<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "Menlo"), DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: 0.875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px;
}
body {
font-family: var(--default-regular-font, -apple-system),BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px; font-family: var(--default-regular-font, -apple-system),BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<h3 style="margin-top: 20px; margin-bottom: 10px;">
Timo Aaltonen pushed to branch master at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Commits:
</h4>
<ul>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/657a7b2556e22b70802809dd784fe576d3edea95">657a7b25</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2022-11-24T17:13:36+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Back to git snapshots
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42957f9e7819ad76394b20337e65c7bee828dd8f">42957f9e</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-11-25T13:49:37+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API reference: update vault doc
Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).
Related: https://pagure.io/freeipa/issue/9259
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/660da9ab1d93fd8e561643728ae3821193953433">660da9ab</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-11-25T13:49:37+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API reference: update dnszone_add generated doc
Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)
Related: https://pagure.io/freeipa/issue/9249
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/42be04fe4ff317efe599dcbc2637f94ecc6fa220">42be04fe</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2022-11-28T18:53:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>updates: fix memberManager ACI to allow managers from a specified group
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aeb9cc9b622d3d4a40a7eb3fe5800649c68c3b96">aeb9cc9b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-02T10:18:16+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>PRCI: update memory reqs for each topology
The memory requirements are defined in the vagrant templates in
https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles
They have been updated and the corresponding values must be kept
consistent in the topologies for PRCI.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c411c2e7b2e400829ffac250db81609ef3c56faa">c411c2e7</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-02T10:32:34+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>webui tests: fix assertion in test_subid.py
The test wants to check the error related to an
exception obtained inside a "with pytest.raises" instruction.
The object is an ExceptionInfo and offers a match method
to check the content of the string representation.
Use this match() method instead of str(excinfo) which now
returns
'<ExceptionInfo NoSuchElementException() tblen=10>'
Fixes: https://pagure.io/freeipa/issue/9282
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8e7d1ac4e4779cc15b39a9901bb26c5f5997eb5b">8e7d1ac4</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2022-12-02T13:28:04+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-certupdate: Update client certs before KDC/HTTPd restart
Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs.
`ipa-certupdate` now updates the file before it restarts HTTPd.
Fixes: https://pagure.io/freeipa/issue/9285
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a10627bdb90bb6eeaf6a156476253edc503c72df">a10627bd</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2022-12-02T14:24:05+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API doc: add basic user management guide
Add basic user management guide that includes various examples on
performing common tasks related to the user module, such as adding an
user, modifying it, adding certificates for it, etc.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2d0a0cc40fb8674f30ba62980b1953cef840009e">2d0a0cc4</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-02T15:27:22+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: ipa-client depends on krb5-pkinit-openssl
Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.
Fixes: https://pagure.io/freeipa/issue/9290
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9599e975bcdc0a58a32ccee6ad531c7298661a1d">9599e975</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-14T15:44:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: xfail on all fedora for test_ipa_login_with_sso_user
With the new fedora36 vagrant image, the test is also failing.
Mark xfail for all fedora versions.
Related: https://pagure.io/freeipa/issue/9264
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Scott Poore <spoore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/65a14a36936b8ebfdb17560d5976447c6f4cdf7e">65a14a36</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2022-12-19T11:53:10+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fixes: ipa-otpd@.service: deprecated syslog setting
This patch updates the deprecated syslog setting i.e
StandardError=syslog with StandardError=journal
Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/68f6574cb2bcf0b04840b4f62a8ac70b4d45cb1a">68f6574c</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-19T21:46:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: update the fake fips mode expected message
The test ipatests/test_integration/test_fips.py is faking
FIPS mode and calls "openssl md5" to ensure the algo is
not available in the fake FIPS mode.
The error message has been updated with openssl-3.0.5-5.
In the past the command used to return:
$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:
And now it returns:
$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:
To be compatible with all versions, only check the common part:
Error setting digest
Mark the test as xfail since installation is currently not working.
Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c853cfde56fb56798424bd402012d78ed47647c0">c853cfde</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-19T21:46:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>cert utilities: MAC verification is incompatible with FIPS mode
The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfba6ebf9ab7b7d17e65f928c90ae63b31d9cae7">dfba6ebf</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-19T21:46:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>FIPS setup: fix typo filtering camellia encryption
The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.
Fix the typo (camelia vs camellia) in order to filter properly.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2904b15a94eebbb37ca6a289eccd6b95f063d7ca">2904b15a</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-19T21:46:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: bump krb5_kdb_version on rawhide
fedora 38 now uses krb5 1.20.1 which provides
krb5_kdb_version 9.0 instead of 8.0
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/304978924a09677805fd3b73614aad6a2de232a2">30497892</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2022-12-20T17:06:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: update the xfail annotation for test_number_of_zones
The test is failing on fedora 36+, update and simplify the
xfail condition.
Related: https://pagure.io/freeipa/issue/9135
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/782873a2277ca7defa5554d2b7859f1c14767d68">782873a2</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>azure tests: move to fedora 37
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fd21204559bd8fcac6a1b321adda163cd88aa149">fd212045</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: remove unneeded disable=unused-private-member
pylint fixed issue https://github.com/PyCQA/pylint/issues/4756
and we don't need anymore to disable this check.
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/51e0f751e9c3b5cade75360d24ba64c75ec926ba">51e0f751</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: remove useless suppression
The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/240b46db1451b8fed5f04244e9927b8fc03f10c0">240b46db</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable redefined-slots-in-subclass
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/081dd26376b8ff704a83e1c783d97c40951c43b3">081dd263</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable used-before-assignment
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/328fb642f6aba1a15040b7374a59cb6f7679f8f5">328fb642</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: replace deprecated distutils module
PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ac69ad4ba5ec644fbb1b2768237fd2412d7e3101">ac69ad4b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable modified-iterating-list
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/22f182ee9203be5e014d438f2a27b8721dd0c3ae">22f182ee</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: remove arguments-renamed warnings
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5434c12b6012f035528f0b137c1af5c1be113542">5434c12b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable using-constant-test
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3336236ff1133ae86a5c9e2caeb90db7169fa454">3336236f</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable unnecessary-dunder-call message
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b97c8caad267f97780d7ee8d940577c17ef1499">2b97c8ca</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: globally disable unnecessary-lambda-assignment message
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84c4792bdbf82108771d796ae317e2cb1f1d2100">84c4792b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable missing-timeout message
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/71496be75f6523b51f9316d3dcf7e0662d2cb606">71496be7</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix implicit-str-concat
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b9ea3fcbdb9ab07153873aeea7d3e1bd69e0d065">b9ea3fcb</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix duplicate-value
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/433599fdef1bf0608991d25ddbe6c891ae382ae0">433599fd</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix deprecated-class SafeConfigParser
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a95e11dbbff58804c5b85acaa4d70b72ce750ae0">a95e11db</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable invalid-sequence-index
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/07111438389fde4a74845f9f797656712335795f">07111438</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable unhashable-member
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4e998848f08b52760225c5bcb1afa9a6b2f6361b">4e998848</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: globally disable useless-object-inheritance
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d211b4f9f6950a2810496f30e57a421eeb31e85">3d211b4f</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix consider-iterating-dictionary
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/015e25a581353aaf628f9e2ea8306fda89842cd5">015e25a5</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable comparison-of-constants
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62e2d111fc3113aa5c9f22ae75068094403d1d39">62e2d111</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix comparison-of-constants
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/85037db2e1927c76fba963c6fde4ce17d2b95929">85037db2</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable deprecated-module message
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d673fdab6097ae783bd0075c0e990e42bc24f833">d673fdab</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Lint in single process mode
There are several known problems with multiprocess mode.
For example, https://github.com/PyCQA/pylint/issues/3232.
In other words the lint result depends on the number of jobs.
The most correct report is expected for single process.
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f9822697659f134146e1dcfce0c48e2279a8becb">f9822697</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: More allowed C extensions
Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/68ab438f5c2250d96733a0c1b47cbb3a1c518bed">68ab438f</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Replace deprecated extension-pkg-whitelist
`extension-pkg-whitelist` is deprecated in favour of
`extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c48c76e9d34bae09dc4eac1f3b33f7cb72355c25">c48c76e9</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix cyclic-import
Most of `cyclic-import` issues reported by Pylint are false-positive
and they are already handled in the code, but several ones are the
actual errors.
Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1261bbf0016d4824f908a589d4943513e98f8b01">1261bbf0</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Replace deprecated pipes
`pipes` module is deprecated as of Python 3.11.
https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The
pipes module is deprecated (see PEP 594 for details).
IPA code used only `quote` function from `pipes` that in turn is
the alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b12376560da944b0845b9ac0d424adaf5435670f">b1237656</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix used-before-assignment
> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/acc2daf25f5c12ef1d9a823de15df080ba42d059">acc2daf2</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix modified-iterating-list
https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:
> Emitted when items are added or removed to a list being iterated
through. Doing so can result in unexpected behaviour, that is why it is
preferred to use a copy of the list.
https://docs.python.org/3/tutorial/controlflow.html#for-statements:
> Code that modifies a collection while iterating over that same
collection can be tricky to get right. Instead, it is usually more
straight-forward to loop over a copy of the collection or to create a
new collection
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc8c8a7824565178333ef7ae8ac7934467424691">dc8c8a78</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix unnecessary-lambda-assignment
https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than
defining a standard function with the "def" keyword.
https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that
binds a lambda expression directly to an identifier:
def f(x): return 2*x
f = lambda x: 2*x
The first form means that the name of the resulting function object is
specifically ‘f’ instead of the generic ‘<lambda>’. This is more useful
for tracebacks and string representations in general. The use of the
assignment statement eliminates the sole benefit a lambda expression can
offer over an explicit def statement (i.e. that it can be embedded
inside a larger expression)
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bd7b5bf71c443daa3ac12ff194748845a84b08f0">bd7b5bf7</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix unhashable-member
https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't
define __hash__ method).
https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting
existing keys. Return None.
update() accepts either another dictionary object or an iterable of
key/value pairs (as tuples or other iterables of length two). If keyword
arguments are specified, the dictionary is then updated with those
key/value pairs: d.update(red=1, blue=2).
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bccd3c942084c753543d63b4d409ac46f819d314">bccd3c94</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Fix useless-object-inheritance
https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:
> Used when a class inherit from object, which under python3 is
implicit, hence can be safely removed from bases.
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2009889d763ccc26479c966931ca1b60378496fd">2009889d</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-10T10:11:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: Replace deprecated cgi module
https://docs.python.org/3/library/cgi.html#module-cgi:
> Deprecated since version 3.11, will be removed in version 3.13: The
cgi module is deprecated (see PEP 594 for details and alternatives).
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b5f2b0b1b213149b5bfe2653c9e40de98249dc73">b5f2b0b1</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-11T12:55:04+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: mark test_smb as xfail
Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.
Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/894dca12c120f0bfa705307a0609da47326b8fb2">894dca12</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-16T08:40:16+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>server install: remove error log about missing bkup file
The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install
In the last case, the client installer is called with
options.on_master=True
As a result, it's skipping the part that is creating the krb5
configuration:
if not options.on_master:
nolog = tuple()
configure_krb5_conf(...)
The configure_krb5_conf method is the place where the krb5.conf file is
backup'ed with the extention ".ipabkp". For a master installation, this
code is not called and the ipabkp file does not exist => delete raises
an error.
When delete fails because the file does not exist, no need to log an
error message.
Fixes: https://pagure.io/freeipa/issue/9306
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0fa95852c935c7b079f8ed966d4f194099217038">0fa95852</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-17T14:53:35+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Tests: force key type in ACME tests
PKI can issue ACME certs only when the key type is rsa.
With version 2.0.0, certbot defaults to ecdsa key type,
and this causes test failures.
For now, force rsa when requesting an ACME certificate.
This change can be reverted when PKI fixes the issue
on their side (https://github.com/dogtagpki/pki/issues/4273)
Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d1a35852fa53bcf3b88a8a80a2e86ef88a75795">7d1a3585</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-17T22:42:25+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Installer: create RID base before domain object
The installer is currently creating the samba domain object
before it adds the RID base and secondary RID base. As a consequence,
there is a window during which the sidgen plugin is active but
unable to generate SIDs (it requires the samba domain object to
find the domain SID and RID base to know where to start from).
There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
This fix configures the RID base and secondary RID base before the
domain object is created, thus removing this window.
Fixes: https://pagure.io/freeipa/issue/9309
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2520a7adff7a49ddcddaaf19f0e586425dc0d878">2520a7ad</a></strong>
<div>
<span> by Filip Dvorak </span> <i> at 2023-01-20T10:02:02+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa tests: Add LANG before kinit command to fix issue with locale settings
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/364116c25f68b6b21c0a64466bda09c70cf146ec">364116c2</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-01-24T14:54:37+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API doc: validate generated reference
Extend 'makeapi --validate' to validate API Reference files too. If
differences are found between the generated and stored docs the
validation fails. This command is executed in our Azure pipelines, so
every time a developer opens a PR but forgets to update the API
Reference, the CI will fail.
Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0e06786a44f8d12b08961fe0720a1b712e82c5cf">0e06786a</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-24T19:07:52+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: unify with RHEL9 spec
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a69d056176edd4ef0b1f4e59eb0548a483bc6e5">2a69d056</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-24T19:07:52+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: use %autosetup instead of %setup
This change fixes rpminspect issues reported when building
for RHEL, like the following one:
Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.
Waiver Authorization: Anyone
Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file. It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros. You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section). The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file. So Patch47
is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/97fc368df2db3b559a9def236d3c3e0a12bcdd0a">97fc368d</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-01-25T13:45:53-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>trust-add: handle missing msSFU30MaxGidNumber
When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.
msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.
To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.
Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/51b1c22d025bf40e9ef488bb0faf0c8dff303ccd">51b1c22d</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-01-27T13:00:22+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: Design for certificate pruning
This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1be3188e3168e7a097e44a97f86e29b7e42fcae6">1be3188e</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-01-31T11:21:34+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: healthcheck: Handle missing fips-mode-setup
freeipa-healthcheck prechecks existance of `fips-mode-setup` and
reports if it's missing:
> "fips": "missing /bin/fips-mode-setup"
Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fb22c8e5bf9432b4a7c2866d5d210c353985ea50">fb22c8e5</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-01T10:54:12+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec: Drop no longer used build dependency on paste
With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced
with `werkzeug`.
https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
github. Patches are accepted to keep it on life support, but for the
most part, please consider using other options.
Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ff31b0c40cc5e046f839b98b80bd16bb649205ac">ff31b0c4</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-01T17:47:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Add ipa_ca_name checking to DNS system records
freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.
Related: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6ca119686aadfa72c0474f72758b63cd671952d4">6ca11968</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-01T17:47:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck
freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.
Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d662b125985369181a3ebcbad82a4a43215282f6">d662b125</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-02T07:31:15+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Configure DNSResolver as platform agnostic resolver
Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver`
unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf`
or this file may not contain any configured name servers.
`TestDNSResolver` unit tests check only customized `nameservers`
property and should not depend on existence of `/etc/resolv.conf`.
Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is
configured in the normal fashion for the operating system the resolver
is running on. (I.e. by reading a /etc/resolv.conf file on POSIX
systems and from the registry on Windows systems.)
Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9246a8a003b2b0062e07c289cd7cde8fe902b16f">9246a8a0</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-02T13:42:57+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-acme-manage: add certificate/request pruning management
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.
This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.
Random Serial Numbers v3 must be enabled for this to work.
Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.
Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.
A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.
The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.
No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.
Fixes: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f10d1a0f84ed0f16ab4a1469f16ffadb3e79e59e">f10d1a0f</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-02T13:42:57+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: add the --run command for manual job execution
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.
Import the IPA CA chain for manual execution.
Also fix up some $ -> # to indicate root is needed.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2857bc69957bde7e59fff1c66c5a83c7f560616b">2857bc69</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-02-02T15:21:25+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>automember-rebuild: add a notice about high CPU usage
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.
Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a965a3a6304607eb5acbdfee45843ebe8746c67">1a965a3a</a></strong>
<div>
<span> by David Pascual </span> <i> at 2023-02-04T17:14:08+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix (prci_checker) duplicated check & error return code
Fix 1: timeout field was being checked twice and did not return fail code on error
Fix 2: Tool did not return error code on single file check unsuccessful run
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d24b69981d94fce7b1e1aa4a5c1ab88a123f96b5">d24b6998</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-05T10:31:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: add wrapper around ACME RSNv3 test
This test is located outside of the TestACMEPrune because
it enables RSNv3 while the server installed by TestACME doesn't.
It still needs a wrapper to enforce a version of PKI that
supports pruning because that is checked first in the tool.
Re-ordering that wouldn't be a good user experience.
https://pagure.io/freeipa/issue/9322
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a20acb6f833a22baad214a466848cb5833954532">a20acb6f</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-02-08T11:44:01+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API doc: add note about ipa show-mappings to usage guide
As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a786d3d584c8696df3b18858df1c429cba03721f">a786d3d5</a></strong>
<div>
<span> by Chris Kelley </span> <i> at 2023-02-09T14:52:33-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Check that CADogtagCertsConfigCheck can handle cert renewal
Renewal causes two certs to have the same nickname. Dogtag is
patched to allow for N certs with the same nickname, and this test
is to verify that CADogtagCertsConfigCheck still passes.
Related: https://github.com/dogtagpki/pki/pull/4285
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/649c35aa3b46e6d2f034d9afdc4c7ae1542630da">649c35aa</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-02-09T16:12:56-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>API doc: add usage guides for groups, HBAC and sudo rules
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/20ff7c16022793c707f6c2b8fb38a801870bc0e2">20ff7c16</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-09T21:46:16-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix setting values of 0 in ACME pruning
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4e0ad96fbd9f438c884eeeaa60c2fb0c910a2b61">4e0ad96f</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-09T21:48:55-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Wipe the ipa-ca DNS record when updating system records
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.
This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.
Fixes: https://pagure.io/freeipa/issue/9195
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0206369eec8530e96c66986c4ca501d8962193ce">0206369e</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-02-09T21:51:43-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: PAC consistency checker needs to handle child domains as well
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.
Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.
Fixes: https://pagure.io/freeipa/issue/9316
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a6cb905de74da38d62f9c3bd7957018924282521">a6cb905d</a></strong>
<div>
<span> by Anuja More </span> <i> at 2023-02-09T21:51:43-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add test for SSH with GSSAPI auth.
Added test for aduser with GSSAPI authentication.
Related : https://pagure.io/freeipa/issue/9316
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0f77b359e241fc4055fb8d785e18f96338451ebf">0f77b359</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2023-02-13T17:33:14-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: tests for certificate pruning
1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/450e78f5f3be3064d7ee1c6be5103dfae2ebaf87">450e78f5</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-17T18:13:44+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: webui: Allow file access from files in tests
https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
override for developers who need the old behavior for testing.
Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/425cad6f114c981bfe41a30c7ad626164ac29be4">425cad6f</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-17T18:13:44+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: webui: Load qunit only once
webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>> at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>> at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>> at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>> at <anonymous>:175:24
>> at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>> at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>> at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>> at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>> at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>> at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>> at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```
Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
dojo.require will simply return if the package is already loaded.
See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8fe8b262232ce65dddea8c92838200a1c5121f13">8fe8b262</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-17T18:13:44+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>AP: webui: List installed nodejs packages
It's helpful for debugging regressions.
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9b8e8edc22ade3027a5c3da487783f598e0732fd">9b8e8edc</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-02-17T18:13:44+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: webui: Update vendored qunit
Updated qunit to latest supported version from
https://code.jquery.com/qunit.
See https://qunitjs.com/intro/#release-channels for details.
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/41c32174b2b3cf71474ea74df32f1f763f4a2c5b">41c32174</a></strong>
<div>
<span> by David Pascual </span> <i> at 2023-02-20T08:12:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: Use case examples for PR-CI checker tool
This document showcases common usecases for the user to
interact with the PR-CI checker tool.
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/88b9be29036a3580a8bccd31986fc30faa9852df">88b9be29</a></strong>
<div>
<span> by mbhalodi </span> <i> at 2023-02-20T08:17:08+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage.
Ensure that the warning is properly displayed.
Related: https://pagure.io/freeipa/issue/9320
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a2132ccfd3cfb26f5da550a829b267ca0a4f6ae">2a2132cc</a></strong>
<div>
<span> by Anuja More </span> <i> at 2023-02-20T16:42:29+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>PRCI: update test_trust.py for nightly pipelines.
test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup
Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe13baa0acdb885dd981cbd8fdf6cee5e5ef22e3">fe13baa0</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-02-21T08:18:07+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: Update pruning design with implement enable/disable options
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.
So --enable=TRUE to --enable and --enable=FALSE to --disable
Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e7c642bafcead5ce344f3b129d916045b00d0c1e">e7c642ba</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2023-02-22T09:11:24+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix tests in TestACMEPrune
When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.
Second fix is related to mismatch of confing setting and corresponding
assert.
Third fix is related to extending time by 60 minutes to properly
expire the certs.
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cd07413cba37150b12d6b279510941aad49b5afb">cd07413c</a></strong>
<div>
<span> by mbhalodi </span> <i> at 2023-02-22T15:43:23+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: WebUI - ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage
in the WebUI. Ensure that the warning is properly displayed.
Related: https://pagure.io/freeipa/issue/9320
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0a8a3922487b8029c509635c85b533474008bb9d">0a8a3922</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-02-23T07:43:05+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: increase timeout for test_acme
The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.
Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).
Also create a separate job for the new test TestACMEPrune.
Fixes: https://pagure.io/freeipa/issue/9324
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a94f7bbf72c6f7a864f2e15b3fc9da1be52b1b58">a94f7bbf</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-02-27T12:09:25+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>copyright, watch: Filter prebuilt html documentation from the tarball.
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b0af80ed4bc626add73302d63b056ab64b273800">b0af80ed</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-02-27T12:09:42+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Dump journalctl on fail
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7dbd57586e279320695e96a2c3c80a744a9a9e88">7dbd5758</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-02-27T12:10:28+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>fix-ldap-so-path.diff: Specify the path to ldap.so again, and use multiarch path.
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ab6fd3005fffed647730b6d92e2017f8f889c5d">8ab6fd30</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-02-27T12:10:40+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Dump journalctl for select services
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8803938570dfb70586fa89d2d2d7aad4b0965305">88039385</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-03-01T04:58:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't block when kinit_pkinit() fails
Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.
`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.
Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6a4d34fba90ede0a9d600daa24a8d95190a42495">6a4d34fb</a></strong>
<div>
<span> by Carla Martinez </span> <i> at 2023-03-03T04:55:48+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update 'Auth indicators' doc string
The doc string located in the 'Authentication
indicators' ('Services' settings page) was
missing the usage explanation for the 'ipd'
checkbox option.
Fixes: https://pagure.io/freeipa/issue/9338
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b152e8c3aea9f2c3ade319934fd7c81cb5432407">b152e8c3</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-03-03T05:01:33+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>dns: Fix support for dnspython 1.1x
`nameservers` was transformed into the property in dnspython 2:
https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74
This causes
> AttributeError: type object 'Resolver' has no attribute 'nameservers'
on the previous dnspython 1.1x.
Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e3507563877f1d64567f24b7f2e33ade8c310f86">e3507563</a></strong>
<div>
<span> by Rafael Guterres Jeffman </span> <i> at 2023-03-03T05:04:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Migrated to SPDX license.
According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.
[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
Fixes: https://pagure.io/freeipa/issue/9342
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9323bafb645a377192efe17b489124a440c055c3">9323bafb</a></strong>
<div>
<span> by Thorsten Scherf </span> <i> at 2023-03-07T13:19:54+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>external-idp: change idp server name to reference name
When you run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server. Other files
are updated as well to reflect this change.
Additionally some typos are fixed with this patch too.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34d048ede0c439b3a53e02f8ace96ff91aa1609d">34d048ed</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-03-14T17:50:25+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: adapt for new automembership fixup behavior
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.
Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/983a6516f147ae95a512435cd05d237233d0b5fc">983a6516</a></strong>
<div>
<span> by Anuja More </span> <i> at 2023-03-15T09:34:33+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test ipa-advise is not failing with error.
The ipa-advise command should not fail
with error in command.
Related: https://pagure.io/freeipa/issue/6044
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e1f4f655a65777f5096e65b8e5c3e079f77f6ecc">e1f4f655</a></strong>
<div>
<span> by Erik Belko </span> <i> at 2023-03-15T18:30:08+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario
Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286
Also added some generally helpful functions to tasks.py
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b93f6b52a29659663fae65be51dafe350606eb6d">b93f6b52</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-03-22T13:59:40+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't fail if optional RPM macros file is missing
With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore like it happens now in Fedora.
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84f5f87b1f77267aa4c6c13fbc2496793d06a3c7">84f5f87b</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-03-22T13:59:40+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use system-wide chromium for webui tests
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aacaafce9d074342e383ad7007dee1b0e09d9b12">aacaafce</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-03-22T13:59:40+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix tox in Azure CI
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/051bbe36dce57837bd1769aa4a88569e39565774">051bbe36</a></strong>
<div>
<span> by Anuja More </span> <i> at 2023-03-23T09:08:06+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test that non admin user can search hbac rule.
Related : https://pagure.io/freeipa/issue/5130
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b1b7cbc08d96e125ce21113ba1793a592d0ba35a">b1b7cbc0</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-03-23T17:12:01+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaserver: deepcopy objectclasses list from IPA config
We need to deepcopy the list of default objectlasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affect the cached IPA config.
Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e07ead943abf070107a9669fc4564c9dc7518832">e07ead94</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-03-30T08:11:22+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by
Added in Python Cryptography 40.0
Thanks to @tiran for the code
Fixes: https://pagure.io/freeipa/issue/9355
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae014c6a3e17da7b0775be79a425d769a2717243">ae014c6a</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-03-30T14:57:57+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: increase timeout for test_trust
The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.
Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3eed25e92f951689658f6bbd178a5baca37442c6">3eed25e9</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-03-30T15:49:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: allow notes on Param API Reference pages
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/540262700d73b701b0fd5dd3b79e5b20f0fc84c3">54026270</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-03-30T16:16:42+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>fastlint: Correct concatenation of file lists
`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists was
linted/ stylechecked if both Python template files and Python
modules were changed.
Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments
Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/def07260da883b1d27330b308bd0337205bf53a8">def07260</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-04-05T09:27:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix test definition for test_trust
The nightly test test_trust.py has been split into 2 jobs,
one for test_trust.py::TestTrust (test_trust) and the other
for the remaining test classes from the same file
(test_trust_autoprivate).
The backport forgot to narrow down the first job definition
to the class test_trust.py::TestTrust in the 4-10_previous
pipeline. Fix this omission.
Related: https://pagure.io/freeipa/issue/9326
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6db9bbd85a837950d9244502507535c1f79ab64a">6db9bbd8</a></strong>
<div>
<span> by mbhalodi </span> <i> at 2023-04-05T09:40:25+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: add missing automember-cli tests
Revisit the bash tests and port the valid
tests to upstream.
Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/03180bedcf99075d98f206d271a31ae7ceddc50d">03180bed</a></strong>
<div>
<span> by Jarl Gullberg </span> <i> at 2023-04-05T09:50:08+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaplatform/debian: fix path to ldap.so
bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.
This fixes the default path to use the appropriate location in its
multiarch-qualified path.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b38ab1771944b51ddaeea972ea92a8e8ee5b92b">1b38ab17</a></strong>
<div>
<span> by Jarl Gullberg </span> <i> at 2023-04-05T09:52:52+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>install: Fix missing dyndb keytab directive
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.
This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e7506403a988b98cc3381d2d986b53aee48448cb">e7506403</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Ignore empty modification error in case cifs/.. principal already added
Constrained delegation target may already be configured by default.
Related: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/52e6da9056697e2210736d5528826ae424fec9b1">52e6da90</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>test_xmlrpc: adopt to automember plugin message changes in 389-ds
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7a7ba45c10a6da4f9e110f6cc57cfc47e0a16a16">7a7ba45c</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only
Confine search for S4U2Proxy access control lists to the subtree where
they created. This will allow to use a similar method to describe RBCD
access controls.
Related: https://pagure.io/freeipa/issue/5444
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18cd909b4ad854147008a1010c97c75640a54177">18cd909b</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: add design document for Kerberos constrained delegation
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.
Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.
This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b6ad0e65600a96bb4d6f3b1acf4e16773a03493">5b6ad0e6</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>IPA API changes to support RBCD
IPA API commands to manage RBCD access controls.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ac6adfaac30473b14b589a71fac42fe147bc0d9">7ac6adfa</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kdb: implement RBCD handling in KDB driver
Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.
The callback is supposed to take a client and a server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.
The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d68f4f08361760adab90ad4b44c6da2c4ea664d">7d68f4f0</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>RBCD: add basic test for RBCD handling
Add a test that uses IPA API to allow delegation of RBCD configuration
to a host and then use it to set up RBCD rule for a service.
Run RBCD check when the rule exists and when the rule is removed.
Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b63e6a257006e846ef5d0a008d9c3c0f935c09bb">b63e6a25</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc/designs/rbcd.md: add usage examples
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cb18ca31697320a58ae23a67afbfe7a0ff9a55a5">cb18ca31</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-04-06T08:53:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc/designs/rbcd.md: document use of S-1-18-* SIDs
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9c6b4f4445dbd1eefffbfff191063980a2f3a342">9c6b4f44</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-04-06T17:36:18+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Extend API documentation
This includes:
* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/304fd550613e83d120c72f0dad89f6a89d31231c">304fd550</a></strong>
<div>
<span> by mbhalodi </span> <i> at 2023-04-13T10:51:52+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test for sequence processing failures with server context
1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.
Related: https://pagure.io/freeipa/issue/9349
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e2b08433cf7cf74dea81b88953a4b8daa4c38614">e2b08433</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-04-17T15:17:00-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: mark known failures for autoprivategroup
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d63756eb08759740fe8b03f48d0a240f9935e6aa">d63756eb</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-04-18T12:12:47+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Speed up installer by restarting DS after DNA plugin
DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.
DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.
Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3b64eaa153d89920cbb0be87e5c2b512c4bf2008">3b64eaa1</a></strong>
<div>
<span> by Todd Zullinger </span> <i> at 2023-04-18T15:24:43+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec: verify upstream source signature
Per the Fedora packaging guidelines¹.
The GPG key was generated using details found on the wiki². The
following commands can be used to fetch the signing key via fingerprint
and extract it:
fpr=0E63D716D76AC080A4A33513F40800B6298EB963
gpg --keyserver keys.openpgp.org --receive-keys $fpr
gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/90d0f04987b5477efa64d64416d89890e6bcda75">90d0f049</a></strong>
<div>
<span> by Todd Zullinger </span> <i> at 2023-04-18T15:24:43+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec: silence krb5 pkgconf errors in %krb5_base_version
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:
Package krb5 was not found in the pkg-config search path.
Perhaps you should add the directory containing `krb5.pc'
to the PKG_CONFIG_PATH environment variable
Package 'krb5', required by 'virtual:world', not found
`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build. It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1f10aebcc5b3568a9992111e377c5caecc1e035f">1f10aebc</a></strong>
<div>
<span> by Michal Polovka </span> <i> at 2023-04-20T12:57:32+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatest: loginscreen: do not use hardcoded password
Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.
https://pagure.io/freeipa/issue/9226
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e2576670e692117c11987118abd5e9381bb90b1f">e2576670</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-04-27T11:17:47-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Enforce sizelimit in cert-find
The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.
A value of 0 will retain old behavior and return all certificates.
The default value is the LDAP searchsizelimit.
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/50dd79d1a35549034bc281fbdffea4399baed3c7">50dd79d1</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-04-27T11:17:47-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use the OpenSSL certificate parser in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136
The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.
It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.
Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.
pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
CLI times from before and after:
original:
-------------------------------
Number of entries returned 5011
-------------------------------
real 0m21.155s
user 0m0.835s
sys 0m0.159s
using OpenSSL:
real 0m5.747s
user 0m0.864s
sys 0m0.148s
OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests. See ipaserver/wsgi.py for the gory details.
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bdb77a3d810837e3e349ce6b5625662be281f2cd">bdb77a3d</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-04-28T09:51:56+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Drop duplicate includedir from krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Add also a dependency on sssd-krb5 for freeipa-client.
https://pagure.io/freeipa/issue/9267
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/918b6e011795ba4854d178d18c86ad54f3cf75ab">918b6e01</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-04-29T13:49:09+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>cert_find: fix call with --all
When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d787c2107ca10de15602afc757fc9b24fdd89bf">3d787c21</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2023-04-29T13:50:44+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipasphinx: Correct import of progress_message for Sphinx 6.1.0+
Pylint reports false-negative result for Sphinx 6.1.0+:
```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```
Actually `sphinx.util.progress_message` is still available in Sphinx 6.1
but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis
Related change:
https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab
Fixes: https://pagure.io/freeipa/issue/9361
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8a7c068300a80f14b4b2fa4d63b0512768d326ad">8a7c0683</a></strong>
<div>
<span> by Rafael Guterres Jeffman </span> <i> at 2023-04-29T13:52:12+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix "no entry" condition when searching PAC info
Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.
Fixes: https://pagure.io/freeipa/issue/9368
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/76c788274a2ee3993ee36d12d91e22200817dfc9">76c78827</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2023-04-29T13:55:57+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: ipa-adtrust-install command test scenarios
This patch includes additional testcase that can be run
against ipa-adtrust-install CLI tool.
test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1c43d914d9a365097a80c5c2278017b91c619266">1c43d914</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-05-04T10:52:40+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Change doc theme to 'book'
RTD theam is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/717228c908816c72b98cee86abfe7c22cb07c44e">717228c9</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-04T14:31:59+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Nightly test: add +15min for test_ipahealthcheck
The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.
Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/846c267f58ecfa4fc1a1a3be91c404e58074b1b3">846c267f</a></strong>
<div>
<span> by mbhalodi </span> <i> at 2023-05-04T16:12:25+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: add remove automember condition tests
Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d95c4cf137574ffa79a191cbe5f6d0687b53cdc1">d95c4cf1</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-04T18:18:26+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec file: force nodejs < 20 on fedora < 39
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.
Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.
Fixes: https://pagure.io/freeipa/issue/9374
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/16a81062ba1c92773eb6206d68af6a2b3ba1d54d">16a81062</a></strong>
<div>
<span> by s1341 </span> <i> at 2023-05-04T21:30:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaplatform: add initial nixos support
Fixes: https://pagure.io/freeipa/issue/9299
Signed-off-by: Shmarya Rubenstein <github@shmarya.net>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3a9a5bdae7cb3dee65ba74b00169badb72fe6dda">3a9a5bda</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-08T13:55:15-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>idview: improve performance of idview-show
The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the ad user aduser@ad.test.
The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.
Fixes: https://pagure.io/freeipa/issue/9372
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/12d1aafe60de457815adb822bbef466926626d6f">12d1aafe</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-11T13:47:46+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Tests: test on f37 and f38
Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bc39443211e998d7088571f0ef70233b6e456e1d">bc394432</a></strong>
<div>
<span> by Michal Polovka </span> <i> at 2023-05-16T17:32:14+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: commands: Wait for the SSSD to become available
Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.
Fixes: https://pagure.io/freeipa/issue/9377
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/627c1101a08a281d07cd930193232e434a0cd9a0">627c1101</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-16T14:37:21-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/81a6b9ad2d42fecdd94e17fa7c888bbdea2daf3c">81a6b9ad</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-05-16T16:23:47-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Return the <Message> value cert-find failures from the CA
If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.
The new message will appear as:
$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)
vs the old generic message:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)
This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.
https://pagure.io/freeipa/issue/9369
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/edcdcf83452dce837c1522c353c4a80c967ea57b">edcdcf83</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2023-05-22T08:02:30+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: wait for sssd-kcm to settle after date change
In order to expire the ACME cert, system is moved and while
issuing the kinit command, results into failure.
Hence run kinit command repeatedly untill things get settle.
This patch removes the sleep and adds tasks.run_repeatedly()
method instead.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7830ab96cc295e4151ad3d86cbbaf400a7ab2016">7830ab96</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-23T20:59:03+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>user or group name: explain the supported format
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $
The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.
Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58173c021388dd31b4501d1c7bc1e6747cea8bb8">58173c02</a></strong>
<div>
<span> by Jerry James </span> <i> at 2023-05-24T14:08:45-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Change fontawesome-fonts requires to match fontawesome 4.x
fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.
This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.
Signed-off-by: Jerry James <loganjerry@gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/abe71fe145a3d16257043ccfbb43002607458cee">abe71fe1</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-05-24T17:57:22-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Mention in ipa-client-install that nscd is disabled
Also warn that similar services may also need to be disabled.
An example is an nscd replacement named unscd.
Fixes: https://pagure.io/freeipa/issue/9086
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a6f485fcade619980f6538edadf115dca69e1314">a6f485fc</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-05-25T08:32:59+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ACME tests: fix issue_and_expire_acme_cert method
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.
Fixes: https://pagure.io/freeipa/issue/9383
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/630cda5c06428825dd5604493621b9cbdab70073">630cda5c</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2023-06-01T08:01:00+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kdb: Use krb5_pac_full_sign_compat() when available
In November 2022, Microsoft introduced a new PAC signature type called
"extended KDC signature" (or "full PAC checksum"). This new PAC
signature will be required by default by Active Directory in July 2023
for S4U requests, and opt-out will no longer be possible after October
2023.
Support for this new signature type was added to MIT krb5, but it relies
on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
the code generating extended KDC signatures cannot be backported as it
is without backporting the full new KDB API code too. This would have
too much impact to be done.
As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
8 will include a downstream-only update adding the
krb5_pac_full_sign_compat() function, which can be used in combination
with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bbe545ff9feb972e549c743025e4a26b14ef8f89">bbe545ff</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2023-06-01T08:01:00+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Tolerate absence of PAC ticket signature depending of server capabilities
Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.
However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.
This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.
On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
absence of PAC ticket signatures, if necessary.
This commit adds an extra step during the installation and update
processes where it adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA what built with was 1.20 or newer.
This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at the KDC starting time by search the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least of them is missing, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.
For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.
Given the fact the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC starting time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires to restart all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.
Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ea3b86696f5451f1d227d365018ab7dc53024af">7ea3b866</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2023-06-01T08:01:00+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Filter out constrained delegation ACL from KDB entry
Commit f78dc0b163 was missing an exception for the constrained
delegation ACL TL data type during the principal entry update operation.
This ACL is not meant to be stored as encoded data in krbExtraData.
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d0decd9efc4883328e95f9ff89002aec32462ec">3d0decd9</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
>From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------
Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/803a44777f901217d634f8fd7feed8b66ece352a">803a4477</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: protect against context corruption
Early in startup LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for time
being we should prevent a crash.
Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.
Do not call any free() call because the whole context is corrupted as
tests do show.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fefa0248296413b6ee5ad2543d8feb1b31840aee">fefa0248</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: postpone ticket checksum configuration
Postpone ticket checksum configuration after KDB module was initialized.
This, in practice, should now happen when a master key is retrieved.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bd8fcd6f5bc62a4bfc544b69c0d960291be05d37">bd8fcd6f</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: process out of realm server lookup during S4U
Kerberos principal aliases lookup had a long-standing TODO item to
support server referrals for host-based aliases. This commit implements
server referrals for hosts belonging to trusted domains. The use-case is
a part of S4U processing in a two-way trust when an IPA service requests
a ticket to a host in a trusted domain (e.g. service on AD DC). In such
situation, the server principal in TGS request will be a normal principal
in our domain and KDC needs to respond with a server referral. This
referral can be issued by a KDB driver or by the KDC itself, using
'domain_realms' section of krb5.conf. Since KDB knows all suffixes
associated with the trusted domains, implement the logic there.
Fixes: https://pagure.io/freeipa/issue/9164
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b55e9b1cb4f192635878b0b7242104d58a37d2b">1b55e9b1</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: skip verification of PAC full checksum
MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.
This should have no functional difference.
Related: https://pagure.io/freeipa/issue/9371
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/11ce2b2133364916de06f4c42d8a19ce438bd41c">11ce2b21</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-01T15:48:45+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/x509.py: Add signature_algorithm_parameters
Python-cryptography 41.0.0 new abstract method.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/325a13196b32c627854c8d7594e23b58167499f0">325a1319</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-06-02T10:00:57+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3
Only three remaining scripts used this form, two of which are
for developers only and not shipped.
The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.
Fixes: https://pagure.io/freeipa/issue/8941
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f2b821abca72e0d444c96598799c4947e2173d3f">f2b821ab</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-06-02T16:01:41-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: be compatible with krb5 1.19 when checking for server referral
Related: https://pagure.io/freeipa/issue/9164
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58017abeb88b2f2c8ee2e4f5a6ed808d28c672a4">58017abe</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-06-02T18:30:08-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't allow a group to be converted to POSIX and external
This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.
Fixes: https://pagure.io/freeipa/issue/8990
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/283f5463f091ac9fcc733092fc6becff586ae97f">283f5463</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-06-05T14:00:17+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatest: remove xfail from test_smb
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.
Remove the xfail.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e3797ca2e03097a36bd3795fc1687a2ed4922e59">e3797ca2</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-06-06T09:40:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update translations to FreeIPA ipa-4-10 state
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/03b92fb42f173e9ba26d6d19f0d6f35f6c5f38b2">03b92fb4</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-06-06T09:43:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2fd9cbbe4492ec5dec06c36ce315c43120ef5fca">2fd9cbbe</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-06-06T10:01:01+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Become IPA 4.10.2
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1099db0fdb30a1902633fe8d62748d8f9bd92351">1099db0f</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-06-07T14:46:19+03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Merge branch 'upstream'
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f52e2b0a2c8c095c463ad5abee92b13c1ead0cc5">f52e2b0a</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-06-07T14:46:39+03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>version bump
</pre>
</li>
<li>
<strong style="font-weight: bold;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78ec530871875bf4a94c49df01a4a1e145fc006f">78ec5308</a></strong>
<div>
<span> by Timo Aaltonen </span> <i> at 2023-06-07T14:49:16+03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 0.875rem; color: #333238; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>drop upstreamed patches
</pre>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
30 changed files:
</h4>
<ul>
<li class="file-stats">
<a href="#8a8f67e18c8ed61c36e2901c12e37c094f6cd519">
.wheelconstraints.in
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#24d08149069d49a01ad6ec82eec3333757be12bf">
client/man/ipa-client-install.1
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#f7975a30b3715fc8b1d73399eb0b5de9a9cc1307">
contrib/lite-server.py
</a>
</li>
<li class="file-stats">
<a href="#51b512354cbd125ffc4cca6407e9540fe8c3a13d">
contrib/lite-setup.py
</a>
</li>
<li class="file-stats">
<a href="#2cdd2739f856d7dc0c06f9f717555b6ac7fc08c8">
daemons/dnssec/ipa-dnskeysyncd.in
</a>
</li>
<li class="file-stats">
<a href="#c353f68be99056278f9117d02e4294a759188b14">
daemons/ipa-kdb/ipa_kdb.c
</a>
</li>
<li class="file-stats">
<a href="#4776aa1d1d01bef820f34e6c2aa41644aa3f18df">
daemons/ipa-kdb/ipa_kdb.h
</a>
</li>
<li class="file-stats">
<a href="#e6e81c333807018770e0077a10a9030e631871fb">
daemons/ipa-kdb/ipa_kdb_common.c
</a>
</li>
<li class="file-stats">
<a href="#0c848c43b4c9e603873356f62e631332101ecf3d">
daemons/ipa-kdb/ipa_kdb_delegation.c
</a>
</li>
<li class="file-stats">
<a href="#802b9419e8b735ec9553dc46fca0f6d2cc715aec">
daemons/ipa-kdb/ipa_kdb_mspac.c
</a>
</li>
<li class="file-stats">
<a href="#54e1f32627b3e8736ca5623c351bf93b56b7be48">
daemons/ipa-kdb/ipa_kdb_mspac_v6.c
</a>
</li>
<li class="file-stats">
<a href="#5cd6be5f06d1be10ed72f46efdd12433a8fda6c0">
daemons/ipa-kdb/ipa_kdb_principals.c
</a>
</li>
<li class="file-stats">
<a href="#0d8bf0a88d58744c9656450ce1a66044a8ecb24a">
daemons/ipa-otpd/ipa-otpd@.service.in
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#adb7f75f79e3bb85eb62912a2904c5d24af878fb">
debian/copyright
</a>
</li>
<li class="file-stats">
<a href="#58345e6f9c56b97424afbe78e11bd9297a4da7bc">
<span class="deleted-file">
−
debian/patches/install-fix-missing-dyndb-keytab-directive.diff
</span>
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#a059dddf69964f833fbfae5ea87cda208f0df89b">
debian/tests/server-install
</a>
</li>
<li class="file-stats">
<a href="#68ef9f98c01c7eecd4c605cc26048a06f3304b79">
debian/watch
</a>
</li>
<li class="file-stats">
<a href="#91da2300b6fdf5f2d3281e6f2759300efa5f4faa">
doc/api/A6Record.md
</a>
</li>
<li class="file-stats">
<a href="#6db7a078803aab7b4ee01f23efcd3e552e613f1d">
doc/api/AAAARecord.md
</a>
</li>
<li class="file-stats">
<a href="#1fc71cdcab40ec5d7b10b84ebec88065b5ceeba5">
doc/api/AFSDBRecord.md
</a>
</li>
<li class="file-stats">
<a href="#19496a260c06827dbfc16f16a9a9105a9703e66c">
doc/api/APLRecord.md
</a>
</li>
<li class="file-stats">
<a href="#904a4eefc86aa3c29622263403e05cdc1232ef9d">
doc/api/ARecord.md
</a>
</li>
</ul>
<h5 style="margin-top: 10px; margin-bottom: 10px; font-size: 0.875rem;">
The diff was not included because it is too large.
</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #737278;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/2da091cd0e848d5d533ff85334ed1976014b28c1...78ec530871875bf4a94c49df01a4a1e145fc006f">View it on GitLab</a>.
<br>
You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://salsa.debian.org">salsa.debian.org</a>. <a href="https://salsa.debian.org/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link">Manage all notifications</a> · <a href="https://salsa.debian.org/help" target="_blank" rel="noopener noreferrer" class="help-link">Help</a>
</p>
</div>
</body>
</html>