User-related functions broken after load test
by a.matveev@lan-project.ru
Hello all!
My config is
VERSION: 4.4.0, API_VERSION: 2.213
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-514.16.1.el7.x86_64
Architecture: x86-64
For load testing purposes I wrote a script to automate user creation in FreeIPA.
I use kinit and user-add in a simple bash while loop:
#To obtain rights
kinit admin <<EOF
$admpass
EOF
ipa user-add $user --first=$name --last=$soname --password <<EOF
$pass
EOF
#To activate user (without web ui)
kinit $user <<EOF
$pass
$pass
$pass
EOF
After creating (and activating) about 3600 users (I ran my script in 5-6 ttys at the same time) something happened and the script failed (with the following error in all ttys).
Now, user-add (after kinit admin)
ipa user-add some-user --first=some --last=user --password
returns:
ipa: ERROR: ValueError: Extra data: line 1 column 81 - line 1 column 82 (char 80 - 81)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1348, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 112, in get_package
    server_info = ServerInfo(api)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 39, in __init__
    self._read()
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 44, in _read
    self._dict = json.load(sc)
  File "/usr/lib64/python2.7/json/__init__.py", line 290, in load
    **kw)
  File "/usr/lib64/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/json/decoder.py", line 369, in decode
    raise ValueError(errmsg("Extra data", s, end, len(s)))
ValueError: Extra data: line 1 column 81 - line 1 column 82 (char 80 - 81)
Other user-related commands also fail (ipa user-find, user-mod etc.).
Any suggestion as to what's going wrong and how to diagnose and fix it?
6 years, 11 months
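The "Extra data" ValueError in the traceback above is what json.load() raises when bytes follow the first complete JSON value in the file it is given; here that file is the client's cached server metadata, read by ServerInfo._read(). The Python below is an added illustration, not code from the post or from FreeIPA. It builds a file in that state by simulating one way it can arise when several processes write the same cache file at once (two writers both truncate on open and then write from offset 0, so the shorter document lands second and the tail of the longer one survives after its closing brace), shows how to diagnose such a file with JSONDecoder.raw_decode(), and shows an atomic temp-file-plus-rename write that leaves readers with either the old or the new complete document. The file name "ipa1.example.test" and the document contents are constructed; that the 4.4 client keeps these files under ~/.cache/ipa/servers/ is an assumption drawn from the module path in the traceback, not something the post states.

```python
import json
import os
import shutil
import tempfile

# Constructed sample documents, shaped loosely like the per-server metadata the
# IPA client caches (assumption: a small JSON object; the real files differ).
LONG_DOC = json.dumps({"version": "2.213", "language": "en_US",
                       "servers": ["ipa1.example.test", "ipa2.example.test"]})
SHORT_DOC = json.dumps({"version": "2.213", "language": "en_US"})


def simulate_write_race(cache_dir):
    """Reproduce the file state left behind when two processes both truncate a
    cache file on open and then write from offset 0: the shorter document lands
    second, so the tail of the longer one survives after its closing brace."""
    path = os.path.join(cache_dir, "ipa1.example.test")  # hypothetical cache file name
    with open(path, "w") as first_writer:
        first_writer.write(LONG_DOC)
    # The second writer already truncated the file before the first one wrote,
    # so its open() is modelled here as "r+" (no truncation) at offset 0.
    with open(path, "r+") as second_writer:
        second_writer.write(SHORT_DOC)
    return path


def check_json_file(path):
    """Validate a JSON file the way json.load() does, but on failure report the
    first complete document and the bytes that follow it."""
    with open(path) as f:
        text = f.read()
    try:
        return {"ok": True, "doc": json.loads(text), "trailing": ""}
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        # raw_decode() stops after the first complete JSON value and returns its end offset
        doc, end = json.JSONDecoder().raw_decode(text)
        return {"ok": False, "doc": doc, "trailing": text[end:]}


def atomic_write_json(path, obj):
    """Write obj to a temporary file in the same directory, then os.replace()
    it over path, so a concurrent reader never sees a half-written or mixed file."""
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(obj, f)
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def run_demo():
    """Return the diagnosis of the raced file and of an atomically rewritten one."""
    cache_dir = tempfile.mkdtemp()
    try:
        path = simulate_write_race(cache_dir)
        raced = check_json_file(path)
        # Same two writes in the same order, but atomic: the last one wins cleanly.
        atomic_write_json(path, json.loads(LONG_DOC))
        atomic_write_json(path, json.loads(SHORT_DOC))
        repaired = check_json_file(path)
        return raced, repaired
    finally:
        shutil.rmtree(cache_dir)


if __name__ == "__main__":
    raced, repaired = run_demo()
    print("raced file ok:", raced["ok"], "trailing bytes:", repr(raced["trailing"]))
    print("atomic rewrite ok:", repaired["ok"])
```

Running check_json_file() against a cache file that fails with "Extra data" shows exactly which complete document was parsed and what follows it; a short non-JSON tail after a valid object is the signature of overlapping writers rather than of a bad server response. If such a file is found, removing that one cache file and rerunning the ipa command lets the client fetch the metadata again (an assumption about the client's behaviour; keep a copy of the file first).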
CentOS 7 Letsencrypt CA
by Günther J. Niederwimmer
Hello,
after the mistake with the StartCom CA (Class 3), I am now looking for a new
certificate.
Is it possible and functional to install a Letsencrypt CA on an IPA server?
I have found a script on "github" to install a Letsencrypt CA for FreeIPA
(fedora), but can anyone tell me whether this works with CentOS 7(.3)?
Thanks for an answer,
--
mit freundlichen Grüssen / best regards
Günther J. Niederwimmer
6 years, 11 months
Odd behavior with groups in compat tree
by Robert Johnson
Red Hat Enterprise Linux Server release 7.3
ipa-server-4.4.0-14.el7_3.4.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
sssd-1.14.0-43.el7_3.11.x86_64
I have noticed some odd behavior when I perform ldap searches in the compat
tree for groups. I have approximately 20 posix groups including the
default "admins" group.
The default admins group consists of the default admin user and a single
group called "unixadmins". The unixadmins group is a posix group and has
one member called "winadmins". The winadmins group is an external group
type which contains one external group called "winadmins(a)mywindomain.com".
That group on the windows domain has 2 members: 123456(a)mywindomain.com and
234567(a)mywindomain.com.
When I perform a search in the compat tree, I see multiple memberUID
entries which are:
admin
123456(a)mywindomain.com
234567(a)mywindomain.com
This is what I am looking for.
However, when I look at the compat tree entry for "unixadmins" (the posix
group used in the admins group), I don't see any memberUID entries at all.
This is the same result for all the other posix groups which have a similar
setup.
When I perform a "id 123456(a)mywindomain.com" I see that the user belongs to
the "admins", "unixadmins" and another posix group (I can also verify this
by looking at the users accounts tree).
On a hunch, I added the "admin" user to the unixadmins group and the other
posix group, and now when I query the group compat tree I see an entry
with the memberUid showing both the admin user and the windows users (i.e.
123456(a)mywindomain.com and 234567(a)mywindomain.com).
Is this a bug?
Rob Johnson
6 years, 11 months
Request to Contribute a How/To Page
by Jason Sherrill
I would like to post the procedure that I used for configuring OS X 10.12
for use with IPA. My fedora account is jr_sherrill(a)yahoo.com, may it be
added to the editors group for the IPA's wiki? Thank you!
--
Jason Sherrill
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
6 years, 11 months
Setting up IPA server on an already domain joined machine
by doug.kelly@wipro.com
Hi,
I'm wondering if anyone else has done something similar to us, and if so am wondering how you went about it or if it is indeed at all possible.
Our situation is:
* We have a few VMs which are domain joined to "internal.local", which is an Active Directory domain that we have no control over or administrative access to
* We would like to install IPA on these VMs (replicated, with named for DNS) with a separate domain called "dev.zone"
* Authentication to the VM itself via SSH should be carried out against "internal.local" still – we will point our own services that we are going to install like GitLab directly at the IPA server
* "dev.zone" will be set up as a conditional forwarder on the Active Directory domain pointing at the IPA-installed named-pkcs11 service to do resolution for this domain
My initial findings are that IPA installs fine but it changes some things in /etc/krb5.conf like:
* Adding in "dev.zone" realm
* Modifies the "default_realm" to be "dev.zone"
* Leaves the "[realm]" definition for "internal.local" but empties it of the "kdc" and "admin_server" definitions
* Removes the kerberos tickets for "internal.local" that were in "net ads keytab list"
This ultimately results in IPA working fine but authentication to the server via SSH no longer works as it's looking to "dev.zone" now.
Is it possible to achieve what we're wanting to do? Can these two things co-exist peacefully?
Cheers,
Doug
6 years, 11 months
krbLastSuccessfulAuth
by Chris Apsey
All,
We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a
few other things. We have been looking for a way to keep track of the
last time a user logged on, and the obvious answer seems to be the
krbLastSuccessfulAuth attribute. The problem is that this value for all
users is N/A:
-----------------------
Account disabled: False
-----------------------
Server: {{srv}}
Failed logins: 0
Last successful authentication: N/A
Last failed authentication: N/A
Time now: 2017-05-23T16:47:49Z
----------------------------
Number of entries returned 1
----------------------------
I checked to make sure that the ipaConfigString doesn't contain
KDC:Disable Last Success. Does krbLastSuccessfulAuth only get updated
when using kerberized logins? If so, is there a way to track the last
time a user successfully authenticated via pure LDAP (besides parsing
logs)?
Thanks in advance,
--
v/r
Chris Apsey
bitskrieg(a)bitskrieg.net
https://www.bitskrieg.net
6 years, 11 months
Chrome 58 - CN for IPA management console to include SANs
by Jake
Hey All,
I think this is fixed in 4.4.2 but since we use centos upstream we are limited to 4.4.0, is there a way to manually re-issue the SSL Certificates used for apache on the IPA masters for the web interface to include the DNS Names as Subject Alternative Names?
Greatly appreciate it!
Thanks,
- Jake
6 years, 11 months
Announcing FreeIPA 4.5.1
by Martin Bašti
Release date: 2017-05-23
The FreeIPA team would like to announce FreeIPA 4.5.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25 and Fedora 26 will be available in the official COPR repository
<https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/>.
This announcement is also available at
<http://www.freeipa.org/page/Releases/4.5.1>.
== Highlights in 4.5.1 ==
=== Enhancements ===
* HBAC rule names can be renamed (#6784)
HBAC rules can now be renamed.
* SUDO rules can be renamed (#2466)
The attribute "rdn_is_primary_key" of the LDAPObject class was renamed
to "allow_rename" because the name of the former did not reflect the
purpose of the attribute. Thanks to this objects whose primary key is
not in RDN can be now renamed. As a result of this, sudo rules can now
be renamed.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.5.1 is a stabilization release for the features delivered as
part of 4.5.0. There are more than 90 bug fixes, details of which can be
seen in the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on page:
<https://www.freeipa.org/page/Upgrade>
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or the #freeipa channel on Freenode.
== Resolved tickets ==
* 6950 ipa-server-install --uninstall fails with ERROR 'tuple' object
has no attribute 'append'
* 6934 ipa-kra-install timeouts on replica
* 6925 KRA installation fails on server that was originally installed as
CA-less
* 6924 Fix SELinux contex of http.keytab during upgrade
* 6923 Update warning message when KRA installation fails
* 6922 Update man page of ipa-kra-install
* 6921 ipa-server-install with external CA fails in
issue_selfsigned_pkinit_certs
* 6920 Upgrade from ipa-4.1 fails when enabling KDC proxy
* 6916 ipa-client-install: extra space in pkinit_anchors definition
* 6911 error adding authenticator indicators to host
* 6907 ipa vault-add raises TypeError
* 6904 pki_client_database_password is shown in ipaserver-install.log
* 6902 ipa restore fails to restore IPA user
* 6900 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
* 6899 ipa vault: archival and retrival is broken in IPA 4.5.0
* 6897 ipa-server-install with external-ca fails in FIPS mode
* 6896 Update get_attr_filter in LDAPSearch to handle nsaccountlock user
searches
* 6895 ipa-kra-install fails when primary KRA server has been decommissioned
* 6894 DNS forwarder address added during IPA installation shouldn't add
IP-Address '0.0.0.0'
* 6892 ipa-[ca|kra]-install with invalid DM password break replica
* 6883 ipa cert-show raises stack traces when --certificate-out=/tmp
* 6881 ipa.ipaserver.install.plugins.adtrust.update_tdo_gidnumber: ERROR
Default SMB Group not found
* 6878 Replica install fails during migration from older IPA master
* 6876 GET in KerberosSession.finalize_kerberos_acquisition() must use
FreeIPA CA
* 6875 Correct wheel package dependencies
* 6872 ipa server install fails with --external-ca option
* 6869 CA-less pkinit not installable with --pkinit-cert-file option
* 6866 ipa trust-fetch-domains: ValidationError: invalid 'Credentials':
Missing credentials for cross-forest communication
* 6864 minor spelling mistake #2
* 6862 WebUI cert auth fails after ipa-adtrust-install
* 6861 uninstall ipa client automount failed with RuntimeWarning
* 6860 Add the name of URL parameter which will be check for username
during cert login
* 6859 Console output message while adding trust should be mapped with
texts changed in Samba.
* 6854 CA less setup is broken
* 6853 Conversion of CA-less server to CA fails on CA instance spawn
* 6850 Use /usr/bin/env python for ipaclient via pypi / macOS fixes for
ipaclient
* 6846 Do not link libkrad, liblber, libldap_r and libsss_nss_idmap to
every binary in IPA
* 6839 [ipa-replica-install] - IncorrectPasswordException: Incorrect
client security database password
* 6838 [ipa-replica-install] - 406 Client Error: Failed to validate
message: Incorrect number of results (0) searching forpublic key for host
* 6833 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
* 6831 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT
certificates/anchors
* 6830 Configure local PKINIT on DL0 or when '--no-pkinit' option is used
* 6828 error: implicit declaration of function ‘sss_nss_getlistbycert’
* 6827 ipasam: gidNumber attribute is not created in the trusted domain
entry
* 6826 IdM Server Smart Cards: extdom: improve cert request
* 6825 Allow erasing ipaDomainResolutionOrder attribute
* 6824 Add workaround for pki_pin for FIPS
* 6823 Bump packages versions for certificate login
* 6821 Deadlock between topology and schema-compat plugins
* 6819 Login into WebUI using certificate does not work - mod_wsgi
returns error
* 6817 4.5 replica install fails against <4.5 master due to rejected
PKINIT cert request
* 6816 BUILD_IPA_CERTAUTH_PLUGIN broke configure --disable-server
* 6813 Renewal of IPA RA fails on replica
* 6812 WebUI: in self-service Vault menu item is shown even if KRA is
not installed
* 6808 ipa cert-find runs a large number of searches, so IPA WebUI is
slow to display user details page
* 6807 Server CA-less impossible option check
* 6806 CA-less installation fails on publishing CA certificate
* 6803 Master tree fails to install
* 6801 Remove pkinit-related options from server/replica-install on DL0
* 6799 ipa-replica-install with DL0 fails to get annonymous keytab
* 6798 Changes to ipa-run-tests broke helper test tools
* 6797 As a ID user I cannot call a command with --rights option
* 6795 man ipa-cacert-manage install needs clarification
* 6792 Upgrade to FreeIPA 4.5.0 does not configure anonymous principal
for PKINIT
* 6787 Make KRA cert cache concurrency safe
* 6786 make sure that runtime hostname result is consistent with the
configuration in AD trust
* 6784 [RFE] HBAC rule names command rename
* 6777 ipa-replica-install can't install replica file produced by
ipa-replica-prepare on 4.5
* 6775 [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa
vault commands
* 6773 systemctl daemon-reload needs to be called after
httpd.service.d/ipa.conf is manipulated
* 6772 WebUI: Adding certificate mapping data using certificate fails
* 6771 Set GssProxy options to enable caching of ldap tickets
* 6768 debian: daemons/dnssec/*.service.in hardcode user/groupnames
* 6757 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit helper when
installing replica
* 6748 CLI doesn't work after ipa-restore
* 6743 [copr] Replica install failing
* 6716 cert-find does not find all certificates without sizelimit=0
* 6715 Uninstall fails with No such file or directory:
'/var/run/ipa/services.list'
* 6697 [Tracker] FIPS mode for trust to AD feature
* 6688 [tracker] ipa-replica-install fails with 406 Client Error: Key
name ca/caSigningCert%20cert-pki-ca does not match subject
ca/caSigningCert cert-pki-ca
* 6671 Privilege separation in IPA framework broke trust-add
* 6641 RPC client should use HTTP persistent connection
* 6618 "Truncated search results" pop-up appears in user details in WebUI
* 6549 replica install against IPA v3 master fails with ACIError
* 6494 Enumerate all available request type options in ipa cert-request help
* 6404 Need to have validation for idrange names
* 6370 [RFE] Web UI must check OCSP and CRL during smartcard login
* 6319 ipa cert-request limits key size to 1024,2048,3072,4096 bits
* 6183 ipa-replica-install may suggest --force-join option which does
not exist
* 5959 The framework needs to run in a spearate process
* 5952 Add git commit template
* 5799 Errors from AD when trying to sign ipa.csr, conflicting template on
* 5734 cert-request: PKCS #10 only is supported but `--request-type'
option suggests otherwise
* 5313 [RFE] disable last successful authentication by default in ipa.
* 4639 ipa-server-install does not clean /etc/httpd/alias
* 3242 [RFE] IPA WebUI login for AD Trusted User fails
* 2466 [RFE] Support SUDO command rename
== Detailed changelog since 4.5.0 ==
=== Alexander Bokovoy (5) ===
* trust: always use oddjobd helper for fetching trust information
* ipaserver/dcerpc: unify error processing
* adtrust: make sure that runtime hostname result is consistent with the
configuration
* server: make sure we test for sss_nss_getlistbycert
* ldap2: use LDAP whoami operation to retrieve bind DN for current
connection
=== Abhijeet Kasurde (2) ===
* Hide PKI Client database password in log file
* Hide request_type doc string in cert-request help
=== Christian Heimes (21) ===
* Correct PyPI package dependencies
* Vault: Explicitly default to 3DES CBC
* Use entry_points for ipa CLI
* Skip test_session_storage in ipaclient unittest mode
* Add make devcheck for developers
* Python 3: Fix session storage
* Use Custodia 0.3.1 features
* Simplify KRA transport cert cache
* Constrain wheel package versions
* Move remaining util functions to tasks module
* Ship ipatests.pytest_plugins.integration
* Move function run_repeatedly to tasks module
* Move hosts module to ipatests.pytest_plugins.integration.hosts
* Move tasks module to ipatests.pytest_plugins.integration.tasks
* Move env_config module to ipatests.pytest_plugins.integration.env_config
* Move config module to ipatests.pytest_plugins.integration.config
* Move helper code for integration plugin
* Increase Apache HTTPD's default keep alive timeout
* Add debug logging for keep-alive
* Use connection keep-alive
* Add options to run only ipaclient unittests
=== David Kupka (10) ===
* ipapython.ipautil.run: Add option to set umask before executing command
* otptoken-add-yubikey: When --digits not provided use default value
* Bump version of ipa.conf file
* Create system users for FreeIPA services during package installation
* WebUI: cert login: Configure name of parameter used to pass username
* httpinstance.disable_system_trust: Don't fail if module 'Root Certs'
is not available
* spec file: Bump requires to make Certificate Login in WebUI work
* rpcserver.login_x509: Actually return reply from __call__ method
* Create temporaty directories at the begining of uninstall
* ipapython.ipautil.nolog_replace: Do not replace empty value
=== felipe (1) ===
* Fixing replica install: fix ldap connection in domlvl 0
=== Felipe Volpone (1) ===
* Fixing adding authenticator indicators to host
=== Fabiano Fidêncio (1) ===
* Allow erasing ipaDomainResolutionOrder attribute
=== Florence Blanc-Renaud (16) ===
* ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
* ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
* ipa-server-install: fix uninstall
* ipa-kra-install manpage: document domain-level 1
* ipa-kra-install: fix check_host_keys
* ipa-server-install with external CA: fix pkinit cert issuance
* ipa-client-install: remove extra space in pkinit_anchors definition
* vault: piped input for ipa vault-add fails
* upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
installed
* tests: add non-reg for idrange-add
* Upgrade: add gidnumber to trusted domain entry
* ipa-sam: create the gidNumber attribute in the trusted domain entry
* idrange-add: properly handle empty --dom-name option
* ipa-ca-install man page: Add domain level 1 help
* dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
* man ipa-cacert-manage install needs clarification
=== Fraser Tweedale (1) ===
* Support 8192-bit RSA keys in default cert profile
=== Jan Cholasta (38) ===
* server certinstall: support PKINIT
* cacert manage: support PKINIT
* replica install: respect --pkinit-cert-file
* server install: fix KDC certificate validation in CA-less
* certs: do not export CA certs in install_pem_from_p12
* certs: do not export keys world-readable in install_key_from_p12
* server install: fix KDC PKINIT configuration
* install: introduce generic Kerberos Augeas lens
* client install: fix client PKINIT configuration
* install: trust IPA CA for PKINIT
* certdb: use custom object for trust flags
* certdb, certs: make trust flags argument mandatory
* certdb: add named trust flag constants
* ipa-cacert-manage: add --external-ca-type
* renew agent: get rid of virtual profiles
* renew agent: always export CSR on IPA CA certificate renewal
* renew agent: allow reusing existing certs
* cainstance: use correct profile for lightweight CA certificates
* server upgrade: always fix certmonger tracking request
* renew agent: respect CA renewal master setting
* spec file: bump python-netaddr Requires
* spec file: bump krb5 Requires for certauth fixes
* configure: fix AC_CHECK_LIB usage
* cert: defer cert-find result post-processing
* renew agent, restart scripts: connect to LDAP after kinit
* renew agent: revert to host keytab authentication
* install: request service certs after host keytab is set up
* dsinstance, httpinstance: consolidate certificate request code
* httpinstance: avoid httpd restart during certificate request
* dsinstance: reconnect ldap2 after DS is restarted by certmonger
* httpinstance: make sure NSS database is backed up
* spec file: bump libsss_nss_idmap-devel BuildRequires
* spec file: bump krb5-devel BuildRequires for certauth
* cert: do not limit internal searches in cert-find
* replica prepare: fix wrong IPA CA nickname in replica file
* httpinstance: clean up /etc/httpd/alias on uninstall
* certs: do not implicitly create DS pin.txt
* tasks: run `systemctl daemon-reload` after httpd.service.d updates
=== Martin Babinsky (16) ===
* Travis CI: explicitly update pip before running the builds
* Do not test anonymous PKINIT after install/upgrade
* Upgrade: configure local/full PKINIT depending on the master status
* Use local anchor when armoring password requests
* Stop requesting anonymous keytab and purge all references of it
* Use only anonymous PKINIT to fetch armor ccache
* API for retrieval of master's PKINIT status and publishing it in LDAP
* Allow for configuration of all three PKINIT variants when deploying KDC
* separate function to set ipaConfigString values on service entry
* Revert "Store GSSAPI session key in /var/run/ipa"
* Remove duplicate functionality in upgrade
* Always check and create anonymous principal during KDC install
* Ensure KDC is propery configured after upgrade
* Split out anonymous PKINIT test to a separate method
* Remove unused variable from failed anonymous PKINIT handling
* Upgrade: configure PKINIT after adding anonymous principal
=== Martin Basti (13) ===
* Become IPA 4.5.1
* 4.5.1 Translation update
* 4.5.1 Contributors update
* ipasetup: fix dependencies handling based on python version
* ipaclient: fix missing RPM ownership
* ca_status: add HTTP timeout 30 seconds
* http_request: add timeout option
* Use proper SELinux context with http.keytab
* Store GSSAPI session key in /var/run/ipa
* Fix PKCS11 helper
* Remove surplus 'the' in output of ipa-adtrust-install
* Set "KDC:Disable Last Success" by default
* Set zanata version to ipa-4-5
=== Michal Reznik (2) ===
* test_caless: mark TestCertinstall intermediate CA tests as xfail
* test_caless: add pkinit option and test it
=== Oliver Gutierrez (1) ===
* Added plugins directory to ipaclient subpackages
=== Petr Vobornik (3) ===
* kerberos session: use CA cert with full cert chain for obtaining cookie
* restore: restart/reload gssproxy after restore
* automount install: fix checking of SSSD functionality on uninstall
=== Pavel Vomacka (8) ===
* Turn on NSSOCSP check in mod_nss conf
* WebUI: Allow to add certs to certmapping with CERT LINES around
* WebUI: Fix showing vault in selfservice view
* WebUI: suppress truncation warning in select widget
* WebUI: Add support for suppressing warnings
* WebUI: Add support for login for AD users
* WebUI: add method for disabling item in user dropdown menu
* WebUI: check principals in lowercase
=== Gabe (1) ===
* Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
=== Sumit Bose (7) ===
* IPA-KDB: use relative path in ipa-certmap config snippet
* extdom: improve cert request
* extdom: do reverse search for domain separator
* ipa-kdb: do not depend on certauth_plugin.h
* configure: fix --disable-server with certauth plugin
* IPA certauth plugin
* ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
=== Simo Sorce (7) ===
* Make sure remote hosts have our keys
* Fix s4u2self with adtrust
* Prevent churn on ccaches
* Work around issues fetching session data
* Handle failed authentication via cookie
* Avoid growing FILE ccaches unnecessarily
* Add options to allow ticket caching
=== Stanislav Laznicka (33) ===
* cert-show: writable files does not mean dirs
* Fix wrong message on Dogtag instances stop
* Make CA/KRA fail when they don't start
* Remove the cachedproperty class
* Refresh Dogtag RestClient.ca_host property
* Fix CA/server cert validation in FIPS
* compat plugin: Update link to slapi-nis project
* compat: ignore cn=topology,cn=ipa,cn=etc subtree
* Move the compat plugin setup at the end of install
* compat-manage: behave the same for all users
* Fix CAInstance.import_ra_cert for empty passwords
* Fix RA cert import during DL0 replication
* ext. CA: correctly write the cert chain
* server-install: No double Kerberos install
* Fix CA-less to CA-full upgrade
* replicainstall: better client install exception handling
* Add the force-join option to replica install
* server-install: remove broken no-pkinit check
* Add pki_pin only when needed
* Remove publish_ca_cert() method from NSSDatabase
* Get correct CA cert nickname in CA-less
* Remove redundant option check for cert files
* replica-prepare man: remove pkinit option refs
* Don't allow setting pkinit-related options on DL0
* Fix the order of cert-files check
* Generate PIN for PKI to help Dogtag in FIPS
* Backup CA cert from kerberos folder
* Allow renaming of the sudorule objects
* Allow renaming of the HBAC rule objects
* Reworked the renaming mechanism
* Bump samba version for FIPS and priv. separation
* Backup ipa-specific httpd unit-file
* Add debug log in case cookie retrieval went wrong
=== Timo Aaltonen (1) ===
* configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in
=== Tomas Krizek (7) ===
* ca, kra install: validate DM password
* installutils: add DM password validator
* ca install: merge duplicated code for DM password
* upgrade: add missing suffix to http instance
* installer service: fix typo in service entry
* python2-ipalib: add missing python dependency
* kra install: update installation failure message
--
Martin Bašti
Software Engineer
Red Hat Czech
6 years, 11 months