[Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.3.1-1'

Timo Aaltonen tjaalton at moszumanska.debian.org
Mon Apr 18 14:49:12 UTC 2016


Tag 'debian/4.3.1-1' created by Timo Aaltonen <tjaalton at debian.org> at 2016-04-18 14:47 +0000

tagging package freeipa version debian/4.3.1-1

Changes since debian/4.1.4-1:
Abhijeet Kasurde (6):
      Added try/except block for user_input in ipautil
      Updated number of legacy permission in ipatests
      Updated number of legacy permission in ipatests
      Added user friendly error message for dnszone enable and disable
      Fixed small typo in stage-user documentation
      Fixed login error message box in LoginScreen page

Ade Lee (3):
      Add a KRA to IPA
      Add man page for ipa-kra-install
      Re-enable uninstall feature for ipa-kra-install

Ales 'alich' Marecek (1):
      Ipatests DNS SOA Record Maintenance

Alexander Bokovoy (50):
      ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
      ipaserver/dcerpc.py: make PDC discovery more robust
      ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
      ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
      ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
      Support overriding user shell in ID views
      Allow user overrides to specify SSH public keys
      Allow user overrides to specify GID of the user
      Allow override of gecos field in ID views
      Update API version for ID views support
      Require slapi-nis 0.54 or later for ID views support
      Support idviews in compat tree
      Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature
      updater: enable uid uniqueness plugin for posixAccounts
      Default to use TLSv1.0 and TLSv1.1 on the IPA server side
      Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides
      Update slapi-nis dependency to pull 0.54.1
      AD trust: improve trust validation
      Support Samba PASSDB 0.2.0 aka interface version 24
      ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
      ipa-kdb: when processing transitions, hand over unknown ones to KDC
      ipa-kdb: reject principals from disabled domains as a KDC policy
      fix Makefile.am for daemons
      slapi-nis: require 0.54.2 for CVE-2015-0283 fixes
      ipaserver/dcerpc: Ensure LSA pipe has session key before using it
      ipa-kdb: use proper memory chunk size when moving sids
      ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
      add one-way trust support to ipasam
      ipa-adtrust-install: add IPA master host principal to adtrust agents
      trusts: pass AD DC hostname if specified explicitly
      ipa-sidgen: reduce log level to normal if domain SID is not available
      ipa-adtrust-install: allow configuring of trust agents
      trusts: add support for one-way trust and switch to it by default
      ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
      trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
      trust: support retrieving POSIX IDs with one-way trust during trust-add
      selinux: enable httpd_run_ipa to allow communicating with oddjobd services
      selinux: enable httpd_run_ipa to allow communicating with oddjobd services
      oddjob: avoid chown keytab to sssd if sssd user does not exist
      oddjob: avoid chown keytab to sssd if sssd user does not exist
      Fix selector of protocol for LSA RPC binding string
      Fix selector of protocol for LSA RPC binding string
      trusts: harden trust-fetch-domains oddjobd-based script
      trusts: harden trust-fetch-domains oddjobd-based script
      trusts: format Kerberos principal properly when fetching trust topology
      trusts: format Kerberos principal properly when fetching trust topology
      client referral support for trusted domain principals
      client referral support for trusted domain principals
      spec file: depend on Dogtag 10.2.6-12 for tomcat 8 upgrade
      slapi-nis: update configuration to allow external members of IPA groups

Ana Krivokapić (1):
      Remove internaldb password from password.conf

Benjamin Drung (3):
      Fix hyphen-used-as-minus-sign warning (found by lintian)
      Fix manpage-has-errors-from-man warning (found by Lintian)
      default.conf.5: Fix a typo

Christian Heimes (36):
      Provide Kerberos over HTTP (MS-KKDCP)
      Fix removal of ipa-kdc-proxy.conf symlink
      Fix upgrade of HTTPInstance for KDC Proxy
      Improve error handling in ipa-httpd-kdcproxy
      Start dirsrv for kdcproxy upgrade
      Start dirsrv for kdcproxy upgrade
      Remove tuple unpacking from except clause contrib/RHEL4/ipachangeconf.py
      Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.py
      Remove tuple unpacking from except clause ipalib/plugins/hbactest.py
      Remove tuple unpacking from except clause ipaserver/dcerpc.py
      Replace file() with open()
      Fix selinux denial during kdcproxy user creation
      Fix selinux denial during kdcproxy user creation
      certprofile-import: improve profile format documentation
      certprofile-import: improve profile format documentation
      otptoken: use ipapython.nsslib instead of Python's ssl module
      otptoken: use ipapython.nsslib instead of Python's ssl module
      Require Dogtag PKI >= 10.2.6
      Require Dogtag PKI >= 10.2.6
      Replace M2Crypto RC4 with python-cryptography ARC4
      Validate vault's file parameters
      Validate vault's file parameters
      certprofile-import: do not require profileId in profile data
      certprofile-import: do not require profileId in profile data
      Asymmetric vault: validate public key in client
      Asymmetric vault: validate public key in client
      Add flag to list all service and user vaults
      Add flag to list all service and user vaults
      Change internal rsa_(public|private)_key variable names
      Change internal rsa_(public|private)_key variable names
      Handle timeout error in ipa-httpd-kdcproxy
      Handle timeout error in ipa-httpd-kdcproxy
      mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5
      Require Dogtag 10.2.6-13 to fix KRA uninstall
      Modernize mod_nss's cipher suites
      Move user/group constants for PKI and DS into ipaplatform

David Kupka (91):
      Add record(s) to /etc/host when IPA is configured as DNS server.
      Use certmonger D-Bus API instead of messing with its files.
      Do not restart apache server when not necessary.
      Allow user to force Kerberos realm during installation.
      Fix typo causing ipa-upgradeconfig to fail.
      Add 'host' setting into default.conf configuration file on client. Fix description in man page.
      Detect and configure all usable IP addresses.
      Do not require description in UI.
      Fix example usage in ipa man page.
      Check that port 8443 is available when installing PKI.
      Set IPA CA for freeipa certificates.
      Stop dogtag when updating its configuration in ipa-upgradeconfig.
      Fix printing of reverse zones in ipa-dns-install.
      Fix typo causing certmonger is provided with wrong path to ipa-submit.
      Respect UID and GID soft static allocation.
      Stop dirsrv last in ipactl stop.
      Remove unneeded internal methods. Move code to public methods.
      Remove service file even if it isn't link.
      Produce better error in group-add command.
      Fix --{user,group}-ignore-attribute in migration plugin.
      ipa-restore: Check if directory is provided + better errors.
      Fix error message for nonexistent members and add tests.
      Use singular in help metavars + update man pages.
      Always add /etc/hosts record when DNS is being configured.
      Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.
      Abort backup restoration on not matching host.
      idviews: Allow setting ssh public key on ipauseroverride-add
      Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
      Restore default.conf and use it to build API.
      Always reload StateFile before getting or modifying the stored values.
      Remove unused part of ipa.conf.
      Use mod_auth_gssapi instead of mod_auth_kerb.
      Bump ipa.conf version to 17.
      Lint: Skip checking of functions stolen by python-nose.
      Make lint work on Fedora 22.
      Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.
      Do not store state if CA is enabled
      Move CA installation code into single module.
      Use 389-ds centralized scripts.
      upgrade: Raise error when certmonger is not running.
      ipa-replica-prepare: Do not create DNS zone it automatically.
      migration: Use api.env variables.
      migration: Use api.env variables.
      certmonger: Use private unix socket when DBus SystemBus is not available.
      certmonger: Use private unix socket when DBus SystemBus is not available.
      ipa-client-install: Do not (re)start certmonger and DBus daemons.
      ipa-client-install: Do not (re)start certmonger and DBus daemons.
      dbus: Create empty dbus.Array with specified signature
      user-undel: Fix error messages.
      user-undel: Fix error messages.
      client: Add support for multiple IP addresses during installation.
      client: Add support for multiple IP addresses during installation.
      client: Add description of --ip-address and --all-ip-addresses to man page
      client: Add description of --ip-address and --all-ip-addresses to man page
      Backup/restore authentication control configuration
      Backup/restore authentication control configuration
      vault: Limit size of data stored in vault
      vault: Limit size of data stored in vault
      ipactl: Do not start/stop/restart single service multiple times
      ipactl: Do not start/stop/restart single service multiple times
      comment: Add Documentation string to deduplicate function
      admintool: Add error message with path to log on failure.
      ipa-cacert-renew: Fix connection to ldap.
      ipa-otptoken-import: Fix connection to ldap.
      ipa-replica-install support caless install with promotion.
      install: Run all validators at once.
      replica: Fix ipa-replica-install with replica file (domain level 0).
      test: Temporarily increase timeout in vault test.
      spec file: Add dbus-python to BuildRequires
      dns: do not add (forward)zone if it is already resolvable.
      dns: Check if domain already exists.
      dns: Add --auto-reverse option.
      installer: Propagate option values from components instead of copying them.
      installer: Fix logic of reading option values from cache.
      ipa-dns-install: Do not check for zone overlap when DNS installed.
      ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
      installer: Change reverse zones question to better reflect reality.
      Fix: Use unattended parameter instead of options.unattended
      CI: Add '2-connected' topology generator.
      CI: Add simple replication test in 2-connected topology.
      CI: Add test for 2-connected topology generator.
      CI: Fix pep8 errors in 2-connected topology generator
      CI: add empty topology test for 2-connected topology generator
      CI: Add double circle topology.
      CI: Add replication test utilizing double-circle topology.
      CI: Add test for double-circle topology generator.
      CI: Make double circle topology python3 compatible
      upgrade: Match whole pre/post command not just basename.
      dsinstance: add start_tracking_certificates method
      httpinstance: add start_tracking_certificates method
      Look up HTTPD_USER's UID and GID during installation.

Drew Erny (1):
      Migration now accepts scope as argument

Endi Sukma Dewata (20):
      Fixed KRA backend.
      Modified NSSConnection not to shutdown existing database.
      Added vault plugin.
      Added vault-archive and vault-retrieve commands.
      Fixed KRA installation problem.
      Added symmetric and asymmetric vaults.
      Added ipaVaultPublicKey attribute.
      Added vault access control.
      Fixed missing KRA agent cert on replica.
      Fixed missing KRA agent cert on replica.
      Added CLI param and ACL for vault service operations.
      Added CLI param and ACL for vault service operations.
      Fixed vault container ownership.
      Fixed vault container ownership.
      Added support for changing vault encryption.
      Added support for changing vault encryption.
      Removed clear text passwords from KRA install log.
      Removed clear text passwords from KRA install log.
      Using LDAPI to setup CA and KRA agents.
      Using LDAPI to setup CA and KRA agents.

Filip Skola (3):
      Refactor test_user_plugin, use UserTracker for tests
      Refactor test_replace
      Refactor test_attr

Francesco Marella (1):
      Refactor selinuxenabled check

François Cami (1):
      ipa-client-install: Fix the "download the CA cert" query

Fraser Tweedale (59):
      Support multiple host and service certificates
      Fix certificate management with service-mod
      Install CA with LDAP profiles backend
      Add schema for certificate profiles
      ipa-pki-proxy: provide access to profiles REST API
      Add ACL to allow CA agent to modify profiles
      Add certprofile plugin
      Enable LDAP-based profiles in CA on upgrade
      Import included profiles during install or upgrade
      Add generic split_any_principal method
      Add profile_id parameter to 'request_certificate'
      Add usercertificate attribute to user plugin
      Update cert-request to support user certs and profiles
      Fix certificate subject base
      Import profiles earlier during install
      ipa-pki-proxy: allow certificate and password authentication
      Add CA ACL plugin
      Enforce CA ACLs in cert-request command
      certprofile: fix doc error
      Upgrade CA schema during upgrade
      Migrate CA profiles after enabling LDAPProfileSubsystem
      certprofile: add option to export profile config
      certprofile: add ability to update profile config in Dogtag
      caacl: fix incorrect construction of HbacRequest for hosts
      cert-request: enforce caacl for principals in SAN
      user-show: add --out option to save certificates to file
      user-show: add --out option to save certificates to file
      Fix otptoken-remove-managedby command summary
      Fix otptoken-remove-managedby command summary
      Give more info on virtual command access denial
      Give more info on virtual command access denial
      Allow SAN extension for cert-request self-service
      Allow SAN extension for cert-request self-service
      Add profile for DNP3 / IEC 62351-8 certificates
      Add profile for DNP3 / IEC 62351-8 certificates
      Work around python-nss bug on unrecognised OIDs
      Work around python-nss bug on unrecognised OIDs
      Fix default CA ACL added during upgrade
      Fix default CA ACL added during upgrade
      Fix KRB5PrincipalName / UPN SAN comparison
      Fix KRB5PrincipalName / UPN SAN comparison
      certprofile: add profile format explanation
      certprofile: add profile format explanation
      Add permission for bypassing CA ACL enforcement
      Add permission for bypassing CA ACL enforcement
      Prohibit deletion of predefined profiles
      Prohibit deletion of predefined profiles
      cert-request: remove allowed extensions check
      cert-request: remove allowed extensions check
      certprofile: prevent rename (modrdn)
      certprofile: prevent rename (modrdn)
      certprofile: remove 'rename' option
      certprofile: remove 'rename' option
      TLS and Dogtag HTTPS request logging improvements
      Avoid race condition caused by profile delete and recreate
      Do not erroneously reinit NSS in Dogtag interface
      Add profiles and default CA ACL on migration
      dogtaginstance: remove unused function 'check_inst'
      Do not decode HTTP reason phrase from Dogtag

Gabe Alford (40):
      ipa trust-add command should be interactive
      Fix hardcoded lib dir in freeipa.spec
      Missing requires on python-dns in spec file
      Remove trivial path constants from modules
      ipa-server-install Directory Manager help incorrect
      ipa-managed-entries requires password with bad password
      Update default NTP configuration
      Remove usage of app_PYTHON in ipaserver Makefiles
      Remove dependency on subscription-manager
      Typos in ipa-rmkeytab options help and man page
      permission-add does not prompt for ipapermright in interactive mode
      ipa-replica-prepare should document ipv6 options
      ipatests: Add tests for valid and invalid ipa-advise
      ipa-replica-prepare can only be created on the first master
      Add message for skipping NTP configuration during client install
      Remove unneeded ip-address option in ipa-adtrust-install
      Unsaved changes dialog internally inconsistent
      Allow ipa help command to run when ipa-client-install is not configured
      Do not print traceback when pipe is broken
      Clear SSSD caches when uninstalling the client
      Fix client ca.crt to match the server's cert
      Add Chromium configuration note to ssbrowser
      Add Chromium configuration note to ssbrowser
      Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
      Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue
      dnssec option missing in ipa-dns-install man page
      dnssec option missing in ipa-dns-install man page
      Update FreeIPA package description
      Update FreeIPA package description
      Remove bind configuration detected question
      Warn if no installation found when running ipa-server-install --uninstall
      Add Firefox options to ipa-client-install man page
      interactive installer does not ignore leading/trailing whitespace
      Remove 50-lockout-policy.update file
      Incomplete ports for IPA AD Trust
      custodia: ipa-upgrade failed on replica
      ipa-replica-manage del continues when host does not exist in domain level 1
      Check if IPA is configured before attempting a winsync migration
      ipa-replica-install prints incorrect error message when replica is already installed
      Migrate wget references and usage to curl

Jakub Hrozek (1):
      CLIENT: Explicitly require python-backports-ssl_match_hostname

Jan Cholasta (261):
      Allow changing CA renewal master in ipa-csreplica-manage.
      Normalize external CA cert before passing it to pkispawn
      Make CA-less ipa-server-install option --root-ca-file optional.
      Backup CS.cfg before modifying it
      Use autobind when updating CA people entries during certificate renewal
      Fix certmonger code causing the ca_renewal_master update plugin to fail
      Allow RPM upgrade from ipa-* packages
      Include ipaplatform in client-only build
      Include the ipa command in client-only build
      Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
      Add NSSDatabase.import_files method for importing files in various formats
      External CA installer options usability fixes
      CA-less installer options usability fixes
      Allow choosing CA-less server certificates by name
      Do stricter validation of CA certificates
      Introduce NSS database /etc/ipa/nssdb
      Move NSSDatabase from ipaserver.certs to ipapython.certdb
      Add NSSDatabase.has_nickname for checking nickname presence in a NSS DB
      Use NSSDatabase instead of direct certutil calls in client code
      Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
      Check if IPA client is configured in ipa-certupdate
      Get server hostname from jsonrpc_uri in ipa-certupdate
      Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
      Fix certmonger.wait_for_request
      Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
      Do not crash in CAInstance.__init__ when default argument values are used
      Add missing imports to ipapython.certdb
      Remove misleading authorization error message in cert-request with --add
      Split off generic Red Hat-like platform code from Fedora platform code
      Add RHEL platform module
      Support building RPMs for RHEL/CentOS 7.0
      Fix certmonger configuration in installer code
      Support MS CS as the external CA in ipa-server-install and ipa-ca-install
      Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
      Fix CA cert validity check for CA-less and external CA installer options
      Fix certmonger.request_cert
      Add ipa-client-install switch --request-cert to request cert for the host
      Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig
      Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
      Check LDAP instead of local configuration to see if IPA CA is enabled
      DNSSEC: remove container_dnssec_keys
      Do not check if port 8443 is available in step 2 of external CA install
      Handle profile changes in dogtag-ipa-ca-renew-agent
      Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
      Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
      Fix possible NULL dereference in ipa-kdb
      Fix memory leaks in ipa-extdom-extop
      Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
      Fix memory leak in ipa-pwd-extop
      Fix memory leaks in ipa-join
      Fix various bugs in ipap11helper
      Fix CA certificate backup and restore
      Fix wrong expiration date on renewed IPA CA certificates
      Restore file extended attributes and SELinux context in ipa-restore
      Use correct service name in cainstance.backup_config
      Stop tracking certificates before restoring them in ipa-restore
      Remove redefinition of LOG from ipa-otp-lasttoken
      Unload P11_Helper object's library when it is finalized in ipap11helper
      Fix Kerberos error handling in ipa-sam
      Fix unchecked return value in ipa-kdb
      Fix unchecked return values in ipa-winsync
      Fix unchecked return value in ipa-join
      Fix unchecked return value in krb5 common utils
      Fix memory leak in GetKeytabControl asn1 code
      Add TLS 1.2 to the protocol list in mod_nss config
      Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
      Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
      Improve validation of --instance and --backend options in ipa-restore
      Check subject name encoding in ipa-cacert-manage renew
      Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
      Fix ipa-restore on systems without IPA installed
      Remove RUV from LDIF files before using them in ipa-restore
      Fix CA certificate renewal syslog alert
      Do not crash on unknown services in installutils.stopped_service
      Restart dogtag when its server certificate is renewed
      Make certificate renewal process synchronized
      Fix validation of ipa-restore options
      Do not assume certmonger is running in httpinstance
      Put LDIF files to their original location in ipa-restore
      Revert "Make all ipatokenTOTP attributes mandatory"
      Create correct log directories during full restore in ipa-restore
      Do not crash when replica is unreachable in ipa-restore
      Bump 389-ds-base and pki-ca dependencies for POODLE fixes
      ipalib: Allow multiple API instances
      ipalib: Move plugin package setup to ipalib-specific API subclass
      advise: Add separate API object for ipa-advise
      ldap2: Use self API instance instead of ipalib.api
      replica-install: Use different API instance for the remote server
      certstore: Make certificate retrieval more robust
      client-install: Do not crash on invalid CA certificate in LDAP
      client: Fix ca_is_enabled calls
      upload_cacrt: Fix empty cACertificate in cn=CAcert
      ldap: Drop python-ldap tuple compatibility
      ldap: Remove unused IPAdmin methods
      ldap: Add connection management to LDAPClient
      ldap: Use LDAPClient connection management in IPAdmin
      ldap: Use LDAPClient connection management in ldap2
      ldap: Add bind and unbind methods to LDAPClient
      ldap: Use LDAPClient bind and unbind methods in IPAdmin
      ldap: Use LDAPClient bind and unbind methods in ldap2
      ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password
      cainstance: Use LDAPClient instead of IPASimpleLDAPObject
      makeaci: Use LDAPClient instead of IPASimpleLDAPObject
      ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient
      ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry
      ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient
      ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient
      ldap: Remove IPASimpleLDAPObject
      Fix stop_tracking_certificates call in ipa-restore
      baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry
      client-install: Fix kinits with non-default Kerberos config file
      install: Make a package out of ipaserver.install.server
      install: Move ipa-server-install code into a module
      install: Move ipa-replica-install code into a module
      install: Move ipa-server-upgrade code into a module
      install: Fix missing variable initialization in replica install
      install: Fix CA-less server install
      install: Fix external CA server install
      install: Move private_ccache from ipaserver to ipapython
      install: Introduce installer framework ipapython.install
      install: Migrate ipa-server-install to the install framework
      install: Handle Knob cli_name and cli_aliases values consistently
      install: Add support for positional arguments in CLI tools
      install: Allow setting usage in CLI tools
      install: Migrate ipa-replica-install to the install framework
      vault: Move vaults to cn=vaults,cn=kra
      install: Initialize API early in server and replica install
      vault: Fix ipa-kra-install
      install: Fix logging setup in server and replica install
      User life cycle: provide preserved user virtual attribute
      install: Fix ipa-replica-install not installing RA cert
      User life cycle: change user-del flags to be CLI-specific
      plugable: Move plugin base class and override logic to API
      ipalib: Load ipaserver plugins when api.env.in_server is True
      ipalib: Move find_modules_in_dir from util to plugable
      plugable: Specify plugins to import in API by module names
      plugable: Load plugins only from modules imported by API
      plugable: Pass API to plugins on initialization rather than using set_api
      plugable: Do not use DictProxy for API
      plugable: Lock API on finalization rather than on initialization
      ipaplatform: Do not use MagicDict for KnownServices
      plugable: Remove SetProxy, DictProxy and MagicDict
      plugable: Change is_production_mode to method of API
      plugable: Specify plugin base classes and modules using API properties
      plugable: Remove unused call method of Plugin
      replica prepare: Do not use entry after disconnecting from LDAP
      ipalib: Fix skip_version_check option
      spec file: Update minimal versions of required packages
      spec file: Move /etc/ipa/kdcproxy to the server subpackage
      spec file: Move /etc/ipa/kdcproxy to the server subpackage
      spec file: Update minimum required version of krb5
      spec file: Update minimum required version of krb5
      install: Fix server and replica install options
      install: Fix server and replica install options
      ULC: Prevent preserved users from being assigned membership
      ULC: Prevent preserved users from being assigned membership
      spec file: Fix install with the server-dns subpackage
      baseldap: Allow overriding member param label in LDAPModMember
      baseldap: Allow overriding member param label in LDAPModMember
      vault: Fix param labels in output of vault owner commands
      vault: Fix param labels in output of vault owner commands
      install: Fix replica install with custom certificates
      install: Fix replica install with custom certificates
      vault: Fix vault-find with criteria
      vault: Fix vault-find with criteria
      vault: Add container information to vault command results
      vault: Add container information to vault command results
      spec file: Add Requires(post) on selinux-policy
      spec file: Add Requires(post) on selinux-policy
      cert renewal: Include KRA users in Dogtag LDAP update
      cert renewal: Include KRA users in Dogtag LDAP update
      cert renewal: Automatically update KRA agent PEM file
      cert renewal: Automatically update KRA agent PEM file
      install: Fix SASL mappings not added in ipa-server-install
      ldap: Make ldap2 connection management thread-safe again
      ldap: Make ldap2 connection management thread-safe again
      Use six.with_metaclass to specify metaclasses
      Use six.python_2_unicode_compatible
      Decode script arguments using file system encoding
      config: allow user/host attributes with tagging options
      config: allow user/host attributes with tagging options
      Alias "unicode" to "str" under Python 3
      Use bytes instead of str where appropriate
      Use byte literals where appropriate
      baseldap: make subtree deletion optional in LDAPDelete
      baseldap: make subtree deletion optional in LDAPDelete
      vault: set owner to current user on container creation
      vault: set owner to current user on container creation
      vault: update access control
      vault: update access control
      vault: add permissions and administrator privilege
      vault: add permissions and administrator privilege
      install: support KRA update
      install: support KRA update
      install: Support overriding knobs in subclasses
      install: Add common base class for server and replica install
      install: Move unattended option to the general help section
      install: Support overriding knobs in subclasses
      install: Add common base class for server and replica install
      install: Move unattended option to the general help section
      install: create kdcproxy user during server install
      install: create kdcproxy user during server install
      platform: add option to create home directory when adding user
      platform: add option to create home directory when adding user
      install: fix kdcproxy user home directory
      install: fix kdcproxy user home directory
      install: fix invocation of KRAInstance.create_instance()
      install: fix ipa-server-install fail on missing --forwarder
      install: fix ipa-server-install fail on missing --forwarder
      install: fix KRA agent PEM file permissions
      install: fix KRA agent PEM file permissions
      install: always export KRA agent PEM file
      vault: select a server with KRA for vault operations
      install: always export KRA agent PEM file
      vault: select a server with KRA for vault operations
      schema: do not derive ipaVaultPublicKey from ipaPublicKey
      upgrade: make sure ldap2 is connected in export_kra_agent_pem
      vault: fix private service vault creation
      install: fix command line option validation
      install: export KRA agent PEM file in ipa-kra-install
      cert renewal: make renewal of ipaCert atomic
      client install: do not corrupt OpenSSH config with Match sections
      install: drop support for Dogtag 9
      server: use topologysuffix name in iparepltopomanagedsuffix
      topology: replace "suffices" with "suffixes"
      aci: add IPA servers host group 'ipaservers'
      aci: replace per-server ACIs with ipaserver-based ACIs
      aci: allow members of ipaservers to set up replication
      ipautil: use file in a temporary dir as ccache in private_ccache
      replica promotion: use host credentials when setting up replication
      replica promotion: automatically add the local host to ipaservers
      custodia: do not modify memberPrincipal on key update
      replica promotion: allow OTP bulk client enrollment
      replica install: add ipaservers if it does not exist
      replica promotion: check domain level before ipaservers membership
      server uninstall: ignore --ignore-topology-disconnect in domain level 0
      spec file: remove config files from freeipa-python
      spec file: put Python modules into standalone packages
      build: put oddjob scripts into separate directory
      replica install: add remote connection check over API
      replica promotion: use host credentials for connection check
      replica promotion: notify user about ignoring client enrollment options
      aci: merge domain and CA suffix replication agreement ACIs
      ca install: use host credentials in domain level 1
      ipautil: allow redirecting command output to standard output in run()
      server install: redirect ipa-client-install output to standard output
      replica promotion: let ipa-client-install validate enrollment options
      ipautil: remove unused import causing cyclic import in tests
      ipalib: assume version 2.0 when skip_version_check is enabled
      ipapython: remove default_encoding_utf8
      ipapython: port p11helper C code to Python
      ipapython: use python-cryptography instead of libcrypto in p11helper
      spec file: package python-ipalib as noarch
      cert renewal: import all external CA certs on IPA CA cert renewal
      replica install: validate DS and HTTP server certificates
      replica promotion: fix AVC denials in remote connection check
      test_ipagetkeytab: fix missing import
      cacert install: fix trust chain validation
      client: stop using /etc/pki/nssdb
      certdb: never use the -r option of certutil
      daemons: remove unused erroneous _ipap11helper import

Jan Pazdziora (2):
      No explicit zone specification.
      The delegation uris are not set, match message to code.

Lenka Doudova (5):
      Automated test for stageuser plugin
      Automated test for stageuser plugin
      Fix user tracker to reflect new user-del message
      Fix user tracker to reflect new user-del message
      Adding descriptive IDs to stageuser tests

Lenka Ryznarova (1):
      Test Objectclass of postdetach group

Ludwig Krispenz (22):
      Update SSL ciphers configured in 389-ds-base
      Ignore irrelevant subtrees in schema compat plugin
      ds plugin - manage replication topology in the shared tree
      install part - manage topology in shared tree
      replica install fails with domain level 1
      accept missing binddn group
      plugin uses 1 as minimum domain level to become active no calculation based on plugin version
      crash when removing a replica
      check for existing and self referential segments
      make sure the agremment rdn match the rdn used in the segment
      v2-reject modifications of endpoints and connectivity of a segment
      correct management of one directional segments
      fix coverity issues
      v2 clear start attr from segment after initialization
      v2 improve processing of invalid data.
      allow deletion of segment if endpoint is not managed
      handle multiple managed suffixes
      prevent operation on tombstones
      handle cleaning of RUV in the topology plugin
      reject agreement only if both ends are managed
      update list of managed servers when a suffix becomes managed
      prevent moving of topology entries out of managed scope by modrdn operations

Lukáš Slebodník (12):
      SPEC: Explicitly requires python-sssdconfig
      SPEC: Require python2 version of sssd bindings
      SPEC: Drop sssd from BuildRequires
      ipa_kdb_tests: Remove unused variables
      ipa_kdb_tests: Fix warning Wmissing-braces
      topology: Fix warning Wshadow
      ipa-extdom-extop: Fix warning Wformat
      SPEC: Run cmocka based unit test in %check phase
      BUILD: provide check target in custom Makefiles
      cmocka_tests: Do not use deprecated cmocka interface
      ipa_kdb_tests: Fix test with default krb5.conf
      IPA-SAM: Fix build with samba 4.4

Martin Babinsky (131):
      Use 'remove-ds.pl' to remove DS instance
      Moved dbus-python dependence to freeipa-python package
      ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
      always get PAC for client principal if AS_REQ is true
      ipa-kdb: more robust handling of principal addition/editing
      OTP: failed search for the user of last token emits an error message
      ipa-pwd-extop: added an informational comment about intentional fallthrough
      ipa-uuid: emit a message when unexpected mod type is encountered
      OTP: emit a log message when LDAP entry for config record is not found
      ipa-client-install: put eol character after the last line of altered config file(s)
      migrate-ds: exit with error message if no users/groups to migrate are found
      Changing the token owner changes also the manager
      ipa-dns-install: use STARTTLS to connect to DS
      ipa-dns-install: use LDAPI to connect to DS
      migrate-ds: print out failed attempts when no users/groups are migrated
      show the exception message thrown by dogtag._parse_ca_status during install
      do not log BINDs to non-existent users as errors
      fix improper handling of boolean option in
      proper client host setup/teardown in forced client reenrollment integration test suite
      do not install CA on replica during integration test if setup_ca=False
      ipautil: new functions kinit_keytab and kinit_password
      ipa-client-install: try to get host TGT several times before giving up
      Adopted kinit_keytab and kinit_password for kerberos auth
      use separate ccache filename for each IPA DNSSEC daemon
      point the users to PKI-related logs when CA configuration fails
      suppress errors arising from deleting non-existent files during client uninstall
      prevent duplicate IDs when setting up multiple replicas against single master
      ipa-server-install: deprecate manual setting of master KDC password
      update 'api.env.ca_host' if a different hostname is used during server install
      provide dedicated ccache file for httpd
      move IPA-related http runtime directories to common subdirectory
      explicitly destroy httpd service ccache file during httpinstance removal
      do not check for directory manager password during KRA uninstall
      merge KRA installation machinery to a single module
      KRA: get the right dogtag version during server uninstall
      add DS index for userCertificate attribute
      generalize certificate creation during testing
      ipa-kdb: common function to get key encodings/salt types
      increase NSS memcache timeout for IPA server
      baseldap: add support for API commands managing only a single attribute
      reworked certificate normalization and revocation
      new commands to manage user/host/service certificates
      add option to skip client API version check
      ipa-ca-install: print more specific errors when CA is already installed
      ipa-ca-install: print more specific errors when CA is already installed
      enable debugging of ntpd during client installation
      enable debugging of ntpd during client installation
      fix broken search for users by their manager
      fix broken search for users by their manager
      ACI plugin: correctly parse bind rules enclosed in parentheses
      ACI plugin: correctly parse bind rules enclosed in parentheses
      test suite for user/host/service certificate management API commands
      test suite for user/host/service certificate management API commands
      store certificates issued for user entries as userCertificate;binary
      store certificates issued for user entries as userCertificate;binary
      idranges: raise an error when local IPA ID range is being modified
      idranges: raise an error when local IPA ID range is being modified
      fix typo in BasePathNamespace member pointing to ods exporter config
      fix typo in BasePathNamespace member pointing to ods exporter config
      ipa-backup: archive DNSSEC zone file and kasp.db
      ipa-backup: archive DNSSEC zone file and kasp.db
      ipa-restore: check whether DS is running before attempting connection
      ipa-restore: check whether DS is running before attempting connection
      improve the handling of krb5-related errors in dnssec daemons
      improve the handling of krb5-related errors in dnssec daemons
      improve the usability of `ipa user-del --preserve` command
      improve the usability of `ipa user-del --preserve` command
      load RA backend plugins during standalone CA install on CA-less IPA master
      load RA backend plugins during standalone CA install on CA-less IPA master
      destroy httpd ccache after stopping the service
      destroy httpd ccache after stopping the service
      ipa-server-install: mark master_password Knob as deprecated
      ipa-server-install: mark master_password Knob as deprecated
      re-kinit after ipa-restore in backup/restore CI tests
      re-kinit after ipa-restore in backup/restore CI tests
      do not overwrite files with local users/groups when restoring authconfig
      do not overwrite files with local users/groups when restoring authconfig
      remove ID overrides when deleting a user
      do not ask for segment direction when running topology commands
      fix dsinstance.py:get_domain_level function
      disable ipa-replica-prepare in non-zero IPA domain level
      execute user-del pre-callback also during user preservation
      fix class teardown in user plugin tests
      always ask the resolver for the reverse zone when manipulating PTR records
      silence pylint in Python 3-specific portion of ipalib/rpc.py
      ipa-replica-prepare: domain level check improvements
      fix error reporting when installer option is supplied with invalid choice
      remove Kerberos authenticators when installing/uninstalling service instance
      remove an unneccesary check from IPA server uninstaller
      check for disconnected topology and deleted agreements for all suffices
      suppress errors arising from adding existing LDAP entries during KRA install
      update idrange tests to reflect disabled modification of local ID ranges
      disconnect ldap2 backend after adding default CA ACL profiles
      do not disconnect when using existing connection to check default CA ACLs
      fix a typo in replica DS creation code
      replica promotion: modify default.conf even if DS configuration fails
      perform IPA client uninstallation as a last step of server uninstall
      fix 'iparepltopomanagedsuffix' attribute consumers
      extract domain level 1 topology-checking code from ipa-replica-manage
      implement domain level 1 specific topology checks into IPA server uninstaller
      replica install: improvements in the handling of CA-related IPA config entries
      add auto-forwarders option to standalone DNS installer
      add '--auto-forwarders' description to server/replica/DNS installer man pages
      check whether replica exists before executing the domain level 1 deletion code
      CI tests: ignore disconnected domain level 1 topology on IPA master teardown
      add ACIs for custodia container to its parent during IPA upgrade
      fix error message assertion in negative forced client reenrollment tests
      prevent crashes of server uninstall check caused by failed LDAP connections
      CI tests: remove '-p' option from ipa-dns-install calls
      ipa-client-install: create a temporary directory for ccache files
      raise more descriptive Backend connection-related exceptions
      prevent crash of CA-less server upgrade due to absent certmonger
      use FFI call to rpmvercmp function for version comparison
      tests for package version comparison
      fix Py3 incompatible exception instantiation in replica install code
      ipa-csreplica-manage: remove extraneous ldap2 connection
      IPA upgrade: move replication ACIs to the mapping tree entry
      uninstallation: more robust check for master removal from topology
      correctly set LDAP bind related attributes when setting up replication
      disable RA plugins when promoting a replica from CA-less master
      fix standalone installation of externally signed CA on IPA master
      reset ldap.conf to point to newly installer replica after promotion
      always start certmonger during IPA server configuration upgrade
      upgrade: unconditional import of certificate profiles into LDAP
      CI tests: use old schema when testing hostmask-based sudo rules
      use LDAPS during standalone CA/KRA subsystem deployment
      test_cert_plugin: use only first part of the hostname to construct short name
      only search for Kerberos SRV records when autodiscovery was requested
      spec: add conflict with bind-chroot to freeipa-server-dns
      spec: require python-cryptography newer than 0.9
      otptoken-add: improve the robustness of QR code printing

Martin Bašti (332):
      Fix dnsrecord-mod raise error if last record attr is removed
      DNSSEC: fix DS record validation
      Tests: DNS dsrecord validation
      DNS fix NS record coexistence validator
      Test: DNS NS validation
      Fix DNS record rename test
      FIX DNS wildcard records (RFC4592)
      Tests: DNS wildcard records
      Dogtag 10.2 to spec.file
      dnszone-remove-permission should raise error
      DNS: remove --class option
      WebUI: DNS: remove --class option
      FIX: ldap schmema updater needs correct ordering of the updates
      Fix DNS plugin to allow to add root zone
      DNS test: allow '.' as zone name
      Deprecation of --name-server and --ip-address option in DNS
      Add correct NS records during installation
      DNS: autofill admin email
      WebUI: DNS: Remove ip-address, admin-email options
      DNS tests: tests update to due to change in options
      Remove --ip-address, --name-server otpions from DNS help
      Refactoring of autobind, object_exists
      LDAP disable service
      DNS missing tests
      Fix ipactl service ordering
      Add missing attributes to named.conf
      Make named.conf template platform independent
      Remove ipaContainer, ipaOrderedContainer objectclass
      Add mask, unmask methods for service
      DNSSEC: dependencies
      DNSSEC: schema
      DNSSEC: add ipapk11helper module
      DNSSEC: DNS key synchronization daemon
      DNSSEC: opendnssec services
      DNSSEC: platform paths and services
      DNSSEC: validate forwarders
      DNSSEC: modify named service to support dnssec
      DNSSEC: installation
      DNSSEC: uninstallation
      DNSSEC: upgrading
      DNSSEC: ACI
      DNSSEC: add files to backup
      DNSSEC: change link to ipa page
      fix DNSSEC restore named state
      fix forwarder validation errors
      Fix dns zonemgr validation regression
      Add bind-dyndb-ldap working dir to IPA specfile
      Fix CI tests: install_adtrust
      Fix upgrade: do not use invalid ldap connection
      Fix: DNS installer adds invalid zonemgr email
      Fix: DNS policy upgrade raises asertion error
      Fix upgrade referint plugin
      Upgrade: fix trusts objectclass violationi
      Fix named working directory permissions
      Fix: zonemgr must be unicode value
      Fix warning message should not contain CLI commands
      Show warning instead of error if CA did not start
      Raise right exception if domain name is not valid
      Fix pk11helper module compiler warnings
      Fix: read_ip_addresses should return ipaddr object
      Fix detection of encoding in zonemgr option
      Fix zonemgr option encoding detection
      Throw zonemgr error message before installation proceeds
      Upgrade fix: masking named should be executed only once
      Using wget to get status of CA
      Show SSHFP record containing space in fingerprint
      Fix don't check certificate during getting CA status
      Fix: Upgrade forwardzones zones after adding newer replica
      Fix zone find during forwardzone upgrade
      Fix traceback if zonemgr error contains unicode
      DNS tests: separate current forward zone tests
      New test cases for Forward_zones
      Detect and warn about invalid DNS forward zone configuration
      DNS tests: warning if forward zone is inactive
      Add debug messages into client autodetection
      DNSSEC catch ldap exceptions in ipa-dnskeysyncd
      DNSSEC: fix root zone dns name conversion
      Always return absolute idnsname in dnszone commands
      Use dyndns_update instead of deprecated sssd option
      Fix reference counting in pkcs11 extension
      Prevent install scripts fail silently if timeout exceeded
      Fix warning message on client side
      Fix restoring services status during uninstall
      Fix do not enable service before storing status
      Uninstall configured services only
      Fix saving named restore status
      Migrate uniquess plugins configuration to new style
      Fix uniqueness plugins
      DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
      Fix memory leaks in ipap11helper
      Remove unused method from ipap11pkcs helper module
      Remove unused disable-betxn.ldif file
      DNS fix: do not traceback if unsupported records are in LDAP
      DNS fix: do not show part options for unsupported records
      DNS: remove NSEC3PARAM from records
      Fix dead code in ipap11helper module
      Server Upgrade: Remove unused PRE_SCHEMA_UPDATE
      Server Upgrade: do not sort updates by DN
      Server Upgrade: Upgrade one file per time
      Server Upgrade: Set modified to false, before each update
      Server Upgrade: Update entries in order specified in file
      Server Upgrade: order update files by default
      Server Upgrade: respect --test option in plugins
      Server Upgrade: remove --test option
      Server Upgrade: Fix comments
      DNSSEC: Do not log into files
      Fix ldap2 shared connection
      Server Upgrade: use only LDAPI connection
      Server Upgrade: remove unused code in upgrade
      Server Upgrade: Apply plugin updates immediately
      Server Upgrade: specify order of plugins in update files
      Server Upgrade: plugins should use ldapupdater API instance
      Server Upgrade: Handle connection better in updates_from_dict
      Server Upgrade: use ldap2 connection in fix_replica_agreements
      Server Upgrade: restart DS using ipaplatfom service
      Server Upgrade: only root can run updates
      DNSSEC CI tests
      ipa client: make --ntp-server option multivalued
      ipa client: use NTP servers detected from SRV
      ipa client: use NTP servers specified by user
      Server Upgrade: ipa-server-upgrade command
      Server Upgrade: Verify version and platform
      Server Upgrade: use ipa-server-upgrade in RPM upgrade
      Server Upgrade: fix a comment in ldapupdater
      move realm_to_serverid to installutils module
      Server Upgrade: use LDIF parser to modify DSE.ldif
      Server Upgrade: enable DS global lock during upgrade
      Server Upgrade: remove CSV from upgrade files
      Server Upgrade: Allow base64 encoded values
      Server Upgrade: fix memberUid index
      Dont use the proxy to check CA status
      Server Upgrade: Do not start DS if it was stopped before upgrade
      Server Upgrade: raise RuntimeError instead exit()
      Server Upgrade: do not allow to run upgradeinstace alone
      Server Upgrade: handle errors better
      Server Upgrade: ipa-ldap-updater will not do overall upgrade
      Server Upgrade: Fix uniqueness plugins
      DNSSEC: FIX Do not re-create kasp.db if already exists
      DNSSEC: update OpenDNSSEC KASP configuration
      DNS install: extract DNS installer into one module
      Pylint: fix false positive warning for domain
      Uid uniqueness: fix: exclude compat tree from uniqueness
      Server Upgrade: wait until DS is ready
      Server Upgrade: Fix: execute schema update
      Server Upgrade: Move code from ipa-upgradeconfig to separate module
      Fix: use DS socket check only for upgrade
      Server Upgrade: fix remove statement
      Installers fix: remove temporal ccache
      ULC: fix: upgrade for stage Stage User Admins failed
      Fix: regression in host and service plugin
      DNSSEC: Improve global forwarders validation
      DNSSEC: validate forward zone forwarders
      Revert 389-DS BuildRequires version to 1.3.3.9
      DNSSEC: fix traceback during shutdown phase
      Server Upgrade: disconnect ldap2 connection before DS restart
      DNS: add UnknownRecord to schema
      ipa-ca-install fix: reconnect ldap2 after DS restart
      Server Upgrade: create default config for NIS Server plugin
      Fix indicies ntUserDomainId, ntUniqueId
      Sanitize CA replica install
      DNS: Do not traceback if DNS is not installed
      KRA Install: check replica file if contains req. certificates
      Server Upgrade: use debug log level for upgrade instead of info
      DNSSEC: allow to disable/replace DNSSEC key master
      DNSSEC: update message
      Allow to run subprocess with suplementary groups
      FIX: Clear SSSD caches when uninstalling the client
      Fix regression: ipa-dns-install will add CA records if required
      Upgrade: Do not show upgrade failed message when IPA is not installed
      Fix logging in API
      Prevent to rename certprofile profile id
      Prevent to rename certprofile profile id
      Stageusedr-activate: show username instead of DN
      Stageusedr-activate: show username instead of DN
      copy-schema-to-ca: allow to overwrite schema files
      copy-schema-to-ca: allow to overwrite schema files
      fix selinuxusermap search for non-admin users
      fix selinuxusermap search for non-admin users
      Validate adding privilege to a permission
      Validate adding privilege to a permission


