Release date: 2017-03-15

The FreeIPA team would like to announce the FreeIPA 4.5.0 release!

It can be downloaded from Builds for
Fedora 25 and Fedora 26 will be available soon in the official COPR
repository: <>

This announcement is also available at

== Highlights in 4.5.0 ==

=== Enhancements ===
==== AD User Short Names ====
Support for AD user short names has been added. Short names can be
enabled from the CLI by setting `ipa config-mod
or from the WebUI under the ''Configuration'' tab. No manual configuration on
the SSSD side is required.

Please note that this feature is not supported by SSSD yet and the work
is tracked with <>

==== FIPS 140-2 Support ====
FreeIPA server and client can be installed on FIPS-enabled systems. MD5
fingerprints have been replaced with SHA256. A ''fips_mode'' variable has
been added to env; it indicates whether FIPS is turned on on the server.

Please note that FIPS 140-2 support may not work on some platforms
because all dependencies of FreeIPA must support FIPS 140-2, which we
cannot guarantee. (Should work with RHEL 7.4+.) The FreeIPA code itself
is FIPS 140-2 compatible.

==== Certificate Identity Mapping ====
Support for multiple certificates on smart cards has been added. The user
can choose which certificate is used to authenticate. This allows
multiple certificates to be defined per user.
The same certificate can be used by different accounts, and the mapping
between a certificate and an account can be done through a binary match of
the whole certificate or a match on custom certificate attributes (such
as Subject + Issuer).

==== Improvements for Containerization ====
AD trust and KRA can be installed in one step in containers, without the need
to subsequently call ipa-adtrust-install and ipa-kra-install in containers.
Option ''--setup-adtrust'' has been added to ''ipa-server-install'' and
''ipa-replica-install'', and option ''--setup-kra'' has been added to

==== Semi-automatic Integration with External DNS ====
Option "--out" has been added to command "ipa
dns-update-system-records". This option stores the IPA system DNS
records in nsupdate format in the specified file, which can then be used with the
nsupdate command to update records on an external DNS server. For more
details see this howto

=== Known Issues ===
* CLI doesn't work after ''ipa-restore''
* AD Trust doesn't work with enabled FIPS mode
* ''cert-find'' does not find all certificates without sizelimit=0

=== Bug fixes ===
Contains all bugfixes and enhancements of the 4.4.1, 4.4.2 and 4.4.3 releases.

==== Installers Refactoring ====
The installer code base has been migrated into modules and much code
duplication has been removed.

==== "Normal" group has been renamed to "Non-POSIX" in WebUI ====
In the web UI, the group type label "Normal" has been changed to
"Non-POSIX" to be compatible with CLI options. The semantics of group
types is unchanged.

==== Build System Refactoring ====
Several improvements have been made to the FreeIPA build system. If you
are a package maintainer, please read the following design document.

==== LDAP Connection Management Refactoring ====
LDAP connection management has been standardized across FreeIPA and
should prevent LDAP connection issues during installation and upgrades
in future.

==== Do not fail when IPA server has shortname first in /etc/hosts ====
Kerberos client library is now instructed to not attempt to canonicalize
hostnames when issuing TGS requests. This improves security by avoiding
DNS lookups during canonicalization and also improves robustness of
service principal lookups in more complex DNS environments (clouds,
containerized applications). Due to this change in behavior, care must
be taken to specify correct FQDN in host/service principals as no
attempt to resolve e.g. short names will be made.

==== Replica Connection Check Improvements ====
The improved connection check reduces the possibility of failure in later
installation steps. Ports on both IPv4 and IPv6 addresses are now
checked (if available).

==== Replace NSS with OpenSSL ====
This should reduce the number of issues related to HTTPS connections. This change
was also needed to support FIPS.

==== Fully customisable CA name ====

The CA subject name is now fully customisable, and is no longer
required to be related to the certificate subject base. The
''ipa-server-install'' and ''ipa-ca-install'' commands learned the
''--ca-subject'' and ''--subject-base'' options for configuring these


== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
list or the #freeipa
channel on Freenode.

== Resolved tickets ==
* 6764 debian: python modules should be installed under dist-packages
* 6759 replica prepare broken on KDC cert export
* 6755 [] - "ipa-replica-prepare" command fails when trying to unlink non-existing "tmpcert.der" file in /var/lib/ipa/
* 6750 Web page ipa/config/ssbrowser.html refers to missing ipa/config/ca.crt file
* 6739 Cannot login to replica's WebUI
* 6735 The ipa-managed-entries command failed, exception: AttributeError: ldap2
* 6734 vaultconfig-show throws internal error
* 6731 ipa-server-install: allow to in install KRA in one step
* 6730 Harden client HTTPS connections
* 6724 [] - comparison test scripts not reflected changes in "openssl_base.tmpl"
* 6723 ipa systemd unit should define Wants=network instead of
* 6718 SessionMaxAge in /etc/httpd/conf.d/ipa.conf introduces regression
* 6717 WebUI: change structure of Identity submenu
* 6714 ipaclient.csrgen depends on ipaplatform
* 6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)
* 6712 WebUI: Arbitrary certificates on {user|host|service} details pages are not displayed in WebUI
* 6707 Removal of IPAConfig broke Ipsilon's FreeIPA integration
* 6701 Add SHA256 fingerprints
* 6698 User with ticket gets GSS failure when calling freeipa CLI command
* 6694 ipa-client-install command failed, TypeError: list found
* 6690 Plugin schema cache is slow
* 6686 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) after adding externally signed CA cert
* 6685 logout does not work properly
* 6682 session logout should not remove ccache
* 6680 kra-agent.pem file is not auto-renewed by certmonger
* 6676 unable to parse cookie header
* 6675 KRA_AGENT_PEM file is missing
* 6674 ipactl: noise error from pki-tomcatd start
* 6673 httpd unit files deletes root ccache
* 6670 PKINIT upgrade process is incomplete
* 6661 Move ipa session data from keyring to ccaches
* 6659 ipa-backup does not include /root/kracert.p12
* 6650 [vault] Replace nss crypto with cryptography
* 6648 Make ipa-cacert-manage man page more clear
* 6647 batch param compatibility is incorrect
* 6646 IdM Server: list all Employees with matching Smart Card
* 6643 [RFE] Add ipa-whoami command
* 6640 DS certificate request during replica install fails due to bytes/string mismatch
* 6639 Rewrite the code handling discovery and adding of AD trust agents in AD trust installer
* 6638 AD trust installer should be able to configure samba instance also without admin credentials
* 6637 Build fails on Fedora 26
* 6636 UnboundLocalError during ipa-client-install
* 6634 --ignore-last-of-role is not in man page
* 6633 IPA replica install log shows password in plain text
* 6631 Use Python warnings for development
* 6630 Merge AD trust installer to server/replica install
* 6629 Migrate AD trust installer on the new-style installer framework
* 6625 WSGI fails with internal server error when mode != production (locked attribute)
* 6623 Stageuser is missing -{add,remove}-{cert,principal} commands
* 6620 Remove ipa-upgradeconfig command
* 6619 krb5 1.15 broke DAL principal free
* 6608 IPA server installation should check if IPv6 stack is enabled
* 6607 Deprecate SSLv2 from API config
* 6606 Full backup and restore prevents KRA from installing
* 6601 [RFE] WebUI: Certificate Identity Mapping
* 6600 Legacy client tests doesn't have tree domain role.
* 6598 [webui] Show "CA replica warning" only if there one or more replicas but only 1 CA
* 6597 ipapython.version.DEFAULT_PLUGINS is not configured
* 6596 Update ETAs in installers
* 6588 replication race condition prevents IPA to install
* 6586 Minor string fixes in
* 6585 [RFE] nsupdate output format in dns-update-system-records command
* 6584 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts
* 6578 IPA CLI will eventually stop working when invoked in parallel
* 6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6
* 6574 description of --domain and --realm is confusing
* 6573 CA-less replica installation fails due to attempted cert issuance
* 6570 Duplicate PKINIT certificates being tracked after restoring IPA backup on re-installed master
* 6565 FreeIPA server install fails (and existing servers probably fail to start) due to changes in 'dyndb' feature on merge to upstream BIND
* 6564 IPA WebUI certificates are grayed out on overview page but not on details page
* 6559 [py3] switch to PY3 causes warnings from IPA schema cache
* 6558 [Py3] http session cookie doesn't work under Py3
* 6551 Upgrade Samba configuration to not include keytab prefix
* 6550 Refactor PKCS #7 parsing to use pyasn1_modules
* 6548 [RFE] Mention ipa-backup in warning message before uninstalling IPA server
* 6547 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
* 6546 Delete option shouldn't be available for hosts applied to view.
* 6542 [RFE] Certificate Identity Mapping
* 6541 ipa-replica-install fails to import DS cert from replica file
* 6540 Migration from ipa-3.0 fails due to crashing
* 6539 ipa vault operations are not possible with an older server
* 6538 KRA: add checks to prevent removing the last instance of KRA in
* 6534 topology should not include A<->B segment "both" and B->A "left right" at the same time.
* 6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x
* 6526 remove "request certificate with subjectaltname" permission
* 6522 ipa-replica-conncheck should check for open ports on all IPs resolved from hostname
* 6518 Can not install IPA server when hostname is not DNS resolvable
* 6514 replica install: request_service_cert doesn't raise error when certificate issuance failed
* 6513 `ipa plugins` command crashes with internal error
* 6512 Improve the robustness FreeIPA's i18n module and its tests
* 6510 Wrong error message during failed domainlevel 0 installations without a replica file
* 6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
* 6505 Make ipapython.kerberos.Principal.__repr__ show the actual principal name
* 6504 Create a test for uniqueness of CA renewal master
* 6503 IPA upgrade of replica without DNS fails during restart of
* 6500 ipa-server-upgrade fails with AttributeError
* 6498 Build system must regenerate file when template changes.
* 6497 Misleading error message in replica_conn_check()
* 6496 remove references to
* 6495 DNSSEC: ipa-ods-expoter.socket creates incorrect socket and breaks DNSSEC signing
* 6492 Register entry points of Custodia plugins
* 6490 Add local-env subcommand to ipa script
* 6489 Provide legacy client test coverage with tree root domain
* 6487 ipa-replica-conncheck fails randomly (race condition)
* 6486 Add NTP server list to ipaplatform
* 6481 Create a test for instantiating rules with service principals
* 6480 Update man page for ipa-adtrust-install by removing --no-msdcs option
* 6474 Remove ipaplatform dependency from ipa modules
* 6472 cert-request no longer accepts CSR with extraneous data surrounding PEM data
* 6469 Use xml.etree instead of lxml in
* 6466 [abrt] krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV
* 6461 LDAP Connection Management refactoring
* 6460 NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
* 6457 ipa dnsrecord-add fails with Keyerror stack trace
* 6455 Add example of RDN order for ipa-server-install --subject
* 6451 Automate managed replication topology 4.4 features
* 6448 Tests: Stageuser tracker creation of user with minimal values, with uid not specified
* 6446 Create test for kerberos over http
* 6445 Traceback seen in error_log when trustdomain-del is run
* 6439 Members of nested netgroups configured in IdM cannot be seen by getent on clients
* 6435 Fix zanata.xml config to skip testing ipa.pot file
* 6434 Installers: perform host enrollment also in domain level 0 replica install
* 6433 Refactor installer code requesting certificates
* 6420 Pretty print option of pytest makes tracker fail when used in ipa
* 6419 cert-show default output does not show validity
* 6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master
* 6415 replica-install creates spurious entries in cn=certificates
* 6412 Create tests for certs in idoverrides feature
* 6410 Tests: Verify that cert commands show CA without --all
* 6409 [RFE] extend ipa-getkeytab to support other LDAP bind methods
* 6406 Use common mechanism for setting up initial replication in both domain levels
* 6405 unify domain level-specific mechanisms for replica's DS/HTTP keytab generation
* 6402 IPA Allows Password Reuse with History value defined when admin resets the password.
* 6401 Revert expected returncode in replica_promotion test
* 6400 Add file_exists method as a member of transport object
* 6399 Object-Signing cert is unused; don't create it
* 6398 Refactor certificate inspection code to use python-cryptography
* 6397 WebUI: Services are not displayed correctly after upgrade
* 6396 Cleanup AD trust information after tests
* 6394 WebUI: Update Patternfly and Bootstrap to newer versions
* 6393 Make httpd publish CA certificate on Domain Level 1
* 6392 Installers refactoring tracker
* 6388 WebUI: Adder dialog cannot be reopened in case that it is closed using ESC and dropdown field was focused
* 6386 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
* 6384 Web UI: Lowercase "b" in the "API browser" subtab label
* 6381 ipa-cacert-manage man page should mention to run ipa-certupdate
* 6375 ipa-replica-install fails when replica file created after ipa-ca-install on domain level 0
* 6372 [RFE] allow managing prioritized list of trusted domains for unqualified ID resolution
* 6369 [tracker] raise 389 requires when "Total init may fail if the pushed schema is rejected" is part of update
* 6365 Custodia compatibility: add iSecStore.span method
* 6359 test_0003_find_OCSP will never fail
* 6358 ipa migrate-ds fails when it finds a referral
* 6357 ipa-server-install script option --no_hbac_allow should match other options
* 6354 regression: certmap.conf file is not backedup during
* 6352 replica promotion with OTP: add additional info to ""Insufficient privileges" error message
* 6347 Tests: provide trust test coverage for tree root domains
* 6344 [RFE] support URI resource records
* 6343 [RFE] Allow login to WebUI using Kerberos aliases/enterprise
* 6340 IPA client ipv6 - invalid --ip-address shows traceback
* 6335 Set priority as required field in password policy
* 6334 "Normal" group type in the UI is confusing
* 6331 Reason is lost when CheckedIPAddress returns ValueError in
* 6308 [webui] Does not handle uppercase authentication indicators.
* 6305 host/service-mod with --certificate= (remove all certs) does not revoke certs
* 6295 cert-request is not aware of Kerberos principal aliases
* 6269 cert-find --all does not show information about revocation
* 6263 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
* 6226 ipa-replica-install in CA-less environment does not configure DS TLS - ipa-ca-install then fails on replica
* 6225 [RFE] Web UI: allow Smart Card authentication - finalization
* 6202 ipa-client-install - document that --server option expects FQDN
* 6178 Add options to retrieve lightweight CA certificate/chain
* 6169 ipa dnsforwardzone-add w/o arguments fails
* 6144 RPC code should be agnostic to display layer
* 6132 Broken setup if 3rd party CA certificate conflicts with system-wide CA certificate
* 6128 Tests: Base tracker contains leftover attributes from host tracker
* 6126 Tests: User tracker does not enable creation of user with minimal
* 6125 Tests: unaccessible variable self.attrs for entries that are not created via standard create method in Tracker
* 6124 Tests: remove --force option from tracker base class
* 6123 Tests: Tracker enables silent deleting and creating entries
* 6114 Traceback message seen when ipa is provided with invalid configuration file name
* 6088 tests involving KRA installation on replicas fail in domain level 0
* 6005 Create an automated test for Certs in idoverrides feature
* 5949 ipa-server-install: improve prompt on interactive installation
* 5935 [py3] DNSName.ToASCII broken with python3
* 5742 [RFE] [webui] Configurable page size / User config page
* 5695 [RFE] FreeIPA on FIPS enabled systems
* 5640 Framework does not respect sizelimit passed via webUI in some
* 5348 [tracker] dig + dnssec does not display signature of freshly created root zone
* 4821 UI drops "Unknown Error" when the ipa record in /etc/hosts changes
* 4189 [RFE] Use GSS-Proxy for the HTTP service
* 3461 [RFE] Extend freeipa's sudo to support selinux transition roles
* 157 Python 3.2a1 in rawhide

== Detailed changelog since 4.4.4 ==
=== Jan Barta (8) ===
* pylint: fix bad-mcs-method-argument
* pylint: fix bad-mcs-classmethod-argument
* pylint: fix bad-classmethod-argument
* pylint: fix old-style-class
* pylint: fix redefine-in-handler
* pylint: fix pointless-statement
* pylint: fix unneeded-not
* pylint: fix simplifiable-if-statement warnings

=== Alexander Bokovoy (7) ===
* ipaserver/ use arcfour_encrypt from samba
* add whoami command
* pkinit: make sure to have proper dictionary for Kerberos instance on
* ipa-kdb: support KDB DAL version 6.1
* ipa-kdb: search for password policies globally
* adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
* trustdomain-del: fix the way how subdomain is searched

=== Abhijeet Kasurde (11) ===
* Minor typo fix in DNS install plugin
* Update warning message for replica install
* Add fix for ipa plugins command
* Update man page of ipa-server-install
* Remove deprecated ipa-upgradeconfig command
* Update warning message for ipa server uninstall
* Fix for handling CalledProcessError in authconfig
* Enumerate available options in IPA installer
* Provide user hint about IP address in IPA install
* Add fix for no-hbac-allow option in server install
* Added a fix for setting Priority as required field in Password Policy Details facet

=== Ben Lipton (8) ===
* csrgen: Support encrypted private keys
* csrgen: Allow overriding the CSR generation profile
* csrgen: Automate full cert request flow
* tests: Add tests for CSR autogeneration
* csrgen: Use data_sources option to define which fields are rendered
* csrgen: Add a CSR generation profile for user certificates
* csrgen: Add CSR generation profile for caIPAserviceCert
* csrgen: Add code to generate scripts that generate CSRs

=== Christian Heimes (88) ===
* Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
* Make pylint and jsl optional
* Ignore ipapython/.DEFAULT_PLUGINS
* Run test_ipaclient test suite
* Chain CSR generator file loaders
* Move csrgen templates into ipaclient package
* Use https to get security domain from Dogtag
* Cleanup certdb
* Default to pkginstall=true without duplicated definitions
* pylint: ignore pypi placeholders
* Python build: use --build-base everywhere
* Add with_wheels global to install wheel and PyPI packaging dependencies
* Add placeholders for ipaplatform, ipaserver and ipatests
* Add python-wheel as build requirement
* Packaging: Add placeholder packages
* Vault: port key wrapping to python-cryptography
* Remove NSPRError exception from platform tasks
* Remove import nss from test_ldap
* certdb: Don't restore_context() of new NSSDB
* Finish port to PyCA cryptography
* Drop in-memory copy of schema zip file
* Speed up client schema cache
* C compilation fixes and hardening
* lite-server: validate LDAP connection and cache schema
* Add --without-ipatests option
* Add missing include of stdint.h for uint8_t
* Client-only builds with --disable-server
* New lite-server implementation
* Explain more performance tricks in doc string
* Fix test, nested lists are no longer converted to nested tuples
* Pretty print JSON in debug mode (debug level >= 2)
* Convert list to tuples
* Faster JSON encoder/decoder
* Backup /root/kracert.p12
* Ditch version_info and use version number from ipapython.version
* test_StrEnum: use int as bad type
* Stable _is_null check
* cryptography has deprecated serial in favor of serial_number
* Enable additional warnings (BytesWarning, DeprecationWarning)
* Print test env information
* Clean / ignore make check artefact
* ipapython: Add dependencies on
* pytest: set rules to find test files and functions
* Fix used before assignment bug in host_port_open()
* Use pytest and drop pytest.ini
* Catch ValueError raised by pytest.config.getoption()
* Silence pylint import errors of ipaserver in ipalib and ipaclient
* Relax check for .git to support freeipa in submodules
* Ignore backup~ files like
* Fetch correct exception in IPA_CONFDIR test
* Use env var IPA_CONFDIR to get confdir
* Set explicit confdir option for global contexts
* Remove import of ipaplatform.paths from test_ipalib
* Add pylint guard to import of ipaplatform in ipapython.certdb
* Require python-gssapi >= 1.2.0, take 2
* Backwards compatibility with setuptools 0.9.8
* Require python-cryptography >= 1.3.1
* Wheel bundles fixes
* Require python-gssapi >= 1.2.0
* Adjustments for setup requirements
* wrap long line
* Silence import warnings for Samba bindings
* Fix Python 3 bugs discovered by pylint
* Python3 pylint fixes
* Add main guards to a couple of Python scripts
* Break ipaplatform / ipalib import cycle of hell
* Replace LooseVersion
* Don't ship install subpackages with wheels
* Minor fixes for IPAVersion class
* Pylint: whitelist packages with extension modules
* Add 'ipa localenv' subcommand
* ipapython and ipatest no longer require lxml
* Register entry points of Custodia plugins
* Use xml.etree in ipa-client-automount script
* Port ipapython.dnssec.odsmgr to xml.etree
* Add install requirements to Python packages
* Make api.env.nss_dir relative to api.env.confdir
* Don't modify redhat_system_units
* Use correct classifiers to make files PyPI compatible
* Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
* Add __name__ == __main__ guards to setup.pys
* Remove ipapython/ipa.conf
* Port all to setuptools
* Replace ipaplatform's symlinks with a meta importer
* Move ipa.1 man file
* Add iSecStore.span
* Use RSA-OAEP instead of RSA PKCS#1 v1.5

=== David Kupka (20) ===
* rpcserver: x509_login: Handle unsuccessful certificate login gracefully
* Bump required version of gssproxy to 0.7.0
* tests: Add tests for kerberos principal aliases in stageuser
* tests: kerberos_principal_aliases: Deduplicate tests
* tests: Stageuser-{add,remove}-cert
* tests: add-remove-cert: Use hardcoded certificates instead of requesting them
* ipalib.x509: Handle missing SAN gracefully
* stageuser: Add stageuser-{add,remove}-principal
* stageuser: Add stageuser-{add,remove}-cert
* build: Add missing dependency on libxmlrpc{,_util}
* ipaclient: schema cache: Handle malformed server info data gracefully
* schema_cache: Make handling of string compatible with python3
* installer: Stop adding distro-specific NTP servers into ntp.conf
* tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
* password policy: Add explicit default password policy for hosts and
* ipaclient.plugins: Use api_version from internally called commands
* tests: Mark 389-ds acceptance tests
* tests: Mark Dogtag acceptance tests
* UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper
* schema cache: Store and check info for pre-schema servers

=== Florence Blanc-Renaud (20) ===
* Installation must publish CA cert in /usr/share/ipa/html/ca.crt
* IdM Server: list all Employees with matching Smart Card
* ipa systemd unit should define Wants=network instead of Requires=network
* Support for Certificate Identity Mapping
* Define template version in certmap.conf
* Fix ipa.service unit re. gssproxy
* Do not configure PKI ajp redirection to use "::1"
* ipa-kra-install must create directory if it does not exist
* ipa-restore must stop tracking PKINIT cert in the preparation phase
* Increase the timeout waiting for certificate issuance in installer
* Check the result of cert request in replica installer
* Fix ipa-replica-install when upgrade from ca-less to ca-full
* Fix ipa migrate-ds when it finds a search reference
* Fix renewal lock issues on installation
* Refactor installer code requesting certificates
* Use autobind instead of host keytab authentication in
* Fix ipa-cacert-manage man page
* Add cert checks in ipa-server-certinstall
* Fix regression introduced in ipa-certupdate
* Fix ipa-certupdate for CA-less installation

=== Fraser Tweedale (52) ===
* rabase.get_certificate: make serial number arg mandatory
* Extract method to map principal to principal type
* Remove redundant principal_type argument
* dogtag: remove redundant property definition
* ca: correctly authorise ca-del, ca-enable and ca-disable
* replica install: relax domain level check for promotion
* Fix reference before assignment
* private_ccache: yield ccache name
* Add sanity checks for use of --ca-subject and --subject-base
* Indicate that ca subject / subject base uses LDAP RDN order
* Allow full customisability of IPA CA subject DN
* Reuse self.api when executing ca_enabled_check
* dsinstance: extract function for writing certmap.conf
* ipa-ca-install: add missing --subject-base option
* Extract function for computing default subject base
* installer: rename --subject to --subject-base
* installutils: remove hardcoded subject DN assumption
* Refactor and relocate set_subject_base_in_config
* dsinstance: minor string fixes
* Set up DS TLS on replica in CA-less topology
* Remove "Request Certificate with SubjectAltName" permission
* Fix DL1 replica installation in CA-less topology
* certprofile-mod: correctly authorise config update
* Fix regression in test suite
* Add options to write lightweight CA cert or chain to file
* certdb: accumulate extracted certs as list of PEMs
* Add function for extracting PEM certs from PKCS #7
* cert-request: match names against principal aliases
* Remove references to
* cert-request: accept CSRs with extraneous data
* Ensure correct IPA CA nickname in DS and HTTP NSSDBs
* Remove __main__ code from ipalib.x509 and ipalib.pkcs10
* x509: use python-cryptography to process certs
* x509: use pyasn1-modules X.509 specs
* x509: avoid use of nss.data_to_hex
* pkcs10: remove pyasn1 PKCS #10 spec
* pkcs10: use python-cryptography for CSR processing
* dn: support conversion from python-cryptography Name
* cert-show: show validity in default output
* Do not create Object Signing certificate
* Add commentary about CA deletion to plugin doc
* spec: require Dogtag >= 10.3.5-6
* sudorule: add SELinux transition examples to plugin doc
* Fix cert revocation when removing all certs via host/service-mod
* cert-request: raise error when request fails
* Make host/service cert revocation aware of lightweight CAs
* cert-request: raise CertificateOperationError if CA disabled
* Use Dogtag REST API for certificate requests
* Add HTTPRequestError class
* Allow Dogtag RestClient to perform requests without logging in
* Add ca-disable and ca-enable commands
* Track lightweight CAs on replica installation

=== Ganna Kaihorodova (7) ===
* Tests: Basic coverage with tree root domain
* User Tracker: Test to create user with minimal values
* User Tracker: creation of user with minimal values
* Stage User: Test to create stage user with minimal values
* Tests: Stage User Tracker implementation
* Tests: Add tree root domain role in legacy client tests
* Unaccessible variable self.attrs in Tracker

=== Jan Cholasta (106) ===
* spec file: always provide python package aliases
* spec file: support client-only build
* spec file: support build without ipatests
* slapi plugins: fix CFLAGS
* spec file: add unconditional python-setuptools BuildRequires
* httpinstance: disable system trust module in /etc/httpd/alias
* csrgen: hide cert-get-requestdata in CLI
* cert: include certificate chain in cert command output
* cert: add output file option to cert-request
* Travis CI: run tests in development mode
* backend plugins: fix crashes in development mode
* vault: cache the transport certificate on client
* rpc: fix crash in verbose mode
* install: re-introduce option groups
* install CLI: remove magic option groups
* client install: split off SSSD options into a separate class
* server install: remove duplicate knob definitions
* install: add missing space in realm_name description
* server install: remove duplicate -w option
* certmap: load certificate from file in certmap-match CLI
* pylint_plugins: add forbidden import checker
* ipapython: fix DEFAULT_PLUGINS in
* config: re-add `init_config` and `config`
* dns: fix `dnsrecord_add` interactive mode
* server install: do not attempt to issue PKINIT cert in CA-less
* compat: fix `Any` params in `batch` and `dnsrecord`
* scripts, tests: explicitly set confdir in the rest of server code
* server upgrade: uninstall ipa_memcached properly
* server upgrade: always upgrade KRA agent PEM file
* server upgrade: fix upgrade from pre-4.0
* server upgrade: fix upgrade in CA-less
* client install: create /etc/ipa/nssdb with correct mode
* ipaldap: preserve order of values in LDAPEntry._sync()
* replica install: do not log host OTP
* tests: add test for PEM certificate files with leading text
* ipa-ca-install: do not fail without --subject-base and --ca-subject
* cert: fix search limit handling in cert-find
* dogtag: search past the first 100 certificates
* ipaldap: properly escape raw binary values in LDAP filters
* client install: correctly report all failures
* cainstance: do not configure renewal guard
* dogtaginstance: track server certificate with our renew agent
* renew agent: handle non-replicated certificates
* ca: fix ca-find with --pkey-only
* spec file: revert to the previous Release tag
* x509: use PyASN1 to parse PKCS#7
* server install: fix KRA agent PEM file not being created
* spec file: do not define with_lint inside a comment
* certdb: fix PKCS#12 import with empty password
* server install: fix external CA install
* replica install: track the RA agent certificate again
* ipaclient: remove hard dependency on ipaplatform
* ipaclient: move install modules to the install subpackage
* ipalib: remove hard dependency on ipapython
* constants: remove CACERT
* ipalib: move certstore to the install subpackage
* ipapython: remove hard dependency on ipaplatform
* ipautil: move file encryption functions to installutils
* ipautil: move kinit functions to ipalib.install
* ipautil: move is_fips_enabled() to ipaplatform.tasks
* ipautil: remove the timeout argument of run()
* ipautil: remove get_domain_name()
* ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
* certdb: use a temporary file to pass password to pk12util
* certdb: move IPA NSS DB install functions to ipaclient.install
* ipapython: move certmonger and sysrestore to ipalib.install
* ipapython: move dnssec, p11helper and secrets to ipaserver
* custodiainstance: automatic restart on config file update
* paths: remove DEV_NULL
* install: migrate client install to the new class hierarchy
* install: allow specifying verbosity and console log format in CLI
* install: migrate server installers to the new class hierarchy
* install: introduce installer class hierarchy
* install: fix subclassing of knob groups
* install: make knob base declaration explicit
* install: declare knob CLI names using the argparse convention
* install: use standard Python classes to declare knob types
* install: introduce updated knob constructor
* install: simplify CLI option parsing
* install: improve CLI positional argument handling
* install: use ldaps for pkispawn in ipa-ca-install
* replica install: fix DS restart failure during replica promotion
* replica install: merge KRA agent cert export into KRA install
* replica install: merge RA cert import into CA install
* server install: do not restart httpd during CA install
* install: merge all KRA install code paths into one
* install: merge all CA install code paths into one
* replica install: use one remote KRA host name everywhere
* replica install: use one remote CA host name everywhere
* spec file: bump minimal required version of 389-ds-base
* pwpolicy: do not run klist on import
* client: remove unused libcurl build dependency
* makeapi, makeaci: do not fail on missing imports
* ipaserver: remove ipalib import from
* pylint: enable the import-error check
* spec file: do not include BuildRequires for lint by default
* spec file: clean up BuildRequires
* cert: add revocation reason back to cert-find output
* test_plugable: update the rest of test_init
* dns: re-introduce --raw in dnsrecord-del
* client: remove hard dependency on pam_krb5
* cert: fix cert-find --certificate when the cert is not in LDAP
* dns: fix crash in interactive mode against old servers
* dns: prompt for missing record parts in CLI
* dns: normalize record type read interactively in dnsrecord_add
* cli: use full name when executing a command

=== Lenka Doudova (23) ===
* Document make_delete_command method in UserTracker
* Tests: Providing trust tests with tree root domain
* Tests: Verify that validity info is present in cert-show and cert-find
* Add file_exists method as a member of transport object
* Tests: Provide AD cleanup for legacy client tests
* Tests: Provide AD cleanup for trust tests
* Tests: Fix integration sudo test
* Tests: Verify that cert commands show CA without --all
* Tests: Certificate revocation
* Tests: Remove invalid certplugin tests
* Tests: Fix failing test_ipalib/test_parameters
* Tests: Remove silent deleting and creating entries by tracker
* Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* Tests: Fix host attributes in ipa-join host test
* Tests: Update host test with ipa-join
* Tests: Add krb5kdc.service restart to integration trust tests
* Tests: Remove unnecessary attributes from base tracker
* Tests: Remove --force options from tracker base class
* Tests: Remove SSSD restart from integration tests
* Tests: Fix integration sudo tests setup and checks
* Tests: Fix failing ldap.backend test
* Tests: Add cleanup to integration trust tests
* Tests: Fix regex errors in integration trust tests

=== Ludwig Krispenz (1) ===
* Check for conflict entries before raising domain level

=== Lukas Slebodnik (6) ===
* CONFIGURE: Improve detection of xmlrpc_c flags
* CONFIGURE: Properly detect libpopt on el7
* ipa_pwd: remove unnecessary dependency on dirsrv plugins
* SPEC: Fix build in mock
* CONFIGURE: Update help message for jslint
* CONFIGURE: Fix detection of pylint

=== Martin Babinsky (113) ===
* Try out anonymous PKINIT after it is configured
* check for replica's KDC entry on master before requesting PKINIT cert
* check that the master requesting PKINIT cert has KDC enabled
* Make wait_for_entry raise exceptions
* Move PKINIT configuration to a later stage of server/replica install
* Request PKINIT cert directly from Dogtag API on first master
* Make PKINIT certificate request logic consistent with other installers
* idviews: correctly handle modification of non-existent view
* Re-use trust domain retrieval code in certmap validators
* idview: add domain_resolution_order attribute
* ipaconfig: add the ability to manipulate domain resolution order
* Short name resolution: introduce the required schema
* ipa-managed-entries: only permit running the command on IPA master
* ipa-managed-entries: use server-mode API
* Allow login to WebUI using Kerberos aliases/enterprise principals
* Provide basic integration tests for built-in AD trust installer
* Update server/replica installer man pages
* Fix erroneous short name options in ipa-adtrust-install man page
* Merge AD trust configurator into replica installer
* Merge AD trust configurator into server installer
* expose AD trust related knobs in composite installers
* Add AD trust installer interface for composite installer
* check for installed dependencies when *not* in standalone mode
* print the installation info only in standalone mode
* Use logging to emit error messages
* Refactor the code searching and presenting missing trust agents
* only check for netbios name when LDAP backend is connected
* Refactor the code checking for missing SIDs
* use the methods of the parent class to retrieve CIFS kerberos keys
* httpinstance: re-use parent's methods to retrieve anonymous keytab
* Make request_service_keytab into a public method
* allow for more flexibility when requesting service keytab
* Move AD trust installation code to a separate module
* Replace exit() calls with exceptions
* Remove unused variables in exception handling
* ipa-adtrust-install: format the code for PEP-8 compliance
* Travis CI: Upload the logs from failed jobs to
* Explicitly handle quoting/unquoting of NSSNickname directive
* Delegate directive value quoting/unquoting to separate functions
* installutils: improve directive value parsing in `get_directive`
* Fix the installutils.set_directive docstring
* disable hostname canonicalization by Kerberos library
* Travis CI: actually return non-zero exit status when the test job fails
* Trim the test runner log to show only pytest failures/errors
* Add license headers to the files used by Travis CI
* Travis CI: use specific Python version during build
* introduce install step to .travis.yml and cache pip installs
* split out lint to a separate Travis job
* Travis: offload test execution to a separate script
* Travis CI: a separate script to run test tasks
* Put the commands informing and displaying build logs on single line
* travis: mark FreeIPA as python project
* Bump up ipa-docker-test-runner version
* Add a basic test suite for `kadmin.local` interface
* Make `kadmin` family of functions return the result of
* gracefully handle setting replica bind dn group on old masters
* add missing attribute to ipaca replica during CA topology update
* Revert "upgrade: add replica bind DN group check interval to CA topology config"
* bindinstance: use data in named.conf to determine configuration status
* Use ipa-docker-test-runner to run tests in Travis CI
* Configuration file for ipa-docker-test-runner
* Add 'env_confdir' to constants
* Fix pep-8 transgressions in ipalib/
* Make `env` and `plugins` commands local again
* Revert "Add 'ipa localenv' subcommand"
* Enhance __repr__ method of Principal
* replication: ensure bind DN group check interval is set on replica config
* upgrade: add replica bind DN group check interval to CA topology config
* Improve the robustness of FreeIPA's i18n module and its tests
* Use common procedure to setup initial replication in both domain levels
* ensure that the initial sync using GSSAPI works against old masters
* replication: refactor the code setting principals as replica bind DNs
* replication: augment setup_promote_replication method
* Turn replication manager group into ReplicationManager class member
* Fix the naming of ipa-dnskeysyncd service principal
* installutils: remove 'install_service_keytab' function
* domain-level agnostic keytab retrieval in httpinstance
* installers: restart DS after KDC is configured
* dsinstance: use keytab retrieval method from parent class
* use DM credentials to retrieve service keytab only in DLO
* Service: common method for service keytab requests
* Turn Kerberos-related properties to Service class members
* Make service user name a class member of Service
* service installers: clean up the inheritance
* fix incorrect invocation of ipa-getkeytab during DL0 host enrollment
* do partial host enrollment in domain level 0 replica install
* Separate function to purge IPA host principals from keytab
* certs: do not re-create NSS database when requesting service cert
* initialize empty /etc/http/alias during server/replica install
* CertDB: add API for non-destructive initialization from PKCS#12 bundle
* test_ipagetkeytab: use system-wide IPA CA cert location in tests
* Extend keytab retrieval test suite to cover new options
* Modernize ipa-getkeytab test suite
* extend ipa-getkeytab to support other LDAP bind methods
* ipa-getkeytab: expose CA cert path as option
* server-del: fix incorrect check for one IPA master
* Revert "Fix install scripts debugging"
* do not use keys() method when iterating through dictionaries
* remove trailing newlines from python modules
* mod_nss: use more robust quoting of NSSNickname directive
* Move character escaping function to ipautil
* Make Continuous installer continuous only during execution phase
* use separate exception handlers for executors and validators
* ipa passwd: use correct normalizer for user principals
* trust-fetch-domains: contact forest DCs when fetching trust domain info
* netgroup: avoid extraneous LDAP search when retrieving primary key from DN
* advise: Use `name` instead of `__name__` to get plugin names
* Use Travis-CI for basic sanity checks
* ldapupdate: Use proper inheritance in BadSyntax exception
* raise ValidationError when deprecated param is passed to command
* Always fetch forest info from root DCs when establishing one-way trust
* factor out `populate_remote_domain` method into module-level function
* Always fetch forest info from root DCs when establishing two-way trust

=== Martin Basti (134) ===
* Become IPA 4.5.0
* Update 4.5 translations
* Add copy-schema-to-ca for RHEL6 to contrib/
* Remove from master branch
* pylint: bump dependency to version >= 1.6
* backup: backup anonymous keytab
* tests: use --setup-kra in tests
* KRA: add --setup-kra to ipa-server-install
* man: add missing --setup-adtrust option to manpage
* ipactl restart: log httplib failures as debug
* Tests: search for disabled users
* Test: DNS nsupdate from dns-update-system-records
* DNS: dns-update-system-record can create nsupdate file
* py3: ipa_generate_password: do not compare None and Int
* py3: change_admin_password: use textual mode
* py3: create DNS zonefile: use textual mode
* py3: upgradeinstance: use bytes literals with LDIF operations
* py3: upgradeinstance: decode data before storing them as backup...
* py3: upgradeinstance: open dse.ldif in textual mode
* custodia: kem.set_keys: replace too-broad exception
* py3: user bytes with ldap values
* py3: custodia: basedn must be unicode
* py3: configparser: use raw keyword
* py3: modify_s: attribute name must be str not bytes
* py3: ldapupdate: fix logging str(bytes) issue
* DNSSEC: forwarders validation improvement
* py3: test_ipaserver: fix BytesWarnings
* py3: get_memberofindirect: fix ByteWarnings
* py3: DN: fix BytesWarning
* Tests: fix wait_for_replication task
* py3: send Decimal number as string instead of base64 encoded value
* py3: ipaldap: properly encode DNSName to bytes
* py3: _convert_to_idna: fix bytes/unicode mismatch
* py3: DNS: get_record_entry_attrs: do not modify dict during iteration
* py3: _ptrrecord_precallaback: use bytes with labels
* py3: remove_entry_from_group: attribute name must be string
* py3: base64 encoding/decoding returns always bytes don't mix it
* pki-base: use pki-base-python2 as dependency
* pki: add missing dependency pki-base[-python3]
* py3: return principal as unicode string
* py3: tests_xmlrpc: do not call str() on bytes
* py3: normalize_certificate: support both bytes and unicode
* py3: strip_header: support both bytes and unicode
* py3: fingerprint_hex_sha256: fix encoding/decoding
* py3: fix CSR encoding inside framework
* Principal: validate type of input parameter
* Use dict comprehension
* py3: can_read: attributelevelrights is already string
* py3: get_effective_rights: values passed to ldap must be bytes
* py3: ipaldap: update encode/decode methods
* py3: rpcserver fix undefined variable
* py3: WSGI executioners must return bytes in list
* py3: session: fix r/w ccache data
* Py3: Fix undefined variable
* py3: rpcserver: decode input because json requires string
* py3: decode server name to str
* Use proper logging for error messages
* wait_for_entry: use only DN as parameter
* py3: decode bytes for json.loads()
* fix exception logging of JSON data
* py3: convert_attribute_members: don't use bytes as parameter for DN
* py3: make_filter_from_attr: use string instead of bytes
* py3: __add_acl: use standard ipaldap methods
* py3: add_entry_to_group: attribute name must be string not bytes
* py3: HTTPResponse has no 'dict' attribute in 'msg'
* py3: _httplib_request: don't convert string to bytes
* py3: cainstance: replace mkstemp with NamedTemporaryFile
* py3: write CA/KRA config into file opened in text mode
* py3: CA/KRA: config parser requires string
* py3: ipautil: open tempfiles in text mode
* py3: ldap modlist must have keys as string, not bytes
* py3: open temporary ldif file in text mode
* py3: replace mkstemp by NamedTemporaryFile
* py3: create_cert_db: write to file in a compatible way
* _resolve_records: fix assert, nameserver_ip can be none
* Remove duplicated step from DS install
* py3: enable py3 pylint
* Py3: Fix ToASCII method
* fix: regression in API version comparison
* ipactl: pass api as argument to services
* DNS: URI records: bump python-dns requirements
* remove Knob function
* KRA: don't add KRA container when KRA replica
* Zanata: exclude testing ipa.pot file
* client: use correct code for failed uninstall
* client: use exceptions instead of return states
* client: move install part to else branch
* client: move install cleanup from ipa-client-install to module
* client: move clean CCACHE to module
* client: fix script execution
* client: Remove useless except in ipa-client-install
* client: move custom env variable into client module
* client: extract checks from uninstall to uninstall_check
* client: extract checks from install to install_check
* client: move checks to client.install_check
* client: make statestore and fstore consistent with server
* IPAChangeConf: use constant for empty line
* client: import IPAChangeConf directly instead the module
* client: remove extra return from hardcode_ldap_server
* client: install function: return constant not hardcoded number
* client: remove unneeded return from configure_ipa_conf
* client: remove unneeded return configure_krb5_conf
* ipa-client-install: move client install to module
* CI: Disable KRA install tests on DL0
* CI: use --setup-kra with replica installation
* CI: extend replication layouts tests with KRA
* CI: workaround: wait for dogtag before replica-prepare
* Pylint: fix the rest of unused local variables
* Pylint: remove unused variables in tests
* Pylint: remove unused variables in ipaserver package
* Pylint: remove unused variables from installers and scripts
* Fix: find OSCP certificate test
* Pylint: enable check for unused-variables
* Remove unused variables in tests
* Remove unused variables in the code
* test_text: add test ipa.pot file for tests
* Pylint: enable global-variable-not-assigned check
* Pylint: enable cyclic-import check
* Test: don't use global variable for iteration in test_cert_plugin
* Use constant for user and group patterns
* Fix regexp patterns in parameters to not enforce length
* Add check for IP addresses into DNS installer
* Fix missing config.ips in promote_check
* Abstract procedures for IP address warnings
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.
* Tests: extend DNS cmdline tests with lowercased record type
* Show warning when net/broadcast IP address is used in installer
* Allow multicast addresses in A/AAAA records
* Allow broadcast ip addresses
* Allow network ip addresses
* Fix parse errors with link-local addresses
* Fix ScriptError to always return string from __str__
* Bump master IPA devel version to 4.4.90

=== Martin Kosek (1) ===
* Update Contributors.txt

=== Milan Kubík (4) ===
* ipatests: Fix assert_deepequal outside of pytest process
* ipatests: Implement tests with CSRs requesting SAN
* ipatests: Fix name property on a service tracker
* ipatests: provide context manager for keytab usage in RPC tests

=== Michal Reznik (1) ===
* test_csrgen: adjusted comparison test scripts for CSRGenerator

=== Michal Židek (1) ===
* git: Add commit template

=== Nathaniel McCallum (3) ===
* Migrate OTP import script to python-cryptography
* Use RemoveOnStop to cleanup systemd sockets
* Properly handle LDAP socket closures in ipa-otpd

=== Oleg Fayans (45) ===
* Test: uniqueness of certificate renewal master
* Test: basic kerberos over http functionality
* Test: made kinit_admin a returning function
* tests: Added basic tests for certs in idoverrides
* Created idview tracker
* Test for installing rules with service principals
* Test: integration tests for certs in idoverrides feature
* Added interface to certutil
* Automated ipa-replica-manage del tests
* tests: Automated clean-ruv subcommand tests
* Reverted the assertion for replica uninstall returncode
* Test: disabled wrong client domain tests for domlevel 0
* tests: Fixed code styling in caless tests to make pep8 happy
* tests: Reverted erroneous asserts in 4 tests
* tests: fixed certinstall method
* tests: fixed super method invocation
* tests: added verbose assert to test_service_disable_doesnt_revoke
* tests: Standardized replica_preparation in test_no_certs
* tests: Implemented check for domainlevel before installation verification
* tests: Fixed Usage of improper certs in ca-less tests
* tests: fixed expects of incorrect error messages
* tests: Replaced unused setUp method with install
* tests: Replaced hardcoded certutil with imported from paths
* tests: Enabled negative testing for cleaning replication agreements
* tests: Made unapply_fixes call optional at master uninstallation
* tests: Updated master and replica installation methods to enable negative testing
* tests: Added necessary xfails
* tests: Added necessary getkeytabs calls to fixtures
* tests: Removed outdated command options test
* tests: Applied correct teardown methods
* tests: Fixed incorrect assert in verify_installation
* tests: Adapted installation methods to utilize methods from tasks
* tests: Removed call for install method from parent class
* tests: Added teardown methods for server and replica installation
* tests: Create a method that cleans all ipa certs
* tests: Updated ipa server installation stdin text
* tests: Added generation of missing certs
* tests: Added basic constraints extension to the CA certs
* tests: Fixed method failures during second call for the method
* Xfailed a test that fails due to 6250
* Fixed segment naming in topology tests
* Xfailed the tests due to a known bug with replica preparation
* Changed addressing to the client hosts to be replicas
* Several fixes in replica_promotion tests
* Removed incorrect check for returncode

=== Petr Čech (1) ===
* ipatests: nested netgroups (intg)

=== Petr Spacek (126) ===
* ipa_generate_password algorithm change
* Remove named-pkcs11 workarounds from DNSSEC tests.
* Build: forbid builds in working directories containing white spaces
* Build: always use Pylint from Python version used for rest of the build
* Build: specify BuildRequires for Python 3 pylint
* Build: generates Python 2 & 3 packages at the same time
* Accept server host names resolvable only using /etc/hosts
* Build: properly integrate ipa.pot into build system tests
* Build: properly integrate into build system
* Build: properly integrate into build system
* Build: properly integrate loader.js into build system
* Build: properly integrate into build system
* Build: properly integrate into build system
* Build: workaround bug while calling parallel make from rpmbuild
* Build: remove ipa.pot from Git as it can be re-generated at any time
* Build: integrate translation system tests again
* Build: automatically generate list of files to be translated in configure
* Build: clean in po/ removes *~ files as well
* Build: support strip-po target for translations
* Build: use standard infrastructure for translations
* Build: fix path in ipa-ods-exporter.socket unit file
* Build: fix file dependencies for
* Build: update to use same paths as rpmbuild
* Build: remove incorrect use of MAINTAINERCLEANFILES
* Build: enable silent build in
* Build: support --enable-silent-rules for Python packages
* Build: workaround bug 1005235 related to Python paths in auto-generated Requires
* Build: document what should be in %install section of SPEC file
* Build: move web UI file installation from SPEC to
* Build: move server directory handling from SPEC to
* Build: move client directory handling from SPEC to
* Update man page for ipa-adtrust-install by removing --no-msdcs option
* Build: pass down %{release} from SPEC to configure
* Build: update IPA_VERSION_IS_GIT_SNAPSHOT to comply with PEP440
* Build: add make srpms target
* Build: IPA_VERSION_IS_GIT_SNAPSHOT re-generates version number on RPM
* Build: use POSIX 1003.1-1988 (ustar) file format for tar archives
* Build: IPA_VERSION_IS_GIT_SNAPSHOT checks if source directory is Git repo
* Build: remove unused and redundant code from and
* Build: fix make clean to remove build artifacts from top-level directory
* Build: fix make clean for web UI
* Build: add polint target for i18n tests
* Build: add makeapi lint target
* Build: add makeaci lint target
* Build: add JS lint target
* Build: add Python lint target
* Build: remove obsolete instructions about BuildRequires from BUILD.txt
* Build: add make rpms target and convenience script
* Build: fix KDC proxy installation and remove unused kdcproxy.conf
* Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC
* Build: do not compress manual pages at install time
* Build: distribute doc directory
* Build: create /var/run directories at install time
* Build: integrate init and init/systemd into build system
* Build: remove init/SystemV directory
* Build: integrate contrib directory into build system
* Build: remove ancient checks/
* Build: integrate daemons/dnssec into build system
* Build: fix distribution of daemons/ipa-slapi-plugins/topology files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files
* Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
* Build: fix distribution of ipa-slapi-plugins/common files
* Build: fix distribution of daemon/ipa-kdb files
* Build: fix distribution of client header file
* Build: fix distribution of asn1/asn1c files
* Build: fix distribution of install/REDME.schema file
* Build: fix distribution of oddjob files
* Build: Remove spurious EXTRA_DIST from install/share/
* Build: cleanup unused LDIFs from install/share
* Build: fix distribution of libexec scripts
* Build: fix distribution and installation of update LDIFs
* Web UI: Remove offline version of Web UI
* Build: fix distribution of static files for web UI
* Build: stop build when a step in web UI build fails
* Build: fix distribution and installation of static files in top-level
* Build: fix man page distribution
* Build: fix distdir target for translations
* Build: rename project from ipa-server to freeipa
* Build: remove non-existing README files from
* Build: fix files to separate source and build directories
* Build: respect --prefix for systemdsystemunitdir
* Build: fix make install in asn1 subdirectory
* Build: fix ipaplatform detection for out-of-tree builds
* Build: Makefiles for Python packages
* Build: fix module name in ipaserver/
* Build: replace hand-made Makefile with one generated by Automake
* Build: move version handling from Makefile to configure
* Docs: update docs about ipaplatform to match reality
* Build: replace ipaplatform magic with symlinks generated by configure
* Build docs: update platform selection instructions
* Build: split out egg-info Makefile target from version-update target
* Build: split API/ACI checks into separate Makefile targets
* Build: use default error handling for PKG_CHECK_MODULES
* Build: use libutil convenience library for client
* Build: cleanup INI library detection
* Build: modernize XMLRPC-client library detection
* Build: modernize CURL library detection
* Build: modernize SASL library detection
* Build: modernize POPT library detection
* Build: merge client/ into top-level
* Build: remove Transifex support
* Build: move translations from install/po/ to top-level po/
* Build: merge install/ into top-level
* Build: merge ipatests/man/ to top-level
* Build: merge asn1/ to top-level
* Build: transform util directory to libutil convenience library
* Build: promote daemons/ to top-level
* Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c
* Build: pass down LIBDIR definition from RPM SPEC to Makefile
* Build: remove deprecated AC_STDC_HEADERS macro
* Build: require Python >= 2.7
* Build: remove traces of mozldap library
* Build: modernize crypto library detection
* Build: modernize UUID library detection
* Build: modernize Kerberos library detection
* Build: add missing KRB5_LIBS to daemons/ipa-otpd
* Tests: print what was expected from callables in xmlrpc_tests
* DNS: Improve field descriptions for SRV records
* DNS: Support URI resource record type
* Fix compatibility with python-dns 1.15.0
* Raise errors from by default

=== Petr Vobornik (6) ===
* permissions: add permissions for read and mod of external group members
* webui: do not warn about CAs if there is only one master
* webui: fixes normalization of value in attributes widget
* Change README to use Markdown
* Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
* replicainstall: log ACI and LDAP errors in promotion check

=== Pavel Vomacka (69) ===
* Remove allow_constrained_delegation from gssproxy.conf
* WebUI: Add support for management of user short name resolution
* WebUI: add link to login page which for login using certificate
* Support certificate login after installation and upgrade
* TESTS WebUI: Vaults management
* TESTS: Add support for sidebar with facets
* TESTS: Add support for KRA in ui_driver
* WebUI: add vault management
* WebUI: allow to show rows with same pkey in tables
* WebUI: search facet's default actions might be overridden
* Add possibility to hide only one tab in sidebar
* Possibility to set list of table attributes which will be added to _del command
* Extend _show command after _find command in table facets
* Add possibility to pass url parameter to update command of details page
* Add property which allows refresh command to use url value
* Added optional option in refreshing after modifying association table
* Possibility to skip checking writable according to metadata
* Allow to set another other_entity name
* Additional option to add and del operations can be set
* WebUI: Add cermapmatch module
* WebUI: Add Adapter for certmap_match result table
* WebUI: Possibility to choose object when API call returns list of objects
* WebUI: Add possibility to turn off autoload when details.load is called
* WebUI: don't change casing of Auth Indicators values
* WebUI: Allow disabling lowering text in custom_checkbox_widget
* Add support for custom table pagination size
* Make singleton from config module
* Add javascript integer validator
* WebUI: Add certmap module
* WebUI: Add Custom command multivalued adder dialog
* WebUI: Create non editable row widget for multivalued widget
* WebUI: Add possibility to set field always writable
* WebUI: Change structure of Identity submenu
* WebUI: add sizelimit:0 to cert-find
* WebUI: fix incorrect behavior of ESC button on combobox
* WebUI: add default on_cancel function in adder_dialog
* Coverity: removed useless semicolon which ends statement earlier
* Coverity: Fix possibility of access to attribute of undefined
* Change activity text while loading metadata
* Refactoring of rpc module
* WebUI: update Patternfly and Bootstrap
* WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
* Lowered the version of gettext
* Add python-pyasn1-modules into dependencies
* Adjustments for setup requirements v2
* TESTS: Update group type name
* Coverity - null pointer dereference
* Coverity - accessing attribute of variable which can point to null
* Coverity - opens dialog which might not be created
* Coverity - iterating over variable which could be null
* Coverity - null pointer dereference
* Coverity - true branch can't be executed
* Coverity - true branch can't be executed
* Coverity - removed dead code
* Coverity - Accessing attribute of null
* Coverity - identical code for different branches
* Coverity - not initialized variable
* Coverity - null pointer exception
* Coverity - null pointer exception
* WebUI: services without canonical name are shown correctly
* WebUI: fix API Browser menu label
* Add tooltip to all fields in DNS record adder dialog
* WebUI: hide buttons in certificate widget according to acl
* WebUI: Change group name from 'normal' to 'Non-POSIX'
* WebUI: Add handling for HTTP error 404
* Add 'Restore' option to action dropdown menu
* WebUI add support for sub-CAs while revoking certificates
* WebUI: Fix showing certificates issued by sub-CA
* Add support for additional options taken from table facet

=== Gabe (1) ===
* Allow nsaccountlock to be searched in user-find command

=== Simo Sorce (31) ===
* Store session cookie in a ccache option
* Add support for searching policies in cn=accounts
* Add code to retrieve results from multiple bases
* Use GSS-SPNEGO if connecting locally
* Limit sessions to 30 minutes by default
* Remove non-sensical kdestroy on https stop
* Fix session logout
* Deduplicate session cookies in headers
* Change session logout to kill only the cookie
* Insure removal of session on identity change
* Explicitly pass down ccache names for connections
* Allow rpc callers to pass ccache and service names
* Fix uninstall stopping ipa.service
* Rationalize creation of RA and HTTPD NSS databases
* Add a new user to run the framework code
* Always use /etc/ipa/ca.crt as CA cert file
* Simplify NSSDatabase password file handling
* Separate RA cert store from the HTTP cert store
* Configure HTTPD to work via Gss-Proxy
* Use Anonymous user to obtain FAST armor ccache
* Drop use of kinit_as_http from trust code
* Generate tmpfiles config at install time
* Change session handling
* Use the tar Posix option for tarballs
* Add compatibility code to retrieve headers
* Configure Anonymous PKINIT on server install
* Properly handle multiple cookies in rpc lib.
* Properly handle multiple cookies in rpcclient
* Support DAL version 5 and version 6
* Fix install scripts debugging
* Fix error message encoding

=== Stanislav Laznicka (78) ===
* Remove pkinit from ipa-replica-prepare
* Backup KDC certificate pair
* Don't fail more if cert req/cert creation failed
* Fix ipa-replica-prepare server-cert creation
* Don't allow standalone KRA uninstalls
* Add message about last KRA to WebUI Topology view
* Add check to prevent removal of last KRA
* Don't use weak ciphers for client HTTPS connections
* We don't offer no quickies
* Fix cookie with Max-Age processing
* Fix CA-less upgrade
* Fix replica with --setup-ca issues
* Moving ipaCert from HTTPD_ALIAS_DIR
* Added a PEMFileHandler for Custodia store
* Refactor certmonger for OpenSSL certificates
* Workaround for certmonger's "Subject" representations
* Remove ipapython.nsslib as it is not used anymore
* Remove NSSConnection from otptoken plugin
* Remove pkcs12 handling functions from CertDB
* Remove NSSConnection from Dogtag
* Move publishing of CA cert to cainstance creation on master
* Don't run kra.configure_instance if not necessary
* Move RA agent certificate file export to a different location
* Remove NSSConnection from the Python RPC module
* Remove md5_fingerprints from IPA
* Remove DM password files after successful pkispawn run
* Remove ra_db argument from CAInstance init
* Fix ipa-server-upgrade
* Use newer Certificate.serial_number in
* Fix error in ca_cert_files validator
* Don't prepend option names with additional '--'
* Bump python-cryptography version in
* custodiainstance: don't use IPA-specific CertDB
* Add password to certutil calls in NSSDatabase
* Explicitly remove support of SSLv2/3
* Add FIPS-token password of HTTPD NSS database
* Bump required python-cryptography version
* Remove is_fips_enabled checks in installers and ipactl
* Generate sha256 ssh pubkey fingerprints for hosts
* Unify password generation across FreeIPA
* Clarify meaning of --domain and --realm in installers
* replicainstall: give correct error message on DL mismatch
* Fix permission-find with sizelimit set
* Generalize filter generation in LDAPSearch
* permission-find: fix a sizelimit off-by-one bug
* fix permission_find fail on low search size limit
* Make get_entries() not ignore its limit arguments
* Do not log DM password in ca/kra installation logs
* Fix CA replica install on DL1
* Offer more general way to check domain level in replicainstall
* Use same means of checking replication agreements on both DLs
* replicainstall: move common checks to common_check()
* Take advantage of the ca/kra code cleanup in replica installation
* Use updated CA certs in replica installation
* Use os.path.join instead of concatenation
* Remove redundant CA cert file existence check
* Use host keytab to connect to remote server on DL0
* Split install_http_certs() into two functions
* First step of merging replica installation of both DLs
* Properly bootstrap replica promotion api
* Move the pki-tomcat restart to cainstance creation
* Move httpd restart to DNS installation
* Import just IPAChangeConf instead of the whole module
* Added file permissions option to IPAChangeConf.newConf()
* Fix to ipachangeconf docstrings
* replicainstall: Unify default.conf file creation
* Replaced EMPTY_LINE constant with a function call
* client: Making the configure functions more readable
* Moved update of DNA plugin among update plugins
* Move ds.replica_populate to an update plugin
* Remove redundant dsinstance restart
* Fix missing file that fails DL1 replica installation
* Make httpd publish its CA certificate on DL1
* Make installer quit more nicely on external CA installation
* Fix test_util.test_assert_deepequal test
* Pretty-print structures in assert_deepequal
* Remove update_from_dict() method
* Updated help/man information about hostname

=== Thierry Bordaz (1) ===
* IPA Allows Password Reuse with History value defined when admin resets
the password.

=== Timo Aaltonen (8) ===
* ipaplatform/debian/paths: Add some missing values.
* ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB.
* ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.
* ipaplatform/debian/services: Fix is_running arguments.
* ipaplatform: Add Debian platform module.
* client, platform: Use paths.SSH* instead of get_config_dir().
* Move ipa-otpd to $libexecdir/ipa
* Purge obsolete firefox extension

=== Tomas Krizek (68) ===
* installer: update time estimates
* server install: require IPv6 stack to be enabled
* Add SHA256 fingerprints for certs
* man: update ipa-cacert-manage
* test_config: fix fips_mode key in Env
* Env __setitem__: replace assert with exception
* FIPS: perform replica installation check
* replicainstall: add context manager for rpc client
* check_remote_version: update exception and docstring
* test_config: fix tests for env.fips_mode
* Add fips_mode variable to env
* Bump required version of bind-dyndb-ldap to 11.0-2
* bindinstance: fix named.conf parsing regexs
* PEP8: fix line length for regexs in bindinstance
* bump required version of BIND, bind-dyndb-ldap
* named.conf template: update API for bind 9.11
* Remove obsolete serial_autoincrement from named.conf parsing
* certdb: remove unused valid_months property
* certdb: remove unused keysize property
* Fix coverity issue
* ipautil: check for open ports on all resolved IPs
* replica-conncheck: improve message logging
* replica-conncheck: improve error message during replicainstall
* ipa-replica-conncheck: fix race condition
* ipa-replica-conncheck: do not close listening ports until required
* upgrade: ldap conn management
* services: replace admin_conn with api.Backend.ldap2
* upgrade: do not explicitly set principal for services
* Build: ignore rpmbuild for lint target
* cainstance: use correct certificate for replica install check
* dns: check if container exists using ldapi
* ipaldap: remove do_bind from LDAPClient
* gitignore: ignore tar ball
* libexec scripts: ldap conn management
* ldap2: modify arguments for create_connection
* replicainstall: use ldap_uri in ReplicationManager
* replicainstall: correct hostname in ReplicationManager
* install tools: ldap conn management
* ldap2: change default bind_dn
* ipa-adtrust-install: ldap conn management
* install: remove adhoc dis/connect from services
* ldapupdate: use ldapi in LDAPUpdate
* replicainstall: properly close adhoc connection in promote
* install: ldap conn management
* install: remove adhoc api.Backend.ldap2 (dis)connect
* install: add restart_dirsrv for directory server restarts
* upgradeinstance: ldap conn management
* dsinstance: conn management
* ldap2: change default time/size limit
* cainstall: add dm_password to CA installation
* replicainstall: set ldapi uri in replica promotion
* dsinstance: enable ldapi and autobind in ds
* install: remove dirman_pw from services
* ipaldap: merge IPAdmin to LDAPClient
* ipaldap: merge gssapi_bind to LDAPClient
* ipaldap: merge external_bind into LDAPClient
* ipaldap: merge simple_bind into LDAPClient
* ipaldap: remove wait/timeout during binds
* ipa: check if provided config file exists
* ipa: allow relative paths for config file
* Prompt for forwarder in dnsforwardzone-add
* Update man/help for --server option
* Update ipa-server-install man page for hostname
* Add help info about certificate revocation reasons
* Add log messages for IP checks during client install
* Show error message for invalid IPs in client install
* Keep NSS trust flags of existing certificates
* Don't show error messages in bash completion

=== Thorsten Scherf (2) ===
* added ssl verification using IPA trust anchor
* added help about default value for --external-ca-type option

=== shanyin (1) ===
* fix missing translation string
