== FreeIPA 4.4.0 Alpha 1 ==

The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release!

A tarball can be downloaded from http://www.freeipa.org/page/Downloads

== Highlights in 4.4.0 Alpha 1 ==

Enhancements:
* Improved Topology Management <http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>
* Added Overview of IPA server roles: <http://www.freeipa.org/page/V4/Server_Roles>
* Added support certificates for AD users: <http://www.freeipa.org/page/V4/Certs_in_ID_overrides>
* Added support of UPN for trusted domains <http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>
* Added support for Kerberos Authentication Indicators <http://www.freeipa.org/page/V4/Authentication_Indicators>
* Added DNS Location Mechanism <http://www.freeipa.org/page/V4/DNS_Location_Mechanism>
* Several performance improvements <http://www.freeipa.org/page/V4/Performance_Improvements>
* Refactored IPA command line tool <http://www.freeipa.org/page/V4/Thin_Client>
* Added support for Sub-CAs <http://www.freeipa.org/page/V4/Sub-CAs>

== Detailed Changelog since 4.3.1 ==

Abhijeet Kasurde (12):
      Added kpasswd_server directive in client krb5.conf
      Fixed login error message box in LoginScreen page
      Added fix for notifying user about Kerberos principal expiration in WebUI
      Added description related to 'status' in ipactl man page
      Added warning to user for Internet Explorer
      Added fix for notifying user about locked user account in WebUI
      Updated ipa command man page
      Fix added to ipa-compat-manage command line help
      Removed custom implementation of CalledProcessError
      Replaced find_hostname with api.env.host
      Added exception handling for mal-formatted XML Parsing
      Added missing translation to automount.py method

Alexander Bokovoy (11):
      slapi-nis: update configuration to allow external members of IPA groups
      extdom: do not fail to process error case when no request is specified
      otptoken: support Python 3 for the qr code
      trusts: Add support for an external trust to Active Directory domain
      adtrust: remove nttrustpartner parameter
      adtrust: remove nttrustpartner parameter
      adtrust: support GSSAPI authentication to LDAP as Active Directory user
      adtrust: support UPNs for trusted domain users
      webui: show UPN suffixes in trust properties
      webui: support external flag to trust-add
      adtrust: optimize forest root LDAP filter

Christian Heimes (3):
      Require Dogtag 10.2.6-13 to fix KRA uninstall
      Modernize mod_nss's cipher suites
      Move user/group constants for PKI and DS into ipaplatform

David Kupka (28):
      installer: Propagate option values from components instead of copying them.
      installer: Fix logic of reading option values from cache.
      ipa-dns-install: Do not check for zone overlap when DNS installed.
      ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
      installer: Change reverse zones question to better reflect reality.
      Fix: Use unattended parameter instead of options.unattended
      CI: Add '2-connected' topology generator.
      CI: Add simple replication test in 2-connected topology.
      CI: Add test for 2-connected topology generator.
      CI: Fix pep8 errors in 2-connected topology generator
      CI: add empty topology test for 2-connected topology generator
      CI: Add double circle topology.
      CI: Add replication test utilizing double-circle topology.
      CI: Add test for double-circle topology generator.
      CI: Make double circle topology python3 compatible
      upgrade: Match whole pre/post command not just basename.
      dsinstance: add start_tracking_certificates method
      httpinstance: add start_tracking_certificates method
      Look up HTTPD_USER's UID and GID during installation.
      test: test_cli: Do not expect defaults in kwargs.
      man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
      installer: positional_arguments must be tuple or list of strings
      installer: index() raises ValueError
      Remove unused locking "context manager"
      schema: Add fingerprint and TTL
      schema: Add known_fingerprints option to schema command
      schema: Cache schema in api instance
      schema: return fingerprint as unicode text

Filip Skola (9):
      Refactor test_user_plugin, use UserTracker for tests
      Refactor test_replace
      Refactor test_attr
      Refactor test_sudocmd_plugin
      Refactor test_sudocmdgroup_plugin
      Refactor test_group_plugin, use GroupTracker for tests
      Refactor test_nesting, create HostGroupTracker
      Refactor test_hostgroup_plugin
      Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (5):
      Add missing CA options to the manpage for ipa-replica-install
      Add the culprit line when a configuration file has an incorrect format
      add context to exception on LdapEntry decode error
      batch command can be used to trigger internal errors on server
      Always qualify requests for admin in ipa-replica-conncheck

Fraser Tweedale (22):
      Do not decode HTTP reason phrase from Dogtag
      Remove workaround for CA running check
      caacl: correctly handle full user principal name
      Prevent replica install from overwriting cert profiles
      Detect and repair incorrect caIPAserviceCert config
      Remove service and host cert issuer validation
      Allow CustodiaClient to be used by arbitrary principals
      Load server plugins in certmonger renewal helper
      Add ACIs for Dogtag custodia client
      Optionally add service name to Custodia key DNs
      Setup lightweight CA key retrieval on install/upgrade
      Authorise CA Agent to manage lightweight CAs
      Add custodia store for lightweight CA key replication
      Add 'ca' plugin
      Add IPA CA entry on install / upgrade
      Update 'caacl' plugin to support lightweight CAs
      Add CA argument to ra.request_certificate
      Update cert-request to allow specifying CA
      Add issuer options to cert-show and cert-find
      replica-install: configure key retriever before starting Dogtag
      upgrade: do not try to start CA if not configured
      restart scripts: bootstrap api with in_server=True

Gabe Alford (1):
      ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

Jakub Hrozek (1):
      sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1):
      Set close button type attribute to 'button'.

Jan Barta (1):
      pylint: fix: multiple-statements

Jan Cholasta (112):
      ipautil: remove unused import causing cyclic import in tests
      ipalib: assume version 2.0 when skip_version_check is enabled
      ipapython: remove default_encoding_utf8
      ipapython: port p11helper C code to Python
      ipapython: use python-cryptography instead of libcrypto in p11helper
      spec file: package python-ipalib as noarch
      cert renewal: import all external CA certs on IPA CA cert renewal
      replica install: validate DS and HTTP server certificates
      replica promotion: fix AVC denials in remote connection check
      cacert install: fix trust chain validation
      client: stop using /etc/pki/nssdb
      ipalib: provide per-call command context
      ipalib: add convenient Command method for adding messages
      certdb: never use the -r option of certutil
      spec file: bump minimum required pki-core version
      build: fix client-only build
      makeapi: use the same formatting for `int` and `long` values
      replica install: do not set CA renewal master flag
      rpc: do not crash when unable to parse JSON
      parameters: remove unused ConversionError and ValidationError arguments
      rpc: include structured error information in responses
      frontend: re-raise remote RequirementError using CLI name in CLI
      frontend: remove the unused Command.soft_validate method
      frontend: perform argument value validation only on server
      batch: do not crash when no argument is specified
      ipalib: make optional positional command arguments actually optional
      frontend: do not forward unspecified positional arguments to server
      user: do not assume the preserve flags have value in user_del
      frontend: do not forward argument defaults to server
      makeapi: optimize API.txt
      ipalib: remove the unused `csv` argument of Param
      makeaci: load additional plugins using API.add_module
      plugable: replace API.import_plugins with new API.add_package
      ipalib, ipaserver: migrate all plugins to Registry-based registration
      ipalib, ipaserver: fix incorrect API.register calls in docstrings
      plugable: remove the unused deprecated API.register method
      plugable: switch API to Registry-based plugin discovery
      frontend: merge baseldap.CallbackRegistry into Command
      frontend: move the interactive_prompt callback type to Command
      automount: do not inherit automountlocation_import from LDAPQuery
      dns: move code called on client to the module level
      dns: do not rely on server data structures in code called on client
      otptoken: fix import of DN
      otptoken_yubikey: fix otptoken_add_yubikey arguments
      vault: move client-side code to the module level
      vault: copy arguments of client commands from server counterparts
      ipalib: use relative imports for cross-plugin imports
      frontend: allow commands to have an argument named `name`
      cli: make optional positional command arguments actually optional
      dns: fix dnsrecord interactive mode
      ipaclient: introduce ipaclient.plugins
      ipalib: move client-side plugins to ipaclient
      help, makeapi: allow setting command topic explicitly
      help, makeapi: specify module topic by name
      help, makeapi: do not use hardcoded plugin package name
      plugable: turn Plugin attributes into properties
      plugable: simplify API plugin initialization code
      plugable: remember overriden plugins in API
      frontend: turn Method attributes into properties
      ipaclient: add client-side command override class
      dns: move code shared by client and server to separate module
      ipalib: split off client-side plugin code into ipaclient
      parameters: introduce cli_metavar keyword argument
      parameters: introduce no_convert keyword argument
      ipalib: replace DeprecatedParam with `deprecated` Param argument
      ipalib: introduce API schema plugins
      rpc: respect API config in RPCClient.create_connection
      rpc: allow overriding NSS DB directory in API config
      rpc: specify connection options in API config
      rpc: optimize JSON-RPC response handling
      rpc: do not validate command name in RPCClient.forward
      client install: finalize API after CA certs are available
      ipactl: use server API
      ipalib: move File command arguments to ipaclient
      misc: hide the unused --all option of `env` and `plugins` in CLI
      ipaclient: implement thin client
      ipalib: move server-side plugins to ipaserver
      frontend: do not check API minor version of the client
      schema: do not validate unrequested params in command_defaults
      replica install: use remote server API to create service entries
      schema: fix topic command output
      schema: fix typo
      spec file: require correct packages to get API plugins
      plugable: allow plugins to be non-classes
      plugable: initialize plugins on demand
      schema: generate client-side commands on demand
      batch, schema: use Dict instead of Any
      misc: fix empty CLI output of `env` and `plugins` commands
      dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
      frontend: call `execute` rather than `forward` in Local
      schema: exclude local commands
      schema: fix client-side dynamic defaults
      makeaci, makeapi: use in-server API
      frontend: don't copy command arguments to output params
      frontend: skip `value` output in output_for_cli
      frontend: do not crash on missing output in output_for_cli
      automember: add object plugin for automember_rebuild
      dns: do not rely on custom param fields in record attributes
      misc: skip `count` and `total` output in env.output_for_cli
      passwd: handle sort order of passwd argument on the client
      permission: handle ipapermright deprecated CLI alias on the client
      schema: add object class schema
      schema: remove output_params
      schema: merge command args and options
      schema: remove redundant information
      schema: remove `no_cli` from command schema
      replica install: fix thin client regression
      ldap: fix handling of binary data in search filters
      cert: add object plugin
      cert: add owner information
      cert: allow search by certificate
      dns: fix dns_update_system_records to work with thin client

Jérôme Fenal (1):
      Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (5):
      WebUI tests: fix failing of tests due to unclicable label
      WebUI test: ID views
      WebUI: Test creating user without private group
      Test fix: Cleanup for host certificate
      Test: Maximum username length higher than 255 cannot be set

Ludwig Krispenz (2):
      prevent moving of topology entries out of managed scope by modrdn operations
      v2 - avoid crash in topology plugin when host list contains host with no hostname

Lukáš Slebodník (6):
      extdom: Remove unused macro
      IPA-SAM: Fix build with samba 4.4
      CONFIGURE: Replace obsolete macros
      ipa-sam: Do not redefine LDAP_PAGE_SIZE
      SPEC: Remove unused build dependency on libwbclient
      BUILD: Remove detection of libcheck

Martin Babinsky (44):
      raise more descriptive Backend connection-related exceptions
      harden domain level 1 topology connectivity checks
      ipalib/x509.py: revert deletion of ipalib api import
      prevent crash of CA-less server upgrade due to absent certmonger
      use FFI call to rpmvercmp function for version comparison
      tests for package version comparison
      fix Py3 incompatible exception instantiation in replica install code
      ipa-csreplica-manage: remove extraneous ldap2 connection
      IPA upgrade: move replication ACIs to the mapping tree entry
      uninstallation: more robust check for master removal from topology
      correctly set LDAP bind related attributes when setting up replication
      disable RA plugins when promoting a replica from CA-less master
      fix standalone installation of externally signed CA on IPA master
      reset ldap.conf to point to newly installer replica after promotion
      always start certmonger during IPA server configuration upgrade
      upgrade: unconditional import of certificate profiles into LDAP
      CI tests: use old schema when testing hostmask-based sudo rules
      use LDAPS during standalone CA/KRA subsystem deployment
      test_cert_plugin: use only first part of the hostname to construct short name
      only search for Kerberos SRV records when autodiscovery was requested
      spec: add conflict with bind-chroot to freeipa-server-dns
      spec: require python-cryptography newer than 0.9
      ipa-replica-manage: print traceback on unexpected error when in verbose mode
      otptoken-add: improve the robustness of QR code printing
      differentiate between limit types when LDAP search exceeds configured limits
      specify type of exceeded limit when warning about truncated search results
      replica-prepare: do not add PTR records if there is no IPA managed reverse zone
      Server Roles: definitions of server roles and attributes
      Server Roles: Backend plugin to query roles and attributes
      Test suite for `serverroles` backend
      Server Roles: public API for server roles
      Server Roles: make server-{show,find} utilize role information
      Server Roles: make *config-show consume relevant roles/attributes
      Server Roles: provide an API for setting CA renewal master
      Add NTP to the list of services stored in IPA masters LDAP subtree
      Introduce "NTP server" role
      ipaserver module for working with managed topology
      delegate removal of master DNS record and replica keys to separate functions
      server-del: perform full master removal in managed topology
      CI test suite for `server-del`
      ipa-replica-manage: use `server_del` when removing domain level 1 replica
      remove the master from managed topology during uninstallation
      Fix listing of enabled roles in `server-find`
      Do not update result of *-config-show with empty server attributes

Martin Bašti (147):
      Fix DNS tests: dns-resolve returns warning
      Remove unused code in server installer related to KRA
      Fix version comparison
      Fix: replace mkdir with chmod
      Use module variables for timedate_services
      Remove empty test file
      Remove unused imports
      Remove wildcard imports
      Enable multiple warnings checks in Pylint
      Enable pylint lost exception check
      Enable pylint duplicated-key check
      Enable pylint trailing-whitespace check
      Enable pylint missing-final-newline check
      Enable pylint unused-format-string-key check
      Enable pylint expression-not-assigned check
      Enable pylint empty-docstring check
      Enable pylint unnecessary-pass check
      update_uniqueness plugin: fix referenced before assigment error
      Allow to used mixed case for sysrestore
      Upgrade: Fix upgrade of NIS Server configuration
      DNSSEC test: fix adding zones with --skip-overlap-check
      DNSSEC CI: add missing ldns-utils dependency
      Enable pylint unpacking-non-sequence check
      Enable pylint unbalanced-tuple-unpacking check
      CI test: fix regression in task.install_kra
      Warn about potential loss of CA, KRA, DNSSEC during uninstall
      Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
      Exclude o=ipaca subtree from Retro Changelog (syncrepl)
      Fix DNSSEC test: add glue record
      Warn user when ipa *-find reach limit
      DNSSEC CI: fix zone delegations
      make lint: use config file and plugin for pylint
      Upgrade: log to ipaupgrade.log when IPA server is not installed
      Disable new pylint checks
      Py3: do not use dict.iteritems()
      upgrade: fix config of sidgen and extdom plugins
      trusts: use ipaNTTrustPartner attribute to detect trust entries
      Warn user if trust is broken
      fix upgrade: wait for proper DS socket after DS restart
      Revert "test: Temporarily increase timeout in vault test."
      Remove duplicated except
      Pylint: add missing attributes of errors to definitions
      fix permission: Read Replication Agreements
      Make PTR records check optional for IPA installation
      Fix connections to DS during installation
      pylint: supress false positive no-member errors
      CI: allow customized DS install test to work with domain levels
      fix suspicious except statements
      Remove unused arguments from update_ssh_keys method
      Configure 389ds with "default" cipher suite
      krb5conf: use 'true' instead of 'yes' for forwardable option
      stageuser-activate: Normalize manager value
      Remove redundant parameters from CS.cfg in dogtaginstance
      Use platform path constant for SSSD log dir
      Fix broken trust warnings
      spec: Add missing dependencies to python*-ipalib package
      client: enable ChallengeResponseAuthentication in sshd_config
      pylint: remove bare except
      Pylint: fix definition of global variables
      Pylint: enable pointless-except check
      Pylint: enable reimported check
      Pylint: use list comprehension instead of iteration
      Pylint: import max one module per line
      Pylint: remove unnecessary-semicolon
      Pylint: enable invalid-name check
      SPEC: do not run upgrade when ipa server is not installed
      Fix: catch Exception instead of more specific exception types
      Fix stageuser-activate - managers test
      Add missing pre_common_callback to stageuser_add
      host_del: fix removal of host records
      host_del: replace dns-record find command with show
      host_del: remove unneeded dnszone-show command call
      host_del: split removing A/AAAA and PTR records to separate functions
      host_del: remove only A, AAAA, SSHFP, PTR records
      host_del: update help for --updatedns option
      host-del --updatedns: print warnings instead of error
      Use netifaces module instead of 'ip' command
      Limit max username length to 255 in config-mod
      Increase API version for 'ipamaxusernamelength' attribute change
      Configure httpd service from installer instead of directly from RPM
      Performace: don't download password attributes in host/user-find
      Do not do extra search for ipasshpubkey to generate fingerprints
      Always set hostname
      Remove deprecated hostname restoration from Fedora18
      Remove unused hostname variables
      Log errors from backup_and_replace hostname to logger
      Tasks: raise NotImplementedError for not implemented methods
      fix stageuser tests (removal of has_keytab and has_password from find)
      make: fail when ACI.txt or API.txt differs from values in source code
      ipactl: advertise --ignore-service-failure option
      Remove unused variable and finally block in SchemaCache
      Fix referenced before assigment variables in except statements
      Upgrade: always start CA
      Remove unused variables in automount plugin
      fix pylint false positive errors
      Translations: remove deprecated locale configuration
      Make option --no-members public in CLI
      Performance: Find commands: do not process members by default
      Test: fix failing host_test
      Fix: replace incorrect no_cli with no_option flag
      Fix: topologysuffix_find doesn't have no_members option
      DNS Locations: Always create DNS related privileges
      DNS Locations: add new attributes and objectclasses
      DNS Locations: location-* commands
      DNS Locations: API tests
      Allow to use non-Str attributes as keys for members
      DNS Locations: extend server-* command with locations
      DNS Location: location-show: return list of servers in location
      DNS Locations: when removing location remove it from servers first
      DNS Locations: extend tests with server-* commands
      Upgrade mod_wsgi socket-timeout on existing installation
      Exclude unneeded dirs and files from pylint check
      Fix resolve_rrsets: RRSet is not hashable
      Revert "adtrust: remove nttrustpartner parameter"
      Fix: Local variable s_indent might be referenced before defined
      Revert "Switch /usr/bin/ipa to Python 3"
      Use python2 for ipa cli
      DNS Locations: add index for ipalocation attribute
      DNS Locations: fix location-del
      DNS Locations: add idnsTemplateObject objectclass
      DNS Locations: DNS data management
      DNS Locations: permission: allow to read status of services
      DNS Locations: add ACI for template attribute
      DNS Locations: command dns-update-system-records
      DNS Locations: use dns_update_service_records in installers
      DNS Locations: adtrustinstance simplify dns management
      DNS Locations: use automatic records update in ipa-adtrust-install
      DNS Locations: server-mod: add automatic records update
      DNS Locations: dnsservers: add required objectclasses
      DNS Locations: dnsserver-* commands
      DNS Locations: dnsserver: put server_id option into named.conf
      DNS Locations: dnsserver: use the newer config way in installer
      DNS Locations: dnsserver: remove config when replica is removed
      DNS Locations: set proper substitution variable
      DNS Locations: require to restart named-pkcs11 affter location change
      DNS Locations: show warning if there is no DNS servers in location
      DNS Locations: prevent to remove used locations
      DNS Locations: do not generate location records for unused locations
      DNS Locations: location-del: remove location record
      DNS Locations: Rename ipalocationweight to ipaserviceweight
      DNS Locations: generate NTP records
      upgrade: don't fail if zone does not exists in in find
      DNS Location: add list of roles and DNS servers to location-show
      DNS Locations: dnsserver: print specific error when DNS is not installed
      Fix possibly undefined variable in ipa_smb_conf_exists()
      Updated IPA translations
      Replica promotion: use the correct IPA domain for replica

Martin Košek (1):
      Update Developers in Contributors.txt

Matt Rogers (1):
      ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1):
      Fix bytes/string handling in rpc

Milan Kubík (11):
      ipatests: replace the test-example.com domain in tests
      ipatests: Roll back the forwarder config after a test case
      ipatests: Fix configuration problems in dns tests
      ipatests: Make the A record for hosts in topology conditional
      ipatests: fix the install of external ca
      ipatests: Add missing certificate profile fixture
      ipatests: extend permission plugin test with new expected output
      spec file: rename the python-polib dependency name to python2-polib
      ipatests: fix for change_principal context manager
      ipatests: Add test case for requesting a certificate with full principal.
      spec: Add python-sssdconfig dependency for python-ipatests package

Nathaniel McCallum (7):
      Don't error when find_base() fails if a base is not required
      Rename syncreq.[ch] to otpctrl.[ch]
      Ensure that ipa-otpd bind auths validate an OTP
      Return password-only preauth if passwords are allowed
      Enable authentication indicators for OTP and RADIUS
      Migrate from #ifndef guards to #pragma once
      Enable service authentication indicator management

Oleg Fayans (26):
      CI tests: Enabled automatic creation of reverse zone during master installation
      CI tests: Added domain realm as a parameter to master installation in integration tests
      Fixed install_ca and install_kra under domain level 0
      fixed an issue with master installation not creating reverse zone
      Enabled recreation of test directory in apply_common_fixes function
      Updated connect/disconnect replica to work with both domainlevels
      Removed --ip-address option from replica installation
      Removed messing around with resolv.conf
      Integration tests for replica promotion feature
      Enabled setting domain level explicitly in test class
      Removed a constantly failing call to prepare_host
      Made apply_common_fixes call at replica installation independent on domain_level
      Workaround for ticket 5627
      Added copyright info to replica promotion tests
      rewrite a misprocessed teardown_method method as a custom decorator
      Reverted changes in mh fixture causing some tests to fail
      Fixed a bug with prepare_host failing upon existing ipatests folder
      Added a kdestroy call to clean ccache at master/client uninstallation
      Added 5 more tests to Replica Promotion testsuite
      Fixed a failure in legacy_client tests
      Add test if replica is working after domain upgrade
      Improve reporting of failed tests in topology test suite
      Bugfixes in managed topology tests
      A workaround for ticket N 5348
      Added necessary A record for the replica to root zone
      Increased certmonger timeout

Patrice Duc-Jacquet (2):
      Incorrect message when KRA already installed
      Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".

Pavel Vomacka (41):
      Add tool tips for Revert, Refresh, Undo, and Undo All
      Add support for the 'user' url parameter for the reset_password.html
      Add validation to Issue new certificate dialog
      Add pan and zoom functionality to the topology graph
      Nodes stay fixed after initial animation.
      Add field for group id in user add dialog
      Resize topology graph canvas according to window size
      Add X-Frame-Options and frame-ancestors options
      Add activate option to stage user details page
      Add 'skip overlap check' checkbox into add zone dialog
      Add 'skip overlap check' checkbox to the add dns forward zone dialog
      Add option to show OTP when adding host
      Update the delete dialog on details user page
      Add ability to stage multiple users
      Add option to stage user from details page
      Change lang.hitch to javascript bind method
      Change 'Restore' to 'Remove Hold'
      Extend the certificate request dialog
      Auth Indicators WebUI part
      Fix bad searching of reverse DNS zone
      Add adapter attribute for choosing record
      DNS Locations: WebUI part
      Add lists of hosts allowed to create or retrieve keytabs
      Correct a jslint warning
      Association table can be read only
      Extend table facet
      Add server roles on topology page
      Search facet can be without search field
      Add ability to review cert request dialog
      Add new webui plugin - ca
      Extend certificate entity page
      Extend caacl entity
      Make Actions string translatable
      Extend DNS config page
      Extend trust config page
      Add creating a segment using mouse
      Add listener which opens add segment dialog
      Add placeholder to add segment dialog
      Add DNS default TTL field
      Allow to set weight of a server without location
      DNS Servers: Web UI part

Peter Lacko (1):
      Ping module tests.

Petr Viktorin (46):
      Package ipapython, ipalib, ipaplatform, ipatests for Python 3
      Use explicit truncating division
      Don't index exceptions directly
      Use print_function future definition wherever print() is used
      Alias "unicode" to "str" under Python 3
      Avoid builtins that were removed in Python 3
      dnsutil: Rename __nonzero__ to __bool__
      Remove deprecated contrib/RHEL4
      make-lint: Allow running pylint --py3k to detect Python3 issues
      Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
      test_parameters: Ignore specific error message
      ipaldap, ldapupdate: Encoding fixes for Python 3
      ipautil.run, kernel_keyring: Encoding fixes for Python 3
      tests: Use absolute imports
      ipautil: Use mode 'w+' in write_tmp_file
      test_util: str/bytes check fixes for Python 3
      p11helper: Port to Python 3
      cli: Don't encode/decode for stdin/stdout on Python 3
      Package python3-ipaclient
      Move get_ipa_basedn from ipautil to ipadiscovery
      ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
      ipapython.sysrestore: Use str methods instead of functions from the string module
      ipalib.x809: Accept bytes for make_pem
      dns plugin: Fix zone normalization under Python 3
      sysrestore: Iterate over a list of dict keys
      test_xmlrpc: Use absolute imports
      xmlrpc_test: Rename exception instance before working with it
      radiusproxy plugin: Use str(error) rather than error.message
      xmlrpc_test: Expect bytes rather than strings for binary attributes
      ipalib.rpc: Send base64-encoded data as string under Python 3
      range plugin tests: Use bytes with MockLDAP under Python 3
      radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
      certprofile plugin: Use binary mode for file with binary data
      test_add_remove_cert_cmd: Use bytes for base64.b64encode()
      Switch /usr/bin/ipa to Python 3
      Fix remaining relative import and enable Pylint check
      ipalib.cli: Improve reporting of binary values in the CLI
      test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate'
      ipaldap: Keep attribute names as text, not bytes
      ipapython.secrets.kem: Use ConfigParser from six.moves
      test_topology_plugin: Don't rely on order of an attribute's values
      test_rpcserver: Expect updated error message under Python 3
      ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
      test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
      ipaldap: Convert dict items to list before iterating
      test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView

Petr Voborník (16):
      Bump 4.4 development version to 4.3.90
      webui: add examples to network address validator error message
      webui: pwpolicy cospriority field was marked as required
      spec: do not require arch specific ipalib package from noarch packages
      webui: dislay server suffixes in server search page
      stop installer when setup-ds.pl fail
      webui: crash nicely if sessionStorage is not available
      webui: remove moot error from webui build
      webui: use API call ca_is_enabled instead of enable_ra env variable.
      webui: fixed showing of success message after password change on login
      advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
      cookie parser: do not fail on cookie with empty value
      fix incorrect name of ipa-winsync-migrate command in help
      webui: fail nicely if cookies are disabled
      ipa-client-install: fix typo in nslcd service name
      Become IPA 4.4.0 Alpha 1

Petr Špaček (51):
      dns: Handle SERVFAIL in check if domain already exists.
      DNSSEC: Improve error reporting from ipa-ods-exporter
      DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
      DNSSEC: Make sure that current key state in LDAP matches key state in BIND
      DNSSEC: remove obsolete TODO note
      DNSSEC: add debug mode to ldapkeydb.py
      DNSSEC: logging improvements in ipa-ods-exporter
      DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
      DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
      DNSSEC: ipa-ods-exporter: add ldap-cleanup command
      DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
      DNSSEC: Log debug messages at log level DEBUG
      Fix --auto-reverse option in --unattended mode.
      Fix dns_is_enabled() API command to throw exceptions as appropriate
      Fix DNS zone overlap check to allow ipa-replica-install to work
      Fix ipa-adtrust-install to always generate SRV records with FQDNs
      Fix URL for reporting bugs in strings
      Pylint: enable parallelism
      Makefile: replace perl with sed
      Remove function ipapython.ipautil.host_exists()
      Extend installers with --forward-policy option
      Move automatic empty zone list into ipapython.dnsutil and make it reusable
      Add assert_absolute_dnsname() helper to ipapython.dnsutil
      Move function is_auto_empty_zone() into ipapython.dnsutil
      Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
      Add function ipapython.dnsutil.inside_auto_empty_zone()
      Auto-detect default value for --forward-policy option in installers
      ipa-nis-manage: Replace text references to compat plugin with NIS
      ipa-nis-manage: mention return code 3 in man page
      DNS: Fix upgrade - master to forward zone transformation
      DNS installer: accept --auto-forwarders option in unattended mode
      Remove unused file install/share/fedora-ds.init.patch
      Batch command: avoid accessing potentially undefined context.principal
      pylint: replace Refactor category with individual check names
      ipa-nis-manage: add status option
      DNS: Warn if forwarding policy conflicts with automatic empty zones
      Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
      Use root_logger for verify_host_resolvable()
      Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
      Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
      Add ipaDNSVersion option to dnsconfig* commands and use new attribute
      DNS upgrade: separate backup logic to make it reusable
      Add function ipapython.dnsutil.related_to_auto_empty_zone()
      DNS upgrade: change forwarding policy to = only for conflicting forward zones
      DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
      DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
      Require 389-ds-base >= 1.3.5.6
      DNS Locations: make ipa-ca record generation more robust
      DNS: Support default TTL setting for master DNS zones
      DNS: Warn about restart when default TTL setting DNS is changed
      DNS: Fix realm domains integration with DNS zone add.

Simo Sorce (6):
      Use only AES enctypes by default
      Always verify we have a valid ldap context.
      Improve keytab code to select the right principal.
      Convert ipa-sam to use the new getkeytab control
      Allow admins to disable preauth for SPNs.
      Allow to specify Kerberos authz data type per user

Stanislav Laznicka (21):
      Listing and cleaning RUV extended for CA suffix
      Automatically detect and remove dangling RUVs
      Cosmetic changes to the code
      Fixes minor issues
      replica-manage: fail nicely when DM psswd required
      ipa-replica-manage refactoring
      abort-clean/list/clean-ruv now work for both suffixes
      Moved password check from clean_dangling_ruv
      Fix to clean-dangling-ruv for single CA topologies
      Added pyusb as a dependency
      Added some attributes to Modify Users permission
      Deprecated the domain-level option in ipa-server-install
      Increased mod_wsgi socket-timeout
      Added <my_hostname>=<IPA REALM> mapping to krb5.conf
      Decreased timeout for IO blocking for DS
      fixes premature sys.exit in ipa-replica-manage del
      Remove dangling RUVs even if replicas are offline
      Added krb5.conf.d/ to included dirs in krb5.conf
      Removed dead code from LDAP{Remove,Add}ReverseMember
      Fixes CA always being presented as running
      Increase nsslapd-db-locks to 50000

Sumit Bose (3):
      ipa-kdb: get_authz_data_types() make sure entry can be NULL
      ipa-kdb: map_groups() consider all results
      extdom: add certificate request

Thierry Bordaz (3):
      configure DNA plugin shared config entries to allow connection with GSSAPI
      DS deadlock when memberof scopes topology plugin updates
      Make sure ipapwd_extop takes precedence over passwd_modify_extop

Thorsten Scherf (1):
      Fixed typo in service-add

Timo Aaltonen (6):
      Use HTTPD_USER in dogtaginstance.py
      Move freeipa certmonger helpers to libexecdir.
      ipa_restore: Import only FQDN from ipalib.constants
      ipaplatform: Move remaining user/group constants to ipaplatform.constants.
      Use ODS_USER/ODS_GROUP in opendnssec_conf.template
      Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10):
      py3: Remove py3 incompatible exception handling
      logger: Use warning instead of warn
      Loggger: Use warning instead of warn - dns plugin
      ipa-getkeytab: Handle the possibility of not obtaining a result
      ipa-adtrust-install: Allow dash in the NETBIOS name
      spec: Bump required sssd version to 1.13.3-5
      adtrustinstance: Make sure smb.conf exists
      l10n: Remove Transifex configuration
      ipalib: Fix user certificate docstrings
      idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (3):
      Fix minor typo
      Fix minor typos
      Fix minor typos

--
Petr Vobornik