[Freeipa-interest] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-14 Thread Rob Crittenden

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the
Release Candidate 1 release of freeIPA 2.0 server [1].

* Binaries are available for F-14 and F-15 [2].
* Please do not hesitate to share feedback, criticism or bugs with us on
our mailing list: freeipa-us...@redhat.com

Main Highlights of the Release Candidate.

This release consists primarily of bug fixes and polish across all areas 
of the project. Modifications include but are not limited to:

* Installation fixes.
* DNS improvements.
* WebUI improvements.

Focus of the Release Candidate Testing
* There is a Fedora test day for FreeIPA on Feb 15th [3]. Please join us 
in testing FreeIPA. The exact instructions will be provided later and 
will be available off the link on the page.
* The following section outlines the areas that we are mostly interested 
to test [4].


Significant Changes Since Beta 2
To see all the tickets addressed since the beta 2 release
see [6].

Repositories and Installation
* Use the following link to install the beta 2 packages [5].
* On Fedora-14 FreeIPA relies on the latest versions
of the packages currently available from the updates-testing
repository. Please make sure to enable this repository before
you proceed with installation.

Known Issues:
* There are known issues that currently prevent FreeIPA from 
successfully installing with dogtag on F-15 [2]. We will send a separate 
message when this issue is resolved. The FreeIPA server is installable 
with the --selfsign option on F-15, or with dogtag on F-14.

* Server-generated error messages are not translated yet.
* IPv6 support is not complete.
* The 'ipa help' command does not support localization.

We plan to address all the outstanding tickets before the final 2.0 
release. For the complete list see [7].


Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] dogtag is having issues with systemd: 
https://bugzilla.redhat.com/show_bug.cgi?id=676330

[3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[5] http://freeipa.org/downloads/freeipa-devel.repo
[6] https://fedorahosted.org/freeipa/query?status=closedmilestone=2.0.1+Bug+fixing+(RC)
[7] https://fedorahosted.org/freeipa/milestone/2.0.2%20Bug%20fixing%20%28RC2%29


___
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest


[Freeipa-interest] Announcing FreeIPA v2 Server Release Candidate 3 Release

2011-03-10 Thread Rob Crittenden

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the 
Release Candidate 3 release of freeIPA 2.0 server [1]. This should be 
the last release candidate, becoming the final release if no critical 
problems are found.


* Binaries are available for F-14 and F-15.
* Please do not hesitate to share feedback, criticism or bugs with us on 
our mailing list: freeipa-us...@redhat.com


Main Highlights of the Release Candidate.

This release consists primarily of bug fixes and polish across all areas 
of the project. Modifications include but are not limited to

* i18n improvements
* Fixed the self-service page in the WebUI
* Use TLS for CA replication
* Setting up Winsync agreements has been fixed

Focus of the Release Candidate Testing
* There was a Fedora test day for FreeIPA on Feb 15th [2]. These tests 
are still relevant and feedback would be appreciated. We are 
particularly interested to know if there are any problems setting up 
replication.
* The following section outlines the areas that we are mostly interested 
to test [3].


Significant Changes Since RC 2
To see all the tickets addressed since the rc2 release see [5].

Repositories and Installation
* Use the following link to install the RC 3 packages [4].
* FreeIPA relies on the latest versions of the packages currently 
available from the updates-testing repository. Please make sure to 
enable this repository before you proceed with installation.


Known Issues:
* Installing IPA on Fedora-15 works but can take more time than Fedora 
14 due to systemd. It is not recognizing some restarts as being 
successful so only continues after a 3-minute timeout. We are working on 
a solution.


Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[3] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[4] http://freeipa.org/downloads/freeipa-devel.repo
[5] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29


Detailed Changelog

Adam Young (7):
 * Revert Set hard limit on number of commands in batch request to 256.
 * update API.txt
 * Use modified entity find commands for associations
 * fix truncated message
 * typo in truncation message
 * type in default text
 * Better truncated message

Endi S. Dewata (13):
 * Removed association facets based on memberofindirect.
 * Replaced SUDO with Sudo in UI test data.
 * Fixed attribute for SUDO command group membership.
 * Save changes before modifying association.
 * Fixed host enrollment time
 * Fixed memory leak caused by IPA.dialog.
 * Fixed memory leak caused by is_dirty dialogs.
 * Fixed memory leak caused by reset password dialog.
 * Fixed memory leak caused by DNS record adder dialog.
 * Fixed memory leak caused by DNS record deleter dialog.
 * Fixed memory leak caused by IPA.error_dialog.
 * Fixed memory leak caused by certificate dialogs.
 * Fixed self service page.

John Dennis (1):
 * Add Transifex tx client configuration file

Martin Kosek (4):
 * IPA replica/server install does not check for a client
 * Inconsistent sysrestore file handling by IPA server installer
 * Improve error handling and return status codes in ipactl
 * ipa-dns-install script fails

Pavel Zuna (10):
 * Remove deprecated i18n code from ipalib/request and all references to it.
 * Send Accept-Language header over XML-RPC and translate on server.
 * Fallback to default locale (en_US) if env. setting is corrupt.
 * Translate docstrings.
 * Fix translatable strings in ipalib plugins.
 * Fix i18n related failures in unit tests.
 * Use pygettext to generate translatable strings from plugin files.
 * Final i18n unit test fixes.
 * Fix error in user plugin email normalizer for empty --setattr=email=.
 * Use ldapi: instead of unsecured ldap: in ipa core tools.

Rob Crittenden (12):
 * Set SuiteSpotGroup when setting up our 389-ds instances.
 * Use Sudo rather than SUDO as a label.
 * Replace only if old and new have nothing in common
 * Need to restart the dogtag 388-ds instance before using it.
 * Skip DNS validation checks if we're setting up DNS in ipa-server-install.
 * Fix style and grammatical issues in built-in command help.
 * Update API to reflect doc change in force parameter in dnszone_add
 * Always try to stop tracking the server cert when uninstalling client.
 * If --hostname is provided for ipa-client-install use it everywhere.
 * chkconfig the ipa service off when it is uninstalled.
 * Use TLS for dogtag replication agreements.
 * Become IPA v2 RC 3 (2.0.0.rc3)

Simo Sorce (9):
 * Set the loginShell attribute on winsynced entries if configured
 * Fix winsync agreements setup
 * Unbreak the ipa winsync plugin.
 * Fix user synchronization.
 * Make activated/inactivated groups optional
 * Use wrapper for sasl gssapi binds so it behaves like other binds
 * Fix replica setup using replication admin kerberos

[Freeipa-interest] Announcing FreeIPA v2 Server

2011-03-25 Thread Rob Crittenden

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
version 2.0.

FreeIPA is an integrated security information management solution
combining Linux (Fedora), 389 Directory Server, MIT Kerberos and NTP.
FreeIPA binds together a number of technologies and adds a web interface
and command-line administration tools.

Features of FreeIPA v2.0 include:
* Centralized authentication via Kerberos or LDAP
* Identity management for users, groups, hosts and services
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Web-based User Interface
* Server X.509 v3 certificate provisioning capabilities
* Managing host identities including grouping hosts
* Defining host-based access control rules that will be enforced
  on the client side by the IPA back end for SSSD [1]
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Centrally-managed SUDO
* Automatic management of private groups
* Compatibility with broad set of clients
* Painless password migration
* Optional integrated DNS server managed by IPA
* Optional integrated Certificate Authority to manage server certificates managed by IPA
* Can act as NIS server for legacy systems
* Supports multi-server deployment based on the multi-master replication
* User and group replication with MS Active Directory

We encourage users and developers to start testing and deploying FreeIPA 
in their environments. A very simple installation procedure is provided 
and is part of the effort of making these complex technologies simple to 
use and friendly to administrators. We encourage people to experiment 
and evaluate the current release, we welcome feedback on the overall 
experience and bug reports [2].


We also would like to encourage interested users and developers to join 
our mailing list and discuss features and development directions [3].


The complete source code[4] is available for download here:
http://www.freeipa.org/page/Downloads

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ 
for a complete changelog.


FreeIPA 2.0 is available in Fedora 15, see Known Issues below. You will 
need to enable the updates-testing repository, e.g.


 # yum install freeipa-server --enablerepo=updates-testing

Have Fun!

The FreeIPA Project Team.

---

[1] https://fedorahosted.org/sssd/
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora (component is ipa)
[3] http://freeipa.org/page/Contribute

Known Issues

 * The latest tomcat6 package has not been pushed to updates-testing. 
You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from 
koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . 
The installation will fail restarting the CA with the current tomcat6 
package in Fedora 15.
 * If the domain and realm do not match you may need to use the --force 
flag with ipa-client-install.
 * Dogtag replication is done separately from IPA replication. The 
ipa-replica-manage tool does not currently operate on dogtag replication 
agreements.
 * The OCSP URL encoded in dogtag certificates is by default the CA 
machine that issued the certificate.


Detailed Changelog since FreeIPA v2.0.0 rc3

Adam Young (1):
 * pwpolicy priority Priority is now a required field in order to add a 
new password policy.  Thus, not having the field present means we cannot 
create one.


Endi S. Dewata (1):
 * Removed nested role from UI.

Martin Kosek (2):
 * Wait for Directory Server ports to open
 * Prevent stacktrace when DNS  record is added

Pavel Zuna (1):
 * Update translation file (ipa.pot).

Rob Crittenden (4):
 * Always consider domain and server when doing DNS discovery in client.
 * Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
 * Ensure that the system hostname is lower-case.
 * Automatically update IPA LDAP on rpm upgrades

Simo Sorce (1):
 * Domain to Realm Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
 * Fix uninitialized variable.



[Freeipa-interest] Announcing FreeIPA 2.0.1

2011-05-02 Thread Rob Crittenden
The FreeIPA Project is proud to announce the latest bugfix release of 
the FreeIPA. As always, the latest tarball can be found at 
http://freeipa.org/


== Highlights ==

 * Fixed a number of issues uncovered by pylint in preparation for executing it as part of the freeIPA build process.
 * Changed the algorithm used for determining indirect membership resulting in significant performance improvement.
 * Added index for memberHost and memberUser.
 * Fixed problems in ipa-compat-manage and ipa-nis-manage.
 * Improved detection of current installation status for both client and server.
 * The --gidnumber option for users has been fixed.
 * postalCode is now a string instead of an integer. Older clients will still send this as an Int so upgrade your clients if you need this.
 * Fix 389-ds crash issue in installer. We could try to shut down the server while it was trying to create an index.
 * The default groups we create should have ipaUniqueId set

== Detailed Changelog ==

Endi S. Dewata (1):
 * Fixed undefined label in permission adder dialog box.

Jan Cholasta (10):
 * Fix wording of error message.
 * Add note about ipa-dns-install to ipa-server-install man page.
 * Fix typo in ipa-server-install.
 * Fix uninitialized variables.
 * Fix double definition of output_for_cli.
 * Add lint script for static code analysis.
 * Fix lint false positives.
 * Remove unused classes.
 * Fix some minor issues uncovered by pylint.
 * Fix uninitialized attributes.

Jr Aquino (4):
 * Escape LDAP characters in member and memberof searches
 * Add memberHost and memberUser to default indexes
 * Optimize and dynamically verify group membership
 * Delete the sudoers entry when disabling Schema Compat

Martin Kosek (12):
 * Inconsistent error message for duplicate user
 * Replica installation fails for self-signed server
 * Password policy commands do not include cospriority
 * Improve DNS PTR record validation
 * IPA replica is not started after the reboot
 * Improve Directory Service open port checker
 * Log temporary files in ipa-client-install
 * Prevent uninstalling client on the IPA server
 * pwpolicy-mod doesn't accept old attribute values
 * Forbid reinstallation in ipa-client-install
 * ipa-client-install uninstall does not work on IPA server
 * LDAP Updater may crash IPA installer

Pavel Zuna (1):
 * Fix gidnumber option of user-add command.

Rob Crittenden (18):
 * Allow a client to enroll using principal when the host has a OTP
 * Make retrieval of the CA during DNS discovery non-fatal.
 * Cache the value of get_ipa_config() in the request context.
 * Change default gecos from uid to first and last name.
 * Fix ORDERING in some attributetypes and remove other unnecessary elements.
 * postalCode should be a string not an integer.
 * Fix traceback in ipa-nis-manage.
 * Suppress --on-master from ipa-client-install command-line and man page.
 * Sort entries returned by *-find by the primary key (if any).
 * The default groups we create should have ipaUniqueId set
 * Always ask members in LDAP*ReverseMember commands.
 * Provide attributelevelrights for the aci components in permission_show.
 * Wait for memberof task and DS to start before proceeding in installation.
 * Convert manager from userid to dn for storage and back for displaying.
 * Modify the default attributes shown in user-find to match the UI design.
 * Ensure that the zonemgr passed to the installer conforms to IA5String.
 * Handle principal not found errors when converting replication agreements

Simo Sorce (2):
 * Fix resource leaks.
 * ipautil: Preserve environment unless explicitly overridden by caller.

rob


[Freeipa-interest] Announcing FreeIPA v2.1.90 beta 1 Release

2012-03-05 Thread Rob Crittenden
The FreeIPA team is proud to announce version 2.1.90 beta 1. This will 
eventually become FreeIPA v2.2.0.


It can be downloaded from http://www.freeipa.org/Downloads or from our 
development repo (http://freeipa.org/downloads/freeipa-devel.repo). 
Fedora 16 and 17 builds are available.


Builds for Fedora 15 are no longer being provided. Packages that FreeIPA 
requires are not available in Fedora 15.


== Highlights in 2.1.90 beta 1 ==

 * Forms-based login. If Kerberos negotiate authentication fails you have the option of logging in using a form using username and password. Or you can go directly to /ipa/ui/login.html if you do not have/cannot get a Kerberos ticket. This is the preferred alternative login mechanism over enabling KrbMethodK5Passwd.
 * Logout from the UI
 * Support for SSH known-hosts with sssd 1.8.0. This will create a known-hosts file dynamically based on information stored in IPA.
 * DNS forwarders now configurable via IPA
 * Configurable by DNS zone: query policy, transfer policy, forward policy and forward and reverse synchronization.
 * More consistent hostname validation
 * Recommendation that the compat plugin be disabled during migration (unnecessary overhead)
 * On new installations the default users group, ipausers, is now non-POSIX

== Upgrading ==

We tested upgrades from 2.1.4 successfully but this is beta code. We do 
not recommend upgrading a production server.


Installing updated rpms is all that is required to upgrade from 2.1.4.

It is unlikely that downgrading to a previous release once 2.1.90 is 
installed will work.


Upgrading directly from the alpha may work but is untested.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel


== Detailed Changelog since 2.1.90 beta 1 ==

Jan Cholasta (1):
*  Configure SSH features of SSSD in ipa-client-install.

John Dennis (8):
*  update translation pot file and PY_EXPLICIT_FILES list
*  update po files
*  created Transifex resource, adjust tx config file to point to it.
*  Tweak the session auth to reflect developer consensus.
*  Implement session activity timeout
*  Implement password based session login
*  Log a message when returning non-success HTTP result

Martin Kosek (21):
*  Ease zonemgr restrictions
*  Update schema for bind-dyndb-ldap
*  Global DNS options
*  Query and transfer ACLs for DNS zones
*  Add DNS conditional forwarding
*  Add API for PTR sync control
*  Add gidnumber minvalue
*  Add reverse DNS record when forward is created
*  Sanitize UDP checks in conncheck
*  Add client hostname requirements to man page
*  Add SSHFP update policy for existing zones
*  Improve dns error message
*  Improve dnsrecord-add interactive mode
*  Improve hostname and domain name validation
*  Improve FQDN handling in DNS and host plugins
*  Improve hostname verification in install tools
*  Fix typos in ipa-replica-manage man page
*  Remove memberPrincipal for deleted replicas
*  Fix encoding for setattr/addattr/delattr
*  Add help for new structured DNS framework
*  Improve dnsrecord interactive help

Ondrej Hamada (3):
*  Validate attributes in permission-add
*  Migration warning when compat enabled
*  ipa-client-install not calling authconfig

Petr Viktorin (6):
*  Make ipausers a non-posix group on new installs
*  Add extra checking function to XMLRPC test framework
*  Add common helper for interactive prompts
*  Make sure the nolog argument to ipautil.run is not a bare string
*  Use stricter semantics when checking IP address for DNS records
*  Use stricter semantics when checking IP address for DNS records
*  Use reboot from /sbin

Petr Voborník (18):
*  Fixed content type check in login_password
*  Improved usability of login dialog
*  Removed CSV creation from UI
*  Fixed problem when attributes_widget was displaying empty option
*  Added missing configuration options
*  Static metadata update - new DNS options
*  New checkboxes option: Mutual exclusive
*  DNS Zone UI: added new attributes
*  DNS UI: added A, create reverse options to adder dialog
*  Fixed displaying of A6 Record
*  New UI for DNS global configuration
*  Multiple fields for one attribute
*  Added attrs to permission when target is group or filter
*  Moved is_empty method from field to IPA object
*  Making validators to return true result if empty
*  Fixed DNS record add handling of 4304 error
*  Added unsupported_validator
*  Fixed redirection in Add and edit in automember hostgroup.
*  Fixed selection of single value in combobox
*  Added logout button
*  Forms based authentication UI

Rob Crittenden (37):
*  Limit the change password permission so it can't change admin passwords
*  Don't allow Modify Group membership permission to manage admins
*  Add the -v option to sslget to provide more verbose errors
*  Make sure memberof is in replication attribute exclusion list.
*  Don't check for schema uniqueness when comparing in ldapupdate

[Freeipa-interest] IPA 2.2 on Fedora 17

2012-06-01 Thread Rob Crittenden
The current 389-ds-base package in Fedora 17 is known to not work with 
IPA. This is any of the 1.2.11.x builds through 1.2.11.4.


The only solution we have right now is to downgrade to 1.2.10.4. This is 
unfortunately not in any yum repositories. To install it you can either 
download the packages manually from 
http://koji.fedoraproject.org/koji/buildinfo?buildID=308732 or use the 
koji tool to retrieve them:


# koji download-build 389-ds-base-1.2.10.4-2.fc17

Then install the right bits for your architecture. You'll want to remove 
any existing 389-ds-base bits:


# rpm -e 389-ds-base 389-ds-base-libs

We're working with the 389-ds team to fix this. We do not currently have 
an ETA.


rob



[Freeipa-interest] Announcing FreeIPA v3.0.0 beta 2 Release

2012-08-17 Thread Rob Crittenden
 for permission type=subtree
* IDs and names for dialogs
* Fix autoscroll to top in tables in IE
* Fixed: Unable to select option in combobox in IE and Chrome
* Fixed: Unable to select option in combobox in IE and Chrome
* Fixed: combobox stacking in service adder dialog
* PAC Type options for services in Web UI
* Update to jquery.1.7.2.min
* Update to jquery-ui-1.8.21.custom
* Fix for incorrect event handler definition
* Removal of unnecessary overrides of jquery-ui styles
* Unified buttons
* Web UI tests fix
* Fixed incorrect use of jQuery.attr for setting disabled attribute
* Replace use of attr with prop for booleans
* Add external group
* Make group external
* Make group posix
* Display group type
* Attribute facet
* Group external member facet
* Read-only external facet for non-external groups
* Handle case when trusted domain user access the Web UI
* Disable caching of Web UI login_kerberos request
* Update other facets on delete from search page

Rob Crittenden (12):
* Centralize timeout for waiting for servers to start.
* Make client server option multi-valued, allow disabling DNS discovery
* Don't hardcode serial_autoincrement to True.
* Support per-principal sessions and handle session update failures
* Default to no when trying to install a replica on wrong server.
* Fix validator for SELinux user map settings in config plugin.
* Use certmonger to renew CA subsystem certificates
* Add per-service option to store the types of PAC it supports
* Convert PKCS#11 subject to string before passing to ipapython.DN
* Use DN object for Directory Manager in ipa-replica-manage connect command
* Raise proper exception when given a bad DN attribute.
* Validate default user in ordered list when using setattr, require MLS

Simo Sorce (14):
* Fix wrong check after allocation.
* Fix safety checks to prevent orphaning replicas
* Fix detection of deleted masters
* Add libtalloc-devel as spec file BuildRequire
* Add all external samba libraries to BuildRequires
* Do not check for DNA magic values
* Move code into common krb5 utils
* Improve loops around slapi mods
* Add special modify op to regen ipaNTHash
* Move mspac structure to be a private pointer
* Load list of trusted domain on connecting to ldap
* Properly name function to add ipa external groups
* Split out manipulation of logon_info blob
* Add PAC filtering

Sumit Bose (4):
* Allow silent build if available
* ipasam: fixes for clang warnings
* ipasam: replace testing code
* Fix typo

Tomas Babej (5):
* Adds check for ipa-join.
* Permissions of replica files changed to 0600.
* Handle SSSD restart crash more gently.
* Corrects help description of selinuxusermap.
* Improves exception handling in ipa-replica-prepare.



[Freeipa-interest] Announcing FreeIPA v3.0.0 release candidate 2

2012-10-08 Thread Rob Crittenden

The FreeIPA team is proud to announce version FreeIPA v3.0.0 rc 2.

It can be downloaded from http://www.freeipa.org/page/Downloads.

Builds are not yet available but we plan builds for Fedora 18 and 
rawhide. The tarball is available on the Downloads page.


For additional information see the AD Trust design page 
http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page 
http://freeipa.org/page/IPAv3_testing_AD_trust.


== Highlights since 3.0.0 rc 1 ==

* Python changes to work with python-ldap 2.3.
* Add missing indices for automount and principal aliases which will improve performance.
* Provide a new Firefox extension for configuring the browser. Firefox 15 deprecated the interface we used in the past to set the Kerberos negotiation directives. This new extension will be used on Firefox 15 and beyond, and the older interface for older browsers.
* Man page improvements
* A SID can be created as the last step of ipa-adtrust-install.
* Create a default fallback group for AD trust users.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note, that the referential integrity extension requires an 
extended set of indexes to be configured. RPM update for an IPA server 
with an excessive number of hosts, SUDO or HBAC entries may require 
several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 should work but has not been fully tested. Proceed 
with caution.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel


== Detailed changelog ==

Alexander Bokovoy (3):
* Make sure external group members are listed for the external group
* Change the way SID comparison is done for belonging to trusted domain
* Support python-ldap 2.3 way of making LDAP control

Martin Kosek (9):
* Use custom zonemgr for reverse zones
* Validate SELinux users in config-mod
* Improve StrEnum validation error message
* Add support for unified samba packages
* Improve DN usage in ipa-client-install
* Index ipakrbprincipalalias and ipaautomountkey attributes
* Do not produce unindexed search on every DEL command
* Only use service PAC type as an override
* Fill ipakrbprincipalalias on upgrades

Petr Viktorin (4):
* Always handle NotFound error in dnsrecord-mod
* Don't use bare except: clauses in ipa-client-install
* Fix NS records in installation
* Wait for secure Dogtag ports when starting the pki services

Petr Vobornik (5):
* Kerberos authentication extension
* Kerberos authentication extension makefiles
* Build and installation of Kerberos authentication extension
* Configuration pages changed to use new FF extension
* Removal of delegation-uris instruction from browser config

Rob Crittenden (3):
* Fix python syntax in ipa-client-automount
* Clear kernel keyring in client installer, save dbdir on new connections
* Become IPA v3 RC 2 (3.0.0.rc2)

Sumit Bose (12):
* Add man page paragraph about running ipa-adtrust-install multiple times
* Enhance description of --no-msdcs in man page
* Add --rid-base and --secondary-rid-base to ipa-adtrust-install man page
* ipa-adtrust-install: remove wrong check for dm_password
* ipa-adtrust-install: Add fallback group
* ipa-adtrust-install: replace print with self.print_msg
* ipasam: add fallback primary group
* Add SIDs for existing users and groups at the end of ipa-adtrust-install
* Avoid ldapmodify error messages during ipa-adtrust-install
* ipa-adtrust-install: print list of needed SRV records
* Add new ipaIDobject to DNA plugin configuration
* ipasam: generate proper SID for trusted domain object

Tomas Babej (2):
* Improve user addition to default group in user-add
* Restrict admins group modifications



[Freeipa-interest] Announcing FreeIPA v3.0.1 Release

2012-11-09 Thread Rob Crittenden

The FreeIPA team is proud to announce version FreeIPA v3.0.1.

It can be downloaded from http://www.freeipa.org/page/Downloads.

A build will be submitted to updates-testing for Fedora 18 soon.

== Highlights in 3.0.1 ==

* Change the way we calculate what services IPA is managing so that startup/shutdown with systemd works.
* Resolve external members from trusted domain via Global Catalog.
* Improvements to ipa-client-automount.
* Man page and command help improvements.
* Added option to configure DNS forwarding by zone.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note, that the referential integrity extension requires an 
extended set of indexes to be configured. RPM update for an IPA server 
with an excessive number of hosts, SUDO or HBAC entries may require 
several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is 
not supported and has not been tested.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel


== Detailed Changelog since 3.0.0 ==

Alexander Bokovoy (4):
* Remove bogus check for smbpasswd
* Warn about DNA plugin configuration when working with local ID ranges
* Resolve external members from trusted domain via Global Catalog
* Clarify trust-add help regarding multiple runs against the same domain

Jakub Hrozek (1):
* ipa-client-automount: Add the autofs service if it doesn't exist yet

Jan Cholasta (1):
* Reword description of the --passsync option of ipa-replica-manage.

John Dennis (1):
* log dogtag errors

Martin Kosek (9):
* Create reverse zone in unattended mode
* Add fallback for httpd restarts on sysV platforms
* Report ipa-upgradeconfig errors during RPM upgrade
* Avoid uninstalling dependencies during package lifetime
* Remove servertrls and clientctrls options from rename_s
* Use common encoding in modlist generation
* Process relative nameserver DNS record correctly
* Do not require resolvable nameserver in DNS install
* Disable global forwarding per-zone

Nikolai Kondrashov (1):
* Add uninstall command hints to ipa-*-install

Petr Viktorin (3):
* ipautil.run: Log the command line before running the command
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check
* Make sure the CA is running when starting services

Petr Vobornik (2):
* Simpler instructions to generate certificate
* Fixed incorrect link to browser config after session expiration

Rob Crittenden (11):
* Use TLS for CA replication
* Don't configure a reverse zone if not desired in interactive installer.
* Fix requesting certificates that contain subject altnames.
* Improve error messages in ipa-replica-manage.
* Close connection after each request, avoid NSS shutdown problem.
* The SECURE_NFS value needs to be lower-case yes on SysV systems.
* After uninstall see if certmonger is still tracking any of our certs.
* Wait for the directory server to come up when updating the agent certificate.
* Set MLS/MCS for user_u context to what will be on remote systems.
* Handle the case where there are no replicas with list-ruv
* Become IPA 3.0.1

Simo Sorce (6):
* Add support for using AES for cross-realm TGTs
* Preserve original service_name in services
* Save service name on service startup
* Get list of service from LDAP only at startup
* Revert Save service name on service startup
* Save service name on service startup/shutdown

Sumit Bose (4):
* Fix various issues found by Coverity
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
* Restart httpd if ipa-server-trust-ad is installed or updated
* ipa-adtrust-install: allow to reset the NetBIOS domain name

Tomas Babej (4):
* Forbid overlapping primary and secondary rid ranges
* Refactoring of default.conf man page
* Make service naming in ipa-server-install consistent
* IPA Server check in ipa-replica-manage

___
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest


[Freeipa-interest] Announcing FreeIPA v4.6.90.pre2 release

2018-05-16 Thread Rob Crittenden
date_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout

=== Ganna Kaihorodova (5) ===
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder

=== Takeshi MIZUTA (1) ===
* Fix some typos in man page

=== Michal Reznik (18) ===
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function

=== Varun Mylaraiah (3) ===
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags added
closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios

=== Pavel Picka (1) ===
* WebUI Hostgroups tests cases added

=== Petr Vobornik (4) ===
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text

=== Rob Crittenden (16) ===
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALes test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot

=== Robbie Harwood (2) ===
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet

=== Stanislav Laznicka (11) ===
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options

=== Thierry Bordaz (1) ===
* Hardening of topology plugin to prevent erroneous deletion of a replica agreement

=== Tibor Dudlák (14) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option


[Freeipa-interest] Announcing freeIPA 4.6.3

2018-02-01 Thread Rob Crittenden
oting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Re-enable some KRA installation tests
* Use correct version of Python in RPM scripts
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* Add missing space in ipa-replica-conncheck error
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
* ipa-pki-retrieve-key: ensure we do not crash
* issue_server_cert: avoid application of str to bytes

=== John Morris (1) ===
* Increase dbus client timeouts during CA install

=== Martin Basti (1) ===
* py3: set samba dependencies

=== Michal Reznik (23) ===
* test_caless: add SAN extension to other certs
* prci: run full external_ca test suite
* tests: move CA related modules to pytest_plugins
* test_external_ca: selfsigned->ext_ca->selfsigned
* test_tasks: add sign_ca_and_transport() function
* paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
* test_caless: test PKINIT install and anchor update
* test_renewal_master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography

=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master

=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection

=== Petr Vobornik (1) ===
* browser config: cleanup after removal of Firefox extension

=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing

=== Rob Crittenden (13) ===
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation

=== Robbie Harwood (1) ===
* ipa-kdb: support KDB DAL version 7.0

=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help

=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals

=== Stanislav Laznicka (53) ===
* replica_prepare: Remove the correct NSS DB files
* Add a helpful comment to ca.py:install_check()
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new templ

[Freeipa-interest] Release notes for freeIPA 4.6.90.pre1

2018-03-16 Thread Rob Crittenden
master: add ipa csreplica-manage test
* test_cert_plugin: check if SAN is added with default profile
* test_help: test "help" command without cache
* test_x509: test very long OID
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* test_forced_client: decode get_file_contents() result
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography

=== Mohammad Rizwan Yusuf (5) ===
* Before the fix, when ipa-backup was called for the first time, the
LDAP database exported to
/var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif
is called for this and it runs under root, hence files were owned by root.
* Updated the TestExternalCA with the functions introduced for the steps
of external CA installation.
* When the dirsrv service, which gets started during the first
ipa-server-install --external-ca phase, is not running when the second
phase is run with --external-cert-file options, the ipa-server-install
command fails.
* IANA reserved IP address can not be used as a forwarder. This test
checks if ipa server installation throws an error when 0.0.0.0 is
specified as forwarder IP address.
* ipatest: replica install with existing entry on master

=== Nathaniel McCallum (3) ===
* Revert "Don't allow OTP or RADIUS in FIPS mode"
* Increase the default token key size
* Fix OTP validation in FIPS mode

=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection

=== Petr Vobornik (8) ===
* webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
* Revert "temp commit to run the affected tests"
* temp commit to run the affected tests
* webui:tests: close big notifications in realm domains tests
* webui:tests: realm domain add with DNS check
* webui:tests: move DNS test data to separate file
* fastcheck: do not test context in pycodestyle
* browser config: cleanup after removal of Firefox extension

=== Pavel Vomacka (16) ===
* WebUI: make keytab tables on service and host pages writable
* Include npm related files into Makefile and .gitignore
* Update jsl.conf in tests subfolder
* Edit TravisCI conf files to run WebUI unit tests
* Update README about WebUI unit tests
* Update tests
* Create symlink to qunit.js
* Update jsl to not warn about module in Gruntfile
* Add Gruntfile and package.json to ui directory
* Update QUnit CSS file to 2.4.1
* Update qunit.js to version 2.4.1
* Extend ui_driver to support geckodriver log_path
* WebUI: make Domain Resolution Order writable
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing

=== Rob Crittenden (24) ===
* Don't try to backup CS.cfg during upgrade if CA is not configured
* Don't return None on mismatched interactive passwords
* Update smart_card_auth advise script for mod_ssl
* Add value in set_directive after a commented-out version
* Don't backup nss.conf on upgrade with the switch to mod_ssl
* Enable upgrades from a mod_nss-installed master to mod_ssl
* Convert ipa-pki-proxy.conf to use mod_ssl directives
* Remove main function from the certmonger library
* Use mod_ssl instead of mod_nss for Apache TLS for new installs
* Fix detection of KRA installation so upgrades can succeed
* Move Requires: pythonX-sssdconfig into conditional
* Log contents of files created or modified by IPAChangeConf
* Don't manually generate default.conf in server, use IPAChangeConf
* Enable ephemeral KRA requests
* Make the path to CS.cfg a class variable
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
* Add exec to /var/lib/ipa/sysrestore for install status inquiries
* Use TLS for the cert-find operation

=== Robbie Harwood (2) ===
* Log errors from NSS during FIPS OTP key import
* ipa-kdb: support KDB DAL version 7.0

=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help

=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals

=== Sumit Bose (2) ===
* ipa-kdb: update trust information in all workers
* ipa-kdb: use magic value to check if ipadb is used

=== John L (1) ===
* Remove special characters in host_add random OTP generation

=== Stanislav Laznicka (71) ===
* Backup HTTPD's mod_ssl config and cert-key pair
* vault: fix vault-retrieve to a file

[Freeipa-interest] Announcing freeIPA 4.6.5

2019-03-19 Thread Rob Crittenden
-restrictive mask detection

Fraser Tweedale (12):
  Fix writing certificate chain to file
  ipaldap: avoid invalid modlist when attribute encoding differs
  rpc: always read response
  certupdate: add commentary about certmonger behaviour
  cert-request: restrict IPAddress SAN to host/service principals
  cert-request: collect only qualified DNS names for IPAddress
validation
  cert-request: generalise _san_dnsname_ips for arbitrary cname depth
  cert-request: report all unmatched SAN IP addresses
  Add tests for cert-request IP address SAN support
  cert-request: more specific errors in IP address validation
  cert-request: handle missing zone
  cert-request: fix py2 unicode/str issues

Ganna Kaihorodova (1):
  Add check for occurring traceback during uninstallation ipa master

Ian Pilcher (1):
  Allow issuing certificates with IP addresses in subjectAltName

Kaleemullah Siddiqui (1):
  Test coverage for multiservers for radius proxy

Michal Reznik (7):
  ui_tests: fixes for issues with sending key and focus on element
  ui_tests: extend test_config.py suite
  ipa_tests: test ssh keys login
  test: client uninstall fails when installed using non-existing
hostname
  tests: sssd_ssh fd leaks when user cert converted into SSH key
  add strip_cert_header() to tasks.py
  bump ci-ipa-4-6-f27 PRCI template

Mohammad Rizwan Yusuf (6):
  Extended UI test for selfservice permission.
  Extended UI test for Certificates
  Check if issuer DN is updated after self-signed > external-ca
  Check if user permissions and umask 0022 is set when executing ipa-restore
  Test if WSGI worker process count is set to 4
  Test error when yubikey hardware not present

Nikhil Dehadrai (1):
  Test for improved Custodia key distribution

Oleg Kozlov (1):
  Remove stale kdc requests info files when upgrading IPA server

Petr Voborník (1):
  ipa-advise: update url of cacerdir_rehash tool

Rob Crittenden (12):
  VERSION.m4: Set back to git snapshot
  zanata: update translations for ipa-4-6
  Use replace instead of add to set new default ipaSELinuxUserMapOrder
  Replace some test case adjectives
  Rename test class for testing simple commands, add test
  replicainstall: DS SSL replica install pick right certmonger host
  Disable message about log in ipa-backup if IPA is not configured
  Enable LDAP debug output in client to display TLS errors in join
  Update mod_nss cipher list so there is overlap with a 4.x master
  Add support for multiple certificates/formats to ipa-cacert-manage
  Add tests for ipa-cacert-manage install
  Send only the path and not the full URI to httplib.request

Robbie Harwood (2):
  Clear next field when returning list elements in queue.c
  Add cmocka unit tests for ipa otpd queue code

Sergey Orlov (1):
  ipatests: add test for correct modlist when value encoding differs

Serhii Tsymbaliuk (15):
  Fix hardcoded CSR in test_webui/test_cert.py
  Use random IPs and domains in test_webui/test_host.py
  Increase request timeout for WebUI tests
  Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
  Use random realmdomains in test_webui/test_realmdomains.py
  Fix test_user::test_login_without_username (Web UI test)
  Fix unpermitted user session in test_selfservice (Web UI test)
  Add SAN extension for CSR generation in test_cert (Web UI tests)
  Generate CSR for test_host::test_certificates (Web UI test)
  Add cookies clearing for all Web UI tests
  Remove unnecessary session clearing in some Web UI tests
  Increase some timeouts in Web UI tests
  Fix UI_driver.has_class exception. Handle situation when element
has no class attribute
  Change Web UI tests setup flow
  Fix "Configured size limit exceeded" warning on Web UI

Sumit Bose (1):
  ipa-extdom-exop: add instance counter and limit

Thierry Bordaz (1):
  In IPA 4.4 when updating userpassword with ldapmodify does not
update krbPasswordExpiration nor krbLastPwdChange

Thomas Woerner (4):
  ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
  Find orphan automember rules
  Fix resource leak in client/config.c get_config_entry
  Fix resource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon

Tibor Dudlák (4):
  Do not check deleted files with `make fastlint`
  Re-open the ldif file to prevent error message
  Add assert to check output of upgrade
  Do not set ca_host when --setup-ca is used


[Freeipa-interest] freeIPA interest mailing list migration

2023-09-22 Thread Rob Crittenden
The current freeIPA announcement mailing list
(freeipa-interest@redhat.com) will be decommissioned soon due to
retirement of the listman.redhat.com infrastructure. The other freeIPA
mailing lists (user and devel) were migrated to the Fedora-hosted
infrastructure years ago.

If you would like to continue receiving freeIPA-related communications,
please subscribe to Fedora-hosted mailing list at:

https://lists.fedoraproject.org/admin/lists/freeipa
interest.lists.fedoraproject.org/

regards

rob



Re: [Freeipa-interest] freeIPA interest mailing list migration

2023-09-22 Thread Rob Crittenden
I somehow managed to mangle the URL. This one should work:

https://lists.fedoraproject.org/admin/lists/freeipa-interest.lists.fedoraproject.org/

rob

Rob Crittenden wrote:
> The current freeIPA announcement mailing list
> (freeipa-interest@redhat.com) will be decommissioned soon due to
> retirement of the listman.redhat.com infrastructure. The other freeIPA
> mailing lists (user and devel) were migrated to the Fedora-hosted
> infrastructure years ago.
> 
> If you would like to continue receiving freeIPA-related communications,
> please subscribe to Fedora-hosted mailing list at:
> 
> https://lists.fedoraproject.org/admin/lists/freeipa
> interest.lists.fedoraproject.org/
> 
> regards
> 
> rob
> 




Re: [Freeipa-interest] [Freeipa-users] FreeIPA 4.10.0

2022-06-30 Thread Rob Crittenden
The Fedora rawhide build of 4.10.0 is done and should land in
repositories soon. The major feature of 4.10.0 is support for Random
Serial Numbers which request dogtag 11.2.0 which is only in rawhide.
Builds for other Fedora releases are not planned.

rob

Antonio Torres via FreeIPA-users wrote:
> The FreeIPA team would like to announce FreeIPA 4.10.0 release!
> 
> It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
> for Fedora distributions will be available from the official repository
> soon.
> 
> == Highlights in 4.10.0
> 
> * 2016: [RFE] Support random serial numbers in IPA certificates
> 
> RSN can be enabled in new server installations.
> 
> 
> * 7404: Incorrect certs are being updated with "ipa-certupdate"
> 
> ipa-cacert-manage command now supports the "prune" subcommand, that
> allows to remove the expired CA certificates.
> 
> 
> === Bug fixes
> 
> FreeIPA 4.10.0 is a stabilization release for the features delivered as
> a part of 4.10 version series.
> 
> There are 7 bug-fixes since FreeIPA 4.9.10 release. Details of the
> bug-fixes can be seen in the list of resolved tickets below.
> 
> == Upgrading
> 
> Upgrade instructions are available on Upgrade page.
> 
> == Feedback
> 
> Please provide comments, bugs and other feedback via the freeipa-users
> mailing list
> (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/)
> or #freeipa channel on libera.chat.
> 
> == Resolved tickets
> 
> * https://pagure.io/freeipa/issue/2016[#2016] [RFE] Support random
> serial numbers in IPA certificates
> * https://pagure.io/freeipa/issue/2278[#2278] IPA needs better sudo
> option validation or better documentation
> * https://pagure.io/freeipa/issue/7404[#7404] Incorrect certs are being
> updated with "ipa-certupdate"
> * https://pagure.io/freeipa/issue/8544[#8544] After reboot: Replication
> bind with GSSAPI auth failed
> * https://pagure.io/freeipa/issue/8684[#8684] [WebUI]
> test_hostgroup::test_names_and_button - timeout reached
> * https://pagure.io/freeipa/issue/9035[#9035] Nightly failure (rawhide)
> in test_installation_client.py::TestInstallClient
> * https://pagure.io/freeipa/issue/9105[#9105] Review usage of quiet flag
> in ipa-join
> 
> == Detailed changelog since 4.9.10
> 
> === Rob Crittenden (9)
> 
> * Fix test_secure_ajp_connector.py failing with Python 3.6.8
> https://pagure.io/freeipa/c/9a97f9b40[commit]
> * Add tests for Random Serial Number v3 support
> https://pagure.io/freeipa/c/d241d7405[commit]
> https://pagure.io/freeipa/issue/2016[#2016]
> * Add support for Random Serial Numbers v3
> https://pagure.io/freeipa/c/beaa0562d[commit]
> https://pagure.io/freeipa/issue/2016[#2016]
> * Add a new parameter type, SerialNumber, as a subclass of Str
> https://pagure.io/freeipa/c/83be923ac[commit]
> https://pagure.io/freeipa/issue/2016[#2016]
> * doc/designs: add Random Serial Numbers v3 support
> https://pagure.io/freeipa/c/d3481449e[commit]
> https://pagure.io/freeipa/issue/2016[#2016]
> * Design for IPA-to-IPA migration
> https://pagure.io/freeipa/c/d4859db4e[commit]
> * Re-work the quiet option in ipa-join to not suppress errors
> https://pagure.io/freeipa/c/61650c577[commit]
> https://pagure.io/freeipa/issue/9105[#9105]
> * Improve sudooption docs, make the option multi-value
> https://pagure.io/freeipa/c/47fbe05f7[commit]
> https://pagure.io/freeipa/issue/2278[#2278]
> * Design doc to allow LDAP bind using the RADIUS auth type
> https://pagure.io/freeipa/c/16ab690bf[commit]
> 
> === Matthew Davis (1)
> 
> * Add missing parameter to Suse modify_nsswitch_pam_stack
> https://pagure.io/freeipa/c/6d6b135ff[commit]
> 
> === Anuja More (3)
> 
> * ipatests: Fix install_master for test_idp.py
> https://pagure.io/freeipa/c/ef091c99f[commit]
> * Add end to end integration tests for external IdP
> https://pagure.io/freeipa/c/bd57ff356[commit]
> * ipatests: update prci definitions for test_idp.py
> https://pagure.io/freeipa/c/a80a98194[commit]
> 
> === Timo Aaltonen (2)
> 
> * ipaplatform/debian: Drop the path for ldap.so
> https://pagure.io/freeipa/c/808ac46ba[commit]
> * ipaplatform/debian: Use multiarch path for libsofthsm2.so
> https://pagure.io/freeipa/c/92d718dbf[commit]
> 
> === Michal Polovka (5)
> 
> * ipatests: Healthcheck use subject base from IPA not REALM
> https://pagure.io/freeipa/c/d3c11f762[commit]
> * ipatests: Increase expect timeout for interactive mode
> https://pagure.io/freeipa/c/40b3c11bd[commit]
> * ipatests: Healthcheck should ignore pki errors when CA is not
> configured https://pagure.io/freeipa/c/b2bbf8165[commit]
> * test_webui: test_hostgrou