<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<h3 style="margin-top: 20px; margin-bottom: 10px;">
Timo Aaltonen pushed to branch upstream at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Commits:
</h4>
<ul>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1251c15faef9800f3ef48105afe8df4f5c361dd0">1251c15f</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-08-21T16:39:16+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Bump to IPA 4.12
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8d081ce8942b15d926525f66a049ef2c383cfc8f">8d081ce8</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2023-08-23T13:10:02-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: accommodate DST in ACME cert expiry
There is one hour time difference between expiry of ACME cert if
the certificate is issued while daylight saving is start and
expires after DST ends. For 2023 daylight saving time start at
Sunday 12 March and ends at Sunday 5 November. Every certificate
which is expiring after November 5th will have 1 hour difference in
expiry.
Fix is to use 90days+2hours to expire the cert.
Fixes: https://pagure.io/freeipa/issue/9428
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ed52142c400576820cca7486b28f6db62abde78a">ed52142c</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-08-28T10:21:48-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use the PKI REST API wherever possible instead of XML
The XML API is already deprecated and will be removed in some
future release.
All but the updateCRL API has an equivalent in REST. The upstream
dogtag project documents most of the API at
https://github.com/dogtagpki/pki/wiki/REST-API . I say most
because not every API includes sample input/output. The
pki ca-cert command is a good substitute for seeing how the API
is used by their own tooling.
This changes no pre-existing conventions. All serial numbers are
converted to decimal prior to transmission and are treated as
strings to avoid previous limitations with sizing (which would
have been exacerbated by random serial numbers).
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/317e7061d0f68e6fed671c0fe56cf4db61f3e2d9">317e7061</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-08-28T10:21:48-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Adjust test to handle revocation reason REMOVE_FROM_CRL
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certifiate as revoked.
This is complicated within RFC 5280 but the jist is that
it only affects a certificate on hold and only for delta
CRLs.
So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0654fb3737febf3d9836cdd2a98352c34c447a6f">0654fb37</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-08-30T09:13:23-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>idp: add the ipaidpuser objectclass when needed
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.
Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8f25b2a74a587548976f3d29f0b69d566d70125d">8f25b2a7</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-08-30T09:18:17-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
Related: https://pagure.io/freeipa/issue/9272
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/45fa43540f6a436c94f0484cec6e252e99d06fa7">45fa4354</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-09-01T13:13:02-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Configure affinity during server installation
Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.
When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:
- existing server value in /etc/ipa/default.conf
- the chosen CA host if the server doesn't provide one
- the chosen KRA host if the server doesn't provide one
This is more or less heirarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.
In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.
For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.
Fixes: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/953c7cc0762c4b50e9fb30701be663e1da40607d">953c7cc0</a></strong>
<div>
<span> by Viktor Ashirov </span> <i> at 2023-09-01T13:16:15-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>BDB tuning should be applied only when BDB backend is used
389DS supports BDB and LMDB backends. FreeIPA installation fails with
LMDB backend since it tries to apply tuning for BDB backend.
Instead, tuning for BDB should be applied only when 389DS uses BDB
backend.
Fixes: https://pagure.io/freeipa/issue/9435
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2bc247d8310596c96e13236d9393f0c2e725f091">2bc247d8</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-09-11T09:12:51+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: rename 'ipatuura' directory to 'scim' in bridge tests
A recent commit [1] in ipa-tuura project renamed the 'ipatuura' django app
to 'scim'. Change it in IPA side as well to fix tests.
[1]: https://github.com/freeipa/ipa-tuura/commit/f12592cea496818af782f953e0e9643c9ea440b5
Fixes: https://pagure.io/freeipa/issue/9447
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d355761f23fae412bb01a1d737cee342c7bd04f9">d355761f</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-09-11T09:24:31+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-client-install: enable SELinux for SSSD
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.
Fixes: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f123b01d81696c52e9a4008d46e549864e4a8069">f123b01d</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-09-11T09:51:51+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>updates: add ACIs for RBCD self-management
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6aa3c3b6284967bd7d4d27afd9f82d3f7f679428">6aa3c3b6</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-09-12T14:32:00-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Restore selinux states if they exist at uninstall time
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dade02d5bb575764e700b78686fa8a03cc0fe3c4">dade02d5</a></strong>
<div>
<span> by Alexandra Nikandrova </span> <i> at 2023-09-12T21:41:57+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: typo in basic_usage.md
Reviewed-By: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f248b22ef4d98293224b49576f5e6a1b8d672d76">f248b22e</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-09-14T07:59:44+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't assume KRB5CCNAME is in the environment in replica install
The replica install was unilaterally removing KRB5CCNAME from
os.environ in some cases. Instead check first to see if it is
present and only remove in that case.
Fixes: https://pagure.io/freeipa/issue/9446
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32721c4132c9836c95c83d000614550bb43d4665">32721c41</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-09-18T17:36:40+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ddf7711f32e176c75582f39ed73e9bcd9991d5b">7ddf7711</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-09-18T17:46:24+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use find_spec() in meta importer
The `find_module()` method of meta importers has been deprecated for a
long time. Python 3.12 no longer falls back to `find_module()`.
See: https://docs.python.org/3.12/whatsnew/3.12.html#removed
Related: https://pagure.io/freeipa/issue/9437
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/496e3ace8537cc86d4faae30204105e3c1863cfd">496e3ace</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2023-09-18T17:51:30+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: restart ipa services after moving date
When system date is moved into future, it have unprecedented
behavior i.e CA becomes irresponsive or unexpected certificcate
state. Hence restart the ipa service after moving the date to
gracefully serve the request.
Fixes: https://pagure.io/freeipa/issue/9379
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4af05dde4819c6dd9926baacb4f642e7d1c5bde9">4af05dde</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2023-09-26T11:30:33+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Workshop: fix broken Sphinx cross-references.
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.
This commit introduces explicit targets and references to ensure that
the pages are correctly linked.
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8b70ee1ea8bfa84a35448148431ce54c1ac81bef">8b70ee1e</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-09-29T12:05:48+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Covscan issues: deadcode and Use after free
Covscan detected an unused value in ipa_kdb_principals.c
and a use-after-free in ipa-print-pac.c.
Fixes: https://pagure.io/freeipa/issue/9431
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6aebfe74fbcb970d5052ac7eedd310bd3cf5a277">6aebfe74</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-09-29T12:57:06+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add context manager to ipalib.API
`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.
```python
import ipalib
with ipalib.api as api:
api.Commands.ping()
```
See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a2cd7f408a274759584ddadd358360d39b3c4fa">1a2cd7f4</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-09-29T15:06:33-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use datetime.timezone.utc instead of newer datetime.UTC alias
datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC
datetime.timezone.utc was present since Python 3.2.
Since RHEL 9 is using Python 3.9, use more compatible variant.
Fixes: https://pagure.io/freeipa/issue/9454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/843f4a74580178da08e0f5621a0ae34faf632564">843f4a74</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-10-03T14:56:42+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe223cde95a2a4230782ee342a313faea561ce53">fe223cde</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-10-03T14:57:20+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/48cfe6848ccfd55d945531fbd2b34221e153adee">48cfe684</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-10-04T08:37:28-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Increase memory usage for Azure CI upgrade test
The test often fails when running in parallel to other tests as very
little memory is left. 389-ds memory autotuning causes database backend
to refuse working in such cases. 389-ds team suggested more memory has
to be made available.
Increate RAM for this test to 2.5GB instead of 2.2GB.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b22605ee54ec82b9a4b6a435be06fe8b39f2fe23">b22605ee</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-10-04T08:37:28-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Azure CI: increase memory for forced reenrollment test
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f9075f9f77ec2c8b595210a5de478f8650943733">f9075f9f</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-04T09:15:29-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.
Fixes: https://pagure.io/freeipa/issue/9459
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e459e5b8bc81c4bb3b39dc51a50f388a8c8dd34d">e459e5b8</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-04T09:17:52-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.
The test must be compatible with old and new versions.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/430054db4102c6bde873414fc2f25e650baaebb6">430054db</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-04T09:20:44-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.
Fixes: https://pagure.io/freeipa/issue/9415
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fe005dd3880baff72bda2c2857f9445d3b129b87">fe005dd3</a></strong>
<div>
<span> by Viktor Ashirov </span> <i> at 2023-10-05T07:38:05+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>WebUI: update favicon.ico
I noticed that FreeIPA favicon is a bit squished. I would like to unsquish it.
And resize it to 32x32 pixels as it would look a bit better on HiDPI screens.
Fixes: https://pagure.io/freeipa/issue/9449
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62454574a1504354935e69e3769fb1b2451d72b9">62454574</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-10-16T13:23:20-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Allow password policy minlength to be removed like other values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.
So if there are no libpwquality options used then it's fine to
have no minlength in the policy.
Fixes: https://pagure.io/freeipa/issue/9297
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b6af3a43c7bf7ef632c60cfd633b9cb98b31dcd8">b6af3a43</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-16T14:46:45-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.
Use a simpler method that replaces the timezone info with UTC in the
datetime object.
Fixes: https://pagure.io/freeipa/issue/9462
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8a923033bf764b744496199d8f86ff7a7fe183e">a8a92303</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-10-19T07:40:47+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-client: correct directory location by using constants instead
If something in the client sysrestore.state wasn't removed by
the installer a warning message was printed with an incorrect
location. Fix this by using constants instead.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5270d58a049560458be62e1c6a17bbc8163926d5">5270d58a</a></strong>
<div>
<span> by Endi Sukma Dewata </span> <i> at 2023-10-19T07:42:28+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Enable LWCA monitor explicitly
Currently LWCA is only supported in IPA since the key
replication depends on Custodia, so LWCA is not actually
supported in regular PKI installation. However, currently
the AuthorityMonitor is enabled by default and it executes
a persistent search to monitor LWCA replication so it is
wasting resources in non-IPA environment.
To reduce unnecessary resource consumption the LWCA monitor
will be disabled by default in PKI, so IPA will need to
enable it explicitly for new and existing installations.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44349cfa76a860314292120b00fe3814a6fed892">44349cfa</a></strong>
<div>
<span> by Endi Sukma Dewata </span> <i> at 2023-10-19T07:44:27+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove unused hierarchy.select
The hierarchy.select param has been removed in PKI 11.5 so
it doesn't need to be updated in renew_ca_cert.in.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1202d0149bbf82c2183896c86764d818e8b2f02c">1202d014</a></strong>
<div>
<span> by Endi Sukma Dewata </span> <i> at 2023-10-19T07:44:27+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Replace subsystem.select with CAInstance.is_crlgen_enabled()
The subsystem.select is not a reliable indicator to determine
whether the CA is a renewal master since there is no process in
PKI to update the param when the role of the instance changes
(from master to clone and vice versa) so the param has been
removed in PKI 11.5.
Instead, it's better to use CAInstance.is_crlgen_enabled() since
CRL generation is only enabled in a renewal master.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9d49f403c2f23e13991d1cd5f109f4f0e056d96f">9d49f403</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2023-10-19T12:27:01+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode
2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.
ie. postconf -e smtpd_tls_fingerprint_digest=sha256
KCS: https://access.redhat.com/solutions/6958957
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d50624dce932d02ea03a00d3ac2ec1be69e8d3b6">d50624dc</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-19T13:57:40-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>group-add-member fails with an external member
The command ipa group-add-member --external aduser@addomain.test
fails with an internal error when used with samba 4.19.
The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).
IPA source code needs to handle properly both exception types.
Fixes: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ed6fa6029d863aed1522b449d3360e6c4028e066">ed6fa602</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-10-23T13:35:01+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.
Related: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/56a2bc5775ae104c27353d8fac4abafcc58324bf">56a2bc57</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-11-02T14:47:50+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>The PKI JSON API the revocation reason key may be case-sensitive
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
Use Reason instead of reason as the keyword for revocations
for PKI 11.4.0+
Related: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/caccd6c693fe86e09a84f7fe7263a08d34a22d7e">caccd6c6</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-11-02T14:47:50+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>WIP: Get the PKI version from the remote to determine the argument
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/07e5637269e470f5c2fd24ec62949af81c66bee5">07e56372</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-11-13T16:39:52-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix expected output for ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).
Fixes: https://pagure.io/freeipa/issue/9460
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c63fe925fb3173f5845664627499f3f0f0cadcec">c63fe925</a></strong>
<div>
<span> by Jeremy Frasier </span> <i> at 2023-11-16T15:06:26-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fixes: Python SyntaxWarnings about invalid escape sequences
Otherwise we get some SyntaxWarnings about invalid escape sequences
such as '\d' and '\{', e.g.:
/usr/sbin/ipa-replica-manage:393: SyntaxWarning: invalid escape sequence '\{'
data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
/usr/sbin/ipa-replica-manage:721: SyntaxWarning: invalid escape sequence '\d'
(re.sub(':\d+', '', x), y)
/usr/sbin/ipa-replica-manage:726: SyntaxWarning: invalid escape sequence '\d'
(re.sub(':\d+', '', x), y)
Fixes: https://pagure.io/freeipa/issue/9483
Signed-off-by: Jeremy Frasier <jeremy.frasier@gwe.cisa.dhs.gov>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d659d21b432cde9fb3a6e1fe4ba65014587a127f">d659d21b</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-11-16T15:51:03-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.
Add an exclude for this specific key so tests will pass again.
We may eventually want a more sophisiticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.
Fixes: https://pagure.io/freeipa/issue/9400
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f00b52ce6dbc1a4008974e118f252d90e26301a1">f00b52ce</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-11-16T15:51:03-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.
Fixes: https://pagure.io/freeipa/issue/9482
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d97d62dead0a7b75929dec89ab072b87a0d889dd">d97d62de</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-11-17T11:56:19-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>docs: Mention that Keycloak requires openid scope
See: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/519685823bd4173e9fc5d9307602c0917e7ecdfb">51968582</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2023-11-20T14:44:56+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5e17c134aa67abbcee788f4ab4ea0b7f694aed5a">5e17c134</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-11-27T18:15:44+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove ipaserver.custodia.__init__.py
Use native Python namespaces instead.
Related: https://pagure.io/freeipa/issue/9467
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60fe752da468e84a642af51090b27468446606f7">60fe752d</a></strong>
<div>
<span> by Rafael Guterres Jeffman </span> <i> at 2023-11-27T18:17:34+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaserver/dcerpc: avoid logging stack trace in retrieve_anonymously
If an error occured when searching foc a DC a stack trace was logged,
and execution was aborted.
This patch allows execution to continue and log the error message that
caused the 'finddc' do fail.
Fixes: https://pagure.io/freeipa/issue/9484
Related: https://issues.redhat.com/browse/RHEL-12149
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6bc9e9d06ec33a1fbeb8d06a2ce30d0ca2e555d3">6bc9e9d0</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-11-28T17:02:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove upgrade test from Azure CI
It is already running in PR CI for all kinds of targets:
ipatests/prci_definitions/gating.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_389ds.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_pki.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_selinux.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_previous.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_rawhide.yaml: test_suite: test_integration/test_upgrade.py
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ee2d7d359a80876ae536f3427caaae20d03af17">7ee2d7d3</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-11-28T17:02:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc/designs: add description of identity mapping in IPA
Fixes: https://pagure.io/freeipa/issue/9477
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5c8614157d5546033528f92700f5abfebd4e5838">5c861415</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-11-28T17:09:32+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 3656 - Extend schema function to return MAY or MUST attrs
Add new paramters to get_allowed_attributes() to return just MAY or MUST
attributes
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5deeee31c0ebbbf15642a928d9c30e42150bbfc2">5deeee31</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2023-12-01T09:46:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add 'cache_dir' option to api.env
`api.env` now has a `cache_dir` option, which defaults to
`os.path.join(USER_CACHE_PATH, 'ipa')`. Schema cache, server info, and
KRA key cache use `api.env.cache_dir` as base directory. The option
allows application to set a custom cache directory.
Related: https://pagure.io/freeipa/issue/9438
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1513934
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5028b391f16a9dcb275037a430a6e3c6f3eed872">5028b391</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-04T15:58:07+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Integration tests: disable test_sso
Changes in ipa-tuura project are breaking the test
(removal of a script required for test preparation).
Disable the test until a solution is found in ipa-tuura.
Related: https://pagure.io/freeipa/issue/9476
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d61d1b059c8d760b37c7aae9ea47cb06674c76cd">d61d1b05</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-11T09:49:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.
The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
--external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.
Handle both cases properly.
Fixes: https://pagure.io/freeipa/issue/9490
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/53951ca860db1564666b2eb6886389ff0f85e46c">53951ca8</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-11T09:52:05+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>test_external_idp: update code for selenium 4.10
The integration test is using selenium web driver to simulate a
user authentication with an external IdP. The user performs kinit
and is provided with a URL where he needs to authenticate.
The test was written for selenium API 4.9 and must be adapted to
the changes introduced in 4.10:
- the headless method has been deprecated
- executable_path argument has been deprecated
Fixes: https://pagure.io/freeipa/issue/9493
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9abb50eb1e9a186161e1f3a9d2f1d07763f5e279">9abb50eb</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-11T09:55:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.
Fixes: https://pagure.io/freeipa/issue/9405
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25b58e6dea2b3ff7237eea5600891f8e72054531">25b58e6d</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-11T11:51:43+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Webui: use service options to init Firefox driver
With selenium driver 4.10 and above, the API for Firefox driver
initialization has changed and does not use any more the
log_path argument.
The log path is now provided through a FirefoxService option
in the webdriver initialization.
Fixes: https://pagure.io/freeipa/issue/9492
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3fd5d57ed670232fc03aef1feed4fe04f3d996d9">3fd5d57e</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - Add new password policy logging function
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1a16130a9a98f4d735fc76129f4cb434eafc3e67">1a16130a</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - Update logging in ipa_enrollment
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8a6361dc755b97b19380a96050c474e4d7eb4c15">8a6361dc</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_graceperiod
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/23ead1dc2388947a254cecf4cf90147a317bcefc">23ead1dc</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_lockout
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/79b08556a4b4a5750bc53eb29be67c7e018213b4">79b08556</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_modrdn
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a1d454c748792434d6d27306c1330e6d518a6c3">2a1d454c</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_otp_counter
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6cd5a0847a49083da7d76525142880628931078d">6cd5a084</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_otp_lasttoken
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0007876f4205c289018fd6828f87529890c9ba2f">0007876f</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6d3d191825f4da5b2f4e98845b0be9770172f71c">6d3d1918</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2023-12-14T09:24:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9497 - update debug logging in ipa_uuid
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc2ab91681f890b876191fcfe139c33c4f0dee61">dc2ab916</a></strong>
<div>
<span> by Endi Sukma Dewata </span> <i> at 2023-12-19T12:51:46+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove unused pki_theme_* params
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/48846e98e5e988d600ddf81c937f353fcecdea1a">48846e98</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-12-19T12:58:50+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>hbactest was not collecting or returning messages
hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find
Collect any messages returned from thsi call and display them
to the user on the cli.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d1e09c68af8ac77f656dd639af5d9a7f07c41f9d">d1e09c68</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2023-12-19T12:58:50+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a177121af66516deed7c6794b92f15a74cc30bd3">a177121a</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2023-12-19T14:59:42+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: disable dnssec validation in tests using dnf
The 2 following tests rely on dnf install and use
mirrors.fedoraproject.org which has a broken trust chain.
Disable dnssec validation so that dnf succeeds.
Fixes: https://pagure.io/freeipa/issue/9498
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/821259f069941ec1bf38a417bd029c13932314b1">821259f0</a></strong>
<div>
<span> by Thorsten Scherf </span> <i> at 2023-12-19T16:24:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-client: Check if IPA CA cert is empty
IPA CA file should not be used when file is empty.
Fixes: https://pagure.io/freeipa/issue/9499
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/00f8ddbfd2795228b343e1c39c1944b44d482c18">00f8ddbf</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-12-22T10:34:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.
Add detection of special principals to avoid these situations and always
allow password or hardened for services.
Special handling is needed for the following principals:
- krbtgt/.. -- TGT service principals
- K/M -- master key principal
- kadmin/changepw -- service for changing passwords
- kadmin/kadmin -- kadmin service principal
- kadmin/history -- key used to encrypt history
Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/69ae9febfb4462766b3bfe3e07e76550ece97b42">69ae9feb</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-12-22T10:34:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched indepedently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62c44c9e69aa2721990ca3628434713e1af6f59b">62c44c9e</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-12-22T10:34:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c3bc938650b19a51706d8ccd98cdf8deaa26dc28">c3bc9386</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2023-12-22T10:34:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: make sure PKINIT enrollment works with a strict policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.
We set admin user authentication type to PASSWORD to simplify
configuration in the test.
What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8981ede1a2d62e61d24b0c500016212e20c31a13">8981ede1</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-09T08:40:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>azure tests: move to fedora 39
Update python3 to ensure the fix for BZ 2252567 is pulled.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/020af153db23b37da6370a5cc70ba967245f42c0">020af153</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-09T08:40:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: updates related to deprecations
pylint 3.0 has deprectated a few functions:
- check_messages: Use utils.only_required_for_messages
- The config attribute of BaseChecker has been deprecated. You can
use checker.linter.config to access the global configuration object
instead of a checker-specific object
- Everything related to the __implements__ construct was removed.
- Checker should only inherit BaseChecker or any of the other checker
types from pylint.checkers.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f485ba7dcd627ba8ae62ead1f13fb26bd90088c">7f485ba7</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-09T08:40:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: disable new checks
pylint 3.0 introduces new checks that raise too many errors:
use-implicit-booleaness-not-comparison-to-string,
use-implicit-booleaness-not-comparison-to-zero,
broad-exception-raised,
Disable the new checks in pylintrc
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8d7bd6c6ab68a4ef3fed2620ef8e07a03aa92d34">8d7bd6c6</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-09T08:40:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)
Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bf1110bda1e8b47869c210b596c12369f2242e49">bf1110bd</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-09T08:40:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Tox: use sitepackages
Tox is creating a virtual environment before execution.
With python 3.12 the virtual env does not include any
more setuptools, so use setuptools from the globally
installed packages.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/11877d59030ef3cd158aefb298c3a6a334047412">11877d59</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-09T16:15:23-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Include supported migration scenarios in the ipa-to-ipa docs
Lay out the supported migration paths. Users are likely to get
creative with migration so we need to narrow the path for which
we can provide support.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/13778d88ca2ac73b729821bdea844172a18c0cb9">13778d88</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-10T10:26:51+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Check the HTTP Referer header on all requests
The referer was only checked in WSGIExecutioner classes:
- jsonserver
- KerberosWSGIExecutioner
- xmlserver
- jsonserver_kerb
This left /i18n_messages, /session/login_kerberos,
/session/login_x509, /session/login_password,
/session/change_password and /session/sync_token unprotected
against CSRF attacks.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86b073a7f03ba0edf4dd91f85b96c89107e9e673">86b073a7</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-10T10:27:06+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Integration tests for verifying Referer header in the UI
Validate that the change_password and login_password endpoints
verify the HTTP Referer header. There is some overlap in the
tests: belt and suspenders.
All endpoints except session/login_x509 are covered, sometimes
having to rely on expected bad results (see the i18n endpoint).
session/login_x509 is not tested yet as it requires significant
additional setup in order to associate a user certificate with
a user entry, etc.
This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
and adding:
Satisfy Any
Require all granted
Then comment out Auth and SSLVerify, etc. and restart httpd.
With a valid Referer will fail with a 401 and log that there is no
KRB5CCNAME. This comes after the referer check.
With an invalid Referer it will fail with a 400 Bad Request as
expected.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a44cb097137453aa13bbc1b9e206a7e70628ef88">a44cb097</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-10T13:35:51-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ACME: Don't treat pki-server ca-config-show failures as fatal
Up to PKI 11.5.0 even when a pki-server call failed it had a
return value of 0. This was fixed in 11.5.0 which breaks
ipa-acme-manage pruning. If a configuration value is not set
then the call fails and the tool gives up with an error like:
ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit
In previous versions this resulted in an empty string so the tool
displayed the default value.
So now upon failure look in the stderr output for "No such parameter"
and return an empty string so the behavior is consistent between
both old and new PKI server versions.
Fixes: https://pagure.io/freeipa/issue/9503
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8ef3d6ce5c6538756f8eef3e6d89b36baebc88e7">8ef3d6ce</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-01-10T14:58:49-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but its
reset to TLS1.2 causing the test to fail.
'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'
Hence the test is skipped to be run on RHEL9.0 SUT.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e4420624ffed47c42b3bd0dfd580cd98f667e843">e4420624</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-11T17:13:35+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix ipa-client-automount install/uninstall with new install states
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().
The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".
Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.
This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ce811db6be532a9f258d7429234028975eb99f50">ce811db6</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-11T17:13:35+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test client install/uninstall with automount enabled
The automount installation was failing. Confirm that it is fixed.
The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/54fb1173f9ab1025c12a77b3a5bf205afa8f63e2">54fb1173</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-11T17:13:35+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-client-automount: Don't use deprecated ipadiscovery.IPADiscovery
This class was moved to ipaclient/discovery.py in e6d560af66 to make
it available to PyPI.
Related: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2a95a05f9e2b965d0a5f5946d59f614d8baea8e2">2a95a05f</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-11T17:15:53+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.
If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.
Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested the the associated hostname may not be
reliable.
Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e5a9e46138041876c650bc2c3eab4b5dde28b2ea">e5a9e461</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-11T17:19:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.
In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.
The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.
There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.
This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.
Fixes: https://pagure.io/freeipa/issue/9506
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c0fe1dd924b428eef1fcc4ebf209a1f0dfe3de1">2c0fe1dd</a></strong>
<div>
<span> by zoedong </span> <i> at 2024-01-12T08:36:20-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaplatform: add opencloudos/tencentos support
Fixes:https://pagure.io/freeipa/issue/9501
Signed-off-by: zoedong <zoedong@tencent.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/49c090b97655cf1b845a270503bd6cbe75a48278">49c090b9</a></strong>
<div>
<span> by 007hacky007 </span> <i> at 2024-01-12T15:26:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>webui: Unify user group members columns with users columns
Adds 'givenname', 'sn' and 'nsaccountlock' columns to the user group members
and makes columns in the users view and user group members unified.
i.e. Makes easy to see disabled users in the group.
Fixes: https://pagure.io/freeipa/issue/9390
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2874823c12fc05692352129c406e2a1b592a28ea">2874823c</a></strong>
<div>
<span> by Carla Martinez </span> <i> at 2024-01-12T15:26:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: test new columns in group details
Test for checking the new columns 'givenname', 'sn' and 'nsaccountlock'.
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a5d38ca17100fc2d0550e8ebda9347acafd1398b">a5d38ca1</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-12T18:41:01-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.
Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.
Fixes: https://pagure.io/freeipa/issue/9496
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/717ae87a756f9a4859804bbe09057c90381db668">717ae87a</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-12T18:46:41-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Nightly tests: test on f38 and f39
Fedora 39 is now officically available. Update the test definitions:
- lastest now uses f39
- previous now uses f38
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9b456101a3072cdf7f48dfdcfea1002d10d35597">9b456101</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-17T19:32:47+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>adtrustinstance: make sure NetBIOS name defaults are set properly
Some tools may pass None as NetBIOS name if not put explicitly by a
user. This meant to use default NetBIOS name generator based on the
domain (realm) name. However, this wasn't done properly, so None is
passed later to python-ldap and it rejects such LDAP entry.
Fixes: https://pagure.io/freeipa/issue/9514
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3645543670562f9c7c0b9ac04721f146844e07de">36455436</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-18T11:51:18+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Server affinity: Don't rely just on [ca|kra]_enabled for installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c740cb84ba1e5cab871ae4f197a04d87f40c5b9e">c740cb84</a></strong>
<div>
<span> by Masahiro Matsuya </span> <i> at 2024-01-23T07:57:56+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: wait for replica update in test_dns_locations
test_ipa_ca_records and test_adtrust_system_records can fail with
NXDOMAIN, because it doesn't wait enough for the update on replica.
It can be resolved by waiting for the update with wait_for_replication.
Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e399232a78a60cd4ab895c9c2cb363fafbb84198">e399232a</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-23T13:19:37+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipasam: make krbtgt TDO principal canonical
For the trusted domain object for remote realm, we have to use
krbtgt/REMOTE-FLAT-NAME@OUR-REALM as a canonical name.
Fixes: https://pagure.io/freeipa/issue/9471
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5adc07ae55ff83332f7eeddc4a0eb2a9e4c07c29">5adc07ae</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-23T13:19:37+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc/Makefile: run sphinx in serial mode
Unfortunately, using pydata_sphinx_theme extension generates warnings in
sphix processing. These warnings cause documentation build to be
considered a failure:
WARNING: the pydata_sphinx_theme extension is not safe for parallel writing
WARNING: doing serial write
....
build finished with problems, 2 warnings.
make: *** [Makefile:24: html] Error 1
Since the build is already doing a serial write, enforce it from start.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e6014a5c1996528b255480b67fe2937203bff81b">e6014a5c</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-01-23T16:32:58+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Server affinity: call ca.install() if there is a CA in the topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a45a7a20d96af51d463a285cb9318582720be708">a45a7a20</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2024-01-24T14:54:24+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Compatibility fix for PyCA cryptography 42.0.0
Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.
The old properties are deprecated. The changeset also modifies code and
tests to use the new `_utc` variants.
Fixes: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/22875ea2c61039163766332dd9eb4a524d9d3c75">22875ea2</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2024-01-25T18:07:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>test_acme: Use ipalib.x509
Use IPA's x509 module instead of `cryptography.x509`. This fixes a
regression which was introduced in commit a45a7a20.
Related: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d002a4d7c991966ccb73e4ab34d0288b90f033ab">d002a4d7</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2024-01-30T07:43:57+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipapython: Clean up krb5_error
`krb5_error` has different definition in MIT krb.
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
> Error message structure.
>
> Declaration:
> typedef struct _krb5_error krb5_error
While `krb5_error_code`
https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code
> krb5_error_code
> Used to convey an operation status.
>
> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.
>
> Declaration
> typedef krb5_int32 krb5_error_code
And this is what was actually used.
To prevent confusion of types `krb5_error` was replaced with
`krb5_error_code`.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6cd04875dea09c83e01261a805aa27360768d46f">6cd04875</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2024-01-30T07:43:57+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipapython: Correct return type of krb5_free_cred_contents
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
>
> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
> param:
> [in] context - Library context
>
> [in] val - Credential structure to free contents of
>
> This function frees the contents of val , but not the structure itself.
https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
This leads to undefined behavior and `krb5_free_cred_contents` can
raise KRB5Error (because of garbage data) while actually its foreign
function doesn't.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9802e852cb29fdbc43b056816ade27f453001706">9802e852</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2024-01-30T07:43:57+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipapython: Propagate KRB5Error exceptions on iterating ccache
`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.
With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/75afdfea5d0aa7540fa20f6e8ad15625d56513b6">75afdfea</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-01-30T07:50:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: Fix memory leak during PAC verification
Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
during the copy of some PAC buffers, because of an unfreed memory
allocation context.
Fixes: https://pagure.io/freeipa/issue/9520
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4ffc53b2a3534d4f6c12e150fdfb3cfcb11cbae">d4ffc53b</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-30T10:11:47-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc/designs/id-mapping.md: expand on ID range allocation details
Related: https://pagure.io/freeipa/issue/9477
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2d0a088f93ec27ddb55c82e43c33bcc425a759ef">2d0a088f</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2024-01-30T10:18:02-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Vault: add support for RSA-OAEP wrapping algo
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
approved mechanism. This commit adds support for RSA-OAEP padding as a
fallback.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4cc6b9cd1791e1a5fdbcd8e28904a5856e1f0b41">4cc6b9cd</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2024-01-30T10:18:02-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Vault: improve vault server archival/retrieval calls error handling
If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/305fcc25b4dd0aea4f87a0508c5f47c7634cfb82">305fcc25</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2024-01-30T10:18:02-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kra: set RSA-OAEP as default wrapping algo when FIPS is enabled
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f8dcd78873cc098d5a60e2c56ea4102009631fd6">f8dcd788</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-30T16:25:29+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>sidgen: ignore staged users when generating SIDs
Staged users have
uidNumber: -1
gidNumber: -1
ipaUniqueID: autogenerate
We cannot generate ipaSecurityIdentifier based on those UID/GID numbers.
However, '-1' value will trigger an error
find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
And that, in turn, will cause stopping SID generation for all users.
Detect 'ipaUniqueID: autogenerate' situation and ignore these entries.
Fixes: https://pagure.io/freeipa/issue/9517
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/89d945fe6f9265c5667e825554b2663cc63db3e3">89d945fe</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-30T16:25:29+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>sidgen: fix missing prototypes
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ed977a6e8206366a33fe90ba97844834068f56c8">ed977a6e</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-01-30T16:25:29+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kdb: PAC generator: do not fail if canonical principal is missing
krbCanonicalName is mandatory for services but IPA services created
before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
to set krbCanonicalName; services created after that version were
upgraded to do have krbCanonicalName.
Accept krbPrincipalName alone since they have no alias either */
Fixes: https://pagure.io/freeipa/issue/9465
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/677d30806662856595289525ef529a77adbf2272">677d3080</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-30T18:25:10+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-backup: adapt for 389ds switch to LMDB
ipa-backup is relying on the presence of the directory
/var/lib/dirsrv/slapd-<INSTANCE>/db/ipaca/
to detect if the CA is installed on the server and backup
the ipaca backend.
With the switch to LMDB, this directory does not exist and the
backup is missing ipaca information.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check if ipaca backend is present (this method has been
introduced in 389ds 2.1.0 and works with Berkeley DB and LMDB).
Fixes: https://pagure.io/freeipa/issue/9516
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9c470d10a59f18c2861f39c74c3ae928e7909b26">9c470d10</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-01-30T18:27:12+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: test_idp fails calling yum list wget
On rawhide, the package wget has been replaced with wget2
(more info in https://bugzilla.redhat.com/show_bug.cgi?id=2254790).
The test test_idp is checking that the sudo command is working
for a keycloak user, by creating a sudo rule for the yum command
and calling sudo yum list wget.
As the wget package does not exist any more on Rawhide, the command
returns an error:
Error: No matching Packages to list
and the test fails.
Replace the call "sudo yum list wget" with a call to "sudo yum list yum"
as the yum package is always present.
Fixes: https://pagure.io/freeipa/issue/9522
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f849956df3301a10b5b5bafba17fb5869ab4858">7f849956</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-02-02T11:03:00+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Skip tests for ipahealtcheck tests for specific pki version
CADogtagCertsConfigCheck is no more available on RHEL9, hence the
respective tests are skipped.
Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'
Ref: https://issues.redhat.com/browse/RHEL-21367
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bd04dc28c829649e27ee0ceb207f24a56edd35c4">bd04dc28</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-02-06T10:57:08+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: support Samba 4.20 private libraries
Samba 4.20 will change name extension of the private libraries from
'samba4' to 'private-samba'. Detect private extension through configure
step and make sure to use the right library name in Makefile.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/41bc6fc3825644cf3d7fc29dd4c5575a94c6caa7">41bc6fc3</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/abc48e285e1a12efc953d51533b1aed3a212fe36">abc48e28</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c3cb63e5823b59213f9968449319807bd667dfda">c3cb63e5</a></strong>
<div>
<span> by Jan Kuparinen </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Finnish)
Co-authored-by: Ricky Tigg <ricky.tigg@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9e31e7043499cfb6f3f3fc0a12bb17df0c2c1dc2">9e31e704</a></strong>
<div>
<span> by Piotr Drąg </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Polish)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/591bbee847f03450540e54101bbf07475c61f303">591bbee8</a></strong>
<div>
<span> by Yuri Chornoivan </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Ukrainian)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b9552bcb71085cb963553a56eba2938e6ec2dc85">b9552bcb</a></strong>
<div>
<span> by Andika Triwidada </span> <i> at 2024-02-06T15:14:45+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Indonesian)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6a59110947cb682d56f73f54ec71f76c72952799">6a591109</a></strong>
<div>
<span> by Weblate </span> <i> at 2024-02-07T09:46:12+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f3a3d29117bfefb6d01db68d648ab1c3b88079ff">f3a3d291</a></strong>
<div>
<span> by Emilio Herrera </span> <i> at 2024-02-08T15:35:22+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Spanish)
Currently translated at 58.1% (2834 of 4877 strings)
Co-authored-by: Emilio Herrera <ehespinosa57@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d6aaa626a6fb88b1658fa6c934a8adb5ffb95a0d">d6aaa626</a></strong>
<div>
<span> by Rafael Fontenelle </span> <i> at 2024-02-08T15:35:22+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Portuguese (Brazil))
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: Rafael Fontenelle <rafaelff@gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bea9614b126fd69a7851d7fcdc8b758e6f4a1df8">bea9614b</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-08T15:35:22+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.4% (216 of 4877 strings)
Co-authored-by: 김인수 <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfb5099e7f5abfbacf8ac1abc57630da845e433f">dfb5099e</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-02-12T08:32:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/908ef6a17946b75c69bf48486f43fddb9158b993">908ef6a1</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-02-12T08:32:20+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.
Related: https://github.com/SSSD/sssd/issues/7169
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8b48c5f9067718128755268b0d283b5e0ab26c72">8b48c5f9</a></strong>
<div>
<span> by Rafael Fontenelle </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Portuguese (Brazil))
Currently translated at 4.6% (227 of 4877 strings)
Co-authored-by: Rafael Fontenelle <rafaelff@gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/05f8eaea6317725d6a13dd5fd0d714995ad8147d">05f8eaea</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 11.7% (572 of 4877 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2750637544a3fc8d936d173d0c1aa27f1fb8af25">27506375</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 11.7% (572 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b29f2e23073da62a60b33645651d9dbafd048203">b29f2e23</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 27.8% (1358 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b182399514380035c6f6bfca8d7d518e79d0149">5b182399</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 27.8% (1358 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5c91cb2f47ecbdfeb3009b48f7c899763b99ee08">5c91cb2f</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 30.0% (1466 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e2cab8e90026945f221cb8226ca494f144bbaf57">e2cab8e9</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 30.0% (1466 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4ab602a61fde9fb746d0212336455274ab5b6a34">4ab602a6</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-13T15:35:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 35.0% (1708 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e5bb0f392a5f0a6e49c92b2da953b12c5cd66ffc">e5bb0f39</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-02-14T09:26:00+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix tasks.wait_for_replication method
With the fix for https://pagure.io/freeipa/issue/9171, the
method entry.single_value['nsds5replicaupdateinprogress'] now
returns a Boolean instead of a string "TRUE"/"FALSE".
The method tasks.wait_for_replication needs to be fixed so that
it properly detects when replication is not done.
Fixes: https://pagure.io/freeipa/issue/9530
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/835929353d935613ae3dd6fc6f70b21d3252fbc8">83592935</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-02-16T09:38:02+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: Rework ipadb_reinit_mspac()
Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac
only if all its attributes can be set. If not, ipactx->mspac is set to
NULL. This makes easier to determine if the KDC is able to generate PACs
or not.
Also ipadb_reinit_mspac() is now able to return a status message
explaining why initialization of the PAC generator failed. This message
is printed in KDC logs.
Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dc3e902b0bf9f817f7aafb606f1d5d3287873ab2">dc3e902b</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-02-20T16:33:59+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-kdb: Fix double free in ipadb_reinit_mspac()
Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/404fe1018e08e546fd14c83741e00b900c1cd208">404fe101</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-02-21T17:07:33-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>rpcserver: validate Kerberos principal name before running kinit
Do minimal validation of the Kerberos principal name when passing it to
kinit command line tool. Also pass it as the final argument to prevent
option injection.
Accepted Kerberos principals are:
- user names, using the following regexp
(username with optional @realm, no spaces or slashes in the name):
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
- service names (with slash in the name but no spaces). Validation of
the hostname is done. There is no validation of the service name.
The regular expression above also covers cases where a principal name
starts with '-'. This prevents option injection as well.
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/33af154b7f2c92e199d10a36a48310da9b7e77a8">33af154b</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-02-22T14:35:59-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>validate_principal: Don't try to verify that the realm is known
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3766fb98637254110db04b086299e2eefd59cca6">3766fb98</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-02-23T14:11:25+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-restore: adapt for 389-ds switch to LMDB
ipa-restore is relying on the presence of specific directories,
e.g. /var/lib/dirsrv/slapd-/db/ipaca, to detect
which backends are in use (userRoot or ipaca).
With the switch to LMDB, these directories do not exist and the
restore fails finding the ipaca backend.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check which backends are present.
This method was been introduced in 389ds 2.1.0 and works with
Berkeley DB and LMDB.
Add a --data option to the ipa-backup and ipa-restore tasks to do
only an LDIF backup and restore. Also add the ability to restore by
backend.
Add new tests to do a data-only backup and restore.
Fixes: https://pagure.io/freeipa/issue/9526
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/150050eda3f6b73509b4bf09cef64088d46baba0">150050ed</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 35.0% (1708 of 4877 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/da8ab4b54fd902f9ebfee2c18df84a948f17a662">da8ab4b5</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/633ea8ba62d10fd30e96ba4d6a33adab26aa07c8">633ea8ba</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: 김인수 <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cb073530fa0c378b56357e5972f647d9ba805e34">cb073530</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.6% (226 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b4da6896d6f8d76423f96bc036079d4cb12ef76c">b4da6896</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.6% (227 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2959bec776cbcf18cf68a55291ae26d4ae004cd3">2959bec7</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.6% (227 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/655b13193a37b79beb3a2c72d1e0ac365e1f9ea7">655b1319</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.6% (228 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f18db3abd7981a0487e7ebe3b0525de191bf5324">f18db3ab</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.6% (228 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cd1a36f23332515e63747085e83d30d97302724f">cd1a36f2</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.7% (230 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/20b01b09f2a784d34d663b37f134611cf12e99c3">20b01b09</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 4.7% (230 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/23d64942e1a2f9926a053bedb6983e8d8ec034b9">23d64942</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 5.5% (270 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f7a56eb35c24298306ad3c6858d997fd8bedadb4">f7a56eb3</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 5.5% (270 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/049a56d603ff4f629da19b9932c2936d32f42a4b">049a56d6</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.0% (295 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bc3085cd015d9c38c59e6fa8246c84263fff8d2c">bc3085cd</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.0% (295 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f4504e1e918ff80d8dda0d1e2ef3e2aadc6994fa">f4504e1e</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.4% (317 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/da9f2294e60c64bfb8ac990b7e586fd38d840327">da9f2294</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.4% (317 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c6aae2042d593120dd4f0c49dd3014339cfa985b">c6aae204</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2877cae09ff74672a1ba28b5e9b2dea4215c2def">2877cae0</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1ce532d5a892e691b7bb0231c9d5d419afc33b6a">1ce532d5</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/282b55153327b354623532312d84a82db48cc9f0">282b5515</a></strong>
<div>
<span> by Temuri Doghonadze </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Georgian)
Currently translated at 35.0% (1709 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d9afa62814e29a385557cc98a21a5cacd811461e">d9afa628</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 7.0% (342 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78d86ba060f314ffdd0979f06226307f4a0ead66">78d86ba0</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 7.5% (370 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86aae371fa0cda75dfc4ef27d23cc103d332f219">86aae371</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 7.5% (370 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/99922e99635645d1d6f184f86acbc39f371156ff">99922e99</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 8.4% (412 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b2ac6a293bac4064a7780edb18702a4749d3f88">7b2ac6a2</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 8.4% (412 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f2befb494410a3fd68a310b721e38ad0b99a72a3">f2befb49</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 10.6% (520 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f4a1696a3b9cdf9526b77ec156e377add8209ab8">f4a1696a</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-02-28T13:13:19+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 10.6% (520 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/558a7de8b7fa920c2c597e0a10d8480f3e66e1c6">558a7de8</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-03-01T11:53:48+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: some tests are date-sensitive and fail Feb 29
A few tests are changing the date back and forth using for
instance date -s +3Years+1day and date -s -3Years-1day.
This method does not bring the system back to the current date
if executed around Feb 28 or 29 on a leap year, and may result
in de-synchronized server and client.
Add a note in the test to warn about potential future failures.
Related: https://pagure.io/freeipa/issue/9548
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9ad27c954e35be2767f1215efab6aded06f4907a">9ad27c95</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 13.4% (655 of 4877 strings)
Co-authored-by: 김인수 <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee6ff01b46e5bc3f33c8a400943b0fed1d4ff8a9">ee6ff01b</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 13.4% (655 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e60072fe8996daad9528f41389b8d64a11eff8af">e60072fe</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 14.5% (712 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d8a4bde2c65791a97b70160193f39ef1040748c8">d8a4bde2</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 14.5% (712 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/04ac64a4eda9fbb531814a03909eed839e62b702">04ac64a4</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 18.4% (899 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/05f1bf9e2c0acafb60499ff999b814fb19e0037c">05f1bf9e</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 18.4% (899 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bf5c9892e9bcf6eca500bf8537a7ee0becbe461f">bf5c9892</a></strong>
<div>
<span> by 김인수 </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca776b6a9ca9f6b9884491909eb7e01522aef58b">ca776b6a</a></strong>
<div>
<span> by Weblate Translation Memory </span> <i> at 2024-03-04T08:44:31+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c3d228d4a3c99f8eaf3d9f1d5825fed5cdff5810">c3d228d4</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-03-05T15:46:01-05:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Vault: add additional fallback to RSA-OAEP wrapping algo
There is a fallback when creating the wrapping key but one was missing
when trying to use the cached transport_cert.
This allows, along with forcing keyWrap.useOAEP=true, vault creation
on an nCipher HSM.
This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1d2897e3d7cc88c2c5698126ecb1e59fff396bbc">1d2897e3</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-03-12T13:53:11+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).
This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.
Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/23b224d7ad2e90d03543a0001f9a83731a8a14a5">23b224d7</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-03-12T13:53:11+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e431ce0ce7699a3857ee4ef1e6b4e27d57874370">e431ce0c</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-03-14T13:53:16+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-pwd-extop: declare operation notes support from 389-ds locally
The function slapi_pblock_set_flag_operation_notes(); is defined in
ldap/servers/slapd/pblock.c in 389-ds but is only available through
slapi-private.h header, not through slapi-plugin.h public API.
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
Since we only use it with an MFA note, all versions of the 389-ds that
will support MFA note will have this function.
Fixes: https://pagure.io/freeipa/issue/9554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/557f0a5639e65b952ed0ce82e4ef42683bf75178">557f0a56</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-03-14T13:59:48+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9547 - Update IPA to IPA migration design doc
Update the ipa to ipa migration doc in regards to the new IPA migration tool
Fixes: https://pagure.io/freeipa/issue/9547
Signed-off-by: Mark Reynolds <mreynolds@redhatr.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f9a1d74f5ea63a63880abf8d4b5568664c372417">f9a1d74f</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-03-19T15:20:39+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>dcerpc: invalidate forest trust info cache when filtering out realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
domain controllers are assuming subdomains already covered by the main
domain namespace.
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
method of validating the forest trust information. They are the same as
rules in [MS-ADTS] section 6.1.6. Specifically,
- A top-level name must not be superior to an enabled top-level name
for another trusted domain object, unless the current trusted domain
object has a corresponding exclusion record.
In practice, we filtered those subdomains already but the code wasn't
invalidating a previously retrieved forest trust information.
Fixes: https://pagure.io/freeipa/issue/9551
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/64861a0cf9a8ac18d83a206c11fd3b42be3c578c">64861a0c</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-03-20T13:59:21+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.
Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/adf95dcf86239f7d4145509303a01f0518134b0f">adf95dcf</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-03-25T12:27:43+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a57b665be027bd67b582cba784aca5f2f8399459">a57b665b</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-03-27T18:04:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.
Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.
Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6cc668ffeb7ddd4ebd75304f14adaa3aaf3b4cb0">6cc668ff</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-03-27T18:04:26+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>xmlrpc: adapt range plugin test
A warning is added in ipa idrange-add/mod/del for
local ranges. Adapt the test expectation.
Related: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/38d0e74b6da63deedf3380a04dda2f6fe7c75d82">38d0e74b</a></strong>
<div>
<span> by Christian Heimes </span> <i> at 2024-03-27T18:07:17+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Move ipalib.install.kinit to ipalib
- kinit helpers are now in `ipalib.kinit`.
- helpers can now use default ccache locations like many other similar
helpers
- helpers return the result from `run` for debugging
- constants are now in `krb_utils`
- helpers pass `KRB5*` and `GSS*` env vars along, so `KRB5_TRACE` works
- document how to kinit for `ipalib.api`
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9bb811296b99d21a150adf0c7a0282df3337c7c">a9bb8112</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-04-02T23:06:43+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Check for file permissions after the ca/cert-show is complete
The commands ca-show and cert-show provide the ability to direct
the certificate output to a file. If the requested object was
not present then this resulted in a zero-length file.
This is because the check to determine if the file was writable,
by opening it, was done prior to the operation to retrieve
the entry.
So move the check after the data retrieval.
Also convert cert-show to be more consistent with ca-show.
I considered cleaning up the empty file afterward but IMHO we
shouldn't touch the file until we're ready to write. This
costs an API roundtrip but its a small price to pay for
potentially protecting existing data.
Fixes: https://pagure.io/freeipa/issue/9562
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d3c6b761b9d59ce6640d1141848eb66585795f7">5d3c6b76</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-04-02T23:06:43+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.
The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.
With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.
Related: https://pagure.io/freeipa/issue/9562
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ca6604b58be0448e45b2a68d03d4f8dacbceab7b">ca6604b5</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-04-03T10:43:55-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use raw strings for Python 3 compatibility in old API client code
Python 3 enforces checks on \ sequences in strings. Instead of copying
over the new mix of normal and raw strings from the server side, turn
those strings in the remote plugins to raw mode.
Fixes: https://pagure.io/freeipa/issue/9565
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc7c2cb6243468d150e6be7c78a0e3f906a7e291">fc7c2cb6</a></strong>
<div>
<span> by Erik Belko </span> <i> at 2024-04-04T15:56:25+01:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>xmlrpc tests: Create user with manager option set using user-add
Related: https://pagure.io/freeipa/issue/9515
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1df2abbd5f3d758d494a196567cc2323bf2ab91c">1df2abbd</a></strong>
<div>
<span> by Stanislav Levin </span> <i> at 2024-04-04T11:42:24-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ap: Migrate to docker compose V2
Azure Pipelines started to roll 20240401.4 Ubuntu image that doesn't
include docker-compose v1:
https://github.com/actions/runner-images/blob/ubuntu20/20240401.4/images/ubuntu/Ubuntu2004-Readme.md
See https://github.com/actions/runner-images/issues/9557
Compose V1 to V2 migration guide:
https://docs.docker.com/compose/migrate/
Fixes: https://pagure.io/freeipa/issue/9566
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cbe18735913aa1d033937088c1f2628a962a9254">cbe18735</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-04-04T15:49:42-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet
Fixes: https://pagure.io/freeipa/issue/3656
signed-off: Mark Reynolds (mreynolds@redhat.com)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6294b93e14e3b538061a2892bc48edcb31866928">6294b93e</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-04-04T16:30:09-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Ignore spacing in OpenSSL validation error message
The error message format changed between releases of OpenSSL.
The updated version has dropped spaces around equal signs
between RDN elements in the subject.
e.g. In 3.1.1 it reports O = EXAMPLE.TEST, CN = IPA RA
and in 3.2.1 reports O=EXAMPLE.TEST, CN=IPA RA
So ignore all spacing in the error message so it works on all
versions.
I saw this in openssl-3.1.1-4.fc39.x86_64 vs
openssl-3.2.1-3.fc41.x86_64
Fixes: https://pagure.io/freeipa/issue/9567
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8084b94c17d2d2e83288cae5aa9ab96dc7c32ce4">8084b94c</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-04-04T17:25:04-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9568 - Update IPA to IPA migration design doc
The usage for migrating DNS changed. It went from "--skip-dns",
to "--migrate-dns"
Fixes: https://pagure.io/freeipa/issue/9568
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/182dca38c2bb84acce8ab5dcfab6fb5e4abf31da">182dca38</a></strong>
<div>
<span> by Thomas Woerner </span> <i> at 2024-04-05T10:05:56+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>principal_has_privilege: Check also idoverriseuser (ipaOriginalUid)
The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.
A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.
principal_has_privilege is used in the replica connection check. The
additional check enables to deploy replicas using an AD user/administrator
that has been added to the "admins" group.
Fixes: https://pagure.io/freeipa/issue/9542
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b0f6ff19e4b56b775cca91435be0a612600f837">6b0f6ff1</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-04-10T09:26:47+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Allow the admin user to be disabled
A previous change made it not possible to remove the admin
user. This also included disabling the admin user. The user can
be disabled, just not deleted because it is required.
Move the test test_ipa_cacert_manage_prune to the end of the
class because it changes time which can break replication.
Fixes: https://pagure.io/freeipa/issue/9489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d16c34997f2223bd3f3d00a734c3372552bd8863">d16c3499</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-04-10T09:30:53+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>internal: fix 'tokensfor' typo and regenerate pot file
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dda223668acf76f19efc6b85829139beba424cd6">dda22366</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-04-12T15:59:04+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>webui test: Update message for admin disable
An admin can be disabled if he is not the last member of the
admins group. Update the expecrted error message.
Fixes: https://pagure.io/freeipa/issue/9574
Related: https://pagure.io/freeipa/issue/9489
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f78d25fc972813f500c4ccfcf0faa2c6aa0d48b2">f78d25fc</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-04-15T16:03:10+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-crlgen-manage: manage the cert status task execution time
ca.certStatusUpdateInterval manages how frequently to update
the certificate status in LDAP (expired, etc).
By default this is not set on the initial master and pkispawn sets
it to 0 on replicas. This can lead to no server running this
task and therefore the status attribute not reflecting the current
state.
On enabling CRL generation remove any value which will cause PKI
to use its default. On disabling set it to 0.
Only one server should run the update status task to prevent
unnecessary replication.
Fixes: https://pagure.io/freeipa/issue/9569
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f9f96ac4a802e9b38d156fddbc98592ac0981726">f9f96ac4</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-04-15T16:06:23+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9570 - migrate nsaccountlock
IPA migration tool, when retrieving a remote entry from the
source/remote server request the operational attribute 'nsaccountlock'
Fixes: https://pagure.io/freeipa/issue/9570
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cce8dc4da87a934644712158b97242960a8d138e">cce8dc4d</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-04-30T14:26:55-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9579 - Remove bash_completions_dir for RHEL
RHEL 9 does not support the bach_completions_dir macro, but it is still
needed for Fedora builds
Fixes: https://pagure.io/freeipa/issue/9579
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6c6b9354b5f970983655ca5423c726763d9015fa">6c6b9354</a></strong>
<div>
<span> by Rafael Guterres Jeffman </span> <i> at 2024-05-03T16:35:19-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Replace netifaces with ifaddr
Python netifaces has been unmaintained and its main repository has been
archived since June, 2021.
Python ifaddr is an alternative to netifaces, is currently maintained,
and provides an API which requires little change for FreeIPA current
usage.
This patch modifies FreeIPA to rely on ifaddr instead of neitfaces, due
to its current maintainance status.
Fixes: https://pagure.io/freeipa/issue/9555
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9e1e22d46b19a4728bf8e67633613fa71bd8acaa">9e1e22d4</a></strong>
<div>
<span> by Pavel Březina </span> <i> at 2024-05-06T17:10:18-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipaserver: fix incorrect double negative in exception message
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bb8dd0bfcd42f9221e12f4a675b54432848db441">bb8dd0bf</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-05-07T14:33:04+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: depend on nfs-utils or nfsv4-client-utils
The freeipa-client package currently requires nfs-utils.
The requirement can be relaxed and modified into nfs-utils or
nfsv4-client-utils.
Fixes: https://pagure.io/freeipa/issue/9586
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/cba3094c9af5ceac66dd2c11839acbab80c6e9d3">cba3094c</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Support the certmonger nss-user option
Some certificate operations need to be executed as a specific
user so that underlying files will have the correct ownership.
certmogner normally runs as root. The nss-user option defines
a user to switch to when saving NSS certifciates so if a
software token (e.g. SoftHSM) then the files created will be
owned by the token owner.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e6078c639c332e0079fa0cbff3fa54882d79b3bd">e6078c63</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't generate a cafile on HSM instalations
We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/34f28f06db291c7408fbeb7276dcdaae5f0ef18a">34f28f06</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add token support to installer certificate handling
Pass along the user-provided password file, if any, to the
underlying NSS database. This will provide for per-token
passwords.
If a token is in a nickname then break it out and pass it to
certutil separately.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/73d52a613518ca1e2d2303b660f9dc439987f90f">73d52a61</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Only generate kracert.p12 when not installing with HSM
The private keys are not retrievable from an HSM by
design so don't try during KRA install.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e3234708ac356065641ce1ea4d6460c7fd50c815">e3234708</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't move KRA keys when key backup is disabled
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case IPA is configured with HSM
support.
With an HSM you don't export private keys.
Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f658a264f9cbdb190aa4ff6ab21903da0a7e84c8">f658a264</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>doc: Add token-password-file to HSM design, set new OID
Clarify when the user will be prompted interactively during
installation.
Set the OID for ipaCaHSMConfiguration.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d9efa728c5c93e232eaf03b432b0699804189012">d9efa728</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add LDAP attribute ipaCaHSMConfiguration to store HSM state
This will be used so that when a replica is created it can
configure the HSM without relying on the user to pass in
the same token, library name, etc.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/82c0b19acce147b3f82183b561883c7ca9137403">82c0b19a</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add HSM configuration options to installer scripts
The bulk of the installer effort to enable HSM support without
having to provide an override file.
This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a99091adc0bf8dd745ef3f5980a5bc66294e8c06">a99091ad</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add attribute ipacahsmconfiguration to the "Read CAs" ACI
This will allow the HSM stored configuration to be read.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ad3b489f6272e5b041d410f8098f454b584209e">7ad3b489</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update SELinux policy to allow certmonger to PKI config files
Needed so the helper renew_ca_cert can read password.conf in order
to get the token password. These files are already readable with
FS permissions.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/93622005ba0f14e68010a84b07cc050cfdc4bedc">93622005</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add token support to the renew_ca_cert certmonger helper
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d0c489e28228f4ce5f92c2dfc2c7b9e86c7fcb36">d0c489e2</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>If HSM is configured add the token name to config-show output
A token can only be set in an HSM installation so this is implicit:
if a token exists then HSM is enabled, if not then it isn't.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0708f603e2d632db77a95d135e28242c6d1a7ee7">0708f603</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>renew_ca_cert: skip removing non-CA certs, fix nickname
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.
An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certifcate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.
Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickame format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b89aa919778a048fbb54f0a3426423d23f6c38df">b89aa919</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>renew_ca_cert: set peer trust on the KRA audit certificate
The PKI audit certificates require that trusted peer (P) be
set on the certificate. This is done already for the CA audit
certificate. Also set this on the KRA audit certificate on
renewal.
https://pagure.io/freeipa/issue/9353
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06a8791b9beec5a95a5072e9a02a4379ac46770d">06a8791b</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: helper to copy files from one host to another
Simple function that takes a list of file names and copies
them from one host to another.
It isn't the most efficient but for a small number of files it
should be sufficient.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/36dbc6b0258f3e21a3fe6c72cd55bf0c141c0946">36dbc6b0</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM.
Whenenver new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b894f28b5ac07fff3863cc4fec6b9a2383b615e">6b894f28</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>After installing a KRA, copy the updated token to other machines
This can be eventually squashed into the main "test" patch but
keeping it separate to make it easier to see what has happened.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31d66bac64501efd54afe2041b9d00da66ac0ae3">31d66bac</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Validate the HSM token library path and name during installation
It would fail eventually with the output in the CA logs but it
wasn't always very obvious and you had to wait a while to find
out about a typo.
Scraping modutil output is a bit ugly but it is guaranteed
to be installed and this should work both with p11-kit and
without.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c6dd21f04e9f14b0c1e5c064e87b3266ff02f60f">c6dd21f0</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove caSigningCert from list of certs to renew
This certificate should not be renewed this way.
ipa-cacert-manage renew should be used.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87ecca0f180fb0cd7ffefb1d9c1b200683a2e38a">87ecca0f</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add SELinux subpackage for nCipher nfast HSM support
A number of files that need to be managed by certmonger
have unconfined_u:object_r:pki_common_t:s0.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f8798b3e16d9f51a3ae355a2270f7346754301dc">f8798b3e</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add SELinux subpackage for Thales Luna HSM support
This is simple, a port needs to be available to certmonger
to communicate during renewals of CA subsystem certificats.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1ec875c6fe677357d4dfb50090dc18ae902328a1">1ec875c6</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM.
Whenenver new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b63103c88a57b1320ce2e38f7483ef37692feebd">b63103c8</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>tests: Fix failing test test_testconfig.py with missing token variables
Arguments were added to the configuration file to allow specifying
the token option values. These needed to be included into the
defaults as well.
This should be merged into the tests prior to pushing.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c6f2d0212bf9aa2ed816779540d69233fe7110a5">c6f2d021</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
On a non-HSM, non-renewal-server replica we look in LDAP for
an updated certificate. If the certificates don't match then we
have a new one and write it out. If they match the assumption is
that it hasn't been renewed yet so go into CA_WORKING.
The problem is that for networked HSMs the cert will already be
visible in the database so certmonger will always be in CA_WORKING.
In this case we can assume that if the certs are the same then
that's just fine.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/31fda79a0e3f34dcf71a9e2687faa958ecb91ab8">31fda79a</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Prompt for token password if not provided in replica/ipa-ca-install
If the password wasn't provided by --token-password then an empty
value would be passed into the CA installer which promptly failed.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b9ec2fb0a91034934b48d419c2d0eaa2c36faef1">b9ec2fb0</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>KRA: force OAEP for some HSM-based installations
Not all HSMs support PKCS#1 v1.5. The nShield nFast is one we know
of so force the KRA to use OAEP in this case..
This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.
There is currently no good way to test for this capability in
advance of configuration. Testing for mechanisms alone is
insufficient. The only real way to test would be to attempt a
wrap/unwrap but it is very complex.
If the list of affected HSMs increases we can use a table
instead based on "best guess" of some sort of property but
looking for a unique string inside the library path is a
pretty straigthforward way.
Note that this doesn't preclude someone from wanting to require
OAEP directly by modifying the KRA CS.cfg and it won't impact
FIPs mode which requires OAEP.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ea0bf4020ce0b1e32572e128e9323c5af60ec93d">ea0bf402</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bcd8d2d90a41eb94422ad5fad730bd0570108f91">bcd8d2d9</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Require certmonger 0.79.17+ for required HSM changes
* Switch to CA user when saving NSS certificates
* Add new certs to internal token, try harder to remove on renewal
* Don't restrict tokens to CKM_RSA_X_509
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/879a937dddf17478378d9e855317ee199ac645c9">879a937d</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Include the HSM tests in the nightlies
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6b6c1879c5174869128ae28048673995242b18c1">6b6c1879</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Call hsm_validator on KRA installs and validate the HSM password
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.
Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.
Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.
Remove an unused arguments to hsm_version and hsm_validator.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c861ce5a1634b43b04c3d38d49d5b3e4e599b7d7">c861ce5a</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add SELinux module checking to hsm_validator
Don't blow up if the expected module is not installed but warn
about it. Hopefully users will actually read the output and/or the
installation log.
This is done by looking for strings in the path. Not great but
it's at least something.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6af8577d58c4b2bed04ec0bd02042ba7122ab518">6af8577d</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-16T08:46:32-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>docs: Add a section on SELinux modules to the HSM design
Additional SELinux rules are necessary for the HSM to be
managed by IPA and certmonger. Given the infinite possible
naming combinations of library paths and modules this is
a best effort. A message is logged if a missing module
is detected.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d54a6daaf0ef91d608d67b3c70e2d566868be05">7d54a6da</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2024-05-17T09:53:53+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-client-install: add support for sss_ssh_knownhosts
sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts.
With this update, if the file /usr/bin/sss_ssh_knownhosts is present,
KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile
is disabled as it is no longer needed.
Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b34525c76e9f8182950bbbdd6fa3ae62f5301064">b34525c7</a></strong>
<div>
<span> by Francisco Trivino </span> <i> at 2024-05-17T09:53:53+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Spec file: add support for sss_ssh_knownhosts
sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. This commit
implements a mechanism to apply the change when upgrading from older versions.
Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f225b3df17a4c01e62f659fe70fc5427bab1f387">f225b3df</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-20T14:46:55-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Don't try to validate the HSM arguments on a non-HSM installation
If there is no token name it is safe to assume that an HSM
installation is not requested. The validator assumes that if
there is a token name then the library and password are also
provided.
Fixes: https://pagure.io/freeipa/issue/9593
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/544652aae43506ef974fc7331ce8612884a7d01e">544652aa</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-05-20T14:52:12-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9591 - Allow get_ruv() to handle incomplete RUV elements
Sometimes RUV's are missing the LDAP Url and max/min csns. This prevents
cleanallruv task from running. However, cleanallruv doesn't need to
know the LDAP URL or min/max csns. Added a new paramter to get_run()
called "strict", and when set to False it will still process and
include incomplete RUVs.
Fixes: https://pagure.io/freeipa/issue/9591
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/47920e78c81380c0a40986e55f05246aac132fbb">47920e78</a></strong>
<div>
<span> by Erik Belko </span> <i> at 2024-05-21T14:50:46+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Update ipa-adtrust-install test
update after change in implementation of `krb_utils.get_principal()` now using GSSAPI
Related: https://pagure.io/freeipa/issue/9575
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9dc57ef77e276773b91c567f83498a69d382ba13">9dc57ef7</a></strong>
<div>
<span> by Thomas Woerner </span> <i> at 2024-05-22T09:59:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors
SID anchors are only resolvable on servers with DCERPC bindings
installed. On non agent replica these bindings are not installed and
therefore group and role management if there are AD user idoverride
members.
If there is an ipaUserOverride for the anchor, the ipaoriginaluid is
returned.
Fixes: https://pagure.io/freeipa/issue/9544
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6fc35156d91ce2265f02ed12224bce08c21b99e6">6fc35156</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-05-22T10:00:39+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add permissions for topologysegment
I don't know why these weren't added originally when the
topology plugin was created.
Add them all to the 'Replication Administrators' privilege
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/295ac6385c33d28502396ffeb9e7a5297b63a005">295ac638</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>privilege: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
In principal_has_privilege() we can take None principal object as a sign
that currently bound LDAP DN has to be checked for the privilege. This
allows to match any type of account to the privilege, with exception of
the cn=Directory Manager which is never added to privileges explicitly.
cn=Directory Manager will be allowed any privilege because it already
can write to any LDAP entry.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3608b2b63de736186176f8da0fad36ce3b0d57a3">3608b2b6</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>batch: account for auto-binding in server context
When batch runs under server context, we have no context.principal set
because we talk directly to LDAPI endpoint and authenticate using
auto-binding, not GSSAPI. Account to that in the logger.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/71d886f0713b2c58d8eb57f2267d59cc0be39345">71d886f0</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>config: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab5465639d5c083d6396551f06c450fe4d349d1b">ab546563</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>server: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/08f1e6f2fdb19db681c0560db53a7a5fa1ce3784">08f1e6f2</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>trust: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b6131b57371f6eade697125a4500c140997478c0">b6131b57</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>trust: handle stray pylint warning
We only get to this code path when running in the server context. At
that point _bindings_installed will be defined. Pylint cannot track this
and always fails with this check.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e386e22046fec4de062116245a3cd9e79c457499">e386e220</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>cert: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
When processing certificate issuance requests a care has to be done to
match operations done as LDAP auto-bind to actual principals for
validation. This is a tough one as we have no principal to match for
cn=Directory Manager. Use fake principal to fail validation here and
rely on LDAP ACIs instead.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/902c8b0bae90b04d3f1d91f0703c2a0eca4e39f1">902c8b0b</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>passwd: handle LDAP auto-bind use case as well
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c325f9c045787a4c4e18096e23cb2f84f514b28e">c325f9c0</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>user: handle LDAP auto-bind for whoami case
In LDAP auto-bind situation we will not have a Kerberos principal
available, so we should be using a different mechanism to find the
object. Since we already have a valid bound LDAP DN, use it as a base DN
here and simply require presence of the POSIX account.
This will not match 'cn=Directory Manager' but none of the code we have
uses LDAP auto-bind as root when calling 'ipa user-find --whoami'.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6cc0a0b9a8439f97cfc688e5610c25b5e494ba0b">6cc0a0b9</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>pylint: use yield_from for trivial cases
Follow pylint recommendations (turned errors in recent pylint updates)
and use PEP-380 syntax for subgenerators. This is supported by all
Python 3 versions since ~2011.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9e861693fcb79d256af6d0cfe26f27c7f7ff8e13">9e861693</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T10:03:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>batch: add keeponly option
batch(methods=Dict(), keeponly=list) will allow to execute batch of
commands and remove from the output everything but the attributes which
names were passed in the keeponly list.
This can be useful if you are only interested in getting names and
assigned random passwords, for example.
Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fd0f432fec692a2db25c270b2e69b3f423ba7f4a">fd0f432f</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T17:06:23-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib: move json formatter to a separate file
To prevent cyclic imports, move JSON handling code to a separate file.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/145e33174d99e4826d388b4796ecadb73698cf47">145e3317</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T17:06:23-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/rpc: Reformat after moving json code around
Context changes cause linters to complain for older code formatting
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84eed2a67fb515f4d5d0af3479c077bf5b788d56">84eed2a6</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-22T17:06:23-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recored in httpd's error_log for API requests coming through the
RPC layer.
In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.
With this change any IPA API operation is sent as an audit event to the
journal, alog with additional information collected by the journald
itself.
To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.
If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].
Messages sent with syslog NOTICE priority.
More information is available in the design document 'audit-ipa-api.md'
Fixes: https://pagure.io/freeipa/issue/9589
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/536812080502baa51818d9a33ea6533675800b30">53681208</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-23T15:12:27-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>custodia: do not use deprecated jwcrypto wrappers
jwcrypto has turned JWK object into a dict-like structure in 2020 and
marked data wrappers as deprecated. The only exception for direct
foo['bar'] access is a key ID -- some keys might have no 'kid' property,
thus it is best to use jwk.get('kid') instead for those.
Fixes: https://pagure.io/freeipa/issue/9597
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1223016ef29aef4009a0d976af0d0b2bca871013">1223016e</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-05-28T11:14:35+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>console: for public errors only print a final one
By default, interactive console prints full traceback in case of an
error. This looks weird in the console when LDAP errors pop up.
Instead, process PublicError exceptions as if they are final ones and
only print their message.
As a result, calls like api.Command.user_show('unknown') would
result in a concise message:
>>> api.Command.user_show('unknown')
IPA public error exception: NotFound: unknown: user not found
>>>
rather than a two-screen long traceback.
Fixes: https://pagure.io/freeipa/issue/9590
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/69c6a817ce84a9c2bd111158bec4b10850dba544">69c6a817</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-05-28T14:39:33+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-replica-manage list-ruvs: display FQDN in the output
The behavior of ipa-replica-manage list-ruv was modified with
the commit 544652a and now displays host short names instead
of FQDN:port.
Fix the regular expression in order to return the FQDN:port again.
Fixes: https://pagure.io/freeipa/issue/9598
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b3789876b89ef663d91f7da2618dd9ce47add394">b3789876</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2024-05-28T16:11:04+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c250b1a7e45fd17317bd7b505368149e76091855">c250b1a7</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2024-05-28T16:13:33+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/407408e9a83d2ba09cf4229672cb1cac61f30876">407408e9</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2024-05-28T16:19:49+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Become IPA 4.12.0
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ea375937861375f9052c17fe1ded2cdd2caad288">ea375937</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2024-05-28T16:26:57+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Back to git snapshots
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f77c0a573c613fe541a040b938ae00524724584c">f77c0a57</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-06-10T12:46:05+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.
In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism to apply in cases where target
service argument is set AND unset. This results in S4U2Proxy requests to
be accepted regardless of the fact there is a matching service
delegation rule or not.
This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.
This fixes CVE-2024-2698
Signed-off-by: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4a61184da640759e9cd8907eaf975a8bfe9a1263">4a61184d</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-06-10T12:46:05+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
global one, use flags from the global ticket policy if they are set.
Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
flags.
However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.
This was causing multiple issues, which are mitigated by the new
approach:
Now flags from each level are combined together. There flags like
+requires_preauth which are set systematically by the KDB diver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.
In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).
Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa serivce-mod", or using kadmin's "modprinc".
It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.
When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.
This fixes CVE-2024-3183
Signed-off-by: Julien Rische <jrische@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5b3735b09df0bc44ebaa59c5d8d1f3893b8dc33f">5b3735b0</a></strong>
<div>
<span> by Antonio Torres </span> <i> at 2024-06-10T12:46:37+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Bump minor version number
Signed-off-by: Antonio Torres <antorres@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/584d0cecbcb99a09b09d5698fc906b4849a7234c">584d0cec</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-06-10T14:59:18-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Use a unique task name for each backend in ipa-backup
The name used to be "export_%Y_%m_%d_%H_%M_%S" so if the tasks
were added within the same second the second backend would fail.
Add the backend name to the task name to ensure uniqueness.
export_{backend}_%Y_%m_%d_%H_%M_%S
Fixes: https://pagure.io/freeipa/issue/9584
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ebccaac3cf8a5688739d76426924469d5b4df6b1">ebccaac3</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-06-12T16:43:25-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the conneciton lines between nodes in the UI to not be
visible.
Also add a manual ACI to allow reading the min/max
domain level.
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9de053ef02db8cb63e14edc64ac22ec2d3d7bbc9">9de053ef</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-18T08:46:14+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.
Open the keyfile in binary mode to pass the expected format.
Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/09e66dc936cf2d99bcc44d60d6851aafa9ede46a">09e66dc9</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-24T14:51:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec file: do not create /etc/ssh/ssh_config.orig if unchanged
The upgrade removes the line
HostKeyAlgorithms ssh-rsa,ssh-dss
if present in /etc/ssh/ssh_config and creates a backup in
/etc/ssh/ssh_config.orig, even if no change was applied.
Create the backup file only if the file was changed.
Fixes: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4d51446bd3cd9ab222f9978f8f5def1f3a37fa0e">4d51446b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-24T14:51:38+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: add test for ticket 9610
Test scenario:
- ensure there is no /etc/ssh/ssh_config.orig file
- force ipa-client package reinstallation
- ensure no backup file is created in /etc/ssh/ssh_config.orig
Related: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c8e3fdeb0015f9c52c64816d6cd39279c5d3ad5a">c8e3fdeb</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-26T07:36:53+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.
Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/467ec04f93a29fd31ba037cef348c09547541fe7">467ec04f</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-26T07:36:53+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: add test for PKINIT renewal on hidden replica
Test scenario: on a hidden replica, force the renewal of
PKINIT cert by calling getcert resubmit.
Related: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/58154be74fa950b3356712e60687930abb6480f1">58154be7</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-26T09:50:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: configure gating and nightly tests on ipa-4-12 branch
Update the pipelines for ipa-4-12 branch:
- run tests on fedora 40
- use the vagrant image freeipa/ci-ipa-4-12-f40
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4521fe5f9125c74b4ad6e4e51f8c66c009079281">4521fe5f</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-26T09:50:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: mark test_ca_show_error_handling as xfail
With PKI 11.5.0, the test
test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
is failing with an exception and a different error message.
Mark as xfail until PKI provides a fix
Related: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60c127d197f79fa4ed612f7173e752d156885415">60c127d1</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-06-26T09:50:34+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix / permissions to allow ssh with private key
The test test_ssh_key_connection is performing a ssh login
with a private and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9607
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9e364910f537413cfce2b6ee2434579a5acf5c16">9e364910</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-06-26T13:30:48+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.
Include a test to catch any additional files that may be created
and left behind.
Fixes: https://pagure.io/freeipa/issue/8080
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/48ff7da5cb7ca8c3a5c21ce57f7c51e3e19958c8">48ff7da5</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-02T08:53:03+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: fix / permissions for test_nested_group_members
The test test_nested_group_members is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9615
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/52ea4ad46e5579bd41939680d75bf02c76ab119d">52ea4ad4</a></strong>
<div>
<span> by TAKAHASHI Masatsuna </span> <i> at 2024-07-04T17:48:04+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.
Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/90b22ff888cc55132c78024d08ffcf0ce8021cea">90b22ff8</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-07-08T15:21:04+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2f902efd0e47eb2461429ce658f89d2a11f0891e">2f902efd</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-08T15:26:24+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-ods-enforcer: stop must also stop the socket
ipa-ods-enforcer is a socket-activated service. In order to fully stop
the service, IPA needs to call
systemctl stop ipa-ods-enforcer.service ipa-ods-enforcer.socket
otherwise the socket remains active (listening) and can restart the
service.
A consequence of the issue is the backup / uninstall / restore
scenario that is failing to sign the zones. The uninstaller removes
the socket /run/opendnssec/engine.sock but leaves the ipa-ods-enforcer.socket
active. A subsequent restore or install will not re-create the socket.
Fixes: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6fe268af5bc6c5296f7a380917e3134f8fa46fda">6fe268af</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-08T15:26:24+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Uninstall: stop sssd-kcm before removing KCM ccaches database
The service is socket-activated and will be restarted whenever
needed. It must be stopped before the database is removed
otherwise it fails to recreate the file.
Fixes: https://pagure.io/freeipa/issue/9616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d635d701100c9d3bdc179bae1f0d715fce30b461">d635d701</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-08T15:26:24+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>test_replica_install_after_restore: kinit after restore
After uninstall and restore, kinit is required before
launching any ipa command.
Related: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8e75bbb77e15e3a42adb2d30933cf9e1edd2f0b">a8e75bbb</a></strong>
<div>
<span> by Thomas Woerner </span> <i> at 2024-07-08T16:39:16+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa_sidgen: Allow sidgen_task to continue after finding issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for ducplicate
IDs or user/group out of range.
This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.
Fixes: https://pagure.io/freeipa/issue/9618
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/06c02f5f2c524928b23ae3deeb42c6c57d3e47aa">06c02f5f</a></strong>
<div>
<span> by Shunsuke matsumoto </span> <i> at 2024-07-11T10:30:59+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>The -d option of the ipa-advise command was able to used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.
Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/efa57193630f244185b3f295ed0de17c6d08f75a">efa57193</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-07-11T13:59:16+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
Fixes: https://pagure.io/freeipa/issue/9620
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b278de4ab9c5e00fb48dc2de1ea31d9bdfc94bc">1b278de4</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-12T08:32:35+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.
This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:
Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee 34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status
Fixes: https://pagure.io/freeipa/issue/9629
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ab1bcb2d364c26024db4ec99c707ebefffcd3e7">7ab1bcb2</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-15T10:26:54-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in in order to catch some of the more common
problems: bad token name, bad password, etc.
There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.
This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.
This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4ea1ad6acae910574a524403bc82c80d24b525d6">4ea1ad6a</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2024-07-15T10:26:54-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6c53a22a2cacf7807df11e51492d1a2c42aeeda1">6c53a22a</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-15T10:26:54-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eeade50933cb2251b43ee34c642bcae69a216655">eeade509</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-07-15T17:22:19-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-migrate - starttls does not work
We were previousily taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab47696fa69499bedc393f61909fd5675815123e">ab47696f</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-07-15T17:26:53-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Added new testsuite(ipa_ipa_migration) in prci definitions
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/051d61fdc301f2768ac78c45e93a5f9eeff8aa28">051d61fd</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-07-17T09:06:14+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who has no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.
The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
required, regardless of the state of LDAP client
In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.
If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------
Implement test that simulates lifecycle for new user who get to change
their password before adding an OTP token.
Related: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8b703150a47bf509f37856bdc27cfa99e85e5e6b">8b703150</a></strong>
<div>
<span> by Anuja More </span> <i> at 2024-07-17T09:11:13+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test replica installation using AD admin.
Test to verify that replica connection check is not failing when
the AD administrator Administrator@AD.EXAMPLE.COM is
used for the deployment or promotion of a replica
Related: https://pagure.io/freeipa/issue/9542
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/85a853ba93c1d23d5bad13a1ae2bee802dc90131">85a853ba</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-07-17T09:17:17+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
We should not migrate mmapped attributes (uidNumber, gidNumber) from
managed entries
We should also not migrate DNA ranges in staging mode
Fixes: https://pagure.io/freeipa/issue/9621
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/de940802bb6631fbbc97afd11869d87cba18f47f">de940802</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-19T08:39:21-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.
Related: https://pagure.io/freeipa/issue/9620
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6eb6a929308c2916df9aed2da9ee6ef9d98e2438">6eb6a929</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-19T08:39:21-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
Related: https://pagure.io/freeipa/issue/9621
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d1a485a435ea9dba7587d1998451a09d3aa4077b">d1a485a4</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-07-19T08:44:49-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f88188204e443dd5d1d22ebe65b947452558f66">9f881882</a></strong>
<div>
<span> by Julien Rische </span> <i> at 2024-07-19T08:44:49-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fdd471d55c73503456683b1dea55769700730b16">fdd471d5</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-22T09:57:34-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix a copy/paste issue when detecting the HSM SELinux subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2ddca5d5d57a877fbd598d8bdc29d0fe032621e8">2ddca5d5</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-07-31T08:25:30+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>spec file: do not use nodejs-22 on f39 and f40
Nodejs22 has been released on f39 and f40 and freeipa fails
to build with this version. Nodejs22 will be the default version
in f41+ and adds a symlink from /usr/bin/node-22 to /usr/bin/node
but on older fedora versions, the symlink is not created.
As our build is using /usr/bin/node command, it fails with
command not found.
Stick to Nodejs 20 on these older versions.
Fixes: https://pagure.io/freeipa/issue/9643
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0e4fbc3b0d15fd219d831b0b49f5312894448206">0e4fbc3b</a></strong>
<div>
<span> by Mark Reynolds </span> <i> at 2024-07-31T16:14:49-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.
Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f03a96a7b914eb5130552cea626fd28e26b2108d">f03a96a7</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-31T16:17:27-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.
Don't rely on previous running tests installing the token
password file so they can be run individually.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/38b83c2b9329b8b16096d63e83f186c91d578ce8">38b83c2b</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-07-31T16:19:02-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/531bd05de9b3764b90804fcdad3b0b49ceb06110">531bd05d</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-07-31T16:20:31-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/x509.py: support Cryptography 43
Cryptography 43 added two new abstract methods to Certificate class of
which we are using one, public_key_algorithm_oid.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7f9c890c049f1151d3225e154fcde9bfed8cebb3">7f9c890c</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-07-31T16:20:31-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/x509.py: get rid of unicode helper
Pylint started to complain that 'unicode' variable is accessed before
definition. This is clearly a bug in how 'six' and pylint are working
together.
Replace use of 'unicode()' by 'str()'.
Fixes: https://pagure.io/freeipa/issue/9644
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc029043401bb852d2bfe8e8eccb926f50627b3b">fc029043</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-07-31T16:20:31-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect missing TripleDES algorithm
and do not fail.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7b5f3d79712a84f88ced6e9055bc96c9980b0b20">7b5f3d79</a></strong>
<div>
<span> by Alexander Bokovoy </span> <i> at 2024-07-31T16:20:31-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Get rid of unicode and long helpers in ipa-otptoken-import
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aadb8051d4a3172aac3790f47ff4d241a245bab4">aadb8051</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-08-01T09:51:11+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Replica CA installation: ignore time skew during initial replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.
The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.
During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.
Apply the same logic to dsinstance and ipa-replica-manage force-sync.
Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ffba69648aa6b20cdc3d8950a982b49fd8004aa2">ffba6964</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-05T14:50:10+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.
This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.
Without this change the user is always dropped into a the
username/password dialog. The only workaround is to remove
the cookie on the client side.
Fixes: https://pagure.io/freeipa/issue/9624
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e83d949c7f1734dff70379e360e9bbf626149c61">e83d949c</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-05T14:52:12+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Log errors reported by adtrustinstance.check_inst() using logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.
Fixes: https://pagure.io/freeipa/issue/9637
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/81401e6c010a05b52bcc10306400dee9075b0e91">81401e6c</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-08-05T21:23:27+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: increase the timeout for test_hsm.py::TestHSMInstall
The test is often failing on timeout. Add 15min to the test definitions.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ee96c129a6034d02245a41c58fa3398c12c9ee75">ee96c129</a></strong>
<div>
<span> by Mohammad Rizwan </span> <i> at 2024-08-08T13:37:42+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Verify that SIDgen task continue even if it fails to assign sid
related: https://pagure.io/freeipa/issue/9618
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8046023fc46c628c099d84b026ab866f7c6e16d6">8046023f</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-08-08T16:20:26+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch add tests to check the scenarios associated with
pagure tickets
https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84751a26a95ee7bda541122c921a9c7fe4eb13d7">84751a26</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-08-12T07:42:33+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: skip HSM test if pki < 11.5.9
The test TestHSMNegative should be skipped if PKI is too old,
but its uninstall method does not check the PKI version.
Add a call to check_version in the class uninstall method.
Fixes: https://pagure.io/freeipa/issue/9648
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1fc63e2b5150548edb3e910aa270e49c8b35223b">1fc63e2b</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-08-14T17:05:16+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>HSM: fix the module name
During the server installation, the installer checks if the
SElinux policy module for the specific hardware is detected. The
current code mixed up SElinux policy module name and RPM
package name and resulted in a false warning that the module
was missing.
The module name is ipa-nfast or ipa-luna, not ipa-selinux-nfast
or ipa-selinux-luna.
The name is defined in the spec file as %{module}-nfast
and module=ipa.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f37c2eb8782ec06e538d8964bf904f1b7e79c15e">f37c2eb8</a></strong>
<div>
<span> by Florence Blanc-Renaud </span> <i> at 2024-08-14T18:34:48+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>trust-add: handle unavailable domain
When ipa trust-add fails to retrieve the remote domain information,
it exits with "an internal error has occurred".
Handle the case with a better error message.
Fixes: https://pagure.io/freeipa/issue/9488
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5cc7941f30f14964abe14f7907e480e91a612ba2">5cc7941f</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-15T10:03:40+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Correct usage of public_key_algorithm_oid in ipalib/x509
public_key_algorithm_oid is property of underlying Certificate object
that is not supposed to be callable. I missed that it contained
() at the end.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d0684a7ecf474fcaf468816f4d9892ea5f2dc897">d0684a7e</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-15T10:03:40+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Ignore TripleDES python-cryptography import warnings
TripleDES will be deprecated in python-cryptography 48.0.0. We
have code that uses it if it is available and otherwise ignores
it.
Because this gets imports in constants.py this warning is promiment
pretty much everywhere. So let's ignore it since we already handle
the issue.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/21c6ccc982b54e13b8058f9af130ce64426bd4bb">21c6ccc9</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-16T07:18:33+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Fix some resource leaks identified by a static analyzer
Fixes: https://pagure.io/freeipa/issue/9367
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ed813fe6f0716906c8b9cd09c27e3acfb8b21e43">ed813fe6</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-08-16T17:14:03+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
Test 'test_hsm_negative_bad_token_dir_permissions'
was failing in RHEL because of the below error.
"ipa: ERROR: stderr: usermod: invalid option -- 'r'"
Hence replaced the usermod with gpasswd command which does the same and
works on both RHEL and Fedora.
Ref: https://pagure.io/freeipa/issue/9626
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f5c723720417f85a218e753c39659cae01a33a96">f5c72372</a></strong>
<div>
<span> by Sudhir Menon </span> <i> at 2024-08-21T16:59:22+02:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
Related: https://pagure.io/freeipa/issue/9635
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c7da7e0dc979c2ecd834a0727114f53cdf878297">c7da7e0d</a></strong>
<div>
<span> by Rob Crittenden </span> <i> at 2024-08-21T11:06:37-04:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #28272d; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>Become IPA v4.12.2
</pre>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
30 changed files:
</h4>
<ul>
<li class="file-stats">
<a href="#5da93d3ebfbadd620ae081fc5aa64ac8ac77097b">
.lgtm.yml
</a>
</li>
<li class="file-stats">
<a href="#8a8f67e18c8ed61c36e2901c12e37c094f6cd519">
.wheelconstraints.in
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#d9dd0d81d3f1f170011d4803fb3de849a9a6ddf9">
client/ipa-rmkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#2c2a403acbc45950144a2c61e3eaaa2b9e3fe8ed">
client/man/ipa.1
</a>
</li>
<li class="file-stats">
<a href="#801e1375da2cfb3db0564195728c067892580de6">
client/share/ssh_ipa.conf.template
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#96f5d965b3079864645cf1040eb80568a0ce9454">
daemons/ipa-kdb/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#035cbf98ae398c94e70da35373b5c293d371d571">
daemons/ipa-kdb/README.s4u2proxy.txt
</a>
</li>
<li class="file-stats">
<a href="#f0271fb7276ac522759270297c9c6f748b9764aa">
daemons/ipa-kdb/ipa-print-pac.c
</a>
</li>
<li class="file-stats">
<a href="#c353f68be99056278f9117d02e4294a759188b14">
daemons/ipa-kdb/ipa_kdb.c
</a>
</li>
<li class="file-stats">
<a href="#4776aa1d1d01bef820f34e6c2aa41644aa3f18df">
daemons/ipa-kdb/ipa_kdb.h
</a>
</li>
<li class="file-stats">
<a href="#0c848c43b4c9e603873356f62e631332101ecf3d">
daemons/ipa-kdb/ipa_kdb_delegation.c
</a>
</li>
<li class="file-stats">
<a href="#1d425595ea8a5a85f3b1f5486032a0dc5592315b">
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
</a>
</li>
<li class="file-stats">
<a href="#802b9419e8b735ec9553dc46fca0f6d2cc715aec">
daemons/ipa-kdb/ipa_kdb_mspac.c
</a>
</li>
<li class="file-stats">
<a href="#11946c8f50029f8ef82d6057b1d66f8240b5e3bf">
daemons/ipa-kdb/ipa_kdb_mspac_private.h
</a>
</li>
<li class="file-stats">
<a href="#54e1f32627b3e8736ca5623c351bf93b56b7be48">
daemons/ipa-kdb/ipa_kdb_mspac_v6.c
</a>
</li>
<li class="file-stats">
<a href="#818413fd7a6a1dd5672f7c7bb28901894672e3d1">
daemons/ipa-kdb/ipa_kdb_mspac_v9.c
</a>
</li>
<li class="file-stats">
<a href="#5cd6be5f06d1be10ed72f46efdd12433a8fda6c0">
daemons/ipa-kdb/ipa_kdb_principals.c
</a>
</li>
<li class="file-stats">
<a href="#5a6d31b7dce6d8d3f878edea0732d2000b7270c5">
daemons/ipa-otpd/bind.c
</a>
</li>
<li class="file-stats">
<a href="#4443fe072ab3b7c5ec5db6fdb515ea8f15cd2bfb">
daemons/ipa-otpd/forward.c
</a>
</li>
<li class="file-stats">
<a href="#746ffa215f638ca3b4a3e16b220a52d85a13b4c0">
daemons/ipa-sam/ipa_sam.c
</a>
</li>
<li class="file-stats">
<a href="#955a588b7cbcb9855cf9a319b7d2cc9f5237a848">
daemons/ipa-slapi-plugins/common/util.h
</a>
</li>
<li class="file-stats">
<a href="#5e63c0f5a30df56cecd289899d46e1bee6cb5092">
daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
</a>
</li>
<li class="file-stats">
<a href="#0eb43f01b42afccfb561758deacfc8ba1fe6228c">
daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
</a>
</li>
</ul>
<h5 style="margin-top: 10px; margin-bottom: 10px; font-size: .875rem;">
The diff was not included because it is too large.
</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #737278;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/e18ac3538e2f06f82a1f4eda7980e56e91017d47...c7da7e0dc979c2ecd834a0727114f53cdf878297">View it on GitLab</a>.
<br>
You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://salsa.debian.org">salsa.debian.org</a>. <a href="https://salsa.debian.org/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link">Manage all notifications</a> · <a href="https://salsa.debian.org/help" target="_blank" rel="noopener noreferrer" class="help-link">Help</a>
</p>
</div>
</body>
</html>