Draft 4.7.0 release notes. In particular please double check that I didn't miss any enhancements (and that I got the wording right).
I can't think of any Known Issues worth highlighting. I could be wrong.

-----

The FreeIPA team would like to announce the FreeIPA 4.7.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

== Highlights in 4.7.0 ==

=== Enhancements ===

==== mod_ssl ====
IPA has switched to mod_ssl as the crypto engine for Apache. This change will be made automatically when upgrading.

==== NSS sqlite database ====
Fedora 28 changed the default database format type from dbm to sqlite. Theoretically there should be no end-user difference but you will see different file names for your NSS databases: cert9.db, key4.db and pkcs11.txt.

==== authselect ====
Fedora 28 switched to a new PAM configuration tool, authselect.
https://fedoraproject.org/wiki/Changes/Authselect

==== Time server change to chronyd ====
The ntpd service was deprecated in F28. It was replaced by chronyd. The client also uses chrony as its time client.
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

==== Python 3 ====
FreeIPA now fully supports Python 3 and can be installed without any Python 2 dependencies.

=== Known Issues ===

=== Bug fixes ===
FreeIPA 4.7.0 includes all of the bug fixes and enhancements from 4.6.1 - 4.6.4.

There are more than 170 bug fixes, details of which can be seen in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

== Resolved tickets ==
* 7615 ipa_tests: ipa-replica-prepare stuck on user input
* 7550 [WebUI] extend host test suite
* 7547 ui_tests: checkbox click fix
* 7546 ui_tests: improve "field_validation" method
* 7544 ui_tests: extend test_selinuxusermap.py suite
* 7542 CLI and Web UI allow to add more then one radius server into radius proxy
* 7540 Extend WebUI test_krbpolicy suite with the following test cases:
* 7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
* 7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7510 validate_selinuxuser does not allow a period in selinux user identifier
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
* 7485 Extending webui user group test
* 7474 ipa-server-install --uninstall on replica fails with "NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7463 test_webui: add user life-cycles tests
* 7447 test_create_host_with_ip is not fully covering possible return errors
* 7436 ipa: Please log something after restarting the KDC
* 7433 CRL url on replicas gets incorrectly redirected
* 7432 make fasttest fails on fresh clone. fedora26
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
* 7424 Improve Realm Domains doc text
* 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
* 7400 Add excludearch for i686 because 389-ds is no longer doing 32-bit builds
* 7397 ipa host-add --ip-address... returns Internal error when forward-policy=none is defined
* 7394 file conflicts between python2-mod_wsgi and freeipa-server
* 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry enabling TLS in 389-ds
* 7390 cert-request: issuance of malformed certificate causes IPA Internal Error
* 7389 F-27 upgrade to 4.6.3-1 fails with KRA update
* 7383 user-add: user creation proceeds when password is wrong
* 7381 Drop PyOpenSSL requirement
* 7380 Possible regression for limited OTP characters in host-add
* 7378 ipa-ods-exporter fails with socket activation did not return socket
* 7374 IPA 'Generate OTP' option in web gui does not show OTP code when no reverse zone is managed
* 7373 "An internal error has occurred" show up when trying to add a user to the Member User table in Vault.
* 7371 uninstalling replica leaves orphained data in ldap
* 7359 [RFE] extend topology plugin to clean up a removed replica ldap/ principal
* 7357 IntegrationTests do not fail even if the uninstall process fails
* 7342 admins group is not including all permissions of Role "User Administrator"
* 7338 FreeIPA server install/upgrade does not process schema.d/ files correctly
* 7335 Integration tests are not collecting all logs
* 7330 ipa-server-install --uninstall does not return error code on error
* 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't contact LDAP server", 'errno': 111, 'info': 'Connection refused'}
* 7315 Packaging: use pylint 1.7.5 and remove disable for import stat
* 7313 trust integration tests need to override test_establish_trust method when using different trust-add options
* 7308 Help for ipa trust-add --range-type
* 7299 RPM post-install scripts fail because they are run with python2
* 7294 python3 incompatibility in vault_archive
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests
* 7253 Custodia keys are not removed on uninstall
* 7240 ipa-dnskeysyncd broken (and ipactl doesn't tell)
* 7226 Remove remaining references to Firefox configuration extension
* 7220 Third KRA installation in topology fails
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7162 [ipatests] disable replication debugging for 389-ds logs in integration tests
* 7157 [tracker] pyasn1 fails to parse kerberos principal name
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs
* 7150 Ipa-server-install update dse.ldif with wrong SELinux context
* 7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance
* 7143 "unknown command 'undefined'" error when changing user's password via the web UI
* 7136 ipa-restore command doesn't exit with failure if wrong directory manager's password is provided
* 7135 Server deployment still sets up Firefox extension, this is no longer necessary and broken on F27+
* 7134 ipa param-find: command displays internal error
* 7132 [4.6] PyPI packages are broken
* 7131 Finish Python3 support
* 7129 ipa-server/replica-install fails with: "exception: BytesWarning: Comparison between bytes and string" when using '--dirsrv-config-file' parameter
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records
* 7119 kdc_proxy: kinit admin fails with "Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials"
* 7115 ipa-pki-retrieve-key: failure results in crash report
* 7033 vault: TypeError: ... is not JSON serializable
* 7027 Use TLS for cert-find
* 7012 Users can delete their last active OTP token
* 6994 RFE: Remove 389-ds tuning step
* 6968 Consider moving upgrades from rpm install post
* 6874 pylint 1.7.1 fails
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6851 Don't use ctypes.util.find_library in ipaclient
* 6844 ipa-restore fails when umask is set to 0027
* 6721 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process
* 6703 Enable ephemeral KRA requests
* 6609 A CA administrator fails to add CA for Insufficient 'add' privilege
* 5922 ipa vault-archive overwrites an existing value without warning
* 5887 IDNA domains does not work under py3
* 5813 ipa-kra-install disrupts bind-dyndb-ldap
* 5776 webui: some data disappear from user details page after the save action is performed
* 5638 Port client code to Python 3
* 5442 [tracker] SELinux 'execmem' denials
* 7624 [WebUI] wrong link to browser configuration guide on Login page
* 7609 [py37] Import from collections.abc
* 7604 ipa-client-install --mkhomedir doesn't enable oddjobd
* 7591 [freeipa] Drop requirements for 'initscripts' from specfile
* 7590 lightweight subca: ca-show fails on replica
* 7589 cacert renew fails on replica
* 7585 Update to python3-lesscpy 0.13
* 7581 Translated text is formed incorrectly (API Browser)
* 7562 Regression: authselect 0.4-3 breaks FreeIPA sudo rules
* 7560 Do not depend on gnupg (1.x), use gnupg2
* 7559 UI LoginScreen widget cannot be translated
* 7536 [F28] SubCA failing, keys are orphan
* 7533 ipa-advise: remove plugin config-fedora-authconfig
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7516 [F28] ipa-ca-install fails on replica
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7500 FreeIPA can remove svrcore-devel requirement
* 7498 [F28] CA replica fails with could not find certificate named "caSigningCert cert-pki-ca"
* 7491 Unknown user 'ipaapi' when updating packages
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7471 [F28] replica pkispawn fails
* 7469 ipa-replica-prepare fail with "stat: path should be string, bytes, os.PathLike or integer, not NoneType"
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7465 [F28] oddjobd not started, replica install fails with dbus error in conn check
* 7464 CI is failing with pkispawn timeout
* 7461 Hardening of topology plugin to prevent erronous deletion of a replica agreement
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7421 Store HTTPD private keys encrypted
* 7418 [RFE] Improve ipa-client-install behaviour when non-standard ldap.conf is used
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install trust-agent on replica
* 7396 ipa-client-automount --uninstall should return errcode CLIENT_NOT_CONFIGURED
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7354 Fedora 28: Support NSSDB SQL format
* 7322 cert_find --subject is not finding by cert subject
* 7311 Update ui_driver to allow set path for geckodriver.log
* 7310 Integration tests don't collect logs from other replicas
* 7309 Integration tests: CA-less -> CA-ful promotion; post-promotion checks
* 7304 double ca acl provoke console error.
* 7302 test_external_ca: add selfsigned > external_ca > selfsigned test case
* 7301 Drop dependency on Python nose
* 7300 test_x509: test very long OID
* 7295 Build freeIPA with Python3 in @freeipa/freeipa-master-nightly
* 7278 Run WebUI unit test in TravisCI
* 7274 ipa-replica-install fails with PIN error [ CA-less environment ]
* 7263 Typo in login screen
* 7258 typo in accounts menu
* 7257 DNSSEC isn't supported in Python3
* 7251 f.flush() or os.fsync() don't sync
* 7246 Report CA Subject DN and subject base before installing.
* 7239 Using --auto-reverse and --allow-zone-overlap does not skip zone overlap check
* 7225 CLI: view command / plugin help in pager
* 7224 Logging: ipa-replica-conncheck is missing a /n
* 7207 ipa-server-install should prevent installations with single label domains
* 7201 ipa-replica-manage re-initialize TypeError: 'NoneType' object does not support item assignment
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug
* 7049 Prepare for NSS switch default database to sqlite in F-27
* 7024 freeipa depends on ntp
* 6931 custodia user isn't created when FreeIPA RPMs are installed
* 6890 Quickstart guide: mention how to open firewall ports
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 6837 make ipa.conf and named.conf portable
* 6760 Improve console message for "ipa-server-install --uninstall" command
* 6604 Make pylint and jsl optional (and other issues)
* 6589 client should require /etc/krb5.conf.d/
* 6450 pylint: cyclic dep check sometimes makes build fail
* 4853 Utilize system-wide crypto-policies
* 4140 Configure the NSS shared database model in IPA servers
* 3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
* 2536 Create DOAP description for the IPA project

== Detailed changelog since 4.6.4 ==

=== Armando Neto (9) ===
* Disable Pylint 2.0 violations
* Fix Pylint 2.0 violations
* Fix pylint 2.0 conditional-related violations
* Fix pylint 2.0 return-related violations
* Replace file.flush() calls with flush_sync() helper
* ipa-server-install: fix zonemgr argument validator
* ipa-client-install: Update how comments are added by ipachangeconf
* ui_tests: fix test_config::test_size_limits
* Prevent the creation on users and groups with numeric characters only

=== Alexander Bokovoy (28) ===
* ipaserver/dcerpc.py: handle indirect topology conflicts
* pylint3: workaround false positives reported for W1662
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
* dsinstance: Restore context after changing dse.ldif

=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks

=== Alexander Koksharov (4) ===
* Fix replica_promotion-domlevel0 test failures
* preventing ldap principal to be deleted
* ensuring 389-ds plugins are enabled after install
* kra-install: better warning message

=== Alexey Slaykovsky (2) ===
* Make tox tests to generate results in JUnit XML
* Make WebUI unit tests to generate results as JUnit

=== amitkuma (13) ===
* Match Common Name attribute in Subject
* ipa vault-archive overwrites an existing value without warning
* ipa-advise: remove plugin config-fedora-authconfig
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client
* Error message while adding idrange with untrusted domain
* Removing extra spaces present in man ipa-server-install
* ipa-advise for smartcards updated
* Custom ca-subject logging
* Documenting kinit_lifetime in /etc/ipa/default.conf

=== Anuja More (5) ===
* Test for ipa-client-install should not use hardcoded admin principal
* Test that host can remove there own services
* Test for ipa-replica-install fails with PIN error for CA-less env.
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage

=== Aleksei Slaikovskii (15) ===
* Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
* Uninstall fix for named-pkcs11
* Radius proxy multiservers fix
* test_backup_and_restore.py Fix logging
* Enable and start oddjobd after ipa-restore if it's not running.
* Fixing translation problems
* test_backup_and_restore.py AssertionError fix
* ipalib/frontend.py output_for_cli loops optimization
* View plugin/command help in pager
* ipa-restore: Set umask to 0022 while restoring
* Prevent installation with single label domains
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install

=== Brian J. Murrell (1) ===
* Move ETag disabling to /ipa virtual server

=== Christian Heimes (191) ===
* Remove needless use of %defatt
* Add more RHEL customizations to spec file
* Update builddep command in BUILD.txt
* Use python2_sitelib in spec file
* Fedora 29: No longer build python2-ipaserver
* Add pylint ignore to magic config.Env attributes
* Teach pylint how our api works
* Fix ipa console filename
* Create helper function to upload to temp file
* Add tab completion and history to ipa console
* Handle races in replica config
* pylint 2.0: node.path is a list
* Fix XPASS in test_installation
* Mark all expected failures as strict
* Fix DNSSEC install regression
* Wait for client certificates
* Auto-retry failed certmonger requests
* Tune DS replication settings
* Fix race condition in get_locations_records()
* Fix CA topology warning
* Delay enabling services until end of installer
* Only create DNS SRV records for ready server
* Query for server role IPA master
* Cleanup shebang and executable bit
* Import ABCs from collections.abc
* Require JSS 4.4.5 with replication fixes
* Extend Sub CA replication test
* pylint: Class node has been renamed to ClassDef
* Pythhon3.7: re module has no re._pattern_type
* Catch ACIError instead of invalid credentials
* Fix permission of public files in upgrader
* Make /etc/httpd/alias world readable & executable
* Always make ipa.p11-kit world-readable
* Ensure that public cert and CA bundle are readable
* Use 4 WSGI workers on 64bit systems
* Fix replication races in Dogtag admin code
* Use common replication wait timeout of 5min
* Improve and fix timeout bug in wait_for_entry()
* Remove restarted_named and xfail
* Tests: Set default TTL for DNS zones to 1 sec
* Always set ca_host when installing replica
* Start to deprecate Python 2 and 3.5
* Sort and shuffle SRV record by priority and weight
* Increase WSGI process count to 5 on 64bit
* Fedora 29 renamed fedora-domainname.service
* Use python3-lesscpy 0.13.0
* Split external_ca PR-CI into two jobs
* Always build Python 3 packages
* Make Python 2 build dependency optional
* Use one Custodia peer to retrieve all secrets
* Move client templates to separate directory
* Print version string in installer
* Backport gzip.decompress for Python 2
* Require JSS 4.4.4 with fix for sub CA replication
* Refuse PORT, HOST in /etc/openldap/ldap.conf
* Apply sane LDAP settings to C code
* Use sane default settings for ldap connections
* Add test case for allow-create-keytab
* Use GnuPG 2 for backup/restore
* Use GnuPG 2 for symmentric encryption
* Require python-ldap >= 3.1.0
* Reproducer for issue 5923 (bytes in error response)
* Run PR-CI with Fedora 28
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes
* Relax message check in test_create_host_with_ip
* Make fasttest pass without ~/.ipa/default.conf
* Instrument installer to profile steps
* autoconf prefers Python 3 over 2
* Simplify Python package installation
* Move DNS related files to server-dns package
* Silence GCC warning in ipa_extdom
* Silence GCC warning in ipa-kdb
* Remove unused modutils wrappers from NSS/CertDB
* Update /etc/ipa/nssdb in client scripts
* NSS: Force restore of SELinux context
* NSSDB: Let certutil decide its default db type
* Prepare migration of mod_nss NSSDB to sql format
* certmonger: Use explicit storage format
* Remove deprecated -p option from ipa-dns-install
* Add mocked test for named crypto policy update
* Upgrade named.conf to include crypto policy
* Use system-wide crypto-policies on Fedora
* Add better CalledProcessError and run() logging
* freeipa-server no longer supports i686 arch on F28
* ipa-custodia-checker now uses python3 shebang
* Unified ldap_initialize() function
* Fix multiple uninstallation of server
* Fix i18n test for Chinese translation
* Run API and ACI under Python 2 and 3
* Generate same API.txt under Python 2 and 3
* Replace wsgi package conflict with config file
* Restart named-pkcs11 after KRA installation
* Update existing 389-DS cn=RSA,cn=encryption config
* Replace hard-coded paths with path constants
* Bump python-ldap version to fix syncrepl bug
* Bump SELinux policy for DNSSEC
* ipa-server-upgrade now checks custodia server keys
* DNSSEC code cleanup
* DNSSEC: Reformat lines to address PEP8 violations
* Decode ODS commands
* Run DNSSEC under Python 3
* More DNSSEC house keeping
* Remove unused PyOpenSSL from spec file
* Give ODS socket a bit of time
* Require dbus-python on F27
* Fix pylint error in ipapython/dn.py
* Lower python-ldap requirement for F27
* ipa-run-tests: make --ignore absolute, too
* Sort external schema files
* LGTM: unnecessary else in for loop
* LGTM: Use explicit string concatenation
* LGTM: raise handle_not_found()
* LGTM: Fix multiple use before assignment
* LGTM: Remove redundant assignment
* LGTM: Fix exception in permission_del
* LGTM: Membership test with a non-container
* LGTM: Name unused variable in loop
* LGTM: Use of exit() or quit()
* LGTM: Silence unmatchable dollar
* Make fastlint even faster
* ipa-run-tests: replace chdir with plugin
* Include ipa_krb5.h without util prefix
* Custodia uninstall: Don't fail when LDAP is down
* Require python-ldap 3.0.0b2
* Use pylint 1.7.5 with fix for bad python3 import
* Vault: Add argument checks to encrypt/decrypt
* Fix pylint warnings inconsistent-return-statements
* Travis: Add workaround for missing IPv6 support
* Replace nose with unittest and pytest
* Add safe DirectiveSetter context manager
* More log in verbs
* Address more 'to login'
* Fix grammar error: Log out
* Fix grammar in login screen
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* NSSDB: use preferred convert command
* Skip test_rpcclient_context in client tests
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* Require UTF-8 fs encoding
* libotp: add libraries after objects
* Run tox tests for PyPI packages on Travis
* Support sqlite NSSDB
* Py3: Fix vault tests
* Test script for ipa-custodia
* ipa-custodia: use Dogtag's alias/pwdfile.txt
* Use namespace-aware meta importer for ipaplatform
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi

=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly

=== Felipe Barreto (38) ===
* Adding xfail to failing tests
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct
* prci: Bump ci-master-f27 template to 1.0.3
* Adding more tests to PR CI
* Fixing cleanup process in test_caless
* WebUI Tests: changing the ActionsChains.move_to_element to a new approach
* WebUI Tests: fixing test_user.py::test_test_noprivate_posix
* WebUI Tests: Changing how the initial load process is done
* WebUI Tests: fixing test_range test case
* WebUI Tests: changing how the login screen is detected
* WebUI Tests: refactoring login method to be more readable
* WebUI Tests: fixing test_navigation
* WebUI Tests: fixing test_group
* WebUI Tests: fixing test_hbac
* Check if replication agreement exist before enable/disable it
* Make IntegrationTest fail if an error happened during uninstall
* IntegrationTests now collects logs from all test methods
* Fixing vault-add-member to be compatible with py3
* Fixing test_backup_and_restore assert to do not rely on the order
* Fixing test_testconfig with proper asserts
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
* Checks if Dir Server is installed and running before IPA installation
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica

=== François Cami (1) ===
* 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.

=== Florence Blanc-Renaud (38) ===
* ipa client uninstall: clean the state store when restoring hostname
* Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
* ipa-client-install: enable and start oddjobd if mkhomedir
* fix dependency for *-domainname.service file
* Installer: configure authselect with-sudo
* Test for 7526
* ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master
* ipa-restore: remove /etc/httpd/conf.d/nss.conf
* ipa-server-install: handle error when calling kdb5_util create
* ipa host-add: do not raise exception when reverse record not added
* ACI: grant access to admins group instead of admin user
* 389-ds OTP lasttoken plugin: Add unit test
* User must not be able to delete his last active otp token
* ipa host-add --ip-address: properly handle NoNameservers
* test_integration: backup custodia conf and keys
* Idviews: fix objectclass violation on idview-add
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-replica-install when key not protected by PIN
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
* Fix ipa-server-upgrade with server cert tracking
* Python3: Fix winsync replication agreement
* Fix ipa config-mod --ca-renewal-master

=== Fraser Tweedale (52) ===
* Add missing space in error string
* Handle compressed responses from Dogtag
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout
* upgrade: remove fix_trust_flags procedure
* ldap2: fix implementation of can_add
* ipaldap: allow GetEffectiveRights on individual operations
* Update IPA CA issuer DN upon renewal
* cert-request: avoid internal error when cert malformed
* Improve warning message for malformed certificates
* Don't use admin cert during KRA installation
* Add uniqueness constraint on CA ACL name
* Add tests for installutils.set_directive
* installutils: refactor set_directive
* pep8: reduce line lengths in CAInstance.__enable_crl_publish
* Prevent set_directive from clobbering other keys
* install: report CA Subject DN and subject base to be used
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes

=== Ganna Kaihorodova (7) ===
* check nsds5ReplicaReleaseTimeout option was set
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder
* Overide trust methods for integration tests

=== John Morris (1) ===
* Increase dbus client timeouts during CA install

=== Justin Stephenson (1) ===
* Skip zone overlap check with auto-reverse

=== Kaleemullah Siddiqui (1) ===
* Test coverage for multiservers for radius proxy

=== Martin Basti (3) ===
* py3: bindmgr: fix iteration over bytes
* py3: ipa-dnskeysyncd: fix bytes issues
* py3: set samba dependencies

=== Takeshi MIZUTA (1) ===
* Fix some typos in man page

=== Michal Reznik (54) ===
* Mark DL0 TestReplicaManageDel tests as xfail
* ipa_tests: ipa-replica-prepare stuck on user input
* ui_tests: stabilization fixes
* ui_tests: extend test_config.py suite
* ui_tests: fixes for issues with sending key and focus on element
* ui_tests: add click_undo_button() func
* ui_tests: extend test_selinuxusermap.py suite
* ui_tests: improve "field_validation" method
* ui_tests: checkbox click fix
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function
* test_caless: adjust try/except to capture also IOError
* ipa_tests: test signing request with subca on replica
* tests: ca-less to ca-full - remove certupdate
* ipa_tests: test subca key replication
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test
PKINIT install and anchor update * test_renewal_master: add ipa csreplica-manage test * test_cert_plugin: check if SAN is added with default profile * test_help: test "help" command without cache * test_x509: test very long OID * test_batch_plugin: fix py2/3 failing assertion * test_vault: increase WAIT_AFTER_ARCHIVE * test_caless: fix http.p12 is not valid * test_caless: fix TypeError on domain_level compare * manpage: ipa-replica-conncheck - fix minor typo * test_external_dns: add missing test cases * test_caless: open CA cert in binary mode * test_forced_client: decode get_file_contents() result * tests: add host zone with overlap * tests_py3: decode get_file_contents() result * test_caless: add caless to external CA test * test_external_ca: switch to python-cryptography === Varun Mylaraiah (5) === * ui_tests: extend test_pwpolicy.py suite * Extend WebUI test_krbpolicy suite with the following test cases: test_verifying_button (verify button's action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit * WebUI tests: Extend netgroup tests with more scenarios * Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags * WebUI tests: Extend user group tests with more scenarios === Mohammad Rizwan Yusuf (9) === * Check if issuer DN is updated after self-signed > external-ca * Extended UI test for Certificates * Extended UI test for selfservice permission. * Test to check second replica installation after master restore * Before the fix, when ipa-backup was called for the first time, the LDAP database exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root. * Updated the TestExternalCA with the functions introduced for the steps of external CA installation. 
* When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail. * IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address. * ipatest: replica install with existing entry on master === Nikhil Dehadrai (1) === * Test for improved Custodia key distribution === Armando Neto (1) === * ipaserver config plugin: Increase search records minimum limit === Nathaniel McCallum (3) === * Revert "Don't allow OTP or RADIUS in FIPS mode" * Increase the default token key size * Fix OTP validation in FIPS mode === Petr Čech (3) === * webui:tests: Add tests for realmd domains * tests: Mark failing tests as failing * ipatests: Fix on logs collection === Pavel Picka (2) === * Adding WebUI Host test cases * WebUI Hostgroups tests cases added === Petr Vobornik (17) === * Update Dojo and Dojo builder to 1.13.0 * WebUI build: use NodeJS instead of Rhino * WebUI build: replace uglifyjs with system package * Fix test_server_del::TestLastServices * server-del do not return early if CA renewal master cannot be changed * webui: refresh complex pages after modification * Fix order of commands in test for removing topology segments * webui tests: fix test_host:test_crud failure * realm domains: improve doc text * webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes * Revert "temp commit to run the affected tests" * temp commit to run the affected tests * webui:tests: close big notifications in realm domains tests * webui:tests: realm domain add with DNS check * webui:tests: move DNS test data to separate file * fastcheck: do not test context in pycodestyle * browser config: cleanup after removal of Firefox extension === Pavel Vomacka (16) === * WebUI: make keytab tables on service and host pages writable * Include npm 
related files into Makefile and .gitignore * Update jsl.conf in tests subfolder * Edit TravisCI conf files to run WebUI unit tests * Update README about WebUI unit tests * Update tests * Create symlink to qunit.js * Update jsl to not warn about module in Gruntfile * Add Gruntfile and package.json to ui directory * Update QUnit CSS file to 2.4.1 * Update qunit.js to version 2.4.1 * Extend ui_driver to support geckodriver log_path * WebUI: make Domain Resolution Order writable * WebUI: Fix calling undefined method during reset passwords * WebUI: remove unused parameter from get_whoami_command * Adds whoami DS plugin in case that plugin is missing === Rob Crittenden (62) === * replicainstall: DS SSL replica install pick right certmonger host * Extend CALessBase::installer_server to accept extra_args * Handle subyptes in ACIs * server install: drop some print statements, change log level * Drop attr defaultServerList if removing the last server * Improve console logging for ipa-server-install * Replace some test case adjectives * Suppress missing cn=schema compat on installation * Use replace instead of add to set new default ipaSELinuxUserMapOrder * Disable Schema Compat plugin during server upgrade * Add tests for ipa-restore with DM password validation check * Validate the Directory Manager password before starting restore * Rename test class for testing simple commands, add test * Don't try to set Kerberos extradata when there is no principal * Client install should handle automount unconfigured on uninstall * Return unique error when automount is already or not configured * VERSION.m4: Set back to git snapshot * Become IPA 4.6.90.pre2 * Update 4.7 translations * Fix certificate retrieval in ipa-replica-prepare for DL0 * Disable message about log in ipa-backup if IPA is not configured * Use a regex in installutils.get_directive instead of line splitting * Handle whitespace, add separator to regex in set_directive_lines * Validate the Directory Manager password 
before starting restore * Log service start/stop/restart message * Update project metadata in ipasetup.py.in * Allow dot as a valid character in an selinux identity name * Remove xfail from CALes test test_http_intermediate_ca * Some PKCS#12 errors are reported with full path names * ipa-server-certinstall failing, unknown option realm * Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c * Break out of teardown in test_replica_promotion.py if no config * Remove the Continuous installer class, it is unused * Return a value if exceptions are raised in server uninstall * VERSION.m4: Set back to git snapshot * Become IPA 4.6.90.pre1 * Update Contributors.txt * Redirect CRL requests to the http port, not the https port * Don't try to backup CS.cfg during upgrade if CA is not configured * Don't return None on mismatched interactive passwords * Update smart_card_auth advise script for mod_ssl * Add value in set_directive after a commented-out version * Don't backup nss.conf on upgrade with the switch to mod_ssl * Enable upgrades from a mod_nss-installed master to mod_ssl * Convert ipa-pki-proxy.conf to use mod_ssl directives * Remove main function from the certmonger library * Use mod_ssl instead of mod_nss for Apache TLS for new installs * Fix detection of KRA installation so upgrades can succeed * Move Requires: pythonX-sssdconfig into conditional * Log contents of files created or modified by IPAChangeConf * Don't manually generate default.conf in server, use IPAChangeConf * Enable ephemeral KRA requests * Make the path to CS.cfg a class variable * Run server upgrade in ipactl start/restart * If the cafile is not present or readable then raise an exception * Add test to ensure that properties are being set in rpcclient * Use the CA chain file from the RPC context * Fix cert-find for CA-less installations * Use 389-ds provided method for file limits tuning * Collect group membership without a size limit * Add exec to /var/lib/ipa/sysrestore for install 
status inquiries * Use TLS for the cert-find operation === Robbie Harwood (5) === * Fix elements not being removed in otpd_queue_pop_msgid() * Move krb5 snippet into freeipa-client-common * Enable SPAKE support using krb5.conf.d snippet * Log errors from NSS during FIPS OTP key import * ipa-kdb: support KDB DAL version 7.0 === Rishabh Dave (1) === * ipa-ca-install: mention REPLICA_FILE as optional in help === Sumit Bose (1) === * ipa-kdb: reinit trusted domain data for enterprise principals === Sumit Bose (2) === * ipa-kdb: update trust information in all workers * ipa-kdb: use magic value to check if ipadb is used === John L (1) === * Remove special characters in host_add random OTP generation === Stanislav Laznicka (84) === * Move config directives handling code * Travis: ignore 'line break after binary operator' * Allow user administrator to change user homedir * mod_ssl: add SSLVerifyDepth for external CA installs * Add absolute_import to test_authselect * Fix typo in ipa-getkeytab --help * Add absolute_import future imports * replica-install: pass --ip-address to client install * ipa_backup: Backup the password to HTTPD priv key * Fix upgrading of FreeIPA HTTPD * Remove py35 env from tox testing * Encrypt httpd key stored on disk * Dogtag configs: rename deprecated options * Backup HTTPD's mod_ssl config and cert-key pair * vault: fix vault-retrieve to a file * Backup ssl.conf when migrating from mod_nss * Move HTTPD cert/key pair to /var/lib/ipa/certs * httpinstance fixup: remove commented-out lines * httpinstance: fix publishing of CA cert * httpinstance: verify priv key belongs to certificate * httpinstance: backup mod_nss conf instead of just removing it * service: rename import_ca_certs_* to export_* * fixup: add ipa-rewrite.conf to ssl.conf on upgrade * Make ipa-server-certinstall store HTTPD cert in a file * certupdate: don't update HTTPD NSS db * x509: Fix docstring of write_certificate() * x509: Remove unused argument of load_certificate_from_file() * 
httpinstance: handle supplied PKCS#12 files in installation * mod_ssl migration: fix upload_cacrt.py plugin * Fix FileStore.backup_file() not to backup same file * Have all the scripts run in python 3 by default * replica_prepare: Remove the correct NSS DB files * Add a helpful comment to ca.py:install_check() * Don't allow OTP or RADIUS in FIPS mode * caless tests: decode cert bytes in debug log * caless tests: make debug log of certificates sensible * Add indexing to improve host-find performance * Add the sub operation for fqdn index config * x509: remove subject_base() function * x509: remove the strip_header() function * py3: pass raw entries to LDIFWriter * ipatests: use python3 if built with python3 * PRCI: use a new template for py3 testing * travis: pep8 changes to pycodestyle * csrgen_ffi: cast the DN value to unsigned char * * Remove pkcs10 module contents * Add tests for CertificateSigningRequest * parameters: introduce CertificateSigningRequest * parameters: relax type checks * csrgen: update docstring for py3 * csrgen: accept public key info as Bytes * csrgen_ffi: pass bytes where "char *" is required * p11-kit: add serial number in DER format * travis: make tests fail if pep8 does not pass * Remove the `message` attribute from exceptions * rpc: don't decode cookie_string if it's None * Don't write p11-kit EKU extension object if no EKU * pylint: fix missing module * travis: run the same tests in python2/3 * certmap testing: fix wrong cert construction * ldap2: don't use decode() on str instance * client: fix retrieving certs from HTTP * uninstall: remove deprecation warning * ldif: handle attribute names as strings * pkinit: don't fail when no pkinit servers found * pkinit: fix sorting dictionaries * travis: remove "fast" from "makecache fast" * Change Travis CI container to FreeIPA-owned * Change the requirements for pylint in wheel * rpcserver: don't call xmlserver.Command * secrets: disable relative-imports for custodia * pylint: disable __hash__ 
for some classes * install.util: disable no-value-for-parameter * pylint: make unsupported-assignment-operation check local * sudocmd: fix unsupported assignment * pylint: Iterate through dictionaries * parameters: convert Decimal.precision to int * dcerpc: disable unbalanced-tuple-unpacking * dcerpc: refactor assess_dcerpc_exception * pylint: fix no-member in schema plugin * csrgen: fix incorrect codec for pyasn BitString * pylint: fix not-context-manager false positives * travis: temporary workaround for Travis CI * Travis: archive logs of py3 jobs === Stanislav Levin (11) === * Fix link to browser configuration guide on Login page * Fix some untranslatable commands in Web UI API Browser * Apply validate_doc() to NO_CLI commands * Fix formatted translations of error messages in topology plugin * Fix formatted translations of error messages in serverroles plugin * Fix formatted translations in trust plugin * Fix translation of idrange_* commands description * Fix formatted translations in domainlevel plugin * Use intended format() method of translation object * Add support for format method to translation objects * Fix translation of commands description in API Browser === Sudhir Menon (2) === * Adding modified DOAP file * DOAP Description for IPA Project === Thierry Bordaz (2) === * Hardening of topology plugin to prevent erronous deletion of a replica agreement * 389-ds-base crashed as part of ipa-server-intall in ipa-uuid === Tibor Dudlák (15) === * Use temporary pid file for chronyd -q task * Fix format string passed to pytest-multihost * Configure chrony with pool when server not set * Add enabling chrony daemon when not configured * Remove unnecessary option --force-chrony * Remove NTP server role while upgrading * Removes NTP server role from servroles and description * Update man pages for FreeIPA client, replica and server install * Adding method to ipa-server-upgrade to cleanup ntpd * Add --ntp-pool option to installers * FreeIPA server is time 
synchronization client only * Replace ntpd with chronyd in installation * Add dependency and paths for chrony * Removes ntp from dependencies and behave as there is always -N option * Do not check deleted files with `make fastlint` === Timo Aaltonen (9) === * Fix HTTPD SSL configuration for Debian. * ldapupdate: Add support for Debian multiarch * named.conf: Disable duplicate zone on debian, and modify data dir * Add mkhomedir support for Debian * paths: Fix some path definitions for Debian. * constants: Fix HTTPD_GROUP for Debian * Create kadm5.acl if it doesn't exist * ipaplatform, ipa.conf: Use paths variables in ipa.conf.template * Move config templates from install/conf to install/share === Tomas Krizek (20) === * test_dnssec: re-add named-pkcs11 workarounds * py3 dnssec: convert hexlify to str * py3: bindmgr: fix bytes issues * prci: bump ci-master-f27 template to 1.0.2 * prci: define testing topologies * prci: start testing PRs on fedora 27 * py3 spec: remove python2 dependencies from server-trust-ad * py3 spec: remove python2 dependencies from freeipa-server * py3 spec: use proper python2 package names * ipatests: fix circular import for collect_logs * ipatests: collect logs for external_ca test suite * prci: add external_ca test * ldap: limit the retro changelog to dns subtree * spec: bump 389-ds-base to 1.3.7.6-1 * ipatests: set default 389-ds log level to 0 * prci: update F26 template * spec: bump python-pyasn1 to 0.3.2-2 * prci: use f26 template for master * VERSION: set 4.6 git snapshot * Contributors.txt: update === Thorsten Scherf (1) === * Add debug option to ipa-replica-manage and remove references to api_env var. 