<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f16174c5f929a0884fcafb3da357a27e963b9bc">9f16174c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-14T15:52:10+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/22f0d8c50ab4618b05d0263380f594b23153724b">22f0d8c5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-15T13:24:29-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">When loading certificates verify that it is X.509 v3

Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b278b63b417edea74ca9344688e02b70e64b8bf">7b278b63</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-17T08:11:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CA-less install: non-ASCII chars in CA cert subject

In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.

The issue happens when calling ipautil.run to extract the keys
from a p12file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes, the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.

Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b040e10d3fac2cfb5ce057718e537ecbe8e2ac1">4b040e10</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-17T08:11:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use non-ascii chars in CA-less install

The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.

Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1be15d2024f327bc846e5fe324dc24fb2a96a828">1be15d20</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Custodia 0.6.0 to ipaserver package

Incorporate Custodia into IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d804f1feeddd31957bc3d88dfb79e9bd119813cb">d804f1fe</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unused Custodia modules

The CLI, IPA integration and storage backends are not used by IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02ece292ada0da25864bc71ed4f2f16d01933df5">02ece292</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Custodia imports

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0ec775fcfa15f1da20841111484e1e25d9f13d38">0ec775fc</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Custodia pylint issues

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7cb2c89d5900dc02df1e587dd87d7f820404cd92">7cb2c89d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove more unused Custodia code

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cde5e2d4d7c36fadad492a7a753547297ffbaf60">cde5e2d4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Custodia tests

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62647ff3217331339e66170a0665b529e204be2e">62647ff3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Also drop Custodia client and forwarder

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7bed7e4b06e70b04e16410878ad269564291eec4">7bed7e4b</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-18T10:43:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With these change there is a way to enable
PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
before).

Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/48370cb3e8fa928dcc51406a4a5e7dbe5bf8243f">48370cb3</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-21T10:54:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">host: try to resolve FQDN before command execution

Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.

Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/27a65a1a352b50304fa6765a535443993b445044">27a65a1a</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-21T10:54:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test host update using shortname

Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.

Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45d8118e6c94f25c0971fe2fe07d8f6eb7eb6f7c">45d8118e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-22T09:26:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use get_replication_plugin_name in LDAP updater

This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.

Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.

It was moved to installutils.py to avoid circular import.

https://pagure.io/freeipa/issue/8885

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2aa77992090499b2706ca077cc8ca980f47abbc0">2aa77992</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-06-23T10:00:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted

Pagure: https://pagure.io/freeipa/issue/7752

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d744ff3caef509af8d3c25393aac6c2d83fdb78c">d744ff3c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-25T13:35:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: healthcheck: Update IPAHostKeytab assumptions

As of 0.9 freeipa-healthcheck requires running `dirsrv` service
for `IPAHostKeytab` check. So, previous assumption about the
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of host's keytab.

Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/52e60889ff85b0129503d086214419fc2f9700d8">52e60889</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-06-25T21:33:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix certificate serial number representation

Big numbers are automatically translated to scientific notation in JavaScript.
It causes an issue with some certificate serial numbers.
The fix normalizes the notation base on original value from serial_number_hex.

The implementation works only for browsers that support BigInt.
It would not work for old browsers like Internet Explorer.

Ticket: https://pagure.io/freeipa/issue/8754

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32eb409cf6c4bf03d4ae3451001c81d175310a7c">32eb409c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/15d710247d389e992844637fdb8a35610b595ba2">15d71024</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0abae79183207a4bdc7a6147eb143319806ad567">0abae791</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e82f2538326af62802a587dbd66ff1a06514af60">e82f2538</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: remove fsync in do_nsupdate()

No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8588c5006a61855cb178643916a02513df3fa31">a8588c50</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)

ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3cbd24dd04ece7ab24c5cbd3448a46aeb02363f8">3cbd24dd</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d995b8c2ae7fd6902107f1566d59e00a16adcd9">5d995b8c</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-06-29T11:06:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase timeout for test_commands.py

test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae4478de1f0e9e35098d1bbbfae1b3506bcf3672">ae4478de</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-29T11:04:56-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return a copy of cached entries, only with requested attributes

Some plugins, notably dns, modifies a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b3496a7b3f6aaf23b8364e41c10a2689dc6e513">6b3496a7</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-29T18:27:20+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA v.4.9.6

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b7e8841824b44fc41581717c51ccd4b0fc553ff">2b7e8841</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-29T18:29:14+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e713c227bb420a841ce3ae146bca55a84a1b0dbf">e713c227</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">paths: add IPA_SERVER_CONF

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee4be290e1583834a573c3896ee1d97b3fbb6c24">ee4be290</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: smoke test for server debug mode.

Add a smoke test to make sure the server can be set in debug mode
without issue.

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1539c7383116647ad9c5b125b343f972e9c9653b">1539c738</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpcserver.py: perf_counter_ns is Python 3.7+

perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9cfae2623420356fd99e09bf8559b11da66e2ccd">9cfae262</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-05T16:45:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unneeded dependency on python-coverage

The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a5d2857297cfcf87ed8973df96e89ebcef22850d">a5d28572</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-06T17:36:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add checks to prevent adding auth indicators to internal IPA services

Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.

Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/28484c3dee225662e41acc691bfe6b1c1cee99c8">28484c3d</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-06T17:36:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ensure auth indicators can't be added to internal IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06468b2f604c56b02231904072cb57412966a701">06468b2f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-06T18:12:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">stageuser: add ipauserauthtypeclass when required

The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.

There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.

Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc">4a5a0fe7</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-06T18:12:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">XMLRPC test: add a test for stageuser-add --user-auth-type

Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/076e499f6f1223458cb896f1e90296e511c922d7">076e499f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T17:32:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">augeas: bump version for rhel9

augeas 1.12.1-0.1 adds support for the new chony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/195035cef51a132b2b80df57ed50f2fe620244e6">195035ce</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T18:10:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man page: update ipa-server-upgrade.1

The man page needs to clarify in which case the command needs
to be run.

Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c0a123e99d943f115cc726e391f5d79b5bfb70e">2c0a123e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T22:44:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Server install: do not use unchecked ip addr for ipa-ca record

At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.

For each address, make sure that it's neither reserved nor a
link-local address.

Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca8c7010e8aa0f87bde11c36947fefd549bae8fd">ca8c7010</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-12T09:01:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SHA384withRSA as a certificate signing algorithm

It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4">b2e62923</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-12T12:48:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use whole date when calling journalctl --since

The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/26be7ffdba87e0e6294ea035ab3dc9bd933fba43">26be7ffd</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-07-12T13:43:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3540986a11d4f3401ba4918f25229a79283d9dbd">3540986a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add basic support for subordinate user/group ids

New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d4fe06663c3e66b1da73c01ce022790634a3e3b">5d4fe066</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Redesign subid feature

Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ef115b04182d572bf61e32e2405bbb68ff65e928">ef115b04</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use 389-DS' dnaInterval setting to assign intervals

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e6e3fb606d08b0dc57bfa360a0f0082052441db6">e6e3fb60</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-server-upgrade

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44ccc0f64bac9fc2e7e3264984af26635bb34742">44ccc0f6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix oid of ipaUserDefaultSubordinateId

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f4b8982cd06011df8daac480a726637fc52649e">9f4b8982</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Improve subordinate ids user workflow

- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings

Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b53a52a1fafa94e0129e6e3e55fddd59909f0f0a">b53a52a1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test DNA plugin configuration

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f910eb2dda8595da435b4aed6e759a2916df813">7f910eb2</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-07-13T09:29:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_ipahealthcheck: print a message if a system is healthy

Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e5df4dc4884f1a66ccbca79b9a0d83874c996d1d">e5df4dc4</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-07-13T19:30:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency

KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ad535b618d60fa016061212ff85d0ad28ccae59">8ad535b6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-14T09:54:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fall back to krbprincipalname when validating host auth indicators

When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d456649feb40d462f73321a4a220b4aff7adb443">d456649f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-14T10:05:59-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pr-ci definitions: add subid-related jobs

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40e4ccf1ea943aba4d10e8126ffa49feddd2e683">40e4ccf1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-15T08:02:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: close notification when revoking cert

When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02c0da3ef74948579106aab4b669f6e64dd60b24">02c0da3e</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-07-15T08:25:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg

Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a4f459b81bc77cdf233b65f41d0f76dbb5f2fce">1a4f459b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-15T18:22:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec file: Trust controller role should pull sssd-winbind-idmap package

ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a5159b216455070eb51b6a11ceaf0033fc8ce4c">1a5159b2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-07-16T19:18:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rhel platform: add a named crypto-policy support

RHEL 8+ provides bind system-wide crypto policy support, enable it.

Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b132956e42a88ab39bb8d6a854e7c5d28d544a11">b132956e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-17T16:20:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Index: Fix definition for memberOf

The index definition for memberOf is inconsistent:

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

The cn attribute should be memberOf, not member. Fix the definition.

Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f7997ed0b7d5b915c0184bf8e8864ff935cd6232">f7997ed0</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-18T14:00:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: fix algo for finding available idrange

The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/161d5844eb1214e60c636bdb73713c6a43f1e75c">161d5844</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-20T13:58:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: smbclient "-k" => "--use-kerberos=desired"

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86869364a30f071ee79974b301ff68e80c0950ba">86869364</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T13:26:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_acme: refactor with tasks

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/701adb9185c77194ba1ad0c5fd2f13484417ef6f">701adb91</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T13:26:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_acme: make password renewal more robust

A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b826ab3582566b15a618f57cb2e002a9c16ef64">5b826ab3</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T14:36:55-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tasks.py: fix flake8-reported issues

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b9adf1d8d5efb48e734650e4101e8816b01e1d3">0b9adf1d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-22T18:19:58-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use new method in check to prevent removal of last KRA

It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.

Use server roles instead to determine if the last KRA server
is to be removed.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ea8f8b68b5a7217518f68065a5fc1df16126314">8ea8f8b6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-22T18:19:58-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test removing last KRA when it is not running

Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb1d509fd5271d39cc899838b57e5398683401f7">eb1d509f</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: temporarily disable problematic tests, #1

test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18ccaea7cb36b3d1069f0d12a15b06357b3f94f0">18ccaea7</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: temporarily disable problematic tests, #2

test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33c561dcd30dc346ccbaa00933bcd1cac5e994b6">33c561dc</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">gating.yaml: Fix TestInstallMaster timeout

test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it timeouts in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/89ca5c8836333aece9caf2ac433ccab1140f909a">89ca5c88</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Display all orphaned keys in automountlocation-tofiles

Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dbe4159e27d44550085cb3ce0629d1e525c9b30e">dbe4159e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add test for ipa automountlocation-tofiles

Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ded3cd3fc8490561e44310e8f89efc3e13e82884">ded3cd3f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix automountlocation-tofiles expected output in xmlrpc test

The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02447762a3f62383313f0b8cd7c5d129dc2c6213">02447762</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-07-27T15:23:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump prci boxes + move gating to f34

Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab4720d9c2bae059e8f622cd4a331510fefe27ae">ab4720d9</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-27T17:38:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kra-install: exit if ca_host is overriden

ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.

Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a4e13a33247fb14145c632fb53b4480fc5fb10ea">a4e13a33</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-27T17:38:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test if KRA install fails when ca_host is overriden

KRA install on a replica should fail if ca_host is
overriden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a1eb13cdbc109da8c028bb886a1207ea2cc23cee">a1eb13cd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-08-02T09:53:36-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ldapupdate.get_sub_dict() for missing named user

The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b">e0e1d6f9</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-03T08:17:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec.in: remove python3-pexpect from Requires

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fbbff3edc0fcc8bf2624283ccd88848eedaac8d7">fbbff3ed</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:23:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide more information in ipa-certupdate on ccache failure

ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentails.

Include the principal being retrieved and the keytab being
used.

This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42206df69adc9c1eefa3ee576891b2ae3ac269e0">42206df6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-getkeytab: add option to discover servers using DNS SRV

The basic flow is:

- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0114d24ea160676b784ef7010c19bbacc67ceea0">0114d24e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-getkeytab: fix compiler warnings

Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.

Use correct datatype of return value for ber_scanf to
correct different signedness comparision.

Fixed while working on https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7a13200fd8b92dd90ebc4b6416ef25659df8aa71">7a13200f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test ipa-getkeytab server option

Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25a4acf3ad5964eacddbcb83ddf9f84432968918">25a4acf3</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-04T08:39:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test for OTP when the LDAP connection timed out.

Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/018ee09ccbe7fc0a5b0909592eadd168224b2409">018ee09c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:42:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: if p11-kit provides opensc, don't add to NSS db

p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9a4a6cdd27781573351595e38d38eeadc8ab090d">9a4a6cdd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:42:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: Define the domain used when looking up ipa-ca

The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.

Discovered while working on https://pagure.io/freeipa/issue/8934

Related: https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/826b5825bd644fc69a9bee17626d71fe03cc0190">826b5825</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:44:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: verify that getcert output includes the issued date

certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4c0dcabd6e2163dfa80a4d2a18064824934274fa">4c0dcabd</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-08-04T15:25:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnszone: deprecate option for setting SOA serial

Since IPA 3 [1] SOA serial is managed automatically via autoincrement,
and the option of disabling this behavior was deprecated in IPA 3.3.3 [2]..
As a result, the option '--serial' during DNS zone addition would be
ignored as it is set during the creation. This commit adds a deprecation
warning if this option is used.

[1]: https://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
[2]: https://www.freeipa.org/page/Releases/3.3.3

Fixes: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1d7512495d3e7f933d95707f74a6b6f0aeecd00f">1d751249</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-08-04T15:25:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: expect SOA serial option deprecation warning

Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3">96dd8ac1</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-08-04T15:30:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Look for warning into stderr instead of stdout

In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0526174971017aebfb9d9fcb29c6dde6e67438fe">05261749</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T16:28:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add index for sudoorder

sudorule-mod <rule> --order=<num> does a search for an existing
order and this search is unindexed.

https://pagure.io/freeipa/issue/8939

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ae23e1257478bfee04b08b54f36dda7f5850348">9ae23e12</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-05T14:38:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use krb5_trace in TestIpaAdTrustInstall

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97a2a925348d3bd732e582108feb02d644ba011a">97a2a925</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't assume that plugin attributes and objectclasses are lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e28e45402c7edb007e356a59cf09ed8e10cd14d9">e28e4540</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add suite for testing custom plugins

Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78c48199782743e619463cefa7411817f4fe4a14">78c48199</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pr-ci definitions: add custom plugin-related jobs

Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7fb95cc638b1c9b7f2e9a67dba859ef8126f2c5f">7fb95cc6</a></strong>
<div>
<span>by Chris Kelley</span>
<i>at 2021-08-06T07:57:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse getStatus as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c5b5bc9099fc26b863d7c964e47dbdcd0ff008c8">c5b5bc90</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-08-09T14:53:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix string check in uninstall helper

The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a3d71eb72a6125a80a9d7b698f34dcb95dc25184">a3d71eb7</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-09T14:24:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test ldapsearch with base scope works with compat tree.

Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4062e407d242a72b9d4e32f4fdd6aed086ce005">d4062e40</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-09T14:24:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: skip test_basesearch_compat_tree on fedora.

slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40f76a53f78267b4d2b890defa3e4f7d27fdfb7a">40f76a53</a></strong>
<div>
<span>by Chris Kelley</span>
<i>at 2021-08-09T14:26:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse cert chain as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eac03d6828d0bac1925c897090fc77e250eaee04">eac03d68</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-10T13:50:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Refactor test_check_otpd_after_idle_timeout

Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74">4fdab0c9</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-13T08:14:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test unsecure nsupdate.

The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related : https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c9bc471e063f2865d6423e4f1c9b81e73a45e43f">c9bc471e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-13T08:17:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser

Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/488ac7e3ba9f36d6b187687d120920d2d80d8b7f">488ac7e3</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-08-15T10:01:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files

Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/be3a0f3201bbb060a9d53fb65cbbccf6c7bf9bb4">be3a0f32</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-17T17:48:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clean up the PKI securitydomain when removing a server

PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a417810df5500b5780396ab88d53eaea74f74ccc">a417810d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-17T17:48:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Verify that securitydomain is updated on server-del

For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3cb6b5c801b04922c3a23070e79aab20399d033b">3cb6b5c8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-18T17:56:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors

Signed-off-by: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/da1d543c2bfa9e4acb6fde170e66c88e521ac232">da1d543c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-18T12:03:35-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only call add_agent_to_security_domain_admins() when CA is installed

This allows the RA agent to manage the pki security domain and is
only needed if a CA has been configured. Only call it in a CA-ful
installation.

https://pagure.io/freeipa/issue/8956

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d2df13d8f0e8b417356fef2af7310b75e46e2699">d2df13d8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-19T16:13:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.9.7
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#521b4492ed13326bcb633dcdd0e7a0b876d266aa">
client/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#24d08149069d49a01ad6ec82eec3333757be12bf">
client/man/ipa-client-install.1
</a>
</li>
<li class="file-stats">
<a href="#e5d2277e0d16da52a4ae8ec255fb546233366f49">
client/man/ipa-getkeytab.1
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#aed7da1aaefb30bdb502d8a8a6ded98ff1124f38">
doc/designs/index.rst
</a>
</li>
<li class="file-stats">
<a href="#76d13c50ff815dae36adc97d35e5e0fd02f77e55">
<span class="new-file">
+
doc/designs/subordinate-ids.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#366a97c6d1a374094a2bc5b6ca6e2ecd50bcd28f">
install/share/60basev2.ldif
</a>
</li>
<li class="file-stats">
<a href="#fe86a0a3fe51a214a68de9f2842948d6712d75f3">
<span class="new-file">
+
install/share/60basev4.ldif
</span>
</a>
</li>
<li class="file-stats">
<a href="#bf823330303ca9753bcbe11886fafea4c85dd077">
install/share/60ipaconfig.ldif
</a>
</li>
<li class="file-stats">
<a href="#caf04c57303b16d460d27dfe013cc85ba80217f6">
install/share/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#1b0815535199b14696842a1d17bc4db7b6c9f9ee">
install/share/bootstrap-template.ldif
</a>
</li>
<li class="file-stats">
<a href="#f6a2887a6d571e9aff78eb8f3776a00df89a8c40">
install/share/custodia.conf.template
</a>
</li>
<li class="file-stats">
<a href="#a77f7ea407573540825814f9e8d640a38cadc601">
install/share/dna.ldif
</a>
</li>
<li class="file-stats">
<a href="#5d8bd98d07c830ac6d98fc96d06fb978b7cfdda8">
install/share/memberof-conf.ldif
</a>
</li>
<li class="file-stats">
<a href="#5af9ba1e4beb4c6146293ca736d575434d8ba730">
install/share/profiles/IECUserRoles.cfg
</a>
</li>
<li class="file-stats">
<a href="#9b8ba39e0f6f60e9c18c7d661c09ec526f1d0ff9">
install/share/profiles/KDCs_PKINIT_Certs.cfg
</a>
</li>
<li class="file-stats">
<a href="#45810246cfcfc71513b49a554622b8063ff0142d">
install/share/profiles/acmeIPAServerCert.cfg
</a>
</li>
<li class="file-stats">
<a href="#86054787e794765bfb000469d01e4045b487fa2e">
install/share/profiles/caIPAserviceCert.UPGRADE.cfg
</a>
</li>
<li class="file-stats">
<a href="#f564da5cc756236846a044a525f9c6f64d64dd3f">
install/share/profiles/caIPAserviceCert.cfg
</a>
</li>
<li class="file-stats">
<a href="#a8ec467718e7e7c649043b5ff501ac763003649f">
install/tools/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#3c5f50edcf2a57552e09679a4cc79e374cee8ae4">
install/tools/ipa-ca-install.in
</a>
</li>
<li class="file-stats">
<a href="#b17882789dc4a0b9a3e38eeaf13bcaa5707e4874">
install/tools/ipa-custodia-check.in
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">

<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/e045f118c87346bfab5b5634fd23f3054f082f7f...d2df13d8f0e8b417356fef2af7310b75e46e2699">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.



</p>
</div>
</body>
</html>