IPAv2_210

August 17, 2011

The FreeIPA project team is pleased to announce the availability of the freeIPA 2.1.0 server.

It is available in Fedora 15.

Known Issues

  • The OCSP URL encoded in dogtag certificates is by default the CA machine that issued the certificate.

Changelog since 2.0.1

Adam Young (62):

  • Fixed labels for sudo and hbac rules

  • update metadata with label changes

  • define entities using builder and more declarative syntax

  • default all false no longer default to all: true for searches, only specify it for user searches

  • code review fixes

  • make use of new user-find columns.

  • fix JSL error

  • Upgrade to jquery 1.5.2

  • action panel to top tabs

  • remove jquery-cookie library

  • update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call

  • whitespace and -x removal

  • create entities on demand. fixed changes from code review

  • automount UI

  • redirect on show error.

  • redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.

  • automount delete key indirect automount maps

  • scrollable content areas

  • dialog scrolling table

  • JSON marshalling list

  • dns multiple records show multiple records that share the same dnsname

  • no redirect on search

  • test for dirty

  • test dirty textarea runs the testdirty check before setting the undo tag for a textarea

  • test dirty multivalue test the multivalue widgets for changes before showing the undo link.

  • test dirty onchange

  • entity select widget for manager

  • hide automount tabs.

  • service host entity select Use the entity select widget for add service

  • entity select undo

  • no redirect on unknown error If the error name indicates a server-wide error, do not attempt to redirect.

  • editable entity_select

  • ipaddress for host add

  • entity select for password policy

  • tooltips for host add

  • automountkey details

  • identify target as section for permissions

  • optional uid

  • validate required fields

  • Generate record type list from metadata

  • shorten url cache state in a javascript variable, and leave on information about the current entity in the URL hash params

  • containing entity pkeys

  • undefined pkeys

  • config fields

  • ipadefaultemaildomain

  • config widgets entity select default group checkbox for migration

  • entity link for password policy

  • validate ints

  • password expiration label

  • HBAC deny warning

  • check required on add

  • clear errors on reset

  • indirect admins

  • entity_select naming

  • remove HBAC warning from static UI

  • dnsrecord-mod ui

  • no dns

  • remove hardcoded DNS label for record name.

  • move dns to identity tab

  • removing setters setup and init

  • dns section header i18n.

  • use other_entity for adder columns

Alexander Bokovoy (10):

  • Convert Bool to TRUE/FALSE when working with LDAP backend

  • Minor typos in the examples

  • Convert nsaccountlock to always work as bool towards Python code

  • Rearrange logging for NSCD daemon.

  • Fix sssd.conf to always have IPA certificate for the domain.

  • Add hbactest command.

  • Modify /etc/sysconfig/network on a client when IPA manages hostname

  • Make proper LDAP configuration reporting for ipa-client-install

  • Ensure network configuration file has proper permissions

  • Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):

  • Fixed undefined label in permission adder dialog box.

  • Initial Selenium test cases.

  • Added functional test runner.

  • Refactored action panel and client area.

  • Refactored builder interface.

  • Refactored search facet.

  • Entitlements.

  • Updated Selenium tests.

  • Merged IPA.cmd() into IPA.command().

  • Entitlement registration.

  • Entitlement import.

  • Entitlement download.

  • Moved adder dialog box into entity.

  • Standardized action panel buttons creation.

  • Entitlement quantity validation.

  • Refactored navigation.

  • Use entity names for tab state.

  • Moved entity contents outside navigation.

  • Added facet container.

  • Fixed self-service UI.

  • Updated Selenium tests.

  • Updated Selenium tests.

  • Updated DNS interface.

  • Added Selenium tests for DNS.

  • Added UUID field for entitlement registration.

  • Added Self-Service and Delegation tests.

  • Customizable facet groups.

  • Read-only association facet.

  • jQuery ordered map.

  • Fixed problem disabling HBAC and SUDO rules.

  • Fixed Ajax error handling.

  • Fixed details tests.

  • Fixed adder dialog title.

  • Fixed Add and Edit without primary key.

  • Fixed Selenium tests.

  • Fixed URL parameter parsing.

  • Added Update and Reset buttons into Dirty dialog.

  • Fixed problem deleting value in text field.

  • Added pagination for associations.

  • Fixed pagination problem.

  • Temporary fix for indirect member tabs.

  • Fixed blank dialog box on internal error.

  • Fixed resizing issues.

  • Added selectable option for table widget.

  • Entitlement status.

  • Fixed tab navigation.

  • Fixed build break.

  • Fixed paging for indirect members.

  • Renamed associate.js to association.js.

  • Fixed self-service links.

  • Merged direct and indirect association facets

  • Storing page number in URL.

  • Removed FreeWay font files.

  • Fixed problem with navigation tabs on reload.

  • Converted entity header into facet header.

  • Added navigation breadcrumb.

  • Added record count into association facet tabs.

  • Added singular entity labels.

  • Fixed entity labels.

  • Fixed DNS records page title.

  • Fixed undo all problem.

  • Removed unused images.

  • Fixed hard-coded messages.

  • Added confirmation dialog for user activation.

  • Fixed button style in Entitlements

  • Removed invalid associations.

  • Added arrow icons for details sections.

  • Fixed object_name usage.

  • Fixed HBAC/Sudo rules associations.

  • Fixed blank self-service page.

  • Fixed dirty dialog problems in HBAC/Sudo rules.

  • Fixed test fixture file name.

  • Fixed missing entitlement import button label

  • Added sudo options.

  • Fixed collapsed table in Chrome.

  • Fixed object_name and object_name_plural internationalization

  • Fixed label capitalization

  • Entity select widget improvements

  • Removed reverse zones from host adder dialog.

  • Fixed host details fields.

  • Added checkbox to remove hosts from DNS.

  • Creating reverse zones from IP address.

  • Removed entitlement registration UUID field.

  • Fixed problem loading data in HBAC/sudo details page.

  • Removed HBAC access time code.

  • Removed custom layouts using HTML templates.

  • Refactored IPA.current_facet().

  • Fixed problem with navigation state loading.

  • Fixed navigation problems.

  • Fixed navigation unit test.

  • Fixed click handlers on certificate buttons.

  • New icons for entitlement buttons

  • Fixed problem bookmarking Policy/IPA Server tabs

  • Fixed problem setting host OTP.

  • Fixed hard-coded labels in sudo rules.

  • Fixed hard-coded label in Find button.

  • Fixed missing section header in sudo command group.

  • Fixed problem unprovisioning service.

  • Fixed missing memberof definition in HBAC service.

  • Added association facets for HBAC and sudo.

  • Fixed certificate buttons.

  • Fixed missing icons.

  • Fixed misaligned search icon.

  • Resizable adder dialog box.

  • Linked entries in HBAC/sudo details page.

  • Fixed 3rd level tab style.

  • Fixed facet group labels.

  • Fixed error after login on IE

  • Fixed host adder dialog.

  • Fixed DNS zone adder dialog.

  • Fixed broken links in ipa_error.css and ipa_migration.css.

  • Fixed problem clicking 3rd level tabs.

  • Fixed link style in dialog box.

  • Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):

  • Remove wrong kpasswd sysconfig

Jan Cholasta (34):

  • Fix wording of error message.

  • Add note about ipa-dns-install to ipa-server-install man page.

  • Fix typo in ipa-server-install.

  • Fix uninitialized variables.

  • Fix double definition of output_for_cli.

  • Add lint script for static code analysis.

  • Fix lint false positives.

  • Remove unused classes.

  • Fix some minor issues uncovered by pylint.

  • Fix uninitialized attributes.

  • Run lint during each build.

  • Several improvements of the lint script.

  • Fix issues found by Coverity.

  • Fix regressions introduced by pylint false positive fixes.

  • Assume ipa help for plugins.

  • Parse netmasks in IP addresses passed to server install.

  • Honor netmask in DNS reverse zone setup.

  • Do stricter checking of IP addresses passed to server install.

  • Fix directory manager password validation in ipa-nis-manage.

  • Improve IP address handling in the host-add command.

  • Verify that the hostname is fully-qualified before accessing the service information in ipactl.

  • Remove redundant configuration values from krb5.conf.

  • Replace the ‘private’ option in netgroup-find with ‘managed’.

  • Configure SSSD to store user password if offline.

  • Fix creation of reverse DNS zones.

  • Add ability to specify DNS reverse zone name by IP network address.

  • Fix exit status of ipa-nis-manage enable.

  • Update minimum required version of python-netaddr.

  • Clean up of IP address checks in install scripts.

  • Don’t delete NIS netgroup compat suffix on ‘ipa-nis-manage disable’.

  • Fix ipa-compat-manage not working after recent ipa-nis-manage change.

  • Make sure that hostname specified by user is not an IP address.

  • Fix external CA install.

  • Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):

  • Module for DN objects plus unit test

  • assert_deepequal supports callback for equality testing

  • Add backslash escape support for cvs reader

  • Use DN class in get_primary_key_from_dn to return decoded value

  • Update test_role_plugin test to include a comma in a privilege

  • Ticket 1485 - DN pairwise grouping

  • Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.

  • Clean up existing DN object usage

  • transifex translation adjustment

Jr Aquino (15):

  • Escape LDAP characters in member and memberof searches

  • Add memberHost and memberUser to default indexes

  • Optimize and dynamically verify group membership

  • Delete the sudoers entry when disabling Schema Compat

  • Return copy of config from ipa_get_config()

  • Typo in host_nis_groups has been creating 2 CN’s

  • Add sudorule and hbacrule to memberof and indirectmemberof attributes

  • Display remaining external hosts when removing from sudorule

  • Raise DuplicateEntry Error when adding a duplicate sudo option

  • Don’t add empty tuple to entry_attrs[‘externalhost’]

  • oneliner correct typo in ipasudorunas_group

  • Return correct “RunAs External Group” when removing members

  • remove escapes from the cvs parser in ipaserver/install/ldapupdate

  • Correct behavior for sudorunasgroup vs sudorunasuser

  • Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):

  • Inconsistent error message for duplicate user

  • Replica installation fails for self-signed server

  • Remove doc from API.txt

  • Revert “Remove doc from API.txt”

  • Password policy commands do not include cospriority

  • Improve DNS PTR record validation

  • Remove unwanted trimming in text fields

  • Need force option in DNS zone adder dialog

  • IPA replica is not started after the reboot

  • Improve Directory Service open port checker

  • Log temporary files in ipa-client-install

  • Prevent uninstalling client on the IPA server

  • pwpolicy-mod doesn’t accept old attribute values

  • Forbid reinstallation in ipa-client-install

  • ipa-client-install uninstall does not work on IPA server

  • LDAP Updater may crash IPA installer

  • NS records not updated by replica

  • Bad return values for ipa-rmkeytab command

  • Update spec with missing BuildRequires for pylint check

  • Let selinux-policy handle port 7390

  • Limit passwd plugin to user container

  • Consolidate man pages and IPA tools help

  • Remove doc from API.txt

  • Improve service manipulation in client install

  • Running ipa-replica-manage as non-root cause errors

  • KDC autodiscovery may fail when domain is not realm

  • A new flag to disable creation of UPG

  • Fix reverse zone creation in ipa-replica-prepare

  • Improve interactive mode for DNS plugin

  • Localization fails for MaxArgumentError

  • Fix forward zone creation in ipa-replica-prepare

  • Connection check program for replica installation

  • Fix support for nss-pam-ldapd

  • Skip know_host check for ipa-replica-conncheck

  • IPA installation with --no-host-dns fails

  • Handle LDAP search references

  • Add ignore lists to migrate-ds command

  • Improve DNS zone creation

  • Add a list of managed hosts

  • Missing krbprincipalname when uid is not set

  • Add port 9443 to replica port checking

  • Fix doc for sudorule runasuser commands

  • Improve IP address handling in IPA option parser

  • Multi-process build problems

  • DNS installation fails when domain and host domain mismatch

  • Fix IPA install for secure umask

  • Allow recursion by default

  • Add DNS record modification command

  • Filter reverse zones in dnszone-find

  • Remove sensitive information from logs

  • Fix ipa-dns-install

  • Fix self-signed replica installation

  • Check IPA configuration in install tools

  • Add new dnszone-find test

  • Fix typo in ipa-replica-prepare

  • Improve long integer type validation

  • Fix sudorule-remove-user

  • Add missing automount summaries

  • Fix man page ipa-csreplica-manage

  • Fix automountkey commands summary

  • Fix invalid issuer in unit tests

  • Hide continue option from automountkey-del

  • Improve error message in ipactl

  • Improve dnszone-add error message

  • Fix idnsUpdatePolicy for reverse zone record

  • Fix client enrollment

  • Update 389-ds-base version

  • Update pki-ca version

Nalin Dahyabhai (1):

  • Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):

  • Fix gidnumber option of user-add command.

Petr Vobornik (3):

  • fixed empty dns record update

  • Fixed adding host without DNS reverse zone

  • Redirection after changing browser configuration

Rich Megginson (3):

  • winsync enables disabled users in AD

  • modify user deleted in AD crashes winsync

  • memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):

  • Allow a client to enroll using principal when the host has a OTP

  • Make retrieval of the CA during DNS discovery non-fatal.

  • Cache the value of get_ipa_config() in the request context.

  • Change default gecos from uid to first and last name.

  • Fix ORDERING in some attributetypes and remove other unnecessary elements.

  • postalCode should be a string not an integer.

  • Fix traceback in ipa-nis-manage.

  • Suppress --on-master from ipa-client-install command-line and man page.

  • Sort entries returned by *-find by the primary key (if any).

  • The default groups we create should have ipaUniqueId set

  • Always ask members in LDAP*ReverseMember commands.

  • Provide attributelevelrights for the aci components in permission_show.

  • Wait for memberof task and DS to start before proceeding in installation.

  • Convert manager from userid to dn for storage and back for displaying.

  • Modify the default attributes shown in user-find to match the UI design.

  • Ensure that the zonemgr passed to the installer conforms to IA5String.

  • Handle principal not found errors when converting replication agreements

  • Bump version to 2.0.90 to distinguish between 2.0.x

  • Properly handle --no-reverse being passed on the CLI in interactive mode

  • Update min nvr for selinux-policy and pki-ca for F-15+

  • Test for forwarded Kerberos credentials cache in wsgi code.

  • Properly configure nsswitch.conf when using the --no-sssd option.

  • Enable 389-ds SSL host checking by default

  • Configure Managed Entries on replicas.

  • Document that deleting and re-adding a replica requires a dirsrv restart.

  • Fix migration to work between v2 servers and remove search/size limits.

  • Add option to limit the attributes allowed in an entry.

  • Include the word ‘member’ with autogenerated optional member labels.

  • Do a lazy retrieval of the LDAP schema rather than at module load.

  • Add UID, GID and e-mail to the user default attributes.

  • Fix external CA installation

  • Remove root autobind search restriction, fix upgrade logging & error handling

  • Support initializing memberof during replication re-init using GSSAPI

  • Do better detection on status of CA DS instance when installing.

  • Fix indirect member calculation

  • Remove automountinformation as part of the DN for automount.

  • Don’t let a JSON error get lost in cascading errors.

  • Add message output summary to sudorule del, mod and find.

  • Return an error message when revocation reason 7 is used

  • Require an imported certificate’s issuer to match our issuer.

  • On a master configure sssd to only talk to the local master.

  • The IP address provided to ipa-server-install must be local

  • Do lazy LDAP schema retrieval in json handler.

  • Make data type of certificates more obvious/predictable internally.

  • Update translation files

  • Let the framework be able to override the hostname.

  • Make dogtag an optional (and default un-) installed component in a replica.

  • Slight performance improvement by not doing some checking in production mode

  • Set the client auth callback after creating the SSL connection.

  • Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list

  • Enforce class rules when query=True, continue to not run validators.

  • find_entry_by_attr() should fail if multiple entries are found

  • Fix error in AttrValueNotFound exception example

  • Fix test failure in updater when adding values to a single-value attr

  • Reset failed login count to 0 when admin resets password.

  • Disallow direct modifications to enrolledBy.

  • Document registering to an entitlement server with a UUID as not implemented.

  • In sudo labels we should use RunAs and not Run As.

  • Remove the ability to create new HBAC deny rules.

  • Validate that the certificate subject base is in valid DN format.

  • Use information from the certificate subject when setting the NSS nickname.

  • Create tool to manage dogtag replication agreements

  • Fix failing tests due to object name changes

  • Set nickname of the RA to ‘IPA RA’ to avoid confusion with dogtag RA

  • Set the ipa-modrdn plugin precedence to 60 so it runs last

  • Generate a database password by default in all cases.

  • Specify the package name when the replication plugin is missing.

  • Change client enrollment principal prompt to hopefully be clearer.

  • Optionally wait for 389-ds postop plugins to complete

  • A removed external host is shown in output when removing external hosts.

  • Don’t set krbLastPwdChange when setting a host OTP password.

  • Fix regression when calculating external groups.

  • With the external user/group management fixed, correct the unit tests.

  • Set a default minimum value for class Int, handle long values better.

  • Make ipa-client-install error messages more understandable and relevant.

  • Add Alexander Bokovoy and Jan Cholasta to contributors file

  • Only call entry_from_entry() after waiting for the new entry.

  • Hide the HBAC access type attribute now that deny is deprecated.

  • Autofill the default revocation reason

  • Don’t check for leading/trailing spaces in a File parameter

  • Add an arch-specific Requires on cyrus-sasl-gssapi

  • Revert use of ‘can be at least’ to ‘must be at least’ in minvalue validator

  • Don’t leave dangling map if adding an indirect map fails

  • Fix message in test case for checking minimum values

  • When setting a host password don’t set krbPasswordExpiration.

  • Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile

  • Deprecated managing users and runas user/group in sudorule add/mod

  • Fix date order in changelog.

  • Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):

  • Fix resource leaks.

  • ipautil: Preserve environment unless explicitly overridden by caller.

  • install-scripts: avoid using --list with chkconfig

  • Don’t set the password expiration to the current time

Yuri Chornoivan (1):

  • Typos in freeIPA messages and man page

Kyle Baker (5):

  • Background images and tab hover

  • Search bar style and positioning changes

  • List page spacing changes

  • Tab and spacing on list

  • Facet icon swap and tab sizing