Hello Peter and Team -

Excellent news and great work behind this announcement.  Congratulations!
On 21 Jun 2016, at 13:56, Petr Vobornik <pvobo...@redhat.com> wrote:

>                   == FreeIPA 4.4.0 Alpha 1 ===
> The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release!
> A tarball can be downloaded from http://www.freeipa.org/page/Downloads
> == Highlights in 4.4.0 Alpha 1 ==
> Enhancements:
> * Improved Topology Management
> <http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>
> * Added Overview of IPA server roles:
> <http://www.freeipa.org/page/V4/Server_Roles>
> * Added support certificates for AD users:
> <http://www.freeipa.org/page/V4/Certs_in_ID_overrides>
> * Added support of UPN for trusted domains
> <http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>
> * Added support for Kerberos Authentication Indicators
> <http://www.freeipa.org/page/V4/Authentication_Indicators>
> * Added DNS Location Mechanism
> <http://www.freeipa.org/page/V4/DNS_Location_Mechanism>
> * Several performance improvements
> <http://www.freeipa.org/page/V4/Performance_Improvements>
> * Refactored IPA command line tool
> <http://www.freeipa.org/page/V4/Thin_Client>
> * Added support for Sub-CAs <http://www.freeipa.org/page/V4/Sub-CAs>
> == Detailed Changelog since 4.3.1 ==
> Abhijeet Kasurde (12):
>      Added kpasswd_server directive in client krb5.conf
>      Fixed login error message box in LoginScreen page
>      Added fix for notifying user about Kerberos principal expiration
> in WebUI
>      Added description related to 'status' in ipactl man page
>      Added warning to user for Internet Explorer
>      Added fix for notifying user about locked user account in WebUI
>      Updated ipa command man page
>      Fix added to ipa-compat-manage command line help
>      Removed custom implementation of CalledProcessError
>      Replaced find_hostname with api.env.host
>      Added exception handling for mal-formatted XML Parsing
>      Added missing translation to automount.py method
> Alexander Bokovoy (11):
>      slapi-nis: update configuration to allow external members of IPA
> groups
>      extdom: do not fail to process error case when no request is specified
>      otptoken: support Python 3 for the qr code
>      trusts: Add support for an external trust to Active Directory domain
>      adtrust: remove nttrustpartner parameter
>      adtrust: remove nttrustpartner parameter
>      adtrust: support GSSAPI authentication to LDAP as Active Directory
> user
>      adtrust: support UPNs for trusted domain users
>      webui: show UPN suffixes in trust properties
>      webui: support external flag to trust-add
>      adtrust: optimize forest root LDAP filter
> Christian Heimes (3):
>      Require Dogtag 10.2.6-13 to fix KRA uninstall
>      Modernize mod_nss's cipher suites
>      Move user/group constants for PKI and DS into ipaplatform
> David Kupka (28):
>      installer: Propagate option values from components instead of
> copying them.
>      installer: Fix logic of reading option values from cache.
>      ipa-dns-install: Do not check for zone overlap when DNS installed.
>      ipa-replica-prepare: Add '--auto-reverse' and
> '--allow-zone-overlap' options
>      installer: Change reverse zones question to better reflect reality.
>      Fix: Use unattended parameter instead of options.unattended
>      CI: Add '2-connected' topology generator.
>      CI: Add simple replication test in 2-connected topology.
>      CI: Add test for 2-connected topology generator.
>      CI: Fix pep8 errors in 2-connected topology generator
>      CI: add empty topology test for 2-connected topology generator
>      CI: Add double circle topology.
>      CI: Add replication test utilizing double-circle topology.
>      CI: Add test for double-circle topology generator.
>      CI: Make double circle topology python3 compatible
>      upgrade: Match whole pre/post command not just basename.
>      dsinstance: add start_tracking_certificates method
>      httpinstance: add start_tracking_certificates method
>      Look up HTTPD_USER's UID and GID during installation.
>      test: test_cli: Do not expect defaults in kwargs.
>      man: Decribe ipa-client-install workaround for broken D-Bus
> enviroment.
>      installer: positional_arguments must be tuple or list of strings
>      installer: index() raises ValueError
>      Remove unused locking "context manager"
>      schema: Add fingerprint and TTL
>      schema: Add known_fingerprints option to schema command
>      schema: Cache schema in api instance
>      schema: return fingerprint as unicode text
> Filip Skola (9):
>      Refactor test_user_plugin, use UserTracker for tests
>      Refactor test_replace
>      Refactor test_attr
>      Refactor test_sudocmd_plugin
>      Refactor test_sudocmdgroup_plugin
>      Refactor test_group_plugin, use GroupTracker for tests
>      Refactor test_nesting, create HostGroupTracker
>      Refactor test_hostgroup_plugin
>      Refactor test_automember_plugin, create AutomemberTracker
> Florence Blanc-Renaud (5):
>      Add missing CA options to the manpage for ipa-replica-install
>      Add the culprit line when a configuration file has an incorrect format
>      add context to exception on LdapEntry decode error
>      batch command can be used to trigger internal errors on server
>      Always qualify requests for admin in ipa-replica-conncheck
> Fraser Tweedale (22):
>      Do not decode HTTP reason phrase from Dogtag
>      Remove workaround for CA running check
>      caacl: correctly handle full user principal name
>      Prevent replica install from overwriting cert profiles
>      Detect and repair incorrect caIPAserviceCert config
>      Remove service and host cert issuer validation
>      Allow CustodiaClient to be used by arbitrary principals
>      Load server plugins in certmonger renewal helper
>      Add ACIs for Dogtag custodia client
>      Optionally add service name to Custodia key DNs
>      Setup lightweight CA key retrieval on install/upgrade
>      Authorise CA Agent to manage lightweight CAs
>      Add custodia store for lightweight CA key replication
>      Add 'ca' plugin
>      Add IPA CA entry on install / upgrade
>      Update 'caacl' plugin to support lightweight CAs
>      Add CA argument to ra.request_certificate
>      Update cert-request to allow specifying CA
>      Add issuer options to cert-show and cert-find
>      replica-install: configure key retriever before starting Dogtag
>      upgrade: do not try to start CA if not configured
>      restart scripts: bootstrap api with in_server=True
> Gabe Alford (1):
>      ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'
> Jakub Hrozek (1):
>      sudo: Fix a typo in the --help output of sudocmdgroup
> James Groffen (1):
>      Set close button type attribute to 'button'.
> Jan Barta (1):
>      pylint: fix: multiple-statements
> Jan Cholasta (112):
>      ipautil: remove unused import causing cyclic import in tests
>      ipalib: assume version 2.0 when skip_version_check is enabled
>      ipapython: remove default_encoding_utf8
>      ipapython: port p11helper C code to Python
>      ipapython: use python-cryptography instead of libcrypto in p11helper
>      spec file: package python-ipalib as noarch
>      cert renewal: import all external CA certs on IPA CA cert renewal
>      replica install: validate DS and HTTP server certificates
>      replica promotion: fix AVC denials in remote connection check
>      cacert install: fix trust chain validation
>      client: stop using /etc/pki/nssdb
>      ipalib: provide per-call command context
>      ipalib: add convenient Command method for adding messages
>      certdb: never use the -r option of certutil
>      spec file: bump minimum required pki-core version
>      build: fix client-only build
>      makeapi: use the same formatting for `int` and `long` values
>      replica install: do not set CA renewal master flag
>      rpc: do not crash when unable to parse JSON
>      parameters: remove unused ConversionError and ValidationError
> arguments
>      rpc: include structured error information in responses
>      frontend: re-raise remote RequirementError using CLI name in CLI
>      frontend: remove the unused Command.soft_validate method
>      frontend: perform argument value validation only on server
>      batch: do not crash when no argument is specified
>      ipalib: make optional positional command arguments actually optional
>      frontend: do not forward unspecified positional arguments to server
>      user: do not assume the preserve flags have value in user_del
>      frontend: do not forward argument defaults to server
>      makeapi: optimize API.txt
>      ipalib: remove the unused `csv` argument of Param
>      makeaci: load additional plugins using API.add_module
>      plugable: replace API.import_plugins with new API.add_package
>      ipalib, ipaserver: migrate all plugins to Registry-based registration
>      ipalib, ipaserver: fix incorrect API.register calls in docstrings
>      plugable: remove the unused deprecated API.register method
>      plugable: switch API to Registry-based plugin discovery
>      frontend: merge baseldap.CallbackRegistry into Command
>      frontend: move the interactive_prompt callback type to Command
>      automount: do not inherit automountlocation_import from LDAPQuery
>      dns: move code called on client to the module level
>      dns: do not rely on server data structures in code called on client
>      otptoken: fix import of DN
>      otptoken_yubikey: fix otptoken_add_yubikey arguments
>      vault: move client-side code to the module level
>      vault: copy arguments of client commands from server counterparts
>      ipalib: use relative imports for cross-plugin imports
>      frontend: allow commands to have an argument named `name`
>      cli: make optional positional command arguments actually optional
>      dns: fix dnsrecord interactive mode
>      ipaclient: introduce ipaclient.plugins
>      ipalib: move client-side plugins to ipaclient
>      help, makeapi: allow setting command topic explicitly
>      help, makeapi: specify module topic by name
>      help, makeapi: do not use hardcoded plugin package name
>      plugable: turn Plugin attributes into properties
>      plugable: simplify API plugin initialization code
>      plugable: remember overriden plugins in API
>      frontend: turn Method attributes into properties
>      ipaclient: add client-side command override class
>      dns: move code shared by client and server to separate module
>      ipalib: split off client-side plugin code into ipaclient
>      parameters: introduce cli_metavar keyword argument
>      parameters: introduce no_convert keyword argument
>      ipalib: replace DeprecatedParam with `deprecated` Param argument
>      ipalib: introduce API schema plugins
>      rpc: respect API config in RPCClient.create_connection
>      rpc: allow overriding NSS DB directory in API config
>      rpc: specify connection options in API config
>      rpc: optimize JSON-RPC response handling
>      rpc: do not validate command name in RPCClient.forward
>      client install: finalize API after CA certs are available
>      ipactl: use server API
>      ipalib: move File command arguments to ipaclient
>      misc: hide the unused --all option of `env` and `plugins` in CLI
>      ipaclient: implement thin client
>      ipalib: move server-side plugins to ipaserver
>      frontend: do not check API minor version of the client
>      schema: do not validate unrequested params in command_defaults
>      replica install: use remote server API to create service entries
>      schema: fix topic command output
>      schema: fix typo
>      spec file: require correct packages to get API plugins
>      plugable: allow plugins to be non-classes
>      plugable: initialize plugins on demand
>      schema: generate client-side commands on demand
>      batch, schema: use Dict instead of Any
>      misc: fix empty CLI output of `env` and `plugins` commands
>      dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
>      frontend: call `execute` rather than `forward` in Local
>      schema: exclude local commands
>      schema: fix client-side dynamic defaults
>      makeaci, makeapi: use in-server API
>      frontend: don't copy command arguments to output params
>      frontend: skip `value` output in output_for_cli
>      frontend: do not crash on missing output in output_for_cli
>      automember: add object plugin for automember_rebuild
>      dns: do not rely on custom param fields in record attributes
>      misc: skip `count` and `total` output in env.output_for_cli
>      passwd: handle sort order of passwd argument on the client
>      permission: handle ipapermright deprecated CLI alias on the client
>      schema: add object class schema
>      schema: remove output_params
>      schema: merge command args and options
>      schema: remove redundant information
>      schema: remove `no_cli` from command schema
>      replica install: fix thin client regression
>      ldap: fix handling of binary data in search filters
>      cert: add object plugin
>      cert: add owner information
>      cert: allow search by certificate
>      dns: fix dns_update_system_records to work with thin client
> Jérôme Fenal (1):
>      Fix the man page part for shorter sentences, to avoid dual
> understanding, and punctuation, all spotted while translating to French.
> Lenka Doudova (5):
>      WebUI tests: fix failing of tests due to unclicable label
>      WebUI test: ID views
>      WebUI: Test creating user without private group
>      Test fix: Cleanup for host certificate
>      Test: Maximum username length higher than 255 cannot be set
> Ludwig Krispenz (2):
>      prevent moving of topology entries out of managed scope by modrdn
> operations
>      v2 - avoid crash in topology plugin when host list contains host
> with no hostname
> Lukáš Slebodník (6):
>      extdom: Remove unused macro
>      IPA-SAM: Fix build with samba 4.4
>      CONFIGURE: Replace obsolete macros
>      ipa-sam: Do not redefine LDAP_PAGE_SIZE
>      SPEC: Remove unused build dependency on libwbclient
>      BUILD: Remove detection of libcheck
> Martin Babinsky (44):
>      raise more descriptive Backend connection-related exceptions
>      harden domain level 1 topology connectivity checks
>      ipalib/x509.py: revert deletion of ipalib api import
>      prevent crash of CA-less server upgrade due to absent certmonger
>      use FFI call to rpmvercmp function for version comparison
>      tests for package version comparison
>      fix Py3 incompatible exception instantiation in replica install code
>      ipa-csreplica-manage: remove extraneous ldap2 connection
>      IPA upgrade: move replication ACIs to the mapping tree entry
>      uninstallation: more robust check for master removal from topology
>      correctly set LDAP bind related attributes when setting up replication
>      disable RA plugins when promoting a replica from CA-less master
>      fix standalone installation of externally signed CA on IPA master
>      reset ldap.conf to point to newly installer replica after promotion
>      always start certmonger during IPA server configuration upgrade
>      upgrade: unconditional import of certificate profiles into LDAP
>      CI tests: use old schema when testing hostmask-based sudo rules
>      use LDAPS during standalone CA/KRA subsystem deployment
>      test_cert_plugin: use only first part of the hostname to construct
> short name
>      only search for Kerberos SRV records when autodiscovery was requested
>      spec: add conflict with bind-chroot to freeipa-server-dns
>      spec: require python-cryptography newer than 0.9
>      ipa-replica-manage: print traceback on unexpected error when in
> verbose mode
>      otptoken-add: improve the robustness of QR code printing
>      differentiate between limit types when LDAP search exceeds
> configured limits
>      specify type of exceeded limit when warning about truncated search
> results
>      replica-prepare: do not add PTR records if there is no IPA managed
> reverse zone
>      Server Roles: definitions of server roles and attributes
>      Server Roles: Backend plugin to query roles and attributes
>      Test suite for `serverroles` backend
>      Server Roles: public API for server roles
>      Server Roles: make server-{show,find} utilize role information
>      Server Roles: make *config-show consume relevant roles/attributes
>      Server Roles: provide an API for setting CA renewal master
>      Add NTP to the list of services stored in IPA masters LDAP subtree
>      Introduce "NTP server" role
>      ipaserver module for working with managed topology
>      delegate removal of master DNS record and replica keys to separate
> functions
>      server-del: perform full master removal in managed topology
>      CI test suite for `server-del`
>      ipa-replica-manage: use `server_del` when removing domain level 1
> replica
>      remove the master from managed topology during uninstallation
>      Fix listing of enabled roles in `server-find`
>      Do not update result of *-config-show with empty server attributes
> Martin Bašti (147):
>      Fix DNS tests: dns-resolve returns warning
>      Remove unused code in server installer related to KRA
>      Fix version comparison
>      Fix: replace mkdir with chmod
>      Use module variables for timedate_services
>      Remove empty test file
>      Remove unused imports
>      Remove wildcard imports
>      Enable multiple warnings checks in Pylint
>      Enable pylint lost exception check
>      Enable pylint duplicated-key check
>      Enable pylint trailing-whitespace check
>      Enable pylint missing-final-newline check
>      Enable pylint unused-format-string-key check
>      Enable pylint expression-not-assigned check
>      Enable pylint empty-docstring check
>      Enable pylint unnecessary-pass check
>      update_uniqueness plugin: fix referenced before assigment error
>      Allow to used mixed case for sysrestore
>      Upgrade: Fix upgrade of NIS Server configuration
>      DNSSEC test: fix adding zones with --skip-overlap-check
>      DNSSEC CI: add missing ldns-utils dependency
>      Enable pylint unpacking-non-sequence check
>      Enable pylint unbalanced-tuple-unpacking check
>      CI test: fix regression in task.install_kra
>      Warn about potential loss of CA, KRA, DNSSEC during uninstall
>      Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
>      Exclude o=ipaca subtree from Retro Changelog (syncrepl)
>      Fix DNSSEC test: add glue record
>      Warn user when ipa *-find reach limit
>      DNSSEC CI: fix zone delegations
>      make lint: use config file and plugin for pylint
>      Upgrade: log to ipaupgrade.log when IPA server is not installed
>      Disable new pylint checks
>      Py3: do not use dict.iteritems()
>      upgrade: fix config of sidgen and extdom plugins
>      trusts: use ipaNTTrustPartner attribute to detect trust entries
>      Warn user if trust is broken
>      fix upgrade: wait for proper DS socket after DS restart
>      Revert "test: Temporarily increase timeout in vault test."
>      Remove duplicated except
>      Pylint: add missing attributes of errors to definitions
>      fix permission: Read Replication Agreements
>      Make PTR records check optional for IPA installation
>      Fix connections to DS during installation
>      pylint: supress false positive no-member errors
>      CI: allow customized DS install test to work with domain levels
>      fix suspicious except statements
>      Remove unused arguments from update_ssh_keys method
>      Configure 389ds with "default" cipher suite
>      krb5conf: use 'true' instead of 'yes' for forwardable option
>      stageuser-activate: Normalize manager value
>      Remove redundant parameters from CS.cfg in dogtaginstance
>      Use platform path constant for SSSD log dir
>      Fix broken trust warnings
>      spec: Add missing dependencies to python*-ipalib package
>      client: enable ChallengeResponseAuthentication in sshd_config
>      pylint: remove bare except
>      Pylint: fix definition of global variables
>      Pylint: enable pointless-except check
>      Pylint: enable reimported check
>      Pylint: use list comprehension instead of iteration
>      Pylint: import max one module per line
>      Pylint: remove unnecessary-semicolon
>      Pylint: enable invalid-name check
>      SPEC: do not run upgrade when ipa server is not installed
>      Fix: catch Exception instead of more specific exception types
>      Fix stageuser-activate - managers test
>      Add missing pre_common_callback to stageuser_add
>      host_del: fix removal of host records
>      host_del: replace dns-record find command with show
>      host_del: remove unneeded dnszone-show command call
>      host_del: split removing A/AAAA and PTR records to separate functions
>      host_del: remove only A, AAAA, SSHFP, PTR records
>      host_del: update help for --updatedns option
>      host-del --updatedns: print warnings instead of error
>      Use netifaces module instead of 'ip' command
>      Limit max username length to 255 in config-mod
>      Increase API version for 'ipamaxusernamelength' attribute change
>      Configure httpd service from installer instead of directly from RPM
>      Performace: don't download password attributes in host/user-find
>      Do not do extra search for ipasshpubkey to generate fingerprints
>      Always set hostname
>      Remove deprecated hostname restoration from Fedora18
>      Remove unused hostname variables
>      Log errors from backup_and_replace hostname to logger
>      Tasks: raise NotImplementedError for not implemented methods
>      fix stageuser tests (removal of has_keytab and has_password from find)
>      make: fail when ACI.txt or API.txt differs from values in source code
>      ipactl: advertise --ignore-service-failure option
>      Remove unused variable and finally block in SchemaCache
>      Fix referenced before assigment variables in except statements
>      Upgrade: always start CA
>      Remove unused variables in automount plugin
>      fix pylint false positive errors
>      Translations: remove deprecated locale configuration
>      Make option --no-members public in CLI
>      Performance: Find commands: do not process members by default
>      Test: fix failing host_test
>      Fix: replace incorrect no_cli with no_option flag
>      Fix: topologysuffix_find doesn't have no_members option
>      DNS Locations: Always create DNS related privileges
>      DNS Locations: add new attributes and objectclasses
>      DNS Locations: location-* commands
>      DNS Locations: API tests
>      Allow to use non-Str attributes as keys for members
>      DNS Locations: extend server-* command with locations
>      DNS Location: location-show: return list of servers in location
>      DNS Locations: when removing location remove it from servers first
>      DNS Locations: extend tests with server-* commands
>      Upgrade mod_wsgi socket-timeout on existing installation
>      Exclude unneeded dirs and files from pylint check
>      Fix resolve_rrsets: RRSet is not hashable
>      Revert "adtrust: remove nttrustpartner parameter"
>      Fix: Local variable s_indent might be referenced before defined
>      Revert "Switch /usr/bin/ipa to Python 3"
>      Use python2 for ipa cli
>      DNS Locations: add index for ipalocation attribute
>      DNS Locations: fix location-del
>      DNS Locations: add idnsTemplateObject objectclass
>      DNS Locations: DNS data management
>      DNS Locations: permission: allow to read status of services
>      DNS Locations: add ACI for template attribute
>      DNS Locations: command dns-update-system-records
>      DNS Locations: use dns_update_service_records in installers
>      DNS Locations: adtrustinstance simplify dns management
>      DNS Locations: use automatic records update in ipa-adtrust-install
>      DNS Locations: server-mod: add automatic records update
>      DNS Locations: dnsservers: add required objectclasses
>      DNS Locations: dnsserver-* commands
>      DNS Locations: dnsserver: put server_id option into named.conf
>      DNS Locations: dnsserver: use the newer config way in installer
>      DNS Locations: dnsserver: remove config when replica is removed
>      DNS Locations: set proper substitution variable
>      DNS Locations: require to restart named-pkcs11 affter location change
>      DNS Locations: show warning if there is no DNS servers in location
>      DNS Locations: prevent to remove used locations
>      DNS Locations: do not generate location records for unused locations
>      DNS Locations: location-del: remove location record
>      DNS Locations: Rename ipalocationweight to ipaserviceweight
>      DNS Locations: generate NTP records
>      upgrade: don't fail if zone does not exists in in find
>      DNS Location: add list of roles and DNS servers to location-show
>      DNS Locations: dnsserver: print specific error when DNS is not
> installed
>      Fix possibly undefined variable in ipa_smb_conf_exists()
>      Updated IPA translations
>      Replica promotion: use the correct IPA domain for replica
> Martin Košek (1):
>      Update Developers in Contributors.txt
> Matt Rogers (1):
>      ipa_kdb: add krbPrincipalAuthInd handling
> Michael Simacek (1):
>      Fix bytes/string handling in rpc
> Milan Kubík (11):
>      ipatests: replace the test-example.com domain in tests
>      ipatests: Roll back the forwarder config after a test case
>      ipatests: Fix configuration problems in dns tests
>      ipatests: Make the A record for hosts in topology conditional
>      ipatests: fix the install of external ca
>      ipatests: Add missing certificate profile fixture
>      ipatests: extend permission plugin test with new expected output
>      spec file: rename the python-polib dependency name to python2-polib
>      ipatests: fix for change_principal context manager
>      ipatests: Add test case for requesting a certificate with full
> principal.
>      spec: Add python-sssdconfig dependency for python-ipatests package
> Nathaniel McCallum (7):
>      Don't error when find_base() fails if a base is not required
>      Rename syncreq.[ch] to otpctrl.[ch]
>      Ensure that ipa-otpd bind auths validate an OTP
>      Return password-only preauth if passwords are allowed
>      Enable authentication indicators for OTP and RADIUS
>      Migrate from #ifndef guards to #pragma once
>      Enable service authentication indicator management
> Oleg Fayans (26):
>      CI tests: Enabled automatic creation of reverse zone during master
> installation
>      CI tests: Added domain realm as a parameter to master installation
> in integration tests
>      Fixed install_ca and install_kra under domain level 0
>      fixed an issue with master installation not creating reverse zone
>      Enabled recreation of test directory in apply_common_fixes function
>      Updated connect/disconnect replica to work with both domainlevels
>      Removed --ip-address option from replica installation
>      Removed messing around with resolv.conf
>      Integration tests for replica promotion feature
>      Enabled setting domain level explicitly in test class
>      Removed a constantly failing call to prepare_host
>      Made apply_common_fixes call at replica installation independent
> on domain_level
>      Workaround for ticket 5627
>      Added copyright info to replica promotion tests
>      rewrite a misprocessed teardown_method method as a custom decorator
>      Reverted changes in mh fixture causing some tests to fail
>      Fixed a bug with prepare_host failing upon existing ipatests folder
>      Added a kdestroy call to clean ccache at master/client uninstallation
>      Added 5 more tests to Replica Promotion testsuite
>      Fixed a failure in legacy_client tests
>      Add test if replica is working after domain upgrade
>      Improve reporting of failed tests in topology test suite
>      Bugfixes in managed topology tests
>      A workaround for ticket N 5348
>      Added necessary A record for the replica to root zone
>      Increased certmonger timeout
> Patrice Duc-Jacquet (2):
>      Incorrect message when KRA already installed
>      Add more information regarding where to find revocation reason in
> "ipa cert_revoke -h" and "ipa cert_find -h".
> Pavel Vomacka (41):
>      Add tool tips for Revert, Refresh, Undo, and Undo All
>      Add support for the 'user' url parameter for the reset_password.html
>      Add validation to Issue new certificate dialog
>      Add pan and zoom functionality to the topology graph
>      Nodes stay fixed after initial animation.
>      Add field for group id in user add dialog
>      Resize topology graph canvas according to window size
>      Add X-Frame-Options and frame-ancestors options
>      Add activate option to stage user details page
>      Add 'skip overlap check' checkbox into add zone dialog
>      Add 'skip overlap check' checkbox to the add dns forward zone dialog
>      Add option to show OTP when adding host
>      Update the delete dialog on details user page
>      Add ability to stage multiple users
>      Add option to stage user from details page
>      Change lang.hitch to javascript bind method
>      Change 'Restore' to 'Remove Hold'
>      Extend the certificate request dialog
>      Auth Indicators WebUI part
>      Fix bad searching of reverse DNS zone
>      Add adapter attribute for choosing record
>      DNS Locations: WebUI part
>      Add lists of hosts allowed to create or retrieve keytabs
>      Correct a jslint warning
>      Association table can be read only
>      Extend table facet
>      Add server roles on topology page
>      Search facet can be without search field
>      Add ability to review cert request dialog
>      Add new webui plugin - ca
>      Extend certificate entity page
>      Extend caacl entity
>      Make Actions string translatable
>      Extend DNS config page
>      Extend trust config page
>      Add creating a segment using mouse
>      Add listener which opens add segment dialog
>      Add placeholder to add segment dialog
>      Add DNS default TTL field
>      Allow to set weight of a server without location
>      DNS Servers: Web UI part
> Peter Lacko (1):
>      Ping module tests.
> Petr Viktorin (46):
>      Package ipapython, ipalib, ipaplatform, ipatests for Python 3
>      Use explicit truncating division
>      Don't index exceptions directly
>      Use print_function future definition wherever print() is used
>      Alias "unicode" to "str" under Python 3
>      Avoid builtins that were removed in Python 3
>      dnsutil: Rename __nonzero__ to __bool__
>      Remove deprecated contrib/RHEL4
>      make-lint: Allow running pylint --py3k to detect Python3 issues
>      Split ipa-client/ into ipaclient/ (Python library) and client/ (C,
> scripts)
>      test_parameters: Ignore specific error message
>      ipaldap, ldapupdate: Encoding fixes for Python 3
>      ipautil.run, kernel_keyring: Encoding fixes for Python 3
>      tests: Use absolute imports
>      ipautil: Use mode 'w+' in write_tmp_file
>      test_util: str/bytes check fixes for Python 3
>      p11helper: Port to Python 3
>      cli: Don't encode/decode for stdin/stdout on Python 3
>      Package python3-ipaclient
>      Move get_ipa_basedn from ipautil to ipadiscovery
>      ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
>      ipapython.sysrestore: Use str methods instead of functions from
> the string module
>      ipalib.x809: Accept bytes for make_pem
>      dns plugin: Fix zone normalization under Python 3
>      sysrestore: Iterate over a list of dict keys
>      test_xmlrpc: Use absolute imports
>      xmlrpc_test: Rename exception instance before working with it
>      radiusproxy plugin: Use str(error) rather than error.message
>      xmlrpc_test: Expect bytes rather than strings for binary attributes
>      ipalib.rpc: Send base64-encoded data as string under Python 3
>      range plugin tests: Use bytes with MockLDAP under Python 3
>      radiusproxy plugin tests: Expect bytes, not text, for
> ipatokenradiussecret
>      certprofile plugin: Use binary mode for file with binary data
>      test_add_remove_cert_cmd: Use bytes for base64.b64encode()
>      Switch /usr/bin/ipa to Python 3
>      Fix remaining relative import and enable Pylint check
>      ipalib.cli: Improve reporting of binary values in the CLI
>      test_cert_plugin: Encode 'certificate' for comparison with
> 'usercertificate'
>      ipaldap: Keep attribute names as text, not bytes
>      ipapython.secrets.kem: Use ConfigParser from six.moves
>      test_topology_plugin: Don't rely on order of an attribute's values
>      test_rpcserver: Expect updated error message under Python 3
>      ipaplatform.redhat: Use bytestrings when calling rpm.so for
> version comparison
>      test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
>      ipaldap: Convert dict items to list before iterating
>      test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView
> Petr Voborník (16):
>      Bump 4.4 development version to 4.3.90
>      webui: add examples to network address validator error message
>      webui: pwpolicy cospriority field was marked as required
>      spec: do not require arch specific ipalib package from noarch packages
>      webui: dislay server suffixes in server search page
>      stop installer when setup-ds.pl fail
>      webui: crash nicely if sessionStorage is not available
>      webui: remove moot error from webui build
>      webui: use API call ca_is_enabled instead of enable_ra env variable.
>      webui: fixed showing of success message after password change on login
>      advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap
> plugins
>      cookie parser: do not fail on cookie with empty value
>      fix incorrect name of ipa-winsync-migrate command in help
>      webui: fail nicely if cookies are disabled
>      ipa-client-install: fix typo in nslcd service name
>      Become IPA 4.4.0 Alpha 1
> Petr Špaček (51):
>      dns: Handle SERVFAIL in check if domain already exists.
>      DNSSEC: Improve error reporting from ipa-ods-exporter
>      DNSSEC: Make sure that current state in OpenDNSSEC matches key
> state in LDAP
>      DNSSEC: Make sure that current key state in LDAP matches key state
> in BIND
>      DNSSEC: remove obsolete TODO note
>      DNSSEC: add debug mode to ldapkeydb.py
>      DNSSEC: logging improvements in ipa-ods-exporter
>      DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
>      DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
>      DNSSEC: ipa-ods-exporter: add ldap-cleanup command
>      DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
>      DNSSEC: Log debug messages at log level DEBUG
>      Fix --auto-reverse option in --unattended mode.
>      Fix dns_is_enabled() API command to throw exceptions as appropriate
>      Fix DNS zone overlap check to allow ipa-replica-install to work
>      Fix ipa-adtrust-install to always generate SRV records with FQDNs
>      Fix URL for reporting bugs in strings
>      Pylint: enable parallelism
>      Makefile: replace perl with sed
>      Remove function ipapython.ipautil.host_exists()
>      Extend installers with --forward-policy option
>      Move automatic empty zone list into ipapython.dnsutil and make it
> reusable
>      Add assert_absolute_dnsname() helper to ipapython.dnsutil
>      Move function is_auto_empty_zone() into ipapython.dnsutil
>      Use shared sanity check and tests
> ipapython.dnsutil.is_auto_empty_zone()
>      Add function ipapython.dnsutil.inside_auto_empty_zone()
>      Auto-detect default value for --forward-policy option in installers
>      ipa-nis-manage: Replace text references to compat plugin with NIS
>      ipa-nis-manage: mention return code 3 in man page
>      DNS: Fix upgrade - master to forward zone transformation
>      DNS installer: accept --auto-forwarders option in unattended mode
>      Remove unused file install/share/fedora-ds.init.patch
>      Batch command: avoid accessing potentially undefined context.principal
>      pylint: replace Refactor category with individual check names
>      ipa-nis-manage: add status option
>      DNS: Warn if forwarding policy conflicts with automatic empty zones
>      Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
>      Use root_logger for verify_host_resolvable()
>      Move IP address resolution from ipaserver.install.installutils to
> ipapython.dnsutil
>      Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
>      Add ipaDNSVersion option to dnsconfig* commands and use new attribute
>      DNS upgrade: separate backup logic to make it reusable
>      Add function ipapython.dnsutil.related_to_auto_empty_zone()
>      DNS upgrade: change forwarding policy to = only for conflicting
> forward zones
>      DNS upgrade: change global forwarding policy in LDAP to "only" if
> private IPs are used
>      DNS upgrade: change global forwarding policy in named.conf to
> "only" if private IPs are used
>      Require 389-ds-base >=
>      DNS Locations: make ipa-ca record generation more robust
>      DNS: Support default TTL setting for master DNS zones
>      DNS: Warn about restart when default TTL setting DNS is changed
>      DNS: Fix realm domains integration with DNS zone add.
> Simo Sorce (6):
>      Use only AES enctypes by default
>      Always verify we have a valid ldap context.
>      Improve keytab code to select the right principal.
>      Convert ipa-sam to use the new getkeytab control
>      Allow admins to disable preauth for SPNs.
>      Allow to specify Kerberos authz data type per user
> Stanislav Laznicka (21):
>      Listing and cleaning RUV extended for CA suffix
>      Automatically detect and remove dangling RUVs
>      Cosmetic changes to the code
>      Fixes minor issues
>      replica-manage: fail nicely when DM psswd required
>      ipa-replica-manage refactoring
>      abort-clean/list/clean-ruv now work for both suffixes
>      Moved password check from clean_dangling_ruv
>      Fix to clean-dangling-ruv for single CA topologies
>      Added pyusb as a dependency
>      Added some attributes to Modify Users permission
>      Deprecated the domain-level option in ipa-server-install
>      Increased mod_wsgi socket-timeout
>      Added <my_hostname>=<IPA REALM> mapping to krb5.conf
>      Decreased timeout for IO blocking for DS
>      fixes premature sys.exit in ipa-replica-manage del
>      Remove dangling RUVs even if replicas are offline
>      Added krb5.conf.d/ to included dirs in krb5.conf
>      Removed dead code from LDAP{Remove,Add}ReverseMember
>      Fixes CA always being presented as running
>      Increase nsslapd-db-locks to 50000
> Sumit Bose (3):
>      ipa-kdb: get_authz_data_types() make sure entry can be NULL
>      ipa-kdb: map_groups() consider all results
>      extdom: add certificate request
> Thierry Bordaz (3):
>      configure DNA plugin shared config entries to allow connection
> with GSSAPI
>      DS deadlock when memberof scopes topology plugin updates
>      Make sure ipapwd_extop takes precedence over passwd_modify_extop
> Thorsten Scherf (1):
>      Fixed typo in service-add
> Timo Aaltonen (6):
>      Use HTTPD_USER in dogtaginstance.py
>      Move freeipa certmonger helpers to libexecdir.
>      ipa_restore: Import only FQDN from ipalib.constants
>      ipaplatform: Move remaining user/group constants to
> ipaplatform.constants.
>      Use ODS_USER/ODS_GROUP in opendnssec_conf.template
>      Fix kdc.conf.template to use ipaplatform.paths.
> Tomáš Babej (10):
>      py3: Remove py3 incompatible exception handling
>      logger: Use warning instead of warn
>      Loggger: Use warning instead of warn - dns plugin
>      ipa-getkeytab: Handle the possibility of not obtaining a result
>      ipa-adtrust-install: Allow dash in the NETBIOS name
>      spec: Bump required sssd version to 1.13.3-5
>      adtrustinstance: Make sure smb.conf exists
>      l10n: Remove Transifex configuration
>      ipalib: Fix user certificate docstrings
>      idviews: Add user certificate attribute to user ID overrides
> Yuri Chornoivan (3):
>      Fix minor typo
>      Fix minor typos
>      Fix minor typos
> --
> Petr Vobornik
> _______________________________________________
> Freeipa-interest mailing list
> freeipa-inter...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-interest

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to