The FreeIPA team would like to announce the FreeIPA 4.7.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 4.7.0
Enhancements
mod_ssl
IPA has switched to mod_ssl as the crypto engine for Apache. This change will be made automatically when upgrading.
NSS sqlite database
Fedora 28 changed the default database format type from dbm to sqlite. Theoretically there should be no end-user difference but you will see different file names for your NSS databases: cert9.db, key4.db and pkcs11.txt.
authselect
Fedora 28 switched to a new PAM configuration tool, authselect. https://fedoraproject.org/wiki/Changes/Authselect
Time server change to chronyd
The ntpd service was deprecated in F28. It was replaced by chronyd. The client also uses chrony as its time client.
https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
Python 3
FreeIPA now fully supports Python 3 and can be installed without any Python 2 dependencies.
Known Issues
Bug fixes
FreeIPA 4.7.0 includes all of the bug fixes and enhancements from 4.6.1 - 4.6.4.
There are more than 170 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
7615 ipa_tests: ipa-replica-prepare stuck on user input
7550 [WebUI] extend host test suite
7547 ui_tests: checkbox click fix
7546 ui_tests: improve “field_validation” method
7544 ui_tests: extend test_selinuxusermap.py suite
7542 CLI and Web UI allow to add more than one radius server into radius proxy
7540 Extend WebUI test_krbpolicy suite with the following test cases:
7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the complete chain
7520 ipa certmap-match throwing “ipa: ERROR: an internal error has occurred”
7519 Adding SSH keys for AD users as I created overrides
7510 validate_selinuxuser does not allow a period in selinux user identifier
7505 WebUI tests: Extend netgroup tests
7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
7485 Extending webui user group test
7474 ipa-server-install --uninstall on replica fails with “NoOptionError: No option ‘ldap_uri’ in section: ‘global’”
7473 ERROR: No valid Negotiate header in server response
7468 test_host.py::test_host::test_crud is failing in nightly tests
7463 test_webui: add user life-cycles tests
7447 test_create_host_with_ip is not fully covering possible return errors
7436 ipa: Please log something after restarting the KDC
7433 CRL url on replicas gets incorrectly redirected
7432 make fasttest fails on fresh clone. fedora26
7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
7424 Improve Realm Domains doc text
7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
7400 Add excludearch for i686 because 389-ds is no longer doing 32-bit builds
7397 ipa host-add --ip-address… returns Internal error when forward-policy=none is defined
7394 file conflicts between python2-mod_wsgi and freeipa-server
7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry enabling TLS in 389-ds
7390 cert-request: issuance of malformed certificate causes IPA Internal Error
7389 F-27 upgrade to 4.6.3-1 fails with KRA update
7383 user-add: user creation proceeds when password is wrong
7381 Drop PyOpenSSL requirement
7380 Possible regression for limited OTP characters in host-add
7378 ipa-ods-exporter fails with socket activation did not return socket
7374 IPA ‘Generate OTP’ option in web gui does not show OTP code when no reverse zone is managed
7373 “An internal error has occurred” show up when trying to add a user to the Member User table in Vault.
7371 uninstalling replica leaves orphaned data in ldap
7359 [RFE] extend topology plugin to clean up a removed replica ldap/ principal
7357 IntegrationTests do not fail even if the uninstall process fails
7342 admins group is not including all permissions of Role “User Administrator”
7338 FreeIPA server install/upgrade does not process schema.d/ files correctly
7335 Integration tests are not collecting all logs
7330 ipa-server-install --uninstall does not return error code on error
7318 Cannot uninstall ipaserver after fresh install - {‘desc’: “Can’t contact LDAP server”, ‘errno’: 111, ‘info’: ‘Connection refused’}
7315 Packaging: use pylint 1.7.5 and remove disable for import stat
7313 trust integration tests need to override test_establish_trust method when using different trust-add options
7308 Help for ipa trust-add --range-type
7299 RPM post-install scripts fail because they are run with python2
7294 python3 incompatibility in vault_archive
7275 Viewing DNS Records with WebUI fails
7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests
7253 Custodia keys are not removed on uninstall
7240 ipa-dnskeysyncd broken (and ipactl doesn’t tell)
7226 Remove remaining references to Firefox configuration extension
7220 Third KRA installation in topology fails
7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
7208 freeipa: binary RPMs require both Python 2 and Python 3
7190 Wrong info message from tasks.py
7189 make check is failed
7187 ipa-replica-manage should provide a debug option
7186 testing: get back command outputs when running tests
7162 [ipatests] disable replication debugging for 389-ds logs in integration tests
7157 [tracker] pyasn1 fails to parse kerberos principal name
7155 test_caless: add caless to external CA test
7154 test_external_ca: switch to python-cryptography
7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs
7150 Ipa-server-install update dse.ldif with wrong SELinux context
7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance
7143 “unknown command ‘undefined’” error when changing user’s password via the web UI
7136 ipa-restore command doesn’t exit with failure if wrong directory manager’s password is provided
7135 Server deployment still sets up Firefox extension, this is no longer necessary and broken on F27+
7134 ipa param-find: command displays internal error
7132 [4.6] PyPI packages are broken
7131 Finish Python3 support
7129 ipa-server/replica-install fails with: “exception: BytesWarning: Comparison between bytes and string” when using ‘--dirsrv-config-file’ parameter
7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records
7119 kdc_proxy: kinit admin fails with “Cannot contact any KDC for realm ‘IPA.TEST’ while getting initial credentials”
7115 ipa-pki-retrieve-key: failure results in crash report
7033 vault: TypeError: … is not JSON serializable
7027 Use TLS for cert-find
7012 Users can delete their last active OTP token
6994 RFE: Remove 389-ds tuning step
6968 Consider moving upgrades from rpm install post
6874 pylint 1.7.1 fails
6858 RFE - Option to add custom OID or display name in IPA Cert
6851 Don’t use ctypes.util.find_library in ipaclient
6844 ipa-restore fails when umask is set to 0027
6721 While performing ipa-server-upgrade, sssd goes offline and stalls the upgrade process
6703 Enable ephemeral KRA requests
6609 A CA administrator fails to add CA for Insufficient ‘add’ privilege
5922 ipa vault-archive overwrites an existing value without warning
5887 IDNA domains does not work under py3
5813 ipa-kra-install disrupts bind-dyndb-ldap
5776 webui: some data disappear from user details page after the save action is performed
5638 Port client code to Python 3
5442 [tracker] SELinux ‘execmem’ denials
7624 [WebUI] wrong link to browser configuration guide on Login page
7609 [py37] Import from collections.abc
7604 ipa-client-install --mkhomedir doesn’t enable oddjobd
7591 [freeipa] Drop requirements for ‘initscripts’ from specfile
7590 lightweight subca: ca-show fails on replica
7589 cacert renew fails on replica
7585 Update to python3-lesscpy 0.13
7581 Translated text is formed incorrectly (API Browser)
7562 Regression: authselect 0.4-3 breaks FreeIPA sudo rules
7560 Do not depend on gnupg (1.x), use gnupg2
7559 UI LoginScreen widget cannot be translated
7536 [F28] SubCA failing, keys are orphan
7533 ipa-advise: remove plugin config-fedora-authconfig
7530 external CA replica installation fails with CA_UNREACHABLE
7529 AVC denials and errors for IPA server installed on Fedora28
7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template
7523 external CA installation: step two reports self-signed configuration
7516 [F28] ipa-ca-install fails on replica
7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf
7514 Allow to create Kerberos services without a corresponding host object
7513 Allow Kerberos services to be members of IPA groups
7500 FreeIPA can remove svrcore-devel requirement
7498 [F28] CA replica fails with could not find certificate named “caSigningCert cert-pki-ca”
7491 Unknown user ‘ipaapi’ when updating packages
7490 installutils.set_directive doesn’t handle debian ssl.conf properly
7489 Test test_caless_TestCertInstall is failing in nightly
7478 [F28] ipa-backup fails with “Failed to execute authconfig command”
7471 [F28] replica pkispawn fails
7469 ipa-replica-prepare fail with “stat: path should be string, bytes, os.PathLike or integer, not NoneType”
7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
7465 [F28] oddjobd not started, replica install fails with dbus error in conn check
7464 CI is failing with pkispawn timeout
7461 Hardening of topology plugin to prevent erroneous deletion of a replica agreement
7426 DogtagInstance.backup_config creates backup with wrong owner
7421 Store HTTPD private keys encrypted
7418 [RFE] Improve ipa-client-install behaviour when non-standard ldap.conf is used
7415 CA installer need to check availability of port 8080
7410 ipa-replica-install --add-agents option doesn’t install trust-agent on replica
7396 ipa-client-automount --uninstall should return errcode CLIENT_NOT_CONFIGURED
7377 Investigate and define plan of authconfig replacement in FreeIPA
7354 Fedora 28: Support NSSDB SQL format
7322 cert_find --subject is not finding by cert subject
7311 Update ui_driver to allow set path for geckodriver.log
7310 Integration tests don’t collect logs from other replicas
7309 Integration tests: CA-less -> CA-ful promotion; post-promotion checks
7304 double ca acl provoke console error.
7302 test_external_ca: add selfsigned > external_ca > selfsigned test case
7301 Drop dependency on Python nose
7300 test_x509: test very long OID
7295 Build freeIPA with Python3 in @freeipa/freeipa-master-nightly
7278 Run WebUI unit test in TravisCI
7274 ipa-replica-install fails with PIN error [ CA-less environment ]
7263 Typo in login screen
7258 typo in accounts menu
7257 DNSSEC isn’t supported in Python3
7251 f.flush() or os.fsync() don’t sync
7246 Report CA Subject DN and subject base before installing.
7239 Using --auto-reverse and --allow-zone-overlap does not skip zone overlap check
7225 CLI: view command / plugin help in pager
7224 Logging: ipa-replica-conncheck is missing a /n
7207 ipa-server-install should prevent installations with single label domains
7201 ipa-replica-manage re-initialize TypeError: ‘NoneType’ object does not support item assignment
7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug
7049 Prepare for NSS switch default database to sqlite in F-27
7024 freeipa depends on ntp
6931 custodia user isn’t created when FreeIPA RPMs are installed
6890 Quickstart guide: mention how to open firewall ports
6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
6843 ipa-backup does not create log file at /var/log/
6837 make ipa.conf and named.conf portable
6760 Improve console message for “ipa-server-install --uninstall” command
6604 Make pylint and jsl optional (and other issues)
6589 client should require /etc/krb5.conf.d/
6450 pylint: cyclic dep check sometimes makes build fail
4853 Utilize system-wide crypto-policies
4140 Configure the NSS shared database model in IPA servers
3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
2536 Create DOAP description for the IPA project
Detailed changelog since 4.6.4
Armando Neto (9)
Disable Pylint 2.0 violations
Fix Pylint 2.0 violations
Fix pylint 2.0 conditional-related violations
Fix pylint 2.0 return-related violations
Replace file.flush() calls with flush_sync() helper
ipa-server-install: fix zonemgr argument validator
ipa-client-install: Update how comments are added by ipachangeconf
ui_tests: fix test_config::test_size_limits
Prevent the creation of users and groups with numeric characters only
Alexander Bokovoy (28)
ipaserver/dcerpc.py: handle indirect topology conflicts
pylint3: workaround false positives reported for W1662
group: allow services as members of groups
service: allow creating services without a host to manage them
group-del: add a warning to logs when password policy could not be removed
idoverrideuser-add: allow adding ssh key in web ui
ACL: Allow hosts to remove services they manage
install: validate AD trust-related options in installers
replication: support error messages from 389-ds 1.3.5 or later
upgrade: treat duplicate entry when updating as not an error
Allow anonymous access to parentID attribute
upgrade: Run configuration upgrade under empty ccache collection
use LDAP Whoami command when creating an OTP token
Update template directory with new variables when upgrading ipa.conf.template
Processing of server roles should ignore errors.EmptyResult
ipaserver/plugins/trust.py: pep8 compliance
trust: detect and error out when non-AD trust with IPA domain name exists
ipaserver/plugins/trust.py; fix some indenting issues
ipa-extdom-extop: refactor nsswitch operations
test_dns_plugin: cope with missing IPv6 in Travis
travis-ci: collect logs from cmocka tests
ipa-kdb: override krb5.conf when testing KDC code in cmocka
adtrust: filter out subdomains when defining our topology to AD
ipa-replica-manage: implicitly ignore initial time skew in force-sync
ds: ignore time skew during initial replication step
Make sure upgrade also checks for IPv6 stack
OTP import: support hash names with HMAC- prefix
dsinstance: Restore context after changing dse.ldif
Abhijeet Kasurde (3)
Trivial typo fix.
ipatests: Fix interactive prompt in ca_less tests
tests: correct usage of hostname in logger in tasks
Alexander Koksharov (4)
Fix replica_promotion-domlevel0 test failures
preventing ldap principal to be deleted
ensuring 389-ds plugins are enabled after install
kra-install: better warning message
amitkuma (13)
Match Common Name attribute in Subject
ipa vault-archive overwrites an existing value without warning
ipa-advise: remove plugin config-fedora-authconfig
RFE: ipa client should setup openldap for GSSAPI
Correcting detect typo in server.m4
Correction of management spelling.
clear sssd cache when uninstalling client
clear sssd cache when uninstalling client
Error message while adding idrange with untrusted domain
Removing extra spaces present in man ipa-server-install
ipa-advise for smartcards updated
Custom ca-subject logging
Documenting kinit_lifetime in /etc/ipa/default.conf
Anuja More (5)
Test for ipa-client-install should not use hardcoded admin principal
Test that host can remove their own services
Test for ipa-replica-install fails with PIN error for CA-less env.
Adding test-cases for ipa-cacert-manage
Adding test-cases for ipa-cacert-manage
Aleksei Slaikovskii (17)
Revert “Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users”
Uninstall fix for named-pkcs11
Radius proxy multiservers fix
test_backup_and_restore.py Fix logging
Enable and start oddjobd after ipa-restore if it’s not running.
Fixing translation problems
test_backup_and_restore.py AssertionError fix
ipalib/frontend.py output_for_cli loops optimization
View plugin/command help in pager
ipa-restore: Set umask to 0022 while restoring
Prevent installation with single label domains
Add a notice to restart ipa services after certs are installed
Fix TypeError while ipa-restore is restoring a backup
ipaclient.plugins.dns: Cast DNS name to unicode
Less confusing message for PKINIT configuration during install
Make tox tests to generate results in JUnit XML
Make WebUI unit tests to generate results as JUnit
Brian J. Murrell (1)
Move ETag disabling to /ipa virtual server
Christian Heimes (191)
Remove needless use of %defatt
Add more RHEL customizations to spec file
Update builddep command in BUILD.txt
Use python2_sitelib in spec file
Fedora 29: No longer build python2-ipaserver
Add pylint ignore to magic config.Env attributes
Teach pylint how our api works
Fix ipa console filename
Create helper function to upload to temp file
Add tab completion and history to ipa console
Handle races in replica config
pylint 2.0: node.path is a list
Fix XPASS in test_installation
Mark all expected failures as strict
Fix DNSSEC install regression
Wait for client certificates
Auto-retry failed certmonger requests
Tune DS replication settings
Fix race condition in get_locations_records()
Fix CA topology warning
Delay enabling services until end of installer
Only create DNS SRV records for ready server
Query for server role IPA master
Cleanup shebang and executable bit
Import ABCs from collections.abc
Require JSS 4.4.5 with replication fixes
Extend Sub CA replication test
pylint: Class node has been renamed to ClassDef
Python3.7: re module has no re._pattern_type
Catch ACIError instead of invalid credentials
Fix permission of public files in upgrader
Make /etc/httpd/alias world readable & executable
Always make ipa.p11-kit world-readable
Ensure that public cert and CA bundle are readable
Use 4 WSGI workers on 64bit systems
Fix replication races in Dogtag admin code
Use common replication wait timeout of 5min
Improve and fix timeout bug in wait_for_entry()
Remove restarted_named and xfail
Tests: Set default TTL for DNS zones to 1 sec
Always set ca_host when installing replica
Start to deprecate Python 2 and 3.5
Sort and shuffle SRV record by priority and weight
Increase WSGI process count to 5 on 64bit
Fedora 29 renamed fedora-domainname.service
Use python3-lesscpy 0.13.0
Split external_ca PR-CI into two jobs
Always build Python 3 packages
Make Python 2 build dependency optional
Use one Custodia peer to retrieve all secrets
Move client templates to separate directory
Print version string in installer
Backport gzip.decompress for Python 2
Require JSS 4.4.4 with fix for sub CA replication
Refuse PORT, HOST in /etc/openldap/ldap.conf
Apply sane LDAP settings to C code
Use sane default settings for ldap connections
Add test case for allow-create-keytab
Use GnuPG 2 for backup/restore
Use GnuPG 2 for symmetric encryption
Require python-ldap >= 3.1.0
Reproducer for issue 5923 (bytes in error response)
Run PR-CI with Fedora 28
Revert “Validate the Directory Manager password”
Create missing /etc/httpd/alias for ipasession.key
Only run subset of external CA tests
Require Dogtag 10.6.1
Require nss with fix for nickname bug
ipa-client package needs sssd-tool
Make ipatests’ create_external_ca a script
Load certificate files as binary data
Remove contrib/nssciphersuite
Compatibility with pytest 3.4
Use shutil to copy file
Use single Custodia instance in installers
Add augeas dependency to client package
Create users in server-common pre hook
Require 389-ds-base >= 1.4.0.8-1
CA replica PKCS12 workaround for SQL NSSDB
Add nsds5ReplicaReleaseTimeout to replica config
Fix Python dependencies
Remove os.chdir() from test_ipap11helper
certdb: Move chdir into subprocess call
Provide ldap_uri in Custodia uninstaller
Defer import of ipaclient.csrgen
Require more recent glibc on F27
Load librpm on demand for IPAVersion
Fix installer CA port check for port 8080
Temporarily disable authconfig backup and restore
Cleanup and remove more files on uninstall
Fix compatibility with latest pytest
More cleanup after uninstall
Require Dogtag PKI >= 10.6
Keep owner when backing up CA.cfg
Pylint 1.8.3 fixes
Relax message check in test_create_host_with_ip
Make fasttest pass without ~/.ipa/default.conf
Instrument installer to profile steps
autoconf prefers Python 3 over 2
Simplify Python package installation
Move DNS related files to server-dns package
Silence GCC warning in ipa_extdom
Silence GCC warning in ipa-kdb
Remove unused modutils wrappers from NSS/CertDB
Update /etc/ipa/nssdb in client scripts
NSS: Force restore of SELinux context
NSSDB: Let certutil decide its default db type
Prepare migration of mod_nss NSSDB to sql format
certmonger: Use explicit storage format
Remove deprecated -p option from ipa-dns-install
Add mocked test for named crypto policy update
Upgrade named.conf to include crypto policy
Use system-wide crypto-policies on Fedora
Add better CalledProcessError and run() logging
freeipa-server no longer supports i686 arch on F28
ipa-custodia-checker now uses python3 shebang
Unified ldap_initialize() function
Fix multiple uninstallation of server
Fix i18n test for Chinese translation
Run API and ACI under Python 2 and 3
Generate same API.txt under Python 2 and 3
Replace wsgi package conflict with config file
Restart named-pkcs11 after KRA installation
Update existing 389-DS cn=RSA,cn=encryption config
Replace hard-coded paths with path constants
Bump python-ldap version to fix syncrepl bug
Bump SELinux policy for DNSSEC
ipa-server-upgrade now checks custodia server keys
DNSSEC code cleanup
DNSSEC: Reformat lines to address PEP8 violations
Decode ODS commands
Run DNSSEC under Python 3
More DNSSEC house keeping
Remove unused PyOpenSSL from spec file
Give ODS socket a bit of time
Require dbus-python on F27
Fix pylint error in ipapython/dn.py
Lower python-ldap requirement for F27
ipa-run-tests: make --ignore absolute, too
Sort external schema files
LGTM: unnecessary else in for loop
LGTM: Use explicit string concatenation
LGTM: raise handle_not_found()
LGTM: Fix multiple use before assignment
LGTM: Remove redundant assignment
LGTM: Fix exception in permission_del
LGTM: Membership test with a non-container
LGTM: Name unused variable in loop
LGTM: Use of exit() or quit()
LGTM: Silence unmatchable dollar
Make fastlint even faster
ipa-run-tests: replace chdir with plugin
Include ipa_krb5.h without util prefix
Custodia uninstall: Don’t fail when LDAP is down
Require python-ldap 3.0.0b2
Use pylint 1.7.5 with fix for bad python3 import
Vault: Add argument checks to encrypt/decrypt
Fix pylint warnings inconsistent-return-statements
Travis: Add workaround for missing IPv6 support
Replace nose with unittest and pytest
Add safe DirectiveSetter context manager
More log in verbs
Address more ‘to login’
Fix grammar error: Log out
Fix grammar in login screen
Add make targets for fast linting and testing
Add marker needs_ipaapi and option to skip tests
Add python_requires to Python package metadata
Remove Custodia keys on uninstall
NSSDB: use preferred convert command
Skip test_rpcclient_context in client tests
Update to python-ldap 3.0.0
Update builddep command to install Python 3 and tox deps
Add workaround for pytest 3.3.0 bug
Fix dict iteration bug in dnsrecord_show
Reproducer for bug in structured dnsrecord_show
Use Python 3 on Travis
Prevent installation of Py2 and Py3 mod_wsgi
Require UTF-8 fs encoding
libotp: add libraries after objects
Run tox tests for PyPI packages on Travis
Support sqlite NSSDB
Py3: Fix vault tests
Test script for ipa-custodia
ipa-custodia: use Dogtag’s alias/pwdfile.txt
Use namespace-aware meta importer for ipaplatform
Remove ignore_import_errors
Backup ipa-custodia conf and keys
Py3: fix fetching of tar files
Use os.path.isfile() and isdir()
Block PyOpenSSL to prevent SELinux execmem in wsgi
David Kupka (2)
schema: Fix internal error in param-{find,show} with nonexistent object
tests: Add LDAP URI to ldappasswd explicitly
Felipe Barreto (38)
Adding xfail to failing tests
Fixing tests on TestReplicaManageDel
Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
Adding GSSPROXY_CONF to be backed up on ipa-backup
Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
Fix TestSubCAkeyReplication providing the right path to pki log
temp commit: adding test to PR CI run
Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
Changing Django’s CoC to reflect FreeIPA CoC
Adding Django’s Code of Conduct
prci: Bump ci-master-f27 template to 1.0.3
Adding more tests to PR CI
Fixing cleanup process in test_caless
WebUI Tests: changing the ActionsChains.move_to_element to a new approach
WebUI Tests: fixing test_user.py::test_test_noprivate_posix
WebUI Tests: Changing how the initial load process is done
WebUI Tests: fixing test_range test case
WebUI Tests: changing how the login screen is detected
WebUI Tests: refactoring login method to be more readable
WebUI Tests: fixing test_navigation
WebUI Tests: fixing test_group
WebUI Tests: fixing test_hbac
Check if replication agreement exist before enable/disable it
Make IntegrationTest fail if an error happened during uninstall
IntegrationTests now collects logs from all test methods
Fixing vault-add-member to be compatible with py3
Fixing test_backup_and_restore assert to do not rely on the order
Fixing test_testconfig with proper asserts
Warning the user when using a loopback IP as forwarder
Removing replica-s4u2proxy.ldif since it’s not used anymore
Fix log capture when running pytests_multihosts commands
Checks if replica-s4u2proxy.ldif should be applied
Fixing tox and pylint errors
Fixing param-{find,show} and output-{find,show} commands
Checks if Dir Server is installed and running before IPA installation
Changing idoverrideuser-* to treat objectClass case insensitively
Fixing how sssd.conf is updated when promoting a client to replica
François Cami (1)
10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
Florence Blanc-Renaud (38)
ipa client uninstall: clean the state store when restoring hostname
Add test for ticket 7604: ipa-client-install --mkhomedir doesn’t enable oddjobd
ipa-client-install: enable and start oddjobd if mkhomedir
fix dependency for *-domainname.service file
Installer: configure authselect with-sudo
Test for 7526
ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
authselect migration: use stable interface to query current config
authselect test: skip test if authselect is not available
ipa-advise: adapt config-client-for-smart-card-auth to authselect
Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
New tests for authselect migration
Migration from authconfig to authselect
ipa-advise config-server-for-smart-card-auth: use mod-ssl
ipa-replica-install: make sure that certmonger picks the right master
ipa-restore: remove /etc/httpd/conf.d/nss.conf
ipa-server-install: handle error when calling kdb5_util create
ipa host-add: do not raise exception when reverse record not added
ACI: grant access to admins group instead of admin user
389-ds OTP lasttoken plugin: Add unit test
User must not be able to delete his last active otp token
ipa host-add --ip-address: properly handle NoNameservers
test_integration: backup custodia conf and keys
Idviews: fix objectclass violation on idview-add
Improve help message for ipa trust-add --range-type
Fix ca less IPA install on fips mode
Fix ipa-replica-install when key not protected by PIN
Fix ipa-restore (python2)
ipa-getkeytab man page: add more details about the -r option
Py3: fix ipa-replica-conncheck
Fix ipa-replica-conncheck when called with --principal
py3: fix ipa cert-request --database …
ipa-cacert-manage renew: switch from ext-signed CA to self-signed
ipa-server-upgrade: do not add untracked certs to the request list
ipa-server-upgrade: fix the logic for tracking certs
Fix ipa-server-upgrade with server cert tracking
Python3: Fix winsync replication agreement
Fix ipa config-mod --ca-renewal-master
Fraser Tweedale (52)
Add missing space in error string
Handle compressed responses from Dogtag
install: fix reported external CA configuration
csrgen: fix when attribute shortname is lower case
csrgen: drive-by docstring
csrgen: support initialising OpenSSL adaptor with key object
py3: fix csrgen error handling
certprofile: add tests for config profileId scenarios
certprofile: reject config with multiple profileIds
Fix upgrade (update_replica_config) in single master mode
Add commentary about PKI admin password
Fix upgrade when named.conf does not exist
replica-install: warn when there is only one CA in topology
install: configure dogtag status request timeout
upgrade: remove fix_trust_flags procedure
ldap2: fix implementation of can_add
ipaldap: allow GetEffectiveRights on individual operations
Update IPA CA issuer DN upon renewal
cert-request: avoid internal error when cert malformed
Improve warning message for malformed certificates
Don’t use admin cert during KRA installation
Add uniqueness constraint on CA ACL name
Add tests for installutils.set_directive
installutils: refactor set_directive
pep8: reduce line lengths in CAInstance.__enable_crl_publish
Prevent set_directive from clobbering other keys
install: report CA Subject DN and subject base to be used
ipa_certupdate: avoid classmethod and staticmethod
Run certupdate after promoting to CA-ful deployment
ipa-ca-install: run certupdate as initial step
CertUpdate: make it easy to invoke from other programs
renew_ra_cert: fix update of IPA RA user entry
Re-enable some KRA installation tests
Use correct version of Python in RPM scripts
Remove caJarSigningCert profile and related code
CertDB: remove unused method issue_signing_cert
Remove XPI and JAR MIME types from httpd config
Remove mention of firefox plugin after CA-less install
Add missing space in ipa-replica-conncheck error
ipa-cacert-manage: avoid some duplicate string definitions
ipa-cacert-manage: handle alternative tracking request CA name
Add tests for external CA profile specifiers
ipa-cacert-manage: support MS V2 template extension
certmonger: add support for MS V2 template
certmonger: refactor ‘resubmit_request’ and ‘modify’
ipa-ca-install: add --external-ca-profile option
install: allow specifying external CA template
Remove duplicate references to external CA type
cli: simplify parsing of arbitrary types
py3: fix pkcs7 file processing
ipa-pki-retrieve-key: ensure we do not crash
issue_server_cert: avoid application of str to bytes
Ganna Kaihorodova (7)
check nsds5ReplicaReleaseTimeout option was set
Fix trust tests for Posix Support
Fix for integration tests dns_locations
Fix in IPA’s multihost fixture
TestBasicADTrust.test_ipauser_authentication
Fix for test TestInstallMasterReservedIPasForwarder
Override trust methods for integration tests
John Morris (1)
Increase dbus client timeouts during CA install
Justin Stephenson (1)
Skip zone overlap check with auto-reverse
Kaleemullah Siddiqui (1)
Test coverage for multiservers for radius proxy
Martin Basti (3)
py3: bindmgr: fix iteration over bytes
py3: ipa-dnskeysyncd: fix bytes issues
py3: set samba dependencies
Takeshi MIZUTA (1)
Fix some typos in man page
Michal Reznik (54)
Mark DL0 TestReplicaManageDel tests as xfail
ipa_tests: ipa-replica-prepare stuck on user input
ui_tests: stabilization fixes
ui_tests: extend test_config.py suite
ui_tests: fixes for issues with sending key and focus on element
ui_tests: add click_undo_button() func
ui_tests: extend test_selinuxusermap.py suite
ui_tests: improve “field_validation” method
ui_tests: checkbox click fix
ui_tests: introduce new test_misc cases file
ui_driver: extension and modifications related to test_user
ui_tests: extend test_user suite
test_web_ui: extend ui_driver methods
test_webui: add user life-cycles tests
ui_tests: run ipa-get/rmkeytab command on UI host
ui_tests: select_combobox() fixes
ui_tests: test cancel and delete without button
ui_tests: make associations cancelable
ui_tests: add function to run cmd on UI host
ui_tests: add funcs to add/remove users public SSH key
ui_tests: add assert_field_required()
ui_tests: add assert_notification()
ui_tests: add more test cases
ui_tests: add more test cases to test_certification
ui_tests: add_service() support func in test_service
ui_tests: add_host() support func in test_service
ui_tests: change get_http_pkey() function
test_caless: adjust try/except to capture also IOError
ipa_tests: test signing request with subca on replica
tests: ca-less to ca-full - remove certupdate
ipa_tests: test subca key replication
test_caless: add SAN extension to other certs
prci: run full external_ca test suite
tests: move CA related modules to pytest_plugins
test_external_ca: selfsigned->ext_ca->selfsigned
test_tasks: add sign_ca_and_transport() function
paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
test_caless: test PKINIT install and anchor update
test_renewal_master: add ipa csreplica-manage test
test_cert_plugin: check if SAN is added with default profile
test_help: test “help” command without cache
test_x509: test very long OID
test_batch_plugin: fix py2/3 failing assertion
test_vault: increase WAIT_AFTER_ARCHIVE
test_caless: fix http.p12 is not valid
test_caless: fix TypeError on domain_level compare
manpage: ipa-replica-conncheck - fix minor typo
test_external_dns: add missing test cases
test_caless: open CA cert in binary mode
test_forced_client: decode get_file_contents() result
tests: add host zone with overlap
tests_py3: decode get_file_contents() result
test_caless: add caless to external CA test
test_external_ca: switch to python-cryptography
Varun Mylaraiah (5)#
ui_tests: extend test_pwpolicy.py suite
Extend WebUI test_krbpolicy suite with the following test cases: test_verifying_button (verify button’s action in various scenarios) test_negative_value (verify invalid values) test_verifying_measurement_unit
WebUI tests: Extend netgroup tests with more scenarios
Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags
WebUI tests: Extend user group tests with more scenarios
Mohammad Rizwan Yusuf (9)#
Check if issuer DN is updated after self-signed > external-ca
Extended UI test for Certificates
Extended UI test for selfservice permission.
Test to check second replica installation after master restore
Before the fix, when ipa-backup was called for the first time, the LDAP database exported to /var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root.
Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails.
IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
ipatest: replica install with existing entry on master
Nikhil Dehadrai (1)#
Test for improved Custodia key distribution
Armando Neto (1)#
ipaserver config plugin: Increase search records minimum limit
Nathaniel McCallum (3)#
Revert “Don’t allow OTP or RADIUS in FIPS mode”
Increase the default token key size
Fix OTP validation in FIPS mode
Petr Čech (3)#
webui:tests: Add tests for realmd domains
tests: Mark failing tests as failing
ipatests: Fix on logs collection
Pavel Picka (2)#
Adding WebUI Host test cases
WebUI Hostgroups tests cases added
Petr Vobornik (17)#
Update Dojo and Dojo builder to 1.13.0
WebUI build: use NodeJS instead of Rhino
WebUI build: replace uglifyjs with system package
Fix test_server_del::TestLastServices
server-del do not return early if CA renewal master cannot be changed
webui: refresh complex pages after modification
Fix order of commands in test for removing topology segments
webui tests: fix test_host:test_crud failure
realm domains: improve doc text
webui: hbactest: add tooltips to ‘enabled’ and ‘disabled’ checkboxes
Revert “temp commit to run the affected tests”
temp commit to run the affected tests
webui:tests: close big notifications in realm domains tests
webui:tests: realm domain add with DNS check
webui:tests: move DNS test data to separate file
fastcheck: do not test context in pycodestyle
browser config: cleanup after removal of Firefox extension
Pavel Vomacka (16)#
WebUI: make keytab tables on service and host pages writable
Include npm related files into Makefile and .gitignore
Update jsl.conf in tests subfolder
Edit TravisCI conf files to run WebUI unit tests
Update README about WebUI unit tests
Update tests
Create symlink to qunit.js
Update jsl to not warn about module in Gruntfile
Add Gruntfile and package.json to ui directory
Update QUnit CSS file to 2.4.1
Update qunit.js to version 2.4.1
Extend ui_driver to support geckodriver log_path
WebUI: make Domain Resolution Order writable
WebUI: Fix calling undefined method during reset passwords
WebUI: remove unused parameter from get_whoami_command
Adds whoami DS plugin in case that plugin is missing
Rob Crittenden (62)#
replicainstall: DS SSL replica install pick right certmonger host
Extend CALessBase::installer_server to accept extra_args
Handle subtypes in ACIs
server install: drop some print statements, change log level
Drop attr defaultServerList if removing the last server
Improve console logging for ipa-server-install
Replace some test case adjectives
Suppress missing cn=schema compat on installation
Use replace instead of add to set new default ipaSELinuxUserMapOrder
Disable Schema Compat plugin during server upgrade
Add tests for ipa-restore with DM password validation check
Validate the Directory Manager password before starting restore
Rename test class for testing simple commands, add test
Don’t try to set Kerberos extradata when there is no principal
Client install should handle automount unconfigured on uninstall
Return unique error when automount is already or not configured
VERSION.m4: Set back to git snapshot
Become IPA 4.6.90.pre2
Update 4.7 translations
Fix certificate retrieval in ipa-replica-prepare for DL0
Disable message about log in ipa-backup if IPA is not configured
Use a regex in installutils.get_directive instead of line splitting
Handle whitespace, add separator to regex in set_directive_lines
Validate the Directory Manager password before starting restore
Log service start/stop/restart message
Update project metadata in ipasetup.py.in
Allow dot as a valid character in an selinux identity name
Remove xfail from CALess test test_http_intermediate_ca
Some PKCS#12 errors are reported with full path names
ipa-server-certinstall failing, unknown option realm
Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
Break out of teardown in test_replica_promotion.py if no config
Remove the Continuous installer class, it is unused
Return a value if exceptions are raised in server uninstall
VERSION.m4: Set back to git snapshot
Become IPA 4.6.90.pre1
Update Contributors.txt
Redirect CRL requests to the http port, not the https port
Don’t try to backup CS.cfg during upgrade if CA is not configured
Don’t return None on mismatched interactive passwords
Update smart_card_auth advise script for mod_ssl
Add value in set_directive after a commented-out version
Don’t backup nss.conf on upgrade with the switch to mod_ssl
Enable upgrades from a mod_nss-installed master to mod_ssl
Convert ipa-pki-proxy.conf to use mod_ssl directives
Remove main function from the certmonger library
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Fix detection of KRA installation so upgrades can succeed
Move Requires: pythonX-sssdconfig into conditional
Log contents of files created or modified by IPAChangeConf
Don’t manually generate default.conf in server, use IPAChangeConf
Enable ephemeral KRA requests
Make the path to CS.cfg a class variable
Run server upgrade in ipactl start/restart
If the cafile is not present or readable then raise an exception
Add test to ensure that properties are being set in rpcclient
Use the CA chain file from the RPC context
Fix cert-find for CA-less installations
Use 389-ds provided method for file limits tuning
Collect group membership without a size limit
Add exec to /var/lib/ipa/sysrestore for install status inquiries
Use TLS for the cert-find operation
Robbie Harwood (5)#
Fix elements not being removed in otpd_queue_pop_msgid()
Move krb5 snippet into freeipa-client-common
Enable SPAKE support using krb5.conf.d snippet
Log errors from NSS during FIPS OTP key import
ipa-kdb: support KDB DAL version 7.0
Rishabh Dave (1)#
ipa-ca-install: mention REPLICA_FILE as optional in help
Sumit Bose (1)#
ipa-kdb: reinit trusted domain data for enterprise principals
Sumit Bose (2)#
ipa-kdb: update trust information in all workers
ipa-kdb: use magic value to check if ipadb is used
John L (1)#
Remove special characters in host_add random OTP generation
Stanislav Laznicka (84)#
Move config directives handling code
Travis: ignore ‘line break after binary operator’
Allow user administrator to change user homedir
mod_ssl: add SSLVerifyDepth for external CA installs
Add absolute_import to test_authselect
Fix typo in ipa-getkeytab --help
Add absolute_import future imports
replica-install: pass --ip-address to client install
ipa_backup: Backup the password to HTTPD priv key
Fix upgrading of FreeIPA HTTPD
Remove py35 env from tox testing
Encrypt httpd key stored on disk
Dogtag configs: rename deprecated options
Backup HTTPD’s mod_ssl config and cert-key pair
vault: fix vault-retrieve to a file
Backup ssl.conf when migrating from mod_nss
Move HTTPD cert/key pair to /var/lib/ipa/certs
httpinstance fixup: remove commented-out lines
httpinstance: fix publishing of CA cert
httpinstance: verify priv key belongs to certificate
httpinstance: backup mod_nss conf instead of just removing it
service: rename import_ca_certs_* to export_*
fixup: add ipa-rewrite.conf to ssl.conf on upgrade
Make ipa-server-certinstall store HTTPD cert in a file
certupdate: don’t update HTTPD NSS db
x509: Fix docstring of write_certificate()
x509: Remove unused argument of load_certificate_from_file()
httpinstance: handle supplied PKCS#12 files in installation
mod_ssl migration: fix upload_cacrt.py plugin
Fix FileStore.backup_file() not to backup same file
Have all the scripts run in python 3 by default
replica_prepare: Remove the correct NSS DB files
Add a helpful comment to ca.py:install_check()
Don’t allow OTP or RADIUS in FIPS mode
caless tests: decode cert bytes in debug log
caless tests: make debug log of certificates sensible
Add indexing to improve host-find performance
Add the sub operation for fqdn index config
x509: remove subject_base() function
x509: remove the strip_header() function
py3: pass raw entries to LDIFWriter
ipatests: use python3 if built with python3
PRCI: use a new template for py3 testing
travis: pep8 changes to pycodestyle
csrgen_ffi: cast the DN value to unsigned char *
Remove pkcs10 module contents
Add tests for CertificateSigningRequest
parameters: introduce CertificateSigningRequest
parameters: relax type checks
csrgen: update docstring for py3
csrgen: accept public key info as Bytes
csrgen_ffi: pass bytes where “char *” is required
p11-kit: add serial number in DER format
travis: make tests fail if pep8 does not pass
Remove the `message` attribute from exceptions
rpc: don’t decode cookie_string if it’s None
Don’t write p11-kit EKU extension object if no EKU
pylint: fix missing module
travis: run the same tests in python2/3
certmap testing: fix wrong cert construction
ldap2: don’t use decode() on str instance
client: fix retrieving certs from HTTP
uninstall: remove deprecation warning
ldif: handle attribute names as strings
pkinit: don’t fail when no pkinit servers found
pkinit: fix sorting dictionaries
travis: remove “fast” from “makecache fast”
Change Travis CI container to FreeIPA-owned
Change the requirements for pylint in wheel
rpcserver: don’t call xmlserver.Command
secrets: disable relative-imports for custodia
pylint: disable __hash__ for some classes
install.util: disable no-value-for-parameter
pylint: make unsupported-assignment-operation check local
sudocmd: fix unsupported assignment
pylint: Iterate through dictionaries
parameters: convert Decimal.precision to int
dcerpc: disable unbalanced-tuple-unpacking
dcerpc: refactor assess_dcerpc_exception
pylint: fix no-member in schema plugin
csrgen: fix incorrect codec for pyasn BitString
pylint: fix not-context-manager false positives
travis: temporary workaround for Travis CI
Travis: archive logs of py3 jobs
Stanislav Levin (11)#
Fix link to browser configuration guide on Login page
Fix some untranslatable commands in Web UI API Browser
Apply validate_doc() to NO_CLI commands
Fix formatted translations of error messages in topology plugin
Fix formatted translations of error messages in serverroles plugin
Fix formatted translations in trust plugin
Fix translation of idrange_* commands description
Fix formatted translations in domainlevel plugin
Use intended format() method of translation object
Add support for format method to translation objects
Fix translation of commands description in API Browser
Sudhir Menon (2)#
Adding modified DOAP file
DOAP Description for IPA Project
Thierry Bordaz (2)#
Hardening of topology plugin to prevent erroneous deletion of a replica agreement
389-ds-base crashed as part of ipa-server-install in ipa-uuid
Tibor Dudlák (15)#
Use temporary pid file for chronyd -q task
Fix format string passed to pytest-multihost
Configure chrony with pool when server not set
Add enabling chrony daemon when not configured
Remove unnecessary option --force-chrony
Remove NTP server role while upgrading
Removes NTP server role from servroles and description
Update man pages for FreeIPA client, replica and server install
Adding method to ipa-server-upgrade to cleanup ntpd
Add --ntp-pool option to installers
FreeIPA server is time synchronization client only
Replace ntpd with chronyd in installation
Add dependency and paths for chrony
Removes ntp from dependencies and behave as there is always -N option
Do not check deleted files with `make fastlint`
Timo Aaltonen (9)#
Fix HTTPD SSL configuration for Debian.
ldapupdate: Add support for Debian multiarch
named.conf: Disable duplicate zone on debian, and modify data dir
Add mkhomedir support for Debian
paths: Fix some path definitions for Debian.
constants: Fix HTTPD_GROUP for Debian
Create kadm5.acl if it doesn’t exist
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Move config templates from install/conf to install/share
Tomas Krizek (20)#
test_dnssec: re-add named-pkcs11 workarounds
py3 dnssec: convert hexlify to str
py3: bindmgr: fix bytes issues
prci: bump ci-master-f27 template to 1.0.2
prci: define testing topologies
prci: start testing PRs on fedora 27
py3 spec: remove python2 dependencies from server-trust-ad
py3 spec: remove python2 dependencies from freeipa-server
py3 spec: use proper python2 package names
ipatests: fix circular import for collect_logs
ipatests: collect logs for external_ca test suite
prci: add external_ca test
ldap: limit the retro changelog to dns subtree
spec: bump 389-ds-base to 1.3.7.6-1
ipatests: set default 389-ds log level to 0
prci: update F26 template
spec: bump python-pyasn1 to 0.3.2-2
prci: use f26 template for master
VERSION: set 4.6 git snapshot
Contributors.txt: update
Thorsten Scherf (1)#
Add debug option to ipa-replica-manage and remove references to api_env var.