879e5beb6a913821a903d49190401b847">090a2228</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-09-24T20:39:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix jQuery DOM manipulation issues

The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
  (https://github.com/jquery/jquery/pull/4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
  (https://github.com/jquery/jquery/pull/4647)

In addition there is included a script that helps to patch and build
the new version of jQuery:

  $ install/ui/util/make-jquery.js 3.4.1

Ticket: https://pagure.io/freeipa/issue/8507

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a44bb2e0682e0a1e061bdd6673d04f511807fb34">a44bb2e0</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-09-26T10:57:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.8.10

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#736f0a5824e80bc5bc350a146522854b95f1d407">
.tox-install.sh
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#5cd6be5f06d1be10ed72f46efdd12433a8fda6c0">
daemons/ipa-kdb/ipa_kdb_principals.c
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#caf04c57303b16d460d27dfe013cc85ba80217f6">
install/share/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#e878be544d16f7ef38adcd5a6d9e33536724146b">
install/share/indices.ldif
</a>
</li>
<li class="file-stats">
<a href="#fee63f186affdebc50b4b3d11bc887913faee6f3">
<span class="new-file">
+
install/share/ldbm-tuning.ldif
</span>
</a>
</li>
<li class="file-stats">
<a href="#f4a2d7b8b31122c7c455d8d86786f2812a115f78">
install/ui/src/libs/jquery.js
</a>
</li>
<li class="file-stats">
<a href="#ff411261dbfb9692a098ad6e1fc70ef3d08f34fb">
<span class="new-file">
+
install/ui/util/jquery-patches/3.4.1/gh-4642.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#3b7a8df374ecf00d000126736a8017c0561441e2">
<span class="new-file">
+
install/ui/util/jquery-patches/3.4.1/gh-4647.patch
</span>
</a>
</li>
<li class="file-stats">
<a href="#40fbf19d3c2ee457a925547c76b9e6e493e6db82">
<span class="new-file">
+
install/ui/util/make-jquery.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#6f84e142479b86b7308983a7f628d99b316c40d9">
<span class="new-file">
+
install/updates/10-db-locks.update
</span>
</a>
</li>
<li class="file-stats">
<a href="#fca77b5cef2eebd8408298fb25c382c8d7c386cb">
install/updates/20-indices.update
</a>
</li>
<li class="file-stats">
<a href="#4b4b2d4df8fd01cacf3568ff53dbb777887d6dae">
install/updates/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#77ebe75b26531b5e93303a30d59f597e9afc252b">
ipaclient/discovery.py
</a>
</li>
<li class="file-stats">
<a href="#b45fae25573119cb28af94564fae7ce054efd2a5">
ipaclient/install/client.py
</a>
</li>
<li class="file-stats">
<a href="#dcb61ac384de8434a4fdc13960dd117269a17e46">
ipalib/aci.py
</a>
</li>
<li class="file-stats">
<a href="#987da64e6dcf4ee6d9fae652b3fe266a97d73c2f">
ipalib/facts.py
</a>
</li>
<li class="file-stats">
<a href="#1de7bfac70ad9116d4f78359b8af8afa1d9eeddb">
<span class="new-file">
+
ipalib/install/dnsforwarders.py
</span>
</a>
</li>
<li class="file-stats">
<a href="#bb91e29c513d9f052b26a9cf9054378eae0c659d">
ipalib/plugable.py
</a>
</li>
<li class="file-stats">
<a href="#319484d770f7569faa731d2e6be58011b9313af5">
ipalib/setup.py
</a>
</li>
<li class="file-stats">
<a href="#d654d3095d14fa57e8fdf621e849b69a27a2c61d">
ipalib/util.py
</a>
</li>
<li class="file-stats">
<a href="#7c388ee0f04c897dcaf2ed0cdfa77a6e0ba4da3f">
ipaplatform/base/paths.py
</a>
</li>
<li class="file-stats">
<a href="#97bb9219998b9a58808f1a72ed574531845a3729">
ipaplatform/base/services.py
</a>
</li>
<li class="file-stats">
<a href="#b7e76d2f05c6aa357c7aaf097decdf3b2f4639c4">
ipaplatform/base/tasks.py
</a>
</li>
<li class="file-stats">
<a href="#bf7eb7b22e29f2fe8b70bd46b06ceb8f20bade8e">
ipaplatform/redhat/tasks.py
</a>
</li>
<li class="file-stats">
<a href="#18b89ec2cce17ae6c7fda8ac6eac7dd60df19bbb">
ipapython/certdb.py
</a>
</li>
<li class="file-stats">
<a href="#230b72e180bbf6a41ec654d44cb2562f0e53645f">
ipapython/dnsutil.py
</a>
</li>
<li class="file-stats">
<a href="#40635fd4cfad6edc8630503c32880c9afe343e2b">
ipapython/ipaldap.py
</a>
</li>
<li class="file-stats">
<a href="#f9d2bebac04f2cee44b22a249cac39e9c0cb2c92">
ipapython/ipautil.py
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">

<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/c409fc65df4108c7f8ba06bdcf5f61275a16c8d7...a44bb2e0682e0a1e061bdd6673d04f511807fb34">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.



</p>
</div>
</body>
</html>