|
|
|
|
Changelog for ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64.rpm :
* Tue Jan 12 2021 Rafael Jeffman - 4.8.7-14- wgi/plugins.py: ignore empty plugin directories Resolves: RHBZ#1895910- rpcserver: fallback to non-armored kinit in case of trusted domains Resolves: RHBZ#1914821- pylint: remove unused variable Resolves: RHBZ#1914821- ipa-kdb: support subordinate/superior UPN suffixes Resolves: RHBZ#1914823- ad trust: accept subordinate domains of the forest trust root Resolves: RHBZ#1914823- ipatests: support subordinate upn suffixes Resolves: RHBZ#1914823 * Thu Oct 08 2020 Thomas Woerner - 4.8.7-13- Fix nsslapd-db-lock tuning of BDB backend Resolves: RHBZ#1882472 * Wed Sep 23 2020 Thomas Woerner - 4.8.7-12- Require selinux sub package in the proper version Related: RHBZ#1868432- SELinux: do not double-define node_t and pki_tomcat_cert_t Related: RHBZ#1868432- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests Related: RHBZ#1868432- dogtaginstance.py: add --debug to pkispawn Resolves: RHBZ#1879604 * Thu Sep 10 2020 Thomas Woerner - 4.8.7-11- SELinux Policy: let custodia replicate keys Resolves: RHBZ#1868432 * Wed Aug 19 2020 Thomas Woerner - 4.8.7-10- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202 * Mon Aug 17 2020 Thomas Woerner - 4.8.7-9- CAless installation: set the perms on KDC cert file Resolves: RHBZ#1863616- EPN: handle empty attributes Resolves: RHBZ#1866938- IPA-EPN: enhance input validation Resolves: RHBZ#1866291- EPN: enhance input validation Resolves: RHBZ#1863079- Require new samba build 4.12.3-52 Related: RHBZ#1868558- Require new selinux-policy build 3.14.3-52 Related: RHBZ#1869311 * Fri Jul 31 2020 Thomas Woerner - 4.8.7-8- [WebUI] IPA Error 3007: RequirmentError\" while adding members in \"User ID overrides\" tab (updated) Resolves: RHBZ#1757045- ipa-client-install: use the authselect backup during uninstall Resolves: RHBZ#1810179- Replace SSLCertVerificationError with CertificateError for py36 Resolves: RHBZ#1858318- Fix AVC denial during ipa-adtrust-install --add-agents Resolves: RHBZ#1859213 * Wed Jul 15 2020 Thomas Woerner - 4.8.7-7- replica install failing with avc denial for custodia component Resolves: RHBZ#1857157 * Tue Jul 14 2020 Thomas Woerner - 4.8.7-6- selinux don\'t audit rules deny fetching trust topology Resolves: RHBZ#1845596- fix iPAddress cert issuance for >1 host/service Resolves: RHBZ#1846352- Specify cert_paths when calling PKIConnection Resolves: RHBZ#1849155- Update crypto policy to allow AD-SUPPORT when installing IPA Resolves: RHBZ#1851139- Add version to ipa-idoverride-memberof obsoletes Related: RHBZ#1846434 * Thu Jul 02 2020 Thomas Woerner - 4.8.7-5- Add missing ipa-selinux package Resolves: RHBZ#1853263 * Mon Jun 29 2020 Thomas Woerner - 4.8.7-4- Remove client-epn left over files for ONLY_CLIENT Related: RHBZ#1847999 * Mon Jun 29 2020 Thomas Woerner - 4.8.7-3- [WebUI] IPA Error 3007: RequirmentError\" while adding members in \"User ID overrides\" tab Resolves: RHBZ#1757045- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn Resolves: RHBZ#1847999- FreeIPA - Utilize 256-bit AJP connector passwords Resolves: RHBZ#1849914- ipa: typo issue in ipanthomedirectoryrive deffinition Resolves: RHBZ#1851411 * Thu Jun 11 2020 Thomas Woerner - 4.8.7-2- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 Resolves: RHBZ#1846434 * Thu Jun 11 2020 Thomas Woerner - 4.8.7-1- Upstream release FreeIPA 4.8.7- Require new samba build 4.12.3-0 Related: RHBZ#1818765- New client-epn sub package Resolves: RHBZ#913799 * Tue Jun 02 2020 Thomas Woerner - 4.8.6-2- Support krb5 1.18 Resolves: RHBZ#1817579 * Tue Apr 28 2020 Thomas Woerner - 4.8.6-1- Upstream release FreeIPA 4.8.6- New SELinux sub package to provide own module- Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in SELinux external policy support Related: RHBZ#1818765 * Mon Feb 17 2020 Thomas Woerner - 4.8.4-6- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit Resolves: RHBZ#1790663 * Mon Feb 17 2020 Thomas Woerner - 4.8.4-5- Fixed weekday in 4.8.4-2 changelog date Related: RHBZ#1784003- adtrust: print DNS records for external DNS case after role is enabled Resolves: RHBZ#1665051- AD user without override receive InternalServerError with API Resolves: RHBZ#1782572- ipa-client-automount fails after repeated installation/uninstallation Resolves: RHBZ#1790886- install/updates: move external members past schema compat update Resolves: RHBZ#1803165- kdb: make sure audit_as_req callback signature change is preserved Resolves: RHBZ#1803786 * Wed Jan 29 2020 Thomas Woerner - 4.8.4-4- Update dependencies for samba, 389-ds and sssd Resolves: RHBZ#1792848 * Fri Jan 17 2020 Alexander Bokovoy - 4.8.4-3- Depend on krb5-kdb-version-devel for BuildRequires- Update nss dependency to 3.44.0-4- Reset per-indicator Kebreros policy Resolves: RHBZ#1784761 * Sat Dec 14 2019 Thomas Woerner - 4.8.4-2- DNS install check: Fix overlapping DNS zone from the master itself Resolves: RHBZ#1784003 * Sat Dec 14 2019 Thomas Woerner - 4.8.4-1- Rebase to upstream release 4.8.4 - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 Resolves: RHBZ#1782658 Resolves: RHBZ#1782169 Resolves: RHBZ#1783046 Related: RHBZ#1748987 * Mon Dec 02 2019 Thomas Woerner - 4.8.3-3- Fix otptoken_sync plugin Resolves: RHBZ#1777811 * Mon Dec 02 2019 Thomas Woerner - 4.8.3-2- Use default crypto policy for TLS and enable TLS 1.3 support Resolves: RHBZ#1777809- Covscan fixes Resolves: RHBZ#1777920- Change pki_version to 10.8.0 Related: RHBZ#1748987 * Thu Nov 28 2019 Alexander Bokovoy - 4.8.3-1- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) Resolves: RHBZ#1767304 Resolves: RHBZ#1776939- Support KDC ticket policies for authentication indicators Resolves: RHBZ#1777564 * Tue Nov 26 2019 Alexander Bokovoy - 4.8.2-4- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() Resolves: RHBZ#1767304- CVE-2019-10195: Don\'t log passwords embedded in commands in calls using batch Resolves: RHBZ#1776939 * Fri Nov 22 2019 Thomas Woerner - 4.8.2-3- Use default ssh host key algorithms Resolves: RHBZ#1756432- Do not run trust upgrade code if master lacks Samba bindings Resolves: RHBZ#1757064- Finish group membership management UI Resolves: RHBZ#1773528 * Mon Nov 18 2019 Thomas Woerner - 4.8.2-2- Update dependency for bind-dndb-ldap to 11.2-2 Related: RHBZ#1762813 * Thu Nov 14 2019 Thomas Woerner - 4.8.2-1- Rebase to upstream release 4.8.2 - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 - Updated branding patch Resolves: RHBZ#1748987 * Thu Aug 29 2019 Thomas Woerner - 4.8.0-10- Fix automount behavior with authselect Resolves: RHBZ#1740167 * Mon Aug 19 2019 Thomas Woerner - 4.8.0-9- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT Resolves: RHBZ#1741530 * Thu Aug 15 2019 Thomas Woerner - 4.8.0-8- FreeIPA 4.8.0 tarball lacks two update files that are in git Resolves: RHBZ#1741170 * Tue Aug 13 2019 Thomas Woerner - 4.8.0-7- Allow insecure binds for migration Resolves: RHBZ#1731963 * Fri Aug 02 2019 Thomas Woerner - 4.8.0-6- Fix --external-ca-profile not passed to CSR Resolves: RHBZ#1731813 * Tue Jul 30 2019 Thomas Woerner - 4.8.0-5- Remove posixAccount from service_find search filter Resolves: RHBZ#1731437- Fix repeated uninstallation of ipa-client-samba crashes Resolves: RHBZ#1732529- WebUI: Add PKINIT status field to \'Configuration\' page Resolves: RHBZ#1518153 * Tue Jul 16 2019 Alexander Bokovoy - 4.8.0-4- Fix krb5-kdb-server -> krb5-kdb-version Related: RHBZ#1700121 * Mon Jul 15 2019 Alexander Bokovoy - 4.8.0-3- Make sure ipa-server depends on krb5-kdb-version to pick up right MIT Kerberos KDB ABI Related: RHBZ#1700121- User field separator uses \'$$\' within ipaSELInuxUserMapOrder Fixes: RHBZ#1729099 * Wed Jul 03 2019 Thomas Woerner - 4.8.0-2- Fixed kdcproxy_version to 0.4-3- Fixed krb5_version to 1.17-7 Related: RHBZ#1684528 * Wed Jul 03 2019 Thomas Woerner - 4.8.0-1- New upstream release 4.8.0 - New subpackage: freeipa-client-samba - Added command ipa-cert-fix with man page - New sysconfdir sysconfig/certmonger- Updated pki_version, certmonger_version, sssd_version and kdcproxy_version Related: RHBZ#1684528 * Tue May 21 2019 Alexander Bokovoy - 4.7.90-3- Fix upgrade issue with AD trust when no trust yet established Fixes: RHBZ#1708874 Related: RHBZ#1684528 * Thu May 09 2019 Alexander Bokovoy - 4.7.90-2- Require certmonger 0.79.7-1 Related: RHBZ#1708095 * Mon May 06 2019 Thomas Woerner - 4.7.90-1- Update to 4.7.90-pre1 Related: RHBZ#1684528- Removed patches 0002 to 0031 as these are upsteram and part of 4.7.90-pre1- Added new patches 0001-revert-minssf-defaults.patch and 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch * Tue Apr 16 2019 Alexander Bokovoy - 4.7.1-12- Remove strict dependencies to krb5-server version in order to allow update of krb5 to 1.17 and change dependency to KDB DAL version. Resolves: RHBZ#1700121 * Wed Feb 27 2019 Rob Crittenden - 4.7.1-11- Handle NFS configuration file changes. nfs-utils moved the configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. Resolves: RHBZ#1676981 * Tue Jan 15 2019 Christian Heimes - 4.7.1-10- Fix systemd-user HBAC rule Resolves: RHBZ#1664974 * Mon Jan 14 2019 Thomas Woerner - 4.7.1-9- Resolve user/group names in idoverride *-find Resolves: RHBZ#1657745 * Mon Jan 14 2019 Christian Heimes - 4.7.1-8- Create systemd-user HBAC service and rule Resolves: RHBZ#1664974- ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned Resolves: RHBZ#1664023 * Fri Dec 14 2018 Thomas Woerner - 4.7.1-7.el8- Fix misleading errors during client install rollback Resolves: RHBZ#1658283- ipa-advise: update url of cacerdir_rehash tool Resolves: RHBZ#1658287- Handle NTP configuration in a replica server installation Resolves: RHBZ#1651679- Fix defects found by static analysis Resolves: RHBZ#1658182- ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad Resolves: RHBZ#1658294- ipaldap: invalid modlist when attribute encoding can vary Resolves: RHBZ#1658302- Allow ipaapi and Apache user to access SSSD IFP Resolves: RHBZ#1639910- Add sysadm_r to default SELinux user map order Resolves: RHBZ#1658303- certdb: ensure non-empty Subject Key Identifier and validate server cert sig Resolves: RHBZ#1641988- ipa-replica-install: password and admin-password options mutually exclusive Resolves: RHBZ#1658309- ipa upgrade: handle double-encoded certificates Resolves: RHBZ#1658310- PKINIT: fix ipa-pkinit-manage enable|disable Resolves: RHBZ#1658313- Enable LDAP debug output in client to display TLS errors in join Resolves: RHBZ#1658316- rpc: always read response Resolves: RHBZ#1639890- ipa vault-retrieve: fix internal error Resolves: RHBZ#1658485- Move ipa\'s systemd tmpfiles from /var/run to /run Resolves: RHBZ#1658487- Fix authselect invocations to work with 1.0.2 Resolves: RHBZ#1654291- ipa-client-automount and NFS unit name changes Resolves: RHBZ#1645501- Fix compile issue with new 389-ds Resolves: RHBZ#1659448 * Thu Nov 15 2018 LumÃr Balhar - 4.7.1-6.el8- Require platform-python-setuptools instead of python3-setuptools- Resolves: rhbz#1650139 * Mon Oct 29 2018 Alexander Bokovoy - 4.7.1-5.el8- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing- Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter * Tue Oct 16 2018 Alexander Bokovoy - 4.7.1-4.el8- Fix mapping of BUILTIN\\Guests to \'nobody\' group during upgrade to not use generated Samba config at this point- Related: rhbz#1623895 * Mon Oct 15 2018 Thomas Woerner - 4.7.1-3.el8- New command automember-find-orphans to find and remove orphan automemeber rules has been added Resolves: RHBZ#1638373- Moved ipa/idm logos and background to redhat-logos-ipa-80.4: header-logo.png, login-screen-background.jpg, login-screen-logo.png, product-name.png New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common Resolves: RHBZ#1626507 * Wed Oct 10 2018 Alexander Bokovoy - 4.7.1-2.el8- Move initialization of Guests mapping after cifs/ principal is created- Related: rhbz#1623895 * Sun Oct 07 2018 Alexander Bokovoy - 4.7.1-1.el8- 4.7.1- Fixes: rhbz#1633105 - rebase to 4.7.1 * Tue Sep 25 2018 Tomas Orsava - 4.7.0-6.el8- Require the Python interpreter directly instead of using the package name- Related: rhbz#1619153 * Thu Sep 13 2018 Rob Crittenden - 4.7.0-5.el8- sudo rule for \"admins\" members should be created by default (#1609873) * Thu Sep 06 2018 Rob Crittenden - 4.7.0-4.el8- ipaclient-install: chmod needs octal permissions (#1609880) * Thu Aug 16 2018 Thomas Woerner - 4.7.0-3.1.el8- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of errors.NotFound- Resolves: #1615765 do-not-use-RC4-in-FIPS-mode - Move fips_enabled to a common library to share across different plugins - ipasam: do not use RC4 in FIPS mode * Mon Aug 13 2018 Thomas Woerner - 4.7.0-3.el8- Resolves: #1614301 Remove --no-sssd and --noac options- Resolves: #1613879 Disable Domain Level 0 - New patch sets to disable domain level 0 - New adapted patch to disable DL0 specific tests (pytest_ipa vs. pytest_plugins) - Adapted branding patch in ipa-replica-install.1 due to DL0 removal * Wed Jul 25 2018 Alexander Bokovoy - 4.7.0-2.el8- Require 389-ds-base-legacy-tools for setup tools * Thu Jul 19 2018 Rob Crittenden - 4.7.0-1.el8- Update to upstream 4.7.0 GA * Mon May 21 2018 Rob Crittenden - 4.6.90.pre1-2.el8- Set krb5 DAL version to 7.0 (#1580711)- Rebuild aclocal and configure during build * Mon Mar 26 2018 Rob Crittenden - 4.6.90.pre1-1.el8- Update to upstream 4.6.90.pre1 * Mon Jan 29 2018 Troy Dawson - 4.5.4-5.el8.1- Use java-1.8.0-openjdk-devel * Thu Nov 30 2017 Alexander Bokovoy - 4.5.4-5.el7- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads * Fri Nov 03 2017 Pavel Vomacka - 4.5.4-4.el7- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - ldap: limit the retro changelog to dns subtree- Resolves: #1427798 Use X509v3 Basic Constraints \"CA:TRUE\" instead of \"CA:FALSE\" IPA CA CSR - Include the CA basic constraint in CSRs when renewing a CA- Resolves: #1493145 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - Checks if replica-s4u2proxy.ldif should be applied- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal- Resolves: #1506188 server-del doesn\'t remove dns-server configuration from ldap * Thu Oct 26 2017 Rob Crittenden - 4.5.4-3.el7- Drop workaround for building on AArch64 (#1482244)- Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) * Tue Oct 24 2017 Felipe Barreto - 4.5.4-2.el7- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 parameters!- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad, cn=trusts,dc=example,dc=com- Resolves: #1467887 iommu platform support for ipxe- Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host- Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to 4.5- Resolves: #1480102 ipa-server-upgrade failes with \"This entry already exists\"- Resolves: #1482802 Unable to set ca renewal master on replica- Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)- Resolves: #1484826 FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn\'t have whomai plugin enabled and thus startup of Web UI fails- Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back to self-signed CA- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories- Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only)- Resolves: #1477703 IPA upgrade fails for latest ipa package * Fri Oct 20 2017 Pavel Vomacka - 4.5.4-1.el7- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot- Resolves: #1470177 - Rebase IPA to latest 4.5.x version- Resolves: #1398594 ipa topologysuffix-verify should only warn about maximum number of replication agreements. - Resolves: #1404236 Web UI: Change \"Host Based\" and \"Role Based\" to \"Host-Based\" and \"Role-Based\" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running- Resolves: #1451576 ipa cert-request failed to generate certificate from csr - Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values- Resolves: #1458169 --force-join option is not mentioned in ipa-replica-install man page - Resolves: #1463186 IPA shouldn\'t allow objectclass if not all in lower case - Resolves: #1478322 user-show command fails when sizelimit is configured to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC- Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080- Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA- Resolves: #1498168 Error when trying to modify a PTR record- Resolves: #1457876 ipa-backup fails silently- Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful.- Resolves: #1449985 Suggest CA installation command in KRA installation warning * Wed Sep 20 2017 Felipe Barreto - 4.5.0-21.el7.2.2- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports expecting IPA services listening on IPv6 ports - Make sure upgrade also checks for IPv6 stack - control logging of host_port_open from caller - log progress of wait_for_open_ports- Resolves: #1477243 ipa help command returns traceback when no cache is present - Store help in Schema before writing to disk - Disable pylint in get_help function because of type confusion. * Tue Sep 19 2017 Felipe Barreto - 4.5.0-21.el7.2- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Always check peer has keys before connecting- Resolves: #1482802 - Unable to set ca renewal master on replica - Fix ipa config-mod --ca-renewal-master- Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching back to self-signed CA - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)- Resolves: #1480102 - ipa-server-upgrade failes with \"This entry already exists\" - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists- Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from versions with 389 DS prior to 1.3.3.0 doesn\'t have whomai plugin enabled and thus startup of Web UI fails - Adds whoami DS plugin in case that plugin is missing- Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - Fixing how sssd.conf is updated when promoting a client to replica- Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 parameters! - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace- Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade) - Backport 4-5: Fix ipa-server-upgrade with server cert tracking * Thu Aug 17 2017 Pavel Vomacka - 4.5.0-21.el7.1.2- Resolves: #1477703 IPA upgrade fails for latest ipa package - Restore old version of caIPAserviceCert for upgrade only * Tue Aug 15 2017 Pavel Vomacka - 4.5.0-21.el7.1.1- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Restore old version of caIPAserviceCert for upgrade only * Fri Jul 28 2017 Pavel Vomacka - 4.5.0-21.el7.1- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert - Allow to pass in multiple CA cert paths to the smart card advises - add a class that tracks the indentation in the generated advises - delegate the indentation handling in advises to dedicated class - advise: add an infrastructure for formatting Bash compound statements - delegate formatting of compound Bash statements to dedicated classes - Fix indentation of statements in Smart card advises - Use the compound statement formatting API for configuring PKINIT - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during search in cn=ad,cn=trusts,dc=example,dc=com - NULL LDAP context in call to ldap_search_ext_s during search * Wed Jul 12 2017 Pavel Vomacka - 4.5.0-21.el7- Resolves: #1469246 Replica install fails to configure IPA-specific temporary files/directories - replica install: drop-in IPA specific config to tmpfiles.d- Resolves: #1469480 bind package is not automatically updated during ipa-server upgrade process - Bumped Required version of bind-dyndb-ldap and bind package * Tue Jun 27 2017 Pavel Vomacka - 4.5.0-20.el7- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Make sure we check ccaches in all rpcserver paths * Wed Jun 21 2017 Pavel Vomacka - 4.5.0-19.el7- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param - Remove ip_netmask from option parser - replica install: add missing check for non-local IP address - Remove network and broadcast address warnings * Thu Jun 15 2017 Pavel Vomacka - 4.5.0-18.el7- Resolves: #1449189 ipa-kra-install timeouts on replica - kra: promote: Get ticket before calling custodia * Wed Jun 14 2017 Pavel Vomacka - 4.5.0-17.el7- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage - server upgrade: do not enable PKINIT by default - Extend the advice printing code by some useful abstractions - Prepare advise plugin for smart card auth configuration- Resolve: #1461053 allow to modify list of UPNs of a trusted forest - trust-mod: allow modifying list of UPNs of a trusted forest - WebUI: add support for changing trust UPN suffixes * Wed Jun 07 2017 Pavel Vomacka - 4.5.0-16.el7- Resolves: #1377973 ipa-server-install fails when the provided or resolved IP address is not found on local interfaces - Only warn when specified server IP addresses don\'t match intf- Resolves: #1438016 gssapi errors after IPA server upgrade - Bump version of python-gssapi- Resolves: #1457942 certauth: use canonical principal for lookups - ipa-kdb: use canonical principal in certauth plugin- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid breaking older clients - Add code to be able to set default kinit lifetime - Revert setting sessionMaxAge for old clients * Wed Jun 07 2017 Pavel Vomacka - 4.5.0-15.el7- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed - Fix index definition for ipaAnchorUUID- Resolves: #1438016 gssapi errors after IPA server upgrade - Avoid possible endless recursion in RPC call - rpc: preparations for recursion fix - rpc: avoid possible recursion in create_connection- Resolves: #1446087 services entries missing krbCanonicalName attribute. - Changing cert-find to do not use only primary key to search in LDAP.- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically- Resolves: #1455541 after upgrade login from web ui breaks - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate issuance when ipa-ca records are not resolvable - Turn off OCSP check- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - server_del - TypeError: \'NoneType\' object is not iterable - fix incorrect suffix handling in topology checks * Wed May 24 2017 Pavel Vomacka - 4.5.0-14.el7- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory - certdb: use custom object for trust flags - install: trust IPA CA for PKINIT - client install: fix client PKINIT configuration - install: introduce generic Kerberos Augeas lens - server install: fix KDC PKINIT configuration - ipapython.ipautil.run: Add option to set umask before executing command - certs: do not export keys world-readable in install_key_from_p12 - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less - replica install: respect --pkinit-cert-file - cacert manage: support PKINIT - server certinstall: support PKINIT- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file option - certs: do not export CA certs in install_pem_from_p12 - server install: fix KDC certificate validation in CA-less- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt- Resolves: #1441499 ipa cert-show does not raise error if no file name specified - ca/cert-show: check certificate_out in options- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - Remove pkinit-anonymous command- Resolves: #1449523 Provide an API command to retrieve PKINIT status in the FreeIPA topology - Allow for multivalued server attributes - Refactor the role/attribute member reporting code - Add an attribute reporting client PKINIT-capable servers - Add the list of PKINIT servers as a virtual attribute to global config - Add `pkinit-status` command - test_serverroles: Get rid of MockLDAP and use ldap2 instead- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - Fix rare race condition with missing ccache file- Resolves: #1455045 Simple service uninstallers must be able to handle missing service files gracefully - only stop/disable simple service if it is installed- Resolves: #1455541 after upgrade login from web ui breaks - krb5: make sure KDC certificate is readable- Resolves: #1455862 \"ipa: ERROR: an internal error has occurred\" on executing command \"ipa cert-request --add\" after upgrade - Change python-cryptography to python2-cryptography * Thu May 18 2017 Pavel Vomacka - 4.5.0-13.el7- Resolves: #1451804 \"AttributeError: \'tuple\' object has no attribute \'append\'\" error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password * Tue May 16 2017 Pavel Vomacka - 4.5.0-12.el7- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance- Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1- Resolves: #1441493 ipa cert-show raises stack traces when --certificate-out=/tmp - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - Turn on NSSOCSP check in mod_nss conf- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting template on - renew agent: respect CA renewal master setting - server upgrade: always fix certmonger tracking request - cainstance: use correct profile for lightweight CA certificates - renew agent: allow reusing existing certs - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type- Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host- Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership- Resolves: #1451279 otptoken-add-yubikey KeyError: \'ipatokenotpdigits\' - otptoken-add-yubikey: When --digits not provided use default value * Wed May 10 2017 Jan Cholasta - 4.5.0-11.el7- Resolves: #1449189 ipa-kra-install timeouts on replica - ipa-kra-install: fix check_host_keys * Wed May 03 2017 Jan Cholasta - 4.5.0-10.el7- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to validate message: Incorrect number of results (0) searching forpublic key for host - Make sure remote hosts have our keys- Resolves: #1442815 Replica install fails during migration from older IPA master - Refresh Dogtag RestClient.ca_host property - Remove the cachedproperty class- Resolves: #1444787 Update warning message when KRA installation fails - kra install: update installation failure message- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - ipa-server-install with external CA: fix pkinit cert issuance- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() must use FreeIPA CA - kerberos session: use CA cert with full cert chain for obtaining cookie- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors definition - ipa-client-install: remove extra space in pkinit_anchors definition- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - Use proper SELinux context with http.keytab * Fri Apr 28 2017 Jan Cholasta - 4.5.0-9.el7- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - spec file: bump krb5 Requires for certauth fixes- Resolves: #1438729 Configure local PKINIT on DL0 or when \'--no-pkinit\' option is used - separate function to set ipaConfigString values on service entry - Allow for configuration of all three PKINIT variants when deploying KDC - API for retrieval of master\'s PKINIT status and publishing it in LDAP - Use only anonymous PKINIT to fetch armor ccache - Stop requesting anonymous keytab and purge all references of it - Use local anchor when armoring password requests - Upgrade: configure local/full PKINIT depending on the master status - Do not test anonymous PKINIT after install/upgrade- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. update_tdo_gidnumber: ERROR Default SMB Group not found - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed- Resolves: #1442932 ipa restore fails to restore IPA user - restore: restart/reload gssproxy after restore- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - Fix CA/server cert validation in FIPS- Resolves: #1444947 Deadlock between topology and schema-compat plugins - compat-manage: behave the same for all users - Move the compat plugin setup at the end of install - compat: ignore cn=topology,cn=ipa,cn=etc subtree- Resolves: #1445358 ipa vault-add raises TypeError - vault: piped input for ipa vault-add fails- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - Vault: Explicitly default to 3DES CBC- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - automount install: fix checking of SSSD functionality on uninstall- Resolves: #1446137 pki_client_database_password is shown in ipaserver-install.log - Hide PKI Client database password in log file * Thu Apr 20 2017 Jan Cholasta - 4.5.0-8.el7- Resolves: #1443869 Command \"openssl pkcs12 ...\" failed during IPA upgrade - Fix CAInstance.import_ra_cert for empty passwords * Wed Apr 19 2017 Jan Cholasta - 4.5.0-7.el7- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA WebUI is slow to display user details page - cert: defer cert-find result post-processing- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - server-install: No double Kerberos install- Resolves: #1437502 ipa-replica-install fails with requirement to use --force-join that is a client install option. - Add the force-join option to replica install - replicainstall: better client install exception handling- Resolves: #1437953 Server CA-less impossible option check - server-install: remove broken no-pkinit check- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - Add debug log in case cookie retrieval went wrong- Resolves: #1441548 ipa server install fails with --external-ca option - ext. CA: correctly write the cert chain- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance spawn - Fix CA-less to CA-full upgrade- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to every binary in IPA - configure: fix AC_CHECK_LIB usage- Resolves: #1442815 Replica install fails during migration from older IPA master - Fix RA cert import during DL0 replication- Related: #1442004 Building IdM/FreeIPA internally on all architectures - filtering unsupported packages - Build all subpackages on all architectures * Wed Apr 12 2017 Pavel Vomacka - 4.5.0-6.el7- Resolves: #1382053 Need to have validation for idrange names - idrange-add: properly handle empty --dom-name option- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when installing replica - dsinstance: reconnect ldap2 after DS is restarted by certmonger - httpinstance: avoid httpd restart during certificate request - dsinstance, httpinstance: consolidate certificate request code - install: request service certs after host keytab is set up - renew agent: revert to host keytab authentication - renew agent, restart scripts: connect to LDAP after kinit- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted domain entry - ipa-sam: create the gidNumber attribute in the trusted domain entry - Upgrade: add gidnumber to trusted domain entry- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: Incorrect client security database password - Add pki_pin only when needed- Resolves: #1438348 Console output message while adding trust should be mapped with texts changed in Samba. - ipaserver/dcerpc: unify error processing- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid \'Credentials\': Missing credentials for cross-forest communication - trust: always use oddjobd helper for fetching trust information- Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - WebUI: cert login: Configure name of parameter used to pass username- Resolves: #1437879 [copr] Replica install failing - Create system users for FreeIPA services during package installation- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - Fix s4u2self with adtrust * Wed Apr 05 2017 Jan Cholasta - 4.5.0-5.el7- Resolves: #1318186 Misleading error message during external-ca IPA master install - httpinstance: make sure NSS database is backed up- Resolves: #1331443 Re-installing ipa-server after uninstall fails with \"ERROR CA certificate chain in ... incomplete\" - httpinstance: make sure NSS database is backed up- Resolves: #1393726 Enumerate all available request type options in ipa cert-request help - Hide request_type doc string in cert-request help- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - spec file: bump libsss_nss_idmap-devel BuildRequires - server: make sure we test for sss_nss_getlistbycert- Resolves: #1437378 ipa-adtrust-install produced an error and failed on starting smb when hostname is not FQDN - adtrust: make sure that runtime hostname result is consistent with the configuration- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous keytab - Always check and create anonymous principal during KDC install - Remove duplicate functionality in upgrade- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal for PKINIT - Upgrade: configure PKINIT after adding anonymous principal - Remove unused variable from failed anonymous PKINIT handling - Split out anonymous PKINIT test to a separate method - Ensure KDC is propery configured after upgrade- Resolves: #1437951 Remove pkinit-related options from server/replica-install on DL0 - Fix the order of cert-files check - Don\'t allow setting pkinit-related options on DL0 - replica-prepare man: remove pkinit option refs - Remove redundant option check for cert files- Resolves: #1438490 CA-less installation fails on publishing CA certificate - Get correct CA cert nickname in CA-less - Remove publish_ca_cert() method from NSSDatabase- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - IPA-KDB: use relative path in ipa-certmap config snippet- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - Allow erasing ipaDomainResolutionOrder attribute * Wed Mar 29 2017 Jan Cholasta - 4.5.0-4.el7- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Require correct custodia version * Tue Mar 28 2017 Jan Cholasta - 4.5.0-3.el7- Resolves: #800545 [RFE] Support SUDO command rename - Reworked the renaming mechanism - Allow renaming of the sudorule objects- Resolves: #872671 IPA WebUI login for AD Trusted User fails - WebUI: check principals in lowercase - WebUI: add method for disabling item in user dropdown menu - WebUI: Add support for login for AD users- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit) - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - IPA certauth plugin - ipa-kdb: do not depend on certauth_plugin.h - spec file: bump krb5-devel BuildRequires for certauth- Resolves: #1264370 RFE: disable last successful authentication by default in ipa. - Set \"KDC:Disable Last Success\" by default- Resolves: #1318186 Misleading error message during external-ca IPA master install - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall- Resolves: #1331443 Re-installing ipa-server after uninstall fails with \"ERROR CA certificate chain in ... incomplete\" - certs: do not implicitly create DS pin.txt - httpinstance: clean up /etc/httpd/alias on uninstall- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - configure: fix --disable-server with certauth plugin - rpcserver.login_x509: Actually return reply from __call__ method - spec file: Bump requires to make Certificate Login in WebUI work- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - extdom: do reverse search for domain separator - extdom: improve cert request- Resolves: #1430363 [RFE] HBAC rule names command rename - Reworked the renaming mechanism - Allow renaming of the HBAC rule objects- Resolves: #1433082 systemctl daemon-reload needs to be called after httpd.service.d/ipa.conf is manipulated - tasks: run `systemctl daemon-reload` after httpd.service.d updates- Resolves: #1434032 Run ipa-custodia with custom SELinux context - Use Custodia 0.3.1 features- Resolves: #1434384 RPC client should use HTTP persistent connection - Use connection keep-alive - Add debug logging for keep-alive - Increase Apache HTTPD\'s default keep alive timeout- Resolves: #1434729 man ipa-cacert-manage install needs clarification - man ipa-cacert-manage install needs clarification- Resolves: #1434910 replica install against IPA v3 master fails with ACIError - Fixing replica install: fix ldap connection in domlvl 0- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password - ipapython.ipautil.nolog_replace: Do not replace empty value- Resolves: #1435397 ipa-replica-install can\'t install replica file produced by ipa-replica-prepare on 4.5 - replica prepare: fix wrong IPA CA nickname in replica file- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if KRA is not installed - WebUI: Fix showing vault in selfservice view- Resolves: #1435718 As a ID user I cannot call a command with --rights option - ldap2: use LDAP whoami operation to retrieve bind DN for current connection- Resolves: #1436319 \"Truncated search results\" pop-up appears in user details in WebUI - WebUI: Add support for suppressing warnings - WebUI: suppress truncation warning in select widget- Resolves: #1436333 Uninstall fails with No such file or directory: \'/var/run/ipa/services.list\' - Create temporaty directories at the begining of uninstall- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate fails - WebUI: Allow to add certs to certmapping with CERT LINES around- Resolves: #1436338 CLI doesn\'t work after ipa-restore - Backup ipa-specific httpd unit-file - Backup CA cert from kerberos folder- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege separation - Bump samba version for FIPS and priv. separation- Resolves: #1436642 [ipalib/rpc.py] - \"maximum recursion depth exceeded\" with ipa vault commands - Avoid growing FILE ccaches unnecessarily - Handle failed authentication via cookie - Work around issues fetching session data - Prevent churn on ccaches- Resolves: #1436657 Add workaround for pki_pin for FIPS - Generate PIN for PKI to help Dogtag in FIPS- Resolves: #1436714 [vault] cache KRA transport cert - Simplify KRA transport cert cache- Resolves: #1436723 cert-find does not find all certificates without sizelimit=0 - cert: do not limit internal searches in cert-find- Resolves: #1436724 Renewal of IPA RA fails on replica - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function- Resolves: #1436753 Master tree fails to install - httpinstance.disable_system_trust: Don\'t fail if module \'Root Certs\' is not available * Tue Mar 21 2017 Jan Cholasta - 4.5.0-2.el7- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - Remove csrgen- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - Add options to allow ticket caching * Wed Mar 15 2017 Jan Cholasta - 4.5.0-1.el7- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen \"--\" in hostname- Resolves: #1286288 Insufficient \'write\' privilege to the \'ipaExternalMember\' attribute- Resolves: #1321652 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes- Resolves: #1327207 ipa cert-revoke --help doesn\'t provide enough info on revocation reasons- Resolves: #1340880 ipa-server-install: improve prompt on interactive installation- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf incomplete entries- Resolves: #1356104 cert-show command does not display Subject Alternative Names- Resolves: #1357511 Traceback message seen when ipa is provided with invalid configuration file name- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain- Resolves: #1371927 Implement ca-enable/disable commands.- Resolves: #1372202 Add Users into User Group editors fails to show Full names- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra check box in the UI- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error message- Resolves: #1375905 \"Normal\" group type in the UI is confusing- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback- Resolves: #1376630 IDM admin password gets written to /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should match other options- Resolves: #1378461 IPA Allows Password Reuse with History value defined when admin resets the password.- Resolves: #1379029 conncheck failing intermittently during single step replica installs- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace- Resolves: #1392778 Update man page for ipa-adtrust-install by removing --no-msdcs option- Resolves: #1392858 Rebase to FreeIPA 4.5+ - Rebase to 4.5.0- Resolves: #1399133 Delete option shouldn\'t be available for hosts applied to view.- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA should contain full trust chain- Resolves: #1400416 RFE: Provide option to take backup of IPA server before uninstalling IPA server- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but not on details page- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when non-FQDN name of IPA server is first in /etc/hosts- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using nsupdate- Resolves: #1413742 Backport request for bug/issue Change IP address validation errors to warnings- Resolves: #1415652 IPA replica install log shows password in plain text- Resolves: #1427897 different behavior regarding system wide certs in master and replica.- Resolves: #1430314 The ipa-managed-entries command failed, exception: AttributeError: ldap2 * Tue Mar 14 2017 Jan Cholasta - 4.4.0-14.7- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica with cert errors (untrusted) - added ssl verification using IPA trust anchor- Resolves: #1428472 batch param compatibility is incorrect - compat: fix `Any` params in `batch` and `dnsrecord`- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream * Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.6- Resolves: #1416454 replication race condition prevents IPA to install - wait_for_entry: use only DN as parameter - Wait until HTTPS principal entry is replicated to replica - Use proper logging for error messages * Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.5- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is installed without CA - Set up DS TLS on replica in CA-less topology- Resolves: #1398600 IPA replica install fails with dirsrv errors. - Do not configure PKI ajp redirection to use \"::1\"- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands - ca: correctly authorise ca-del, ca-enable and ca-disable * Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.4- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - ipa-kdb: search for password policies globally- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream * Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.3- Resolves: #1398670 Check IdM Topology for broken record caused by replication conflict before upgrading it - Check for conflict entries before raising domain level * Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.2- Resolves: #1382812 Creation of replica for disconnected environment is failing with CA issuance errors; Need good steps. - gracefully handle setting replica bind dn group on old masters- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a temporary CA admin - replication: ensure bind DN group check interval is set on replica config - add missing attribute to ipaca replica during CA topology update- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of named-pkcs11 - bindinstance: use data in named.conf to determine configuration status * Mon Dec 12 2016 Jan Cholasta - 4.4.0-14.1- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy - password policy: Add explicit default password policy for hosts and services- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod - certprofile-mod: correctly authorise config update * Tue Nov 01 2016 Jan Cholasta - 4.4.0-14- Resolves: #1378353 Replica install fails with old IPA master sometimes during replication process - spec file: bump minimal required version of 389-ds-base- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Fix missing file that fails DL1 replica installation- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - WebUI: services without canonical name are shown correctly- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - trustdomain-del: fix the way how subdomain is searched * Mon Oct 31 2016 Jan Cholasta - 4.4.0-13- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - Keep NSS trust flags of existing certificates- Resolves: #1360813 ipa-server-certinstall does not update all certificate stores and doesn\'t set proper trust permissions - Add cert checks in ipa-server-certinstall- Resolves: #1371479 cert-find --all does not show information about revocation - cert: add revocation reason back to cert-find output- Resolves: #1375133 WinSync users who have First.Last casing creates users who can have their password set - ipa passwd: use correct normalizer for user principals- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - Properly handle LDAP socket closures in ipa-otpd- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - Make httpd publish its CA certificate on DL1 * Fri Sep 16 2016 Petr Vobornik - 4.4.0-12- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.- Resolves: #1375269 ipa trust-fetch-domains throws internal error * Tue Sep 13 2016 Jan Cholasta - 4.4.0-11- Resolves: #1373359 ipa-certupdate fails with \"CA is not configured\" - Fix regression introduced in ipa-certupdate * Wed Sep 07 2016 Jan Cholasta - 4.4.0-10- Resolves: #1355753 adding two way non transitive(external) trust displays internal error on the console - Always fetch forest info from root DCs when establishing two-way trust - factor out `populate_remote_domain` method into module-level function - Always fetch forest info from root DCs when establishing one-way trust- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` - Track lightweight CAs on replica installation- Resolves: #1357488 ipa command stuck forever on higher versioned client with lower versioned server - compat: Save server\'s API version in for pre-schema servers - compat: Fix ping command call - schema cache: Store and check info for pre-schema servers- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA when revoking certificate - cert: include CA name in cert command output - WebUI add support for sub-CAs while revoking certificates- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - Add support for additional options taken from table facet - WebUI: Fix showing certificates issued by sub-CA- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts internactively - dns: normalize record type read interactively in dnsrecord_add - dns: prompt for missing record parts in CLI - dns: fix crash in interactive mode against old servers- Resolves: #1370519 Certificate revocation in service-del and host-del isn\'t aware of Sub CAs - cert: fix cert-find --certificate when the cert is not in LDAP - Make host/service cert revocation aware of lightweight CAs- Resolves: #1371901 Use OAEP padding with custodia - Use RSA-OAEP instead of RSA PKCS#1 v1.5- Resolves: #1371915 When establishing external two-way trust, forest root Administrator account is used to fetch domain info - do not use trusted forest name to construct domain admin principal- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in certificate request - Fix CA ACL Check on SubjectAltNames- Resolves: #1373272 CLI always sends default command version - cli: use full name when executing a command- Resolves: #1373359 ipa-certupdate fails with \"CA is not configured\" - Fix ipa-certupdate for CA-less installation- Resolves: #1373540 client-install with IPv6 address fails on link-local address (always) - Fix parse errors with link-local addresses * Fri Sep 02 2016 Jan Cholasta - 4.4.0-9- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - Fix ipa-server-install in pure IPv6 environment- Resolves: #1318169 Tree-root domains in a trusted AD forest aren\'t marked as reachable via the forest root - trust: make sure ID range is created for the child domain even if it exists - ipa-kdb: simplify trusted domain parent search- Resolves: #1335567 Update Warning in IdM Web UI API browser - WebUI: add API browser is tech preview warning- Resolves: #1348560 Mulitple domain Active Directory Trust conflict - ipaserver/dcerpc: reformat to make the code closer to pep8 - trust: automatically resolve DNS trust conflicts for triangle trusts- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation - cert-revoke: fix permission check bypass (CVE-2016-5404)- Resolves: #1353936 custodia.conf and server.keys file is world-readable. - Remove Custodia server keys from LDAP - Secure permissions of Custodia server.keys- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full - custodia: include known CA certs in the PKCS#12 file for Dogtag - custodia: force reconnect before retrieving CA certs from LDAP- Resolves: #1362333 ipa vault container owner cannot add vault - Fix: container owner should be able to add vault- Resolves: #1365546 External trust with root domain is transitive - trust: make sure external trust topology is correctly rendered- Resolves: #1365572 IPA server broken after upgrade - Require pki-core-10.3.3-7- Resolves: #1367864 Server assumes latest version of command instead of version 1 for old / 3rd party clients - rpcserver: assume version 1 for unversioned command calls - rpcserver: fix crash in XML-RPC system commands- Resolves: #1367773 thin client ignores locale change - schema cache: Fallback to \'en_us\' when locale is not available- Resolves: #1368754 ipa server uninstall fails with Python \"Global Name error\" - Fail on topology disconnect/last role removal- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - otptoken, permission: Convert custom type parameters on server- Resolves: #1369414 ipa server-del fails with Python stack trace - Handled empty hostname in server-del command- Resolves: #1369761 ipa-server must depend on a version of httpd that support mod_proxy with UDS - Require httpd 2.4.6-31 with mod_proxy Unix socket support- Resolves: #1370512 Received ACIError instead of DuplicatedError in stageuser_tests - Raise DuplicatedEnrty error when user exists in delete_container- Resolves: #1371479 cert-find --all does not show information about revocation - cert: add missing param values to cert-find output- Renamed patch 1011 to 0100, as it was merged upstream * Wed Aug 17 2016 Jan Cholasta - 4.4.0-8- Resolves: #1298288 [RFE] Improve performance in large environments. - cert: speed up cert-find- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card authentication - service: add flag to allow S4U2Self - Add \'trusted to auth as user\' checkbox - Added new authentication method- Resolves: #1353881 ipa-replica-install suggests about non-existent --force-ntpd option - Don\'t show --force-ntpd option in replica install- Resolves: #1354441 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain - DNS: allow to add forward zone to already broken sub-domain- Resolves: #1356146 performance regression in CLI help - schema: Speed up schema cache - frontend: Change doc, summary, topic and NO_CLI to class properties - schema: Introduce schema cache format - schema: Generate bits for help load them on request - help: Do not create instances to get information about commands and topics - schema cache: Do not reset ServerInfo dirty flag - schema cache: Do not read fingerprint and format from cache - Access data for help separately - frontent: Add summary class property to CommandOverride - schema cache: Read server info only once - schema cache: Store API schema cache in memory - client: Do not create instance just to check isinstance - schema cache: Read schema instead of rewriting it when SchemaUpToDate- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - server install: do not prompt for cert file PIN repeatedly- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: \'/home/test_user\' - schema: Speed up schema cache- Resolves: #1366604 `cert-find` crashes on invalid certificate data - cert: do not crash on invalid data in cert-find- Resolves: #1366612 Middle replica uninstallation in line topology works without \'--ignore-topology-disconnect\' - Fail on topology disconnect/last role removal- Resolves: #1366626 caacl-add-service: incorrect error message when service does not exists - Fix ipa-caalc-add-service error message- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade - DNS server upgrade: do not fail when DNS server did not respond- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server with CA - Add warning about only one existing CA server - Set servers list as default facet in topology facet group- Resolves: #1367773 thin client ignores locale change - schema check: Check current client language against cached one * Wed Aug 10 2016 Jan Cholasta - 4.4.0-7- Resolves: #1361119 UPN-based search for AD users does not match an entry in slapi-nis map cache - support multiple uid values in schema compatibility tree * Wed Aug 10 2016 Jan Cholasta - 4.4.0-6- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - Revert \"spec: add conflict with bind-chroot to freeipa-server-dns\"- Resolves: #1341249 Subsequent external CA installation fails - install: fix external CA cert validation- Resolves: #1353831 ipa-server-install fails in container because of hostnamectl set-hostname - server-install: Fix --hostname option to always override api.env values - install: Call hostnamectl set-hostname only if --hostname option is used- Resolves: #1356091 ipa-cacert-manage --help and man differ - Improvements for the ipa-cacert-manage man and help- Resolves: #1360631 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica file is needed - Update ipa-replica-install documentation- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does not rpm-require it - client: RPM require initscripts to get *-domainname.service- Resolves: #1364197 caacl: error when instantiating rules with service principals - caacl: fix regression in rule instantiation- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - parameters: move the `confirm` kwarg to Param- Resolves: #1364464 Topology graph: ca and domain adders shows question marks instead of plus icon - Fix unicode characters in ca and domain adders- Resolves: #1365083 Incomplete output returned for command ipa vault-add - client: add missing output params to client-side commands- Resolves: #1365526 build fails during \"make check\" - ipa-kdb: Fix unit test after packaging changes in krb5 * Fri Aug 05 2016 Jan Cholasta - 4.4.0-5- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - Do not initialize API in ipa-client-automount uninstall- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - idrange: fix unassigned global variable- Resolves: #1360792 Migrating users doesn\'t update krbCanonicalName - re-set canonical principal name on migrated users- Resolves: #1362012 ipa hbactest produces error about cannot concatenate \'str\' and \'bool\' objects - Fix ipa hbactest output- Resolves: #1362260 ipa vault-mod no longer allows defining salt - vault: add missing salt option to vault_mod- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong public key - vault: Catch correct exception in decrypt- Resolves: #1362537 ipa-server-install fails to create symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - Correct path to HTTPD\'s systemd service directory- Resolves: #1363756 Increase length of passwords generated by installer - Increase default length of auto generated passwords * Fri Jul 29 2016 Jan Cholasta - 4.4.0-4- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - harden the check for trust namespace overlap in new principals- Resolves: #1351142 CLI is not using session cookies for communication with IPA API - Fix session cookies- Resolves: #1353888 Fix the help for ipa otp and other topics - help: Add dnsserver commands to help topic \'dns\'- Resolves: #1354406 host-del updatedns options complains about missing ptr record for host - Host-del: fix behavior of --updatedns and PTR records- Resolves: #1355718 ipa-replica-manage man page example output differs actual command output - Minor fix in ipa-replica-manage MAN page- Resolves: #1358229 Traceback message should be fixed, seen while editing winsync migrated user information in Default trust view. - baseldap: Fix MidairCollision instantiation during entry modification- Resolves: #1358849 CA replica install logs to wrong log file - unite log file name of ipa-ca-install- Resolves: #1359130 ipa-server-install command fails to install IPA server. - DNS Locations: fix update-system-records unpacking error- Resolves: #1359237 AVC on dirsrv config caused by IPA installer - Use copy when replacing files to keep SELinux context- Resolves: #1359692 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server - compat: fix ping call- Resolves: #1359738 ipa-replica-install --domain= option does not work - replica-install: Fix --domain- Resolves: #1360778 Vault commands are available in CLI even when the server does not support them - Revert \"Enable vault- * commands on client\" - client: fix hiding of commands which lack server support- Related: #1281704 Rebase to softhsm 2.1.0 - Remove the workaround for softhsm bug #1293340- Related: #1298288 [RFE] Improve performance in large environments. - Create indexes for krbCanonicalName attribute * Fri Jul 22 2016 Jan Cholasta - 4.4.0-3- Resolves: #1296140 Remove redhat-access-plugin-ipa support - Obsolete and conflict redhat-access-plugin-ipa- Resolves: #1351119 Multiple issues while uninstalling ipa-server - server uninstall fails to remove krb principals- Resolves: #1351758 ipa commands not showing expected error messages - frontend: copy command arguments to output params on client - Show full error message for selinuxusermap-add-hostgroup- Resolves: #1352883 Traceback on adding default automember group and hostgroup set - allow \'value\' output param in commands without primary key- Resolves: #1353888 Fix the help for ipa otp and other topics - schema: Fix subtopic -> topic mapping- Resolves: #1354348 ipa trustconfig-show throws internal error. - allow \'value\' output param in commands without primary key- Resolves: #1354381 ipa trust-add with raw option gives internal error. - trust-add: handle `--all/--raw` options properly- Resolves: #1354493 Replica install fails with old IPA master - DNS install: Ensure that DNS servers container exists- Resolves: #1354628 ipa hostgroup-add-member does not return error message when adding itself as member - frontend: copy command arguments to output params on client- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - messages: specify message type for ResultFormattingError- Resolves: #1356063 \"ipa radiusproxy-add\" command needs to prompt to enter secret key - expose `--secret` option in radiusproxy- * commands - prevent search for RADIUS proxy servers by secret- Resolves: #1356099 Bug in the ipapwd plugin - Heap corruption in ipapwd plugin- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin client changes - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper- Resolves: #1356964 Renaming a user removes all of his principal aliases - Preserve user principal aliases during rename operation * Fri Jul 15 2016 Petr Vobornik - 4.4.0-2.1- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD- Related: #1356134 \'kinit -E\' does not work for IPA user * Thu Jul 14 2016 Petr Vobornik - 4.4.0-2- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA with certmonger - uninstall: untrack lightweight CA certs- Resolves: #1351807 ipa-nis-manage config.get_dn missing - ipa-nis-manage: Use server API to retrieve plugin status- Resolves: #1353452 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn() - ipa-compat-manage: use server API to retrieve plugin status- Resolves: #1353899 ipa-advise: object of type \'type\' has no len() - ipa-advise: correct handling of plugin namespace iteration- Resolves: #1356134 \'kinit -E\' does not work for IPA user - kdb: check for local realm in enterprise principals- Resolves: #1353072 ipa unknown command vault-add - Enable vault- * commands on client - vault-add: set the default vault type on the client side if none was given- Resolves: #1353995 Default CA can be used without a CA ACL - caacl: expand plugin documentation- Resolves: #1356144 host-find should not print SSH keys by default, only SSH fingerprints - host-find: do not show SSH key by default- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - Removed unused method parameter from migrate-ds * Fri Jul 01 2016 Jan Cholasta - 4.4.0-1- Resolves: #747612 [RFE] IPA should support and manage DNS sites- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user\'s password expiration (krbPasswordExpiration) to be 90 days- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records- Resolves: #1084018 [RFE] Add IdM user password change support for legacy client compat tree- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos aliases) - Fix incorrect check for principal type when evaluating CA ACLs- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI- Resolves: #1238190 ipasam unable to lookup group in directory yet manual search works- Resolves: #1250110 search by users which don\'t have read rights for all attrs in search_attributes fails- Resolves: #1263764 Show Certificate displays in useless format- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all the options after adding new certificate- Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0- Resolves: #1294503 IPA fails to issue 3rd party certs- Resolves: #1298242 [RFE] API compatibility - compatibility of clients- Resolves: #1298848 [RFE] Centralized topology management- Resolves: #1298966 [RFE] Extend Smart Card support- Resolves: #1315146 Multiple clients cannot join domain simultaneously: /var/run/httpd/ipa/clientcaches race condition?- Resolves: #1318903 ipa server install failing when SUBCA signs the cert- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper console output- Resolves: #1324055 IPA always qualify requests for admin- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate hold- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)- Resolves: #1349281 Fix `Conflicts` with ipa-python- Resolves: #1350695 execution of copy-schema script fails- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test execution to 7.3- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to create ipa-ca entry- Related: #1343422 [RFE] Add GssapiImpersonate option * Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.2.alpha1- Resolves: #1348948 IPA server install fails with build ipa-server-4.4.0-0.el7.1.alpha1 - Revert \"Increased mod_wsgi socket-timeout\" * Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.1.alpha1- Resolves: #712109 \"krbExtraData not allowed\" is logged in DS error log while setting password for default sudo binddn.- Resolves: #747612 [RFE] IPA should support and manage DNS sites- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name- Resolves: #825391 [RFE] Replica installation should provide a means for inheriting nssldap security access settings- Resolves: #921497 Incorrect *.py[co] files placement- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas- Resolves: #1196958 IPA replica installation failing with high number of users (160000).- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to uninstall a replica- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on Authentication Indicator- Resolves: #1234222 [WebUI] UI error message is not appropriate for \"Kerberos principal expiration\"- Resolves: #1234223 [WebUI] General invalid password error message appearing for \"Locked user\"- Resolves: #1254267 ipa-server-install failure applying ldap updates with limits exceeded- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when doamin already is in forwardzone.- Resolves: #1259020 ipa-server-adtrust-install doesn\'t allow NetBIOS-name=EXAMPLE-TEST.COM (dash character)- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error message when DNSSEC master not installed- Resolves: #1262747 dnssec options missing in ipa-dns-install man page- Resolves: #1265900 Fail installation immediately after dirsrv fails to install using ipa-server-install- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not resolvable anymore- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - LimitsExceeded: limits exceeded for this query- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit- Resolves: #1269200 ipa-server crashing while trying to preserve admin user- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults- Resolves: #1271579 Automember rule expressions disappear from tables on single expression delete- Resolves: #1275816 Incomplete ports for IPA ad-trust- Resolves: #1276351 [RFE] Remove /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI- Resolves: #1278426 Better error message needed for invalid ca-signing-algo option- Resolves: #1279932 ipa-client-install --request-cert needs workaround in anaconda chroot- Resolves: #1282521 Creating a user w/o private group fails when doing so in WebUI- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced by \"IPA is not configured on this system\"- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert file- Resolves: #1287194 [RFE] Support of UPN for trusted domains- Resolves: #1288967 Normalize Manager entry in ipa user-add- Resolves: #1289487 Priority field missing in Password Policy detail tab- Resolves: #1291140 ipa client should configure kpasswd_server directive in krb5.conf- Resolves: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.4.0.alpha1- Resolves: #1298848 [RFE] Centralized topology management- Resolves: #1300576 Browser setup page includes instructions for Internet Explorer- Resolves: #1301586 ipa host-del --updatedns should remove related dns entries.- Resolves: #1304618 Residual Files After IPA Server Uninstall- Resolves: #1305144 ipa-python does not require its dependencies- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6- Resolves: #1313798 Console output post ipa-winsync-migrate command should be corrected.- Resolves: #1314786 [RFE] External Trust with Active Directory domain- Resolves: #1319023 Include description for \'status\' option in man page for ipactl command.- Resolves: #1319912 ipa-server-install does not completely change hostname and named-pkcs11 fails- Resolves: #1320891 IPA Error 3009: Validation error: Invalid \'ptrrecord\': Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given- Resolves: #1327207 ipa cert-revoke --help doesn\'t provide enough info on revocation reasons- Resolves: #1328549 \"ipa-kra-install\" command reports incorrect message when it is executed on server already installed with KRA.- Resolves: #1329209 ipa-nis-manage enable: change service name from \'portmap\' to \'rpcbind\'- Resolves: #1329275 ipa-nis-manage command should include status option- Resolves: #1330843 \'man ipa\' should be updated with latest commands- Resolves: #1333755 ipa cert-request causes internal server error while requesting certificate- Resolves: #1337484 EOF is not handled for ipa-client-install command- Resolves: #1338031 Insufficient \'write\' privilege on some attributes for the members of the role which has \"User Administrators\" privilege.- Resolves: #1343142 IPA DNS should do better verification of DNS zones- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in browser * Wed May 25 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - Fix incorrect rebase of patch 1001 * Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3- Resolves: #1339233 CA installed on replica is always marked as renewal master- Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605241723GIT1b427d3 * Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies - Rebuild with krb5-1.14.1 * Fri May 20 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37- Resolves: #837369 [RFE] Switch to client promotion to replica model- Resolves: #1199516 [RFE] Move replication topology to the shared tree- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend- Resolves: #1267206 ipa-server-install uninstall should warn if no installation found- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when ipa-client-automount is executed.- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2.- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install because of missing dependencies- Related: #1292141 Rebase to FreeIPA 4.4+ - Rebase to 4.3.1.201605191449GITf8edf37 * Mon Apr 18 2016 Jan Cholasta - 4.2.0-16- Resolves: #1277696 IPA certificate auto renewal fail with \"Invalid Credential\" - cert renewal: make renewal of ipaCert atomic- Resolves: #1278330 installer options are not validated at the beginning of installation - install: fix command line option validation- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd from starting up - client install: do not corrupt OpenSSH config with Match sections- Resolves: #1282935 ipa upgrade causes vault internal error - install: export KRA agent PEM file in ipa-kra-install- Resolves: #1283429 Default CA ACL rule is not created during ipa-replica-install - TLS and Dogtag HTTPS request logging improvements - Avoid race condition caused by profile delete and recreate - Do not erroneously reinit NSS in Dogtag interface - Add profiles and default CA ACL on migration - disconnect ldap2 backend after adding default CA ACL profiles - do not disconnect when using existing connection to check default CA ACLs- Resolves: #1283430 ipa-kra-install: fails to apply updates - suppress errors arising from adding existing LDAP entries during KRA install- Resolves: #1283748 Caching of ipaconfig does not work in framework - fix caching in get_ipa_config- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after upgrade from RHEL 7.0 to RHEL 7.2 - upgrade: fix migration of old dns forward zones - Fix upgrade of forwardzones when zone is in realmdomains- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap connection - ipa-cacert-renew: Fix connection to ldap.- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - ipa-otptoken-import: Fix connection to ldap.- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using \"yum update ipa * sssd\" - Set minimal required version for openssl- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - Upgrade: Fix upgrade of NIS Server configuration- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory permissions on /var/lib/ipa/dnssec - DNS: fix file permissions - Explicitly call chmod on newly created directories - Fix: replace mkdir with chmod- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - Fix version comparison - use FFI call to rpmvercmp function for version comparison- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix groups are missing - ipa-kdb: map_groups() consider all results- Resolves: #1293870 User should be notified for wrong password in password reset page - Fixed login error message box in LoginScreen page- Resolves: #1296196 Sysrestore did not restore state if a key is specified in mixed case - Allow to used mixed case for sysrestore- Resolves: #1296214 DNSSEC key purging is not handled properly - DNSSEC: Improve error reporting from ipa-ods-exporter - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - DNSSEC: remove obsolete TODO note - DNSSEC: add debug mode to ldapkeydb.py - DNSSEC: logging improvements in ipa-ods-exporter - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - DNSSEC: Log debug messages at log level DEBUG- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - prevent crash of CA-less server upgrade due to absent certmonger - always start certmonger during IPA server configuration upgrade- Resolves: #1297811 The ipa -e skip_version_check=1 still issues incompatibility error when called against RHEL 6 server - ipalib: assume version 2.0 when skip_version_check is enabled- Resolves: #1298289 install fails when locale is \"fr_FR.UTF-8\" - Do not decode HTTP reason phrase from Dogtag- Resolves: #1300252 shared certificateProfiles container is missing on a freshly installed RHEL7.2 system - upgrade: unconditional import of certificate profiles into LDAP- Resolves: #1301674 --setup-dns and other options is forgotten for using an external PKI - installer: Propagate option values from components instead of copying them. - installer: Fix logic of reading option values from cache.- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA IPA setup - ipa-ca-install: print more specific errors when CA is already installed - cert renewal: import all external CA certs on IPA CA cert renewal - CA install: explicitly set dogtag_version to 10 - fix standalone installation of externally signed CA on IPA master - replica install: validate DS and HTTP server certificates - replica install: improvements in the handling of CA-related IPA config entries- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - slapi-nis: update configuration to allow external members of IPA groups- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find returns \"0 trusts matched\" - upgrade: fix config of sidgen and extdom plugins - trusts: use ipaNTTrustPartner attribute to detect trust entries - Warn user if trust is broken - fix upgrade: wait for proper DS socket after DS restart - Insure the admin_conn is disconnected on stop - Fix connections to DS during installation - Fix broken trust warnings- Resolves: #1321092 Installers fail when there are multiple versions of the same certificate - certdb: never use the -r option of certutil- Related: #1317381 Crash during IPA upgrade due to slapd - spec file: update minimum required version of slapi-nis- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [rhel-7.3] - Rebuild against newer Samba version * Tue Oct 13 2015 Jan Cholasta - 4.2.0-15- Resolves: #1252556 Missing CLI param and ACL for vault service operations - vault: fix private service vault creation * Mon Oct 12 2015 Jan Cholasta - 4.2.0-14- Resolves: #1262996 ipa vault internal error on replica without KRA - upgrade: make sure ldap2 is connected in export_kra_agent_pem- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by external CA - schema: do not derive ipaVaultPublicKey from ipaPublicKey * Thu Oct 08 2015 Jan Cholasta - 4.2.0-13- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - Fix an integer underflow bug in libotp- Resolves: #1262996 ipa vault internal error on replica without KRA - install: always export KRA agent PEM file - vault: select a server with KRA for vault operations- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - do not overwrite files with local users/groups when restoring authconfig- Renamed patch 1011 to 0138, as it was merged upstream * Wed Sep 23 2015 Jan Cholasta - 4.2.0-12- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts - winsync-migrate: Convert entity names to posix friendly strings - winsync-migrate: Properly handle collisions in the names of external groups- Resolves: #1261074 Adjust Firefox configuration to new extension signing policy - webui: use manual Firefox configuration for Firefox >= 40- Resolves: #1263337 IPA Restore failed with installed KRA - ipa-backup: Add mechanism to store empty directory structure- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate and private key in world readable file [rhel-7.2] - install: fix KRA agent PEM file permissions- Resolves: #1265086 Mark IdM API Browser as experimental - WebUI: add API browser is experimental warning- Resolves: #1265277 Fix kdcproxy user creation - install: create kdcproxy user during server install - platform: add option to create home directory when adding user - install: fix kdcproxy user home directory- Resolves: #1265559 GSS failure after ipa-restore - destroy httpd ccache after stopping the service * Thu Sep 17 2015 Jan Cholasta - 4.2.0-11- Resolves: #1258965 ipa vault: set owner of vault container - baseldap: make subtree deletion optional in LDAPDelete - vault: add vault container commands - vault: set owner to current user on container creation - vault: update access control - vault: add permissions and administrator privilege - install: support KRA update- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - config: allow user/host attributes with tagging options- Resolves: #1262315 Unable to establish winsync replication - winsync: Add inetUser objectclass to the passsync sysaccount * Wed Sep 16 2015 Jan Cholasta - 4.2.0-10- Resolves: #1260663 crash of ipa-dnskeysync-replica component during ipa-restore - IPA Restore: allows to specify files that should be removed- Resolves: #1261806 Installing ipa-server package breaks httpd - Handle timeout error in ipa-httpd-kdcproxy- Resolves: #1262322 Failed to backup CS.cfg message in upgrade. - Server Upgrade: backup CS.cfg when dogtag is turned off * Wed Sep 09 2015 Jan Cholasta - 4.2.0-9- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not tracked - cert renewal: Include KRA users in Dogtag LDAP update - cert renewal: Automatically update KRA agent PEM file- Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: remove \'rename\' option- Resolves: #1257968 kinit stop working after ipa-restore - Backup: back up the hosts file- Resolves: #1258926 Remove \'DNSSEC is experimental\' warnings - DNSSEC: remove \"DNSSEC is experimental\" warnings- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - Installer: do not modify /etc/hosts before user agreement- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 zone - DNSSEC: backup and restore opendnssec zone list file - DNSSEC: remove ccache and keytab of ipa-ods-exporter - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master - DNSSEC: Fix key metadata export - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - Using LDAPI to setup CA and KRA agents.- Resolves: #1259848 server closes connection and refuses commands after deleting user that is still logged in - ldap: Make ldap2 connection management thread-safe again- Resolves: #1259996 AttributeError: \'NameSpace\' object has no attribute \'ra_certprofile\' while ipa-ca-install - load RA backend plugins during standalone CA install on CA-less IPA master * Wed Aug 26 2015 Jan Cholasta - 4.2.0-8- Resolves: #1254689 Storing big file as a secret in vault raises traceback - vault: Limit size of data stored in vault- Resolves: #1255880 ipactl status should distinguish between different pki-tomcat services - ipactl: Do not start/stop/restart single service multiple times * Wed Aug 26 2015 Jan Cholasta - 4.2.0-7- Resolves: #1256840 [webui] majority of required fields is no longer marked as required - fix missing information in object metadata- Resolves: #1256842 [webui] no option to choose trust type when creating a trust - webui: add option to establish bidirectional trust- Resolves: #1256853 Clear text passwords in KRA install log - Removed clear text passwords from KRA install log.- Resolves: #1257072 The \"Standard Vault\" MUST not be the default and must be discouraged - vault: change default vault type to symmetric- Resolves: #1257163 renaming certificatte profile with --rename option leads to integrity issues - certprofile: prevent rename (modrdn) * Wed Aug 26 2015 Jan Cholasta - 4.2.0-6- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - DNSSEC: fix forward zone forwarders checks- Resolves: #1250190 idrange is not added for sub domain - trusts: format Kerberos principal properly when fetching trust topology- Resolves: #1252334 User life cycle: missing ability to provision a stage user from a preserved user - Add user-stage command- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to start. - spec file: Add Requires(post) on selinux-policy- Resolves: #1254304 Changing vault encryption attributes - Change internal rsa_(public|private)_key variable names - Added support for changing vault encryption.- Resolves: #1256715 Executing user-del --preserve twice removes the user pernamently - improve the usability of `ipa user-del --preserve` command * Wed Aug 19 2015 Jan Cholasta - 4.2.0-5- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - user-undel: Fix error messages.- Resolves: #1200694 [RFE] Support for multiple cert profiles - Prohibit deletion of predefined profiles- Resolves: #1232819 testing ipa-restore on fresh system install fails - Backup/resore authentication control configuration- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 server - Require Dogtag PKI >= 10.2.6- Resolves: #1245225 Asymmetric vault drops traceback when the key is not proper - Asymmetric vault: validate public key in client- Resolves: #1248399 Missing DNSSEC related files in backup - fix typo in BasePathNamespace member pointing to ods exporter config - ipa-backup: archive DNSSEC zone file and kasp.db- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is finished - winsync-migrate: Add warning about passsync - winsync-migrate: Expand the man page- Resolves: #1248524 User can\'t find any hosts using \"ipa host-find $HOSTNAME\" - adjust search so that it works for non-admin users- Resolves: #1250093 ipa certprofile-import accepts invalid config - Require Dogtag PKI >= 10.2.6- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust agents - trusts: Detect missing Samba instance- Resolves: #1250111 User lifecycle - preserved users can be assigned membership - ULC: Prevent preserved users from being assigned membership- Resolves: #1250145 Add permission for user to bypass caacl enforcement - Add permission for bypassing CA ACL enforcement- Resolves: #1250190 idrange is not added for sub domain - idranges: raise an error when local IPA ID range is being modified - trusts: harden trust-fetch-domains oddjobd-based script- Resolves: #1250928 Man page for ipa-server-install is out of sync - install: Fix server and replica install options- Resolves: #1251225 IPA default CAACL does not allow cert-request for services after upgrade - Fix default CA ACL added during upgrade- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - validate mutually exclusive options in vault-add- Resolves: #1251579 ipa vault-add --user should set container owner equal to user on first run - Fixed vault container ownership.- Resolves: #1252517 cert-request rejects request with correct krb5PrincipalName SAN - Fix KRB5PrincipalName / UPN SAN comparison- Resolves: #1252555 ipa vault-find doesn\'t work for services - vault: Add container information to vault command results - Add flag to list all service and user vaults- Resolves: #1252556 Missing CLI param and ACL for vault service operations - Added CLI param and ACL for vault service operations.- Resolves: #1252557 certprofile: improve profile format documentation - certprofile-import: improve profile format documentation - certprofile: add profile format explanation- Resolves: #1253443 ipa vault-add creates vault with invalid type - vault: validate vault type- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing owner - baseldap: Allow overriding member param label in LDAPModMember - vault: Fix param labels in output of vault owner commands- Resolves: #1253511 ipa vault-find does not use criteria - vault: Fix vault-find with criteria- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - install: Fix replica install with custom certificates- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - improve the handling of krb5-related errors in dnssec daemons- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with starting CA and named-pkcs11.service - Server Upgrade: Start DS before CA is started.- Resolves: #1254637 Add ACI and permission for managing user userCertificate attribute - add permission: System: Manage User Certificates- Resolves: #1254641 Remove CSR allowed-extensions restriction - cert-request: remove allowed extensions check- Resolves: #1254693 vault --service does not normalize service principal - vault: normalize service principal in service vault operations- Resolves: #1254785 ipa-client-install does not properly handle dual stacked hosts - client: Add support for multiple IP addresses during installation. - Add dependency to SSSD 1.13.1 - client: Add description of --ip-address and --all-ip-addresses to man page * Tue Aug 11 2015 Jan Cholasta - 4.2.0-4- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM - store certificates issued for user entries as - user-show: add --out option to save certificates to file- Resolves: #1145748 [RFE] IPA running with One Way Trust - Fix upgrade of sidgen and extdom plugins- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - Use \'mv -Z\' in specfile to restore SELinux context- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior for combinations of \"User authentication types\" - webui: add LDAP vs Kerberos behavior description to user auth- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - ULC: Fix stageused-add --from-delete command- Resolves: #1200694 [RFE] Support for multiple cert profiles - certprofile-import: do not require profileId in profile data - Give more info on virtual command access denial - Allow SAN extension for cert-request self-service - Add profile for DNP3 / IEC 62351-8 certificates - Work around python-nss bug on unrecognised OIDs- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - Validate vault\'s file parameters - Fixed missing KRA agent cert on replica.- Resolves: #1225866 display browser config options that apply to the browser. - webui: add Kerberos configuration instructions for Chrome - Remove ico files from Makefile- Resolves: #1246342 Unapply idview raises internal error - idviews: Check for the Default Trust View only if applying the view- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - webui: fix regressions failed auth messages- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - dcerpc: Fix UnboundLocalError for ccache_name- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not allow access to \\\\pipe\\lsarpc - Fix selector of protocol for LSA RPC binding string - dcerpc: Simplify generation of LSA-RPC binding strings- Resolves: #1250192 Error in ipa trust-fecth-domains - Fix incorrect type comparison in trust-fetch-domains- Resolves: #1251553 Winsync setup fails with unexpected error - replication: Fix incorrect exception invocation- Resolves: #1251854 ipa aci plugin is not parsing aci\'s correctly. - ACI plugin: correctly parse bind rules enclosed in- Resolves: #1252414 Trust agent install does not detect available replicas to add to master - adtrust-install: Correctly determine 4.2 FreeIPA servers * Fri Jul 24 2015 Jan Cholasta - 4.2.0-3- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains that conflicts with AD DC - trusts: Check for AD root domain among our trusted domains- Resolves: #1195339 ipa-client-install changes the label on various files which causes SELinux denials - sysrestore: copy files instead of moving them to avoind SELinux issues- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned commands / ntpd -qgc $tmpfile hangs - enable debugging of ntpd during client installation- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - migration: Use api.env variables.- Resolves: #1212719 abort-clean-ruv subcommand should allow replica-certifyall: no - Allow value \'no\' for replica-certify-all attr in abort-clean-ruv subcommand- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has occurred - dcerpc: Expand explanation for WERR_ACCESS_DENIED - dcerpc: Fix UnboundLocalError for ccache_name- Resolves: #1222778 idoverride group-del can delete user and user-del can delete group - dcerpc: Add get_trusted_domain_object_type method - idviews: Restrict anchor to name and name to anchor conversions - idviews: Enforce objectclass check in idoverride *-del- Resolves: #1234919 Be able to request certificates without certmonger service running - cermonger: Use private unix socket when DBus SystemBus is not available. - ipa-client-install: Do not (re)start certmonger and DBus daemons.- Resolves: #1240939 Please add dependency on bind-pkcs11 - Create server-dns sub-package. - ipaplatform: Add constants submodule - DNS: check if DNS package is installed- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow calling out oddjobd-activated services - selinux: enable httpd_run_ipa to allow communicating with oddjobd services- Resolves: #1243261 non-admin users cannot search hbac rules - fix hbac rule search for non-admin users - fix selinuxusermap search for non-admin users- Resolves: #1243652 Client has missing dependency on memcache - do not import memcache on client- Resolves: #1243835 [webui] user change password dialog does not work - webui: fix user reset password dialog- Resolves: #1244802 spec: selinux denial during kdcproxy user creation - Fix selinux denial during kdcproxy user creation- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - oddjob: avoid chown keytab to sssd if sssd user does not exist- Resolves: #1246136 Adding a privilege to a permission avoids validation - Validate adding privilege to a permission- Resolves: #1246141 DNS Administrators cannot search in zones - DNS: Consolidate DNS RR types in API and schema- Resolves: #1246143 User plugin - user-find doesn\'t work properly with manager option - fix broken search for users by their manager * Wed Jul 15 2015 Jan Cholasta - 4.2.0-2- Resolves: #1131907 [ipa-client-install] cannot write certificate file \'/etc/ipa/ca.crt.new\': must be string or buffer, not None- Resolves: #1195775 unsaved changes dialog internally inconsistent- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - Stageusedr-activate: show username instead of DN- Resolves: #1200694 [RFE] Support for multiple cert profiles - Prevent to rename certprofile profile id- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - copy-schema-to-ca: allow to overwrite schema files- Resolves: #1241941 kdc component installation of IPA failed - spec file: Update minimum required version of krb5- Resolves: #1242036 Replica install fails to update DNS records - Fix DNS records installation for replicas- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - Start dirsrv for kdcproxy upgrade * Thu Jul 09 2015 Jan Cholasta - 4.2.0-1- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API- Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP client- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to users in IdM- Resolves: #1115294 [RFE] Add support for DNSSEC- Resolves: #1145748 [RFE] IPA running with One Way Trust- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities- Resolves: #1200694 [RFE] Support for multiple cert profiles- Resolves: #1200728 [RFE] Replicate PKI Profile information- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts- Resolves: #1204054 SSSD database is not cleared between installs and uninstalls of ipa- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to Trusts- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality- Resolves: #1204504 [RFE] Add access control so hosts can create their own services- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default- Resolves: #1209476 package ipa-client does not require package dbus-python- Resolves: #1211589 [RFE] Add option to skip the verify_client_version- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597)- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone- Resolves: #1217010 OTP Manager field is not exposed in the UI- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in libc-2.17.so- Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0 - Move /etc/ipa/kdcproxy to the server subpackage * Tue Jun 23 2015 Jan Cholasta - 4.2.0-0.2.alpha1- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install- Related: #1204809 Rebase ipa to 4.2 - Fix minimum version of slapi-nis - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) * Mon Jun 22 2015 Jan Cholasta - 4.2.0-0.1.alpha1- Resolves: #805188 [RFE] \"ipa migrate-ds\" ldapsearches with scope=1- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently throws Internal server error- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local- Resolves: #1045153 ipa-managed-entries --list -p still requires DM password- Resolves: #1125950 ipa-server-install --uinstall doesn\'t remove port 7389 from ldap_port_t- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not matching uidgid- Resolves: #1176036 IDM client registration failure in a high load environment- Resolves: #1183116 Remove Requires: subscription-manager- Resolves: #1186054 permission-add does not prompt to enter --right option in interactive mode- Resolves: #1187524 Replication agreement with replica not disabled when ipa-restore done without IPA installed- Resolves: #1188195 Fax number not displayed for user-show when kinit\'ed as normal user.- Resolves: #1189034 \"an internal error has occurred\" during ipa host-del --updatedns- Resolves: #1193554 ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.- Resolves: #1193759 IPA extdom plugin fails when encountering large groups- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.- Resolves: #1194633 Default trust view can be deleted in lower case- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate server instance - confusing CA staus message on TLS error- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis- Resolves: #1199527 [RFE] Use datepicker component for datetime fields- Resolves: #1200867 [RFE] Make OTP validation window configurable- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using get_user_grouplist() [rhel-7.2]- Resolves: #1204637 slow group operations- Resolves: #1204642 migrate-ds: slow add o users to default group- Resolves: #1208461 IPA CA master server update stuck on checking getStatus via https- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)- Resolves: #1211708 ipa-client-install gets stuck during NTP sync- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time sync- Resolves: #1215200 ipa-client-install configures IPA server as NTP source even if IPA server has not ntpd configured- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens- Related: #1204809 Rebase ipa to 4.2 - Update to upstream 4.2.0.alpha1 * Thu Mar 19 2015 Jan Cholasta - 4.1.0-18.3- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) * Wed Mar 18 2015 Alexander Bokovoy - 4.1.0-18.2- IPA extdom plugin fails when encountering large groups (#1193759)- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202998) * Thu Mar 05 2015 Jan Cholasta - 4.1.0-18.1- \"an internal error has occurred\" during ipa host-del --updatedns (#1198431)- Renamed patch 1013 to 0114, as it was merged upstream- Fax number not displayed for user-show when kinit\'ed as normal user. (#1198430)- Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060)- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) * Thu Jan 29 2015 Martin Kosek - 4.1.0-18- Fix ipa-pwd-extop global configuration caching (#1187342)- group-detach does not add correct objectclasses (#1187540) * Tue Jan 27 2015 Jan Cholasta - 4.1.0-17- Wrong directories created on full restore (#1186398)- ipa-restore crashes if replica is unreachable (#1186396)- idoverrideuser-add option --sshpubkey does not work (#1185410) * Wed Jan 21 2015 Jan Cholasta - 4.1.0-16- PassSync does not sync passwords due to missing ACIs (#1181093)- ipa-replica-manage list does not list synced domain (#1181010)- Do not assume certmonger is running in httpinstance (#1181767)- ipa-replica-manage disconnect fails without password (#1183279)- Put LDIF files to their original location in ipa-restore (#1175277)- DUA profile not available anonymously (#1184149)- IPA replica missing data after master upgraded (#1176995) * Wed Jan 14 2015 Jan Cholasta - 4.1.0-15- Re-add accidentally removed patches for #1170695 and #1164896 * Wed Jan 14 2015 Jan Cholasta - 4.1.0-14- IPA Replicate creation fails with error \"Update failed! Status: [10 Total update abortedLDAP error: Referral]\" (#1166265)- running ipa-server-install --setup-dns results in a crash (#1072502)- DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384)- gid is overridden by uid in default trust view (#1168904)- When migrating warn user if compat is enabled (#1177133)- Clean up debug log for trust-add (#1168376)- No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287)- ipa-restore proceed even IPA not configured (#1175326)- Data replication not working as expected after data restore from full backup (#1175277)- IPA externally signed CA cert expiration warning missing from log (#1178128)- ipa-upgradeconfig fails in CA-less installs (#1181767)- IPA certs fail to autorenew simultaneouly (#1173207)- More validation required on ipa-restore\'s options (#1176034) * Wed Dec 17 2014 Jan Cholasta - 4.1.0-13- Expand the token auth/sync windows (#919228)- Access is not rejected for disabled domain (#1172598)- krb5kdc crash in ldap_pvt_search (#1170695)- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) * Wed Dec 10 2014 Jan Cholasta - 4.1.0-12- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591)- CLI doesn\'t show SSHFP records with SHA256 added via nsupdate (regression) (#1172578) * Tue Dec 09 2014 Jan Cholasta - 4.1.0-11- Throw zonemgr error message before installation proceeds (#1163849)- Winsync: Setup is broken due to incorrect import of certificate (#1169867)- Enable last token deletion when password auth type is configured (#919228)- ipa-otp-lasttoken loads all user\'s tokens on every mod/del (#1166641)- add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367)- Extend host-show to add the view attribute in set of default attributes (#1168916)- Prefer TCP connections to UDP in krb5 clients (#919228)- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214)- webui: increase notification duration (#1171089)- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931)- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003)- Improve validation of --instance and --backend options in ipa-restore (#951581)- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964)- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) * Wed Nov 26 2014 Jan Cholasta - 4.1.0-10- Use NSS protocol range API to set available TLS protocols (#1156466) * Tue Nov 25 2014 Jan Cholasta - 4.1.0-9- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196)- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)- \"ipa trust-add ... \" cmd says : (Trust status: Established and verified) while in the logs we see \"WERR_ACCESS_DENIED\" during verification step. (#1144121)- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466)- Add support/hooks for a one-time password system like SecureID in IPA (#919228)- Tracebacks with latest build for --zonemgr cli option (#1167270)- ID Views: Support migration from the sync solution to the trust solution (#891984) * Mon Nov 24 2014 Jan Cholasta - 4.1.0-8- Improve otptoken help messages (#919228)- Ensure users exist when assigning tokens to them (#919228)- Enable QR code display by default in otptoken-add (#919228)- Show warning instead of error if CA did not start (#1158410)- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774)- Traceback when adding zone with long name (#1164859)- Backup & Restore mechanism (#951581)- ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816)- Allow ipa-getkeytab to optionally fetch existing keys (#1007367)- Failure when installing on dual stacked system with external ca (#1128380)- ipa-server should keep backup of CS.cfg (#1059135)- Tracebacks with latest build for --zonemgr cli option (#1167270)- webui: use domain name instead of domain SID in idrange adder dialog (#891984)- webui: normalize idview tab labels (#891984) * Wed Nov 19 2014 Jan Cholasta - 4.1.0-7- ipa-csreplica-manage connect fails (#1157735)- error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849)- Fix warning message should not contain CLI commands (#1114013)- Renewing the CA signing certificate does not extend its validity period end (#1163498)- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330) * Thu Nov 13 2014 Jan Cholasta - 4.1.0-6- Fix: DNS installer adds invalid zonemgr email (#1056202)- ipaplatform: Use the dirsrv service, not target (#951581)- Fix: DNS policy upgrade raises asertion error (#1161128)- Fix upgrade referint plugin (#1161128)- Upgrade: fix trusts objectclass violationi (#1161128)- group-add doesn\'t accept gid parameter (#1149124) * Tue Nov 11 2014 Jan Cholasta - 4.1.0-5- Update slapi-nis dependency to pull 0.54-2 (#891984)- ipa-restore: Don\'t crash if AD trust is not installed (#951581)- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791)- Trust setting not restored for CA cert with ipa-restore command (#1159011)- ipa-server-install fails when restarting named (#1162340) * Thu Nov 06 2014 Jan Cholasta - 4.1.0-4- Update Requires on pki-ca to 10.1.2-4 (#1129558)- build: increase java stack size for all arches- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984)- Fix dns zonemgr validation regression (#1056202)- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645)- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645)- Add bind-dyndb-ldap working dir to IPA specfile- Fail if certmonger can\'t see new CA certificate in LDAP in ipa-cacert-manage (#886645)- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)- Deadlock in schema compat plugin (#1161131)- ipactl stop should stop dirsrv last (#1161129)- Upgrade 3.3.5 to 4.1 failed (#1161128)- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) * Wed Oct 22 2014 Jan Cholasta - 4.1.0-3- Do not check if port 8443 is available in step 2 of external CA install (#1129481) * Wed Oct 22 2014 Jan Cholasta - 4.1.0-2- Update Requires on selinux-policy to 3.13.1-4 * Tue Oct 21 2014 Jan Cholasta - 4.1.0-1- Update to upstream 4.1.0 (#1109726) * Mon Sep 29 2014 Jan Cholasta - 4.1.0-0.1.alpha1- Update to upstream 4.1.0 Alpha 1 (#1109726) * Fri Sep 26 2014 Petr Vobornik - 4.0.3-3- Add redhat-access-plugin-ipa dependency * Thu Sep 25 2014 Jan Cholasta - 4.0.3-2- Re-enable otptoken_yubikey plugin * Mon Sep 15 2014 Jan Cholasta - 4.0.3-1- Update to upstream 4.0.3 (#1109726) * Thu Aug 14 2014 Martin Kosek - 3.3.3-29- Server installation fails using external signed certificates with \"IndexError: list index out of range\" (#1111320)- Add rhino to BuildRequires to fix Web UI build error * Tue Apr 01 2014 Martin Kosek - 3.3.3-28- ipa-client-automount fails with incompatibility error when installed against older IPA server (#1083108) * Wed Mar 26 2014 Martin Kosek - 3.3.3-27- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future PKI versions (#1080865) * Tue Mar 25 2014 Martin Kosek - 3.3.3-26- When IdM server trusts multiple AD forests, IPA client returns invalid group membership info (#1079498) * Thu Mar 13 2014 Martin Kosek - 3.3.3-25- Deletion of active subdomain range should not be allowed (#1075615) * Thu Mar 13 2014 Martin Kosek - 3.3.3-24- PKI database is ugraded during replica installation (#1075118) * Wed Mar 12 2014 Martin Kosek - 3.3.3-23- Unable to add trust successfully with --trust-secret (#1075704) * Wed Mar 12 2014 Martin Kosek - 3.3.3-22- ipa-replica-install never checks for 7389 port (#1075165)- Non-terminated string may be passed to LDAP search (#1075091)- ipa-sam may fail to translate group SID into GID (#1073829)- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) * Thu Mar 06 2014 Martin Kosek - 3.3.3-21- Do not fetch a principal two times, remove potential memory leak (#1070924) * Wed Mar 05 2014 Martin Kosek - 3.3.3-20- trustdomain-find with pkey-only fails (#1068611)- Invalid credential cache in trust-add (#1069182)- ipa-replica-install prints unexpected error (#1069722)- Too big font in input fields in details facet in Firefox (#1069720)- trust-add for POSIX AD does not fetch trustdomains (#1070925)- Misleading trust-add error message in some cases (#1070926)- Access is not rejected for disabled domain (#1070924) * Wed Feb 26 2014 Martin Kosek - 3.3.3-19- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) * Wed Feb 12 2014 Martin Kosek - 3.3.3-18- Display server name in ipa command\'s verbose mode (#1061703)- Remove sourcehostcategory from default HBAC rule (#1061187)- dnszone-add cannot add classless PTR zones (#1058688)- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) * Tue Feb 04 2014 Martin Kosek - 3.3.3-17- Lockout plugin crashed during ipa-server-install (#912725) * Fri Jan 31 2014 Martin Kosek - 3.3.3-16- Fallback to global policy in ipa lockout plugin (#912725)- Migration does not add users to default group (#903232) * Fri Jan 24 2014 Daniel Mach - 3.3.3-15- Mass rebuild 2014-01-24 * Thu Jan 23 2014 Martin Kosek - 3.3.3-14- Fix NetBIOS name generation in CLDAP plugin (#1030517) * Mon Jan 20 2014 Martin Kosek - 3.3.3-13- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)- Increase default timeout for IPA services (#1033273)- Error while running trustdomain-find (#1054376)- group-show lists SID instead of name for external groups (#1054391)- Fix IPA server NetBIOS name in samba configuration (#1030517)- dnsrecord-mod produces missing API version warning (#1054869)- Hide trust-resolve command as internal (#1052860)- Add Trust domain Web UI (#1054870)- ipasam cannot delete multiple child trusted domains (#1056120) * Wed Jan 15 2014 Martin Kosek - 3.3.3-12- Missing objectclasses when empty password passed to host-add (#1052979)- sudoOrder missing in sudoers (#1052983)- Missing examples in sudorule help (#1049464)- Client automount does not uninstall when fstore is empty (#910899)- Error not clear for invalid realm given to trust-fetch-domains (#1052981)- trust-fetch-domains does not add idrange for subdomains found (#1049926)- Add option to show if an AD subdomain is enabled/disabled (#1052973)- ipa-adtrust-install still failed with long NetBIOS names (#1030517)- Error not clear for invalid relam given to trustdomain-find (#1049455)- renewed client cert not recognized during IPA CA renewal (#1033273) * Fri Jan 10 2014 Martin Kosek - 3.3.3-11- hbactest does not work for external users (#848531) * Wed Jan 08 2014 Martin Kosek - 3.3.3-10- PKI service restart after CA renewal failed (#1040018) * Mon Jan 06 2014 Martin Kosek - 3.3.3-9- Move ipa-tests package to separate srpm (#1032668) * Fri Jan 03 2014 Martin Kosek - 3.3.3-8- Fix status trust-add command status message (#910453)- NetBIOS was not trimmed at 15 characters (#1030517)- Harden CA subsystem certificate renewal on CA clones (#1040018) * Fri Dec 27 2013 Daniel Mach - 3.3.3-7- Mass rebuild 2013-12-27 * Mon Dec 02 2013 Martin Kosek - 3.3.3-6- Remove \"Listen 443 http\" hack from deployed nss.conf (#1029046)- Re-adding existing trust fails (#1033216)- IPA uninstall exits with a samba error (#1033075)- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)- Fixed ownership of /usr/share/ipa/ui/js (#1026260)- ipa-tests: support external names for hosts (#1032668)- ipa-client-install fail due fail to obtain host TGT (#1029354) * Fri Nov 22 2013 Martin Kosek - 3.3.3-5- Trust add tries to add same value of --base-id for sub domain, causing an error (#1033068)- Improved error reporting for adding trust case (#1029856) * Wed Nov 13 2013 Martin Kosek - 3.3.3-4- Winsync agreement cannot be created (#1023085) * Wed Nov 06 2013 Martin Kosek - 3.3.3-3- Installer did not detect different server and IPA domain (#1026845)- Allow kernel keyring CCACHE when supported (#1026861) * Tue Nov 05 2013 Martin Kosek - 3.3.3-2- ipa-server-install crashes when AD subpackage is not installed (#1026434) * Fri Nov 01 2013 Martin Kosek - 3.3.3-1- Update to upstream 3.3.3 (#991064) * Tue Oct 29 2013 Martin Kosek - 3.3.2-5- Temporarily move ipa-backup and ipa-restore functionality back to make them available in public Beta (#1003933) * Tue Oct 29 2013 Martin Kosek - 3.3.2-4- Server install failure during client enrollment shouldn\'t roll back (#1023086)- nsds5ReplicaStripAttrs are not set on agreements (#1023085)- ipa-server conflicts with mod_ssl (#1018172) * Wed Oct 16 2013 Martin Kosek - 3.3.2-3- Reinstalling ipa server hangs when configuring certificate server (#1018804) * Fri Oct 11 2013 Martin Kosek - 3.3.2-2- Deprecate --serial-autoincrement option (#1016645)- CA installation always failed on replica (#1005446)- Re-initializing a winsync connection exited with error (#994980) * Fri Oct 04 2013 Martin Kosek - 3.3.2-1- Update to upstream 3.3.2 (#991064)- Add delegation info to MS-PAC (#915799)- Warn about incompatibility with AD when IPA realm and domain differs (#1009044)- Allow PKCS#12 files with empty password in install tools (#1002639)- Privilege \"SELinux User Map Administrators\" did not list permissions (#997085)- SSH key upload broken when client joins an older server (#1009024) * Mon Sep 23 2013 Martin Kosek - 3.3.1-5- Remove dependency on python-paramiko (#1002884)- Broken redirection when deleting last entry of DNS resource record (#1006360) * Tue Sep 10 2013 Martin Kosek - 3.3.1-4- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) * Mon Sep 09 2013 Martin Kosek - 3.3.1-3- Replica installation fails for RHEL 6.4 master (#1004680)- Server uninstallation crashes if DS is not available (#998069) * Thu Sep 05 2013 Martin Kosek - 3.3.1-2- Unable to remove replica by ipa-replica-manage (#1001662)- Before uninstalling a server, warn about active replicas (#998069) * Thu Aug 29 2013 Rob Crittenden - 3.3.1-1- Update to upstream 3.3.1 (#991064)- Update minimum version of bind-dyndb-ldap to 3.5 * Tue Aug 20 2013 Rob Crittenden - 3.3.0-7- Fix replica installation failing on certificate subject (#983075) * Tue Aug 13 2013 Martin Kosek - 3.3.0-6- Allow ipa-tests to work with older version (1.7.7) of python-paramiko * Tue Aug 13 2013 Martin Kosek - 3.3.0-5- Prevent multilib failures in *.pyo and *.pyc files * Mon Aug 12 2013 Martin Kosek - 3.3.0-4- ipa-server-install fails if --subject parameter is other than default realm (#983075)- do not allow configuring bind-dyndb-ldap without persistent search (#967876) * Mon Aug 12 2013 Martin Kosek - 3.3.0-3- diffstat was missing as a build dependency causing multilib problems * Thu Aug 08 2013 Martin Kosek - 3.3.0-2- Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed- Wrap server-trust-ad subpackage description better- Add (noreplace) flag for %{_sysconfdir}/tmpfiles.d/ipa.conf- Change permissions on default_encoding_utf8.so to fix ipa-python Provides * Thu Aug 08 2013 Martin Kosek - 3.3.0-1- Update to upstream 3.3.0 (#991064) * Thu Aug 08 2013 Martin Kosek - 3.3.0-0.2.beta2- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release * Wed Aug 07 2013 Martin Kosek - 3.3.0-0.1.beta2- Update to upstream 3.3.0 Beta 2 (#991064) * Thu Jul 18 2013 Martin Kosek - 3.2.2-1- Update to upstream 3.2.2- Drop ipa-server-selinux subpackage- Drop redundant directory /var/cache/ipa/sessions- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency issues when there are still old parts of software (like entitlements plugin) * Fri Jun 14 2013 Martin Kosek - 3.2.1-1- Update to upstream 3.2.1- Drop dogtag-pki-server-theme requires, it won\'t be build for RHEL-7.0 * Tue May 14 2013 Rob Crittenden - 3.2.0-2- Add OTP patches- Add patch to set KRB5CCNAME for 389-ds-base * Fri May 10 2013 Rob Crittenden - 3.2.0-1- Update to upstream 3.2.0 GA- ipa-client-install fails if /etc/ipa does not exist (#961483)- Certificate status is not visible in Service and Host page (#956718)- ipa-client-install removes needed options from ldap.conf (#953991)- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)- Require nss 3.14.3-12.0 to address certutil certificate import errors (#953485)- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 environments. (#953464)- ipa-client-install removes \'sss\' from /etc/nsswitch.conf (#953453)- ipa-server-install --uninstall doesn\'t stop dirsrv instances (#953432)- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for socket based connections (#960222)- Require libsss_nss_idmap-python- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to member is now done automatically and having it in the config file raises an error.- Add backup and restore tools, directory.- require at least systemd 38 which provides the journal (we no longer need to require syslog.target)- Update Requires on policycoreutils to 2.1.14-37- Update Requires on selinux-policy to 3.12.1-42- Update Requires on 389-ds-base to 1.3.1.0- Remove a Requires for java-atk-wrapper * Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1- Remove release from krb5-server in strict sub-package to allow for rebuilds. * Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1- Add a Requires for java-atk-wrapper until we can determine which package should be pulling it in, dogtag or tomcat. * Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1- Update to upstream 3.2.0 Beta 1 * Tue Apr 02 2013 Martin Kosek - 3.2.0-0.1.pre1- Update to upstream 3.2.0 Prerelease 1- Use upstream reference spec file as a base for Fedora spec file * Sat Mar 30 2013 Kevin Fenzi 3.1.2-4- Rebuild for broken deps- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 * Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3- Rebuild for broken deps in rawhide- Fix 389-ds-base strict dep to be 1.3.0.3 * Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Wed Jan 23 2013 Rob Crittenden - 3.1.2-1- Update to upstream 3.1.2- CVE-2012-4546: Incorrect CRLs publishing- CVE-2012-5484: MITM Attack during Join process- CVE-2013-0199: Cross-Realm Trust key leak- Updated strict dependencies to 389-ds-base = 1.3.0.2 and pki-ca = 10.0.1 * Thu Dec 20 2012 Martin Kosek - 3.1.0-2- Remove redundat Requires versions that are already in Fedora 17- Replace python-crypto Requires with m2crypto- Add missing Requires(post) for client and server-trust-ad subpackages- Restart httpd service when server-trust-ad subpackage is installed- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes * Mon Dec 10 2012 Rob Crittenden - 3.1.0-1- Updated to upstream 3.1.0 GA- Set minimum for sssd to 1.9.2- Set minimum for pki-ca to 10.0.0-1- Set minimum for 389-ds-base to 1.3.0- Set minimum for selinux-policy to 3.11.1-60- Remove unneeded dogtag package requires * Tue Oct 23 2012 Martin Kosek - 3.0.0-3- Update Requires on krb5-server to 1.11 * Fri Oct 12 2012 Rob Crittenden - 3.0.0-2- Configure CA replication to use TLS instead of SSL * Fri Oct 12 2012 Rob Crittenden - 3.0.0-1- Updated to upstream 3.0.0 GA- Set minimum for samba to 4.0.0-153.- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so plugin to /dev/null since they cannot be used when trusts are configured- Restrict krb5-server to 1.10.- Update BR for 389-ds-base to 1.3.0- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca- Add Requires on zip for generating FF browser extension * Fri Oct 05 2012 Rob Crittenden - 3.0.0-0.10- Updated to upstream 3.0.0 rc 2- Include new FF configuration extension- Set minimum Requires of selinux-policy to 3.11.1-33- Set minimum Requires dogtag to 10.0.0-0.43.b1- Add new optional strict sub-package to allow users to limit other package upgrades. * Tue Oct 02 2012 Martin Kosek - 3.0.0-0.9- Require samba packages instead of obsoleted samba4 packages * Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8- Updated to upstream 3.0.0 rc 1- Update BR for 389-ds-base to 1.2.11.14- Update BR for krb5 to 1.10- Update BR for samba4-devel to 4.0.0-139 (rc1)- Add BR for python-polib- Update BR and Requires on sssd to 1.9.0- Update Requires on policycoreutils to 2.1.12-5- Update Requires on 389-ds-base to 1.2.11.14- Update Requires on selinux-policy to 3.11.1-21- Update Requires on dogtag to 10.0.0-0.33.a1- Update Requires on certmonger to 0.60- Update Requires on tomcat to 7.0.29- Update minimum version of bind to 9.9.1-10.P3- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1- Remove Requires on authconfig from python sub-package * Wed Sep 05 2012 Rob Crittenden - 3.0.0-0.7- Rebuild against samba4 beta8 * Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6- Rebuild against samba4 beta7 * Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5- Adopt to samba4 beta6 (libsecurity -> libsamba-security)- Add dependency to samba4-winbind * Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4- Updated to upstream 3.0.0 beta 2 * Mon Aug 06 2012 Martin Kosek - 3.0.0-0.3- Updated to current upstream state of 3.0.0 beta 2 development * Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2- Rebuild against samba4 beta4 * Mon Jul 02 2012 Rob Crittenden - 3.0.0-0.1- Updated to upstream 3.0.0 beta 1 | |