URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
URL: https://github.com/freeipa/freeipa/pull/4923
Author: RichardKalinec
Title: #4923: Add support for app passwords
Action: opened
PR body:
"""
Users will be able to have additional passwords besides the primary one - app passwords. They will be usable for accessing all systems and services that his/her FreeIPA account is used for, but not to manage the account (including configuring the app passwords).
Resolves: https://pagure.io/freeipa/issue/4510
Design page and its discussion: https://github.com/freeipa/freeipa/pull/4061
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4923/head:pr4923
git checkout pr4923
URL: https://github.com/freeipa/freeipa/pull/4061
Author: RichardKalinec
Title: #4061: doc/designs: Add a design page for application-specific passwords
Action: opened
PR body:
"""
This design page describes a new enhancement: application-specific
passwords and permissions management for them. Users will be able to
have additional passwords besides the primary one, and set permissions
for them specifying what systems and services will each
application-specific password have access to. Application-specific
passwords will also be usable with other authentication mechanisms
incorporating passwords, namely otp, radius and hardened. They will
also be supported by ipa-kdb for Kerberos authentication.
https://pagure.io/freeipa/issue/4510
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4061/head:pr4061
git checkout pr4061
URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened
PR body:
"""
Some IPA updates are expensive in terms of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.
When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.
Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.
Explanation provided by Thierry Bordaz.
Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/5147
Author: mrizwan93
Title: #5147: External-CA scenarios for ACME service
Action: opened
PR body:
"""
Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
set up the External-CA and will call all the test
methods from TestACME class.
related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5147/head:pr5147
git checkout pr5147
URL: https://github.com/freeipa/freeipa/pull/5119
Author: rcritten
Title: #5119: Require an ipa-ca SAN on 3rd party certs if ACME is enabled
Action: opened
PR body:
"""
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
Add a status option to ipa-acme-manage.
https://pagure.io/freeipa/issue/8498
Marking as ipa-next since I'm sure yet if ACME is going to be backported to ipa-4-8.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5119/head:pr5119
git checkout pr5119
URL: https://github.com/freeipa/freeipa/pull/5107
Author: tiran
Title: #5107: [Container] Unify access to FQDN
Action: opened
PR body:
"""
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5107/head:pr5107
git checkout pr5107
URL: https://github.com/freeipa/freeipa/pull/5160
Author: rcritten
Title: #5160: Add libpwquality checking to IPA password policy
Action: opened
PR body:
"""
This adds support for some of the libpwquality password checking features:
* palindromes (automatic)
* maximum number of repeats in a row
* maximum number of monotonic sequences (abcde, 1234, etc)
* check for username in the password
* dict check via cracklib
I attempted to retain backwards compatibility so didn't enable the character class evaluations. We could totally do this but it adds six more knobs.
I didn't enable the gecos check to avoid an nss lookup which would pass through a lot of libraries only to end up back at IPA :-)
Note that pwquality has a minimum character limit of six which is different than IPA so a limit of six is enforced if any of the pwquality values are set.
I suspect the SELinux policy I wrote isn't awesome.
TODO: finalize the IANA attributes and objectclasses values
TODO: merge the test into another class or determine frequency to execute
TODO: I'm open to ipa-next only
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5160/head:pr5160
git checkout pr5160
URL: https://github.com/freeipa/freeipa/pull/5055
Author: rebeccc
Title: #5055: Add krbtpolicy for jittered lifetime
Action: opened
PR body:
"""
Continuation of #5029
This KDC extension will create a jittered lifetime for services with a lifetime greater than 60 minutes. The lifetime will be set to a random number between max_life - 60 minutes and max_life.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5055/head:pr5055
git checkout pr5055
URL: https://github.com/freeipa/freeipa/pull/5144
Author: tiran
Title: #5144: Reduce runtime of server installer by nearly a minute
Action: opened
PR body:
"""
This experimental patch speeds up installer by tightening poll/sleep loops, reducing timeouts for DNS and NTP to a sensible value, avoiding duplicate work.
## Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
## Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shaves off
15 to 20 seconds from ipa-server-install while marginally increasing
load on the system.
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
## Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
## Reduce CA record DNS timeout to 10s
30 seconds is still a lot of time for a DNS query. Clients typically
do not wait that long. OpenSSH uses 10 seconds for reverse DNS lookup.
That's considered a long timeout already. It's unlikely that a DNS query
is going to succeed after 10 seconds of failed lookups.
At this point during the installer IPA's BIND DNS instance has been
running long enough to be fully available, too.
The changeset reduces installation time by 40 seconds when ipa-ca DNS
has not been created yet.
See: https://pagure.io/freeipa/issue/6176
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds
## Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
## Add timings to install logs
The logging manager now adds timings for installation steps to the
installer logs. The information can be extracted and dumped to a CSV
file with a simple grep command:
grep -Po 'TIMING: \K.*' /var/log/ipaserver.log > ipaserver.csv
## Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5144/head:pr5144
git checkout pr5144
URL: https://github.com/freeipa/freeipa/pull/5128
Author: fcami
Title: #5128: ipatests: kinit_as_user: collect kdcinfo.REALM on failure
Action: opened
PR body:
"""
When requesting a tgt fails after a password reset, collecting:
/var/lib/sss/pubconf/kdcinfo.$REALM
will help determine how SSSD was selecting which KRB5KDC to use.
Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5128/head:pr5128
git checkout pr5128
URL: https://github.com/freeipa/freeipa/pull/5167
Author: tiran
Title: #5167: Speed up PKI installer steps
Action: opened
PR body:
"""
## Skip duplicate import of cert profiles
All supported Dogtag versions import the cert profiles during pkispawn
when using the LDAP profile backend.
This reduces the installation time by 9 to 14 seconds
## Dogtag: Remove set_audit_renewal step
The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7…
The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.
Win: 11 to 50 seconds
## Spawn PKI: Execute more steps early
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.
Total: ~30s to ~90s
Related: https://pagure.io/freeipa/issue/8521
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5167/head:pr5167
git checkout pr5167
URL: https://github.com/freeipa/freeipa/pull/5164
Author: tiran
Title: #5164: Speed up DS related installer steps
Action: opened
PR body:
"""
## Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root.
cn=root-autobind,cn=config entry is no longer needed.
## Skip offline dse.ldif patching by default
The installer now stops and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step. This speeds up installer by 4 or more seconds on a fast system.
## Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
Total speedup: ~10s
Related: https://pagure.io/freeipa/issue/8521
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5164/head:pr5164
git checkout pr5164
URL: https://github.com/freeipa/freeipa/pull/5135
Author: menonsudhir
Title: #5135: ipatests: ipa-healthcheck test fixes running on RHEL
Action: opened
PR body:
"""
ipatests: ipa-healthcheck test fixes running on RHEL
1. Added function in tasks.py to get healthcheck version.
2. Added if else condition to certain tests to check healthcheck version and then assert the expected test output
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5135/head:pr5135
git checkout pr5135
URL: https://github.com/freeipa/freeipa/pull/5166
Author: tiran
Title: #5166: Retry chronyc waitsync only once
Action: opened
PR body:
"""
It's unlikely that a third chrony synchronization attempt is going to
succeed after the first two attempts have failed. Only retry chronyc
waitsync once. Each retry adds a 10 second delay.
This speeds up installer by 10 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5166/head:pr5166
git checkout pr5166
URL: https://github.com/freeipa/freeipa/pull/5168
Author: tiran
Title: #5168: [Backport][ipa-4-8] configure_dns_resolver: call self.restore_context
Action: opened
PR body:
"""
This PR was opened automatically because PR #5162 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5168/head:pr5168
git checkout pr5168
URL: https://github.com/freeipa/freeipa/pull/5162
Author: tiran
Title: #5162: configure_dns_resolver: call self.restore_context
Action: opened
PR body:
"""
Use the platform implementation of restore_context() instead of the base
implementation.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5162/head:pr5162
git checkout pr5162
URL: https://github.com/freeipa/freeipa/pull/5165
Author: tiran
Title: #5165: Reduce long sleeps in certmonger wait_for_request()
Action: opened
PR body:
"""
## Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
## Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shaves off
15 to 20 seconds from ipa-server-install while marginally increasing
load on the system.
Related: https://pagure.io/freeipa/issue/8521
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5165/head:pr5165
git checkout pr5165
URL: https://github.com/freeipa/freeipa/pull/5163
Author: tiran
Title: #5163: [Backport][ipa-4-8] Add missing fedora_container platform members
Action: opened
PR body:
"""
This PR was opened automatically because PR #5161 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5163/head:pr5163
git checkout pr5163
URL: https://github.com/freeipa/freeipa/pull/5159
Author: tiran
Title: #5159: [Backport][ipa-4-8] Use single update LDIF for indices and add more indices
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5159/head:pr5159
git checkout pr5159
URL: https://github.com/freeipa/freeipa/pull/5161
Author: tiran
Title: #5161: Add missing fedora_container platform members
Action: opened
PR body:
"""
The fedora_container platform was missing User and Group members.
Add test case to verify that all known platforms define correct module
API.
Fixes: https://pagure.io/freeipa/issue/8519
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5161/head:pr5161
git checkout pr5161
URL: https://github.com/freeipa/freeipa/pull/5157
Author: tiran
Title: #5157: Use single update LDIF for indices and add more indices
Action: opened
PR body:
"""
## Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
## Add more indices
ipaCASubjectDN is used by lightweight sub CA feature.
ipaExternalMember is used by ipasam code to assemble MS-PAC records.
ipaNTSecurityIdentifier was only indexed for "pres" and was missing an
index on "eq". Samba performs queries with SID string.
memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.
Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not indexed because an index would be rarely used
or have a poor selectivity.
Fixes: https://pagure.io/freeipa/issue/8493
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5157/head:pr5157
git checkout pr5157
URL: https://github.com/freeipa/freeipa/pull/5158
Author: tiran
Title: #5158: [Backport][ipa-4-8] Ensure that resolved.conf.d is accessible
Action: opened
PR body:
"""
This PR was opened automatically because PR #5156 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5158/head:pr5158
git checkout pr5158
URL: https://github.com/freeipa/freeipa/pull/5156
Author: tiran
Title: #5156: Ensure that resolved.conf.d is accessible
Action: opened
PR body:
"""
systemd-resolved runs as user systemd-resolve. Ensure that
resolved.conf.d drop-in directory is accessible when installer runs with
restricted umask. Also ensure the file and directory have correct SELinux
context.
The parent directory /etc/systemd exists on all platforms.
Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5156/head:pr5156
git checkout pr5156
URL: https://github.com/freeipa/freeipa/pull/5155
Author: tiran
Title: #5155: [Backport][ipa-4-8] Pre-populate IP addresses for the name server upgrades
Action: opened
PR body:
"""
This PR was opened automatically because PR #5153 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5155/head:pr5155
git checkout pr5155
URL: https://github.com/freeipa/freeipa/pull/5153
Author: abbra
Title: #5153: Pre-populate IP addresses for the name server upgrades
Action: opened
PR body:
"""
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done with BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().
Pass through the server's IP addresses during upgrade.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5153/head:pr5153
git checkout pr5153
URL: https://github.com/freeipa/freeipa/pull/5151
Author: fcami
Title: #5151: IPA-EPN: Make ipa-epn.timer a configuration file
Action: opened
PR body:
"""
The time at which ipa-epn runs using the timer should be configurable.
Currently, ipa-epn.timer is not marked as a config file, resulting in
overwriting the file at each update.
Add %config(noreplace) so that customisation can persist.
Fixes: https://pagure.io/freeipa/issue/8517
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5151/head:pr5151
git checkout pr5151
URL: https://github.com/freeipa/freeipa/pull/5146
Author: serg-cymbaluk
Title: #5146: [Backport][ipa-4-8] WebUI: Fix jQuery DOM manipulation issues
Action: opened
PR body:
"""
This PR was opened automatically because PR #5122 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5146/head:pr5146
git checkout pr5146
URL: https://github.com/freeipa/freeipa/pull/5145
Author: tiran
Title: #5145: Fix nsslapd-db-lock tuning of BDB backend
Action: opened
PR body:
"""
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.
Also skip offline dse.ldif patching by default. The installer now stops and
patches dse.ldif only when the option --dirsrv-config-file is used. LDBM
nsslapd-db-locks are increased in a new step. This speeds up installer by 4
or more seconds on a fast system.
Fixes: https://pagure.io/freeipa/issue/8515
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5145/head:pr5145
git checkout pr5145
URL: https://github.com/freeipa/freeipa/pull/5122
Author: serg-cymbaluk
Title: #5122: WebUI: Fix jQuery DOM manipulation issues
Action: opened
PR body:
"""
The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
(jquery/jquery#4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
(jquery/jquery#4647)
In addition there is included a script that helps to patch and build
the new version of jQuery:
` $ install/ui/util/make-jquery.js 3.4.1`
Ticket: https://pagure.io/freeipa/issue/8507
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5122/head:pr5122
git checkout pr5122
URL: https://github.com/freeipa/freeipa/pull/5137
Author: tiran
Title: #5137: [Backport][ipa-4-8] Clean up entire /run/ipa/ccaches directory not just files
Action: opened
PR body:
"""
This PR was opened automatically because PR #5124 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5137/head:pr5137
git checkout pr5137
URL: https://github.com/freeipa/freeipa/pull/5143
Author: tiran
Title: #5143: [Backport][ipa-4-8] Reduce the memory requirement from 1.6 to 1.2 GB
Action: opened
PR body:
"""
This PR was opened automatically because PR #5142 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5143/head:pr5143
git checkout pr5143
URL: https://github.com/freeipa/freeipa/pull/5141
Author: tiran
Title: #5141: [Backport][ipa-4-8] Add systemd-resolved support
Action: opened
PR body:
"""
Manual backport of PR #5125 to 4.8 branch.
61ec5de2640c300bbf21ae68faed62e5b8d80d4a had a minor conflict in ``ipaserver/install/bindinstance.py``.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5141/head:pr5141
git checkout pr5141
URL: https://github.com/freeipa/freeipa/pull/5138
Author: tiran
Title: #5138: [Backport][ipa-4-8] Delay import of psutil to avoid AVC
Action: opened
PR body:
"""
This PR was opened automatically because PR #5132 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5138/head:pr5138
git checkout pr5138
URL: https://github.com/freeipa/freeipa/pull/5142
Author: rcritten
Title: #5142: Reduce the memory requirement from 1.6 to 1.2 GB
Action: opened
PR body:
"""
We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.
https://pagure.io/freeipa/issue/8404
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5142/head:pr5142
git checkout pr5142
URL: https://github.com/freeipa/freeipa/pull/5139
Author: tiran
Title: #5139: [Backport][ipa-4-8] Make git a build requirement
Action: opened
PR body:
"""
This PR was opened automatically because PR #5126 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5139/head:pr5139
git checkout pr5139
URL: https://github.com/freeipa/freeipa/pull/5140
Author: tiran
Title: #5140: [Backport][ipa-4-8] Add ipa_pki_retrieve_key_exec() interface
Action: opened
PR body:
"""
This PR was opened automatically because PR #5131 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5140/head:pr5140
git checkout pr5140
URL: https://github.com/freeipa/freeipa/pull/5136
Author: tiran
Title: #5136: [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t
Action: opened
PR body:
"""
This PR was opened automatically because PR #5133 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5136/head:pr5136
git checkout pr5136
URL: https://github.com/freeipa/freeipa/pull/5125
Author: tiran
Title: #5125: Add systemd-resolved support
Action: opened
PR body:
"""
Fedora 33 switched to systemd-resolved
- [X] Add helpers to get forwarders from resolve1 D-BUS API
- [X] Configure NetworkManager to use systemd-resolved
- [X] Use new API for auto-forwarders
- [X] Configure systemd-resolved to use IPA's BIND server
- [ ] Update DNS resolver configuration in ``ipa-server-upgrade``
- [ ] Add IPA's DNSSEC keys to systemd-resolved
- [ ] Enable DNSSEC support of systemd-resolved
See: https://pagure.io/freeipa/issue/8275
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5125/head:pr5125
git checkout pr5125
URL: https://github.com/freeipa/freeipa/pull/5126
Author: tiran
Title: #5126: Make git a build requirement
Action: opened
PR body:
"""
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5126/head:pr5126
git checkout pr5126