[Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.3.1-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Mon Apr 18 14:49:12 UTC 2016
Tag 'debian/4.3.1-1' created by Timo Aaltonen <tjaalton at debian.org> at 2016-04-18 14:47 +0000
tagging package freeipa version debian/4.3.1-1
Changes since debian/4.1.4-1:
Abhijeet Kasurde (6):
Added try/except block for user_input in ipautil
Updated number of legacy permission in ipatests
Updated number of legacy permission in ipatests
Added user friendly error message for dnszone enable and disable
Fixed small typo in stage-user documentation
Fixed login error message box in LoginScreen page
Ade Lee (3):
Add a KRA to IPA
Add man page for ipa-kra-install
Re-enable uninstall feature for ipa-kra-install
Ales 'alich' Marecek (1):
Ipatests DNS SOA Record Maintenance
Alexander Bokovoy (50):
ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
ipaserver/dcerpc.py: make PDC discovery more robust
ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Support overridding user shell in ID views
Allow user overrides to specify SSH public keys
Allow user overrides to specify GID of the user
Allow override of gecos field in ID views
Update API version for ID views support
Require slapi-nis 0.54 or later for ID views support
Support idviews in compat tree
Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature
updater: enable uid uniqueness plugin for posixAccounts
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
Update slapi-nis dependency to pull 0.54.1
AD trust: improve trust validation
Support Samba PASSDB 0.2.0 aka interface version 24
ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
ipa-kdb: when processing transitions, hand over unknown ones to KDC
ipa-kdb: reject principals from disabled domains as a KDC policy
fix Makefile.am for daemons
slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
ipaserver/dcerpc: Ensure LSA pipe has session key before using it
ipa-kdb: use proper memory chunk size when moving sids
ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
add one-way trust support to ipasam
ipa-adtrust-install: add IPA master host principal to adtrust agents
trusts: pass AD DC hostname if specified explicitly
ipa-sidgen: reduce log level to normal if domain SID is not available
ipa-adtrust-install: allow configuring of trust agents
trusts: add support for one-way trust and switch to it by default
ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
trust: support retrieving POSIX IDs with one-way trust during trust-add
selinux: enable httpd_run_ipa to allow communicating with oddjobd services
selinux: enable httpd_run_ipa to allow communicating with oddjobd services
oddjob: avoid chown keytab to sssd if sssd user does not exist
oddjob: avoid chown keytab to sssd if sssd user does not exist
Fix selector of protocol for LSA RPC binding string
Fix selector of protocol for LSA RPC binding string
trusts: harden trust-fetch-domains oddjobd-based script
trusts: harden trust-fetch-domains oddjobd-based script
trusts: format Kerberos principal properly when fetching trust topology
trusts: format Kerberos principal properly when fetching trust topology
client referral support for trusted domain principals
client referral support for trusted domain principals
spec file: depend on Dogtag 10.2.6-12 for tomcat 8 upgrade
slapi-nis: update configuration to allow external members of IPA groups
Ana Krivokapić (1):
Remove internaldb password from password.conf
Benjamin Drung (3):
Fix hyphen-used-as-minus-sign warning (found by lintian)
Fix manpage-has-errors-from-man warning (found by Lintian)
default.conf.5: Fix a typo
Christian Heimes (36):
Provide Kerberos over HTTP (MS-KKDCP)
Fix removal of ipa-kdc-proxy.conf symlink
Fix upgrade of HTTPInstance for KDC Proxy
Improve error handling in ipa-httpd-kdcproxy
Start dirsrv for kdcproxy upgrade
Start dirsrv for kdcproxy upgrade
Remove tuple unpacking from except clause contrib/RHEL4/ipachangeconf.py
Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.py
Remove tuple unpacking from except clause ipalib/plugins/hbactest.py
Remove tuple unpacking from except clause ipaserver/dcerpc.py
Replace file() with open()
Fix selinux denial during kdcproxy user creation
Fix selinux denial during kdcproxy user creation
certprofile-import: improve profile format documentation
certprofile-import: improve profile format documentation
otptoken: use ipapython.nsslib instead of Python's ssl module
otptoken: use ipapython.nsslib instead of Python's ssl module
Require Dogtag PKI >= 10.2.6
Require Dogtag PKI >= 10.2.6
Replace M2Crypto RC4 with python-cryptography ARC4
Validate vault's file parameters
Validate vault's file parameters
certprofile-import: do not require profileId in profile data
certprofile-import: do not require profileId in profile data
Asymmetric vault: validate public key in client
Asymmetric vault: validate public key in client
Add flag to list all service and user vaults
Add flag to list all service and user vaults
Change internal rsa_(public|private)_key variable names
Change internal rsa_(public|private)_key variable names
Handle timeout error in ipa-httpd-kdcproxy
Handle timeout error in ipa-httpd-kdcproxy
mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5
Require Dogtag 10.2.6-13 to fix KRA uninstall
Modernize mod_nss's cipher suites
Move user/group constants for PKI and DS into ipaplatform
David Kupka (91):
Add record(s) to /etc/host when IPA is configured as DNS server.
Use certmonger D-Bus API instead of messing with its files.
Do not restart apache server when not necessary.
Allow user to force Kerberos realm during installation.
Fix typo causing ipa-upgradeconfig to fail.
Add 'host' setting into default.conf configuration file on client. Fix description in man page.
Detect and configure all usable IP addresses.
Do not require description in UI.
Fix example usage in ipa man page.
Check that port 8443 is available when installing PKI.
Set IPA CA for freeipa certificates.
Stop dogtag when updating its configuration in ipa-upgradeconfig.
Fix printing of reverse zones in ipa-dns-install.
Fix typo causing certmonger is provided with wrong path to ipa-submit.
Respect UID and GID soft static allocation.
Stop dirsrv last in ipactl stop.
Remove unneeded internal methods. Move code to public methods.
Remove service file even if it isn't link.
Produce better error in group-add command.
Fix --{user,group}-ignore-attribute in migration plugin.
ipa-restore: Check if directory is provided + better errors.
Fix error message for nonexistent members and add tests.
Use singular in help metavars + update man pages.
Always add /etc/hosts record when DNS is being configured.
Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
Abort backup restoration on not matching host.
idviews: Allow setting ssh public key on ipauseroverride-add
Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
Restore default.conf and use it to build API.
Always reload StateFile before getting or modifying the stored values.
Remove unused part of ipa.conf.
Use mod_auth_gssapi instead of mod_auth_kerb.
Bump ipa.conf version to 17.
Lint: Skip checking of functions stolen by python-nose.
Make lint work on Fedora 22.
Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
Do not store state if CA is enabled
Move CA installation code into single module.
Use 389-ds centralized scripts.
upgrade: Raise error when certmonger is not running.
ipa-replica-prepare: Do not create DNS zone it automatically.
migration: Use api.env variables.
migration: Use api.env variables.
cermonger: Use private unix socket when DBus SystemBus is not available.
cermonger: Use private unix socket when DBus SystemBus is not available.
ipa-client-install: Do not (re)start certmonger and DBus daemons.
ipa-client-install: Do not (re)start certmonger and DBus daemons.
dbus: Create empty dbus.Array with specified signature
user-undel: Fix error messages.
user-undel: Fix error messages.
client: Add support for multiple IP addresses during installation.
client: Add support for multiple IP addresses during installation.
client: Add description of --ip-address and --all-ip-addresses to man page
client: Add description of --ip-address and --all-ip-addresses to man page
Backup/resore authentication control configuration
Backup/resore authentication control configuration
vault: Limit size of data stored in vault
vault: Limit size of data stored in vault
ipactl: Do not start/stop/restart single service multiple times
ipactl: Do not start/stop/restart single service multiple times
comment: Add Documentation string to deduplicate function
admintool: Add error message with path to log on failure.
ipa-cacert-renew: Fix connection to ldap.
ipa-otptoken-import: Fix connection to ldap.
ipa-replica-install support caless install with promotion.
install: Run all validators at once.
replica: Fix ipa-replica-install with replica file (domain level 0).
test: Temporarily increase timeout in vault test.
spec file: Add dbus-python to BuildRequires
dns: do not add (forward)zone if it is already resolvable.
dns: Check if domain already exists.
dns: Add --auto-reverse option.
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
ipa-dns-install: Do not check for zone overlap when DNS installed.
ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
installer: Change reverse zones question to better reflect reality.
Fix: Use unattended parameter instead of options.unattended
CI: Add '2-connected' topology generator.
CI: Add simple replication test in 2-connected topology.
CI: Add test for 2-connected topology generator.
CI: Fix pep8 errors in 2-connected topology generator
CI: add empty topology test for 2-connected topology generator
CI: Add double circle topology.
CI: Add replication test utilizing double-circle topology.
CI: Add test for double-circle topology generator.
CI: Make double circle topology python3 compatible
upgrade: Match whole pre/post command not just basename.
dsinstance: add start_tracking_certificates method
httpinstance: add start_tracking_certificates method
Look up HTTPD_USER's UID and GID during installation.
Drew Erny (1):
Migration now accepts scope as argument
Endi Sukma Dewata (20):
Fixed KRA backend.
Modififed NSSConnection not to shutdown existing database.
Added vault plugin.
Added vault-archive and vault-retrieve commands.
Fixed KRA installation problem.
Added symmetric and asymmetric vaults.
Added ipaVaultPublicKey attribute.
Added vault access control.
Fixed missing KRA agent cert on replica.
Fixed missing KRA agent cert on replica.
Added CLI param and ACL for vault service operations.
Added CLI param and ACL for vault service operations.
Fixed vault container ownership.
Fixed vault container ownership.
Added support for changing vault encryption.
Added support for changing vault encryption.
Removed clear text passwords from KRA install log.
Removed clear text passwords from KRA install log.
Using LDAPI to setup CA and KRA agents.
Using LDAPI to setup CA and KRA agents.
Filip Skola (3):
Refactor test_user_plugin, use UserTracker for tests
Refactor test_replace
Refactor test_attr
Francesco Marella (1):
Refactor selinuxenabled check
François Cami (1):
ipa-client-install: Fix the "download the CA cert" query
Fraser Tweedale (59):
Support multiple host and service certificates
Fix certificate management with service-mod
Install CA with LDAP profiles backend
Add schema for certificate profiles
ipa-pki-proxy: provide access to profiles REST API
Add ACL to allow CA agent to modify profiles
Add certprofile plugin
Enable LDAP-based profiles in CA on upgrade
Import included profiles during install or upgrade
Add generic split_any_principal method
Add profile_id parameter to 'request_certificate'
Add usercertificate attribute to user plugin
Update cert-request to support user certs and profiles
Fix certificate subject base
Import profiles earlier during install
ipa-pki-proxy: allow certificate and password authentication
Add CA ACL plugin
Enforce CA ACLs in cert-request command
certprofile: fix doc error
Upgrade CA schema during upgrade
Migrate CA profiles after enabling LDAPProfileSubsystem
certprofile: add option to export profile config
certprofile: add ability to update profile config in Dogtag
caacl: fix incorrect construction of HbacRequest for hosts
cert-request: enforce caacl for principals in SAN
user-show: add --out option to save certificates to file
user-show: add --out option to save certificates to file
Fix otptoken-remove-managedby command summary
Fix otptoken-remove-managedby command summary
Give more info on virtual command access denial
Give more info on virtual command access denial
Allow SAN extension for cert-request self-service
Allow SAN extension for cert-request self-service
Add profile for DNP3 / IEC 62351-8 certificates
Add profile for DNP3 / IEC 62351-8 certificates
Work around python-nss bug on unrecognised OIDs
Work around python-nss bug on unrecognised OIDs
Fix default CA ACL added during upgrade
Fix default CA ACL added during upgrade
Fix KRB5PrincipalName / UPN SAN comparison
Fix KRB5PrincipalName / UPN SAN comparison
certprofile: add profile format explanation
certprofile: add profile format explanation
Add permission for bypassing CA ACL enforcement
Add permission for bypassing CA ACL enforcement
Prohibit deletion of predefined profiles
Prohibit deletion of predefined profiles
cert-request: remove allowed extensions check
cert-request: remove allowed extensions check
certprofile: prevent rename (modrdn)
certprofile: prevent rename (modrdn)
certprofile: remove 'rename' option
certprofile: remove 'rename' option
TLS and Dogtag HTTPS request logging improvements
Avoid race condition caused by profile delete and recreate
Do not erroneously reinit NSS in Dogtag interface
Add profiles and default CA ACL on migration
dogtaginstance: remove unused function 'check_inst'
Do not decode HTTP reason phrase from Dogtag
Gabe Alford (40):
ipa trust-add command should be interactive
Fix hardcoded lib dir in freeipa.spec
Missing requires on python-dns in spec file
Remove trivial path constants from modules
ipa-server-install Directory Manager help incorrect
ipa-managed-entries requires password with bad password
Update default NTP configuration
Remove usage of app_PYTHON in ipaserver Makefiles
Remove dependency on subscription-manager
Typos in ipa-rmkeytab options help and man page
permission-add does not prompt for ipapermright in interactive mode
ipa-replica-prepare should document ipv6 options
ipatests: Add tests for valid and invalid ipa-advise
ipa-replica-prepare can only be created on the first master
Add message for skipping NTP configuration during client install
Remove unneeded ip-address option in ipa-adtrust-install
Unsaved changes dialog internally inconsistent
Allow ipa help command to run when ipa-client-install is not configured
Do not print traceback when pipe is broken
Clear SSSD caches when uninstalling the client
Fix client ca.crt to match the server's cert
Add Chromium configuration note to ssbrowser
Add Chromium configuration note to ssbrowser
Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
dnssec option missing in ipa-dns-install man page
dnssec option missing in ipa-dns-install man page
Update FreeIPA package description
Update FreeIPA package description
Remove bind configuration detected question
Warn if no installation found when running ipa-server-install --uninstall
Add Firefox options to ipa-client-install man page
interactive installer does not ignore leading/trailing whitespace
Remove 50-lockout-policy.update file
Incomplete ports for IPA AD Trust
custodia: ipa-upgrade failed on replica
ipa-replica-manage del continues when host does not exist in domain level 1
Check if IPA is configured before attempting a winsync migration
ipa-replica-install prints incorrect error message when replica is already installed
Migrate wget references and usage to curl
Jakub Hrozek (1):
CLIENT: Explicitly require python-backports-ssl_match_hostname
Jan Cholasta (261):
Allow changing CA renewal master in ipa-csreplica-manage.
Normalize external CA cert before passing it to pkispawn
Make CA-less ipa-server-install option --root-ca-file optional.
Backup CS.cfg before modifying it
Use autobind when updating CA people entries during certificate renewal
Fix certmonger code causing the ca_renewal_master update plugin to fail
Allow RPM upgrade from ipa-* packages
Include ipaplatform in client-only build
Include the ipa command in client-only build
Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
Add NSSDatabase.import_files method for importing files in various formats
External CA installer options usability fixes
CA-less installer options usability fixes
Allow choosing CA-less server certificates by name
Do stricter validation of CA certificates
Introduce NSS database /etc/ipa/nssdb
Move NSSDatabase from ipaserver.certs to ipapython.certdb
Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB
Use NSSDatabase instead of direct certutil calls in client code
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
Check if IPA client is configured in ipa-certupdate
Get server hostname from jsonrpc_uri in ipa-certupdate
Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
Fix certmonger.wait_for_request
Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
Do not crash in CAInstance.__init__ when default argument values are used
Add missing imports to ipapython.certdb
Remove misleading authorization error message in cert-request with --add
Split off generic Red Hat-like platform code from Fedora platform code
Add RHEL platform module
Support building RPMs for RHEL/CentOS 7.0
Fix certmonger configuration in installer code
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
Fix CA cert validity check for CA-less and external CA installer options
Fix certmonger.request_cert
Add ipa-client-install switch --request-cert to request cert for the host
Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig
Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
Check LDAP instead of local configuration to see if IPA CA is enabled
DNSSEC: remove container_dnssec_keys
Do not check if port 8443 is available in step 2 of external CA install
Handle profile changes in dogtag-ipa-ca-renew-agent
Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
Fix possible NULL dereference in ipa-kdb
Fix memory leaks in ipa-extdom-extop
Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
Fix memory leak in ipa-pwd-extop
Fix memory leaks in ipa-join
Fix various bugs in ipap11helper
Fix CA certificate backup and restore
Fix wrong expiration date on renewed IPA CA certificates
Restore file extended attributes and SELinux context in ipa-restore
Use correct service name in cainstance.backup_config
Stop tracking certificates before restoring them in ipa-restore
Remove redefinition of LOG from ipa-otp-lasttoken
Unload P11_Helper object's library when it is finalized in ipap11helper
Fix Kerberos error handling in ipa-sam
Fix unchecked return value in ipa-kdb
Fix unchecked return values in ipa-winsync
Fix unchecked return value in ipa-join
Fix unchecked return value in krb5 common utils
Fix memory leak in GetKeytabControl asn1 code
Add TLS 1.2 to the protocol list in mod_nss config
Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Improve validation of --instance and --backend options in ipa-restore
Check subject name encoding in ipa-cacert-manage renew
Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
Fix ipa-restore on systems without IPA installed
Remove RUV from LDIF files before using them in ipa-restore
Fix CA certificate renewal syslog alert
Do not crash on unknown services in installutils.stopped_service
Restart dogtag when its server certificate is renewed
Make certificate renewal process synchronized
Fix validation of ipa-restore options
Do not assume certmonger is running in httpinstance
Put LDIF files to their original location in ipa-restore
Revert "Make all ipatokenTOTP attributes mandatory"
Create correct log directories during full restore in ipa-restore
Do not crash when replica is unreachable in ipa-restore
Bump 389-ds-base and pki-ca dependencies for POODLE fixes
ipalib: Allow multiple API instances
ipalib: Move plugin package setup to ipalib-specific API subclass
advise: Add separate API object for ipa-advise
ldap2: Use self API instance instead of ipalib.api
replica-install: Use different API instance for the remote server
certstore: Make certificate retrieval more robust
client-install: Do not crash on invalid CA certificate in LDAP
client: Fix ca_is_enabled calls
upload_cacrt: Fix empty cACertificate in cn=CAcert
ldap: Drop python-ldap tuple compatibility
ldap: Remove unused IPAdmin methods
ldap: Add connection management to LDAPClient
ldap: Use LDAPClient connection management in IPAdmin
ldap: Use LDAPClient connection management in ldap2
ldap: Add bind and unbind methods to LDAPClient
ldap: Use LDAPClient bind and unbind methods in IPAdmin
ldap: Use LDAPClient bind and unbind methods in ldap2
ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
cainstance: Use LDAPClient instead of IPASimpleLDAPObject
makeaci: Use LDAPClient instead of IPASimpleLDAPObject
ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
ldap: Remove IPASimpleLDAPObject
Fix stop_tracking_certificates call in ipa-restore
baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
client-install: Fix kinits with non-default Kerberos config file
install: Make a package out of ipaserver.install.server
install: Move ipa-server-install code into a module
install: Move ipa-replica-install code into a module
install: Move ipa-server-upgrade code into a module
install: Fix missing variable initialization in replica install
install: Fix CA-less server install
install: Fix external CA server install
install: Move private_ccache from ipaserver to ipapython
install: Introduce installer framework ipapython.install
install: Migrate ipa-server-install to the install framework
install: Handle Knob cli_name and cli_aliases values consistently
install: Add support for positional arguments in CLI tools
install: Allow setting usage in CLI tools
install: Migrate ipa-replica-install to the install framework
vault: Move vaults to cn=vaults,cn=kra
install: Initialize API early in server and replica install
vault: Fix ipa-kra-install
install: Fix logging setup in server and replica install
User life cycle: provide preserved user virtual attribute
install: Fix ipa-replica-install not installing RA cert
User life cycle: change user-del flags to be CLI-specific
plugable: Move plugin base class and override logic to API
ipalib: Load ipaserver plugins when api.env.in_server is True
ipalib: Move find_modules_in_dir from util to plugable
plugable: Specify plugins to import in API by module names
plugable: Load plugins only from modules imported by API
plugable: Pass API to plugins on initialization rather than using set_api
plugable: Do not use DictProxy for API
plugable: Lock API on finalization rather than on initialization
ipaplatform: Do not use MagicDict for KnownServices
plugable: Remove SetProxy, DictProxy and MagicDict
plugable: Change is_production_mode to method of API
plugable: Specify plugin base classes and modules using API properties
plugable: Remove unused call method of Plugin
replica prepare: Do not use entry after disconnecting from LDAP
ipalib: Fix skip_version_check option
spec file: Update minimal versions of required packages
spec file: Move /etc/ipa/kdcproxy to the server subpackage
spec file: Move /etc/ipa/kdcproxy to the server subpackage
spec file: Update minimum required version of krb5
spec file: Update minimum required version of krb5
install: Fix server and replica install options
install: Fix server and replica install options
ULC: Prevent preserved users from being assigned membership
ULC: Prevent preserved users from being assigned membership
spec file: Fix install with the server-dns subpackage
baseldap: Allow overriding member param label in LDAPModMember
baseldap: Allow overriding member param label in LDAPModMember
vault: Fix param labels in output of vault owner commands
vault: Fix param labels in output of vault owner commands
install: Fix replica install with custom certificates
install: Fix replica install with custom certificates
vault: Fix vault-find with criteria
vault: Fix vault-find with criteria
vault: Add container information to vault command results
vault: Add container information to vault command results
spec file: Add Requires(post) on selinux-policy
spec file: Add Requires(post) on selinux-policy
cert renewal: Include KRA users in Dogtag LDAP update
cert renewal: Include KRA users in Dogtag LDAP update
cert renewal: Automatically update KRA agent PEM file
cert renewal: Automatically update KRA agent PEM file
install: Fix SASL mappings not added in ipa-server-install
ldap: Make ldap2 connection management thread-safe again
ldap: Make ldap2 connection management thread-safe again
Use six.with_metaclass to specify metaclasses
Use six.python_2_unicode_compatible
Decode script arguments using file system encoding
config: allow user/host attributes with tagging options
config: allow user/host attributes with tagging options
Alias "unicode" to "str" under Python 3
Use bytes instead of str where appropriate
Use byte literals where appropriate
baseldap: make subtree deletion optional in LDAPDelete
baseldap: make subtree deletion optional in LDAPDelete
vault: set owner to current user on container creation
vault: set owner to current user on container creation
vault: update access control
vault: update access control
vault: add permissions and administrator privilege
vault: add permissions and administrator privilege
install: support KRA update
install: support KRA update
install: Support overriding knobs in subclasses
install: Add common base class for server and replica install
install: Move unattended option to the general help section
install: Support overriding knobs in subclasses
install: Add common base class for server and replica install
install: Move unattended option to the general help section
install: create kdcproxy user during server install
install: create kdcproxy user during server install
platform: add option to create home directory when adding user
platform: add option to create home directory when adding user
install: fix kdcproxy user home directory
install: fix kdcproxy user home directory
install: fix invocation of KRAInstance.create_instance()
install: fix ipa-server-install fail on missing --forwarder
install: fix ipa-server-install fail on missing --forwarder
install: fix KRA agent PEM file permissions
install: fix KRA agent PEM file permissions
install: always export KRA agent PEM file
vault: select a server with KRA for vault operations
install: always export KRA agent PEM file
vault: select a server with KRA for vault operations
schema: do not derive ipaVaultPublicKey from ipaPublicKey
upgrade: make sure ldap2 is connected in export_kra_agent_pem
vault: fix private service vault creation
install: fix command line option validation
install: export KRA agent PEM file in ipa-kra-install
cert renewal: make renewal of ipaCert atomic
client install: do not corrupt OpenSSH config with Match sections
install: drop support for Dogtag 9
server: use topologysuffix name in iparepltopomanagedsuffix
topology: replace "suffices" with "suffixes"
aci: add IPA servers host group 'ipaservers'
aci: replace per-server ACIs with ipaserver-based ACIs
aci: allow members of ipaservers to set up replication
ipautil: use file in a temporary dir as ccache in private_ccache
replica promotion: use host credentials when setting up replication
replica promotion: automatically add the local host to ipaservers
custodia: do not modify memberPrincipal on key update
replica promotion: allow OTP bulk client enrollment
replica install: add ipaservers if it does not exist
replica promotion: check domain level before ipaservers membership
server uninstall: ignore --ignore-topology-disconnect in domain level 0
spec file: remove config files from freeipa-python
spec file: put Python modules into standalone packages
build: put oddjob scripts into separate directory
replica install: add remote connection check over API
replica promotion: use host credentials for connection check
replica promotion: notify user about ignoring client enrollment options
aci: merge domain and CA suffix replication agreement ACIs
ca install: use host credentials in domain level 1
ipautil: allow redirecting command output to standard output in run()
server install: redirect ipa-client-install output to standard output
replica promotion: let ipa-client-install validate enrollment options
ipautil: remove unused import causing cyclic import in tests
ipalib: assume version 2.0 when skip_version_check is enabled
ipapython: remove default_encoding_utf8
ipapython: port p11helper C code to Python
ipapython: use python-cryptography instead of libcrypto in p11helper
spec file: package python-ipalib as noarch
cert renewal: import all external CA certs on IPA CA cert renewal
replica install: validate DS and HTTP server certificates
replica promotion: fix AVC denials in remote connection check
test_ipagetkeytab: fix missing import
cacert install: fix trust chain validation
client: stop using /etc/pki/nssdb
certdb: never use the -r option of certutil
daemons: remove unused erroneous _ipap11helper import
Jan Pazdziora (2):
No explicit zone specification.
The delegation uris are not set, match message to code.
Lenka Doudova (5):
Automated test for stageuser plugin
Automated test for stageuser plugin
Fix user tracker to reflect new user-del message
Fix user tracker to reflect new user-del message
Adding descriptive IDs to stageuser tests
Lenka Ryznarova (1):
Test Objectclass of postdetach group
Ludwig Krispenz (22):
Update SSL ciphers configured in 389-ds-base
Ignore irrelevant subtrees in schema compat plugin
ds plugin - manage replication topology in the shared tree
install part - manage topology in shared tree
replica install fails with domain level 1
accept missing binddn group
plugin uses 1 as minimum domain level to become active no calculation based on plugin version
crash when removing a replica
check for existing and self referential segments
make sure the agremment rdn match the rdn used in the segment
v2-reject modifications of endpoints and connectivity of a segment
correct management of one directional segments
fix coverity issues
v2 clear start attr from segment after initialization
v2 improve processing of invalid data.
allow deletion of segment if endpoint is not managed
handle multiple managed suffixes
prevent operation on tombstones
handle cleaning of RUV in the topology plugin
reject agreement only if both ends are managed
update list of managed servers when a suffix becomes managed
prevent moving of topology entries out of managed scope by modrdn operations
Lukáš Slebodník (12):
SPEC: Explicitly requires python-sssdconfig
SPEC: Require python2 version of sssd bindings
SPEC: Drop sssd from BuildRequires
ipa_kdb_tests: Remove unused variables
ipa_kdb_tests: Fix warning Wmissing-braces
topology: Fix warning Wshadow
ipa-extdom-extop: Fix warning Wformat
SPEC: Run cmocka based unit test in %check phase
BUILD: provide check target in custom Makefiles
cmocka_tests: Do not use deprecated cmocka interface
ipa_kdb_tests: Fix test with default krb5.conf
IPA-SAM: Fix build with samba 4.4
Martin Babinsky (131):
Use 'remove-ds.pl' to remove DS instance
Moved dbus-python dependence to freeipa-python package
ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
always get PAC for client principal if AS_REQ is true
ipa-kdb: more robust handling of principal addition/editing
OTP: failed search for the user of last token emits an error message
ipa-pwd-extop: added an informational comment about intentional fallthrough
ipa-uuid: emit a message when unexpected mod type is encountered
OTP: emit a log message when LDAP entry for config record is not found
ipa-client-install: put eol character after the last line of altered config file(s)
migrate-ds: exit with error message if no users/groups to migrate are found
Changing the token owner changes also the manager
ipa-dns-install: use STARTTLS to connect to DS
ipa-dns-install: use LDAPI to connect to DS
migrate-ds: print out failed attempts when no users/groups are migrated
show the exception message thrown by dogtag._parse_ca_status during install
do not log BINDs to non-existent users as errors
fix improper handling of boolean option in
proper client host setup/teardown in forced client reenrollment integration test suite
do not install CA on replica during integration test if setup_ca=False
ipautil: new functions kinit_keytab and kinit_password
ipa-client-install: try to get host TGT several times before giving up
Adopted kinit_keytab and kinit_password for kerberos auth
use separate ccache filename for each IPA DNSSEC daemon
point the users to PKI-related logs when CA configuration fails
suppress errors arising from deleting non-existent files during client uninstall
prevent duplicate IDs when setting up multiple replicas against single master
ipa-server-install: deprecate manual setting of master KDC password
update 'api.env.ca_host' if a different hostname is used during server install
provide dedicated ccache file for httpd
move IPA-related http runtime directories to common subdirectory
explicitly destroy httpd service ccache file during httpinstance removal
do not check for directory manager password during KRA uninstall
merge KRA installation machinery to a single module
KRA: get the right dogtag version during server uninstall
add DS index for userCertificate attribute
generalize certificate creation during testing
ipa-kdb: common function to get key encodings/salt types
increase NSS memcache timeout for IPA server
baseldap: add support for API commands managing only a single attribute
reworked certificate normalization and revocation
new commands to manage user/host/service certificates
add option to skip client API version check
ipa-ca-install: print more specific errors when CA is already installed
ipa-ca-install: print more specific errors when CA is already installed
enable debugging of ntpd during client installation
enable debugging of ntpd during client installation
fix broken search for users by their manager
fix broken search for users by their manager
ACI plugin: correctly parse bind rules enclosed in parentheses
ACI plugin: correctly parse bind rules enclosed in parentheses
test suite for user/host/service certificate management API commands
test suite for user/host/service certificate management API commands
store certificates issued for user entries as userCertificate;binary
store certificates issued for user entries as userCertificate;binary
idranges: raise an error when local IPA ID range is being modified
idranges: raise an error when local IPA ID range is being modified
fix typo in BasePathNamespace member pointing to ods exporter config
fix typo in BasePathNamespace member pointing to ods exporter config
ipa-backup: archive DNSSEC zone file and kasp.db
ipa-backup: archive DNSSEC zone file and kasp.db
ipa-restore: check whether DS is running before attempting connection
ipa-restore: check whether DS is running before attempting connection
improve the handling of krb5-related errors in dnssec daemons
improve the handling of krb5-related errors in dnssec daemons
improve the usability of `ipa user-del --preserve` command
improve the usability of `ipa user-del --preserve` command
load RA backend plugins during standalone CA install on CA-less IPA master
load RA backend plugins during standalone CA install on CA-less IPA master
destroy httpd ccache after stopping the service
destroy httpd ccache after stopping the service
ipa-server-install: mark master_password Knob as deprecated
ipa-server-install: mark master_password Knob as deprecated
re-kinit after ipa-restore in backup/restore CI tests
re-kinit after ipa-restore in backup/restore CI tests
do not overwrite files with local users/groups when restoring authconfig
do not overwrite files with local users/groups when restoring authconfig
remove ID overrides when deleting a user
do not ask for segment direction when running topology commands
fix dsinstance.py:get_domain_level function
disable ipa-replica-prepare in non-zero IPA domain level
execute user-del pre-callback also during user preservation
fix class teardown in user plugin tests
always ask the resolver for the reverse zone when manipulating PTR records
silence pylint in Python 3-specific portion of ipalib/rpc.py
ipa-replica-prepare: domain level check improvements
fix error reporting when installer option is supplied with invalid choice
remove Kerberos authenticators when installing/uninstalling service instance
remove an unnecessary check from IPA server uninstaller
check for disconnected topology and deleted agreements for all suffixes
suppress errors arising from adding existing LDAP entries during KRA install
update idrange tests to reflect disabled modification of local ID ranges
disconnect ldap2 backend after adding default CA ACL profiles
do not disconnect when using existing connection to check default CA ACLs
fix a typo in replica DS creation code
replica promotion: modify default.conf even if DS configuration fails
perform IPA client uninstallation as a last step of server uninstall
fix 'iparepltopomanagedsuffix' attribute consumers
extract domain level 1 topology-checking code from ipa-replica-manage
implement domain level 1 specific topology checks into IPA server uninstaller
replica install: improvements in the handling of CA-related IPA config entries
add auto-forwarders option to standalone DNS installer
add '--auto-forwarders' description to server/replica/DNS installer man pages
check whether replica exists before executing the domain level 1 deletion code
CI tests: ignore disconnected domain level 1 topology on IPA master teardown
add ACIs for custodia container to its parent during IPA upgrade
fix error message assertion in negative forced client reenrollment tests
prevent crashes of server uninstall check caused by failed LDAP connections
CI tests: remove '-p' option from ipa-dns-install calls
ipa-client-install: create a temporary directory for ccache files
raise more descriptive Backend connection-related exceptions
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
tests for package version comparison
fix Py3 incompatible exception instantiation in replica install code
ipa-csreplica-manage: remove extraneous ldap2 connection
IPA upgrade: move replication ACIs to the mapping tree entry
uninstallation: more robust check for master removal from topology
correctly set LDAP bind related attributes when setting up replication
disable RA plugins when promoting a replica from CA-less master
fix standalone installation of externally signed CA on IPA master
reset ldap.conf to point to newly installed replica after promotion
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
test_cert_plugin: use only first part of the hostname to construct short name
only search for Kerberos SRV records when autodiscovery was requested
spec: add conflict with bind-chroot to freeipa-server-dns
spec: require python-cryptography newer than 0.9
otptoken-add: improve the robustness of QR code printing
Martin Bašti (332):
Fix dnsrecord-mod raise error if last record attr is removed
DNSSEC: fix DS record validation
Tests: DNS dsrecord validation
DNS fix NS record coexistence validator
Test: DNS NS validation
Fix DNS record rename test
FIX DNS wildcard records (RFC4592)
Tests: DNS wildcard records
Dogtag 10.2 to spec.file
dnszone-remove-permission should raise error
DNS: remove --class option
WebUI: DNS: remove --class option
FIX: ldap schema updater needs correct ordering of the updates
Fix DNS plugin to allow to add root zone
DNS test: allow '.' as zone name
Deprecation of --name-server and --ip-address option in DNS
Add correct NS records during installation
DNS: autofill admin email
WebUI: DNS: Remove ip-address, admin-email options
DNS tests: tests update to due to change in options
Remove --ip-address, --name-server options from DNS help
Refactoring of autobind, object_exists
LDAP disable service
DNS missing tests
Fix ipactl service ordering
Add missing attributes to named.conf
Make named.conf template platform independent
Remove ipaContainer, ipaOrderedContainer objectclass
Add mask, unmask methods for service
DNSSEC: dependencies
DNSSEC: schema
DNSSEC: add ipapk11helper module
DNSSEC: DNS key synchronization daemon
DNSSEC: opendnssec services
DNSSEC: platform paths and services
DNSSEC: validate forwarders
DNSSEC: modify named service to support dnssec
DNSSEC: installation
DNSSEC: uninstallation
DNSSEC: upgrading
DNSSEC: ACI
DNSSEC: add files to backup
DNSSEC: change link to ipa page
fix DNSSEC restore named state
fix forwarder validation errors
Fix dns zonemgr validation regression
Add bind-dyndb-ldap working dir to IPA specfile
Fix CI tests: install_adtrust
Fix upgrade: do not use invalid ldap connection
Fix: DNS installer adds invalid zonemgr email
Fix: DNS policy upgrade raises assertion error
Fix upgrade referint plugin
Upgrade: fix trusts objectclass violation
Fix named working directory permissions
Fix: zonemgr must be unicode value
Fix warning message should not contain CLI commands
Show warning instead of error if CA did not start
Raise right exception if domain name is not valid
Fix pk11helper module compiler warnings
Fix: read_ip_addresses should return ipaddr object
Fix detection of encoding in zonemgr option
Fix zonemgr option encoding detection
Throw zonemgr error message before installation proceeds
Upgrade fix: masking named should be executed only once
Using wget to get status of CA
Show SSHFP record containing space in fingerprint
Fix don't check certificate during getting CA status
Fix: Upgrade forwardzones zones after adding newer replica
Fix zone find during forwardzone upgrade
Fix traceback if zonemgr error contains unicode
DNS tests: separate current forward zone tests
New test cases for Forward_zones
Detect and warn about invalid DNS forward zone configuration
DNS tests: warning if forward zone is inactive
Add debug messages into client autodetection
DNSSEC catch ldap exceptions in ipa-dnskeysyncd
DNSSEC: fix root zone dns name conversion
Always return absolute idnsname in dnszone commands
Use dyndns_update instead of deprecated sssd option
Fix reference counting in pkcs11 extension
Prevent install scripts fail silently if timeout exceeded
Fix warning message on client side
Fix restoring services status during uninstall
Fix do not enable service before storing status
Uninstall configured services only
Fix saving named restore status
Migrate uniqueness plugins configuration to new style
Fix uniqueness plugins
DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
Fix memory leaks in ipap11helper
Remove unused method from ipap11pkcs helper module
Remove unused disable-betxn.ldif file
DNS fix: do not traceback if unsupported records are in LDAP
DNS fix: do not show part options for unsupported records
DNS: remove NSEC3PARAM from records
Fix dead code in ipap11helper module
Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
Server Upgrade: do not sort updates by DN
Server Upgrade: Upgrade one file per time
Server Upgrade: Set modified to false, before each update
Server Upgrade: Update entries in order specified in file
Server Upgrade: order update files by default
Server Upgrade: respect --test option in plugins
Server Upgrade: remove --test option
Server Upgrade: Fix comments
DNSSEC: Do not log into files
Fix ldap2 shared connection
Server Upgrade: use only LDAPI connection
Server Upgrade: remove unused code in upgrade
Server Upgrade: Apply plugin updates immediately
Server Upgrade: specify order of plugins in update files
Server Upgrade: plugins should use ldapupdater API instance
Server Upgrade: Handle connection better in updates_from_dict
Server Upgrade: use ldap2 connection in fix_replica_agreements
Server Upgrade: restart DS using ipaplatfom service
Server Upgrade: only root can run updates
DNSSEC CI tests
ipa client: make --ntp-server option multivalued
ipa client: use NTP servers detected from SRV
ipa client: use NTP servers specified by user
Server Upgrade: ipa-server-upgrade command
Server Upgrade: Verify version and platform
Server Upgrade: use ipa-server-upgrade in RPM upgrade
Server Upgrade: fix a comment in ldapupdater
move realm_to_serverid to installutils module
Server Upgrade: use LDIF parser to modify DSE.ldif
Server Upgrade: enable DS global lock during upgrade
Server Upgrade: remove CSV from upgrade files
Server Upgrade: Allow base64 encoded values
Server Upgrade: fix memberUid index
Don't use the proxy to check CA status
Server Upgrade: Do not start DS if it was stopped before upgrade
Server Upgrade: raise RuntimeError instead exit()
Server Upgrade: do not allow to run upgradeinstace alone
Server Upgrade: handle errors better
Server Upgrade: ipa-ldap-updater will not do overall upgrade
Server Upgrade: Fix uniqueness plugins
DNSSEC: FIX Do not re-create kasp.db if already exists
DNSSEC: update OpenDNSSEC KASP configuration
DNS install: extract DNS installer into one module
Pylint: fix false positive warning for domain
Uid uniqueness: fix: exclude compat tree from uniqueness
Server Upgrade: wait until DS is ready
Server Upgrade: Fix: execute schema update
Server Upgrade: Move code from ipa-upgradeconfig to separate module
Fix: use DS socket check only for upgrade
Server Upgrade: fix remove statement
Installers fix: remove temporal ccache
ULC: fix: upgrade for stage Stage User Admins failed
Fix: regression in host and service plugin
DNSSEC: Improve global forwarders validation
DNSSEC: validate forward zone forwarders
Revert 389-DS BuildRequires version to 1.3.3.9
DNSSEC: fix traceback during shutdown phase
Server Upgrade: disconnect ldap2 connection before DS restart
DNS: add UnknownRecord to schema
ipa-ca-install fix: reconnect ldap2 after DS restart
Server Upgrade: create default config for NIS Server plugin
Fix indices ntUserDomainId, ntUniqueId
Sanitize CA replica install
DNS: Do not traceback if DNS is not installed
KRA Install: check replica file if contains req. certificates
Server Upgrade: use debug log level for upgrade instead of info
DNSSEC: allow to disable/replace DNSSEC key master
DNSSEC: update message
Allow to run subprocess with supplementary groups
FIX: Clear SSSD caches when uninstalling the client
Fix regression: ipa-dns-install will add CA records if required
Upgrade: Do not show upgrade failed message when IPA is not installed
Fix logging in API
Prevent to rename certprofile profile id
Prevent to rename certprofile profile id
Stageusedr-activate: show username instead of DN
Stageusedr-activate: show username instead of DN
copy-schema-to-ca: allow to overwrite schema files
copy-schema-to-ca: allow to overwrite schema files
fix selinuxusermap search for non-admin users
fix selinuxusermap search for non-admin users
Validate adding privilege to a permission
Validate adding privilege to a permission