[Pkg-freeipa-devel] freeipa: Changes to 'refs/tags/debian/4.6.2-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sat Jan 20 10:51:24 UTC 2018
Tag 'debian/4.6.2-1' created by Timo Aaltonen <tjaalton at debian.org> at 2018-01-20 10:42 +0000
tagging package freeipa version debian/4.6.2-1
Changes since debian/4.4.4-4:
Abhijeet Kasurde (22):
Added a fix for setting Priority as required field in Password Policy Details facet
Add fix for no-hbac-allow option in server install
Provide user hint about IP address in IPA install
Enumerate available options in IPA installer
Fix for handling CalledProcessError in authconfig
Update warning message for ipa server uninstall
Remove deprecated ipa-upgradeconfig command
Update man page of ipa-server-install
Add fix for ipa plugins command
Update warning message for replica install
Minor typo fix in DNS install plugin
Use with statement for opening file
Hide PKI Client database password in log file
Hide request_type doc string in cert-request help
Hide request_type doc string in cert-request help
Minor typo in details.js
Minor typo fixes
Hide PKI Client database password in log file
Vault testcase improvement
tests: correct usage of hostname in logger in tasks
ipatests: Fix interactive prompt in ca_less tests
Trivial typo fix.
Aleksei Slaikovskii (9):
ipapython/graph.py complexity optimization
ipapython/graph.py String formatting
ipapython/graph.py redundant variable fix
Less confusing message for PKINIT configuration during install
ipaclient.plugins.dns: Cast DNS name to unicode
Fix TypeError while ipa-restore is restoring a backup
Add a notice to restart ipa services after certs are installed
View plugin/command help in pager
ipa-restore: Set umask to 0022 while restoring
Alex Zeleznikov (1):
Sort SRV records by priority
Alexander Bokovoy (44):
trustdomain-del: fix the way how subdomain is searched
adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
ipa-kdb: search for password policies globally
ipa-kdb: support KDB DAL version 6.1
pkinit: make sure to have proper dictionary for Kerberos instance on upgrade
add whoami command
ipaserver/dcerpc.py: use arcfour_encrypt from samba
ldap2: use LDAP whoami operation to retrieve bind DN for current connection
ldap2: use LDAP whoami operation to retrieve bind DN for current connection
server: make sure we test for sss_nss_getlistbycert
server: make sure we test for sss_nss_getlistbycert
adtrust: make sure that runtime hostname result is consistent with the configuration
adtrust: make sure that runtime hostname result is consistent with the configuration
ipaserver/dcerpc: unify error processing
ipaserver/dcerpc: unify error processing
trust: always use oddjobd helper for fetching trust information
trust: always use oddjobd helper for fetching trust information
krb5: make sure KDC certificate is readable
krb5: make sure KDC certificate is readable
Fix index definition for ipaAnchorUUID
Fix index definition for ipaAnchorUUID
ipa-kdb: add pkinit authentication indicator in case of a successful certauth
ipa-kdb: add pkinit authentication indicator in case of a successful certauth
trust-mod: allow modifying list of UPNs of a trusted forest
trust-mod: allow modifying list of UPNs of a trusted forest
ipa-sam: use own private structure, not ldapsam_privates
ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
ipa-sam: use own private structure, not ldapsam_privates
ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
dcerpc: support Python 3
csrgen: support openssl 1.0 and 1.1
dsinstance: Restore context after changing dse.ldif
OTP import: support hash names with HMAC- prefix
Make sure upgrade also checks for IPv6 stack
ds: ignore time skew during initial replication step
ipa-replica-manage: implicitly ignore initial time skew in force-sync
adtrust: filter out subdomains when defining our topology to AD
ipa-kdb: override krb5.conf when testing KDC code in cmocka
travis-ci: collect logs from cmocka tests
test_dns_plugin: cope with missing IPv6 in Travis
ipa-extdom-extop: refactor nsswitch operations
ipaserver/plugins/trust.py; fix some indenting issues
trust: detect and error out when non-AD trust with IPA domain name exists
ipaserver/plugins/trust.py: pep8 compliance
Alexander Koksharov (1):
kra-install: better warning message
Ben Lipton (12):
csrgen: Add code to generate scripts that generate CSRs
csrgen: Add CSR generation profile for caIPAserviceCert
csrgen: Add a CSR generation profile for user certificates
csrgen: Use data_sources option to define which fields are rendered
tests: Add tests for CSR autogeneration
csrgen: Automate full cert request flow
csrgen: Allow overriding the CSR generation profile
csrgen: Support encrypted private keys
csrgen: Remove helper abstraction
csrgen: Change to pure openssl config format (no script)
csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
csrgen: Beginnings of NSS database support
Christian Heimes (172):
Use RSA-OAEP instead of RSA PKCS#1 v1.5
Add iSecStore.span
Move ipa.1 man file
Replace ipaplatform's symlinks with a meta importer
Port all setup.py to setuptools
Remove ipapython/ipa.conf
Add __name__ == __main__ guards to setup.pys
Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
Use correct classifiers to make setup.py files PyPI compatible
Don't modify redhat_system_units
Make api.env.nss_dir relative to api.env.confdir
Add install requirements to Python packages
Port ipapython.dnssec.odsmgr to xml.etree
Use xml.etree in ipa-client-automount script
Register entry points of Custodia plugins
ipapython and ipatest no longer require lxml
Add 'ipa localenv' subcommand
Pylint: whitelist packages with extension modules
Minor fixes for IPAVersion class
Don't ship install subpackages with wheels
Replace LooseVersion
Break ipaplatform / ipalib import cycle of hell
Add main guards to a couple of Python scripts
Python3 pylint fixes
Fix Python 3 bugs discovered by pylint
Silence import warnings for Samba bindings
wrap long line
Adjustments for setup requirements
Require python-gssapi >= 1.2.0
Wheel bundles fixes
Require python-cryptography >= 1.3.1
Backwards compatibility with setuptools 0.9.8
Require python-gssapi >= 1.2.0, take 2
Add pylint guard to import of ipaplatform in ipapython.certdb
Remove BIN_FALSE and BIN_TRUE
Remove import of ipaplatform.paths from test_ipalib
Set explicit confdir option for global contexts
Use env var IPA_CONFDIR to get confdir
Fetch correct exception in IPA_CONFDIR test
Ignore backup~ files like config.h.in~
Relax check for .git to support freeipa in submodules
Silence pylint import errors of ipaserver in ipalib and ipaclient
Catch ValueError raised by pytest.config.getoption()
Use pytest conftest.py and drop pytest.ini
Fix used before assignment bug in host_port_open()
pytest: set rules to find test files and functions
ipapython: Add dependencies on version.py
Clean / ignore make check artefact
Print test env information
Enable additional warnings (BytesWarning, DeprecationWarning)
cryptography has deprecated serial in favor of serial_number
Stable _is_null check
test_StrEnum: use int as bad type
Ditch version_info and use version number from ipapython.version
Backup /root/kracert.p12
Faster JSON encoder/decoder
Convert list to tuples
Pretty print JSON in debug mode (debug level >= 2)
Fix test, nested lists are no longer converted to nested tuples
Explain more performance tricks in doc string
New lite-server implementation
Client-only builds with --disable-server
Add missing include of stdint.h for uint8_t
Add --without-ipatests option
lite-server: validate LDAP connection and cache schema
C compilation fixes and hardening
Speed up client schema cache
Drop in-memory copy of schema zip file
Finish port to PyCA cryptography
certdb: Don't restore_context() of new NSSDB
Remove import nss from test_ldap
Remove NSPRError exception from platform tasks
Vault: port key wrapping to python-cryptography
Packaging: Add placeholder packages
Add python-wheel as build requirement
Add placeholders for ipaplatform, ipaserver and ipatests
Add with_wheels global to install wheel and PyPI packaging dependencies
Python build: use --build-base everywhere
pylint: ignore pypi placeholders
Default to pkginstall=true without duplicated definitions
Cleanup certdb
Use https to get security domain from Dogtag
Move csrgen templates into ipaclient package
Chain CSR generator file loaders
Run test_ipaclient test suite
Ignore ipapython/.DEFAULT_PLUGINS
Make pylint and jsl optional
Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
Fix Python 3 pylint errors
Python 3: Fix session storage
Add options to run only ipaclient unittests
Add options to run only ipaclient unittests
Use connection keep-alive
Use connection keep-alive
Add debug logging for keep-alive
Add debug logging for keep-alive
Increase Apache HTTPD's default keep alive timeout
Increase Apache HTTPD's default keep alive timeout
Move helper code for integration plugin
Move helper code for integration plugin
Move config module to ipatests.pytest_plugins.integration.config
Move config module to ipatests.pytest_plugins.integration.config
Move env_config module to ipatests.pytest_plugins.integration.env_config
Move env_config module to ipatests.pytest_plugins.integration.env_config
Move tasks module to ipatests.pytest_plugins.integration.tasks
Move tasks module to ipatests.pytest_plugins.integration.tasks
Move hosts module to ipatests.pytest_plugins.integration.hosts
Move hosts module to ipatests.pytest_plugins.integration.hosts
Move function run_repeatedly to tasks module
Move function run_repeatedly to tasks module
Ship ipatests.pytest_plugins.integration
Ship ipatests.pytest_plugins.integration
Move remaining util functions to tasks module
Move remaining util functions to tasks module
Constrain wheel package versions
Constrain wheel package versions
pytest 3.x compatibility
Simplify KRA transport cert cache
Simplify KRA transport cert cache
Use Custodia 0.3.1 features
Use Custodia 0.3.1 features
Python 3: Fix session storage
Fix ipatests.util doc tests
session storage parameters must be bytes
Add make devcheck for developers
Add make devcheck for developers
Skip test_session_storage in ipaclient unittest mode
Skip test_session_storage in ipaclient unittest mode
Conditionally import pyhbac
Add extra_requires for additional dependencies
Add an option to build ipaserver wheels
Don't hard-code with_wheels
Use entry_points for ipa CLI
Use entry_points for ipa CLI
Replace hard-coded kdcproxy path with WSGI script
Stabilize make pypi_packages
tox testing support for client wheel packages
Regenerate ASN.1 code with asn1c 0.9.28
Replace _BSD_SOURCE with _DEFAULT_SOURCE
tox: use pylint 1.6.x for now
Correct PyPI package dependencies
Band-aid for pip dependency bug
Vault: Explicitly default to 3DES CBC
Vault: Explicitly default to 3DES CBC
Correct PyPI package dependencies
Slim down dependencies
Silence pytest.yield_fixture deprecation warning
Reimplement yield tests are parametrized tests
Misc Python 3 fixes for ipaserver.secrets
Block PyOpenSSL to prevent SELinux execmem in wsgi
Use os.path.isfile() and isdir()
Py3: fix fetching of tar files
Backup ipa-custodia conf and keys
Remove ignore_import_errors
Test script for ipa-custodia
Use namespace-aware meta importer for ipaplatform
Py3: Fix vault tests
Run tox tests for PyPI packages on Travis
Require UTF-8 fs encoding
libotp: add libraries after objects
Prevent installation of Py2 and Py3 mod_wsgi
Use Python 3 on Travis
Reproducer for bug in structured dnsrecord_show
Fix dict iteration bug in dnsrecord_show
Add workaround for pytest 3.3.0 bug
Update builddep command to install Python 3 and tox deps
Update to python-ldap 3.0.0
Remove Custodia keys on uninstall
Add python_requires to Python package metadata
Add marker needs_ipaapi and option to skip tests
Add make targets for fast linting and testing
Update IPA_GIT_BRANCH to ipa-4-6
David Kreitschmann (4):
Fix libkrb5 filename for macOS
Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Store help in Schema before writing to disk
Disable pylint in get_help function because of type confusion.
David Kupka (55):
schema cache: Store and check info for pre-schema servers
UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
tests: Mark Dogtag acceptance tests
tests: Mark 389-ds acceptance tests
ipaclient.plugins: Use api_version from internally called commands
password policy: Add explicit default password policy for hosts and services
tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
installer: Stop adding distro-specific NTP servers into ntp.conf
schema_cache: Make handling of string compatible with python3
ipaclient: schema cache: Handle malformed server info data gracefully
build: Add missing dependency on libxmlrpc{,_util}
stageuser: Add stageuser-{add,remove}-cert
stageuser: Add stageuser-{add,remove}-principal
ipalib.x509: Handle missing SAN gracefully
tests: add-remove-cert: Use harcoded certificates instead of requesting them
tests: Stageuser-{add,remove}-cert
tests: kerberos_principal_aliases: Deduplicate tests
tests: Add tests for kerberos principal aliases in stageuser
Bump required version of gssproxy to 0.7.0
rpcserver: x509_login: Handle unsuccessful certificate login gracefully
ipapython.ipautil.nolog_replace: Do not replace empty value
ipapython.ipautil.nolog_replace: Do not replace empty value
Create temporaty directories at the begining of uninstall
Create temporaty directories at the begining of uninstall
rpcserver.login_x509: Actually return reply from __call__ method
rpcserver.login_x509: Actually return reply from __call__ method
spec file: Bump requires to make Certificate Login in WebUI work
spec file: Bump requires to make Certificate Login in WebUI work
httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
WebUI: cert login: Configure name of parameter used to pass username
WebUI: cert login: Configure name of parameter used to pass username
Create system users for FreeIPA services during package installation
Create system users for FreeIPA services during package installation
Bump version of ipa.conf file
Bump version of ipa.conf file
otptoken-add-yubikey: When --digits not provided use default value
otptoken-add-yubikey: When --digits not provided use default value
ipapython.ipautil.run: Add option to set umask before executing command
ipapython.ipautil.run: Add option to set umask before executing command
kra: promote: Get ticket before calling custodia
kra: promote: Get ticket before calling custodia
install: replica: Show message about key synchronization
tests: tracker: Split Tracker into one-purpose Trackers
tests: tracker: Add EnableTracker to test *-{enable,disable} commands
tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands
tests: tracker: Add CertmapTracker for testing certmap-* commands
tests: certmap: Add basic tests for certmaprule commands
tests: certmap: Test permissions for certmap
tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
tests: certmap: Add test for certmapconfig-{mod,show}
tests: tracker: Add CertmapdataMixin tracker
tests: certmap: Add test for user-{add,remove}-certmap
tests: Add LDAP URI to ldappasswd explicitly
schema: Fix internal error in param-{find,show} with nonexistent object
Fabiano Fidêncio (2):
Allow erasing ipaDomainResolutionOrder attribute
Allow erasing ipaDomainResolutionOrder attribute
Felipe Barreto (6):
Fixing param-{find,show} and output-{find,show} commands
Fixing tox and pylint errors
Checks if replica-s4u2proxy.ldif should be applied
Fix log capture when running pytests_multihosts commands
Removing replica-s4u2proxy.ldif since it's not used anymore
Warning the user when using a loopback IP as forwarder
Felipe Volpone (13):
Fixing the cert-request comparing whole email address case-sensitively.
Fixing adding authenticator indicators to host
Fixing adding authenticator indicators to host
Changing cert-find to do not use only primary key to search in LDAP.
Changing cert-find to do not use only primary key to search in LDAP.
Changing cert-find to go through the proxy instead of using the port 8080
Changing cert-find to go through the proxy instead of using the port 8080
Adding section "Building FreeIPA from source" on README
py3: fixing zonemgr_callback
Changing how commands handles error when it can't connect to IPA server
Removing part of circular dependency of ipalib in ipaplaform
Fixing how sssd.conf is updated when promoting a client to replica
Changing idoverrideuser-* to treat objectClass case insensitively
Florence Blanc-Renaud (72):
Fix ipa-certupdate for CA-less installation
Fix regression introduced in ipa-certupdate
Add cert checks in ipa-server-certinstall
Fix ipa-cacert-manage man page
Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
Refactor installer code requesting certificates
Fix renewal lock issues on installation
Fix ipa migrate-ds when it finds a search reference
Fix ipa-replica-install when upgrade from ca-less to ca-full
Check the result of cert request in replica installer
Increase the timeout waiting for certificate issuance in installer
ipa-restore must stop tracking PKINIT cert in the preparation phase
ipa-kra-install must create directory if it does not exist
Do not configure PKI ajp redirection to use "::1"
Fix ipa.service unit re. gssproxy
Define template version in certmap.conf
Support for Certificate Identity Mapping
ipa systemd unit should define Wants=network instead of Requires=network
IdM Server: list all Employees with matching Smart Card
Installation must publish CA cert in /usr/share/ipa/html/ca.crt
man ipa-cacert-manage install needs clarification
man ipa-cacert-manage install needs clarification
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org
ipa-ca-install man page: Add domain level 1 help
ipa-ca-install man page: Add domain level 1 help
idrange-add: properly handle empty --dom-name option
idrange-add: properly handle empty --dom-name option
ipa-sam: create the gidNumber attribute in the trusted domain entry
ipa-sam: create the gidNumber attribute in the trusted domain entry
Upgrade: add gidnumber to trusted domain entry
Upgrade: add gidnumber to trusted domain entry
tests: add non-reg for idrange-add
tests: add non-reg for idrange-add
upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
vault: piped input for ipa vault-add fails
vault: piped input for ipa vault-add fails
ipa-client-install: remove extra space in pkinit_anchors definition
ipa-client-install: remove extra space in pkinit_anchors definition
ipa-server-install with external CA: fix pkinit cert issuance
ipa-server-install with external CA: fix pkinit cert issuance
ipa-kra-install: fix check_host_keys
ipa-kra-install: fix check_host_keys
ipa-kra-install manpage: document domain-level 1
ipa-kra-install manpage: document domain-level 1
ipa-server-install: fix uninstall
ipa-server-install: fix uninstall
ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa-replica-manage del (dl 0): remove server from defaultServerList
ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
ipa-replica-conncheck: handle ssh not installed
ipa-replica-conncheck: handle ssh not installed
Fix ipa-server-upgrade: This entry already exists
Fix Certificate renewal (with ext ca)
Fix ipa config-mod --ca-renewal-master
Python3: Fix winsync replication agreement
Fix ipa-server-upgrade with server cert tracking
ipa-server-upgrade: fix the logic for tracking certs
ipa-server-upgrade: do not add untracked certs to the request list
ipa-cacert-manage renew: switch from ext-signed CA to self-signed
py3: fix ipa cert-request --database ...
Fix ipa-replica-conncheck when called with --principal
Py3: fix ipa-replica-conncheck
ipa-getkeytab man page: add more details about the -r option
Fix ipa-restore (python2)
Fix ca less IPA install on fips mode
Improve help message for ipa trust-add --range-type
Fraser Tweedale (92):
Track lightweight CAs on replica installation
Add ca-disable and ca-enable commands
Allow Dogtag RestClient to perform requests without logging in
Add HTTPRequestError class
Use Dogtag REST API for certificate requests
cert-request: raise CertificateOperationError if CA disabled
Make host/service cert revocation aware of lightweight CAs
cert-request: raise error when request fails
Fix cert revocation when removing all certs via host/service-mod
sudorule: add SELinux transition examples to plugin doc
spec: require Dogtag >= 10.3.5-6
Add commentary about CA deletion to plugin doc
Do not create Object Signing certificate
cert-show: show validity in default output
dn: support conversion from python-cryptography Name
pkcs10: use python-cryptography for CSR processing
pkcs10: remove pyasn1 PKCS #10 spec
x509: avoid use of nss.data_to_hex
x509: use pyasn1-modules X.509 specs
x509: use python-cryptography to process certs
Remove __main__ code from ipalib.x509 and ipalib.pkcs10
Ensure correct IPA CA nickname in DS and HTTP NSSDBs
cert-request: accept CSRs with extraneous data
Remove references to ds_newinst.pl
cert-request: match names against principal aliases
Add function for extracting PEM certs from PKCS #7
certdb: accumulate extracted certs as list of PEMs
Add options to write lightweight CA cert or chain to file
Fix regression in test suite
certprofile-mod: correctly authorise config update
Fix DL1 replica installation in CA-less topology
Remove "Request Certificate with SubjectAltName" permission
Set up DS TLS on replica in CA-less topology
dsinstance: minor string fixes
Refactor and relocate set_subject_base_in_config
installutils: remove hardcoded subject DN assumption
installer: rename --subject to --subject-base
Extract function for computing default subject base
ipa-ca-install: add missing --subject-base option
dsinstance: extract function for writing certmap.conf
Reuse self.api when executing ca_enabled_check
Allow full customisability of IPA CA subject DN
Indicate that ca subject / subject base uses LDAP RDN order
Add sanity checks for use of --ca-subject and --subject-base
private_ccache: yield ccache name
Fix reference before assignment
replica install: relax domain level check for promotion
ca: correctly authorise ca-del, ca-enable and ca-disable
dogtag: remove redundant property definition
Remove redundant principal_type argument
Extract method to map principal to princpal type
rabase.get_certificate: make serial number arg mandatory
Support 8192-bit RSA keys in default cert profile
Support 8192-bit RSA keys in default cert profile
Add Subject Key Identifier to CA cert validity check
ca-add: validate Subject DN name attributes
py3: fix regression in schemaupdate
Add a README to certificate profile templates directory
Add CommonNameToSANDefault to default cert profile
Add CommonNameToSANDefault to default cert profile
cert-request: simplify request processing
Restore old version of caIPAserviceCert for upgrade only
Fix incorrect 'with' statement in CA-less installation
py3: fix schema response for py2 server with py3 client
cert: fix application of 'str' to bytes when formatting otherName
py3: fix vault public key decoding
py3: handle bytes in schema response
Fix external renewal for CA with non-default subject DN
issue_server_cert: avoid application of str to bytes
ipa-pki-retrieve-key: ensure we do not crash
py3: fix pkcs7 file processing
cli: simplify parsing of arbitrary types
Remove duplicate references to external CA type
install: allow specifying external CA template
ipa-ca-install: add --external-ca-profile option
certmonger: refactor 'resubmit_request' and 'modify'
certmonger: add support for MS V2 template
ipa-cacert-manage: support MS V2 template extension
Add tests for external CA profile specifiers
ipa-cacert-manage: handle alternative tracking request CA name
ipa-cacert-manage: avoid some duplicate string definitions
Remove mention of firefox plugin after CA-less install
Remove XPI and JAR MIME types from httpd config
CertDB: remove unused method issue_signing_cert
Remove caJarSigningCert profile and related code
Re-enable some KRA installation tests
Use correct version of Python in RPM scripts
renew_ra_cert: fix update of IPA RA user entry
CertUpdate: make it easy to invoke from other programs
ipa-ca-install: run certupdate as initial step
Run certupdate after promoting to CA-ful deployment
ipa_certupdate: avoid classmethod and staticmethod
Gabe Alford (4):
Allow nsaccountlock to be searched in user-find command
Add --password-expiration to allow admin to force user password expiration
Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Ganna Kaihorodova (7):
Unaccessible variable self.attrs in Tracker
Tests: Add tree root domain role in legacy client tests
Tests: Stage User Tracker implementation
Stage User: Test to create stage user with minimal values
User Tracker: creation of user with minimal values
User Tracker: Test to create user with minimal values
Tests: Basic coverage with tree root domain
Jan Barta (8):
pylint: fix simplifiable-if-statement warnings
pylint: fix unneeded-not
pylint: fix pointless-statement
pylint: fix redefine-in-handler
pylint: fix old-style-class
pylint: fix bad-classmethod-argument
pylint: fix bad-mcs-classmethod-argument
pylint: fix bad-mcs-method-argument
Jan Cholasta (209):
cli: use full name when executing a command
dns: normalize record type read interactively in dnsrecord_add
dns: prompt for missing record parts in CLI
dns: fix crash in interactive mode against old servers
cert: fix cert-find --certificate when the cert is not in LDAP
client: remove hard dependency on pam_krb5
dns: re-introduce --raw in dnsrecord-del
test_plugable: update the rest of test_init
cert: add revocation reason back to cert-find output
spec file: clean up BuildRequires
spec file: do not include BuildRequires for lint by default
pylint: enable the import-error check
ipaserver: remove ipalib import from setup.py
makeapi, makeaci: do not fail on missing imports
client: remove unused libcurl build dependency
pwpolicy: do not run klist on import
spec file: bump minimal required version of 389-ds-base
replica install: use one remote CA host name everywhere
replica install: use one remote KRA host name everywhere
install: merge all CA install code paths into one
install: merge all KRA install code paths into one
server install: do not restart httpd during CA install
replica install: merge RA cert import into CA install
replica install: merge KRA agent cert export into KRA install
replica install: fix DS restart failure during replica promotion
install: use ldaps for pkispawn in ipa-ca-install
install: improve CLI positional argument handling
install: simplify CLI option parsing
install: introduce updated knob constructor
install: use standard Python classes to declare knob types
install: declare knob CLI names using the argparse convention
install: make knob base declaration explicit
install: fix subclassing of knob groups
install: introduce installer class hierarchy
install: migrate server installers to the new class hierarchy
install: allow specifying verbosity and console log format in CLI
install: migrate client install to the new class hierarchy
paths: remove DEV_NULL
custodiainstance: automatic restart on config file update
ipapython: move dnssec, p11helper and secrets to ipaserver
ipapython: move certmonger and sysrestore to ipalib.install
certdb: move IPA NSS DB install functions to ipaclient.install
certdb: use a temporary file to pass password to pk12util
ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
ipautil: remove get_domain_name()
ipautil: remove the timeout argument of run()
ipautil: move is_fips_enabled() to ipaplatform.tasks
ipautil: move kinit functions to ipalib.install
ipautil: move file encryption functions to installutils
ipapython: remove hard dependency on ipaplatform
ipalib: move certstore to the install subpackage
constants: remove CACERT
ipalib: remove hard dependency on ipapython
ipaclient: move install modules to the install subpackage
ipaclient: remove hard dependency on ipaplatform
replica install: track the RA agent certificate again
server install: fix external CA install
certdb: fix PKCS#12 import with empty password
spec file: do not define with_lint inside a comment
server install: fix KRA agent PEM file not being created
x509: use PyASN1 to parse PKCS#7
spec file: revert to the previous Release tag
ca: fix ca-find with --pkey-only
renew agent: handle non-replicated certificates
dogtaginstance: track server certificate with our renew agent
cainstance: do not configure renewal guard
client install: correctly report all failures
ipaldap: properly escape raw binary values in LDAP filters
dogtag: search past the first 100 certificates
cert: fix search limit handling in cert-find
ipa-ca-install: do not fail without --subject-base and --ca-subject
tests: add test for PEM certificate files with leading text
replica install: do not log host OTP
ipaldap: preserve order of values in LDAPEntry._sync()
client install: create /etc/ipa/nssdb with correct mode
server upgrade: fix upgrade in CA-less
server upgrade: fix upgrade from pre-4.0
server upgrade: always upgrade KRA agent PEM file
server upgrade: uninstall ipa_memcached properly
scripts, tests: explicitly set confdir in the rest of server code
compat: fix `Any` params in `batch` and `dnsrecord`
server install: do not attempt to issue PKINIT cert in CA-less
dns: fix `dnsrecord_add` interactive mode
config: re-add `init_config` and `config`
ipapython: fix DEFAULT_PLUGINS in version.py
pylint_plugins: add forbidden import checker
certmap: load certificate from file in certmap-match CLI
server install: remove duplicate -w option
install: add missing space in realm_name description
server install: remove duplicate knob definitions
client install: split off SSSD options into a separate class
install CLI: remove magic option groups
install: re-introduce option groups
rpc: fix crash in verbose mode
vault: cache the transport certificate on client
backend plugins: fix crashes in development mode
Travis CI: run tests in development mode
cert: add output file option to cert-request
cert: include certificate chain in cert command output
csrgen: hide cert-get-requestdata in CLI
httpinstance: disable system trust module in /etc/httpd/alias
spec file: add unconditional python-setuptools BuildRequires
slapi plugins: fix CFLAGS
spec file: support build without ipatests
spec file: support client-only build
spec file: always provide python package aliases
tasks: run `systemctl daemon-reload` after httpd.service.d updates
tasks: run `systemctl daemon-reload` after httpd.service.d updates
certs: do not implicitly create DS pin.txt
certs: do not implicitly create DS pin.txt
httpinstance: clean up /etc/httpd/alias on uninstall
httpinstance: clean up /etc/httpd/alias on uninstall
replica prepare: fix wrong IPA CA nickname in replica file
replica prepare: fix wrong IPA CA nickname in replica file
cert: do not limit internal searches in cert-find
cert: do not limit internal searches in cert-find
spec file: bump krb5-devel BuildRequires for certauth
spec file: bump krb5-devel BuildRequires for certauth
spec file: bump libsss_nss_idmap-devel BuildRequires
spec file: bump libsss_nss_idmap-devel BuildRequires
certdb: use certutil and match_hostname for cert verification
setup, pylint, spec file: drop python-nss dependency
certdb: fix `AttributeError` in `verify_ca_cert_validity`
httpinstance: make sure NSS database is backed up
httpinstance: make sure NSS database is backed up
dsinstance: reconnect ldap2 after DS is restarted by certmonger
dsinstance: reconnect ldap2 after DS is restarted by certmonger
httpinstance: avoid httpd restart during certificate request
httpinstance: avoid httpd restart during certificate request
dsinstance, httpinstance: consolidate certificate request code
dsinstance, httpinstance: consolidate certificate request code
install: request service certs after host keytab is set up
install: request service certs after host keytab is set up
renew agent: revert to host keytab authentication
renew agent: revert to host keytab authentication
renew agent, restart scripts: connect to LDAP after kinit
renew agent, restart scripts: connect to LDAP after kinit
cert: defer cert-find result post-processing
cert: defer cert-find result post-processing
configure: fix AC_CHECK_LIB usage
configure: fix AC_CHECK_LIB usage
spec file: bump python-netaddr Requires
spec file: bump krb5 Requires for certauth fixes
spec file: bump krb5 Requires for certauth fixes
spec file: bump python-netaddr Requires
renew agent: respect CA renewal master setting
renew agent: respect CA renewal master setting
server upgrade: always fix certmonger tracking request
server upgrade: always fix certmonger tracking request
cainstance: use correct profile for lightweight CA certificates
cainstance: use correct profile for lightweight CA certificates
renew agent: allow reusing existing certs
renew agent: allow reusing existing certs
renew agent: always export CSR on IPA CA certificate renewal
renew agent: always export CSR on IPA CA certificate renewal
renew agent: get rid of virtual profiles
renew agent: get rid of virtual profiles
ipa-cacert-manage: add --external-ca-type
ipa-cacert-manage: add --external-ca-type
certdb: add named trust flag constants
certdb, certs: make trust flags argument mandatory
certdb: use custom object for trust flags
install: trust IPA CA for PKINIT
client install: fix client PKINIT configuration
install: introduce generic Kerberos Augeas lens
server install: fix KDC PKINIT configuration
certs: do not export keys world-readable in install_key_from_p12
certs: do not export CA certs in install_pem_from_p12
server install: fix KDC certificate validation in CA-less
replica install: respect --pkinit-cert-file
cacert manage: support PKINIT
server certinstall: support PKINIT
certdb: add named trust flag constants
certdb, certs: make trust flags argument mandatory
certdb: use custom object for trust flags
install: trust IPA CA for PKINIT
client install: fix client PKINIT configuration
install: introduce generic Kerberos Augeas lens
server install: fix KDC PKINIT configuration
certs: do not export keys world-readable in install_key_from_p12
certs: do not export CA certs in install_pem_from_p12
server install: fix KDC certificate validation in CA-less
replica install: respect --pkinit-cert-file
cacert manage: support PKINIT
server certinstall: support PKINIT
httpinstance: wait until the service entry is replicated
httpinstance: wait until the service entry is replicated
server certinstall: update KDC master entry
server certinstall: update KDC master entry
pkinit manage: introduce ipa-pkinit-manage
pkinit manage: introduce ipa-pkinit-manage
server upgrade: do not enable PKINIT by default
server upgrade: do not enable PKINIT by default
install: do not assume /etc/krb5.conf.d exists
user, migration: use LDAPClient for ad-hoc LDAP connections
{ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections
test_ldap: drop redundant URI argument
ldap2: remove URI argument from ldap2 constructor
config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`
wsgi, oddjob: remove needless uses of Env
logging: do not configure any handlers by default
logging: port to standard Python logging
logging: use the actual root logger as the root logger
logging: remove object-specific loggers
doc: sync guide.org with cli.py
logging: do not reference loggers in arguments and attributes
logging: do not log into the root logger
logging: do not use `ipa_log_manager` to create module-level loggers
pylint: enable logging checks
John Morris (1):
Increase dbus client timeouts during CA install
Lenka Doudova (23):
Tests: Fix regex errors in integration trust tests
Tests: Add cleanup to integration trust tests
Tests: Fix failing ldap.backend test
Tests: Fix integration sudo tests setup and checks
Tests: Remove SSSD restart from integration tests
Tests: Remove --force options from tracker base class
Tests: Remove unnecessary attributes from base tracker
Tests: Add krb5kdc.service restart to integration trust tests
Tests: Update host test with ipa-join
Tests: Fix host attributes in ipa-join host test
Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
Tests: Remove silent deleting and creating entries by tracker
Tests: Fix failing test_ipalib/test_parameters
Tests: Remove invalid certplugin tests
Tests: Certificate revocation
Tests: Verify that cert commands show CA without --all
Tests: Fix integration sudo test
Tests: Provide AD cleanup for trust tests
Tests: Provide AD cleanup for legacy client tests
Add file_exists method as a member of transport object
Tests: Verify that validity info is present in cert-show and cert-find command
Tests: Providing trust tests with tree root domain
Document make_delete_command method in UserTracker
Lewis Eason (1):
Correct typo estabilish->establish in the install scripts
Ludwig Krispenz (1):
Check for conflict entries before raising domain level
Lukáš Slebodník (6):
CONFIGURE: Fix detection of pylint
CONFIGURE: Update help message for jslint
SPEC: Fix build in mock
ipa_pwd: remove unnecessary dependency on dirsrv plugins
CONFIGURE: Properly detect libpopt on el7
CONFIGURE: Improve detection of xmlrpc_c flags
Martin Babinsky (199):
Always fetch forest info from root DCs when establishing two-way trust
factor out `populate_remote_domain` method into module-level function
Always fetch forest info from root DCs when establishing one-way trust
raise ValidationError when deprecated param is passed to command
ldapupdate: Use proper inheritance in BadSyntax exception
Use Travis-CI for basic sanity checks
advise: Use `name` instead of `__name__` to get plugin names
netgroup: avoid extraneous LDAP search when retrieving primary key from DN
trust-fetch-domains: contact forest DCs when fetching trust domain info
ipa passwd: use correct normalizer for user principals
use separate exception handlers for executors and validators
Make Continuous installer continuous only during execution phase
Move character escaping function to ipautil
mod_nss: use more robust quoting of NSSNickname directive
remove trailing newlines from python modules
do not use keys() method when iterating through dictionaries
Revert "Fix install scripts debugging"
server-del: fix incorrect check for one IPA master
ipa-getkeytab: expose CA cert path as option
extend ipa-getkeytab to support other LDAP bind methods
Modernize ipa-getkeytab test suite
Extend keytab retrieval test suite to cover new options
test_ipagetkeytab: use system-wide IPA CA cert location in tests
CertDB: add API for non-destructive initialization from PKCS#12 bundle
initialize empty /etc/http/alias during server/replica install
certs: do not re-create NSS database when requesting service cert
Separate function to purge IPA host principals from keytab
do partial host enrollment in domain level 0 replica install
fix incorrect invocation of ipa-getkeytab during DL0 host enrollment
service installers: clean up the inheritance
Make service user name a class member of Service
Turn Kerberos-related properties to Service class members
Service: common method for service keytab requests
use DM credentials to retrieve service keytab only in DLO
dsinstance: use keytab retrieval method from parent class
installers: restart DS after KDC is configured
domain-level agnostic keytab retrieval in httpinstance
installutils: remove 'install_service_keytab' function
Fix the naming of ipa-dnskeysyncd service principal
Turn replication manager group into ReplicationManager class member
replication: augment setup_promote_replication method
replication: refactor the code setting principals as replica bind DNs
ensure that the initial sync using GSSAPI works against old masters
Use common procedure to setup initial replication in both domain levels
Improve the robustness FreeIPA's i18n module and its tests
upgrade: add replica bind DN group check interval to CA topology config
replication: ensure bind DN group check interval is set on replica config
Enhance __repr__ method of Principal
Revert "Add 'ipa localenv' subcommand"
Make `env` and `plugins` commands local again
Fix pep-8 transgressions in ipalib/misc.py
Add 'env_confdir' to constants
Configuration file for ipa-docker-test-runner
Use ipa-docker-test-runner to run tests in Travis CI
bindinstance: use data in named.conf to determine configuration status
Revert "upgrade: add replica bind DN group check interval to CA topology config"
add missing attribute to ipaca replica during CA topology update
gracefully handle setting replica bind dn group on old masters
Make `kadmin` family of functions return the result of ipautil.run
Add a basic test suite for `kadmin.local` interface
Bump up ipa-docker-test-runner version
travis: mark FreeIPA as python project
Put the commands informing and displaying build logs on single line
Travis CI: a separate script to run test tasks
Travis: offload test execution to a separate script
split out lint to a separate Travis job
introduce install step to .travis.yml and cache pip installs
Travis CI: use specific Python version during build
Add license headers to the files used by Travis CI
Trim the test runner log to show only pytest failures/errors
Travis CI: actually return non-zero exit status when the test job fails
disable hostname canonicalization by Kerberos library
Fix the installutils.set_directive docstring
installutils: improve directive value parsing in `get_directive`
Delegate directive value quoting/unquoting to separate functions
Explicitly handle quoting/unquoting of NSSNickname directive
Travis CI: Upload the logs from failed jobs to transfer.sh
ipa-adtrust-install: format the code for PEP-8 compliance
Remove unused variables in exception handling
Replace exit() calls with exceptions
Move AD trust installation code to a separate module
allow for more flexibility when requesting service keytab
Make request_service_keytab into a public method
httpinstance: re-use parent's methods to retrieve anonymous keytab
use the methods of the parent class to retrieve CIFS kerberos keys
Refactor the code checking for missing SIDs
only check for netbios name when LDAP backend is connected
Refactor the code searching and presenting missing trust agents
adtrust.py: Use logging to emit error messages
print the installation info only in standalone mode
check for installed dependencies when *not* in standalone mode
Add AD trust installer interface for composite installer
expose AD trust related knobs in composite installers
Merge AD trust configurator into server installer
Merge AD trust configurator into replica installer
Fix erroneous short name options in ipa-adtrust-install man page
Update server/replica installer man pages
Provide basic integration tests for built-in AD trust installer
Allow login to WebUI using Kerberos aliases/enterprise principals
ipa-managed-entries: use server-mode API
ipa-managed-entries: only permit running the command on IPA master
Short name resolution: introduce the required schema
ipaconfig: add the ability to manipulate domain resolution order
idview: add domain_resolution_order attribute
Re-use trust domain retrieval code in certmap validators
idviews: correctly handle modification of non-existent view
Make PKINIT certificate request logic consistent with other installers
Request PKINIT cert directly from Dogtag API on first master
Move PKINIT configuration to a later stage of server/replica install
Make wait_for_entry raise exceptions
check that the master requesting PKINIT cert has KDC enabled
check for replica's KDC entry on master before requesting PKINIT cert
Try out anonymous PKINIT after it is configured
Travis CI: invoke integration test helper scripts before test execution
Upgrade: configure PKINIT after adding anonymous principal
Upgrade: configure PKINIT after adding anonymous principal
Remove unused variable from failed anonymous PKINIT handling
Remove unused variable from failed anonymous PKINIT handling
Split out anonymous PKINIT test to a separate method
Split out anonymous PKINIT test to a separate method
Ensure KDC is properly configured after upgrade
Ensure KDC is properly configured after upgrade
Always check and create anonymous principal during KDC install
Always check and create anonymous principal during KDC install
Remove duplicate functionality in upgrade
Remove duplicate functionality in upgrade
Revert "Store GSSAPI session key in /var/run/ipa"
Revert "Store GSSAPI session key in /var/run/ipa"
separate function to set ipaConfigString values on service entry
separate function to set ipaConfigString values on service entry
Allow for configuration of all three PKINIT variants when deploying KDC
Allow for configuration of all three PKINIT variants when deploying KDC
API for retrieval of master's PKINIT status and publishing it in LDAP
API for retrieval of master's PKINIT status and publishing it in LDAP
Use only anonymous PKINIT to fetch armor ccache
Use only anonymous PKINIT to fetch armor ccache
Stop requesting anonymous keytab and purge all references of it
Stop requesting anonymous keytab and purge all references of it
Use local anchor when armoring password requests
Use local anchor when armoring password requests
Upgrade: configure local/full PKINIT depending on the master status
Upgrade: configure local/full PKINIT depending on the master status
Do not test anonymous PKINIT after install/upgrade
Do not test anonymous PKINIT after install/upgrade
Travis CI: explicitly update pip before running the builds
Travis CI: explicitly update pip before running the builds
Travis CI: Add the server uninstaller as a last step of tests
Allow for multivalued server attributes
Allow for multivalued server attributes
Refactor the role/attribute member reporting code
Refactor the role/attribute member reporting code
Add an attribute reporting client PKINIT-capable servers
Add an attribute reporting client PKINIT-capable servers
Add the list of PKINIT servers as a virtual attribute to global config
Add the list of PKINIT servers as a virtual attribute to global config
Add `pkinit-status` command
Add `pkinit-status` command
test_serverroles: Get rid of MockLDAP and use ldap2 instead
test_serverroles: Get rid of MockLDAP and use ldap2 instead
only stop/disable simple service if it is installed
only stop/disable simple service if it is installed
test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Do not delete DS and PKI users during backup/restore tests
fix incorrect suffix handling in topology checks
fix incorrect suffix handling in topology checks
Extend the advice printing code by some useful abstractions
Extend the advice printing code by some useful abstractions