[Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.4.3-1'

Timo Aaltonen tjaalton at moszumanska.debian.org
Sat Jan 14 13:38:13 UTC 2017

Tag 'debian/4.4.3-1' created by Timo Aaltonen <tjaalton at debian.org> at 2017-01-14 13:37 +0000

tagging package freeipa version debian/4.4.3-1

Changes since debian/4.3.2-5:
Abhijeet Kasurde (16):
      Added kpasswd_server directive in client krb5.conf
      Fixed login error message box in LoginScreen page
      Added fix for notifying user about Kerberos principal expiration in WebUI
      Added description related to 'status' in ipactl man page
      Added warning to user for Internet Explorer
      Added fix for notifying user about locked user account in WebUI
      Updated ipa command man page
      Fix added to ipa-compat-manage command line help
      Removed custom implementation of CalledProcessError
      Replaced find_hostname with api.env.host
      Added exception handling for mal-formatted XML Parsing
      Added missing translation to automount.py method
      Minor fix in ipa-replica-manage MAN page
      Corrected minor spell check in AD Trust information doc messages
      Removed unwanted line break from RefererError Dialog message
      Handled empty hostname in server-del command

Alexander Bokovoy (23):
      slapi-nis: update configuration to allow external members of IPA groups
      extdom: do not fail to process error case when no request is specified
      otptoken: support Python 3 for the qr code
      trusts: Add support for an external trust to Active Directory domain
      adtrust: remove nttrustpartner parameter
      adtrust: remove nttrustpartner parameter
      adtrust: support GSSAPI authentication to LDAP as Active Directory user
      adtrust: support UPNs for trusted domain users
      webui: show UPN suffixes in trust properties
      webui: support external flag to trust-add
      adtrust: optimize forest root LDAP filter
      service: add flag to allow S4U2Self
      support schema files from third-party plugins
      ipaserver/dcerpc: reformat to make the code closer to pep8
      trust: automatically resolve DNS trust conflicts for triangle trusts
      trust: make sure external trust topology is correctly rendered
      trust: make sure ID range is created for the child domain even if it exists
      ipa-kdb: simplify trusted domain parent search
      support multiple uid values in schema compatibility tree
      freeipa.spec.in: move ipa CLI utility to freeipa-client
      trustdomain-del: fix the way how subdomain is searched
      adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
      ipa-kdb: search for password policies globally

Ben Lipton (3):
      Fix several small typos
      Use existing HostKey config to test sshd
      Silence sshd messages during install

Christian Heimes (9):
      Require Dogtag 10.2.6-13 to fix KRA uninstall
      Modernize mod_nss's cipher suites
      Move user/group constants for PKI and DS into ipaplatform
      Correct path to HTTPD's systemd service directory
      RedHatCAService should wait for local Dogtag instance
      Remove Custodia server keys from LDAP
      Secure permissions of Custodia server.keys
      Require httpd 2.4.6-31 with mod_proxy Unix socket support
      Use RSA-OAEP instead of RSA PKCS#1 v1.5

David Kupka (61):
      installer: Propagate option values from components instead of copying them.
      installer: Fix logic of reading option values from cache.
      ipa-dns-install: Do not check for zone overlap when DNS installed.
      ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
      installer: Change reverse zones question to better reflect reality.
      Fix: Use unattended parameter instead of options.unattended
      CI: Add '2-connected' topology generator.
      CI: Add simple replication test in 2-connected topology.
      CI: Add test for 2-connected topology generator.
      CI: Fix pep8 errors in 2-connected topology generator
      CI: add empty topology test for 2-connected topology generator
      CI: Add double circle topology.
      CI: Add replication test utilizing double-circle topology.
      CI: Add test for double-circle topology generator.
      CI: Make double circle topology python3 compatible
      upgrade: Match whole pre/post command not just basename.
      dsinstance: add start_tracking_certificates method
      httpinstance: add start_tracking_certificates method
      Look up HTTPD_USER's UID and GID during installation.
      test: test_cli: Do not expect defaults in kwargs.
      man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
      installer: positional_arguments must be tuple or list of strings
      installer: index() raises ValueError
      Remove unused locking "context manager"
      schema: Add fingerprint and TTL
      schema: Add known_fingerprints option to schema command
      schema: Cache schema in api instance
      schema: return fingerprint as unicode text
      env: Add 'server' variable to api.env
      schema: Caching on schema on client
      test: automember: Fix expected exception message
      test: cert: Reflect change in behavior in tests
      schema: Decrease schema TTL to one hour
      schema: Perform the check for schema update when force_schema_check is True
      Allow unexpiring passwords
      schema: Fix subtopic -> topic mapping
      help: Add dnsserver commands to help topic 'dns'
      vault: Catch correct exception in decrypt
      schema: Speed up schema cache
      frontend: Change doc, summary, topic and NO_CLI to class properties
      schema: Introduce schema cache format
      schema: Generate bits for help load them on request
      help: Do not create instances to get information about commands and topics
      compat: Save server's API version in for pre-schema servers
      schema cache: Do not reset ServerInfo dirty flag
      schema cache: Do not read fingerprint and format from cache
      Access data for help separately
      frontent: Add summary class property to CommandOverride
      schema cache: Read server info only once
      schema cache: Store API schema cache in memory
      client: Do not create instance just to check isinstance
      schema cache: Read schema instead of rewriting it when SchemaUpToDate
      schema check: Check current client language against cached one
      compat: Fix ping command call
      schema cache: Fallback to 'en_us' when locale is not available
      otptoken, permission: Convert custom type parameters on server
      schema cache: Store and check info for pre-schema servers
      UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
      ipaclient.plugins: Use api_version from internally called commands
      password policy: Add explicit default password policy for hosts and services
      tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all

Filip Skola (9):
      Refactor test_user_plugin, use UserTracker for tests
      Refactor test_replace
      Refactor test_attr
      Refactor test_sudocmd_plugin
      Refactor test_sudocmdgroup_plugin
      Refactor test_group_plugin, use GroupTracker for tests
      Refactor test_nesting, create HostGroupTracker
      Refactor test_hostgroup_plugin
      Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (16):
      Add missing CA options to the manpage for ipa-replica-install
      Add the culprit line when a configuration file has an incorrect format
      add context to exception on LdapEntry decode error
      batch command can be used to trigger internal errors on server
      Always qualify requests for admin in ipa-replica-conncheck
      Report missing certificate in external trust chain
      Do not allow installation in FIPS mode
      Fix ipa-server-certinstall with certs signed by 3rd-party CA
      Do not log error when removing a non-existing file
      Show full error message for selinuxusermap-add-hostgroup
      server uninstall fails to remove krb principals
      Fix session cookies
      Fix ipa hbactest output
      Fix ipa-certupdate for CA-less installation
      Fix regression introduced in ipa-certupdate
      Add cert checks in ipa-server-certinstall

Fraser Tweedale (60):
      Do not decode HTTP reason phrase from Dogtag
      Remove workaround for CA running check
      caacl: correctly handle full user principal name
      Prevent replica install from overwriting cert profiles
      Detect and repair incorrect caIPAserviceCert config
      Remove service and host cert issuer validation
      Allow CustodiaClient to be used by arbitrary principals
      Load server plugins in certmonger renewal helper
      Add ACIs for Dogtag custodia client
      Optionally add service name to Custodia key DNs
      Setup lightweight CA key retrieval on install/upgrade
      Authorise CA Agent to manage lightweight CAs
      Add custodia store for lightweight CA key replication
      Add 'ca' plugin
      Add IPA CA entry on install / upgrade
      Update 'caacl' plugin to support lightweight CAs
      Add CA argument to ra.request_certificate
      Update cert-request to allow specifying CA
      Add issuer options to cert-show and cert-find
      replica-install: configure key retriever before starting Dogtag
      upgrade: do not try to start CA if not configured
      restart scripts: bootstrap api with in_server=True
      Require Dogtag >= 10.3.3
      Fix IssuerDN presence check in cert search result
      Set default OCSP URI on install and upgrade
      ipaldap: turn LDAP filter utility functions into class methods
      Skip CS.cfg update if cert nickname not known
      Update lightweight CA serial after renewal
      ipa-certupdate: track lightweight CA certificates
      cert-find: fix 'issuer' option
      cert-request: better error msg when 'add' not supported
      Check for CA subject name collision before attempting creation
      Add --ca option to cert-revoke and cert-remove-hold
      Split CA replica installation steps for domain level 0
      Fix migration from pre-lightweight CAs master
      Add --cn option to cert-status
      Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
      uninstall: untrack lightweight CA certs
      caacl: expand plugin documentation
      spec: require Dogtag >= 10.3.3-3
      Create server and host certs with DNS altname
      caacl: fix regression in rule instantiation
      cert-revoke: fix permission check bypass (CVE-2016-5404)
      Move GeneralName parsing code to ipalib.x509
      x509: fix SAN directoryName parsing
      x509: use NSS enums and OIDs to identify SAN types
      x509: include otherName DER value in GeneralNameInfo
      cert-show: show subject alternative names
      Track lightweight CAs on replica installation
      Add ca-disable and ca-enable commands
      Allow Dogtag RestClient to perform requests without logging in
      Add HTTPRequestError class
      Use Dogtag REST API for certificate requests
      cert-request: raise CertificateOperationError if CA disabled
      Make host/service cert revocation aware of lightweight CAs
      cert-request: raise error when request fails
      spec: require Dogtag >= 10.3.5-6
      Add commentary about CA deletion to plugin doc
      cert-show: show validity in default output
      certprofile-mod: correctly authorise config update

Gabe Alford (1):
      ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

Ganna Kaihorodova (2):
      Fix conflict between "got" and "expected" values
      Fix for integration tests replication layouts

Jakub Hrozek (1):
      sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1):
      Set close button type attribute to 'button'.

Jan Barta (1):
      pylint: fix: multiple-statements

Jan Cholasta (168):
      ipautil: remove unused import causing cyclic import in tests
      ipalib: assume version 2.0 when skip_version_check is enabled
      ipapython: remove default_encoding_utf8
      ipapython: port p11helper C code to Python
      ipapython: use python-cryptography instead of libcrypto in p11helper
      spec file: package python-ipalib as noarch
      cert renewal: import all external CA certs on IPA CA cert renewal
      replica install: validate DS and HTTP server certificates
      replica promotion: fix AVC denials in remote connection check
      cacert install: fix trust chain validation
      client: stop using /etc/pki/nssdb
      ipalib: provide per-call command context
      ipalib: add convenient Command method for adding messages
      certdb: never use the -r option of certutil
      spec file: bump minimum required pki-core version
      build: fix client-only build
      makeapi: use the same formatting for `int` and `long` values
      replica install: do not set CA renewal master flag
      rpc: do not crash when unable to parse JSON
      parameters: remove unused ConversionError and ValidationError arguments
      rpc: include structured error information in responses
      frontend: re-raise remote RequirementError using CLI name in CLI
      frontend: remove the unused Command.soft_validate method
      frontend: perform argument value validation only on server
      batch: do not crash when no argument is specified
      ipalib: make optional positional command arguments actually optional
      frontend: do not forward unspecified positional arguments to server
      user: do not assume the preserve flags have value in user_del
      frontend: do not forward argument defaults to server
      makeapi: optimize API.txt
      ipalib: remove the unused `csv` argument of Param
      makeaci: load additional plugins using API.add_module
      plugable: replace API.import_plugins with new API.add_package
      ipalib, ipaserver: migrate all plugins to Registry-based registration
      ipalib, ipaserver: fix incorrect API.register calls in docstrings
      plugable: remove the unused deprecated API.register method
      plugable: switch API to Registry-based plugin discovery
      frontend: merge baseldap.CallbackRegistry into Command
      frontend: move the interactive_prompt callback type to Command
      automount: do not inherit automountlocation_import from LDAPQuery
      dns: move code called on client to the module level
      dns: do not rely on server data structures in code called on client
      otptoken: fix import of DN
      otptoken_yubikey: fix otptoken_add_yubikey arguments
      vault: move client-side code to the module level
      vault: copy arguments of client commands from server counterparts
      ipalib: use relative imports for cross-plugin imports
      frontend: allow commands to have an argument named `name`
      cli: make optional positional command arguments actually optional
      dns: fix dnsrecord interactive mode
      ipaclient: introduce ipaclient.plugins
      ipalib: move client-side plugins to ipaclient
      help, makeapi: allow setting command topic explicitly
      help, makeapi: specify module topic by name
      help, makeapi: do not use hardcoded plugin package name
      plugable: turn Plugin attributes into properties
      plugable: simplify API plugin initialization code
      plugable: remember overriden plugins in API
      frontend: turn Method attributes into properties
      ipaclient: add client-side command override class
      dns: move code shared by client and server to separate module
      ipalib: split off client-side plugin code into ipaclient
      parameters: introduce cli_metavar keyword argument
      parameters: introduce no_convert keyword argument
      ipalib: replace DeprecatedParam with `deprecated` Param argument
      ipalib: introduce API schema plugins
      rpc: respect API config in RPCClient.create_connection
      rpc: allow overriding NSS DB directory in API config
      rpc: specify connection options in API config
      rpc: optimize JSON-RPC response handling
      rpc: do not validate command name in RPCClient.forward
      client install: finalize API after CA certs are available
      ipactl: use server API
      ipalib: move File command arguments to ipaclient
      misc: hide the unused --all option of `env` and `plugins` in CLI
      ipaclient: implement thin client
      ipalib: move server-side plugins to ipaserver
      frontend: do not check API minor version of the client
      schema: do not validate unrequested params in command_defaults
      replica install: use remote server API to create service entries
      schema: fix topic command output
      schema: fix typo
      spec file: require correct packages to get API plugins
      plugable: allow plugins to be non-classes
      plugable: initialize plugins on demand
      schema: generate client-side commands on demand
      batch, schema: use Dict instead of Any
      misc: fix empty CLI output of `env` and `plugins` commands
      dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
      frontend: call `execute` rather than `forward` in Local
      schema: exclude local commands
      schema: fix client-side dynamic defaults
      makeaci, makeapi: use in-server API
      frontend: don't copy command arguments to output params
      frontend: skip `value` output in output_for_cli
      frontend: do not crash on missing output in output_for_cli
      automember: add object plugin for automember_rebuild
      dns: do not rely on custom param fields in record attributes
      misc: skip `count` and `total` output in env.output_for_cli
      passwd: handle sort order of passwd argument on the client
      permission: handle ipapermright deprecated CLI alias on the client
      schema: add object class schema
      schema: remove output_params
      schema: merge command args and options
      schema: remove redundant information
      schema: remove `no_cli` from command schema
      replica install: fix thin client regression
      ldap: fix handling of binary data in search filters
      cert: add object plugin
      cert: add owner information
      cert: allow search by certificate
      dns: fix dns_update_system_records to work with thin client
      schema: fix param default value handling
      schema: do not crash in command_defaults if argument is None
      automember: fix automember to work with thin client
      schema: client-side code cleanup
      misc: generate `plugins` result directly in the command
      plugable: use plugin class as the key in API namespaces
      plugable: support plugin versioning
      schema: support plugin versioning
      frontend: forward command calls using full name
      schema: fix Flag arguments on the client
      schema: properly fix Flag arguments on the client
      backup: use in-server API in ipa-backup and ipa-restore
      replica install: don't allow install against a newer server
      session: move the session module from ipalib to ipaserver
      session: do not initialize session manager on import
      xmlserver: initialize RPC server plugins only in server context
      makeaci, makeapi, oddjob: use the default API context
      server: define missing virtual attributes
      user: add object plugin for user_status
      frontend: do not ignore client-side output params
      cert: fix CLI output of cert_remove_hold
      plugable: add option to ignore override errors
      client: ignore override errors in command overrides
      client: add placeholders for required remote plugins
      server: exclude Local commands from RPC
      client: do not crash when overriding remote command as method
      client: add support for pre-schema servers
      frontend: copy command arguments to output params on client
      Revert "Enable vault-* commands on client"
      client: fix hiding of commands which lack server support
      compat: fix ping call
      install: fix external CA cert validation
      vault: add missing salt option to vault_mod
      Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
      parameters: move the `confirm` kwarg to Param
      client: add missing output params to client-side commands
      cert: speed up cert-find
      cert: do not crash on invalid data in cert-find
      server install: do not prompt for cert file PIN repeatedly
      tests: fix test_ipalib.test_frontend.test_Object
      custodia: include known CA certs in the PKCS#12 file for Dogtag
      cert: add missing param values to cert-find output
      cert: include CA name in cert command output
      rpcserver: assume version 1 for unversioned command calls
      custodia: force reconnect before retrieving CA certs from LDAP
      rpcserver: fix crash in XML-RPC system commands
      cli: use full name when executing a command
      dns: normalize record type read interactively in dnsrecord_add
      dns: prompt for missing record parts in CLI
      dns: fix crash in interactive mode against old servers
      cert: fix cert-find --certificate when the cert is not in LDAP
      client: remove hard dependency on pam_krb5
      dns: re-introduce --raw in dnsrecord-del
      test_plugable: update the rest of test_init
      cert: add revocation reason back to cert-find output
      spec file: bump minimal required version of 389-ds-base

Jérôme Fenal (1):
      Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (58):
      WebUI tests: fix failing of tests due to unclicable label
      WebUI test: ID views
      WebUI: Test creating user without private group
      Test fix: Cleanup for host certificate
      Test: Maximum username length higher than 255 cannot be set
      Tests: Fix for failing location tests
      Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
      Tests: Make ID views tests reflect new krbcanonicalname attribute
      Tests: Fix failing ipatests/test_ipalib/test_errors.py
      Tests: Remove DNS configuration from trust tests
      Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py
      Tests: Fix frontend tests
      Tests: Tracker class for services
      Tests: Authentication indicators xmlrpc tests
      Tests: Authentication indicators integration tests
      Tests: External trust
      Tests: Support of UPN for trusted domains
      Tests: Improve handling of rename operation by user tracker
      Tests: IPA user can kinit using enterprise principal with IPA domain
      Tests: Removing manipulation with /etc/hosts file from integration tests
      Tests: Remove has_keytab from list of expected keys of update command
      Tests: Add data attribute to messages
      Tests: test_ipalib/test_output fails due to change of Output behaviour
      Fix malformed or missing docstrings in ipalib/messages
      Tests: Fix failing tests in test_ipalib/test_parameters
      Tests: Fix failing tests in test_ipalib/test_frontend
      Tests: ID views tests do not recognize ipakrboktoauthasdelegate sttribute
      Tests: Duplicate declaration on variables in ID views tests
      Tests: ID views tests do not recognize krbcanonicalname attribute
      Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
      Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
      Tests: Failing test_ipalib/test_rpc
      Tests: Failing test_ipaserver/test_ldap test
      Tests: Failing tests in test_ipalib/test_plugable
      Raise error when running ipa-adtrust-install with empty netbios--name
      Tests: Random issuer certificate can be added to a service
      Tests: Add missing attributes to test_xmlrpc/test_trust tests
      Tests: Avoid skipping tests due to missing files
      Tests: Fix regex errors in integration trust tests
      Tests: Add cleanup to integration trust tests
      Tests: Fix failing ldap.backend test
      Tests: Fix integration sudo tests setup and checks
      Tests: Remove SSSD restart from integration tests
      Tests: Add krb5kdc.service restart to integration trust tests
      Tests: Update host test with ipa-join
      Tests: Fix host attributes in ipa-join host test
      Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
      Tests: Remove invalid certplugin tests
      Tests: Certificate revocation
      Tests: Verify that cert commands show CA without --all
      Tests: Fix failing test_ipalib/test_parameters
      Tests: Fix integration sudo test
      Tests: Provide AD cleanup for trust tests
      Tests: Provide AD cleanup for legacy client tests
      Add file_exists method as a member of transport object
      Tests: Verify that validity info is present in cert-show and cert-find command
      Tests: Providing trust tests with tree root domain
      Document make_delete_command method in UserTracker

Ludwig Krispenz (3):
      prevent moving of topology entries out of managed scope by modrdn operations
      v2 - avoid crash in topology plugin when host list contains host with no hostname
      Check for conflict entries before raising domain level

Lukáš Slebodník (10):
      extdom: Remove unused macro
      IPA-SAM: Fix build with samba 4.4
      CONFIGURE: Replace obsolete macros
      ipa-sam: Do not redefine LDAP_PAGE_SIZE
      SPEC: Remove unused build dependency on libwbclient
      BUILD: Remove detection of libcheck
      ipa_pwd_extop: Fix warning declaration shadows previous local
      ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
      ipa-kdb: Allow to build with samba 4.5
      ipa-kdb: Fix unit test after packaging changes in krb5

Martin Babinsky (110):
      raise more descriptive Backend connection-related exceptions
      harden domain level 1 topology connectivity checks
      ipalib/x509.py: revert deletion of ipalib api import
      prevent crash of CA-less server upgrade due to absent certmonger
      use FFI call to rpmvercmp function for version comparison
      tests for package version comparison
      fix Py3 incompatible exception instantiation in replica install code
      ipa-csreplica-manage: remove extraneous ldap2 connection
      IPA upgrade: move replication ACIs to the mapping tree entry
      uninstallation: more robust check for master removal from topology
      correctly set LDAP bind related attributes when setting up replication
      disable RA plugins when promoting a replica from CA-less master
      fix standalone installation of externally signed CA on IPA master
      reset ldap.conf to point to newly installer replica after promotion
      always start certmonger during IPA server configuration upgrade
      upgrade: unconditional import of certificate profiles into LDAP
      CI tests: use old schema when testing hostmask-based sudo rules
      use LDAPS during standalone CA/KRA subsystem deployment
      test_cert_plugin: use only first part of the hostname to construct short name
      only search for Kerberos SRV records when autodiscovery was requested
      spec: add conflict with bind-chroot to freeipa-server-dns
      spec: require python-cryptography newer than 0.9
      ipa-replica-manage: print traceback on unexpected error when in verbose mode
      otptoken-add: improve the robustness of QR code printing
      differentiate between limit types when LDAP search exceeds configured limits
      specify type of exceeded limit when warning about truncated search results
      replica-prepare: do not add PTR records if there is no IPA managed reverse zone
      Server Roles: definitions of server roles and attributes
      Server Roles: Backend plugin to query roles and attributes
      Test suite for `serverroles` backend
      Server Roles: public API for server roles
      Server Roles: make server-{show,find} utilize role information
      Server Roles: make *config-show consume relevant roles/attributes
      Server Roles: provide an API for setting CA renewal master
      Add NTP to the list of services stored in IPA masters LDAP subtree
      Introduce "NTP server" role
      ipaserver module for working with managed topology
      delegate removal of master DNS record and replica keys to separate functions
      server-del: perform full master removal in managed topology
      CI test suite for `server-del`
      ipa-replica-manage: use `server_del` when removing domain level 1 replica
      remove the master from managed topology during uninstallation
      Fix listing of enabled roles in `server-find`
      Do not update result of *-config-show with empty server attributes
      server-del: harden check for last roles
      perform case-insensitive principal search when canonicalization is requested
      mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
      add case-insensitive matching rule to krbprincipalname index
      add krbCanonicalName to attributes watched by MODRDN plugin
      ipa-kdb: set krbCanonicalName when creating new principals
      ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
      IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
      set krbcanonicalname on host entry during krbinstance configuration
      account for added krbcanonicalname attribute during xmlrpc tests
      Fix incorrect construction of service principal during replica cleanup
      keep setting ipakrbprincipal objectclass on new service entries
      test_serverroles: ensure that test API is initialized with correct ldap_uri
      test-{service,host}-plugin: only expect krbcanonicalname when all=True
      ipapython module for Kerberos principal manipulation and parsing
      Test suite for `ipapython/kerberos.py`
      ipalib: introduce Principal parameter
      Migrate management framework plugins to use Principal parameter
      Add ACI for admins to modify principal attributes
      replace an ACI relying on presence of deprecated objectclass
      Allow for commands that use positional parameters to add/remove attributes
      Make framework consider krbcanonicalname as service primary key
      Provide API for management of host, service, and user principal aliases
      Unify display of principal names/aliases across entities
      Fix incorrect check for principal type when evaluating CA ACLs
      ipa-nis-manage: Use server API to retrieve plugin status
      ipa-compat-manage: use server API to retrieve plugin status
      ipa-advise: correct handling of plugin namespace iteration
      vault-add: set the default vault type on the client side if none was given
      Preserve user principal aliases during rename operation
      messages: specify message type for ResultFormattingError
      DNS install: Ensure that DNS servers container exists
      Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
      allow 'value' output param in commands without primary key
      allow multiple dashes in the components of server hostname
      expose `--secret` option in radiusproxy-* commands
      prevent search for RADIUS proxy servers by secret
      trust-add: handle `--all/--raw` options properly
      baseldap: Fix MidairCollision instantiation during entry modification
      Create indexes for krbCanonicalName attribute
      harden the check for trust namespace overlap in new principals
      re-set canonical principal name on migrated users
      add python-libsss_nss_idmap and python-sss to BuildRequires
      do not use trusted forest name to construct domain admin principal
      Always fetch forest info from root DCs when establishing two-way trust
      factor out `populate_remote_domain` method into module-level function
      Always fetch forest info from root DCs when establishing one-way trust
      raise ValidationError when deprecated param is passed to command
      ldapupdate: Use proper inheritance in BadSyntax exception
      netgroup: avoid extraneous LDAP search when retrieving primary key from DN
      trust-fetch-domains: contact forest DCs when fetching trust domain info
      ipa passwd: use correct normalizer for user principals
      use separate exception handlers for executors and validators
      Make Continuous installer continuous only during execution phase
      Move character escaping function to ipautil
      mod_nss: use more robust quoting of NSSNickname directive
      disable warnings reported by pylint-1.6.4-1
      server-del: fix incorrect check for one IPA master
      upgrade: add replica bind DN group check interval to CA topology config
      replication: ensure bind DN group check interval is set on replica config
      bindinstance: use data in named.conf to determine configuration status
      gracefully handle setting replica bind dn group on old masters
      Revert "upgrade: add replica bind DN group check interval to CA topology config"
      add missing attribute to ipaca replica during CA topology update
      Make `kadmin` family of functions return the result of ipautil.run
      Add a basic test suite for `kadmin.local` interface

Martin Bašti (203):
      Fix DNS tests: dns-resolve returns warning
      Remove unused code in server installer related to KRA
      Fix version comparison
      Fix: replace mkdir with chmod
      Use module variables for timedate_services
      Remove empty test file
      Remove unused imports
      Remove wildcard imports
      Enable multiple warnings checks in Pylint
      Enable pylint lost exception check
      Enable pylint duplicated-key check
      Enable pylint trailing-whitespace check
      Enable pylint missing-final-newline check
      Enable pylint unused-format-string-key check
      Enable pylint expression-not-assigned check
      Enable pylint empty-docstring check
      Enable pylint unnecessary-pass check
      update_uniqueness plugin: fix referenced before assignment error
      Allow to use mixed case for sysrestore
      Upgrade: Fix upgrade of NIS Server configuration
      DNSSEC test: fix adding zones with --skip-overlap-check
      DNSSEC CI: add missing ldns-utils dependency
      Enable pylint unpacking-non-sequence check
      Enable pylint unbalanced-tuple-unpacking check
      CI test: fix regression in task.install_kra
      Warn about potential loss of CA, KRA, DNSSEC during uninstall
      Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
      Exclude o=ipaca subtree from Retro Changelog (syncrepl)
      Fix DNSSEC test: add glue record
      Warn user when ipa *-find reach limit
      DNSSEC CI: fix zone delegations
      make lint: use config file and plugin for pylint
      Upgrade: log to ipaupgrade.log when IPA server is not installed
      Disable new pylint checks
      Py3: do not use dict.iteritems()
      upgrade: fix config of sidgen and extdom plugins
      trusts: use ipaNTTrustPartner attribute to detect trust entries
      Warn user if trust is broken
      fix upgrade: wait for proper DS socket after DS restart
      Revert "test: Temporarily increase timeout in vault test."
      Remove duplicated except
      Pylint: add missing attributes of errors to definitions
      fix permission: Read Replication Agreements
      Make PTR records check optional for IPA installation
      Fix connections to DS during installation
      pylint: suppress false positive no-member errors
      CI: allow customized DS install test to work with domain levels
      fix suspicious except statements
      Remove unused arguments from update_ssh_keys method
      Configure 389ds with "default" cipher suite
      krb5conf: use 'true' instead of 'yes' for forwardable option
      stageuser-activate: Normalize manager value
      Remove redundant parameters from CS.cfg in dogtaginstance
      Use platform path constant for SSSD log dir
      Fix broken trust warnings
      spec: Add missing dependencies to python*-ipalib package
      client: enable ChallengeResponseAuthentication in sshd_config
      pylint: remove bare except
      Pylint: fix definition of global variables
      Pylint: enable pointless-except check
      Pylint: enable reimported check
      Pylint: use list comprehension instead of iteration
      Pylint: import max one module per line
      Pylint: remove unnecessary-semicolon
      Pylint: enable invalid-name check
      SPEC: do not run upgrade when ipa server is not installed
      Fix: catch Exception instead of more specific exception types
      Fix stageuser-activate - managers test
      Add missing pre_common_callback to stageuser_add
      host_del: fix removal of host records
      host_del: replace dns-record find command with show
      host_del: remove unneeded dnszone-show command call
      host_del: split removing A/AAAA and PTR records to separate functions
      host_del: remove only A, AAAA, SSHFP, PTR records
      host_del: update help for --updatedns option
      host-del --updatedns: print warnings instead of error
      Use netifaces module instead of 'ip' command
      Limit max username length to 255 in config-mod
      Increase API version for 'ipamaxusernamelength' attribute change
      Configure httpd service from installer instead of directly from RPM
      Performance: don't download password attributes in host/user-find
      Do not do extra search for ipasshpubkey to generate fingerprints
      Always set hostname
      Remove deprecated hostname restoration from Fedora18
      Remove unused hostname variables
      Log errors from backup_and_replace hostname to logger
      Tasks: raise NotImplementedError for not implemented methods
      fix stageuser tests (removal of has_keytab and has_password from find)
      make: fail when ACI.txt or API.txt differs from values in source code
      ipactl: advertise --ignore-service-failure option
      Remove unused variable and finally block in SchemaCache
      Fix referenced before assignment variables in except statements
      Upgrade: always start CA
      Remove unused variables in automount plugin
      fix pylint false positive errors
      Translations: remove deprecated locale configuration
      Make option --no-members public in CLI
      Performance: Find commands: do not process members by default
      Test: fix failing host_test
      Fix: replace incorrect no_cli with no_option flag
      Fix: topologysuffix_find doesn't have no_members option
      DNS Locations: Always create DNS related privileges
      DNS Locations: add new attributes and objectclasses
      DNS Locations: location-* commands
      DNS Locations: API tests
      Allow to use non-Str attributes as keys for members
      DNS Locations: extend server-* command with locations
      DNS Location: location-show: return list of servers in location
      DNS Locations: when removing location remove it from servers first
      DNS Locations: extend tests with server-* commands
      Upgrade mod_wsgi socket-timeout on existing installation
      Exclude unneeded dirs and files from pylint check
      Fix resolve_rrsets: RRSet is not hashable
      Revert "adtrust: remove nttrustpartner parameter"
      Fix: Local variable s_indent might be referenced before defined
      Revert "Switch /usr/bin/ipa to Python 3"
      Use python2 for ipa cli
      DNS Locations: add index for ipalocation attribute
      DNS Locations: fix location-del
      DNS Locations: add idnsTemplateObject objectclass
      DNS Locations: DNS data management
      DNS Locations: permission: allow to read status of services
      DNS Locations: add ACI for template attribute
      DNS Locations: command dns-update-system-records
      DNS Locations: use dns_update_service_records in installers
      DNS Locations: adtrustinstance simplify dns management
      DNS Locations: use automatic records update in ipa-adtrust-install
      DNS Locations: server-mod: add automatic records update
      DNS Locations: dnsservers: add required objectclasses
      DNS Locations: dnsserver-* commands
      DNS Locations: dnsserver: put server_id option into named.conf
      DNS Locations: dnsserver: use the newer config way in installer
      DNS Locations: dnsserver: remove config when replica is removed
      DNS Locations: set proper substitution variable
      DNS Locations: require to restart named-pkcs11 after location change
      DNS Locations: show warning if there is no DNS servers in location
      DNS Locations: prevent to remove used locations
      DNS Locations: do not generate location records for unused locations
      DNS Locations: location-del: remove location record
      DNS Locations: Rename ipalocationweight to ipaserviceweight
      DNS Locations: generate NTP records
      upgrade: don't fail if zone does not exist in find
      DNS Location: add list of roles and DNS servers to location-show
      DNS Locations: dnsserver: print specific error when DNS is not installed
      Fix possibly undefined variable in ipa_smb_conf_exists()
      Updated IPA translations
      Replica promotion: use the correct IPA domain for replica
      Server-del: fix system records removal
      Increase ipa-getkeytab LDAP timeout to 100sec
      DNS Locations: server-mod: fix if statement
      ipa-rmkeytab, ipa-join: don't fail if init of gettext failed
      Revert "DNS Locations: do not generate location records for unused locations"
      DNS Locations: hide option --no-msdcs in adtrust-install
      DNS Locations: optimization: use server-find to get information
      DNS Locations: cleanup of bininstance
      CA replica promotion: add proper CA DNS records
      Fix replica install with CA
      cert.py split module docstring to multiple ugetext string
      Add option --no-log for ipa-replica-conncheck script
      Do not log to file in remote conncheck side
      Bump SSSD version in requires
      IPA 4.4.0 Translations
      Enable vault-* commands on client
      host-find: do not show SSH key by default
      CI: DNS locations
      Host-del: fix behavior of --updatedns and PTR records
      DNS Locations: fix update-system-records unpacking error
      Use copy when replacing files to keep SELinux context
      CI tests: improve log collecting
      CI tests: fix SSSD log collecting
      idrange: fix unassigned global variable
      Do not initialize API in ipa-client-automount uninstall
      Increase default length of auto generated passwords
      ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
      Fix: container owner should be able to add vault
      Remove forgotten print from DN.__str__ implementation
      Raise DuplicatedEnrty error when user exists in delete_container
      Update translations
      Print to debug output answer from CA
      Revert "Enable LDAPS in replica promotion"
      Become IPA 4.4.1
      Set zanata project-version fo 4.4 branch
      Fix ScriptError to always return string from __str__
      Fix parse errors with link-local addresses
      Allow network ip addresses
      Allow broadcast ip addresses
      Allow multicast addresses in A/AAAA records
      Show warning when net/broadcast IP address is used in installer
      Tests: extend DNS cmdline tests with lowercased record type
      Start named during configuration upgrade.
      Catch DNS exceptions during emptyzones named.conf upgrade
      Abstract procedures for IP address warnings
      Fix missing config.ips in promote_check
      Add check for IP addresses into DNS installer
      Fix regexp patterns in parameters to not enforce length
      Use constant for user and group patterns
      Test: don't use global variable for iteration in test_cert_plugin
      test_text: add test ipa.pot file for tests
      CI: extend replication layouts tests with KRA
      CI: use --setup-kra with replica installation
      CI: Disable KRA install tests on DL0
      Zanata: exclude testing ipa.pot file
      freeipa-4.4.3: update translations

Martin Košek (2):
      Update Developers in Contributors.txt
      Update Contributors.txt

Matt Rogers (1):
      ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1):
      Fix bytes/string handling in rpc

Milan Kubík (26):
      ipatests: replace the test-example.com domain in tests
      ipatests: Roll back the forwarder config after a test case
      ipatests: Fix configuration problems in dns tests
      ipatests: Make the A record for hosts in topology conditional
      ipatests: fix the install of external ca
      ipatests: Add missing certificate profile fixture
      ipatests: extend permission plugin test with new expected output
      spec file: rename the python-polib dependency name to python2-polib
      ipatests: fix for change_principal context manager
      ipatests: Add test case for requesting a certificate with full principal.
      spec: Add python-sssdconfig dependency for python-ipatests package
      ipatests: Tracker implementation for Sub CA feature
      ipatests: Extend CAACL suite to cover Sub CA members
      ipatests: Test Sub CA with CAACL and certificate profile
      ipatests: remove ipacertbase option from test CSR configuration
      ipatests: Add tracker class for kerberos principal aliases
      ipatests: Extend the MockLDAP utility class
      ipatests: Provide a context manager for mocking a trust in RPC tests
      ipatests: Move trust mock helper functions to a separate module
      ipapython: Extend kinit_password to support principal canonicalization
      ipatests: Allow change_principal context manager to use canonicalization
      ipatests: Add kerberos principal alias tests
      ipatests: Fix wrong fixture in kerberos principal alias test
      ipatests: provide context manager for keytab usage in RPC tests
      ipatests: Fix name property on a service tracker
      ipatests: Implement tests with CSRs requesting SAN

Nathaniel McCallum (9):
      Don't error when find_base() fails if a base is not required
      Rename syncreq.[ch] to otpctrl.[ch]
      Ensure that ipa-otpd bind auths validate an OTP
      Return password-only preauth if passwords are allowed
      Enable authentication indicators for OTP and RADIUS
      Migrate from #ifndef guards to #pragma once
      Enable service authentication indicator management
      Add authentication indicators support to Host objects
      Properly handle LDAP socket closures in ipa-otpd

Oleg Fayans (45):
      CI tests: Enabled automatic creation of reverse zone during master installation
      CI tests: Added domain realm as a parameter to master installation in integration tests
      Fixed install_ca and install_kra under domain level 0
      fixed an issue with master installation not creating reverse zone
      Enabled recreation of test directory in apply_common_fixes function
      Updated connect/disconnect replica to work with both domainlevels
      Removed --ip-address option from replica installation
      Removed messing around with resolv.conf
      Integration tests for replica promotion feature
      Enabled setting domain level explicitly in test class
      Removed a constantly failing call to prepare_host
      Made apply_common_fixes call at replica installation independent on domain_level
      Workaround for ticket 5627
      Added copyright info to replica promotion tests
      rewrite a misprocessed teardown_method method as a custom decorator
      Reverted changes in mh fixture causing some tests to fail
      Fixed a bug with prepare_host failing upon existing ipatests folder
      Added a kdestroy call to clean ccache at master/client uninstallation
      Added 5 more tests to Replica Promotion testsuite
      Fixed a failure in legacy_client tests
      Add test if replica is working after domain upgrade
      Improve reporting of failed tests in topology test suite
      Bugfixes in managed topology tests
      A workaround for ticket N 5348
      Added necessary A record for the replica to root zone
      Increased certmonger timeout
      Test for incorrect client domain
      Fixed import error
      Fixed incorrect return code assert
      Fixed incorrect domainlevel determination in tests
      Fixed incorrect sequence of method calls in tasks.py
      Added a sleep interval after domainlevel raise in tests
      Disabled raiseonerr in kinit call during topology level check
      Removed incorrect check for returncode
      Several fixes in replica_promotion tests
      Changed addressing to the client hosts to be replicas
      Test: disabled wrong client domain tests for domlevel 0
      Reverted the assertion for replica uninstall returncode
      tests: Automated clean-ruv subcommand tests
      Automated ipa-replica-manage del tests
      Added interface to certutil
      Test: integration tests for certs in idoverrides feature
      Test for installing rules with service principals
      Created idview tracker
      tests: Added basic tests for certs in idoverrides

Patrice Duc-Jacquet (2):
      Incorrect message when KRA already installed
      Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".

Pavel Vomacka (88):
      Add tool tips for Revert, Refresh, Undo, and Undo All
      Add support for the 'user' url parameter for the reset_password.html
      Add validation to Issue new certificate dialog
      Add pan and zoom functionality to the topology graph
      Nodes stay fixed after initial animation.
      Add field for group id in user add dialog
      Resize topology graph canvas according to window size
      Add X-Frame-Options and frame-ancestors options
      Add activate option to stage user details page
      Add 'skip overlap check' checkbox into add zone dialog
      Add 'skip overlap check' checkbox to the add dns forward zone dialog
      Add option to show OTP when adding host
      Update the delete dialog on details user page
      Add ability to stage multiple users
      Add option to stage user from details page
      Change lang.hitch to javascript bind method
      Change 'Restore' to 'Remove Hold'
      Extend the certificate request dialog
      Auth Indicators WebUI part
      Fix bad searching of reverse DNS zone
      Add adapter attribute for choosing record
      DNS Locations: WebUI part
      Add lists of hosts allowed to create or retrieve keytabs
      Correct a jslint warning
      Association table can be read only
      Extend table facet
      Add server roles on topology page
      Search facet can be without search field
      Add ability to review cert request dialog
      Add new webui plugin - ca
      Extend certificate entity page
      Extend caacl entity
      Make Actions string translatable
      Extend DNS config page
      Extend trust config page
      Add creating a segment using mouse
      Add listener which opens add segment dialog
      Add placeholder to add segment dialog
      Add DNS default TTL field
      Allow to set weight of a server without location
      DNS Servers: Web UI part
      Add support for custom menu in multivalued widget
      Extends functionality of DropdownWidget
      Add working widget
      Add ability to turn off activity icon
      Add Object adapter
      Refactored certificate view and remove hold dialog
      Changed the way how to handle remove hold and revoke actions
      Remove old useless actions - get and view
      Add widget for showing multiple certificates
      Add certificate widget
      Add new certificates widget to the user details page
      Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
      Add new certificates widget to the service details page
      Updated certificates table
      Add new custom command multivalued widget
      Add button for dns_update_system_records command
      Add certificate widget to ID override user details page.
      Add authentication identificator to host page
      Change paths of strings in auth indicators widget on service page
      Simplify the confirmation messages
      Add support to change button css class on confirm dialog
      Add button for server-del command
      Change error handling in custom_command_multivalued_widget
      Set default confirmation button label to 'Remove'
      Add widgets for kerberos aliases
      Add widget for kerberos aliases to user page
      Add widget for kerberos aliases to hosts page
      Add widget for kerberos aliases to service page
      Close host adder dialog before showing 4304 dialog
      Remove navigation using breadcrumb menus
      Fix test_navigation tests
      Fix test which checks removing of user
      Set default delete action name to 'delete'
      Remove full name from adding user to user group dialog
      Add function which check whether the field is empty
      Add jslint into Makefile
      Fix unicode characters in ca and domain adders
      Add warning about only one existing CA server
      Set servers list as default facet in topology facet group
      Add 'trusted to auth as user' checkbox
