Released 2015-07-08

The FreeIPA team is proud to announce FreeIPA v4.2.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository.

Highlights in 4.2

Enhancements

Support for multiple certificate profiles, including support for user certificates. The profiles are now replicated between FreeIPA server to have consistent state for all certificate creation request. The certificate submission requests are authorized by the new CA ACL rules (ticket, design)

Support One-Way Trust to Active Directory (ticket, design)

User life-cycle management management - add inactive stage users using UI or LDAP interface and have them moved to active users by single command. Deleted users can now be also moved - preserved - to special tree and re-activated when user returns, preserving it's UID/GID (ticket, design)

- to special tree and re-activated when user returns, preserving it's UID/GID (ticket, design) Support for Password Vault (KRA) component of PKI for storing user or service secrets. All encrypted with public key cryptography so that even FreeIPA server does not know the secrets! (ticket, design, implementation)

Datepicker is now used for datetime fields in the Web UI (ticket)

Upgrade process was overhauled. There is now single upgrade tool ( ipa-server-upgrade ) providing simplified interface for upgrading the FreeIPA server. See details in separate subsection. (ticket, design)

) providing simplified interface for upgrading the FreeIPA server. See details in separate subsection. (ticket, design) Service constrained delegation rules can be now added by UI and CLI (ticket, design)

FreeIPA Web UI now provides API browser and documentation. See IPA Server - API Browser tab (ticket)

- tab (ticket) Access control instructions were updated so that hosts can create their own services (ticket)

FreeIPA server now offers Kerberos over HTTP (kdcproxy) as a service (ticket, design)

FreeIPA Web Server no longer use deprecated mod_auth_kerb but switched to the modern mod_auth_gssapi (ticket)

but switched to the modern (ticket) New automated migration tool from winsync to ID Views (ticket, design)

(ticket, design) migrate-ds command can now search the migrated users and groups with different scope

command can now search the migrated users and groups with different scope DNSSEC integration was improved and FreeIPA server is configured to do DNSSEC validation by default. This might potentially affect installations which did not follow Deployment Recommendations for DNS.

ipa migrate-ds command can now run with different search scopes (ticket)

command can now run with different search scopes (ticket) And many other small improvements or bug fixes!

Changes to upgrade

The server still upgrades automatically during RPM update. However, ipactl start now verifies that the server was really upgraded before starting FreeIPA to prevent running upgraded bits on old data when ipa-server-upgrade was not run during RPM update (for example during FedUp Fedora upgrade).

Update files (files in /usr/share/ipa/updates/ ) format was changed. Namely:

Updates are not merged, update files are applied one at a time (ticket)

Update entries no longer support CSV - commas can be now freely used in the added attributes

Update can now use base64 values (ticket)

Update plugins are now not run automatically, but when referenced from update files ( plugin: <plugin name> )

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.1

Ade Lee (3)

Add a KRA to IPA

Add man page for ipa-kra-install

Re-enable uninstall feature for ipa-kra-install

Ales 'alich' Marecek (1)

Ipatests DNS SOA Record Maintenance

Alexander Bokovoy (21)

Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides

Update slapi-nis dependency to pull 0.54.1

AD trust: improve trust validation

Support Samba PASSDB 0.2.0 aka interface version 24

ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly

ipa-kdb: when processing transitions, hand over unknown ones to KDC

ipa-kdb: reject principals from disabled domains as a KDC policy

fix Makefile.am for daemons

slapi-nis: require 0.54.2 for CVE-2015-0283 fixes

ipaserver/dcerpc: Ensure LSA pipe has session key before using it

ipa-kdb: use proper memory chunk size when moving sids

ipa-kdb: filter out group membership from MS-PAC for exact SID matches too

add one-way trust support to ipasam

ipa-adtrust-install: add IPA master host principal to adtrust agents

trusts: pass AD DC hostname if specified explicitly

ipa-sidgen: reduce log level to normal if domain SID is not available

ipa-adtrust-install: allow configuring of trust agents

trusts: add support for one-way trust and switch to it by default

ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab

trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs

trust: support retrieving POSIX IDs with one-way trust during trust-add

Christian Heimes (4)

Provide Kerberos over HTTP (MS-KKDCP)

Fix removal of ipa-kdc-proxy.conf symlink

Fix upgrade of HTTPInstance for KDC Proxy

Improve error handling in ipa-httpd-kdcproxy

David Kupka (27)

Respect UID and GID soft static allocation.

Stop dirsrv last in ipactl stop.

Remove unneeded internal methods. Move code to public methods.

Remove service file even if it isn't link.

Produce better error in group-add command.

Fix --{user,group}-ignore-attribute in migration plugin.

ipa-restore: Check if directory is provided + better errors.

Fix error message for nonexistent members and add tests.

Use singular in help metavars + update man pages.

Always add /etc/hosts record when DNS is being configured.

Remove ipanttrustauthincoming/ipanttrustauthoutgoing from ipa trust-add output.

Abort backup restoration on not matching host.

idviews: Allow setting ssh public key on ipauseroverride-add

Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.

Restore default.conf and use it to build API.

Always reload StateFile before getting or modifying the stored values.

Remove unused part of ipa.conf.

Use mod_auth_gssapi instead of mod_auth_kerb.

Bump ipa.conf version to 17.

Lint: Skip checking of functions stolen by python-nose.

Make lint work on Fedora 22.

Lint: Fix error on pylint-1.3.1 introduced by fix for pylint-1.4.1.

Do not store state if CA is enabled

Move CA installation code into single module.

Use 389-ds centralized scripts.

upgrade: Raise error when certmonger is not running.

ipa-replica-prepare: Do not create DNS zone it automatically.

Drew Erny (1)

Migration now accepts scope as argument

Endi Sukma Dewata (8)

Fixed KRA backend.

Modififed NSSConnection not to shutdown existing database.

Added vault plugin.

Added vault-archive and vault-retrieve commands.

Fixed KRA installation problem.

Added symmetric and asymmetric vaults.

Added ipaVaultPublicKey attribute.

Added vault access control.

Francesco Marella (1)

Refactor selinuxenabled check

Fraser Tweedale (25)

Support multiple host and service certificates

Fix certificate management with service-mod

Install CA with LDAP profiles backend

Add schema for certificate profiles

ipa-pki-proxy: provide access to profiles REST API

Add ACL to allow CA agent to modify profiles

Add certprofile plugin

Enable LDAP-based profiles in CA on upgrade

Import included profiles during install or upgrade

Add generic split_any_principal method

Add profile_id parameter to 'request_certificate'

Add usercertificate attribute to user plugin

Update cert-request to support user certs and profiles

Fix certificate subject base

Import profiles earlier during install

ipa-pki-proxy: allow certificate and password authentication

Add CA ACL plugin

Enforce CA ACLs in cert-request command

certprofile: fix doc error

Upgrade CA schema during upgrade

Migrate CA profiles after enabling LDAPProfileSubsystem

certprofile: add option to export profile config

certprofile: add ability to update profile config in Dogtag

caacl: fix incorrect construction of HbacRequest for hosts

cert-request: enforce caacl for principals in SAN

Gabe Alford (17)

Remove trivial path constants from modules

ipa-server-install Directory Manager help incorrect

ipa-managed-entries requires password with bad password

Update default NTP configuration

Remove usage of app_PYTHON in ipaserver Makefiles

Remove dependency on subscription-manager

Typos in ipa-rmkeytab options help and man page

permission-add does not prompt for ipapermright in interactive mode

ipa-replica-prepare should document ipv6 options

ipatests: Add tests for valid and invalid ipa-advise

ipa-replica-prepare can only be created on the first master

Add message for skipping NTP configuration during client install

Remove unneeded ip-address option in ipa-adtrust-install

Unsaved changes dialog internally inconsistent

Allow ipa help command to run when ipa-client-install is not configured

Do not print traceback when pipe is broken

Clear SSSD caches when uninstalling the client

Jan Cholasta (109)

Do not crash in CAInstance.__init__ when default argument values are used

Fix certmonger configuration in installer code

Do not check if port 8443 is available in step 2 of external CA install

Handle profile changes in dogtag-ipa-ca-renew-agent

Do not wait for new CA certificate to appear in LDAP in ipa-certupdate

Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage

Fix possible NULL dereference in ipa-kdb

Fix memory leaks in ipa-extdom-extop

Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken

Fix memory leak in ipa-pwd-extop

Fix memory leaks in ipa-join

Fix various bugs in ipap11helper

Fix CA certificate backup and restore

Fix wrong expiration date on renewed IPA CA certificates

Restore file extended attributes and SELinux context in ipa-restore

Use correct service name in cainstance.backup_config

Stop tracking certificates before restoring them in ipa-restore

Remove redefinition of LOG from ipa-otp-lasttoken

Unload P11_Helper object's library when it is finalized in ipap11helper

Fix Kerberos error handling in ipa-sam

Fix unchecked return value in ipa-kdb

Fix unchecked return values in ipa-winsync

Fix unchecked return value in ipa-join

Fix unchecked return value in krb5 common utils

Fix memory leak in GetKeytabControl asn1 code

Add TLS 1.2 to the protocol list in mod_nss config

Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent

Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent

Improve validation of --instance and --backend options in ipa-restore

Check subject name encoding in ipa-cacert-manage renew

Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage

Fix ipa-restore on systems without IPA installed

Remove RUV from LDIF files before using them in ipa-restore

Fix CA certificate renewal syslog alert

Do not crash on unknown services in installutils.stopped_service

Restart dogtag when its server certificate is renewed

Make certificate renewal process synchronized

Fix validation of ipa-restore options

Do not assume certmonger is running in httpinstance

Put LDIF files to their original location in ipa-restore

Revert "Make all ipatokenTOTP attributes mandatory"

Create correct log directories during full restore in ipa-restore

Do not crash when replica is unreachable in ipa-restore

Bump 389-ds-base and pki-ca dependencies for POODLE fixes

ipalib: Allow multiple API instances

ipalib: Move plugin package setup to ipalib-specific API subclass

advise: Add separate API object for ipa-advise

ldap2: Use self API instance instead of ipalib.api

replica-install: Use different API instance for the remote server

certstore: Make certificate retrieval more robust

client-install: Do not crash on invalid CA certificate in LDAP

client: Fix ca_is_enabled calls

upload_cacrt: Fix empty cACertificate in cn=CAcert

ldap: Drop python-ldap tuple compatibility

ldap: Remove unused IPAdmin methods

ldap: Add connection management to LDAPClient

ldap: Use LDAPClient connection management in IPAdmin

ldap: Use LDAPClient connection management in ldap2

ldap: Add bind and unbind methods to LDAPClient

ldap: Use LDAPClient bind and unbind methods in IPAdmin

ldap: Use LDAPClient bind and unbind methods in ldap2

ldap: Use LDAPClient instead of IPASimpleLDAPObject in ldap2.modify_password

cainstance: Use LDAPClient instead of IPASimpleLDAPObject

makeaci: Use LDAPClient instead of IPASimpleLDAPObject

ldap: Move value encoding from IPASimpleLDAPObject to LDAPClient

ldap: Use LDAPClient instead of IPASimpleLDAPObject in LDAPEntry

ldap: Move schema handling from IPASimpleLDAPObject to LDAPClient

ldap: Use SimpleLDAPObject instead of IPASimpleLDAPObject in LDAPClient

ldap: Remove IPASimpleLDAPObject

Fix stop_tracking_certificates call in ipa-restore

baseldap: Fix possible crash in LDAPObject.handle_duplicate_entry

client-install: Fix kinits with non-default Kerberos config file

install: Make a package out of ipaserver.install.server

install: Move ipa-server-install code into a module

install: Move ipa-replica-install code into a module

install: Move ipa-server-upgrade code into a module

install: Fix missing variable initialization in replica install

install: Fix CA-less server install

install: Fix external CA server install

install: Move private_ccache from ipaserver to ipapython

install: Introduce installer framework ipapython.install

install: Migrate ipa-server-install to the install framework

install: Handle Knob cli_name and cli_aliases values consistently

install: Add support for positional arguments in CLI tools

install: Allow setting usage in CLI tools

install: Migrate ipa-replica-install to the install framework

vault: Move vaults to cn=vaults,cn=kra

install: Initialize API early in server and replica install

vault: Fix ipa-kra-install

install: Fix logging setup in server and replica install

User life cycle: provide preserved user virtual attribute

install: Fix ipa-replica-install not installing RA cert

User life cycle: change user-del flags to be CLI-specific

plugable: Move plugin base class and override logic to API

ipalib: Load ipaserver plugins when api.env.in_server is True

ipalib: Move find_modules_in_dir from util to plugable

plugable: Specify plugins to import in API by module names

plugable: Load plugins only from modules imported by API

plugable: Pass API to plugins on initialization rather than using set_api

plugable: Do not use DictProxy for API

plugable: Lock API on finalization rather than on initialization

ipaplatform: Do not use MagicDict for KnownServices

plugable: Remove SetProxy, DictProxy and MagicDict

plugable: Change is_production_mode to method of API

plugable: Specify plugin base classes and modules using API properties

plugable: Remove unused call method of Plugin

replica prepare: Do not use entry after disconnecting from LDAP

ipalib: Fix skip_version_check option

spec file: Update minimal versions of required packages

Jan Pazdziora (1)

No explicit zone specification.

Lenka Ryznarova (1)

Test Objectclass of postdetach group

Ludwig Krispenz (14)

ds plugin - manage replication topology in the shared tree

install part - manage topology in shared tree

replica install fails with domain level 1

accept missing binddn group

plugin uses 1 as minimum domain level to become active no calculation based on plugin version

crash when removing a replica

check for existing and self referential segments

make sure the agremment rdn match the rdn used in the segment

v2-reject modifications of endpoints and connectivity of a segment

correct management of one directional segments

fix coverity issues

v2 clear start attr from segment after initialization

v2 improve processing of invalid data.

allow deletion of segment if endpoint is not managed

Lukáš Slebodník (2)

SPEC: Explicitly requires python-sssdconfig

SPEC: Require python2 version of sssd bindings

Martin Babinsky (43)

Use 'remove-ds.pl' to remove DS instance

Moved dbus-python dependence to freeipa-python package

ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message

always get PAC for client principal if AS_REQ is true

ipa-kdb: more robust handling of principal addition/editing

OTP: failed search for the user of last token emits an error message

ipa-pwd-extop: added an informational comment about intentional fallthrough

ipa-uuid: emit a message when unexpected mod type is encountered

OTP: emit a log message when LDAP entry for config record is not found

ipa-client-install: put eol character after the last line of altered config file(s)

migrate-ds: exit with error message if no users/groups to migrate are found

Changing the token owner changes also the manager

ipa-dns-install: use STARTTLS to connect to DS

ipa-dns-install: use LDAPI to connect to DS

migrate-ds: print out failed attempts when no users/groups are migrated

show the exception message thrown by dogtag._parse_ca_status during install

do not log BINDs to non-existent users as errors

fix improper handling of boolean option in

proper client host setup/teardown in forced client reenrollment integration test suite

do not install CA on replica during integration test if setup_ca=False

ipautil: new functions kinit_keytab and kinit_password

ipa-client-install: try to get host TGT several times before giving up

Adopted kinit_keytab and kinit_password for kerberos auth

use separate ccache filename for each IPA DNSSEC daemon

point the users to PKI-related logs when CA configuration fails

suppress errors arising from deleting non-existent files during client uninstall

prevent duplicate IDs when setting up multiple replicas against single master

ipa-server-install: deprecate manual setting of master KDC password

update 'api.env.ca_host' if a different hostname is used during server install

provide dedicated ccache file for httpd

move IPA-related http runtime directories to common subdirectory

explicitly destroy httpd service ccache file during httpinstance removal

do not check for directory manager password during KRA uninstall

merge KRA installation machinery to a single module

KRA: get the right dogtag version during server uninstall

add DS index for userCertificate attribute

generalize certificate creation during testing

ipa-kdb: common function to get key encodings/salt types

increase NSS memcache timeout for IPA server

baseldap: add support for API commands managing only a single attribute

reworked certificate normalization and revocation

new commands to manage user/host/service certificates

add option to skip client API version check

Martin Bašti (126)

Dogtag 10.2 to spec.file

Fix dns zonemgr validation regression

Add bind-dyndb-ldap working dir to IPA specfile

Fix CI tests: install_adtrust

Fix upgrade: do not use invalid ldap connection

Fix: DNS installer adds invalid zonemgr email

Fix: DNS policy upgrade raises asertion error

Fix upgrade referint plugin

Upgrade: fix trusts objectclass violationi

Fix named working directory permissions

Fix: zonemgr must be unicode value

Fix warning message should not contain CLI commands

Show warning instead of error if CA did not start

Raise right exception if domain name is not valid

Fix pk11helper module compiler warnings

Fix: read_ip_addresses should return ipaddr object

Fix detection of encoding in zonemgr option

Fix zonemgr option encoding detection

Throw zonemgr error message before installation proceeds

Upgrade fix: masking named should be executed only once

Using wget to get status of CA

Show SSHFP record containing space in fingerprint

Fix don't check certificate during getting CA status

Fix: Upgrade forwardzones zones after adding newer replica

Fix zone find during forwardzone upgrade

Fix traceback if zonemgr error contains unicode

DNS tests: separate current forward zone tests

New test cases for Forward_zones

Detect and warn about invalid DNS forward zone configuration

DNS tests: warning if forward zone is inactive

Add debug messages into client autodetection

DNSSEC catch ldap exceptions in ipa-dnskeysyncd

DNSSEC: fix root zone dns name conversion

Always return absolute idnsname in dnszone commands

Use dyndns_update instead of deprecated sssd option

Fix reference counting in pkcs11 extension

Prevent install scripts fail silently if timeout exceeded

Fix warning message on client side

Fix restoring services status during uninstall

Fix do not enable service before storing status

Uninstall configured services only

Fix saving named restore status

Migrate uniquess plugins configuration to new style

Fix uniqueness plugins

DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Fix memory leaks in ipap11helper

Remove unused method from ipap11pkcs helper module

Remove unused disable-betxn.ldif file

DNS fix: do not traceback if unsupported records are in LDAP

DNS fix: do not show part options for unsupported records

DNS: remove NSEC3PARAM from records

Fix dead code in ipap11helper module

Server Upgrade: Remove unused PRE_SCHEMA_UPDATE

Server Upgrade: do not sort updates by DN

Server Upgrade: Upgrade one file per time

Server Upgrade: Set modified to false, before each update

Server Upgrade: Update entries in order specified in file

Server Upgrade: order update files by default

Server Upgrade: respect --test option in plugins

Server Upgrade: remove --test option

Server Upgrade: Fix comments

DNSSEC: Do not log into files

Fix ldap2 shared connection

Server Upgrade: use only LDAPI connection

Server Upgrade: remove unused code in upgrade

Server Upgrade: Apply plugin updates immediately

Server Upgrade: specify order of plugins in update files

Server Upgrade: plugins should use ldapupdater API instance

Server Upgrade: Handle connection better in updates_from_dict

Server Upgrade: use ldap2 connection in fix_replica_agreements

Server Upgrade: restart DS using ipaplatfom service

Server Upgrade: only root can run updates

DNSSEC CI tests

ipa client: make --ntp-server option multivalued

ipa client: use NTP servers detected from SRV

ipa client: use NTP servers specified by user

Server Upgrade: ipa-server-upgrade command

Server Upgrade: Verify version and platform

Server Upgrade: use ipa-server-upgrade in RPM upgrade

Server Upgrade: fix a comment in ldapupdater

move realm_to_serverid to installutils module

Server Upgrade: use LDIF parser to modify DSE.ldif

Server Upgrade: enable DS global lock during upgrade

Server Upgrade: remove CSV from upgrade files

Server Upgrade: Allow base64 encoded values

Server Upgrade: fix memberUid index

Dont use the proxy to check CA status

Server Upgrade: Do not start DS if it was stopped before upgrade

Server Upgrade: raise RuntimeError instead exit()

Server Upgrade: do not allow to run upgradeinstace alone

Server Upgrade: handle errors better

Server Upgrade: ipa-ldap-updater will not do overall upgrade

Server Upgrade: Fix uniqueness plugins

DNSSEC: FIX Do not re-create kasp.db if already exists

DNSSEC: update OpenDNSSEC KASP configuration

DNS install: extract DNS installer into one module

Pylint: fix false positive warning for domain

Uid uniqueness: fix: exclude compat tree from uniqueness

Server Upgrade: wait until DS is ready

Server Upgrade: Fix: execute schema update

Server Upgrade: Move code from ipa-upgradeconfig to separate module

Fix: use DS socket check only for upgrade

Server Upgrade: fix remove statement

Installers fix: remove temporal ccache

ULC: fix: upgrade for stage Stage User Admins failed

Fix: regression in host and service plugin

DNSSEC: Improve global forwarders validation

DNSSEC: validate forward zone forwarders

Revert 389-DS BuildRequires version to 1.3.3.9

DNSSEC: fix traceback during shutdown phase

Server Upgrade: disconnect ldap2 connection before DS restart

DNS: add UnknownRecord to schema

ipa-ca-install fix: reconnect ldap2 after DS restart

Server Upgrade: create default config for NIS Server plugin

Fix indicies ntUserDomainId, ntUniqueId

Sanitize CA replica install

DNS: Do not traceback if DNS is not installed

KRA Install: check replica file if contains req. certificates

Server Upgrade: use debug log level for upgrade instead of info

DNSSEC: allow to disable/replace DNSSEC key master

DNSSEC: update message

Allow to run subprocess with suplementary groups

FIX: Clear SSSD caches when uninstalling the client

Fix regression: ipa-dns-install will add CA records if required

Upgrade: Do not show upgrade failed message when IPA is not installed

Fix logging in API

Martin Košek (11)

Fix ImportError in ipa-ca-install

Bump SSSD Requires to 1.12.3

Fix IPA_BACKUP_DIR path name

Allow PassSync user to locate and update NT users

Allow Replication Administrators manipulate Winsync Agreements

Replication Administrators cannot remove replication agreements

Add anonymous read ACI for DUA profile

Print PublicError traceback when in debug mode

group-detach does not add correct objectclasses

Remove references to GPL v2.0 license

Fix typo in ipa-server-upgrade man page

Milan Kubik (1)

ipatests: port of p11helper test from github

Milan Kubík (2)

Abstract the HostTracker class from host plugin test

Fix for a typo in certprofile mod command.

Nathan Kinder (2)

Timeout when performing time sync during client install

Skip time sync during client install when using --no-ntp

Nathaniel McCallum (15)

Ensure that a password exists after OTP validation

Improve otptoken help messages

Ensure users exist when assigning tokens to them

Enable QR code display by default in otptoken-add

Catch USBError during YubiKey location

Preliminary refactoring of libotp files

Move authentication configuration cache into libotp

Enable last token deletion when password auth type is configured

Make token auth and sync windows configurable

Create an OTP help topic

Prefer TCP connections to UDP in krb5 clients

Expose the disabled User Auth Type

Update python-yubico dependency version

Fix a signedness bug in OTP code

Fix OTP token URI generation

Petr Viktorin (35)

ipa-restore: Don't crash if AD trust is not installed

ipaplatform: Use the dirsrv service, not target

Do not restore SELinux settings that were not backed up

Add additional backup & restore checks

tests: Use PEP8-compliant setup/teardown method names

tests: Add configuration for pytest

ipatests.util.ClassChecker: Raise AttributeError in get_subcls

test_automount_plugin: Fix test ordering

Use setup_class/teardown_class in Declarative tests

dogtag plugin: Don't use doctest syntax for non-doctest examples

test_webui: Don't use __init__ for test classes

test_ipapython: Use functions instead of classes in test generators

Configure pytest to run doctests

Declarative tests: Move cleanup to setup_class/teardown_class

Declarative tests: Switch to pytest

Integration tests: Port the ordering plugin to pytest

Switch make-test to pytest

Add local pytest plugin for --with-xunit and --logging-level

Switch ipa-run-tests to pytest

Switch integration testing config to a fixture

Integration tests: Port the BeakerLib plugin and log collection to pytest

test_integration: Adjust tests for pytest

copy_schema_to_ca: Fallback to old import location for ipaplatform.services

Ignore ipap11helper/setup.py in doctests

test_integration: Use python-pytest-multihost

test_integration: Use collect_log from the host, not the testing class

test_integration: Parametrize test instead of using a generator

ipatests: Use pytest-beakerlib

ipatests: Use pytest-sourceorder

Run pylint on tests

test_host_plugin: Convert tests to imperative style

test_host_plugin: Split tests into independent classes

test_host_plugin: Use HostTracker fixtures

rename_managed: Remove use of EditableDN

Remove Editable DN and DN component classes

Petr Voborník (113)

build: increase java stack size for all arches

ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

unittests: baserid for ipa-ad-trust-posix idranges

ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges

idrange: include raw range type in output

webui: prohibit setting rid base with ipa-trust-ad-posix type

webui: fix potential XSS vulnerabilities

restore: clear httpd ccache after restore

webui: use domain name instead of domain SID in idrange adder dialog

webui: normalize idview tab labels

webui: add radius fields to user page

fix indentation in ipa-restore page

add --hosts and --hostgroup options to allow/retrieve keytab methods

webui: fix service unprovisioning

webui: increase duration of notification messages

revert removal of cn attribute from idnsRecord

migrate-ds: fix compat plugin check

rpcclient: use json_encode_binary for verbose output

Fix TOTP Synchronization Window label

ipatests: add missing ssh object classes to idoverrideuser

webui: service: add ipakrbrequirespreauth checkbox

webui: unable to select single value in CB by enter key

webui: use no_members option in entity select search

performance: faster DN implementation

speed up convert_attribute_members

speed up indirect member processing

webui: add pwpolicy link to group details page if group has associated pwpolicy

webui-ci: do not open 2 browser windows

Update BUILD.txt

allow to call ldap2.destroy_connection multiple times

use Connectible.disconnect() instead of .destroy_connection()

jQuery.ordered_map: faster creation

jQuery.ordered_map: remove map attribute

migrate-ds: optimize adding users to default group

migrate-ds: skip default group option

migrate-ds: remove unused def_group_gid context property

migrate-ds: optimize gid checks by utilizing dictionary nature of set

migrate-ds: log migrated group members only on debug level

cli: differentiate Flag a Bool when autofill is set

webui-ci: fix type error in host_tasks inicializations

webui: update patternfly to v1.1.4

webui: rename IPA.user_* to IPA.user.*

webui: declare search command options in search facet

webui: register construction spec based on existing spec

webui: entity facets in facet registry

webui: entity menu items navigate to main entity facet

webui: prefer entity fallback in menu item select

webui: navigation: do not remember selected childs of menu item

webui: navigation: unique names on entity facet menu items

webui: metadata validator min and max value overrides

webui: custom facet groups in a facet

webui: facet groups widget

webui: allow to replace facet tabs with sidebar

webui: allow to hide facet tabs or sidebar

webui: facet policies for all facets

webui: stageuser plugin

webui: extend user deleter dialog with --permanent and --preserve options

webui: update stageuser/user pages based on action in diffrent user search page

webui: stageusers, display page elements based on user state

webui: prefer search facet's deleter dialog

webui: fix empty table border in Firefox

webui: option to not create user private group

webui: add boostrap-datepicker files

webui: datetime widget with datepicker

git ignore ipaplatform/__init__.py

server-find and server-show commands

topology: ipa management commands

webui: IPA.command_dialog - a new dialog base class

webui: use command_dialog as a base class for password dialog

webui: make usage of --all in details facet optional

webui: topology plugin

webui: configurable refresh command

webui: don't log in back after logout

topology: allow only one node to be specified in topologysegment-refresh

topology: hide topologysuffix-add del mod commands

move replications managers group to cn=sysaccounts,cn=etc,$SUFFIX

add entries required by topology plugin on update

webui: make topology suffices UI readonly

rename topologysegment_refresh to topologysegment_reinitialize

disallow mod of topology segment nodes

topology: restrict direction changes

topology: fix swapped topologysegment-reinitialize behavior

regenerate ACI.txt after stage user permission rename

ipa-replica-manage: Do not allow topology altering commands from DL 1

server: add "del" command

ipa-replica-manage: adjust del to work with managed topology

webui: adjust user deleter dialog to new api

Become IPA 4.2.0 Alpha 1

fix handling of ldap.LDAPError in installer

add python-setuptools to requires

fix force-sync, re-initialize of replica and a check for replication agreement existence

topology: check topology in ipa-replica-manage del

Verify replication topology for a suffix

replication: fix regression in get_agreement_type

ipa-replica-manage del: relax segment deletement check if topology is disconnected

ipa-replica-manage del: add timeout to segment removal check

topologysegment: hide direction and enable options

topology: make cn of new segment consistent with topology plugin

include more information in metadata

webui: ListViewWidget

webui: fix webui specific metadata

webui: menu and navigation fixes

webui: API browser

webui: add mangedby tab to otptoken

webui: certificate profiles

webui: caacl

webui: hide facet tab in certificate details facet

move session_logout command to ipalib/plugins directory

webui: cert-request improvements

webui: show multiple cert

webui: remove cert manipulation actions from host and service

fix error message when certificate CN is invalid

Become IPA 4.2.0

Petr Špaček (28)

Fix zone name to directory name conversion in BINDMgr.

Fix minimal version of BIND for Fedora 20 and 21

Fix default value type for wait_for_dns option

p11helper: standardize indentation and other visual aspects of the code

p11helper: use sizeof() instead of magic constants

p11helper: clarify error message

Clarify messages related to adding DNS forwarders

Grammar fix in 'Estimated time' messages printed by installer

Clarify host name output in ipa-client-install

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

DNSSEC: Detect zone shadowing with incorrect DNSSEC signatures.

Bump run-time requires to SoftHSM 2.0.0rc1.

Improve error messages about reverse address resolution in ipa-replica-prepare

Clarify recommendation about --ip-address option in ipa-replica-prepapre

Clarify error messages in ipa-replica-prepare: add_dns_records()

Hide traceback in ipa-dnskeysyncd if kinit failed.

Bump minimal BIND version for CentOS.

Rate-limit while loop in SystemdService.is_active().

Add hint how to re-run IPA upgrade.

DNSSEC: Detect invalid master keys in LDAP.

DNSSEC: Accept ipa-ods-exporter commands from command line.

DNSSEC: ipa-ods-exporter: move zone synchronization into separate function

DNSSEC: log ipa-ods-exporter file lock operations into debug log

DNSSEC: Add ability to trigger full data synchronization to ipa-ods-exporter.

DNSSEC: Improve ipa-ods-exporter log messages with key metadata.

DNSSEC: Store time & date key metadata in UTC.

DNSSEC: ipa-dns-install: Detect existing master server sooner.

DNSSEC: Detect attempt to install & disable master at the same time.

Rob Crittenden (5)

Search using proper scope when connecting CA instances

Use NSS protocol range API to set available TLS protocols

Add plugin to manage service constraint delegations

Add ACI to allow hosts to add their own services

Don't rely on positional arguments for python-kerberos calls

Simo Sorce (14)

Add UTC date to GIT snapshot version generation

Fix filtering of enctypes in server code.

Add asn1c generated code for keytab controls

Use asn1c helpers to encode/decode the getkeytab control

Stop saving the master key in a stash file

Avoid calling ldap functions without a context

Remove the removal of the ccache

Handle DAL ABI change in MIT 1.13

Add a clear OpenSSL exception.

Stop including the DES algorythm from openssl.

Detect default encsalts kadmin password change

Add compatibility function for older libkrb5

Fix s4u2proxy README and add warning

Replicas cannot define their own master password.

Sumit Bose (16)

ipa-range-check: do not treat missing objects as error

Add configure check for cwrap libraries

extdom: handle ERANGE return code for getXXYYY_r() calls

extdom: make nss buffer configurable

extdom: return LDAP_NO_SUCH_OBJECT to the client

extdom: fix memory leak

extdom: add err_msg member to request context

extdom: add add_err_msg() with test

extdom: add selected error messages

extdom: migrate check-based test to cmocka

extdom: fix wrong realloc size

extdom: add unit-test for get_user_grouplist()

ipa-kdb: convert test to cmocka

ipa-kdb: add unit-test for filter_logon_info()

ipa-kdb: make string_to_sid() and dom_sid_string() more robust

ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()

Thierry Bordaz (19)

User Life Cycle: create containers and scoping DS plugins

User Life Cycle: DNA scopes full SUFFIX

Deadlock in schema compat plugin (between automember_update_membership task and dse update)

User Life Cycle: Exclude subtree for ipaUniqueID generation

User life cycle: stageuser-add verb

User life cycle: allows MODRDN from ldap2

User life cycle: new stageuser commands del/mod/find/show

User life cycle: new stageuser commands activate

User life cycle: new stageuser commands activate (provisioning)

User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user

User life cycle: user-find support finding delete users

User life cycle: support of user-undel

User life cycle: DNA DS plugin should exclude provisioning DIT

User life cycle: Stage user Administrators permission/priviledge

User life cycle: Add 'Stage User Provisioning' permission/priviledge

Stage User: Fix permissions naming and split them where apropriate.

Display the wrong attribute name when mandatory attribute is missing

Limit deadlocks between DS plugin DNA and slapi-nis

User life cycle: permission to delete a preserved user

Thorsten Scherf (4)

pwpolicy-add: Added better error handling

Add help string on how to configure multiple DNS forwards for various cli tools

Removed recommendation from ipa-adtrust-install

Changed in-tree development setup instructions

Tomáš Babej (52)