<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Timo Aaltonen pushed to branch master-next
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/77674077b4e1e6ff2d2608ad0661704d4a47ac41">77674077</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-04T13:14:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0cb8f065ac7bcf814c4991aeca3be8b590c7b5f6">0cb8f065</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-04T22:31:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Correct SELinux policy requirements

freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.

Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f2bc3f1c5baff68e4c8d5f1e5c38b5647eac4cf4">f2bc3f1c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-12-10T13:44:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">xmlrpctests: remove hardcoded expiration date from test_user_plugin

The test test_user_plugin is using a hardcoded date for
password expiration and started failing since we passed this date.
Replace the hardcoded date with now + 1 year.

Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d1a6886538360fb340eb4423660d11ee4af7e39">7d1a6886</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-10T16:02:51+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches

With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cc51feb106d6dee655c55adb802b3cfdac778fca">cc51feb1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-10T16:02:51+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: provide DOMAIN to the server upgrade dictionary

Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.

Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/184997e85d03c30a34fbe268d1e9f39206178a1e">184997e8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-10T17:39:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">systemd: enforce en_US.UTF-8 locale in systemd units

Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cf30cc3f63fbce2a3ff9c53ae4cd177a3bf4e527">cf30cc3f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-12-10T17:57:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/24f6a36b82d2a8bd8f2283457fcb415e5898a1b1">24f6a36b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-12-10T17:57:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for PKI subsystem detection

Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade

With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.

Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/502d29107a458717b4ae1b3f7b17fb1159e3a135">502d2910</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-10T18:05:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.0rc3

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f5cd9d0792328e0070457a96b8bd32aa365a7892">f5cd9d07</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-10T18:06:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d41bfea4b67701ac2de8a0dc46fe7466423ffece">d41bfea4</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2020-12-17T11:47:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test for IPATrustDomainsCheck with external trust to AD

This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
does not display ERROR

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/184fa80917b120f5aef07e523e993cc012446a84">184fa809</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2020-12-17T11:47:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Modified YAML files

Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2efc44d00266d844cbac26381eea2340a2c8dfe4">2efc44d0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-12-17T14:32:37+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix spelling mistake: filen ame -> filename

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3c965a07f6cca68a039bbaae5d6a54067f5f38c5">3c965a07</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-12-18T17:47:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: make sure dns_lookup_kdc is always true

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Make sure dns_lookup_kdc is always set to true.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/352f2beeb77b3a08fabc94ccb08d0b561b457408">352f2bee</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-12-18T17:47:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: unilaterally set dns_lookup_kdc to True

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2d1594c3c6136559de7df88fb2a9895a3c47463a">2d1594c3</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-18T18:11:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: use predefined filters for wild-card searches

In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.

Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.

Use this change as an opportunity to simplify the code and reduce
number of duplicated filter constants -- if extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.

Fixes: https://pagure.io/freeipa/issue/8624

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06fbb8b42e29de23b9e9ae9e212a9ce39f09e407">06fbb8b4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-18T19:01:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">service: handle empty list of services to update their state

When there are no services in LDAP that have specified states, we don't
need to update their state.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/59432e92a54b2d4881af882b559aa33793c4558e">59432e92</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-18T19:01:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: do not overshadow service module in upgrade_configuration

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/56c8b174d183fe7c4001ec3eb3fab650a0695994">56c8b174</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-18T19:01:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">upgrade: ensure service state is synchronized with the server state

Convert configuredService to either enabledService or hiddenService
depending on the state of the server role.  This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/38cb763d3d981e3f4e45643b805b4f42429359d3">38cb763d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-12-19T11:00:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Debian: Fix paths and service names for bind 9.16

Got changed for 9.16 and up.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/efe767c4a40adce54407502f93a693c9f698e421">efe767c4</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-12-19T11:00:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Debian: Fix chrony service name

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b46fa4e4b30743836b612785031e345fe15ed94f">b46fa4e4</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-12-19T11:00:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaplatform: Use gpg instead of gpg2

'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18721cc83035359a2f7d49cfe09e7f4b1376b090">18721cc8</a></strong>
<div>
<span>by Slava Aseev</span>
<i>at 2020-12-19T11:02:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: handle dates up to 2106-02-07 06:28:16

krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f3a1b4af001bf843fbb07bad0b2b8cc37c49fa66">f3a1b4af</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-12-19T14:49:13+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change mkdir logic in DNSSEC

- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8f6b4a0780c704dfb58675f367ff8bb50e5e1788">8f6b4a07</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/bn_IN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/57b41e0dd587e605dce34241d8e6053ccf43e7a8">57b41e0d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/ca translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b63b5b84213731a3d324aac2988398bcde2111d">7b63b5b8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/cs translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9c166cfca6bc3bbe92bf0a9384b67e95ff70b266">9c166cfc</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/de translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/09f97d2e1e5e6105a44be4e76b1e6570d7093de1">09f97d2e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/en_GB translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/03cf8ffe144e373c70145c01869b0f7e0c4977b9">03cf8ffe</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/es translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b02b0514abe5393f64590436598f8b7a2cc09c4">0b02b051</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/eu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33f4e6588f70aeef415260dd176b77e2c9ea285c">33f4e658</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/fr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fa4ac630669200e84da69f150a6e3304fcc5751f">fa4ac630</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/hi translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9d4d4d278887ad89657c1832eb2486da85968964">9d4d4d27</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/hu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/036c96754dd0dca5cda2ecb07b1514c65c4a73fe">036c9675</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/id translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/12de97fca7600e1d01dc5289387064845043a7b7">12de97fc</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/ja translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/162aa652295a46e1dafbe8102a9d8f3b0b36018c">162aa652</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/kn translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58d201715287ee2784da85d760c88609f0ca9f3c">58d20171</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/mr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5ea6048240cd4dc5add0bb9b09a0c3276d3e0459">5ea60482</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/nl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4bf0a13a85411307d5430a1b5483770f90884c6c">4bf0a13a</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/pa translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ed9eb7c85209717c574fb815629bfcdac7fc6e6">9ed9eb7c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/pl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/970c4050abd6813d0a1817f57be06135b4e7cfab">970c4050</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/pt_BR translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/acd2f3054af5ada3b3efb0f0a035775ffa8452a7">acd2f305</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/pt translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ad37d39ea4ccd7860adc98de11db33e45c92bede">ad37d39e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/ru translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/badd9551f3406109efa24a927ee73ca4861b9413">badd9551</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/sk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1bf4b41f1198388c039292d71c41e131fae3fa88">1bf4b41f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/tg translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/29f797d442b4c9753ed6b789b9bb297df2019d51">29f797d4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/tr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bdb759ac7e23cedc19b91ddd2712ddf4f8bd2648">bdb759ac</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/uk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6c58f825ec84016753c89e8c573d7731181776d4">6c58f825</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update po/zh_CN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4db85bed81ba9a8cca0f34ca067312d15c9f2868">4db85bed</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-19T14:50:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update IPA translation template before release

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e2f9912b78d723441f241abb453971dd78cf5d6e">e2f9912b</a></strong>
<div>
<span>by Vit Mojzis</span>
<i>at 2020-12-19T23:08:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: Fix/waive issues reported by SELint

- order permissions alphabetically
- do not use semicolon after interfaces
- gen_require should only be used in interfaces
-- to resolve this issue, corresponding changes have to be made in
distribution policy instead of ipa module - disabling check

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b3f87196dedbfb207dccb70893f5c1d466e96f7">0b3f8719</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-12-19T23:08:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">set SELinux to Enforcing in gating.xml

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2244a7a2922176c6930a23261883d53c5e0b9c49">2244a7a2</a></strong>
<div>
<span>by Carl George</span>
<i>at 2020-12-21T16:51:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use uglifyjs on CentOS too

Only checking for ID to equal "rhel" causes build failures on CentOS
Stream.  Instead check both ID and ID_LIKE.  This should also work later
on when rebuilds like CentOS Linux get this update.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f8e48863549f387658ed82d00a1a1cffc015084">6f8e4886</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-12-21T22:33:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">set SELinux back to Permissive in gating.xml

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d9bdd3e93048ff4f08c2d53f1fd89b05dcd7861c">d9bdd3e9</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-22T00:12:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests_webui: flip leading and trailing space password test

With commit 809d9cb80f5f4471f125823888f37875aa37809e we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d13d704b9552ab8ec1c7c5428655297fbdbf09c">7d13d704</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-22T00:12:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests_webui: fix wrong user name key for trail space case

User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.

Fix the user name data according to the test.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb42b1097a89c5e863bd4fd1714d5ce84a47b718">eb42b109</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-22T16:17:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">opendnssecinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eae9f0d80c8fe67fdd44a9c772ce2c4234b35ba0">eae9f0d8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-22T16:17:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnskeysyncinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eca22818c911646a111d2257213ee22737e2555f">eca22818</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-22T16:17:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">odsexporterinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
    svc.uninstall()

Thus, service class constructor must not do UID/GID resolution

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a3058d528a0f7a647f5090b4bcd3b2a19e7b54fd">a3058d52</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-23T16:10:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1354031def399ea79d6cbb7ed7e35f707a38f3ec">1354031d</a></strong>
<div>
<span>by Weblate</span>
<i>at 2020-12-23T16:30:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44914cf1faaf3704c55c0ef39fe680e63710d3f0">44914cf1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-23T16:33:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.0

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f">0fd4a893</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-23T16:35:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Get back to git snapshots

Track 4.9.1 development

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c7d1fbad15c5a906ffa261329dd49be048549ed">8c7d1fba</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-23T20:22:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaplatform: add constant for systemd-run binary

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6fe573b3d953913bc94fd06c230703dac70f0e8d">6fe573b3</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-12-23T20:22:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix race condition in finalizer of encrypted backup test

When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.

Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8bc341868f9154a625b7aae2604a7aa7b6cd0696">8bc34186</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-12-23T20:25:21+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix expected error message in test_commands

389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
than in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dd1b596b5711aefd87fd6ec340c3713ee5932425">dd1b596b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-12-23T20:27:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove test_acme from gating

test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed

Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a">27cc011a</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-01-06T16:36:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ipahealthcheck remove test skipped in pytest run

TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.

@pytest.mark.xfail(reason='BZ 1866558', strict=False)

Also changed the assert statement to search text in
stdout_text rather than stderr_text

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2035ba9925ae738d2dbdd1274168cb99a2364db0">2035ba99</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-01-06T16:37:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test for IPATrustControllerPrincipalCheck

This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/286d0680a6d4ae53b79596e545f9291791e36aa5">286d0680</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-07T09:52:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: clear initgroups cache in clear_sssd_cache

The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.

Update the method to also remove this file.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33481a1a58a104502bc941f6e06e448a798a0fa3">33481a1a</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-01-07T11:05:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream' into master-next
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d323cfd5ec78c5df709fbf1ba25bda8edce78638">d323cfd5</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-01-07T11:07:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/420067e108b8803d41e0b3863a7491dbec5184a1">420067e1</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-01-07T11:09:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rules: Build only the client for bullseye.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/956aab357efd013c40c7c3c2cc307a852ef0c7fe">956aab35</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-01-07T11:15:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">drop upstreamed patches
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/068131ea95f9c4948ef5ad98a0685ac3d97dfd81">068131ea</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-01-07T11:29:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rules: ipasphinx files are only built on server build
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/10ba43ad35acecdd1c4b7981db31a90cce1b9fab">10ba43ad</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-07T16:10:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't change the CA profile when modifying request in ipa_certupdate

The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ad1764a1fff885e1c386b0a9f50517b2e0725e03">ad1764a1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-07T16:10:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test that no errors are reported after ipa-certupdate

The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8d7697af269e68e051ce969ae9cc835f5ba6a3b7">8d7697af</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-01-07T16:16:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: do not set dns_lookup to true

dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.

Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f36e518b5704b02b81a4b80a1b84c429594cf5ce">f36e518b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-08T09:47:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add a test for ipa-cert-fix

Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.

Test scenario:
move the date in the future to expire PKI system certificates (+3 years)
delete the directive ca.sslserver.certreq from CS.cfg
call ipa-cert-fix and ensure that the CSR was found

Related: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb711f781322657b0b3d77332f2462ecfb27db95">eb711f78</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-08T09:47:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cert-fix: do not fail when CSR is missing from CS.cfg

When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.

The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.

Fixes: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f2be8a45a1d4baff0074cf4d8c446e3d08db795">7f2be8a4</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-08T09:47:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test_ipa_cert_fix to the nightly definitions

Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.

Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/071b71290601d4a5f6a65adf2b55c34d3865172d">071b7129</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-09T18:09:39+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove invalid test case for DNS SRV priority

Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.

Remove the sorting test for priority of -1.

https://pagure.io/freeipa/issue/8650

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/952b6bdcceda9f460e17075404084f1f3ddb5eaa">952b6bdc</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-10T11:05:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: modify policy to allow one-way trust

In selinux enforcing mode, the command ipa trust-add fails
to establish a one-way trust, during the step fetching the remote
domains.

This step calls a script over DBus and oddjob, that is executed
with oddjob_t context. The policy must allow noatsecure.

Currently the optional_policy is defined in selinux-policy
repo but is ineffective as ipa_helper_noatsecure is not defined
in this repo. When the optional_policy is defined in our own
module, it is taken into account and ipa trust-add succeeds.

Fixes: https://pagure.io/freeipa/issue/8508
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ae744254dd845f9a459601cb8a1468aeaad028a">9ae74425</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-13T17:42:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove virtual attributes before rolling back a permission

On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.

Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.

This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3">bdc383a1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-13T17:42:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test that modifying a permission attrs handles failure

Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f">df411f00</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2021-01-14T10:01:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set client keytab location for 389ds

Handles behavior change in
https://github.com/389ds/389-ds-base/pull/4523

Fixes: https://pagure.io/freeipa/issue/8656
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/753246f4e82af5697ee51bdc7f667959e1824be1">753246f4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-14T10:05:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/dcerpc: use Samba-provided trust helper to establish trust

When establishing trust to Active Directory forest, RC4 is used to
encrypt trusted domain object credentials as an application-specific
material in a secure channel based on AES session key.

In FIPS mode it is not possible to use RC4 directly.

Samba 4.14 and backports to 4.13 in Fedora 33+ and RHEL 8.4+ now
provide a helper that wraps LSA RPC call CreateTrustedDomainEx2.
This helper ensures that in FIPS mode we first check that LSA session
key is AES before allowing RC4 use internally in Samba bindings. Thus,
it becomes possible to establish trust to Active Directory forest in
FIPS mode.

Adopt FreeIPA code to use the helper provided by Samba when it is
available. If neither the helper nor unprotected arcfour_encrypt utility
is available from Samba bindings, fail import of the ipaserver.dcerpc
module.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ab9bf68a4d12c8763c1669d0c14b7771a3289da">8ab9bf68</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-14T10:05:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/dcerpc.py: use Kerberos authentication for discovery

In FIPS mode we cannot rely on NTLMSSP at all, so we have to ensure
Kerberos is used by Samba Python libraries. This is achieved by
requiring credentials objects to always use Kerberos authentication.

Additionally, we have to normalize the principal used to authenticate.
In case it was passed without realm, add forest root domain as a realm.
In case it was passed with NetBIOS domain name, remove it and replace
with a realm. Since we only know about the forest root domain as a
realm, require that for other domains' users a real Kerberos principal
is specified.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3fa07a108030265dc89921a37216a1184e1e7516">3fa07a10</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-14T10:05:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available

We want to always use SMB encryption if it is possible on LSA pipe as we
are going to pass what amounts to a plain-text content within
CreateTrustedDomainEx2 call.

The catch is that older Samba version might not have a way to enforce
this and we need to fall back to work with existing connection then.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca9f8d1c9feda6fd58220f1424970dcca5b730e0">ca9f8d1c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-14T11:08:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: See if nologin supports -c before asserting message

Per the ssh_config(5) man page under ProxyCommand:

"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."

<shell> -c <proxy command>

Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available' so don't assert
in that case. The returncode of 1 is sufficient to know
that the login is denied.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0db289695c8225cad5c17c6a5846ff0a373c3ce6">0db28969</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-15T09:57:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

Modify the test scenario in order to be independent from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.

Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3aeb9b8e40cc526fd5c5162158b9cc5755670f66">3aeb9b8e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:01:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Remove test for minimum ACME support and rely on package deps"

This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ec4511ec12dfeff2cc2f3a23171089bd32c5add0">ec4511ec</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:04:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add missing break statement to password quality switch

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f0de557063b6db143fd0d2ff47b08610edb39706">f0de5570</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:04:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: Change mspac base RID logic from OR to AND

The purpose is to set a default if the RID doesn't match
expectations.

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e">93f8840e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:04:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: Fix logic to prevent NULL pointer dereference

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/df0c2d7e0ca8c3620093a47c9592de4f37e86608">df0c2d7e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:04:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_kdb: Fix memory leak

ipadb_get_principal() allocates client_actual. Call
ipadb_free_principal to release it.

Rather than spreading the free() amongst the code introduce
done as a target to match behavior in similar functions.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a">f6cfbffc</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T14:04:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_pwd: Remove unnecessary conditional

It is already confirmed that item_data is not NULL so there
is no need to check it again.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06ffc7aae7f37bbd03dbd145e30c13f2234ed071">06ffc7aa</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T10:48:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-rmkeytab: convert numeric return values to #defines

This makes it clearer what the return value means.

Replace closing of keytab based on the numeric return value
and do it based on whether the keytab was opened at all.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b380969241b7f28b2aa275ff1a71fdf78912580">7b380969</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-15T10:48:21-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get

The return value of functions managing the cursor in the keytab
were not checked or reported in a consistent way. This should
assure a reasonable error message in case something goes wrong.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ccdecaa984ef6ebcc63d754e896b2229bcba3b88">ccdecaa9</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-01-19T11:27:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update PR-CI definitions for ipa-4-9

Adding PR-CI definitions for gating, "previous" and "latest" nightly runs.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bd3bad88ee4d4535416ad5fc5f97b55a939534ef">bd3bad88</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-19T16:13:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser

389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa ping is executed with an AD user
the error message contains less info than in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/56b84973b9f02e74f2518bd58694b673f88f8d5e">56b84973</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-01-19T17:48:41+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add ccache sweeper files to gitignore

See: https://pagure.io/freeipa/issue/8589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa">41a9cc63</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-01-19T17:51:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Raise log level of 389-ds replication

- change log level for replication debugging
  According to the docs:
  ```
  default level of logging(16384) used for critical errors and other
  messages that are always written to the error log. Messages at this
  level are always included in the error log, regardless of the log
  level setting.
  ```

- always flush the access logs to filesystem
  During the testing access logs may be written with delay, this
  results in logs not being collected by this test node, but, for example,
  by the next one.

- as of now, the changes on `cn=config` are made after the installation
  of server or replica. If an error occurs during these stages, then the
  actual log level will be the default and not as expected.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39">2a86a93e</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-01-19T17:52:47+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test that IPA certs are removed on server uninstall

Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2715fbd4a73115949264298858ed0835fe982164">2715fbd4</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-01-19T17:52:47+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check that IPA cert is added to trust store after server install

Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a207918521b474a39c1689837db146800624af8">2a207918</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-20T15:56:29+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix healthcheck test for ipahealthcheck.ds.encryption

389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.

Fixes: https://pagure.io/freeipa/issue/8670

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1dd4501a9fe1e83964b1f008b91d20b4afe5051a">1dd4501a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-21T13:43:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for cgroup v2 to the installer memory checker

Support both the case where there is a limit imposed on the
container and when there isn't.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/85d944cea13725511973fa00c9db6a1ebeb90efa">85d944ce</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-21T13:43:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test the cgroup v2 memory restrictions

Also rename a few tests to hopefully make their purpose clearer.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34add4a2e091dc7bc6031f8fc6cc80904b1bea20">34add4a2</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-01-22T08:43:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_ipahealthcheck: fix units

df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f8bf37422b7c49a4a39b4704b18158b37ee9ef80">f8bf3742</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: provide correct logon time in MS-PAC from authentication time

When MS-PAC structure is created, we get passed the time of
authentication from KDC. Use this to record logon time in MS-PAC
structure.

Set allow password change time to the last password change. We need to
refer to the actual password policy here in future.

Also use INT64_MAX to represent the resulting value for logoff
and kickoff times according to MS-PAC 2.6.

Fixes: https://pagure.io/freeipa/issue/8659
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/962052a0567b6878843272b1882d0a0b3b2debd1">962052a0</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipasam: implement PASSDB getgrnam call

ipasam already implemented retrieval of groups for MS-SAMR calls.
However, it did not have implementation of a group retrieval for the
path of lookup_name() function in Samba. The lookup_name() is used in
many places in smbd and winbindd.

With this change it will be possible to resolve IPA groups in Windows UI
(Security tab) and console (net localgroup ...). When Global Catalog
service is enabled, it will be possible to search for those groups as
well.

In Active Directory, security groups can be domain, domain local, local
and so on. In IPA, only domain groups are exposed through ipasam because
SID generation plugin only supports adding SIDs to POSIX groups and
users. Thus, non-POSIX groups are not going to have SIDs associated and
will not be visible in both UNIX and Windows environments.

Group retrieval in Samba is implemented as a mapping between NT and
POSIX groups. IPA doesn't have explicit mapping tables. Instead, any
POSIX group in IPA that has a SID associated with it is considered a
domain group for Samba.

Finally, additional ACI is required to ensure attributes looked up by
ipasam are always readable by the trust agents.

Fixes: https://pagure.io/freeipa/issue/8660
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829">2e8eb0f5</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipasam: allow search of users by user principal name (UPN)

lookup_name() in Samba may call PASSDB API to search by a UPN (e.g.
username@suffix). Support this call by detecting '@' in the passed name
and setting up filter to be

  (&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)(krbPrincipalName:caseIgnoreIA5Match:=%s))

instead of

  (&(objectClass=ipaNTUserAttrs)(uid=%s))

The result of the search would still contain a proper user entry as we
always have krbPrincipalName in LDAP entries of IPA users. Note that the
match must be case-insensitive because otherwise krbPrincipalName is
matched with exact case in the schema. We use the same matching override
in KDB driver already.

Fixes: https://pagure.io/freeipa/issue/8661
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e8f927db7da00d1671f871d3b2e89429aec3beb9">e8f927db</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipasam: free trusted domain context on failure

The context is hanging off a talloc memory context passed into the
function so it will eventually be freed. It is better, though, to free
it immediately when we exit from the fill_pdb_trusted_domain() function.

Related: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f103172954c259443f0c5b4ac89474e66cf3a1d6">f1031729</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipasam: derive parent domain for subdomains automatically

[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a
FQDN of the trusted domain. In practice, for a subdomain of a forest, it
would be FQDN of the subdomain itself in the trusted domain entry in the
parent domain. This is reflected as ipaNTTrustPartner attribute in
FreeIPA.

Remove ipaNTTrustPartner from the searches that use NetBIOS name. We
match cn of that entry already.

Use RDN value of the entry to derive DNS domain name in case
ipaNTTrustPartner is missing.

For subdomains, set trust attributes to 0 and trust flags to mark them
as being within the forest. This will trigger winbindd to not ask for
credentials to reach those domain controllers directly.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d706b6f57309ec394df617cecb9a73d021fc2f7">3d706b6f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/dcerpc: store forest topology as a blob in ipasam

winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.

Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc16c2484c1006bc249848383d86ef828abd921a">dc16c248</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use fully qualified name for AD admin when establishing trust

Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce ambiguity

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b53592492879f87465774eb9a4d6c02a8ba26a5e">b5359249</a></strong>
<div>
<span>by JoeDrane</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update ipa_sam.c

fixed typo in debug message on line 4040.

Signed-off-by: JoeDrane <joe@drane.io>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e">c842d4b5</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">trust-fetch-domains: use custom krb5.conf overlay for all trust operations

Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication has to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.

Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.

One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.

'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.

With switch to always use Kerberos to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.

Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.

Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.

Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp.  Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.

Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f63afb4408e308c2ee972a72875525afefa5d54">9f63afb4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-22T21:10:58-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">use a constant instead of /var/lib/sss/keytabs

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc2a52abe256d2de09eafe8a07898b0cbea3404b">dc2a52ab</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-22T21:13:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix expected output for ipahealthcheck.ipa.files

With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).

The test output needs to be fixed accordingly.

Fixes: https://pagure.io/freeipa/issue/8662

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/89eba7d38db2f510554b3365f9d099190ce80c51">89eba7d3</a></strong>
<div>
<span>by Antonio Torres Moríñigo</span>
<i>at 2021-01-26T12:53:36-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow leading/trailing whitespaces in passwords

kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.

Fixes: https://pagure.io/freeipa/issue/7599

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3f3762ef92a809059f196e5553f1c31e9f1180e7">3f3762ef</a></strong>
<div>
<span>by Antonio Torres Moríñigo</span>
<i>at 2021-01-26T12:53:36-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test that trailing/leading whitespaces in passwords are allowed

Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c">16b30cbe</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add design document for using AD users/groups in SUDO rules

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/132d7fb0ed21e2e7cc69366e2141ae69e7864afb">132d7fb0</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">baseldap: refactor validator support in add_external_pre_callback

baseldap.py:add_external_pre_callback() allows to redefine validators
used to validate member names. Originally this was done to allow
hostname validation and reused default validators associated with other
parameter types.

Provide extension of the validator callbacks to allow fine grained
validation strategy. This is helpful in case we want to apply an
alternative validation strategy in case default validator fails.

New validators can be added to 'member_validator' registry in a similar
way to how API objects are registered:

from .baseldap import member_validator

@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
    <validate value here>

Arguments passed to the validator are arguments passed to the
add_external_pre_callback() augmented with the value to validate.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ffc2edf61efccbcbd4294fbc8a8613decea299a3">ffc2edf6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">baseldap: when adding external objects, differentiate between them and failures

It was possible to add external members without any validation. Any
object that was not found in IPA LDAP was considered an external object
and a command such as sudorule could have added it to the list of values
for externalUser attribute.

With member validator support, real external members from trusted
domains can be differentiated from the objects that were not found in
IPA and in trusted domains.

Use information from the ID Views plugin to treat external objects
accordingly. Not found objects will be part of the error messaging
instead.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2">a3563d1c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">idviews: add extended validator for users from trusted domains

Register extended validator for users from trusted domains to be called
through add_external_pre_callback() in sudorules and other plugins.

The callbacks allow to validate user names as following:

 - if user name passes basic user name validator it is accepted, otherwise
 - if user name can be resolved to any user in IPA or in a trusted
   domain, it is accepted
 - otherwise the name is rejected

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/054a068f4705cd715789ceda75fa709404d5f884">054a068f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudorule-add-user: allow to reference users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-user` family of commands.

SSSD uses single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.

Add member type validators to 'ipa sudorule-add/remove-user' family
commands and rely on member type validators from 'idviews' plugin to
resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.

RN: IPA now supports adding users and groups from trusted Active
RN: Directory domains in SUDO rules without an intermediate non-POSIX
RN: group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae">78043bfb</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudorule runAs: allow to add users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.

IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.

Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from 'idviews'
plugin to resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.

RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f4d3c91e7f80659268e006dffa5f064b29b45c98">f4d3c91e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix test_sudorule_plugin's wrong argument use

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a7c56fde7727bfad3f885cf50e21182cdc46024e">a7c56fde</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_trust: add tests for using AD users and groups in SUDO rules

Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.

Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
any relying on the value of this attribute displayed by 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differ by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/64b70be65698b12927795a7a8b79ef7aada010b8">64b70be6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: when talking to AD DCs, use FQDN credentials

Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means the user name used for authentication must be
mapped to a target realm.

We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.

For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/51ca38772f41d3a26a4253a732338d09a69f9647">51ca3877</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-26T16:31:25-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">baseldap: allow rejecting unknown objects instead of adding to an external attr

IPA traditionally allowed to add names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group to be present in a SUDO rule.

With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bb78693405aab603203e60a174b04cd3264e1855">bb786934</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-01-27T09:44:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix discrepancies in nightly defs

- Build is using a prio of 100 while tests use 50, use consistent
values
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cbe7d2258d6c900b2e02b2373e720275d9917316">cbe7d225</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-01-27T09:46:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Don't assume sshd flush its logs immediately

sshd logs are not displayed immediately in journalctl; as a result,
the tests that check the corresponding system logs are racy. I can't
find a way to flush them. So, the best option is to read the system
log periodically.

Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8">2ac8028e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:38:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update contributors list

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857">6f6dd624</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:38:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a1c43ac3c91ae045f402610c88141d7f3d387011">a1c43ac3</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:38:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/hu.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cb583ac18e33698f9bd950490482a722cc993a06">cb583ac1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:38:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/ipa.pot

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a97967ff3b56ba3c3894a5aadffbef68961b3581">a97967ff</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:38:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/uk.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb">aa58fad8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:53:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.1

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9690659ddf57e32a9255d8eed8d27b3ffa8a90cf">9690659d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-01-27T10:55:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5517aa691805cccfa4d19a28a6dbf3319845c4a6">5517aa69</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-01-27T16:26:47-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix collecting log files which are symlinks

One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default, which results in either a broken link in test
artifacts or a symlink pointing to a local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that the actual file
pointed to by the symlink is stored in test artifacts.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0d9f988f5eb5f07965582b84f1b3ac812125b63f">0d9f988f</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-01-29T22:32:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: rewrite test for requests routing to subordinate suffixes

The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
  actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
  from checking original issue in case AD domain name did not match this
  hard coded value
* Invocation of commands on AD controller was failing in some environments

Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions

Related to https://pagure.io/freeipa/issue/8554

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c48897ed1700725d3cd07a4a106e40f62d76c47">2c48897e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-01-31T14:57:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix cert_request for KDC cert

ca_kdc_check() expects an API object, not an LDAP connection. Issue was
introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.

See: https://pagure.io/freeipa/issue/6739
Fixes: https://pagure.io/freeipa/issue/8686
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5ab290a048d34b03821716b1606f9a33f62964d9">5ab290a0</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-01-31T15:02:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ensure that KDC cert has SAN DNS entry

The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b71c0c678430c38cbd22663cbf48229a23f19c8e">b71c0c67</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-31T15:07:57+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Report the NSS database directory if it cannot be opened

If the system lacks DBM support and an older database is
opened then an exception is raised. Include the directory in
the exception so it is clearer which database cannot be opened.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/348d4eef6f974c75cb546fc690bb3a20a789de28">348d4eef</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-31T15:07:57+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ignore database errors when trying to extract ipaCert on upgrade

If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.

We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f1849e74a7c81213ec658058aec97033c84e038">7f1849e7</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-01-31T15:07:57+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update NSSDatabase DBM test on non-DBM-capable installs

The string was updated to include the directory for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6eff5b9527d5d187922eed6f569d3e63d67e094d">6eff5b95</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-01T14:33:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide more detailed logging around memory detection

This should make it easier to troubleshoot low memory installation
failures from the logs.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5fb0cc43eab329e8cb0020ca96f70a05fa9bb4bd">5fb0cc43</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-01T14:33:45-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only build the UI with uglifyjs on RHEL 8

The previous expression tested for RHEL or RHEL-like
systems to use uglifyjs. Tighten that up to only RHEL 8
so future RHEL can use rjsmin.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8a4cf2187a6298a46b52ba12ff04648b73f8dd56">8a4cf218</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-03T08:58:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-sam: return NetBIOS domain name instead of DNS one

[MS-NRPC] section 2.2.1.4.11 requires that the structure
NETLOGON_VALIDATION_SAM_INFO has the same values as defined in the
KERB_VALIDATION_INFO structure from [MS-PAC] section 2.5.

Samba's netr_SamBaseInfo.domain_name corresponds to
KERB_VALIDATION_INFO.LogonDomainName and must be a NetBIOS name of the
domain, not a DNS one.

Failure to provide NetBIOS name here actually breaks
netr_LogonSamLogonEx call issued by IPA-enrolled Samba domain member
which is confused by the returned value:

[2021/01/30 16:36:36.636010,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c: 175(add_trusted_domain)
  add_trusted_domain: SID [S-1-5-21-3342930694-1632731913-1318603033]
  already used by domain [INTERNAL], expected [internal.example.test]
[2021/01/30 16:36:36.636050, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c:362(add_trusted_domain_from_auth)
  add_trusted_domain_from_auth: Adding domain [internal.example.test]
  with sid [S-1-5-21-3342930694-1632731913-1318603033] failed
[2021/01/30 16:36:36.636060,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
  winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
[2021/01/30 16:36:36.636079, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd.c:814(process_request_done)
  process_request_done: [smbd(1650):PAM_AUTH_CRAP]: NT_STATUS_LOGON_FAILURE

Fixes: https://pagure.io/freeipa/issue/8636
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/85674f16a18a6d4917dcf56330dc122902b53475">85674f16</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-02-03T09:02:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test if server setup without dns uninstall properly

IPA server uninstall was failing if dns was not setup.
This test checks if it uninstalls properly.

related: https://pagure.io/freeipa/issue/8630

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/29377901f7bc74baceda1bf42617dd69dacf10a2">29377901</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-02-03T17:41:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add a tests-oriented wrapper for pexpect module

The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1c15447e1345a3c93932e70dea1177f6a42fb2d4">1c15447e</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-02-03T17:41:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use pexpect to invoke ktutil

`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where the `readline` library has a version less than 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with spawned process instead of simply sending all input
to stdin.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34d72d16ee3ac4e3979eed5be7ddf31997a485b8">34d72d16</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-02-03T17:41:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use pexpect to control interactive session of ipa-adtrust-install

During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the process's stdin without analyzing the questions.

If the installation scenario changes at some point we can get one of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
  in this case scope of test case changes without being noticed

If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters an unexpected question.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5a1ad476e04859e68809435a8098beef1d38c76d">5a1ad476</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-04T01:22:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client: synchronize ignored return codes with ipa-rmkeytab

Refactoring ipa-rmkeytab with commit
f3f9672d527008dc741ac90aa465bac842eea08d led to new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in the past error code 3 was returned.

Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b99bc2d8b1e5226f61a7c980cfb7576dac222466">b99bc2d8</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change CA profile migration message from info to debug

This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4d26ce5061c5b7f9383286a108fc48b19b5bc65a">4d26ce50</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use the new API introduced in PKI 10.8

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ddb5414d56f57fdd18ad66fbc6a53410725dd9cd">ddb5414d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipactl: support script status 3, program is not running

Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87ede26cc2bcbe543cb970a5e55cf1901791a100">87ede26c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ensure IPA is running (ideally) before uninstalling the KRA

The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/302f9377e5c760bcf38be2b0503915ccadef8b67">302f9377</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add exit status to the ipactl man page

The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/00226adaa68935fbc1d85508eadafa420027edb5">00226ada</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-04T14:14:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Handle non-zero return code in test_ipactl_scenario_check

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b64a4e8ad5563030650f6d293d4b0537d72cd2c">2b64a4e8</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-02-04T14:29:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update samba configuration on IPA master to explicitly use 'server role' setting

The default for this setting is 'auto', which may affect
IPA Samba configuration on future Samba versions. By explicitly
setting this parameter in the template, future manual
intervention is prevented.

Fixes: https://pagure.io/freeipa/issue/8452
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44762369fb05b67855a8dc81d647c8880d642902">44762369</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-05T09:05:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnssec: fix the key type with OpenDNSSEC 2.1

The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
        strftime('%s', REMOTE.keypairs.generate)
        ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
        ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
        ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dd21d068cb4500b0d8a8af14b0371f95cc40c974">dd21d068</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-05T09:05:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add a test for ZSK/KSK keytype in DNSKEY record

When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.

Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a51892ab9688b6bc5282098a426003932462549">2a51892a</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-05T09:05:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">OpenDNSSEC: fix timezone in key creation date

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b784e1f8d4e393e31616430f74ccc3d158418619">b784e1f8</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-08T09:53:21+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix ipahealthcheck fixture _modify_permission

The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.

When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.

The fix consists in calling 'stat -L' because the command follows
links.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
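<li>
<div>
Added example, not part of the FreeIPA commit above or of the ipatests code: a shell sketch of the save/modify/restore pattern that commit b784e1f8 describes, showing the final mode of the target file when the saved mode is read with 'stat' versus 'stat -L'. The file and function names are hypothetical, and GNU coreutils 'stat -c' on Linux is assumed.
</div>
<pre>
```shell
#!/bin/sh
# Constructed demo: a permission fixture that saves a mode, changes it and
# restores it must read the mode with 'stat -L' when the path is a symlink.
# Assumption: GNU coreutils stat (the -c format option) on Linux.

# Create a scratch directory holding a 0600 file and a symlink to it.
# Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    touch "$dir/target.conf"
    chmod 600 "$dir/target.conf"
    ln -s target.conf "$dir/link.conf"
    printf '%s\n' "$dir"
}

# Mode of the path itself; for a symlink this is the mode of the link.
mode_nofollow() {
    stat -c '%a' "$1"
}

# Mode of the file the path resolves to.
mode_follow() {
    stat -L -c '%a' "$1"
}

# Save the mode with the given reader, modify it, restore it, then print
# the mode the target file ends up with.
#   $1 = name of the reader function, $2 = path handed to the fixture
save_modify_restore() {
    reader=$1
    path=$2
    saved=$("$reader" "$path")
    chmod 644 "$path"        # chmod follows the link and changes the target
    chmod "$saved" "$path"   # restore step, also applied to the target
    mode_follow "$path"
}

# Run both variants against the symlink and print "buggy fixed".
run_demo() {
    d=$(make_fixture)
    buggy=$(save_modify_restore mode_nofollow "$d/link.conf")
    chmod 600 "$d/target.conf"   # reset the target before the second run
    fixed=$(save_modify_restore mode_follow "$d/link.conf")
    rm -rf "$d"
    printf '%s %s\n' "$buggy" "$fixed"
}

run_demo
```
</pre>
<div>
With the link's own mode saved, the restore step leaves the 0600 target world-writable; with 'stat -L' the original mode comes back.
</div>
</li>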
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8d30629801a88a8f03c94f2274ed93a1ff0a38be">8d306298</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-09T09:40:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ipactl status now exits with 3 when a service is stopped

Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).

Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f05ee29d10f2be294d707bd34bfc8399c06b63c5">f05ee29d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Change FreeIPA references to IPA and Identity Management

In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e35bec9a5214a836d938eae6c577a4f33fe5e4f9">e35bec9a</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove support for csrgen

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1478db894844ca4527e0017a7204d4d6f5695752">1478db89</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove references to rjsmin in UI compile.sh

It specifically referenced using Python rjsmin while the
actual script would pick the minimizer based on the underlying
distribution.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/de3510211537f116a097d1212d2586f4b0726467">de351021</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't install csrgen extra dependencies

See: https://pagure.io/freeipa/issue/8669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d00ad4b767eb17e218e03544aa53881c9333330">7d00ad4b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d8398815b10c53e678d96ea31afc9a0eb671f57b">d8398815</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cf054fc169879fcd3987b97ccec163402c706392">cf054fc1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e77d68900a1e8d0476670b0d59b13cea6e1b7f80">e77d6890</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation po/id.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/12d92fe517504ac9bec2d76bc15e7303af2f89e5">12d92fe5</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation after FreeIPA to IPA change: po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc9652107e4424f0567bc5a010cad15047db7212">fc965210</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation after FreeIPA to IPA change: po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/936f98e93e43f1e30d3109d37009654db349a241">936f98e9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-09T09:48:23-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Force-update translation after FreeIPA to IPA change: po/ipa.pot

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dffe69573e1ee5a14af12d83c9c86084cfa3a58d">dffe6957</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-10T08:21:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add RHEL 9 UI branding patch reference

The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/55180f6e9141bca391a7e2c9d9727948624c307f">55180f6e</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-02-10T08:23:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">configure: ipaplatform falls back to ID_LIKE

The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.

CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.

Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ca2797eaca963fe94f7396353569f7f8ed6d09d">7ca2797e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-11T12:45:33+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_installutils: run gpg-agent under a specific SELinux context

system_u:system_r:init_t:s0 cannot execute gpg-agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45d7d15c1186bc563393ae0bf131ccf94b1d12c4">45d7d15c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-15T10:01:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cert plugin: propagate the error for non-existent cert

ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS

Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'

Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/55c7e2121ea78eec102560d176ccb2c74146caf7">55c7e212</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-15T10:01:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">xmlrpc tests: add a test for cert-remove-hold

Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold

Scenario 2:
call ipa cert-remove-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'

Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4f63dc994522243fde1cb932f6a8b5a26a171933">4f63dc99</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-02-15T10:02:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: change FreeIPA naming to IPA in About dialog

As part of the effort for reducing differences between
upstream and downstream releases, product naming in WebUI
About dialog is changed from FreeIPA to IPA.

Related: https://pagure.io/freeipa/issue/8669
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a16dc59447bceab9df7d0597e81af2f1a525ce4c">a16dc594</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-15T13:11:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set the ACME baseURL in order to pin a client to a single IPA server

ACME uses nonce values to prevent replay attacks. Since the
ipa-ca name can go to any of the IPA servers in order to verify the
nonce the servers need to know the value that was set which
relies on replication. Sometimes the client is faster than
replication so a request can fail.

This change returns the baseURL to the client as the name of the
ACME server during discovery which should pin all requests to this
one IPA server and alleviate the replication issue.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31061c60af065d7251a7aaf6d5c93e86434d12f2">31061c60</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-15T13:11:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add versions to the ACME config templates and update on upgrade

Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6526ab48a36b068de1970a2685dcedcf4b278bd3">6526ab48</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-15T13:11:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add some logging around initial ACME deployment

From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/63b14839aff23db7977decbeb742949bd05a8219">63b14839</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-02-15T13:47:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Populate containers with self-AAAA records

IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function (`ipaserver.install.installutils`),
which in turn, relies on NSS.

In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/151fa5040af0f044fe7bf0154c2dcfc58506a499">151fa504</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-02-15T13:47:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check

This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b11a7ce5542fae4d3d2ab0584d3dfe0f67ef617">0b11a7ce</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-02-15T13:47:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpm-spec: Require crypto-policies-scripts

`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/602a4fa321560c69407d1c6d0a04f190a5350038">602a4fa3</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-02-15T13:52:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudocmd: ensure command doesn't contain trailing dot before adding it

Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.

RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/029daa5ffad5ee5f7be9c3661d88c98fe20398cb">029daa5f</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-02-15T13:52:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test addition of invalid sudo command

Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b290bc12b25938db5e29b7742989a1a0c99f15f4">b290bc12</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2021-02-15T14:24:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix ipa-client-samba.1 typos

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9872610f7df6576813715f5de239957042ca2c9d">9872610f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-15T19:06:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove the option stop_certmonger from stop_tracking_*

This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9854c399da83a30259ccec9cf9277ffd97f7cd67">9854c399</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-15T20:29:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update expected error message

With commit ec6698f, the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d1313a595d63ced25b2df029029ef501e88ea596">d1313a59</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-15T20:35:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: update translations template

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/66ffc9a612e932578b609061a5f1b38fc1c46c50">66ffc9a6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-15T20:36:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: refresh translations to remove outdated strings

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34600a0ecac3ad3fbe7b7b5767c3a4c1a455dc45">34600a0e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-15T20:38:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.9.2
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/811d130c66880208a244741b90a5e6de2429004a">811d130c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-15T20:40:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b590dcef10680b4ea3181ae1caec183e5967562b">b590dcef</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-02-16T12:51:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add TestInstallWithoutSudo

Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0c2741af9f353d2fbb21a5768e6433c0e99da0e9">0c2741af</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-02-16T12:51:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: tasks: handle uninstalling packages with nodeps

Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.

Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe157ca349e3146a53884e90e6e588efb4e97eeb">fe157ca3</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-02-16T12:51:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: output a warning if sudo is not present

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e">ee0ba2df</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-02-16T12:51:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: client: depend on libsss_sudo and sudo

On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/584151d1277f60e1db116992fbd98f3421391254">584151d1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-19T08:39:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Suppress error message if the CRL directory doesn't exist

If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.

Related: https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f1e12c75f12a739599c07ffe88aea82df635fabd">f1e12c75</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-19T08:39:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't double-report any errors from pki-spawn failures

The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.

Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:

"During handling of the above exception, another exception occurred"

The handling is in fact expected.

This changes the user-facing installer output from:

  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n    raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

to

  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.

Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.

https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b25cd3241a5609b4d903d5697b8947fab403c90">6b25cd32</a></strong>
<div>
<span>by Kaleemullah Siddiqui</span>
<i>at 2021-02-19T08:42:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: error message check in uninstall log for KRA

This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.

related: https://pagure.io/freeipa/issue/8550

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe4b1545b6f288f10aa11f4dd8ff32b14d337fc1">fe4b1545</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-19T08:44:08+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove a remaining file used with csrgen

This file was missed in the first pass to remove support for
csrgen.

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1">6d7b2d7d</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-02-19T16:14:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: skip tests for AD trust with shared secret in FIPS mode

Related to https://pagure.io/freeipa/issue/8715

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2fae28f974ccdbcf021cb506b31761cf04547c64">2fae28f9</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-22T23:55:41+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: fix inconsistent-return-statements

pylint 2.7.0 now emits inconsistent-return-statements if one of the
try/except statements is not returning explicitly while the others do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1bcacd800a4fdba3899bf1358bc532e717ad335c">1bcacd80</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-23T13:19:18+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update PRCI templates for ipa-4-9

The new templates include updated versions of pki and 389ds.
- pki 10.10.3-3
- 389-ds 1.4.3.18-1 on fc32 and 1.4.4.12-1 on fc33

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a0626e09b3eaf5d030982e2ff03e95841ad1b4b9">a0626e09</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-23T16:05:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cert-fix: Don't hardcode the NSS certificate nickname

The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.

Instead pull the nickname from the DS configuration and
retrieve it based on that.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/660507fda2394b17d709c47a05ce5df548a47990">660507fd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-23T16:05:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test third-party 389-ds cert with ipa-cert-fix

ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4cb6f0ba0df928eea60b20892a6fc85373627946">4cb6f0ba</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-23T16:05:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set pki-core dependency to 10.3.3 for pki-server cert-fix bug

Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f3463728f2196589d36e14cedccb26c03730a7c0">f3463728</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-02-23T16:05:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't renew non-IPA issued certs in ipa-cert-fix

If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.

Report which certificates will not be renewed so the
admin can manually do so (likely in the event of a
third-party certificate).

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/026e0ca89b48d0d2aa948c9769e6b7701906b13c">026e0ca8</a></strong>
<div>
<span>by Troy Dawson</span>
<i>at 2021-02-23T13:18:36-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">platform-python only on RHEL8

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1c1c469fc94b3c6b26a73173bfba7698108ec69c">1c1c469f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-02-25T18:41:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: bump the required version of 389ds

In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f2b1b5b07c1b7e813ee5dbe342ff24ebbc939bb9">f2b1b5b0</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2021-03-01T15:06:31+11:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired.  'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.

This heuristic is a bit too optimistic.  If 'pki-server cert-fix'
fails and returns nonzero due to some other, more serious error
(as has been seen in the wild[1]), 'ipa-cert-fix' continues then
fails later with a more confusing error, for example:

    [Errno 2] No such file or directory:
      '/etc/pki/pki-tomcat/certs/27-renewed.crt'

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586

Improve the heuristic by also checking whether output files
corresponding to all of the "extra" certificates that we asked
'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates.

Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/80ccac79b9d123e158a5ba60f9853611d0854188">80ccac79</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-01T15:37:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test Samba mount with NTLM authentication

Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/20bb855a57080145d0d5555294381c890ef605bb">20bb855a</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-02T11:52:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver: don't ignore zonemgr option on install

Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.

Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/82043e1fd052618608d3b7786473a632478795ee">82043e1f</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-02T11:52:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check that zonemgr is set correctly during server install

Add test to check that zonemgr is correctly
set when installing IPA server.

Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2832810891acfaca68142df7271d6f0a50a588eb">28328108</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-02T13:44:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: do not use OpenLDAP functions with NULL LDAP context

Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.

ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/8681

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0da9de495ca41a1bf0926aef7c9c75c3e53dcd63">0da9de49</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-02T13:44:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: fix compiler warnings

There are a few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.

In the same way, SID structures have their own requirements.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c7ce801b590e29263e9b1904995c603735007771">c7ce801b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-02T13:44:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: add missing prototypes

On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.

We also default to -Werror=implicit-function-declaration

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f340baa4283c76957d9e0a85896c7fa3a994bba6">f340baa4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-02T13:44:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: reformat ipa_kdb_certauth

Add prototype to the exported function

Replace few tabs by spaces and mark static code as static.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2968609fd9f8f91b704dc8167d39ecc67beb8ddd">2968609f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-02T13:44:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: mark test functions as static

No need to define missing prototypes to single use test functions.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459">7f30ddb1</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-02T13:52:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test if ipa-cert-fix renews expired certs

Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. These certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/36a60dbb35cb4429f00528f79bec8b7982a30c74">36a60dbb</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-02T13:52:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move fixture outside the class and add setup_kra capability

Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2">c84e0547</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-02T13:52:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test if ipa-cert-fix renews expired certs with kra installed

This test checks if ipa-cert-fix renews certs with kra
certificate installed.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/260fbcb03297ef1ed5418b16c0df0587d2989b22">260fbcb0</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-02T13:52:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update nightly definition for ipa_cert_fix suite

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f6204b0d5e6f82827249e09ff2e4598ea4e7f69e">f6204b0d</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-02T18:50:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-manage: always display nsds5replicalastinitstatus

If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/85484d312cf0e9da563ea97166ea24dfd6833702">85484d31</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-02T18:50:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-replica-manage: handle missing attributes

If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5f2f97a698fc8278b3bc908e9bfc0d452575afa5">5f2f97a6</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-02T18:50:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipalib/util.py: add print_replication_status

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25cbae4d0248fd289fb9cc6dbe55ca8fd88b5513">25cbae4d</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-02T18:50:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-csreplica-manage, ipa-replica-manage: refactor

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/caf748860860293e010e695d72f6b3b3d8509f8a">caf74886</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-02T18:52:27+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use whole date when calling journalctl --since

The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.

The fix provides a complete date with year-month-day hours:min:sec.

Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c5b70643d5408fbe5aae1135392842824b1e49d">2c5b7064</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: collect config files for NetworkManager and systemd-resolved

Those config files are valuable for debugging issues related to DNS
resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a394c6a016b21c5427fce9bad81f4c718ddeb45">1a394c6a</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add utility for managing domain name resolvers

Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:

* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution

Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:

* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
  systems with NetworkManager and systemd-resolved.

This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved

For each resolver manager the native way of configuring of nameservers is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.

The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.

The Resolver class (and its subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/64f2a408ef5bc408c7c99a224c596dcf68037dd7">64f2a408</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: setup resolvers during replica and client installations

Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f5d7f85b9280e6a0fae942e25e47db5e16ae49e4">f5d7f85b</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: do not manually modify /etc/resolv.conf in tests

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/28af45425ba2612cc0e2e612768b74bc0314d242">28af4542</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: disable systemd-resolved cache

systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b3abb2c696afeccd1f6eb8d3235d999cee53dfca">b3abb2c6</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: mock resolver factory

test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b0ee8e00aaad8d89baf3a751dd0f55f405d66394">b0ee8e00</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: always try to create A records for hosts in IPA domain

Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1ca7cb6585828312864eae6f5264e313be697bbf">1ca7cb65</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-04T20:00:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: do not configure nameserver when installing client and replica

When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cf80bb33baa79ba93987ee7e63109ece4b37bbd0">cf80bb33</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-05T08:42:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ccache_sweeper: Add gssproxy service

The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/99a65e3e720d0de94abfcbfa1c2619a709d3c8db">99a65e3e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-05T08:42:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cleanup: Drop never used path for httpd's ccache

`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this nonexistent path. It is safe to
drop all references for `HTTP_CCACHE`.

As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.

[0]: https://github.com/freeipa/freeipa/commit/d2f5fc304f1938d23171ae330fa20b213ceed54e
[1]: https://github.com/gssapi/gssproxy/commit/0e1b4a0c8400f1c9c6cc4915942a8df47e0c1410

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9fb266882ea824f8b77bf1f049462850cdbdc4fe">9fb26688</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-03-05T10:40:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test to check sosreport collects healthcheck.log file

This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if it's not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fbbfce1151b6c7dd95dea1a2438cd11c1b22e7b7">fbbfce11</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-05T13:47:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix expectation about GSS error in test for healthcheck

As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained(GSS_S_CRED_UNAVAIL->GSS_S_NO_CRED).
To be compatible with previous versions of krb the new expected
error message has been added.

Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0dfd4b7ea38ffd6f8fe7a57660ef36b225fb377a">0dfd4b7e</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-03-09T12:47:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update gating to Fedora 33

Bump template image to include updated packages.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cc3e3cd849f0dafed4ebc63dafe4cfdacd48ffe5">cc3e3cd8</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2021-03-09T16:50:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix lgtm file classification

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9cfcbc67e12c2ce6e98d3ed1645bc592a573199e">9cfcbc67</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-10T09:31:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnssec: fix ipa-ods-exporter crash when master key missing

When a master key is missing from the local HSM, ipa-ods-exporter crashes.
This can happen when the DNSSEC master role is moved from one node to
another with the following scenario:
- install server1 with dns + dnssec
- install server2 without dns
- disable dnssec from server1
- install dns + dnssec on server2

With the above scenario, server2 never had the opportunity to get
the master key (this happens only when the replica is already
configured as DNS server and has put its public replica key in LDAP +
the current DNSSEC master wraps its master key with the replica key).

ipa-ods-exporter can only log an error instead of crashing.

Related: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7616f1dad2b478c5e4f850587da1bd4e52108fa1">7616f1da</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-10T09:31:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnssec: concurrency issue when disabling old replica key

When dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to local hsm. The op fails as there is already the key
in the local HSM.

The error can be ignored, ipa-ods-exporter simply needs to log a warning.

Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3ce45cec0973e88d76de6d7e16d0fa3116784c8c">3ce45cec</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-10T14:44:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use proper template for TestMaskInstall

TestMaskInstall is a usual integration test and should
install freeipa server during test run.
"ipaserver" template provides pre-installed freeipa server and
is intended for use with webui and xmlrpc tests.

Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a63c6e0252ba82233839ad33ca9331be2b7aba95">a63c6e02</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-10T14:46:23+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: synchronize with Fedora for 389-ds and PKI versions

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
  operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609

- Dogtag PKI adapted to work with 389-ds with the fix,
  https://github.com/dogtagpki/pki/issues/3458

FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.

RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.

In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.

Fixes: https://pagure.io/freeipa/issue/8705

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f6aac4d5cb9e2d724b71f8445a43e3c103a3f402">f6aac4d5</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2021-03-11T10:04:02-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update 10-ssh-key-management.rst

Removing conclusion statement since we now have more than 10 units.

Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/061e0b63ef3a72ba3261b42ec5f2ce290070c613">061e0b63</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-17T08:41:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: output a warning if sudo is not present (2)

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b917833fdd62cce2fd72809fd5c963194efba3e">4b917833</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-03-17T08:41:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check for the "no sudo present" string absence

When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b8de48f1cce81277e63c104adc6c5f485e70418">1b8de48f</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-17T10:32:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: introduce wait_for_replication in test_rolecheck_Trust

Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.

related: https://pagure.io/freeipa/issue/8553

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5221f4c2a08094e15f516bbef8a722c0869ba53a">5221f4c2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-17T20:08:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: filter_users belongs to nss section

In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.

Fixes: https://pagure.io/freeipa/issue/8747

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab23ecdad53d2095d9534a4c941dab7e205f286c">ab23ecda</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-18T08:30:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating

The test was temporarily removed because of a known issue
but the issue is now fixed.

Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5af574326bd60c52ddcaf7f7cfe73f4e810bc04a">5af57432</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-18T08:30:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic

The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".

Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/462dc75f8ea3435a42ad80e8fbbbe3092c706637">462dc75f</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-18T15:36:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: return result of kinit_as_user, pass raiseonerr parameter

Similar to kinit_admin, this allows to check for error values returned
by kinit.

Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/643a70a2442702d23492823ae1809d5dc392289d">643a70a2</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-18T15:36:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for kdcproxy handling reply split to several TCP packets

This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
  When the reply from AD is split into several TCP packets the kdc
  proxy software cannot handle it and returns a false error message
  indicating it cannot contact the KDC server.

This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets

This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
  them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
  single 88 port we now block all outgoing traffic except few essential
  ports
* add basic tests for using kdcproxy to communicate between IPA client
  and AD DC.

Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/305d6f227fd28eee16c817c5eb32a3d33a94153d">305d6f22</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-18T15:36:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update prci definitions for test_http_kdc_proxy

the new tests require an AD instance

Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e880d38beb95cd15311d49c8a1e748d5dfe45ca6">e880d38b</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-23T08:37:57+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend logging to include execution time

Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.

Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44d7cce3a032b7b793708a84198414fba8a276bd">44d7cce3</a></strong>
<div>
<span>by Jan Pazdziora</span>
<i>at 2021-03-23T10:17:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Avoid comparing 'max' with 'max\n'.

Fixes https://pagure.io/freeipa/issue/8764.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/339152c1ca5e0d3b7f11a03390003a57328d0d6d">339152c1</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-24T08:20:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Enable certbot test on rhel

With this change, certbot test will be running on rhel.
certbot is not available on rhel through repository.
Plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60389f538429c943d7b1056a3743faae2eecc59d">60389f53</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2021-03-26T10:57:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle multiple AJP adapters during upgrade

In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.

Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.

This patch benefits IPA in the scenario when:

 1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
 2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
    resulting in split IPv4/IPv6 adapters -- this would only happen
    on a direct migration from 8.2 -> 8.4
 3. ipa upgrade script then runs to provision an AJP secret value for
    use with both Dogtag and IPA.

Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d3e4bd9ec450c6ea5285c76fee60a7c6601b58f3">d3e4bd9e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-03-26T10:57:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow overriding is_newer_tomcat_version()

This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/16fbe095ff54e4b560a81c0cc0453c939f2c58a8">16fbe095</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-03-26T10:57:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test secure_ajp_connector works with multiple connectors

There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.

The Apache password will be updated if needed elsewhere in the
upgrade process.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8defcb0cee32eedda28a0adb6d7745c6fbdbf355">8defcb0c</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-03-26T10:59:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Don't rely on certmonger's assigned request id

There are failures observed in test_rekey_keytype_DSA(test_cert.py)
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.

This fix assigns the request id with -I option to command (and make
use of existing fixture) and get the file name by grepping the
certmonger's directory with specified req id.

fixes: https://pagure.io/freeipa/issue/8725

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b70e30dbf011fd918c4f2955dda0fc2bc12a35ea">b70e30db</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-03-26T18:14:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Uninstall without starting the CA in cert expiration test

Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.

This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
successful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.

This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d15e577bc1b6f9d98b1ac424d1c0df4ef9839c91">d15e577b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-03-26T18:14:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase timeout for TestIpaHealthCheck to 5400s

During development of a fix to work around certmonger effectively
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8272da74041330b500425847b8f4dc84aba01b56">8272da74</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-29T11:09:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adapt redhat ipaplatform to RHEL9/ELN

On RHEL8, ipa is using named-pkcs11.service but RHEL9 is based on
fedora34 and uses named.service instead. There is already some support
for this distinction in ipaplatform, and the patch relies on the
specific settings that can be configured in ipaplatform/xx/services.py
and ipaplatform/xx/constants.py

On RHEL9 ipa also needs to define NAMED_OPENSSL_ENGINE for named
to use openssl's pkcs11 engine.

Fixes: https://pagure.io/freeipa/issue/8753
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c441397b33fad0b5d03561763851efb6bcff4643">c441397b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-29T13:55:19+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">configure: Make rpmlint optional

Distributions may want to run comprehensive fastcheck or lint tasks,
but rpmlint tool is mandatory for these targets while some platforms
don't have it at all.

With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.

Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c38c57f77a455d6e5c257d4397011157f4f33e3">8c38c57f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-29T13:55:19+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Run rpmlint on Fedora

Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/39153f9b8a9af7537cd594e5d708abecef9217c8">39153f9b</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T13:56:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return nsaccountlock in user-add as boolean

The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.

Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cfff1f6710e1c0a857e913c8545b9a4b0a0e05f9">cfff1f67</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T13:56:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: expect boolean type for nsaccountlock in user module

user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.

Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/28d310d5b0f84d5769c2ccada7ab48c6138b14de">28d310d5</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T14:00:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enhance error message when adding non-posix group with a GID

Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.

Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d8bc3e401ea83d845ce11b19d9b14e28676a9a33">d8bc3e40</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T14:00:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for group creation with GID and nonposix option

Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3dc58965fa7ba6080ba0c281567ac6d9b211953e">3dc58965</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T14:51:48+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow multiple permitopen/permitlisten in SSH keys

SSH keys allow to have multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.

Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc799a5f9602099be048abda319023cda9d466c7">dc799a5f</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T14:51:48+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for multiple permitopen entries in SSH keys

Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/74638edb4387b570b545f0c0e3067a3fc10c703b">74638edb</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-29T14:53:18+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa passwd: make help for `--otp` option clearer

Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.

Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f0c4830d0d53fda99e4a856099019efea11b177">9f0c4830</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-29T18:25:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: allocate pseudo-terminal only for specific command

While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c52cf2130ac9610bb5ad9a964ff8ea6b86f86227">c52cf213</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-03-29T18:25:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: log command spawned by pexpect

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c9ed627288a5319719b94dc9b8c0fea692a827b4">c9ed6272</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-03-30T09:56:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update expected message

The test TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
is expecting a specific message for the RIPluginCheck
but the message has been updated to fix
4656 - Remove problematic language from UI/CLI/lib389
("enable referint on all suppliers" instead of
"enable referint on all masters").

Shorten the expected msg so that it fits both situations.

Fixes: https://pagure.io/freeipa/issue/8779

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/380336d6d26228c237c1ef7e7e61ed472fd66e0d">380336d6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Make it possible to pass additional Pytest args

Some tests require their specific Pytest args. With this change
they can be specified in tests definitions.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/adc4d8d7f674d159ea8f17395013859474af3290">adc4d8d7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Show disk usage

Collecting disk usage information may be helpful, for example, for
debugging code that requires free space such as healthcheck tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e80ff6f9d43731d8c1943cd154ef5f317f380414">e80ff6f9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Template docs build

The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/255be047ff5ac8e79428c70c2a3b7c8ed026c965">255be047</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Run chronyd in Docker

The syncing time stuff is required by IPA NTP tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8cdc7bf070d90e0d641f32513c9ea3a709166d5d">8cdc7bf0</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Collect Host's systemd journal

The journal of Host is useful for AVC/SECCOMP analyzing.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d47847b1a2b983a41099a63954df9b569d414959">d47847b1</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Warn about Host's AVC and SECCOMP

Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.

It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/572f203c96baea3a086bea4e0846347b6f116bee">572f203c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Disable AppArmor profile for chrony

The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. Container's chronyd get blocked by AppArmor:

fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"

So, any of AppArmor profiles can block container's processes by
matching executable name. There are two ways:
1) prepare custom AppArmor unconfined profile, load it on Host and
    reference it in container's configuration. This requires the
    knowledge of profile syntax at least, not too difficult, but
    potentially hard to maintain.
2) disable conflicting profile on Host;

Azure will warn about AVC in either case.
The second one was chosen as more simple.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6c1dc1b226254003dda882f7856c4e3b3e5b3767">6c1dc1b2</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Don't install pypi's docker

Ubuntu 20.04's docker meets the requirement(4+).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2bec09aa038d2ef8f3819f11e67ba81d70cb5fe4">2bec09aa</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Fix several warnings

Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/188a279c5bf14b7cbd7cc0d65cc294fc6862b8d3">188a279c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-30T13:18:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Run Lint task as separate job

Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job has to be isolated from
the others.

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8552faba077f5ef7ef3c6f9b2281564df553dbc7">8552faba</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-03-31T09:04:43+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudorule: reduce number of LDAP searches during modification

Combining the existence check with the sudoorder handling
allows to reduce the number of searches during a sudorule
modification by removing a call to sudorule-show.

Related: https://pagure.io/freeipa/issue/8780
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3eb8b304c612500218806c04486efd79b2495ba2">3eb8b304</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-03-31T09:07:47+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Skip test_jsplugins in server less environments

This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.

Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.

Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ef4a2f30b458db9487ebf724bdd3ba1f4e7f9d99">ef4a2f30</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-31T09:14:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update ipa.pot translations file

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8cb32381347e643a389ad5b0dce429087ba37bea">8cb32381</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-31T09:15:33+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dab3706c0d0bb0137ad3f742fd4a687649f5d216">dab3706c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-31T09:17:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.3

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/50d986b98196c540d38916b0410910e5450f4871">50d986b9</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-31T09:18:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4334438136dbc3dfcfb07f60f50dfb5a63c0618e">43344381</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-01T08:53:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: collect PKI config files and NSSDB

To ease debugging, also collect:
- /etc/pki/pki-tomcat/server.xml
- /etc/pki/pki-tomcat/ca/CS.cfg
- /etc/pki/pki-tomcat/kra/CS.cfg
- /etc/pki/pki-tomcat/alias
- /etc/pki/pki-tomcat/alias/pwdfile.txt

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c5eb88f7e5c3275fa94260b52c417e197a906e7">8c5eb88f</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-04-01T18:17:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client

The testcase checks that when ipa-healthcheck tool is run
on ipa-client it will display warning message "IPA is not configured"

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f598c8d8306f847c0c9ded165d33b8c6435d759">7f598c8d</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: tasks.py: add wait_for_ipa_to_start

wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18b03506d3f1f85656219699a0e9dda305b6885b">18b03506</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: tasks.py: add dns_update_system_records

Add a frontend to "ipa dns-update-system-records" to tasks.py.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ad9c38ee00e46444e54c73b7ec5da16c66d4b93">9ad9c38e</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: hiddenreplica: use wait_for_ipa_to_start after restore

Use wait_for_ipa_to_start to wait until the restored replica is online.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/834adfc2b1cfcdb3486da2eabf0e9a1ee1ad96cc">834adfc2</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use wait_for_replication for hidden replica checks

Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b1fef6b80a2102b2a28ab33e84e1bb827fddeeac">b1fef6b8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: hidden replica: use dns_update_system_records

Use dns_update_system_records after restoring the replica
to force-update the DNS records.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45fa10434e1ee4c36ef0e3a0c3f88d447c71ba35">45fa1043</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: hidden replica: misc fixes

Rename a test and split a test in two.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0ffaf29a370d42d62ae4701fe7c1f5f885a7df2c">0ffaf29a</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-04-02T09:48:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: mark test_ipahealthcheck_hidden_replica as expected failure

test_ipahealthcheck_hidden_replica fails due to:
https://pagure.io/freeipa/issue/8582
Mark it as expected failure.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8c3f5f4374fdcdcca05ece7cdbcd8a769cc7c55">a8c3f5f4</a></strong>
<div>
<span>by Carl George</span>
<i>at 2021-04-02T09:51:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Also use uglifyjs on CentOS Stream 8

This conditional was recently changed to match VERSION_ID "8." to only
apply to RHEL 8 releases, but it should also match CentOS Stream 8 which
has VERSION_ID "8".

https://pagure.io/freeipa/c/43f344b931db3f72f50e1620443be9f21623e29a

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c7271ea2ba40a4d0ff0d4d0b9bac9a237b747ef0">c7271ea2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-07T08:27:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: call server-del before replica uninstall

The test test_replica_promotion.py::TestRenewalMaster::
test_automatic_renewal_master_transfer_ondelete is calling
ipa-server-install --uninstall directly without performing first
ipa server-del. This can lead to incomplete uninstallation and
test failures.
Call tasks.uninstall_replica instead of tasks.uninstall_master.
This is equivalent to ipa-replica-manage del + uninstall
(ipa-replica-manage del works in DL0 and DL1 and internally calls
ipa server-del in DL1).

Fixes: https://pagure.io/freeipa/issue/8792
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/03dfd01ee78c495c0ee21c6ea9fcef1148eb1053">03dfd01e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-07T08:30:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: TestIpaHealthCheck now needs 1 client

The test TestIpaHealthCheck has been updated with commit
e86ff48 and now needs 1 master, 1 replica and 1 client
in order to execute.
Update the nightly definitions accordingly.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/de5fffd3c34560bd51d78deabcdf35529ca90a32">de5fffd3</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-07T09:22:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bumps openssl requires

openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.

On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.

Fixes: https://pagure.io/freeipa/issue/8632
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/07fe32e2ada5dae5e218b0a0ca9962fd42fd698d">07fe32e2</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-04-07T12:40:30-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Better mod_wsgi configuration

* Remove WSGIImportScript
* Configure process-group in WSGIScriptAlias
* Run WSGI app in main interpreter of daemon script

See: https://github.com/GrahamDumpleton/mod_wsgi/issues/642#issuecomment-749498828
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b7700b9c5e2cf156fbecb15201ab26d562302b3b">b7700b9c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-04-07T12:40:30-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve wsgi app loading

* move WSGI app code to main code base so it can be used with other
  WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b8bea216c6d43eceb4b4e10cc91014eeee204a90">b8bea216</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-04-12T17:46:08+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "rules: Build only the client for bullseye."

This reverts commit 420067e108b8803d41e0b3863a7491dbec5184a1.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aea2c9fb02e07935524c7998ff265a22057eceb5">aea2c9fb</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-04-13T17:53:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/install/dns: handle SERVFAIL when checking reverse zone

systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.

Fixes: https://pagure.io/freeipa/issue/8794

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7fa80acf5fda9ba06c81bed97f1a0c33346574a6">7fa80acf</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-15T18:30:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client install: do not capture sudo -V stdout

ipa-client-install is checking if the sudo command is available
by calling 'sudo -V'. The call is currently using subprocess.popen
which redirects the output to the default stdout.
Use ipautil.run instead of subprocess.popen as this does not
capture stdout (the command output is just logged in the debug file).

Fixes: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3499fdeec2391b9d2d06a6c073ac0cc2b5f02989">3499fdee</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-15T18:30:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check that the output of sudo -V is not displayed

During client installation, the installer calls sudo -V
to check if sudo command is installed. The output must not
be displayed in stdout.

Related: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b3488b21319ad6ec800796313fdb7cd23ae17c23">b3488b21</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-04-16T22:38:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: test_user: test if user is enabled by default

Test checks if the user is enabled, able to reset their password and
authentication types in both CA and CA-less environment.

Related: https://pagure.io/freeipa/issue/8203

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7e0626a922f63779836026f5aa7872177be08eef">7e0626a9</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-04-19T09:13:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add pkey_only to the service_find calls in host del and disable

The pkey of services is krbprincipalname. The host plugin passes
this full value to service_del and service_disable if the service
hostname matches the requested host.

This limits the amount of data and post-processing done
when host_del and host_disable call service_find. It also saves
a presence query for keytab in each service found.

https://pagure.io/freeipa/issue/8787

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/74130f863f76c11b6705cde886804a60ea11f64f">74130f86</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-04-19T09:15:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cache the value of ca_is_enabled in the request context

This may be called multiple times in a request and should
be impossible to change.

https://pagure.io/freeipa/issue/8797

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58c73a71ba296380e10ffc28a2c360ef8341d53d">58c73a71</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-04-19T19:38:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Retrieve the user objectclasses when checking for existence

This saves at least one search per user-mod because the current
set of objectclasses are verified to ensure they are complete
on each update.

So always retrieve them in get_either_dn(). They are used by
every call but there is negligible overhead in retrieving
this from LDAP.

https://pagure.io/freeipa/issue/8801

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9d3414287068189be896c280f9ea1a6c8bc9d32d">9d341428</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-19T15:04:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Design doc for idrange option "auto-private-groups"

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42b8fa60cfbf1551e916816b6d738b44fdff509a">42b8fa60</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-19T15:04:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP schema: new attribute ipaautoprivategroups

Add definition for a new attributeType: ipaautoprivategroups
Add the new attribute to ipaTrustedADDomainRange objectclass
as optional attribute

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cada918c7849dfff61eeef0c6ef1de420288bff0">cada918c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-19T15:04:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Trust: add auto private groups option

Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.

Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ddc191491f9d06ebe28688fe9fb2d1dd80b711e">7ddc1914</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-04-19T15:04:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">xmlrpc tests: add test for idrange auto-private-groups option

Scenarios:
- idrange-add prevents --auto-private-groups with a local id range
- idrange-mod prevents --auto-private-groups with a local id range
- auto-private-groups accepts only true/false/hybrid/empty values

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33404a62c01053c6a25b21445bb2731249064618">33404a62</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-04-23T17:55:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations it is better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bd2a14a2e8d36735d5c2051a06fb62f3f1c6c682">bd2a14a2</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-04-24T14:04:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Handle assertion if multiple notifications are present

If multiple notifications of the same type are shown at the same
time, assertion works for only the first one. This change enables
searching for the notification's content in all shown notifications.

Fixes: https://pagure.io/freeipa/issue/8641

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0244a060f2a521548bae0f8fb1287bbed14b8653">0244a060</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-04-26T15:51:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use PyCA crypto provider for KRAClient

The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.

The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.

Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eefbe8558b25ca9e9da10b391ec41e2987b8bd2d">eefbe855</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-04-27T18:08:59-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Adapt to new Pylint 2.8

- globally ignore `consider-using-with`
- fix `consider-using-max-builtin`
- explicitly enable pylint on project configuration
- unpin Pylint
- added transformation for IntegrationTest attributes (will work
  unless explicitly defined)

Fixes: https://pagure.io/freeipa/issue/8818
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0c3a2dbfeaa73db868bacd4042de02a20b714d05">0c3a2dbf</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-04-28T17:11:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add max/min safe integer

JSON cannot safely handle integers outside range ``-(2**53) - 1`` to
``(2**53) - 1``. Add constants for safe integers and limit the Int
parameter to safe JSON values.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER

See: https://pagure.io/freeipa/issue/8802
See: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5afe830e541296aad3d43598898bf335be8f6dd9">5afe830e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-06T15:31:37-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pkispawn: Make timeout consistent with IPA's startup_timeout

This is the experimental fix to work around the issue with
PKI on Azure Pipelines. PKI is the most sensitive to slow
systems (at least, appropriate delays and timeouts should be
adjusted for such).

Somehow Azure's test envs became slower than they were earlier
(for example, CA subsystem start changed
~(20-30)sec -> ~(45-60)sec). This triggered various issues with
subsystems of PKI in CI.

PKI honors `PKISPAWN_STARTUP_TIMEOUT_SECONDS` env variable (if
not set the timeout is 60sec) for pkispawn tool. The default
timeout is inconsistent with IPA's one (startup_timeout=120sec, which, in
particular, is used in ipa-pki-wait-running tool).

Related: https://pagure.io/freeipa/issue/8830
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a7ff4089437ee20bbce7fc55d43a7702dd7540a7">a7ff4089</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-05-06T15:40:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test if ACME renews the issued cert with certbot

This test is to check if ACME certificate renews upon
reaching expiry

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

ipatests: remove skipif for minimum pki dependency

Remove skipif from ACME tests as required pki version
updated in freeipa.spec file (pki 10.10.5)

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

ipatests: move common code to separate method

Move the code from prepare_acme_client, TestACME/test_certbot_register
and TestACME/test_certbot_certonly_standalone to separate method so
that it can be re-used in TestACMERenew.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/35198bedf42f7142df3986b3ddef1d22029fbcab">35198bed</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-05-06T15:43:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Constrain pylint to supported versions

Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constrains pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a21311095d3b918fcb0f5fe28669e385103c31eb">a2131109</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-05-07T08:48:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_installation: add install test scenarios

test_hostname_parameter: Test for issue 2692 ipa-server-install ignores --hostname:
check whether hostname provided in `--hostname` parameter is being taken into account and set as new hostname without prompting for it again

test_ad_subpackage_dependency: Test for issue 4011 ipa-server-install crashes when AD subpackage is not installed:
test if ipa-server installation succeeds without `freeipa-ipa-server-trust-ad` installed

test_backup_of_cs_cfg_should_be_created: Test for issue 4166 Backup CS.cfg before modifying it:
test if ipa-server installer backs up CS.cfg before modifying it

test_installer_wizard_should_prompt_for_DNS: Test for issue 2575 [RFE] Installer wizard should prompt for DNS:
test if installer is asking for DNS setup details if not provided as parameter

Related: https://pagure.io/freeipa/issue/2692
Related: https://pagure.io/freeipa/issue/4011
Related: https://pagure.io/freeipa/issue/4166
Related: https://pagure.io/freeipa/issue/2575

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/046012ecfa9731bc98ef2103645ad99cfd0baa32">046012ec</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-05-07T10:53:13+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">hbacrule: reduce number of LDAP searches during deletion

The `hbacrule` module performs a call to `selinuxusermap-find`
during entry deletion. This can be optimized by passing pkey_only=True
to the search, skipping the post-callback function. Passing the full
DN of the hbacrule and detecting it in the selinuxusermap find
also saves one call to hbacrule-show, further reducing the searches.

Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bae02a7edad6cb291d7610fae3465119a3b72b65">bae02a7e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-07T10:59:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse Apache log etime and display average per command

Including execution time (etime) was added in commit
4d716d3fbc69760bc0f7bd1a7c83ab14f1a62f18

This is a parser that will collect API executions and
average them by command.

If > 5 requests of the same type then the fastest and slowest
results will be dropped to try to smooth the average.

These averages will be used for two purposes:

1. Identify potential bottlenecks in API performance
2. Provide a baseline so that future performance changes can be
   measured.

It is included in contrib because this is not going to be shipped
with a distribution but is useful to have with the code.

A sample execution is:

Successful commands:
 Mean user_show: 12234152.5 of 2 executions
 Mean command_defaults: 3284363.0 of 3 executions
 Mean user_add: 594369554.5 of 2 executions
Exceptions:
 Mean user_del: 232540327 ns of 2 executions
The parselog command was successful

Times are in nanoseconds.

https://pagure.io/freeipa/issue/8809

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4dd9d079fbc190ebcce54c427898c67d83066d1e">4dd9d079</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-05-07T11:00:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Spec file: bump augeas-libs version

Older augeas does not support new options provided by chrony:
 sourcedir /run/chrony-dhcp
 ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.

Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise

Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1aa3f7a7fd24c651aafde150351328148fd517be">1aa3f7a7</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:22:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only attempt to upgrade ACME configuration files if deployed

This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.

Also don't consider missing ACME schema a total failure, just
log and skip it.

https://pagure.io/freeipa/issue/8832

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d6637b2feb2008b4a9538518d5d08a0de79c5a68">d6637b2f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Call the LDAPClient layer when modifying values

For add/remove member and remove_principal the LDAP connection
was being used directly, bypassing the LDAPClient overlay.

Related: https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/63767ec067a63811bf73a7314786123b2e89d5ff">63767ec0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Unify installer context to be 'installer'

'install' was being used in some places.

The context can be used to limit what configuration is
used for a given request so having consistency is
valuable.

This affected the force_schema_updates value in LDAPClient
which looks for api.env.context in ('installer', 'updates')

Related: https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b37d679f1dad9fc93f2a8431b4aa62b25f48bcb7">b37d679f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement simple LDAP cache layer

Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict so, for the cases
where a large cache might result, an LRU model can be used.

The cache can be enabled (default) or disabled using
ldap_cache=True/False.

This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.

The key to the cache entry is the dn of the object
being requested.

Any write to or referencing a cached dn is evicted from
the cache.

The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.

Despite this rather conservative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/00c99cceb43d97a5331e0407337e845c710a51d4">00c99cce</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add LDAP cache options to the default.conf man page

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/951720d4e66d313c537b003200efc3b33fe4b045">951720d4</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a unit test for the LDAP cache layer

This mostly confirms that when an entry is added, modified or
deleted it is expunged from the cache.

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0307d222acb8a6c675b985463f56f1071a4e5364">0307d222</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-12T11:55:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse the debugging cache log to determine the read savings

Read the FINAL lines from the Apache error log, optionally from
a start time, and calculate the total cache hits and misses and
calculate the average read savings.

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1647afa9f7c153eea12aa4947102d1883d5be1c8">1647afa9</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-05-12T15:22:28-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Bump PR-CI templates to Fedora 34

Move 'latest' to Fedora 34 and 'previous' Fedora 33 for nightly runs.
Keep gating on Fedora 33 for now.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a1ed05d7f91cf78e6d704dbf6051c72314973140">a1ed05d7</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-05-18T14:36:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: increase timeout for test_commands up to 1.5 hours

Normally it takes 50 minutes for test_commands test suite
to complete. But due to fluctuations in virtualized environment
sometimes it exceeds 60 minutes which produces random failures
in nightly runs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/74889cf3ffa39e7988ebf7fc9c4480c3a0346a20">74889cf3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-05-18T15:15:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix update_dna_shared_config to wait for both entries

update_dna_shared_config plugin now waits for presence of both
``dnaHostname=fqdn+dnaPortNum=0`` and
``dnaHostname=fqdn+dnaPortNum=389`` entries before it updates the
entries.

The commit also refactors the code of update_dna_shared_config for
subordinate id support.

Fixes: https://pagure.io/freeipa/issue/8831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7e9407d9d6c3d09263c70f805f360c6894a72262">7e9407d9</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-05-18T15:15:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move constants, document timeout loop

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9d37d077fd16871b15e2c39ca586e0eb9cc8403a">9d37d077</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-19T11:25:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix typos in ipa-epn.1

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8799df5383c5e93a014f05dd6d3befddefa49173">8799df53</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-19T11:27:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add -d option to match in the ipa-client-samba usage and man-page

The ipa-client-samba man-page describes the -d option, but the -d option cannot actually be used.
Fix ipa-client-samba to enable the -d option.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7c17e27b7ff728a034863ac353602f75ebf82e41">7c17e27b</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-19T11:28:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix the option to match in the ipa-client-automount usage and man-page

The command usage and man-page options may not match.
In ipa-client-automount, fix to match usage and man-page.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25c4da9e89fd70a257e91ec35fb70e41cff37dd9">25c4da9e</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-19T11:30:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add arguments to the description of OPTIONS in ipa-winsync-migrate.1

ipa-winsync-migrate.1 has an explanation of options, but no arguments.
Therefore, add the arguments for --realm and --server.
Also, add a short option -U for --unattended.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7239864be38f13b5d6968552ea565a8dfedcf0dd">7239864b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-19T14:16:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Load dogtag RA plugin in installers so profiles can be loaded

In order to call import_included_profiles the dogtag RA plugin
needs to have been loaded. Modify the requirements to also allow
the installer context along with the ra_plugin value.

This lets us add missing profiles during a replica installation.
This is needed for ACME when installing a new replica in a
cluster of older servers that don't have support for ACME.

https://pagure.io/freeipa/issue/8738

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/190f8b62cddae49eeecf84728ec08e74e6dae7ae">190f8b62</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-20T15:59:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add argument for --schema-file option in ipa-ldap-updater.1

There are no arguments in the --schema-file option,
but the Schema file in LDIF format must actually be specified.
Therefore, add FILE.ldif as an argument

In addition, the --schema option no longer exists, so remove the description.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6031b8a2109ab1963d395a63541ddb3a8799fd9f">6031b8a2</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-21T08:54:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add ability to search on certificate revocation status

This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.

Related: https://pagure.io/freeipa/issue/7835

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25e0f4af667de5a665bc6702927d25ef58d4a22c">25e0f4af</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-21T09:15:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove -s option from ipa-ldap-updater usage

The -s option no longer exists, so remove it from the command usage.
Also, due to this fix, E128 occurred in pycodestyle, so the coding style was changed.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9a9373d5dce2610cee6e1b74c348138407bc8789">9a9373d5</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-21T09:34:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add argument for --entry option in ipa-managed-entries.1

There are no arguments in the --entry option,
but DN for the managed entry definition must actually be specified.
Therefore, add MANAGED_ENTRY as an argument.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bfd7b6e00d00efea637f0f575570ac7abd6c5fbc">bfd7b6e0</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-05-21T10:27:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: kinit on server for test_proxycommand_invalid_shell

We've seen some intermittent failures of this test with warnings
about passwords about to expire. We suspect there may be a time
difference between the client and server so set the passwords
on the server instead to be sure that time is correct.

https://pagure.io/freeipa/issue/8785

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b9fd47a7ae58085be49bcf6772d688779b492748">b9fd47a7</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: bump F32->F34

Fixes: https://pagure.io/freeipa/issue/8848
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18563bc87b07fd7aca6f9d3af534fdc2c42bb8aa">18563bc8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: do not use jsl for linting on Fedora 34+

jsl package is orphaned in Fedora 34+ as it cannot be built.

Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c711292bcf5a0cb2ce02cd470be6a37b67200b25">c711292b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Collect systemd boot log

If an error occurred during the containers setup phase then no logs will
be collected and it is hard (impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c26907bc020afc4d54826606f2c00889a15bf06f">c26907bc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Enforce multi-user.target as default systemd's target

This may speed up boot process.
For example, 'fedora:34' set graphical.target as default,
while multi-user one will be more appropriate.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb0a5db3043ead31194143926a56923dec593349">eb0a5db3</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Wait for systemd booted

The calling of systemd's utils during systemd boot may lead to
unpredictable results. For example, if DBus(dbus-broker) service
is not started then DBus request goes nowhere and eventually will
time out. So, it's safer to wait for a fully booted system.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e243b956f4fb04adbbee80a8ffdaca92f9eabf7c">e243b956</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Remove no longer needed repo

libseccomp2 2.5.1 is on focal-updates(Ubuntu 20.04LTS):
https://packages.ubuntu.com/focal-updates/libseccomp2

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4d53d9fdf2339307033a14e2214bfb98923f4e9d">4d53d9fd</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Mask systemd-resolved

The initial value of NS of resolv.conf is 127.0.0.11, this
is the embedded NS of docker-compose. The disabling of
this feature is not currently supported by Docker.

On startup systemd-resolved caches the /etc/resolv.conf
(docker-compose version), which is later modified by
setup_containers.py script.

This results in a resolving error:
```console
[root@replica1 /]# getent ahosts master1.ipa.test
... can't resolve

[root@replica1 /]# grep 'hosts:' /etc/nsswitch.conf
hosts:      files myhostname resolve [!UNAVAIL=return] dns

[root@replica1 /]# resolvectl status
Global
       LLMNR setting: resolve
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 127.0.0.11
         DNS Servers: 127.0.0.11
Fallback DNS Servers: 1.1.1.1
                      8.8.8.8
                      1.0.0.1
                      8.8.4.4
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
```

According to docs:
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
our case is 4(managed by other packages).

So, restart of systemd-resolved is enough for its re-initialization,
but not for services that already received DNS results. To speed up
the overall process and to not restart each service which wants
internet connection(or wait until service retries connection)
systemd-resolved is masked.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c90a3636a4bb1b424f916a4498dd8aeef5d37dde">c90a3636</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update expectations for test_detect_container

Since https://github.com/systemd/systemd/pull/17902/commits/a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
systemd improves the detection of Docker and Podman containers based
on the presence of files-markers.

```console
[slev@test systemd]$ git describe --contains --tags a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
v248-rc1~155^2~1
```

Note: on Azure unit tests are run as non-privileged user in non-systemd
inited container.

This worked on F32 because:
```console
[root@6d2aad38f62c /]# rpm -q systemd
systemd-245.9-1.fc32.x86_64
```
So, actual comparison in test was `assert None == None`.

But F34 has:
```console
[root@1ff1325f5a61 /]# rpm -q systemd
systemd-248-2.fc34.x86_64
```
So, the test's expectations should be updated.
Unfortunately, this is incompatible with older versions of systemd
(< v248).

See https://github.com/systemd/systemd/pull/17902 for details.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aa0c8c832350cad0de1bfa99e7b23f8c6cadb4de">aa0c8c83</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Add workaround for PhantomJS against OpenSSL 1.1.1

WebUI unit tests fail with:
```
PhantomJS threw an error:ERROR
>> Auto configuration failed 0 [
>>   'Auto configuration failed',
>>   '140613066520384:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory',
>>   '140613066520384:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:',
>>   '140613066520384:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf',
>>   '140613066520384:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf'
>> ]
...

Warning: PhantomJS exited unexpectedly with exit code 1. Use --force to continue.

Aborted due to warnings.
```

See https://github.com/wch/webshot/pull/93 for details.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6164bfb56ad6d3acce9ea778cebf6694a15dd3d8">6164bfb5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Warn about memory issues

The nonzero number of memory/memory+Swap usage hits limits may
indicate the possible env instability(crashes, random failures, etc.).

> memory.failcnt              # show the number of memory usage hits limits
  memory.memsw.failcnt           # show the number of memory+Swap hits limits

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0932c9217ff343d788b13ee1845fecb9666cbea8">0932c921</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BIND: Setup logging

- allow BIND's logging customization
- preconfig logging with ISC recommendations:
  https://kb.isc.org/docs/aa-01526

Fixes: https://pagure.io/freeipa/issue/8856
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/64c0f900306295d1e9832ed58844bb9b2338a339">64c0f900</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Setup and collect BIND logs

For Base/XMLRPC tests BIND's logs are already collected.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5501fda5617739d1514e09eb0edebbda1fcf77b1">5501fda5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Run Base and XMLRPC tests in isolated network

The tests in these envs make DNS requests to wild(internet) NSs,
though usually tests assume the opposite making requests to
`test.` zone. This makes CI unstable and dependent on wild
resolvers and logically wrong.

In future there can be tests which may want to check BIND as
resolver(cache) for external networks. In this case such tests
should be placed on not isolated mode.

By default, a test env is not isolated from internet(as it was
before), but it may be a good idea to change this default in
future.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a192c21b2ce7e6167aba4132ed9504a46aeebf4e">a192c21b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Handle network-isolated mode

Since the dns plugin's tests have no access to wild resolvers
nobody answers such requests but authoritative NS.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b487629262671714b5e36c74c8dbc193b008ce7d">b4876292</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnsutil: Improvements for IPA DNS Resolver

- check only IPv6 address of local NS if specified
- increase request timeout(2sec is too small, BIND resolver's
  default 10sec)

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9e1531180336083fe1b873045a06647ae9074633">9e153118</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dns: get_reverse_zone: Ignore resolver's timeout

The DNS server may not process a query within its internal timeout for
some reason or not answer a query at all. This may indicate
a high load on DNS server. For example, if IPA DNS server is
configured with 'none' forward policy (read as resolver), then
SERVFAIL/Timeout errors will be normal until the hot cache for zones.
Resolver's timeout in turn, indicates that it queried a server, but
didn't receive an answer in specified timeout.

Related: https://pagure.io/freeipa/issue/7397
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/645f90a835d8ba8080ffdd9a7a3f98f40a3ac550">645f90a8</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pytest: Show extra summary information for all except passed tests

By default pytest reports in summary section about tests failures and errors.
It will be helpful to see skipped, xfailed and xpassed tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/535131d633f80f3dd07206df9082b200b1d257c5">535131d6</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Ignore warnings on failed to read files on tarring

There are tons of useless warnings about missing files on collecting
logs, such as:

```
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: /var/log/ipabackup.log: Warning: Cannot stat: No such file or directory
tar: /var/log/iparestore.log: Warning: Cannot stat: No such file or directory
...

```

Since `--ignore-failed-read` option is passed to tar the caller
doesn't care about not readable(mostly missing) files and these warnings
may be filtered out.

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c92f10029b08b31969d1e1da9dfe6f4b6c1b7dff">c92f1002</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Suppress list trust or certificates

There are tons of useless information in test's runner log on
server uninstallation about list trust and certificates, such
as:

```
RUN ['trust', 'list']
pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%F7%7D%C5%FD%C4%E8%9A%1B%77%64%A7%F5%1D%A0%CC%BF%87%60%9A%6D;type=cert
    type: certificate
    label: AC RAIZ FNMT-RCM
    trust: anchor
    category: authority

pkcs11:id=%52%D8%88%3A%C8%9F%78%66%ED%89%F3%7B%38%70%94%C9%02%02%36%D0;type=cert
    type: certificate
    label: Actalis Authentication Root CA
    trust: anchor
    category: authority

...

```

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3049b9587f0ded768ba3a61ec0e98368a6316a0a">3049b958</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Collect installed packages

The list of installed packages may be useful for checking the
versions of packages for analysis. Previously, only the newly
installed packages can be observed on Build phase.

This is convenient for experienced users of PR-CI.

Note: the read-only access provided for non-master containers
to be able to execute Azure scripts. The logs are still collected
only on controller.

Only RPM-based collection is implemented for Fedora. By default
nothing is collected.

Users may want to override `installed_packages` function
in the corresponding `ipatests/azure/scripts/variables-DISTRO.sh`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3ada2d983fa136016c94cf827f3c3ef1d65a8323">3ada2d98</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: dnssec: Add alternative approach for checking chain of trust

drill is currently broken on F34. Fortunately, there are other
tools for checking DNSSEC trust. One of them is `delv`:

> delv is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as named.

delv sends to a specified name server all queries needed to fetch and
validate the requested data; this includes the original requested query,
subsequent queries to follow CNAME or DNAME chains, queries for DNSKEY,
and DS records to establish a chain of trust for DNSSEC validation. It
does not perform iterative resolution, but simulates the behavior of a
name server configured for DNSSEC validating and forwarding.

Related: https://pagure.io/freeipa/issue/8793
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0dd0631b21ce768d5624128983e7eb1c953297a3">0dd0631b</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Warn about extra and missing gating tests compared to PR-CI

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4d27947a80c8b530ae8b4b962543929db4a8999">d4d27947</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Re-balance tests envs

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/692f42dc7d887d3f89a0915529aed4d5380079ea">692f42dc</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: coredump: Wait for systemd fully booted

Otherwise, 'Check for coredumps' task fails with:
```
Verifying        : samba-debugsource-2:4.14.4-0.fc34.x86_64             20/20
[Errno 2] No such file or directory: '/var/lib/dnf/rpmdb_lock.pid'
Finishing: Check for coredumps
```

This is due to systemd-tmpfiles(not ready yet).

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/391ca8b90b6610b16023602a30b451bdcb5a1e6f">391ca8b9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-05-25T16:45:37+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Make it possible to adjust Docker resources per test env

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/986e2d7d78d0026f01269b192770a45dc5f1b772">986e2d7d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-05-27T09:15:48+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pkispawn: override AJP connector address

Since commit 1906afbeb3c8b7140601be7f9bee2f7fef5b0a5e, in order to fix
rhbz#1780082, pki defines AJP connectors using localhost4 and localhost6:
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="..."/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="..."/>

When /etc/hosts only defines the following:
    127.0.0.1 localhost
    ::1 localhost
the connector initialization may fail with
    java.net.BindException: Address already in use

The installer can add the following definitions to pkispawn cfg file:
    pki_ajp_host_ipv4=127.0.0.1
    pki_ajp_host_ipv6=::1
in order to force the value to an IP address instead of localhost4/6.

Fixes: https://pagure.io/freeipa/issue/8851
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab5aba2b78caace61079c229f30dd81e501446ef">ab5aba2b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-05-29T13:21:06+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update IRC links to point to Libera.chat

Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/519328382b678ae2b3330c4dfd7460768aa6121e">51932838</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2021-05-29T13:21:52+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add --keyfile option to ipa-otptoken-import.1

ipa-otptoken-import.1 describes the -k option.
However, the long option --keyfile option is also available.
Therefore, add the --keyfile option to ipa-otptoken-import.1.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/04a6583ce3c1304907d092b19e5c7cc915f6952a">04a6583c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-01T21:12:14+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ds: Support renaming of a replication plugin in 389-ds

IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d933123eda92b7259ce8d67c6d95fa00c8f683bd">d933123e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7cb4ee0d1282cd1c292421585f92b07647aa2642">7cb4ee0d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ca.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/626c7f7d15de71ca78018d8ae339b35cb1af7a2e">626c7f7d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/cs.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5ed8987fba831154746f3131650f1efa83a5e7d8">5ed8987f</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/de.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9c34f7eac57395be459d417f58650e3ca7a1b835">9c34f7ea</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/en_GB.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f9c667e81a204c5db68ccf9276faf17d1d6d584d">f9c667e8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/es.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4f68174c09a1bad858bde69e9170a9057c31e5e9">4f68174c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:49:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/eu.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/00a0cb3abfcd9c38d202bde548868feddaee65cc">00a0cb3a</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/fr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1de25fb8047f99fa45d9095e584086bc3ee1393b">1de25fb8</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/hi.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3eca1f9127ec67c9fb94f199c36f9ee78103690a">3eca1f91</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/hu.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87150c2b6f95f34fc4efa9ffd01b716335961e24">87150c2b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/id.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0feda3dd7601da90109b5c303b6da0915faf6b9d">0feda3dd</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ipa.pot: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44c57c274489a2c2da155bb58d74f6f63c07d6d9">44c57c27</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ja.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8c5ca861e15720661b9edbcc74ab2f678a407102">8c5ca861</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/kn.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a4679b8bc592af77b9619e4472ed3cf8c5f9ae2b">a4679b8b</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/mr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fa15bf13d56789e6250172bbe12e2af2aaea20d5">fa15bf13</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/nl.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e8ba917032624e348d3f6ec864350633abd228c3">e8ba9170</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/pa.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e7bfe72c155859b0ea315d7c24ff415fdf8f82fb">e7bfe72c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:40+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/pt.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/468c4852fee883f4769d1d4787822e5fa55f6aaf">468c4852</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:40+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d3ef07ad5165d94bc399fb96d6b19d785e9a11ca">d3ef07ad</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:40+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ru.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9905e38311e9e065a98176b2f5eb71eec0fd5ef3">9905e383</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/sk.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3f74383c98a367abdfcb7afd02c84299c7c0b8d0">3f74383c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/tg.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5cf1340132a4f015e28cd1325e45eba8d1c0d581">5cf13401</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:50:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/tr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/94831c341962d20c5a3ba9d5a293db9b69b7e331">94831c34</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T09:51:22+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8e05170f82c00d7873564cd6e811430a9fdc32da">8e05170f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-03T13:07:10+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fetch sudo rules without time offset

As of 2.5.0 SSSD introduces a random timeout for the refresh
of the SUDO rules [0]. With that change it's no longer possible
to immediately fetch SUDO rules unless the feature is disabled
[1].

[0]: https://github.com/SSSD/sssd/issues/5609
[1]: https://github.com/SSSD/sssd/issues/5635

Related: https://pagure.io/freeipa/issue/8844
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d7f3c1ff4cbfc7840ca7c3015ca13eaeceee18ca">d7f3c1ff</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-03T14:58:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">service: enforce keytab user when retrieving the keytab

HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/15b47c8b0c7bb484240726f29a126411a2483393">15b47c8b</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-06-03T20:10:57+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page

Add 'Auto private groups' field on 'Add ID range' form with the following options: true, false, hybrid.
The field is optional and can be omitted.
Its value can be also modified on 'Range Settings' page after the range is added.

Ticket: https://pagure.io/freeipa/issue/8837

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfbafafc3e38fd5b07fc3843c28fa019900a0ee7">dfbafafc</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-06-03T20:10:57+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page

Add test_range_auto_private_groups test case to test_trust WebUI test suite to cover the field.

Ticket: https://pagure.io/freeipa/issue/8837

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/63d20c44760849a7ef65b234e7e231f9a073f61f">63d20c44</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-04T10:57:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Catch ValueError when trying to retrieve existing credentials

get_credentials() was changed to raise ValueError instead of
gssapi.exceptions.GSSError as part of the sweeper to clean up
expired credentials caches.

For WebUI users, this will prevent a 500 error if their
associated credentials cache is expired or missing.

https://pagure.io/freeipa/issue/8873

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3dd8c4d5134f7997ee75b18b282b83ff56ae5bbc">3dd8c4d5</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:23:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Depend on system-logos-ipa on RHEL/CentOS Stream

Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.

This allows making IPA packages installable on CentOS Stream and on
Fedora ELN.

Fixes: https://pagure.io/freeipa/issue/8874

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1157c5b14f994bce1a2f31fc0e0c7da139dd14fe">1157c5b1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:25:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/es.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45232145d9ad3aa3ac45e2ccf63593ca2e61e50c">45232145</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:25:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ipa.pot: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d6de84e711021dfd3477a5db5b7f9fde393d09d7">d6de84e7</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:25:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/ru.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b6a656147612d26003fa8aab6d0d033a1dfa2ac">5b6a6561</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:25:16+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po/uk.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d64d74df6fa75bea0a014083f1a9c815c6a6a3b8">d64d74df</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:26:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.4

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b25f5bd9109b87916e097dd8353ea5f0dc49e398">b25f5bd9</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T12:27:55+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5238651da06547bb004de2434ae7d357422ba735">5238651d</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-04T15:38:36+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">get_credentials: return ValueError for missing creds

Related: https://pagure.io/freeipa/issue/8873

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/79e0919132adf0df764400f9c27268cbadd2578b">79e09191</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-06-07T10:54:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Bump PR-CI boxes

Update Fedora 34 and 33 boxes to include new packages.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/13b257d7a05fd255df472144712edb34604dbe06">13b257d7</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-08T08:31:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: set selinux context for fips mode

In order to test FIPS mode, the test is faking a user-space
FIPS environment by creating a file /var/tmp/userspace-fips
and bind-mounting this file as /proc/sys/crypto/fips_enabled

The security context needs to be properly set otherwise
/proc/sys/crypto/fips_enabled inherits the security context
unconfined_u:object_r:user_tmp_t:s0 and cannot be read,
resulting in the test seeing fips_mode=false.

Fixes: https://pagure.io/freeipa/issue/8868
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b22450dfdc1657b463683b09b9c69816f9152d9">2b22450d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-08T10:48:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: delete the replica before uninstallation

The test
test_installation.py::TestInstallWithCA1::test_install_with_bad_ldap_conf
is uninstalling a replica by calling ipa-server-install --uninstall
directly, instead of deleting the replica first.

Use tasks.uninstall_replica instead of tasks.uninstall_master
to perform a proper uninstallation.

Fixes: https://pagure.io/freeipa/issue/8876
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6ee14f513711ae9be799cfa2bd009f13c5248932">6ee14f51</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-06-09T09:18:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: temporary disable execution of test_nfs.py::TestNFS in nightly runs

During the test run on Fedora 34 and 35, sssd produces a multi-gigabyte log file
which causes test runners to run out of disk space.

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6eb535334d33f8f375b856e3a2d0b8853b318b4d">6eb53533</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-10T09:38:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: bump 389-ds version

IPA depends on the 389-ds version with the fix for
https://github.com/389ds/389-ds-base/issues/4700
Regression in winsync replication agreement

The same 389-ds version also fixes
https://github.com/389ds/389-ds-base/issues/4670
389ds coredump in IPA nightly test
test_caless.py::TestReplicaInstall::test_wildcard_http

Fixes: https://pagure.io/freeipa/issue/8691
Fixes: https://pagure.io/freeipa/issue/8756
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c9f5acc0d281f1a27471091648c36f94528c5a29">c9f5acc0</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-06-10T20:55:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: disable test_nfs.py::TestNFS in nightly runs on Fedora 33

Also disable in Fedora 33 as it also has the faulty version of sssd
which produces a multi-gigabyte log file.

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06a445aff10c1ab84e8784ab41b0a838e500e617">06a445af</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-12T11:21:04+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cert-fix man page: add note about certmonger renewal

ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.

Also add a similar note at the end of ipa-cert-fix.

Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/700be74975cad998e7dbcc4fb437e6b0bbd77305">700be749</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-14T10:14:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb_utils: Simplify get_credentials

Previously, `get_credentials` raised either ValueError or re-raised
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
returns valid credentials (at the moment of calling) or None. This makes
it consistent with docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0fd06f33b83aec19a88c594d3750bc476157ab83">0fd06f33</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-14T10:14:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">gssproxy: Don't refresh expired delegated credentials

`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
and passes down that path as `KRB5CCNAME` env variable to WSGI worker.

GSSProxy, in turn, protects these credentials from direct usage of
`ipa-api`. But the configuration of `service/ipa-api` (in particular,
'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
default GSS name ('=None') dictates to refresh expired credentials
with the client's keytab overwriting the origin credentials with
initial credentials of keytab's principal.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e045f118c87346bfab5b5634fd23f3054f082f7f">e045f118</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-14T15:51:15+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.9.5

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f16174c5f929a0884fcafb3da357a27e963b9bc">9f16174c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-14T15:52:10+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/22f0d8c50ab4618b05d0263380f594b23153724b">22f0d8c5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-15T13:24:29-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">When loading certificates verify that it is X.509 v3

Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b278b63b417edea74ca9344688e02b70e64b8bf">7b278b63</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-17T08:11:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CA-less install: non-ASCII chars in CA cert subject

In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.

The issue happens when calling ipautil.run to extract the keys
from a p12file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes, the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.

Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b040e10d3fac2cfb5ce057718e537ecbe8e2ac1">4b040e10</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-06-17T08:11:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use non-ascii chars in CA-less install

The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.

Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1be15d2024f327bc846e5fe324dc24fb2a96a828">1be15d20</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Custodia 0.6.0 to ipaserver package

Incorporate Custodia into IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d804f1feeddd31957bc3d88dfb79e9bd119813cb">d804f1fe</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unused Custodia modules

The CLI, IPA integration and storage backends are not used by IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02ece292ada0da25864bc71ed4f2f16d01933df5">02ece292</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Custodia imports

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0ec775fcfa15f1da20841111484e1e25d9f13d38">0ec775fc</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix Custodia pylint issues

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7cb2c89d5900dc02df1e587dd87d7f820404cd92">7cb2c89d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove more unused Custodia code

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cde5e2d4d7c36fadad492a7a753547297ffbaf60">cde5e2d4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Custodia tests

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62647ff3217331339e66170a0665b529e204be2e">62647ff3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-06-17T09:51:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Also drop Custodia client and forwarder

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3698c620029a0ab196872d5bce6661fc36ee861d">3698c620</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-06-17T13:00:32+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream'
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0a952abd71b98737ec59ad37071a1aba41e8fd73">0a952abd</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-06-17T13:01:14+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b0c6fe0d209ab72905b175a1b58eb0ab80c1e4c">2b0c6fe0</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-06-17T13:11:43+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client: Drop csrgen
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/acee2a296ba8235df3a43053e9a5c77420d75ae5">acee2a29</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-06-17T13:33:15+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Drop dependency on custodia, not needed.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e911f28d86d70b78c1ff33de58851eb9e94fbfc8">e911f28d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-06-17T16:59:24+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">add wsgi to python3-ipaserver
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7bed7e4b06e70b04e16410878ad269564291eec4">7bed7e4b</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-18T10:43:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With this change there is a way to enable
PKINIT when coming from an IPA server with a pre-PKINIT version (4.4 and
before).

Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/48370cb3e8fa928dcc51406a4a5e7dbe5bf8243f">48370cb3</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-21T10:54:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">host: try to resolve FQDN before command execution

Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.

Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/27a65a1a352b50304fa6765a535443993b445044">27a65a1a</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-06-21T10:54:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test host update using shortname

Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.

Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45d8118e6c94f25c0971fe2fe07d8f6eb7eb6f7c">45d8118e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-22T09:26:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use get_replication_plugin_name in LDAP updater

This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.

Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.

It was moved to installutils.py to avoid circular import.

https://pagure.io/freeipa/issue/8885

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2aa77992090499b2706ca077cc8ca980f47abbc0">2aa77992</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-06-23T10:00:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted

Pagure: https://pagure.io/freeipa/issue/7752

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d744ff3caef509af8d3c25393aac6c2d83fdb78c">d744ff3c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-25T13:35:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: healthcheck: Update IPAHostKeytab assumptions

As of 0.9 freeipa-healthcheck requires running `dirsrv` service
for `IPAHostKeytab` check. So, the previous assumption about
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of host's keytab.

Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/52e60889ff85b0129503d086214419fc2f9700d8">52e60889</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-06-25T21:33:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix certificate serial number representation

Big numbers are automatically translated to scientific notation in JavaScript.
It causes an issue with some certificate serial numbers.
The fix normalizes the notation based on the original value from serial_number_hex.

The implementation works only for browsers that support BigInt.
It would not work for old browsers like Internet Explorer.

Ticket: https://pagure.io/freeipa/issue/8754

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32eb409cf6c4bf03d4ae3451001c81d175310a7c">32eb409c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/15d710247d389e992844637fdb8a35610b595ba2">15d71024</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0abae79183207a4bdc7a6147eb143319806ad567">0abae791</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-06-28T15:47:29+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e82f2538326af62802a587dbd66ff1a06514af60">e82f2538</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: remove fsync in do_nsupdate()

No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8588c5006a61855cb178643916a02513df3fa31">a8588c50</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)

ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3cbd24dd04ece7ab24c5cbd3448a46aeb02363f8">3cbd24dd</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-06-29T10:01:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d995b8c2ae7fd6902107f1566d59e00a16adcd9">5d995b8c</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-06-29T11:06:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase timeout for test_commands.py

test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae4478de1f0e9e35098d1bbbfae1b3506bcf3672">ae4478de</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-06-29T11:04:56-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return a copy of cached entries, only with requested attributes

Some plugins, notably dns, modify a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b3496a7b3f6aaf23b8364e41c10a2689dc6e513">6b3496a7</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-29T18:27:20+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA v.4.9.6

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b7e8841824b44fc41581717c51ccd4b0fc553ff">2b7e8841</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-06-29T18:29:14+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e713c227bb420a841ce3ae146bca55a84a1b0dbf">e713c227</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">paths: add IPA_SERVER_CONF

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee4be290e1583834a573c3896ee1d97b3fbb6c24">ee4be290</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: smoke test for server debug mode.

Add a smoke test to make sure the server can be set in debug mode
without issue.

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1539c7383116647ad9c5b125b343f972e9c9653b">1539c738</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-02T11:47:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rpcserver.py: perf_counter_ns is Python 3.7+

perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9cfae2623420356fd99e09bf8559b11da66e2ccd">9cfae262</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-05T16:45:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove unneeded dependency on python-coverage

The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a5d2857297cfcf87ed8973df96e89ebcef22850d">a5d28572</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-06T17:36:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add checks to prevent adding auth indicators to internal IPA services

Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.

Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/28484c3dee225662e41acc691bfe6b1c1cee99c8">28484c3d</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-06T17:36:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: ensure auth indicators can't be added to internal IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client has
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06468b2f604c56b02231904072cb57412966a701">06468b2f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-06T18:12:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">stageuser: add ipauserauthtypeclass when required

The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.

There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.

Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc">4a5a0fe7</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-06T18:12:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">XMLRPC test: add a test for stageuser-add --user-auth-type

Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/076e499f6f1223458cb896f1e90296e511c922d7">076e499f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T17:32:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">augeas: bump version for rhel9

augeas 1.12.1-0.1 adds support for the new chrony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/195035cef51a132b2b80df57ed50f2fe620244e6">195035ce</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T18:10:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man page: update ipa-server-upgrade.1

The man page needs to clarify in which case the command needs
to be run.

Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c0a123e99d943f115cc726e391f5d79b5bfb70e">2c0a123e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-08T22:44:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Server install: do not use unchecked ip addr for ipa-ca record

At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.

For each address, make sure that it's neither reserved nor a
link-local address.

Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca8c7010e8aa0f87bde11c36947fefd549bae8fd">ca8c7010</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-12T09:01:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SHA384withRSA as a certificate signing algorithm

It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already-issued certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4">b2e62923</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-12T12:48:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use whole date when calling journalctl --since

The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/26be7ffdba87e0e6294ea035ab3dc9bd933fba43">26be7ffd</a></strong>
<div>
<span>by Sudhir Menon</span>
<i>at 2021-07-12T13:43:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3540986a11d4f3401ba4918f25229a79283d9dbd">3540986a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add basic support for subordinate user/group ids

New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d4fe06663c3e66b1da73c01ce022790634a3e3b">5d4fe066</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Redesign subid feature

Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ef115b04182d572bf61e32e2405bbb68ff65e928">ef115b04</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use 389-DS' dnaInterval setting to assign intervals

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e6e3fb606d08b0dc57bfa360a0f0082052441db6">e6e3fb60</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ipa-server-upgrade

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44ccc0f64bac9fc2e7e3264984af26635bb34742">44ccc0f6</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix oid of ipaUserDefaultSubordinateId

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f4b8982cd06011df8daac480a726637fc52649e">9f4b8982</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Improve subordinate ids user workflow

- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings

Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b53a52a1fafa94e0129e6e3e55fddd59909f0f0a">b53a52a1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-07-12T17:17:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test DNA plugin configuration

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f910eb2dda8595da435b4aed6e759a2916df813">7f910eb2</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-07-13T09:29:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_ipahealthcheck: print a message if a system is healthy

Test that when the system is completely healthy, an informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e5df4dc4884f1a66ccbca79b9a0d83874c996d1d">e5df4dc4</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-07-13T19:30:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency

KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ad535b618d60fa016061212ff85d0ad28ccae59">8ad535b6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-14T09:54:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fall back to krbprincipalname when validating host auth indicators

When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d456649feb40d462f73321a4a220b4aff7adb443">d456649f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-14T10:05:59-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pr-ci definitions: add subid-related jobs

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40e4ccf1ea943aba4d10e8126ffa49feddd2e683">40e4ccf1</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-15T08:02:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: close notification when revoking cert

When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02c0da3ef74948579106aab4b669f6e64dd60b24">02c0da3e</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-07-15T08:25:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg

Earlier it used to fail when the startup directive was missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning rather than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a4f459b81bc77cdf233b65f41d0f76dbb5f2fce">1a4f459b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-15T18:22:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec file: Trust controller role should pull sssd-winbind-idmap package

ipa-server-trust-ad subpackage needs to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a5159b216455070eb51b6a11ceaf0033fc8ce4c">1a5159b2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-07-16T19:18:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rhel platform: add a named crypto-policy support

RHEL 8+ provides bind system-wide crypto policy support, enable it.

Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b132956e42a88ab39bb8d6a854e7c5d28d544a11">b132956e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-17T16:20:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Index: Fix definition for memberOf

The index definition for memberOf is inconsistent:

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

The cn attribute should be memberOf, not member. Fix the definition.

Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f7997ed0b7d5b915c0184bf8e8864ff935cd6232">f7997ed0</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-07-18T14:00:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: fix algo for finding available idrange

The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/161d5844eb1214e60c636bdb73713c6a43f1e75c">161d5844</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-20T13:58:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: smbclient "-k" => "--use-kerberos=desired"

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86869364a30f071ee79974b301ff68e80c0950ba">86869364</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T13:26:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_acme: refactor with tasks

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/701adb9185c77194ba1ad0c5fd2f13484417ef6f">701adb91</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T13:26:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_acme: make password renewal more robust

A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b826ab3582566b15a618f57cb2e002a9c16ef64">5b826ab3</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-22T14:36:55-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tasks.py: fix flake8-reported issues

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b9adf1d8d5efb48e734650e4101e8816b01e1d3">0b9adf1d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-22T18:19:58-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use new method in check to prevent removal of last KRA

It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.

Use server roles instead to determine if the last KRA server
is to be removed.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ea8f8b68b5a7217518f68065a5fc1df16126314">8ea8f8b6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-22T18:19:58-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test removing last KRA when it is not running

Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb1d509fd5271d39cc899838b57e5398683401f7">eb1d509f</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: temporarily disable problematic tests, #1

test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18ccaea7cb36b3d1069f0d12a15b06357b3f94f0">18ccaea7</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: temporarily disable problematic tests, #2

test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33c561dcd30dc346ccbaa00933bcd1cac5e994b6">33c561dc</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-07-23T11:21:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">gating.yaml: Fix TestInstallMaster timeout

test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it times out in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/89ca5c8836333aece9caf2ac433ccab1140f909a">89ca5c88</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Display all orphaned keys in automountlocation-tofiles

Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dbe4159e27d44550085cb3ce0629d1e525c9b30e">dbe4159e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add test for ipa automountlocation-tofiles

Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ded3cd3fc8490561e44310e8f89efc3e13e82884">ded3cd3f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-07-26T13:11:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix automountlocation-tofiles expected output in xmlrpc test

The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/02447762a3f62383313f0b8cd7c5d129dc2c6213">02447762</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-07-27T15:23:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: bump prci boxes + move gating to f34

Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab4720d9c2bae059e8f622cd4a331510fefe27ae">ab4720d9</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-27T17:38:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kra-install: exit if ca_host is overridden

ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.

Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a4e13a33247fb14145c632fb53b4480fc5fb10ea">a4e13a33</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-07-27T17:38:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test if KRA install fails when ca_host is overridden

KRA install on a replica should fail if ca_host is
overridden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a1eb13cdbc109da8c028bb886a1207ea2cc23cee">a1eb13cd</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-08-02T09:53:36-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix ldapupdate.get_sub_dict() for missing named user

The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b">e0e1d6f9</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-03T08:17:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec.in: remove python3-pexpect from Requires

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fbbff3edc0fcc8bf2624283ccd88848eedaac8d7">fbbff3ed</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:23:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide more information in ipa-certupdate on ccache failure

ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentials.

Include the principal being retrieved and the keytab being
used.

This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42206df69adc9c1eefa3ee576891b2ae3ac269e0">42206df6</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-getkeytab: add option to discover servers using DNS SRV

The basic flow is:

- If server is provided by the user then use it
- If server is the magic value '_srv', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0114d24ea160676b784ef7010c19bbacc67ceea0">0114d24e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-getkeytab: fix compiler warnings

Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.

Use correct datatype of return value for ber_scanf to
correct different signedness comparison.

Fixed while working on https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7a13200fd8b92dd90ebc4b6416ef25659df8aa71">7a13200f</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-03T08:53:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test ipa-getkeytab server option

Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25a4acf3ad5964eacddbcb83ddf9f84432968918">25a4acf3</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-04T08:39:03+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test for OTP when the LDAP connection timed out.

Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/018ee09ccbe7fc0a5b0909592eadd168224b2409">018ee09c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:42:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: if p11-kit provides opensc, don't add to NSS db

p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9a4a6cdd27781573351595e38d38eeadc8ab090d">9a4a6cdd</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:42:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-advise: Define the domain used when looking up ipa-ca

The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.

Discovered while working on https://pagure.io/freeipa/issue/8934

Related: https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/826b5825bd644fc69a9bee17626d71fe03cc0190">826b5825</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T08:44:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: verify that getcert output includes the issued date

certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4c0dcabd6e2163dfa80a4d2a18064824934274fa">4c0dcabd</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-08-04T15:25:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnszone: deprecate option for setting SOA serial

Since IPA 3 [1] SOA serial is managed automatically via autoincrement,
and the option of disabling this behavior was deprecated in IPA 3.3.3 [2].
As a result, the option '--serial' during DNS zone addition would be
ignored as it is set during the creation. This commit adds a deprecation
warning if this option is used.

[1]: https://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
[2]: https://www.freeipa.org/page/Releases/3.3.3

Fixes: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1d7512495d3e7f933d95707f74a6b6f0aeecd00f">1d751249</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-08-04T15:25:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: expect SOA serial option deprecation warning

Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3">96dd8ac1</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-08-04T15:30:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Look for warning into stderr instead of stdout

In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0526174971017aebfb9d9fcb29c6dde6e67438fe">05261749</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-04T16:28:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add index for sudoorder

sudorule-mod <rule> --order=<num> does a search for an existing
order and this search is unindexed.

https://pagure.io/freeipa/issue/8939

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ae23e1257478bfee04b08b54f36dda7f5850348">9ae23e12</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-05T14:38:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use krb5_trace in TestIpaAdTrustInstall

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97a2a925348d3bd732e582108feb02d644ba011a">97a2a925</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't assume that plugin attributes and objectclasses are lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e28e45402c7edb007e356a59cf09ed8e10cd14d9">e28e4540</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add suite for testing custom plugins

Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78c48199782743e619463cefa7411817f4fe4a14">78c48199</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-05T17:54:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pr-ci definitions: add custom plugin-related jobs

Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7fb95cc638b1c9b7f2e9a67dba859ef8126f2c5f">7fb95cc6</a></strong>
<div>
<span>by Chris Kelley</span>
<i>at 2021-08-06T07:57:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse getStatus as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c5b5bc9099fc26b863d7c964e47dbdcd0ff008c8">c5b5bc90</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-08-09T14:53:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix string check in uninstall helper

The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parentheses. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a3d71eb72a6125a80a9d7b698f34dcb95dc25184">a3d71eb7</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-09T14:24:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test ldapsearch with base scope works with compat tree.

Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4062e407d242a72b9d4e32f4fdd6aed086ce005">d4062e40</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-09T14:24:28-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: skip test_basesearch_compat_tree on fedora.

slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40f76a53f78267b4d2b890defa3e4f7d27fdfb7a">40f76a53</a></strong>
<div>
<span>by Chris Kelley</span>
<i>at 2021-08-09T14:26:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Parse cert chain as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eac03d6828d0bac1925c897090fc77e250eaee04">eac03d68</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-10T13:50:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Refactor test_check_otpd_after_idle_timeout

Use whole date when calling journalctl --since
ipa-otpd doesn't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74">4fdab0c9</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2021-08-13T08:14:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test unsecure nsupdate.

The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TSIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related : https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c9bc471e063f2865d6423e4f1c9b81e73a45e43f">c9bc471e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-13T08:17:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser

Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/488ac7e3ba9f36d6b187687d120920d2d80d8b7f">488ac7e3</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-08-15T10:01:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files

Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/be3a0f3201bbb060a9d53fb65cbbccf6c7bf9bb4">be3a0f32</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-17T17:48:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Clean up the PKI securitydomain when removing a server

PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a417810df5500b5780396ab88d53eaea74f74ccc">a417810d</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-17T17:48:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Verify that securitydomain is updated on server-del

For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3cb6b5c801b04922c3a23070e79aab20399d033b">3cb6b5c8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-18T17:56:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors

Signed-off-by: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/da1d543c2bfa9e4acb6fde170e66c88e521ac232">da1d543c</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-08-18T12:03:35-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Only call add_agent_to_security_domain_admins() when CA is installed

This allows the RA agent to manage the pki security domain and is
only needed if a CA has been configured. Only call it in a CA-ful
installation.

https://pagure.io/freeipa/issue/8956

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d2df13d8f0e8b417356fef2af7310b75e46e2699">d2df13d8</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-19T16:13:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.9.7
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60745116a2bc71bef508be5a7a2e1f6082f24bca">60745116</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-19T19:00:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Back to git snapshots

Signed-off-by: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/210c53dd41a85b7619eb7a2ad427055c994ee1e5">210c53dd</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-20T16:02:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec.in: update 389-DS version

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e0aef5296b66c0b460f7e10993610fe68b312241">e0aef529</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-08-20T16:04:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: test to renew certs on replica using ipa-cert-fix

This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Defined method to move the date and refactor
expire_cert_critical fixture using it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a620e5e9e152defe144705913521c3cf556faa0e">a620e5e9</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-08-20T16:04:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: wait while http/ldap/pkinit cert get renew on replica

LDAP/HTTP/PKINIT certificates should be renewed on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these certs were not renewed and it tried to fix them.

This test adds check for replication before calling ipa-cert-fix
on replica.

Fixes: https://pagure.io/freeipa/issue/8815

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b38afc0487efde57f04cf4a8c15f03be46971f3">1b38afc0</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-08-20T16:04:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update the timeout for test_ipa_cert_fix.py in nightlies

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4a3a15f45aad016730252c09e3e173a18184603e">4a3a15f4</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-08-20T16:04:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: refactor test_ipa_cert_fix with tasks

Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0b359fbdef8174b9f53d4af0770a6a2e72198e3b">0b359fbd</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-24T18:32:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Run pycodestyle check in Lint job

- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31afc004bc034f3170247d4c7ccd3a7cc0d32551">31afc004</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-24T18:32:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pycodestyle: Check *.in Python files

Many of IPA Python scripts are shebang configurable scripts and
have special suffix '.in' for that. Pycodestyle by default checks
only '*.py' files [0].

[0]: https://pycodestyle.pycqa.org/en/latest/intro.html

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b5036b5ce9ae4fab011e57fe2b37a35fdd098a70">b5036b5c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-08-25T13:59:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/939d0f5df67aa39cd31f68a6da4153460066ca66">939d0f5d</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-25T18:54:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">schema plugin: Generate stable fingerprint

If some Param defines several values for `exclude` or `include`
attributes then API schema hash will be unstable.

First, these Param's attributes are converted to frozenset
(ipalib/parameters.py), then `ipaserver.plugins.schema` plugin
converts `exclude` and `include` attrs to list. Set/frozenset in
turn, is unordered collection [0]. So, the end order of values is
undefined.
But due to the nature of sets:
> two sets are equal if and only if every element of each set is
contained in the other (each is a subset of the other)

the order of values can be ignored.

Note: other Param's attrs with type frozenset are not affected because
they are not processed by the schema plugin.

[0]: https://docs.python.org/3/library/stdtypes.html#set-types-set-frozenset

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/14ad52238543ab845a8d6dadd65ff2fb6e67d8df">14ad5223</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-08-25T18:54:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add tests for `schema` Command

- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered

- allow testing of the plugin in `development` mode(locked API).

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5abf1bc79f8b32c6638ff98fbe2e4a8dec9a5010">5abf1bc7</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2021-08-27T09:46:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Specify PKI installation log paths

The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.

This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.

Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/07e2bf732f54f936cccc4e0c7b468d77f97e911a">07e2bf73</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-08-31T16:47:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux policy: allow custodia to access /proc/cpuinfo

On aarch64, custodia creates AVC when accessing /proc/cpuinfo.

According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.

audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };

but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.

Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2cf0ad5cfd2d558c844bc9640c121fa35ebb1c30">2cf0ad5c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2021-09-01T09:18:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add URI system records for KDC

MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4fca95751ca32a1ed16a6d8a4e557c5799ec5c78">4fca9575</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-09-02T20:48:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a6e708ab4006d6623c37de1692de5362fcdb5dd6">a6e708ab</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-09-02T21:09:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Catch and log errors when adding CA profiles

Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.

It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.

Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.

https://pagure.io/freeipa/issue/8974

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4785a90946ec694ccc082f062b2181b23c7099e3">4785a909</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-09-03T09:33:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">subid: subid-match: display the owner's ID not DN

Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes: https://github.com/freeipa/freeipa/pull/6001
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3fb0f5333613beabeead3feb73dc0fea9694bcdc">3fb0f533</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-09-05T11:53:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Increase default limit on LDAP searches to 100k

A similar change was attempted years ago in commit
9724251292e4c0797367fcc351a9f16f30c6aefe but it was
never applied because it used the wrong DN and because
nsslapd-timelimit is already present in the entry
the default keyword won't trigger.

Use replace instead to increase the value to 100k from
the default as originally intended.

nsslapd-sizelimit can be changed only with a MOD_REPLACE
otherwise a LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA
only uses MOD_REPLACE for single-value attributes but
nsslapd-sizelimit is not yet in schema. Add it to
the known set of exceptions for single-value attributes.

https://pagure.io/freeipa/issue/8962

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/10dfc43743d80dadb125085c4263e191c800b278">10dfc437</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-06T11:50:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream'
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/13627cb28f3f40f48a3fbba46bbd27bb2d79a8bc">13627cb2</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-06T11:50:48+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5aa83b9696cc9d661026f1a693fb2e1722d1076e">5aa83b96</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-07T16:41:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Bump 389-ds-base depends.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/427b6f95c87c4d6b074d37043fd8381cef5d7022">427b6f95</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-07T16:45:53+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Drop python3-coverage depends, it's not used.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d56fd209dc36c0cece1e5ef298c6cd288bb14043">d56fd209</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-07T16:55:07+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new files for the server
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9d6821c8edcf965b8b11096b325e3e0675a83750">9d6821c8</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-07T17:24:04+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Bump dogtag depends.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8acdf1f125c4163731291a6983a6b62ebc4f0942">8acdf1f1</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-09-07T17:25:06+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Drop more of custodia.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/395b0d26d0b042d5384bc8e7272f0121db0989ed">395b0d26</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-08T10:34:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: rpcclient now uses --use-kerberos=desired

The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see
https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)

Adapt the test to be compatible with both old and new versions.

Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3c4f9e7347965ff9a887147df34e720224ffa7cc">3c4f9e73</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-08T14:47:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">migrate-ds: workaround to detect compat tree

Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.

Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.

Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4f569c68cde408865389c61f9befb2ea23bd6d30">4f569c68</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-09T07:53:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix logic waiting for repl in TestIPACommand

The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master

The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
    Note that this waits for updates originating on this host, not those
    coming from other hosts.

Fixes: https://pagure.io/freeipa/issue/8975

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d1343e8f539679227c8dbfb58ba634810d3857da">d1343e8f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-09T07:56:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">docs: Make use of `text` highlighting

As of 4.9.7 FreeIPA makes use of raw lexer in doc/designs/subordinate-ids.md.

raw alias has been removed in Pygments 2.8.0:
https://pygments.org/docs/changelog/#version-2-8-0
https://github.com/pygments/pygments/pull/1643

This causes the failure of Azure Docs job.

I think that the original goal of `raw` was the disabling of block
highlighting, which can be done with `text` lexer:
https://pygments.org/docs/lexers/#pygments.lexers.special.TextLexer

Fixes: https://pagure.io/freeipa/issue/8985
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ef58efe7e4c3f8ed3e31623035eba2a3bdba6e46">ef58efe7</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-15T09:50:09+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix expected msg in tasks.run_ssh_cmd

OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfe94640ed8befbf29e3c35f0cb57e702211ef44">dfe94640</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-15T12:08:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Ignore tar errors

Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8fcc0f077bc24e0c7d0c7434fbd4e91372021217">8fcc0f07</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-15T12:10:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5: Pin kpasswd server to a primary one

There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.

Since `IPA` provider or SSSD offline the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
falls back to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on IPA server doesn't include `kpasswd_server` and kinit
falls back to DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password was changed on a replica but was not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)

So, `kpasswd_server` serves as fallback for the offlined locator.

Note: primary_kdc(the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.

Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/12ebc658a8bcde3cf5a9665e10981f822fa00dad">12ebc658</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-15T12:10:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Log debug messages for locator plugin

SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/be1e3bbfc13aff9a583108376f245b81cc3666fb">be1e3bbf</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-09-16T15:04:41-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't store entries with a usercertificate in the LDAP cache

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangeably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86588640137562b2016fdb0f91142d00bc38e54a">86588640</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-09-16T15:04:41-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Test that a user can be issued multiple certificates

Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9f7300732f1be90bfb736a8ec3e5fb58c8ce288">a9f73007</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-21T08:28:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">schema plugin: Fix commands without metaobject arg

Previously, all the commands of schema plugin derived from
BaseMetaSearch require metaobject as their argument
(by implementation), but the spec for some of them only optionally
asks for search criteria arg. This patch fixes this inconsistency.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e4839b048040877cc7d780d2d98b25233db62537">e4839b04</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-21T08:28:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">command_defaults: Don't crash on nonexistent command

It's common for ipa commands to raise NotFound in such a case.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/83405a75c2496c8728f9560823738f8ad51cdc33">83405a75</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-21T08:28:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_schema_plugin: Drop dependency on Tracker

Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin do not use LDAP at all.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/973334c9fc247ce6334bcd67f5cd9c3c6b35c660">973334c9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-09-21T08:28:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_schema_plugin: Add missing tests for command, class and topic commands

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bdf479e8cdab14a3985d8acc9fe234e13820108a">bdf479e8</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-09-22T13:02:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kdb: fix typo in ipa_kdcpolicy_check_as

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/186497cb790a81d43c35659f81fab2eb47ea65cd">186497cb</a></strong>
<div>
<span>by Vit Mojzis</span>
<i>at 2021-09-27T11:45:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: Fix file context definition for /var/run

There is a file context equivalence rule assigning /run the same
contexts as /var/run. Because of it it's necessary to use /var/run
instead of /run in file context definitions.

See:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#File_contexts_and_equivalency_rules

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/01dfce68d97f373c92dd82e355392e5123df8f07">01dfce68</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-29T17:31:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update expected error message for openssl verify

The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.

Fixes: https://pagure.io/freeipa/issue/8999
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc384b0773c92e1743152b6c04af12b0f17e842b">fc384b07</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-09-30T09:08:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: increase sosreport verbosity

With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
https://github.com/sosreport/sos/commit/1d0729a9dcfe3f3cebb961114c9bc05136cf8cfb

Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.

Fixes: https://pagure.io/freeipa/issue/9000
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b706483c827a971aeae855199b9d4ce6005e53b1">b706483c</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-10-04T17:47:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui test: close notification after selinux user map update

The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.

After saving the modification on the record, close any notification
to make sure the test succeeds.

Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e60076690cc02105d4a6abd9afb6aba5dd70b6bd">e6007669</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-10-05T12:39:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check for message in sssd log only during actual test action

Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.

Fixes https://pagure.io/freeipa/issue/8987

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bbda3590bb20a2915261f2fd9b8a8e0b169f93f4">bbda3590</a></strong>
<div>
<span>by Chris Kelley</span>
<i>at 2021-10-08T10:44:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make Dogtag return XML for ipa cert-find

Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34d6f51fb8ddc97d21470db9a638386127c4c581">34d6f51f</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-10-08T14:10:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Update the subca used in TestIPACommand::test_cacert_manage

The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.

Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f2d46b66d366cef92aa691c723358d49ce12920">7f2d46b6</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-13T15:30:13+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.9.7-1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/30cf9dc90a1189618daaefc6034ba782e2f1ac93">30cf9dc9</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-13T15:45:44+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">lintian: Drop override on python-script-but-no-python-dep, which doesn't exist anymore.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dda9a60f9f2d51b8363c228de5882bb56a52fff1">dda9a60f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-13T16:23:09+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">rules: Add fortify flag to CFLAGS, as CPPFLAGS isn't used by the project.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c835560a3f3ef380fc73d25cf340d1579f8db6d1">c835560a</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-13T16:44:38+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: Drop allowed failure for blhc, it passes now.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b3ae6b9d2c6b95e7c78ef5ff336571ce3f857f89">b3ae6b9d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-14T20:47:10+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Build-depend on libcurl4-openssl-dev.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/488fb1049397c3adc10a2b80737374cff5a87af4">488fb104</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-10-19T14:01:05-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">seccomp profile: Default to ENOSYS instead of EPERM

This allows an application to detect whether the kernel supports
a syscall or not. Previously, the error was unconditionally EPERM.
There are many issues about glibc failing with new syscalls in containerized
environments if their host runs on an old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3f36ae2ac5dcc91ee66d714b829229de317ff2f7">3f36ae2a</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-20T00:13:50+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix-paths.diff: Fix some paths in ipaplatform/base.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/799d5e3f1f526baec32caf7a6b8657d5748b4542">799d5e3f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-20T01:20:28+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix-apache-group.diff: Fix apache group name in ipa.conf tmpfile.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8dd788daf9fbf694754771082db9ee1d7f64fef0">8dd788da</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-10-21T12:38:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">azure: Don't customize pip's builddir

As of 21.3 pip:

> Remove the --build-dir option and aliases, one last time. (pypa/pip#10485)

https://pip.pypa.io/en/stable/news/#v21-3

Previous versions warn about deprecation.

The builddir is provided to pip via env variable PIP_BUILD in Tox task.
The purpose of changing of default builddir was noexec mount option for
/tmp in Travis (see 17d571c961). Since Travis is no longer used and
Azure lacks this issue the PIP_BUILD can be safely removed.

Note: pip 21.3 just ignores this env variable, which is more than can be
said for the command line option. It's better to clean it up, since the
behaviour may be changed in future.

This is effectively the revert of 17d571c961.

Fixes: https://pagure.io/freeipa/issue/9011
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/17ba2732f90a69b860f70662133e6904d7373b04">17ba2732</a></strong>
<div>
<span>by Michal Polovka</span>
<i>at 2021-10-21T12:40:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: webui: Specify configuration loader

Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.

Fixes: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/82eaa2eac454aed75a498d2c6ccd9e921f9c8a89">82eaa2ea</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-10-21T15:58:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-samba uninstall: remove tdb files

ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6302769b83af75f267c76fe6f854d5b42b6b80f5">6302769b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-10-21T15:58:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-server-install uninstall: remove tdb files

ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4afdb7f24bc346691dc0ee74c9b052c285c101c9">4afdb7f2</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-10-23T11:54:38+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Depend on gpg instead of gnupg.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b3bee9b52a037b8ae44ceb6c7d40608a352325a7">b3bee9b5</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2021-11-01T15:14:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use AD domain name from config instead of hardcoded value

The test fails when test config contains AD domain value other than one
hardcoded in the test code.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c1baae842529d89b7fda78ace5ffcff165a995ce">c1baae84</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-11-01T11:51:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">On redhat-based platforms rely on authselect to enable sudo

The default platform task enable_sssd_sudo() writes directly
to nsswitch.conf to enable sudo. This isn't necessary to do on
systems with authselect where we already pass in with-sudo as a
profile option.

Override the default function which does a direct write with a no-op.

https://pagure.io/freeipa/issue/8755

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7480844765e029ccb5e7149059efd4c56e400982">74808447</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-11-01T11:55:13-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: TestMultipleExternalCA: Create tempfiles on remote host

Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempt to create tempdirs on local host and later write some
content into the returned paths on remote host. This fails if
a remote host is a local one.

The existent `create_temp_file` function has been extended to
support `suffix` option of `mktemp`.

Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dd07db29eec92b421569a194a1d2294852cd6a5c">dd07db29</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SID generation: define SIDInstallInterface

Move the SID-related options into a separate InstallInterface
(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
make ADTrustInstallInterface inherit from SIDInstallInterface.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e527857d000e558b3288a7a210400abaf2171237">e527857d</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Installers: configure sid generation in server/replica installer

ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.

Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a91e6712e80a19070cb9f201b2d2f15ac8b28ff4">a91e6712</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">adtrust install: define constants for rid bases

Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b98ecabba196107c692825e081fd1c7a6123c2aa">b98ecabb</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa config: add --enable-sid option

Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5bb56f910c39b3db762b6802a6dfaa25a0e77c76">5bb56f91</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test ensuring SIDs are generated for new installs

The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31d095eac1aa7158761de29aa4f3c42604e83f17">31d095ea</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: interactive install prompts for netbios name

The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/efc9df086725a151e15fc93b7550bc01df8d1151">efc9df08</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: adapt expected output with SID

From now on, new users/groups automatically get a SID.
Update the expected test outputs.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86d1683e0966a5d33e570b9cc2bb032e9af98bf0">86d1683e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">User lifecycle: ignore SID when moving from preserved to staged

When a preserved user entry is moved to staged state, the SID
attribute must not be provided to user-stage command (the option
does not exist and the SID will be re-generated anyway).

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c6fd0d00bacf56f1c3bffb2674042058a4608f10">c6fd0d00</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: backup-reinstall-restore needs to clear sssd cache

The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9c7e8c669740528812a06f9af73fe927313270c9">9c7e8c66</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Webui tests: new idrange now requires base RID

Now that SIDs are always generated, the creation of a new
local idrange is refused if baserid is missing.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/61f42aefe35d60432d5542ed5fa3f546e6d71f0b">61f42aef</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">User plugin: do not return the SID on user creation

The SID is not part of the default user attributes and does not
need to be returned in the user-add output.

Related: https://pagure.io/freeipa/issue/8995
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/009a8cdfcba78ab6153e132ef653792018e1662b">009a8cdf</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-03T11:02:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update the expected output of user-add cmd

The SID is not expected to be returned by ipa user-add.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/331cadd8f25ab627fc419c48f2db6cc9cafafe40">331cadd8</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-11-04T09:44:39+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make the schema cache TTL user-configurable

The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d3edc039419e9a944ee37dd9e02edfd6a627db5a">d3edc039</a></strong>
<div>
<span>by Mohammad Rizwan</span>
<i>at 2021-11-04T09:49:18+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove redundant kinit from test

Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4c14b8cfddf78d4e792eb944ef1a765a115e3f10">4c14b8cf</a></strong>
<div>
<span>by Sumedh Sidhaye</span>
<i>at 2021-11-09T10:25:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain)

where {id} is an unknown authority ID.

Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/421e12468d3ebaf8e259789bdba173a785c9e5d4">421e1246</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-10T17:17:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix get_user_result method

Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ded98b66ed62a2edc7b27c02e0b94a6e6fa8ae9">9ded98b6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: store SID in the principal entry

If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ecbdd8e5968b1b4033bedb90fccdd0f05720b40">9ecbdd8e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: enforce SID checks when generating PAC

Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eb5a93ddbe0ab17c36d5c78e5c0fcf020745484a">eb5a93dd</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: use entry DN to compare aliased entries in S4U operations

When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.

Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).

Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8b5e496101963c7059fac2a4a5c8b5e15ad9f726">8b5e4961</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: S4U2Proxy target should use a service name without realm

According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.

Fixes: https://pagure.io/freeipa/issue/9031

Pair-programmed-with: Andreas Schneider <asn@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andreas Schneider <asn@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4cafdac1dfbd95087c3d0510cbf2638fc31c4d94">4cafdac1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: add support for PAC_UPN_DNS_INFO_EX

CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.

The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/879ef1b1a69ed187fcfa8fff007ab95ec72a1a65">879ef1b1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: add support for PAC_REQUESTER_SID buffer

CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal.

The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b71467e2fe5942688d2d988999340ef398b97a29">b71467e2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support

PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/adf5ab7344b810106cb4b493c798af597d14a080">adf5ab73</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: Use proper account flags for Kerberos principal in PAC

As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/693c165ce83df9e21a4928cde64bdea9f997d1a6">693c165c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-11T16:11:05-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SMB: switch IPA domain controller role

As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations.  This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.

Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a95ccd908f9e04375380f5dba1110f6c55a93638">a95ccd90</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-15T14:51:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: honor SID from the host or service entry

If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5213c1e42cdedf4a862bf7173d7c632d0c1460b5">5213c1e4</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-15T14:51:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U

Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.

In such case, validate the SID of the domain in PAC against our realm
and any trusted domain but skip an additional check of the DB entry in
the S4U2Proxy case.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ed8174854c861bb04e2ebd9fba00c3f88bb12d0f">ed817485</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-17T15:31:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Drop libwbclient-sssd from freeipa-client-samba Depends.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a0d1c51fdcb3d4b14b46bc8fdd358688f4fa6a15">a0d1c51f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-17T15:39:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">patches: Import a patch to fix ipa cert-find. (Closes: #997952)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/832131bf220af3b0ccc620e388ceb0caf7f7dafe">832131bf</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-17T15:41:37+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.9.7-2
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/19261b379d2405384c293f15073652ee02a7bb76">19261b37</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-17T16:34:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Set KRB5_TRACE to use stderr.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b086da4d6d75401f86cbc84efd7457f1f27c6169">b086da4d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-17T16:36:02+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">wrap a changelog entry
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0428e800ac1372765124de2982aa7048fbd13070">0428e800</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T10:59:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">patches: Fix apache group properly.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/118b06e97cb20b76daa6ea5662724288cd26c773">118b06e9</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T11:15:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">client: Move .tmpfile -> .tmpfiles.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2644cba68bc43380200b73bd634c1383fe1bcf99">2644cba6</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T11:16:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Bump debhelper to 13, gain dh_installtmpfiles being run.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/038c24afcc564a96130f7e4bd1b0a37025067406">038c24af</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T17:25:29+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control, rules: Add --without-ipa-join-xml and drop libxmlrpc from depends.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b5cb6c3019cf5ea3449ec690f4988624919d45a">2b5cb6c3</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T18:50:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server.postinst: Drop creating old ccaches for mod_auth_gssapi, obsolete.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7bba5e75bb6fc0f8b32ea6781acc87ffc6fa7b87">7bba5e75</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T18:52:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server.postinst: Drop old upgrade rules.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97062538dc441523452cb397f04d1c71405fde2d">97062538</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T19:11:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">patches: Fix named keytab name.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9fe1b05eb0aa7f074425c0990e756a6411a773e3">9fe1b05e</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-18T21:20:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.9.7-3
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ca5b094f829f47b0629301c23818096a5834609">8ca5b094</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-18T20:24:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail

The test failure is a known issue, happening on f33+. Mark as xfail
until 8700 is fixed.

Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c850cd52dcee8d2e5107af5ddf33e79b4e33527f">c850cd52</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-11-18T20:25:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec.in: -server subpackage should require samba-client-libs

KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d97250fac563c4a41dc0c4dddc84502c0af16ff6">d97250fa</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-11-18T19:59:18-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Bump PR-CI latest templates to Fedora 35

Moving 'latest' to Fedora 35 and 'previous' to Fedora 34.

Based on https://github.com/freeipa/freeipa-pr-ci/pull/445.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bb5ef716070cb564b3455ddf7a6656de5e228d0e">bb5ef716</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2021-11-19T22:14:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Fix UI_driver method after Selenium upgrade

`WebDriver.switch_to_active_element()` was deprecated in favour of
`driver.switch_to.active_element`.

Method was deprecated a long time ago, however deprecation message and
proxy method were removed recently and are not present in latest
version.

https://selenium-python.readthedocs.io/api.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to_active_element
https://www.selenium.dev/selenium/docs/api/py/webdriver_remote/selenium.webdriver.remote.webdriver.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to

Issue: https://pagure.io/freeipa/issue/9029

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/76afa643f4afd0167fd670142aa70369d91d7af2">76afa643</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-11-22T12:35:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pwpolicy: change lifetime error message

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4f5ed837b43d378ed9e003c279e311656b1773ab">4f5ed837</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2021-11-22T17:58:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">fix(webui): create correct PTR record when navigated from host page

In scenario:
1. make sure that reverse zone doesn't have the desired PTR record
2. open host page of the host matching the A record, e.g.: https://server.pvoborni.test/ipa/ui/#/e/host/details/test2.pvoborni.test
3. click on the "Host name" link, it will bring us to its DNS record page. E.g., https://server.pvoborni.test/ipa/ui/#/e/dnsrecord/details/pvoborni.test&test2
! notice the missing '.' in the URL after zone name (pvoborni.test)
4. click on the A record, dialog will show up, saying "record not found"
5. click on the "create DNS record"

PTR record created by Web UI doesn't have trailing '.' (is not fully
qualified record) even if the DNS zone is.

This patch is fixing the link to the DNS Record page so that the
page then correctly gets the DNS Zone name and thus creates a correct
fully qualified PTR record.

https://bugzilla.redhat.com/show_bug.cgi?id=2009114
https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a286cd31ec031e07b4d196715ae501f873a4bde2">a286cd31</a></strong>
<div>
<span>by Petr Vobornik</span>
<i>at 2021-11-22T17:58:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">webui tests: remove unnecessary code in add_record

Pkeys are not used anywhere in the method thus can be removed.

Related: https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1c66226e83bb8797122d3925b555516201edb8bd">1c66226e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2021-11-23T10:23:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't limit role-find by hostname when searching for last KRA

The "is this the last KRA" test did a role-find including the
current server. This skewed the result if the server to be
removed has a KRA installed, it would always return "not allowed"
because len(roles) == 1 and the name matched, regardless of
whether other servers also provided a KRA.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1660cfa3d2ec4a27c0456b3545a40eadbae45cfb">1660cfa3</a></strong>
<div>
<span>by Jochen Kellner</span>
<i>at 2021-11-23T16:13:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove duplicate _() in the error path

When running IPA in locale de_DE.UTF-8 I got an internal error:

jochen@freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten

This is not the complete message. Using en_US.UTF-8 would be ok.
In the httpd error_log:

] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
]   File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
]     result = command(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
]     return self.__do_call(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
]     ret = self.run(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
]     delete_entry(pkey)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
]     dn = callback(self, ldap, dn, *nkeys, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
]     self._ensure_last_of_role(
] File
"/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line
520, in _ensure_last_of_role
]     handler(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
]     raise errors.ServerRemovalError(reason=_(msg))
]   File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
]     messages.process_message_arguments(self, format, message, **kw)
]   File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
]     kw[key] = unicode(value)
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
]     return unicode(self.as_unicode())
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
]     return t.gettext(self.msg)
]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
]     tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] admin@EXAMPLE.ORG:
server_del/1(['freeipa4.example.org'], version='2.245'): InternalError

Alexander suggested to remove _() in local handler() function in
_ensure_last_of_role():

            else:
                raise errors.ServerRemovalError(reason=_(msg))

Looks like all the callers give already gettext-enabled message (wrapped
with _() already).

At least for my case I now get a complete error message.

Fixes: https://pagure.io/freeipa/issue/9046
Signed-off-by: Jochen Kellner <jochen@jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9c080734cb533d7a494b7259ac8d1ef89394d2c">a9c08073</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2021-11-23T17:41:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove xfail on f35+ for test_number_of_zones

systemd-resolved fixed the issue on f35+
Related: https://pagure.io/freeipa/issue/8700

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f89d59b6e18b54967682f6a37ce92ae67ab3fcda">f89d59b6</a></strong>
<div>
<span>by François Cami</span>
<i>at 2021-11-25T18:35:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">freeipa.spec: depend on bind-dnssec-utils

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Antonio Torres Moríñigo <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c587db883df9ae28a6d2500dbe32de14c6c4c119">c587db88</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-11-25T18:50:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b4f9026e80cd936f2e21420a9b6d233f53cb894a">b4f9026e</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-11-25T18:53:53+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update list of contributors

Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9620a5d7171de49f176a9504d1bb32db2d9650e">a9620a5d</a></strong>
<div>
<span>by Antonio Torres</span>
<i>at 2021-11-25T19:17:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become IPA 4.9.8

Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d19214ab8dab8f4eea749ee72b741c6c55ae17ad">d19214ab</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-26T09:43:46+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream'
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/01d1c90e4768cd92e92409853ad890dfa63c3e96">01d1c90e</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-26T09:45:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">patches: Drop upstreamed patch.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bc3519e3dbd854c69ce441e28cd95b3f26df8a98">bc3519e3</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-26T09:49:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">server.install: Updated.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfae1514cbf0d42f2361444a82eb14b84468b1e8">dfae1514</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-11-26T09:54:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b813540e02f7f0bd06fef394515850577969ac98">b813540e</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:32:08+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Build only the client, in order to be able to backport to bullseye. (Closes: #996946)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/90ebba0407137cb0a870623b550095b6c58758a1">90ebba04</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:33:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">control: Depend on librpm9 instead of librpm8.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/10646b644effa5d1d9b7d60dfbcf1a63120a944e">10646b64</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:37:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Disabled for a client-only build.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/99aa1043d0f76fa92e94ffb6f6fff034542a6d57">99aa1043</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:41:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.9.8-1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5fac11530cc04b8b89100582a33d61298567b7c7">5fac1153</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:44:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Upload to experimental, build the server and enable tests.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae0ca69844cdfbf92735368cae934c0e5513d790">ae0ca698</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2021-12-15T16:44:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package freeipa version 4.9.8-1+exp1
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#5da93d3ebfbadd620ae081fc5aa64ac8ac77097b">
.lgtm.yml
</a>
</li>
<li class="file-stats">
<a href="#736f0a5824e80bc5bc350a146522854b95f1d407">
.tox-install.sh
</a>
</li>
<li class="file-stats">
<a href="#8a8f67e18c8ed61c36e2901c12e37c094f6cd519">
.wheelconstraints.in
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">
README.md
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#521b4492ed13326bcb633dcdd0e7a0b876d266aa">
client/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#d9dd0d81d3f1f170011d4803fb3de849a9a6ddf9">
client/ipa-rmkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#26616f952ef398b6ae9eb7d8687721b05028074d">
client/man/default.conf.5
</a>
</li>
<li class="file-stats">
<a href="#afe90542f4b6de49a3da1dff8d7667da4892974e">
client/man/epn.conf.5
</a>
</li>
<li class="file-stats">
<a href="#86d0871079809bc274cf7bd2c747d3c7aeb1371c">
client/man/ipa-certupdate.1
</a>
</li>
<li class="file-stats">
<a href="#8a35d0bcf77b8ab072d502e1bdbfe353a823c769">
client/man/ipa-client-automount.1
</a>
</li>
<li class="file-stats">
<a href="#24d08149069d49a01ad6ec82eec3333757be12bf">
client/man/ipa-client-install.1
</a>
</li>
<li class="file-stats">
<a href="#f3153553f731ca55143d7f62256680c5de12e00a">
client/man/ipa-client-samba.1
</a>
</li>
<li class="file-stats">
<a href="#5bb28820be8979ff1f083ff242278cf186827464">
client/man/ipa-epn.1
</a>
</li>
<li class="file-stats">
<a href="#e5d2277e0d16da52a4ae8ec255fb546233366f49">
client/man/ipa-getkeytab.1
</a>
</li>
<li class="file-stats">
<a href="#f70f207ef425c21231653c53e989b0e96a0fc938">
client/man/ipa-join.1
</a>
</li>
<li class="file-stats">
<a href="#f4a901afc59cf36806c9813f72f69e1245153228">
client/man/ipa-rmkeytab.1
</a>
</li>
<li class="file-stats">
<a href="#2c2a403acbc45950144a2c61e3eaaa2b9e3fe8ed">
client/man/ipa.1
</a>
</li>
<li class="file-stats">
<a href="#76c99459095faf3fe417b3097322bdd0050dadb7">
client/systemd/ipa-epn.service.in
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#3a8ac5718fa25b966bf1e6d3bafee466cb12b8e9">
<span class="new-file">
+
contrib/cachelog
</span>
</a>
</li>
<li class="file-stats">
<a href="#96166f28db470121b0cb62714b780100b60880e2">
<span class="new-file">
+
contrib/perflog
</span>
</a>
</li>
<li class="file-stats">
<a href="#09410d1e7a9c3c252ce75e1581c97028d44b3103">
daemons/dnssec/ipa-dnskeysyncd.service.in
</a>
</li>
<li class="file-stats">
<a href="#d805817179e0c32b5f17229eae03defa6e20e212">
daemons/dnssec/ipa-ods-exporter.in
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">

<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/d63a654c38b747c49adb867697693195f9799a66...ae0ca69844cdfbf92735368cae934c0e5513d790">View it on GitLab</a>.
</p>
</div>
</body>
</html>