HTTP certificate expired
by Juan Pablo Lorier
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being agle to get it right.
The initial status was:
Request ID '20191219011208':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
I got it to this state:
Request ID '20191219011208':
status: MONITORING
ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log to the server. Evenmore, what time should I return to, before the certificate expiration or right after?
Thanks in advance
1 year, 4 months
ipa-healthcheck errors
by Rob Verduijn
Hello,
After todays update I noticed I am now running rocky 8.7
freeipa was updated just fine and is working nicely.
However after running ipa-healthcheck I was treated with a HUGE amount of
errors.
After some digging I found that certmonger stopped tracking of all my certs.
Figuring out how to get all the certs tracked again took quite some time
examples or hints on how to do this are sadly missing in ipa-healthcheck
they would have been very usefull
So now all untracked certs are tracked and no longer in ipa-healthcheck
output.
But there are still quite a few errors left which have no clue
Does anybody know how to fix the errors from ipa-healthcheck ? (see txt
below)
Any help would be appreciated
Rob
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object',
'ctrls': [], 'ldap_request': "search_ext_s(('cn=changelog5,cn=config', 0,
'(objectClass=*)'),{'attrlist': ['nsslapd-changelogmaxentries'],
'serverctrls': None, '
clientctrls': None, 'escapehatch': 'i am sure'}) on instance
TJAKO-THUIS"},)
[
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertTracking",
"result": "CRITICAL",
"uuid": "711d096f-c1a8-4528-873d-522498811fbf",
"when": "20221118235210Z",
"duration": "2.149582",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertDNSSAN",
"result": "CRITICAL",
"uuid": "06997e50-52cd-4240-9b90-41cd7bf9e9f6",
"when": "20221118235212Z",
"duration": "2.599630",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "CRITICAL",
"uuid": "5fe7388f-6ec6-433f-87df-4596eabee060",
"when": "20221118235224Z",
"duration": "2.801779",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerCA",
"result": "ERROR",
"uuid": "7a588ee8-f3f0-4db4-91d0-b236a9dcbb81",
"when": "20221118235224Z",
"duration": "0.009275",
"kw": {
"key": "dogtag-ipa-ca-renew-agent-reuse",
"msg": "Certmonger CA '{key}' missing"
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "CRITICAL",
"uuid": "2e82818e-7210-4cf2-bd99-7490841348c6",
"when": "20221118235226Z",
"duration": "0.199291",
"kw": {
"exception": "bus, object_path and dbus_interface must not be None."
}
}
]
1 year, 4 months
'transportCert cert-pki-kra' mix up
by GH
I've got two ancient (3.1?) IPA servers that have been upgraded over time. Last January things got really goofy with certificates and I got it all sorted. However, now I've got an old issue creeping back in. The 'transportCert cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate. This is a multi-master setup. The signing master seems to be the one that's off. It's tracking the updated original 'transportCert cert-pki-kra' certificate. However, the "secondary" master is tracking a newly generated 'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. Neither one of the certificates is expired. Everything else seems to be in working order. Here is ipa-healthcheck's only relevant error:
"source": "ipahealthcheck.dogtag.ca",
"kw": {
"msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
"directive": "ca.connector.KRA.transportCert",
"key": "transportCert cert-pki-kra"
},
So, what should I copy where to get this sorted? It seems like the updated original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then manually scp the NSS files from "primary" to "secondary"? What commands would you use to do this? I've got a lot of commands noted and am beginning to get confused as to which ones should be used to get this sorted. Thanks.
1 year, 4 months
Re: failed to add IPA Replica(Centos 8) on existing IPA cluster (Centos 7) with CA role enabled.
by Florence Blanc-Renaud
Hi,
please keep the list in copy as the resolution steps can often help other
users.
On Fri, Nov 25, 2022 at 4:55 PM Dushyant Khobragade <dushyantk.sun(a)gmail.com>
wrote:
> Hi Flo,
> Thank you for response.
> I could see below logs in /var/log/ipareplica-install.log
> <<Truncated>>>
> 2022-11-25T15:43:46Z DEBUG certmonger request is in state
> 'GENERATING_KEY_PAIR'
> 2022-11-25T15:43:46Z DEBUG certmonger request is in state 'SUBMITTING'
> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
> 2022-11-25T15:44:11Z DEBUG Cert request 20221125154346 failed:
> CA_UNREACHABLE (Server at https://innsv01p1.mylab.domain/ipa/json failed
> request, will retry: 4001 (The service principal for subject alt name
> ipa-ca. mylab.domain in certificate request does not exist).)
>
Is IPA configured as DNS server? You can check with
# ipa config-show | grep DNS
IPA DNS servers: fedora36.ipa.test
If there is at least one server in the IPA DNS servers list, then IPA is
configured as DNS server. It should contain a DNS record for
ipa-ca.mylab.domain with the IP addresses of all the CA servers:
# ipa dnsrecord-show mylab.domain ipa-ca
Record name: ipa-ca
A record: xxx.xxx.xxx.xxx
If you are using an external DNS server, make sure that there is an A
record for ipa-ca. You can generate an update file using
# ipa dns-update-system-records --dry-run
2022-11-25T15:44:11Z DEBUG Giving up on cert request 20221125154346
> 2022-11-25T15:44:11Z DEBUG certmonger request is in state 'GENERATING_CSR'
> 2022-11-25T15:44:12Z DEBUG certmonger request is in state 'SUBMITTING'
> 2022-11-25T15:44:13Z DEBUG certmonger request is in state 'POST_SAVED_CERT'
> 2022-11-25T15:44:14Z DEBUG certmonger request is in state 'MONITORING'
> 2022-11-25T15:44:14Z DEBUG Cert request 20221125154411 was successful
> <<Truncated>>>
> ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server",
> 'ctrls': [], 'info': 'error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (certificate is not yet valid)'}
> 2022-11-25T15:45:40Z CRITICAL Failed to configure CA instance
>
It's not clear if this error or the previous one is the root cause, but the
content of /var/log/pki/pki-ca-spawn.<date>.log on the replica may give
some hints.
*Certificate not yet valid* would strongly suggest that the dates are not
in sync on the master and the replica.
flo
> 2022-11-25T15:45:40Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2022-11-25T15:45:40Z CRITICAL /var/log/pki/pki-tomcat
> 2022-11-25T15:45:40Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 635, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 621, in run_step
> method()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
> line 627, in __spawn_instance
> nolog_list=nolog_list
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
> line 227, in spawn_instance
> self.handle_setup_error(e)
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py",
> line 606, in handle_setup_error
> ) from None
> RuntimeError: CA configuration failed.
> 2022-11-25T15:45:40Z DEBUG [error] RuntimeError: CA configuration failed.
> 2022-11-25T15:45:40Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> >>Truncted>>
>
>
> Thanks & Regards,
> Dushyant
>
>
>
>
>
>
> On Fri, Nov 25, 2022 at 7:18 AM Florence Blanc-Renaud <flo(a)redhat.com>
> wrote:
>
>> Hi,
>>
>> On Fri, Nov 25, 2022 at 3:59 PM dushyant k via FreeIPA-users <
>> freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>>> I am trying to add new replica Centos 8 IPA v.4.7 to my existing centos
>>> 7 IPA cluster which has IPA version 4.6
>>>
>>> I am able to add centos 8 replica as ipa client however while adding as
>>> replica with setup-ca. it failing.
>>>
>>> Please provide the logs from the failing replica
>> (/var/log/ipareplica-install.log).
>>
>>
>>> Also it would be great if anyone can provide documents on migrating IPA
>>> to centos 8 from centos 7
>>>
>> The doc is available here:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>>
>> HTH,
>> flo
>>
>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
1 year, 4 months
Local account override IPA account
by Kevin Vasko
I know this is probably stupid but we have a server with a local account (let’s call this local user “user1”). This server and its install predated our IPA install. This local user also has sudoers exception for this account for a “NOPASSWD” locally on this machine and this machine alone.
After some period of time (it’s been like this for years), we added this “user1” account to FreeIPA so we could use it on other select machine. We kept using the local account as if nothing changed.
This server with the local “user1” account was on Ubuntu 18.04 and with this set up was working fine. We upgraded it to Ubuntu 20.04 and it broke the sudoers “NOPASSWD”. This local account can no longer execute commands without a password as it seems sssd is overriding the “local account” and going back to IPA and asking for its authentication (user1 on this box is local and has a uid of 1000, the freeipa user1 had the random freeIPA generated 123456789 UID).
In my nsswitch.conf
For passwd, group, sudoers all of them have “files” listed first which should instruct sssd to prioritize local account information first, correct?
If I remove “sss” from the nsswitch sudoers line it works as expected.
Is this a regression in sssd or something else Im missing?
-Kevin
1 year, 4 months
IPA servers stopped replicating and cannot get them to replicate again.
by kelly@fergason.com
Hello all,
I have inherited an IPA setup that has some issues. I was unfamiliar
with the IPA software, but am learning a lot
really fast. They had 4 servers, ipa01-04. Replication went from 01
to 02 to 03, and I don't recall how 04 was updated.
Replication stopped working from ipa01 to ipa02, and I have not been
able to get it going again.
At this time, we have one working ipa server, with no redundancy.
Ipa02 and 03 are shutdown at the moment, ipa04 was rebuilt and I used
it to try to create a new replica.
I have tried to reinitialize the replication to ipa02, and I have
tried to create new replicas.
These are set as domainlevel 1, so the process is to create a replica
by promoting a client.
The general process used here was to clear up any replication
agreements between servers and attempt to
reinitialize or install the new replica. It pretty much always fails
the same way.
We had a consultant work with us, and they were unable to determine
what the problem was.
Some basics about the setup. We are running Oracle Linux 7.9,
ipa-server 4.6.8-5.0.1. I have also tried
Oracle Linux 8, and ipa-server 4.9.10, but there is no difference.
DNS is not managed by the ipa server.
Replication seems to be the basis for DR and upgrading, so it would be
really nice to get this
working again.
I am attaching the console output of the ipa-replica-install command,
and the install log file.
Any insights as to how to get this going again would be greatly appreciated.
If anyone needs more information, please let me know.
Thanks,
Kelly
kelly(a)fergason.com
1 year, 4 months
freeipa dns resolving for non local domains fails
by Rob Verduijn
Hello,
I've found an issue with my ipa dns setup.
all local dns queries work fine.
However queries outside my ipa domain fail most of the time.
I found this error in the logs:
managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
I think that this causes my problems with external dns.
Anybody who knows how to deal with this ?
Rob
1 year, 5 months
FreeIPA 4.9.11
by Antonio Torres
The FreeIPA team would like to announce FreeIPA 4.9.11 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
[[highlights_in_4.9.11]]
== Highlights in 4.9.11
* 9083: Support MIT Kerberos KDB version 9
::
;;
FreeIPA now supports MIT Kerberos 1.20. Resource-based constrained
delegation is not yet implemented.
'''''
* 9187: [UX] Preserving a user account produces output saying it was
deleted
::
;;
Previously, the command to preserve a user account used to display a
confusing output "Deleted user: " although the user was preserved
and not deleted. The command now displays "Preserved user: " for
preserved users.
'''''
* 9228: ipa-client-install does not maintain server affinity during
installation
::
;;
ipa-client-install will use a single server for the duration of the
installation process, either one discovered or provided on the
command-line. Previously it would use a temporary configuration to
do enrollment, then switch to a final one for the remaining
operations. This could lead to the installer talking with multiple
servers. If the client installer is faster than replication this
could lead to errors.
'''''
* 9237: Show order in sudo rule list in web interface
::
;;
In the 'sudo rules' page, the WebUI is now displaying a 'sudo order'
column so that the users can easily see which rules override other
rules based on their order.
'''''
* 9258: Do not add TLS CA configuration to ldap.conf anymore
::
;;
FreeIPA client installer does not add explicit TLS CA configuration
to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
configuration is not required as OpenLDAP uses the default CA store
provided by OpenSSL and IPA CA is installed in the default store by
the installer already.
'''''
[[bug_fixes]]
=== Bug fixes
FreeIPA 4.9.11 is a stabilization release for the features delivered as
a part of 4.9 version series.
There are more than 50 bug-fixes since FreeIPA 4.9.10 release. Details
of the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on libera.chat.
[[resolved_tickets]]
== Resolved tickets
* https://pagure.io/freeipa/issue/8946[#8946] RFE: Add label name to
Certificates section in WebUI to enable testing
* https://pagure.io/freeipa/issue/8951[#8951] Test for RFE
ipa-healthcheck tool can include check to see if the system is FIPS
enabled or not
* https://pagure.io/freeipa/issue/9062[#9062] [ipatests] SID generation
and test_xmlrpc/test_user_plugin.py
* https://pagure.io/freeipa/issue/9083[#9083] Support MIT Kerberos KDB
version 9
* https://pagure.io/freeipa/issue/9158[#9158] Internal error when
setting dnsconfig or dnsforwardzone forwarders.
* https://pagure.io/freeipa/issue/9160[#9160]
cryptography.utils.register_interface is scheduled for removal
* https://pagure.io/freeipa/issue/9161[#9161] Nightly test failure in
test_selinuxusermap.py::test_selinuxusermap::test_misc
* https://pagure.io/freeipa/issue/9183[#9183] Timeout issue in
test_installation.py when using interactive mode
* https://pagure.io/freeipa/issue/9185[#9185] Fix missing parameter for
Suse ipaplatform task
* https://pagure.io/freeipa/issue/9187[#9187]
(https://bugzilla.redhat.com/show_bug.cgi?id=2022028[rhbz#2022028]) [UX]
Preserving a user account produces output saying it was deleted
* https://pagure.io/freeipa/issue/9188[#9188]
(https://bugzilla.redhat.com/show_bug.cgi?id=2098187[rhbz#2098187]) Add
warning for empty targetattr when creating ACI with RBAC
* https://pagure.io/freeipa/issue/9189[#9189] ipatests: Fix test_idp.py
for downstream idm-ci
* https://pagure.io/freeipa/issue/9190[#9190]
ipatests.test_ipaserver.test_secure_ajp_connector failing with python
3.6.8 with: TypeError: a bytes-like object is required, not 'str'
* https://pagure.io/freeipa/issue/9192[#9192]
(https://bugzilla.redhat.com/show_bug.cgi?id=2094672[rhbz#2094672]) IdM
WebUI Pagination Size should not allow empty value
* https://pagure.io/freeipa/issue/9198[#9198] [Tracker] nightly failure:
after ipa trust-add, cred cache contains cifs/master.ipa.test(a)IPA.TEST
instead of admin principal
* https://pagure.io/freeipa/issue/9204[#9204] [Tracker] In
ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki
restarts
* https://pagure.io/freeipa/issue/9206[#9206]
(https://bugzilla.redhat.com/show_bug.cgi?id=2109236[rhbz#2109236]) ldap
bind occurs when admin user changes password with gracelimit=0
* https://pagure.io/freeipa/issue/9207[#9207] Failure in
AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)
* https://pagure.io/freeipa/issue/9208[#9208] ap: Doc build fails
against Sphinx 5.1.0
* https://pagure.io/freeipa/issue/9211[#9211]
(https://bugzilla.redhat.com/show_bug.cgi?id=2109243[rhbz#2109243]) RFE:
Allow grace login limit to be set in IPA WebUI.
* https://pagure.io/freeipa/issue/9212[#9212]
(https://bugzilla.redhat.com/show_bug.cgi?id=2115475[rhbz#2115475])
Nightly test failure in
test_user.py::test_user::test_password_expiration_notification
* https://pagure.io/freeipa/issue/9214[#9214] Nightly failure in webui
test test_subid.py::test_subid::test_subid_range_deletion_not_allowed
* https://pagure.io/freeipa/issue/9218[#9218]
(https://bugzilla.redhat.com/show_bug.cgi?id=2116966[rhbz#2116966])
Random failure in test-winsyncmigrate
* https://pagure.io/freeipa/issue/9225[#9225] pytest library module
rename from quarkus to keycloak
* https://pagure.io/freeipa/issue/9226[#9226]
(https://bugzilla.redhat.com/show_bug.cgi?id=2124547[rhbz#2124547])
Infinite redirect loop in the WebUI for user root
* https://pagure.io/freeipa/issue/9228[#9228]
(https://bugzilla.redhat.com/show_bug.cgi?id=2148258[rhbz#2148258])
ipa-client-install does not maintain server affinity during installation
* https://pagure.io/freeipa/issue/9230[#9230] build failure against gcc
< 11
* https://pagure.io/freeipa/issue/9231[#9231] /run/ipa/ccaches uses all
available tmpfs space
* https://pagure.io/freeipa/issue/9237[#9237] Show order in sudo rule
list in web interface
* https://pagure.io/freeipa/issue/9243[#9243]
(https://bugzilla.redhat.com/show_bug.cgi?id=2127833[rhbz#2127833])
Password Policy Grace login limit allows invalid maximum value
* https://pagure.io/freeipa/issue/9245[#9245]
(https://bugzilla.redhat.com/show_bug.cgi?id=2117167[rhbz#2117167])
`extdom` plugin can return object from a wrong domain.
* https://pagure.io/freeipa/issue/9246[#9246] Nightly test failure in
test_user_permissions.TestInstallClientNoAdmin
* https://pagure.io/freeipa/issue/9248[#9248]
(https://bugzilla.redhat.com/show_bug.cgi?id=2124369[rhbz#2124369]) OTP
token sync always returns OK even with random numbers
* https://pagure.io/freeipa/issue/9249[#9249]
(https://bugzilla.redhat.com/show_bug.cgi?id=2108630[rhbz#2108630])
Deprecated feature idnssoaserial in IdM appears when creating reverse
dns zones
* https://pagure.io/freeipa/issue/9252[#9252]
(https://bugzilla.redhat.com/show_bug.cgi?id=2129895[rhbz#2129895])
[DDF] The Examples in the RHEL ipa(1) man page show "ipa help commands"
with content for "ipa halp topics" and "ipa hel
* https://pagure.io/freeipa/issue/9254[#9254] Exclude installed policy
module file from RPM verification
* https://pagure.io/freeipa/issue/9255[#9255] ipapython.dn_ctypes is not
compatible with libldap 2.6
* https://pagure.io/freeipa/issue/9257[#9257]
(https://bugzilla.redhat.com/show_bug.cgi?id=2104185[rhbz#2104185])
Introduction of URI records for kerberos breaks location functionality
* https://pagure.io/freeipa/issue/9258[#9258]
(https://bugzilla.redhat.com/show_bug.cgi?id=2094673[rhbz#2094673]) Do
not add TLS CA configuration to ldap.conf anymore
* https://pagure.io/freeipa/issue/9259[#9259]
(https://bugzilla.redhat.com/show_bug.cgi?id=2144737[rhbz#2144737])
vault interoperability with older RHEL systems is broken
* https://pagure.io/freeipa/issue/9269[#9269]
(https://bugzilla.redhat.com/show_bug.cgi?id=2143224[rhbz#2143224],
https://bugzilla.redhat.com/show_bug.cgi?id=2075452[rhbz#2075452])
ipa-certupdate does not restart/reload KDC on servers
* https://pagure.io/freeipa/issue/9271[#9271]
(https://bugzilla.redhat.com/show_bug.cgi?id=2143224[rhbz#2143224])
Support PKINIT with ipa-client-install
* https://pagure.io/freeipa/issue/9274[#9274] ipa-join: pass the curl
write function by name, not address
[[detailed_changelog_since_4.9.10]]
== Detailed changelog since 4.9.10
[[armando_neto_1]]
=== Armando Neto (1)
* webui: Do not allow empty pagination size
https://pagure.io/freeipa/c/991849cf58fa990ad4540a61214b5ab4fcd4baa1[commit]
https://pagure.io/freeipa/issue/9192[#9192]
[[alexander_bokovoy_10]]
=== Alexander Bokovoy (10)
* ipa-kdb: for delegation check, use different error codes before and
after krb5 1.20
https://pagure.io/freeipa/c/e12aa8bb782e1f3722ae93d63632cd93df06faab[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
https://pagure.io/freeipa/c/a35cac3d6fa80d259240b0eb1d4952c321be9e92[commit]
* ipa-kdb: fix PAC requester check
https://pagure.io/freeipa/c/7e504647dd00202c02cd203ca3474a332d1e413e[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: handle empty S4U proxy in allowed_to_delegate
https://pagure.io/freeipa/c/4755bd42c0f4c8fcda6131ee89b6fa8308d8a75c[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: handle cross-realm TGT entries when generating PAC
https://pagure.io/freeipa/c/0dd3315afb1056e3ca5bfd6af161793b5a5b8d86[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: add krb5 1.20 support
https://pagure.io/freeipa/c/a0d840347b453bda141691ac587bc2ec851f15a5[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
https://pagure.io/freeipa/c/9efa8fe49c08fc584189b9d9ab24dfa8560db824[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipaclient: do not set TLS CA options in ldap.conf anymore
https://pagure.io/freeipa/c/d9a56b51bbb350219d0f5cb0ea6b3cc00230d437[commit]
https://pagure.io/freeipa/issue/9258[#9258]
* fix canonicalization issue in Web UI
https://pagure.io/freeipa/c/109cd579e3b089b7fad4c92bf25594eba1af8a21[commit]
https://pagure.io/freeipa/issue/9226[#9226]
* ipa-otpd: initialize local pointers and handle gcc 10
https://pagure.io/freeipa/c/9290aa5500f752d0eedabdfc92c9fe6c0ee743b8[commit]
https://pagure.io/freeipa/issue/9230[#9230]
[[anuja_more_4]]
=== Anuja More (4)
* ipatests : Test query to AD specific attributes is successful.
https://pagure.io/freeipa/c/21cb86a8e571ac7aa0304c57961881ca9c4aeacb[commit]
https://pagure.io/freeipa/issue/9127[#9127]
* ipatests: Fix install_master for test_idp.py
https://pagure.io/freeipa/c/15f454f6f8d25275c9570e2cc3a97c4e030fc581[commit]
https://pagure.io/freeipa/issue/9189[#9189]
* ipatests: update prci definitions for test_idp.py
https://pagure.io/freeipa/c/50b4d9ab3fcb2e63edc8d20346e4a8a79f15692d[commit]
* Add end to end integration tests for external IdP
https://pagure.io/freeipa/c/857713c5a9c8e0b62c06dd92e69c09eeb34b2e99[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804],
https://pagure.io/freeipa/issue/8805[#8805]
[[antonio_torres_5]]
=== Antonio Torres (5)
* Update list of contributors
https://pagure.io/freeipa/c/4f3dd0538af82bc81b146b03f03743e5ccfc516d[commit]
* Update translations to FreeIPA ipa-4-9 state
https://pagure.io/freeipa/c/59bfe9d87c01f6a73fa359be700847b9f1bb616d[commit]
* Add basic API usage guide
https://pagure.io/freeipa/c/76aa6d2a4293e5d492a7cc087b17603b6d28e34e[commit]
* doc: generate API Reference
https://pagure.io/freeipa/c/beaab476903b2f182a722f45bf8af8fee611f0b7[commit]
* Back to git snapshots
https://pagure.io/freeipa/c/3e90842b3d94268f2ccd42c8decd0eecbcf88f1f[commit]
[[alexey_tikhonov_3]]
=== Alexey Tikhonov (3)
* extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns
object from a wrong domain (performance optimization)
https://pagure.io/freeipa/c/a07cece0c006b3a89fc467284244f979d39f0209[commit]
* extdom: make sure result doesn't miss domain part
https://pagure.io/freeipa/c/3de618f75416afd6c087c243fe35755739d229a4[commit]
https://pagure.io/freeipa/issue/9245[#9245]
* extdom: internal functions should be static
https://pagure.io/freeipa/c/666357649f4dfb8254cb3707e97e12c69e6714f7[commit]
[[carla_martinez_9]]
=== Carla Martinez (9)
* webui: Add name to 'Certificates' table
https://pagure.io/freeipa/c/76c8b47e4fb249db0b7c6185afcc0d11b78c5824[commit]
https://pagure.io/freeipa/issue/8946[#8946]
* webui: Add label name to 'Certificates' section
https://pagure.io/freeipa/c/98eda97648fb0d9a7ae9aac32938d4f889f8a213[commit]
https://pagure.io/freeipa/issue/8946[#8946]
* Update API and VERSION
https://pagure.io/freeipa/c/856edcc8d3c9fe64eff532db669536a0a78ba70d[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* webui: Set 'SOA serial' field as read-only
https://pagure.io/freeipa/c/9f8c9a4d96877bab1cb474615d77aca2fa586ece[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* ipatest: Remove warning message for 'idnssoaserial'
https://pagure.io/freeipa/c/76604df09d8b62795f4e2d1fbc99af9ed55ec5cd[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* Set 'idnssoaserial' to deprecated
https://pagure.io/freeipa/c/e9048daac53e24759a33e2031c8b4224a80a0e54[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* webui: Show 'Sudo order' column
https://pagure.io/freeipa/c/0513a83a4fcd5626168cb45132af8cd1b4a9ee03[commit]
https://pagure.io/freeipa/issue/9237[#9237]
* Set pkeys in test_selinuxusermap.py::test_misc::delete_record
https://pagure.io/freeipa/c/cefa8f1e5f5b01e6863d07e9f3849dfd4c485f22[commit]
https://pagure.io/freeipa/issue/9161[#9161]
* webui: Allow grace login limit
https://pagure.io/freeipa/c/ade5093b08f92b279c200f341e96972a74f644d8[commit]
https://pagure.io/freeipa/issue/9211[#9211]
[[christian_heimes_1]]
=== Christian Heimes (1)
* Add PKINIT support to ipa-client-install
https://pagure.io/freeipa/c/80da53eaada1b5ad61b8cff2f9ed1217fea600c9[commit]
https://pagure.io/freeipa/issue/9269[#9269],
https://pagure.io/freeipa/issue/9271[#9271]
[[jan_kuparinen_20]]
=== Jan Kuparinen (20)
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/841e0c673b222e686083cb96c210a55da6e09ff8[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/4d92e67a45b0caf72ce5028f8bbba06f4d63fb7f[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/e6accc7b3f39e0140e0d1dc3ee6bfcf6636d214d[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/20bcd69f38fb734dc80e5052cb2ed91c19b12994[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/49a41249e1d8cf6b349f895ba88c7490081ab462[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/20269ac630c451734dffef50298cba823ffe2624[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/1853d934d1e93dbf07d50799406ac12995a1d977[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/7037e5389006f1eeea0299918cbbae57893ef125[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/9df1672f479bee01efcd53c46e800e789762bc97[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/eb1a1f35849c1f2e43c282c555b62f7d12962e37[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/216cced00a1973f2103cf678ed94ef3b6c204190[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/e98691b491ae2a8d41c3eb6e7028f6e731dbdbae[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/4d306ee7ebe90275a47b4f182f66bc87bc397170[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/2203f3627f28ff4c81ab9fd24eed31669ae34ff5[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/15457a6d9fdb19466405f6882fbbc9e29510d40e[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/5dcb614691ed31a660edc936612b525b1be0ccae[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/c2061cf9c505c4821c7812a71c464afa367300b5[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/9d6d2e2dc9cfb7c1ef1e400ba90b27474866380f[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/6bdd02db7ace58cbb16d45d5c6dbfb1945e2bb43[commit]
* Added translation using Weblate (Finnish)
https://pagure.io/freeipa/c/6169eb47e1ea42c81ad6022ab02ef3222566f70f[commit]
[[david_pascual_2]]
=== David Pascual (2)
* ipatest: fix prci checker target masked return code & add pylint
https://pagure.io/freeipa/c/6483f33389c7bb1d185f2b39d68f407e131a282c[commit]
* ipatests: Checker script for prci definitions
https://pagure.io/freeipa/c/f33266c2ba9d794a5a1e9994e5fa029d2fa5de70[commit]
[[erik_belko_3]]
=== Erik Belko (3)
* ipatests: Add test for grace login limit
https://pagure.io/freeipa/c/fd92757fc4a20eb73ebe08573c3e7ac5fb5c6ae2[commit]
https://pagure.io/freeipa/issue/9211[#9211]
* ipatests: test for root using admin password in webUI
https://pagure.io/freeipa/c/80b18b08e8cf3aaa9f75769e703c2aab569b599e[commit]
https://pagure.io/freeipa/issue/9226[#9226]
* ipatests: healthcheck: test if system is FIPS enabled
https://pagure.io/freeipa/c/f962a0c2832619100046c923d15f21e8c10fce96[commit]
https://pagure.io/freeipa/issue/8951[#8951]
[[florence_blanc_renaud_15]]
=== Florence Blanc-Renaud (15)
* API doc: adapt the generated doc for 4.9 branch
https://pagure.io/freeipa/c/e725e9954737367fd6b2e5e3566d4f19ddd36295[commit]
* API reference: update dnszone_add generated doc
https://pagure.io/freeipa/c/0caa26daf2cf8f770b0111a22d89e31c763a1e89[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* API reference: update vault doc
https://pagure.io/freeipa/c/4d6eabd3caf629a14c801ced4ad50dd9faa8147e[commit]
https://pagure.io/freeipa/issue/9259[#9259]
* ipatests: update vagrant boxes
https://pagure.io/freeipa/c/ca486d1507a2eb0a05576f835354d8d42c178810[commit]
* Spec file: bump the selinux-policy version
https://pagure.io/freeipa/c/58ad9f2eec0afe494c57015c4449ae39748117e4[commit]
https://pagure.io/freeipa/issue/9198[#9198]
* webui tests: fix test_subid suite
https://pagure.io/freeipa/c/58e12bd93a9b7b1c9a39981ee0c6a724040e164f[commit]
https://pagure.io/freeipa/issue/9214[#9214]
* ipa man page: format the EXAMPLES section
https://pagure.io/freeipa/c/64ef2b9c07ec0b1b316555739ff9f98229258838[commit]
https://pagure.io/freeipa/issue/9252[#9252]
* ipatests: add negative test for otptoken-sync
https://pagure.io/freeipa/c/895a800e90a34f55f5d2789ece6e7bc8e6f5c0a6[commit]
https://pagure.io/freeipa/issue/9248[#9248]
* ipa otptoken-sync: return error when sync fails
https://pagure.io/freeipa/c/4cc94cd3b929ee1878767d23f98ad5e755583c6b[commit]
https://pagure.io/freeipa/issue/9248[#9248]
* gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
https://pagure.io/freeipa/c/a7369944d8b68032eddcc4577b0cc5f9f603cda9[commit]
* ipatests: Fix expected object classes
https://pagure.io/freeipa/c/2385d1d90aa91d34c4b36842a17e72aa2399a733[commit]
https://pagure.io/freeipa/issue/9062[#9062]
* check_repl_update: in progress is a boolean
https://pagure.io/freeipa/c/05a298f56485222583cb7dd4f6a3a4c5c77fc8cf[commit]
https://pagure.io/freeipa/issue/9218[#9218]
* azure tests: disable TestInstallDNSSECFirst
https://pagure.io/freeipa/c/d40fd287836dc8440f69314d77ccb461c7e6ccea[commit]
https://pagure.io/freeipa/issue/9216[#9216]
* xmlrpc tests: updated expected output for preserved user
https://pagure.io/freeipa/c/4984ff210a169129e4e56b10e54e9c795520855c[commit]
https://pagure.io/freeipa/issue/9187[#9187]
* Preserve user: fix the confusing summary
https://pagure.io/freeipa/c/ff4152539b96d309dcceaf854a3e0a49f435acff[commit]
https://pagure.io/freeipa/issue/9187[#9187]
[[francisco_trivino_1]]
=== Francisco Trivino (1)
* Vault: fix interoperability issues with older RHEL systems
https://pagure.io/freeipa/c/c643e56e4c45b7cb61aa53989657143627c23e04[commit]
https://pagure.io/freeipa/issue/9259[#9259]
[[fraser_tweedale_2]]
=== Fraser Tweedale (2)
* install: suggest --skip-mem-check when mem check fails
https://pagure.io/freeipa/c/cbf2614d8acc11a1b41558a45dac8ec98b032732[commit]
https://pagure.io/freeipa/issue/8404[#8404]
* man: add --skip-mem-check to man pages
https://pagure.io/freeipa/c/585cebb1a9673e2fc083dd3c9545a6c080e171e3[commit]
https://pagure.io/freeipa/issue/8404[#8404]
[[matthew_davis_1]]
=== Matthew Davis (1)
* Add missing parameter to Suse modify_nsswitch_pam_stack
https://pagure.io/freeipa/c/4f15804270590fdf0f339fc53ed63bf440361b7b[commit]
https://pagure.io/freeipa/issue/9185[#9185]
[[jesse_sandberg_1]]
=== Jesse Sandberg (1)
* Fix ipa-ccache-sweeper activation timer and clean up service file
https://pagure.io/freeipa/c/358924455d87b67db6cd743f3cfe15522b4c0d91[commit]
https://pagure.io/freeipa/issue/9231[#9231]
[[julien_rische_1]]
=== Julien Rische (1)
* Generate CNAMEs for TXT+URI location krb records
https://pagure.io/freeipa/c/a0652f5dc8efc4580d8039e70c0e762638d3871d[commit]
https://pagure.io/freeipa/issue/9257[#9257]
[[michal_polovka_3]]
=== Michal Polovka (3)
* ipatests: Healthcheck use subject base from IPA not REALM
https://pagure.io/freeipa/c/afa94c7995f236c5eff516652f31c1a956466cf7[commit]
* ipatests: Healthcheck should ignore pki errors when CA is not
configured
https://pagure.io/freeipa/c/206e08d811c43ba8295816e609d4cb7148a774a3[commit]
* ipatests: Increase expect timeout for interactive mode
https://pagure.io/freeipa/c/a6a6781284658e77f36c07cb7fd35b43240946a2[commit]
https://pagure.io/freeipa/issue/9183[#9183]
[[marcin_stanclik_1]]
=== Marcin Stanclik (1)
* Translated using Weblate (Polish)
https://pagure.io/freeipa/c/d198a35cb885b6cc1622bf99b8546675b98c8aed[commit]
[[mohammad_rizwan_1]]
=== Mohammad Rizwan (1)
* ipatests: Test newly added certificate lable
https://pagure.io/freeipa/c/c0b438bc745666694f2c590859d4926178a0ca04[commit]
[[nikola_knazekova_1]]
=== Nikola Knazekova (1)
* Exclude installed policy module file from RPM verification
https://pagure.io/freeipa/c/c977cefa101e145b13b5c19ae5369e5ca7ef1ef8[commit]
https://pagure.io/freeipa/issue/9254[#9254]
[[pavel_březina_1]]
=== Pavel Březina (1)
* docs: add security section to idp
https://pagure.io/freeipa/c/170155b648084846111bf0c65459aba94a8e980d[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804],
https://pagure.io/freeipa/issue/8805[#8805]
[[piotr_drąg_1]]
=== Piotr Drąg (1)
* Translated using Weblate (Polish)
https://pagure.io/freeipa/c/3b0c1cafc16dc927449231a7a70b2876770ba962[commit]
[[hela_basa_3]]
=== Hela Basa (3)
* Added translation using Weblate (Korean)
https://pagure.io/freeipa/c/0a6246ea971282a2f1fc0b5fe3f09f7d656bbf2f[commit]
* Translated using Weblate (Sinhala)
https://pagure.io/freeipa/c/696a72f7aef3df7c0f619f0d67e5fe259cc80c37[commit]
* Added translation using Weblate (Sinhala)
https://pagure.io/freeipa/c/f9590de2e0bc1d2dde4f6a78c72b6a69f773bd99[commit]
[[rob_crittenden_12]]
=== Rob Crittenden (12)
* Pass the curl write callback by name instead of address
https://pagure.io/freeipa/c/9d184a295b1b581f1d5e189ee810c6b08bc0550b[commit]
https://pagure.io/freeipa/issue/9274[#9274]
* Move client certificate request after krb5.conf is created
https://pagure.io/freeipa/c/762d786bf7a3043fd56877949f02bccd077e2711[commit]
https://pagure.io/freeipa/issue/9246[#9246]
* Defer creating the final krb5.conf on clients
https://pagure.io/freeipa/c/69413325158a3ea06d1491acd77ee6e0955ee89a[commit]
https://pagure.io/freeipa/issue/9228[#9228]
* Fix upper bound of password policy grace limit
https://pagure.io/freeipa/c/91a02174a0a9694fd5611c071913ad4720be5ac9[commit]
https://pagure.io/freeipa/issue/9243[#9243]
* Set default on group pwpolicy with no grace limit in upgrade
https://pagure.io/freeipa/c/a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* Set default gracelimit on group password policies to -1
https://pagure.io/freeipa/c/497a57e7a6872fa30d1855a1d91a455bfdbf9300[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* doc: Update LDAP grace period design with default values
https://pagure.io/freeipa/c/434620ee342ac4767beccec647a318bfa7743dfa[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* upgrades: Don't restart the CA on ACME and profile schema change
https://pagure.io/freeipa/c/aaf57185a2701b34948105e8b54075afe048ff18[commit]
https://pagure.io/freeipa/issue/9204[#9204]
* Disabling gracelimit does not prevent LDAP binds
https://pagure.io/freeipa/c/1316cd8b2252c2543cf2ef2186956a8833037b1e[commit]
https://pagure.io/freeipa/issue/9206[#9206]
* Warn for permissions with read/write/search/compare and no attrs
https://pagure.io/freeipa/c/b31631ad69f72fb42b5091375df8021580f8139a[commit]
https://pagure.io/freeipa/issue/9188[#9188]
* Only calculate LDAP password grace when the password is expired
https://pagure.io/freeipa/c/3675bd1d7aca443832bb9bb2f521cc4d3a088aec[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* Fix test_secure_ajp_connector.py failing with Python 3.6.8
https://pagure.io/freeipa/c/de64d6724e028a1882c3a8be31c2752bebdd41fd[commit]
https://pagure.io/freeipa/issue/9190[#9190]
[[ricky_tigg_4]]
=== Ricky Tigg (4)
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/91b63fcae0a588fc174cf865b4e0135c8c0e48ec[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/e6451fe15acf406aa741d4eed296ab6eff7e9313[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/3392f31afe04e5b6b0d49d4e2f2906bc90b3643c[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/a8a2b2cf97bbf8b2b80acce08d0903b6c91c5f98[commit]
[[sumit_bose_1]]
=== Sumit Bose (1)
* ipa-kdb: do not fail if certmap rule cannot be added
https://pagure.io/freeipa/c/e51a0c927db4a4c9b3e1ab0c6dffca545532a2b4[commit]
[[김인수_44]]
=== 김인수 (44)
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/b8c39cca34b75a4ed3ed77a468836778f670027b[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/2c555646dd71911d1bcf860e6c3acbcfd3050ad2[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/53e4e7212b5b6fe0dceb809aaddc83158f8dfef4[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/29dba19aa8862ea7b3185dcc0dba789b8e4af5b8[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/425894153a17de0cdb827a83fad599343e2d3656[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/7f9588f36a2b82df3fd9ef7dd286886021e0ffa6[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/c07e0ec7a5acedef693b0f79fdc68529e64aa023[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/e6e638aea7fda83beb47fa6c2f75772673d351c2[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/994c43513950b4c82dd9e1ed38b56232f3efffaa[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/fd538803cf6c098b2a3386ecc1f4b1e3a27b9a88[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/aef749b632fd636e6d6b920757e13d64303da9d4[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/64b2c0ebfeb7035b8c9d9e38c2a75e046e855f62[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/a24adeab5ca162b3c79358128fcdee22d0bd18f2[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/b70041d904926e9d33423fe1f7b48ca0c3791718[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/246604ec696255674e8716610c387f0f2ef93d73[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/07a1cc5424760a4ef43ffc6734c901f1cc446909[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/e98e21709e2205c8c019cc7006d3f9ded94432ae[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/fe60d1f6f386734b7cb052f34fb798341130052a[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/5bd77e606cb6be3b3a133294027e284f5604b447[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/2c0924f38694603777bcbdab804d9b3331efa239[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/067cae55eced1c1c7bcdbbb0dd56a16d7127488c[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/aa00e7c3cff81e79a1dfce2c1e5348af9f3a3438[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/b5d6616aed77a46de2db53b3395aeaf531537df3[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/7ca1befe7e8ca463052f8b24f6c9b37093dabbaa[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/b2cf29ae168661a12a426bf72e98f43d769fb132[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/8b3ceace34a55fadb560a758c02632efa87ec96f[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/7d12b30e2c6762eda93eb66a1dab2e52770d94aa[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/20006cc713c7666c373804cd7d6415f9af6a6d27[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/9e2f7d041c1c72b329fdacac232451e57a4d0516[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/cf9f35e3eb2c90cb3b07a2c5ed33fdd2f3bfa0b3[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/d6ff8af62ee12517d438d9f3ff02f25219166da4[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/1e65336b3513cf7c6579ac5714c50cb4a965fd96[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/548afe9eed0696ceb4e8abdc3331b3f1f0fad6f2[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/715043df4ea1d416e64ce50b0e141faf36f6c45d[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/18346d99b214f6060ab7f6c83e02f2c4d56ec799[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/9658dbd3c31ad22e175e613f3c51073eb196c72c[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/27dba4a7c3605a1ab03c55458ad4bb47b7c4dbc7[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/d5726f04b6b73d6c1de183ee5b6b7bd96d590db5[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/eac046fd82d02105d3388af1f04527813546e6f7[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/77feee852ed01502c0a0e48d4d4e546332827885[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/00eba1f70445a5faf27db461fb762a030b0b5789[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/101460521cb228f68a52a934acf97eddcbbb9928[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/23fb8a4709af35db3e760159de405adad343c042[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/fd81a77d78423293dee4e117b58f2f9077cb0cbf[commit]
[[stanislav_levin_6]]
=== Stanislav Levin (6)
* ipapython: Support openldap 2.6
https://pagure.io/freeipa/c/7e93f46c589ba0a68c039d65ea3c0872644a0eb0[commit]
https://pagure.io/freeipa/issue/9255[#9255]
* x509: Replace removed register_interface with subclassing
https://pagure.io/freeipa/c/89fe83b03ac3b046685389ee1059ca75c73e53b0[commit]
https://pagure.io/freeipa/issue/9160[#9160]
* ap: Constrain supported docutils
https://pagure.io/freeipa/c/1ada42e3bce58a729e689377b1a41b6cfa90b508[commit]
https://pagure.io/freeipa/issue/9208[#9208]
* ap: Rearrange overloaded jobs
https://pagure.io/freeipa/c/b59baf31bc097821ff7787ecd75affb27ea2a7c3[commit]
https://pagure.io/freeipa/issue/9207[#9207]
* ap: Disable azure's security daemon
https://pagure.io/freeipa/c/98c6e96e8db3d5bdc0315094b8a7bf81d196479b[commit]
https://pagure.io/freeipa/issue/9207[#9207]
* ap: Raise dbus timeout
https://pagure.io/freeipa/c/e77b0b08d78d4d5ae7632ef23aebc577848ea507[commit]
https://pagure.io/freeipa/issue/9207[#9207]
[[scott_poore_1]]
=== Scott Poore (1)
* ipatests: Rename create_quarkus to create_keycloak
https://pagure.io/freeipa/c/88ea19b9a53d9c209105af049a1df100d07e081a[commit]
https://pagure.io/freeipa/issue/9225[#9225]
[[sudhir_menon_2]]
=== Sudhir Menon (2)
* ipatests: WebUI: do not allow subid range deletion
https://pagure.io/freeipa/c/58b026716c973f422b1b98e27eb9536e59919d82[commit]
https://pagure.io/freeipa/issue/9150[#9150]
* ipatests: ipa-client-install --subid adds entry in nsswitch.conf
https://pagure.io/freeipa/c/a5762621ef3ed1e699306a8d2eef634bc927a6fc[commit]
https://pagure.io/freeipa/issue/9159[#9159]
[[timo_aaltonen_2]]
=== Timo Aaltonen (2)
* ipaplatform/debian: Drop the path for ldap.so
https://pagure.io/freeipa/c/56c827099708d8613e194052857e121612fbd768[commit]
* ipaplatform/debian: Use multiarch path for libsofthsm2.so
https://pagure.io/freeipa/c/c39c2ee80db056296f6826746b5b7a5bf7ba7cc4[commit]
[[thomas_woerner_1]]
=== Thomas Woerner (1)
* DNSResolver: Fix use of nameservers with ports
https://pagure.io/freeipa/c/5e2e4664aec641886923c2bec61ce25b96edb62a[commit]
https://pagure.io/freeipa/issue/9158[#9158]
[[yuri_chornoivan_3]]
=== Yuri Chornoivan (3)
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/61dea74b405d251ea2778e209b03a167064b1bf6[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/842a6457fda382d78a11bce626b2ef0ef3749aa0[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/6353e45b5dd446b7acc46244d8bb10c38c39f9ce[commit]
1 year, 5 months
FreeIPA 4.10.1
by Antonio Torres
The FreeIPA team would like to announce FreeIPA 4.10.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
[[highlights_in_4.10.1]]
== Highlights in 4.10.1
* 8803: Add support for managing IdP references
::
;;
FreeIPA can now authenticate users with the help of OAuth 2.0
identity providers supporting OAuth 2.0 Device Authorization Flow.
IdPs known to work are Keycloak, Microsoft Azure, Google, Github,
and Okta. Details on how to use Keycloak can be found in FreeIPA
workshop:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support...
'''''
* 9083: Support MIT Kerberos KDB version 9
::
;;
FreeIPA now supports MIT Kerberos 1.20. Resource-based constrained
delegation is not yet implemented.
'''''
* 9228: ipa-client-install does not maintain server affinity during
installation
::
;;
ipa-client-install will use a single server for the duration of the
installation process, either one discovered or provided on the
command-line. Previously it would use a temporary configuration to
do enrollment, then switch to a final one for the remaining
operations. This could lead to the installer talking with multiple
servers. If the client installer is faster than replication this
could lead to errors.
'''''
* 9237: Show order in sudo rule list in web interface
::
;;
In the 'sudo rules' page, the WebUI is now displaying a 'sudo order'
column so that the users can easily see which rules override other
rules based on their order.
'''''
* 9258: Do not add TLS CA configuration to ldap.conf anymore
::
;;
FreeIPA client installer does not add explicit TLS CA configuration
to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
configuration is not required as OpenLDAP uses the default CA store
provided by OpenSSL and IPA CA is installed in the default store by
the installer already.
'''''
* 9273: [RFE] Support IPA CA installation on an HSM
::
;;
FreeIPA CA can now be deployed with a hardware security module as a
CA storage device. Supported use case details can be found in HSM
design document:
https://freeipa.readthedocs.io/en/ipa-4-10/designs/hsm.html
'''''
[[bug_fixes]]
=== Bug fixes
FreeIPA 4.10.1 is a stabilization release for the features delivered as
a part of 4.10 version series.
There are more than 50 bug-fixes since FreeIPA 4.10.0 release. Details
of the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on libera.chat.
[[resolved_tickets]]
== Resolved tickets
* https://pagure.io/freeipa/issue/8803[#8803] Add support for managing
IdP references
* https://pagure.io/freeipa/issue/8804[#8804] Extend supported user
authentication methods in IPA to allow IdP auth
* https://pagure.io/freeipa/issue/8805[#8805] Extend `ipa-otpd` daemon
to recognize IdP references
* https://pagure.io/freeipa/issue/8946[#8946] RFE: Add label name to
Certificates section in WebUI to enable testing
* https://pagure.io/freeipa/issue/8951[#8951] Test for RFE
ipa-healthcheck tool can include check to see if the system is FIPS
enabled or not
* https://pagure.io/freeipa/issue/9062[#9062] [ipatests] SID generation
and test_xmlrpc/test_user_plugin.py
* https://pagure.io/freeipa/issue/9083[#9083] Support MIT Kerberos KDB
version 9
* https://pagure.io/freeipa/issue/9158[#9158] Internal error when
setting dnsconfig or dnsforwardzone forwarders.
* https://pagure.io/freeipa/issue/9160[#9160]
cryptography.utils.register_interface is scheduled for removal
* https://pagure.io/freeipa/issue/9161[#9161] Nightly test failure in
test_selinuxusermap.py::test_selinuxusermap::test_misc
* https://pagure.io/freeipa/issue/9179[#9179]
test_caless_TestServerCALessToExternalCA_RSN fails in teardown
* https://pagure.io/freeipa/issue/9188[#9188]
(https://bugzilla.redhat.com/show_bug.cgi?id=2098187[rhbz#2098187]) Add
warning for empty targetattr when creating ACI with RBAC
* https://pagure.io/freeipa/issue/9192[#9192]
(https://bugzilla.redhat.com/show_bug.cgi?id=2094672[rhbz#2094672]) IdM
WebUI Pagination Size should not allow empty value
* https://pagure.io/freeipa/issue/9198[#9198] [Tracker] nightly failure:
after ipa trust-add, cred cache contains cifs/master.ipa.test(a)IPA.TEST
instead of admin principal
* https://pagure.io/freeipa/issue/9204[#9204] [Tracker] In
ipa-server-upgrade ca_upgrade_schema() results in unnecessary pki
restarts
* https://pagure.io/freeipa/issue/9206[#9206]
(https://bugzilla.redhat.com/show_bug.cgi?id=2109236[rhbz#2109236]) ldap
bind occurs when admin user changes password with gracelimit=0
* https://pagure.io/freeipa/issue/9207[#9207] Failure in
AzurePipeline.freeipa (GATING InstallDNSSECFirst_1_to_5)
* https://pagure.io/freeipa/issue/9208[#9208] ap: Doc build fails
against Sphinx 5.1.0
* https://pagure.io/freeipa/issue/9211[#9211]
(https://bugzilla.redhat.com/show_bug.cgi?id=2109243[rhbz#2109243]) RFE:
Allow grace login limit to be set in IPA WebUI.
* https://pagure.io/freeipa/issue/9212[#9212]
(https://bugzilla.redhat.com/show_bug.cgi?id=2115475[rhbz#2115475])
Nightly test failure in
test_user.py::test_user::test_password_expiration_notification
* https://pagure.io/freeipa/issue/9214[#9214] Nightly failure in webui
test test_subid.py::test_subid::test_subid_range_deletion_not_allowed
* https://pagure.io/freeipa/issue/9218[#9218]
(https://bugzilla.redhat.com/show_bug.cgi?id=2116966[rhbz#2116966])
Random failure in test-winsyncmigrate
* https://pagure.io/freeipa/issue/9225[#9225] pytest library module
rename from quarkus to keycloak
* https://pagure.io/freeipa/issue/9226[#9226]
(https://bugzilla.redhat.com/show_bug.cgi?id=2124547[rhbz#2124547])
Infinite redirect loop in the WebUI for user root
* https://pagure.io/freeipa/issue/9227[#9227] Need test for Keycloak
Bridge authentication
* https://pagure.io/freeipa/issue/9228[#9228] ipa-client-install does
not maintain server affinity during installation
* https://pagure.io/freeipa/issue/9230[#9230] build failure against gcc
< 11
* https://pagure.io/freeipa/issue/9231[#9231] /run/ipa/ccaches uses all
available tmpfs space
* https://pagure.io/freeipa/issue/9237[#9237] Show order in sudo rule
list in web interface
* https://pagure.io/freeipa/issue/9238[#9238] Nightly test failure
(rawhide) in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ds_configcheck_passwordstorage
* https://pagure.io/freeipa/issue/9243[#9243]
(https://bugzilla.redhat.com/show_bug.cgi?id=2127833[rhbz#2127833])
Password Policy Grace login limit allows invalid maximum value
* https://pagure.io/freeipa/issue/9244[#9244] Nightly test failure in
test_commands.py::TestIPACommand::test_ipa_cacert_manage_prune
* https://pagure.io/freeipa/issue/9245[#9245]
(https://bugzilla.redhat.com/show_bug.cgi?id=2117167[rhbz#2117167])
`extdom` plugin can return object from a wrong domain.
* https://pagure.io/freeipa/issue/9246[#9246] Nightly test failure in
test_user_permissions.TestInstallClientNoAdmin
* https://pagure.io/freeipa/issue/9248[#9248]
(https://bugzilla.redhat.com/show_bug.cgi?id=2124369[rhbz#2124369]) OTP
token sync always returns OK even with random numbers
* https://pagure.io/freeipa/issue/9249[#9249]
(https://bugzilla.redhat.com/show_bug.cgi?id=2108630[rhbz#2108630])
Deprecated feature idnssoaserial in IdM appears when creating reverse
dns zones
* https://pagure.io/freeipa/issue/9250[#9250] Add basic test for
authenticating as Keycloak user on IPA client
* https://pagure.io/freeipa/issue/9252[#9252]
(https://bugzilla.redhat.com/show_bug.cgi?id=2129895[rhbz#2129895])
[DDF] The Examples in the RHEL ipa(1) man page show "ipa help commands"
with content for "ipa halp topics" and "ipa hel
* https://pagure.io/freeipa/issue/9254[#9254] Exclude installed policy
module file from RPM verification
* https://pagure.io/freeipa/issue/9255[#9255] ipapython.dn_ctypes is not
compatible with libldap 2.6
* https://pagure.io/freeipa/issue/9257[#9257]
(https://bugzilla.redhat.com/show_bug.cgi?id=2104185[rhbz#2104185])
Introduction of URI records for kerberos breaks location functionality
* https://pagure.io/freeipa/issue/9258[#9258]
(https://bugzilla.redhat.com/show_bug.cgi?id=2094673[rhbz#2094673]) Do
not add TLS CA configuration to ldap.conf anymore
* https://pagure.io/freeipa/issue/9259[#9259]
(https://bugzilla.redhat.com/show_bug.cgi?id=2144737[rhbz#2144737])
vault interoperability with older RHEL systems is broken
* https://pagure.io/freeipa/issue/9264[#9264] Nightly failure in
test_integration/test_sso.py::TestSsoBridge::test_ipa_login_with_sso_user
* https://pagure.io/freeipa/issue/9269[#9269]
(https://bugzilla.redhat.com/show_bug.cgi?id=2143224[rhbz#2143224],
https://bugzilla.redhat.com/show_bug.cgi?id=2075452[rhbz#2075452])
ipa-certupdate does not restart/reload KDC on servers
* https://pagure.io/freeipa/issue/9271[#9271]
(https://bugzilla.redhat.com/show_bug.cgi?id=2143224[rhbz#2143224])
Support PKINIT with ipa-client-install
* https://pagure.io/freeipa/issue/9273[#9273]
(https://bugzilla.redhat.com/show_bug.cgi?id=1405935[rhbz#1405935])
[RFE] Support IPA CA installation on an HSM
* https://pagure.io/freeipa/issue/9274[#9274] ipa-join: pass the curl
write function by name, not address
[[detailed_changelog_since_4.10.0]]
== Detailed changelog since 4.10.0
[[armando_neto_1]]
=== Armando Neto (1)
* webui: Do not allow empty pagination size
https://pagure.io/freeipa/c/02d3fb8266d8199fd1ed983de6c57b269546df82[commit]
https://pagure.io/freeipa/issue/9192[#9192]
[[alexander_bokovoy_11]]
=== Alexander Bokovoy (11)
* ipa-kdb: for delegation check, use different error codes before and
after krb5 1.20
https://pagure.io/freeipa/c/465d5f5c6a956109b66abf60af0edd31fa2bce41[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
https://pagure.io/freeipa/c/d3c7a4faae8fd58a8d08bf6191d47fefe276ddba[commit]
* ipa-kdb: fix PAC requester check
https://pagure.io/freeipa/c/88c1293f3a92451b6d5d5f7cb1a81d55a789b793[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: handle empty S4U proxy in allowed_to_delegate
https://pagure.io/freeipa/c/1d4db340461298fed66607bde5fb0ca0f033c5aa[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: handle cross-realm TGT entries when generating PAC
https://pagure.io/freeipa/c/a5ca25003da5906703e8bd12b0759d48bc52e6b2[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: add krb5 1.20 support
https://pagure.io/freeipa/c/e9ae0e350dcee5c9bbcd5a6932b4eb0daa90fea7[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
https://pagure.io/freeipa/c/f0c72dcb87f86b9b00d0c087a959e64ce10eea98[commit]
https://pagure.io/freeipa/issue/9083[#9083]
* ipaclient: do not set TLS CA options in ldap.conf anymore
https://pagure.io/freeipa/c/93b0e6a96a1aea45adc0d4c8bb26b226ce683573[commit]
https://pagure.io/freeipa/issue/9258[#9258]
* Remove empty translation for 'si' which breaks linter
https://pagure.io/freeipa/c/41ba166c77ca8011a35f80f2791a211c429a271e[commit]
* fix canonicalization issue in Web UI
https://pagure.io/freeipa/c/a0928fe164712303a7c24ee61500ac7326bd9e4a[commit]
https://pagure.io/freeipa/issue/9226[#9226]
* ipa-otpd: initialize local pointers and handle gcc 10
https://pagure.io/freeipa/c/9441d7ed1ac67dc74ca6177b474d10da97b06a2f[commit]
https://pagure.io/freeipa/issue/9230[#9230]
[[anuja_more_1]]
=== Anuja More (1)
* ipatests : Test query to AD specific attributes is successful.
https://pagure.io/freeipa/c/db7cd79858ec8fad7d094ca883d8b7d82c7c1ac1[commit]
https://pagure.io/freeipa/issue/9127[#9127]
[[andika_triwidada_1]]
=== Andika Triwidada (1)
* Translated using Weblate (Indonesian)
https://pagure.io/freeipa/c/3885bd6fd75e984f990dc0e0f760f61815139181[commit]
[[antonio_torres_6]]
=== Antonio Torres (6)
* Back to git snapshots
https://pagure.io/freeipa/c/657a7b2556e22b70802809dd784fe576d3edea95[commit]
* Become IPA 4.10.1
https://pagure.io/freeipa/c/e5819bcae6779b89b6d11a144f293a4838344738[commit]
* Update translations to FreeIPA ipa-4-10 state
https://pagure.io/freeipa/c/4baee5ca23b279d6905cdd5f01e95b75e5f08c96[commit]
* Add basic API usage guide
https://pagure.io/freeipa/c/4e490d20a031d619cb4cae46d27f66e1fc2c9dc5[commit]
* doc: generate API Reference
https://pagure.io/freeipa/c/5626976ef03dbfe271b6f3a1d76a69fabdf06e8a[commit]
* Back to git snapshots
https://pagure.io/freeipa/c/c9d9fb3a3a63f66d60541f21f2f3466b6d9a89b3[commit]
[[alexey_tikhonov_3]]
=== Alexey Tikhonov (3)
* extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns
object from a wrong domain (performance optimization)
https://pagure.io/freeipa/c/1360c8b09f0862fe961fbb015f55d6b3cbd9aee9[commit]
* extdom: make sure result doesn't miss domain part
https://pagure.io/freeipa/c/4685f9d881c09fa317cb68fba1b94c29e48a7a8b[commit]
https://pagure.io/freeipa/issue/9245[#9245]
* extdom: internal functions should be static
https://pagure.io/freeipa/c/113cb8d715cf7bed8bcc36845940acc20fed8e60[commit]
[[carla_martinez_9]]
=== Carla Martinez (9)
* webui: Add name to 'Certificates' table
https://pagure.io/freeipa/c/813df68b086113cb093108ebfec3bdad86703841[commit]
https://pagure.io/freeipa/issue/8946[#8946]
* webui: Add label name to 'Certificates' section
https://pagure.io/freeipa/c/54470c6b3b3958dbc0eeb2cda17e306123cb9f3a[commit]
https://pagure.io/freeipa/issue/8946[#8946]
* Update API and VERSION
https://pagure.io/freeipa/c/48b9cc3345f8596904bce14d580cd4b19bfbda15[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* webui: Set 'SOA serial' field as read-only
https://pagure.io/freeipa/c/9b274bc5d01c58806f18e549b566d93e25b40214[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* ipatest: Remove warning message for 'idnssoaserial'
https://pagure.io/freeipa/c/3d34673b8c04c9ec849f8276876fd8bbd4fe2234[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* Set 'idnssoaserial' to deprecated
https://pagure.io/freeipa/c/242ed2e500510f33f4595fb1b29adb25b1517982[commit]
https://pagure.io/freeipa/issue/9249[#9249]
* webui: Show 'Sudo order' column
https://pagure.io/freeipa/c/54b81617674be79577b8c3abf0949725d9a428c7[commit]
https://pagure.io/freeipa/issue/9237[#9237]
* Set pkeys in test_selinuxusermap.py::test_misc::delete_record
https://pagure.io/freeipa/c/ea792e11eb85a5b05b2b78f0215c147a52d2d265[commit]
https://pagure.io/freeipa/issue/9161[#9161]
* webui: Allow grace login limit
https://pagure.io/freeipa/c/7a1e1d9f1cb13679c28f12d05b156a08bcc4d856[commit]
https://pagure.io/freeipa/issue/9211[#9211]
[[christian_heimes_1]]
=== Christian Heimes (1)
* Add PKINIT support to ipa-client-install
https://pagure.io/freeipa/c/9d902d340793d01aa6b65d01a1facaf480819526[commit]
https://pagure.io/freeipa/issue/9269[#9269],
https://pagure.io/freeipa/issue/9271[#9271]
[[jan_kuparinen_14]]
=== Jan Kuparinen (14)
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/d4b9203376115508f596c6469c9c3be24d719ff2[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/242a0dadcf86bb27efccdc1be1946c39f0ba2931[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/98e80985bae7fa7104d8dd621c73c2b848630417[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/2b0c9d91285282df5f545fc6c331b5b9a219048e[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/dbe49df1b3d2fb254315ed26190792c8aaf89c38[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/0caffa37c01a7a77301368413854473520e5e055[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/63fceacb176162210cd5d64f73ecf10b1bf8d402[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/606ce6d52aa4b29e1af787c7830d30d6846c932e[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/10a51197f27d90fab78bdf6a4a0cae6779589299[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/1c1187beedb23f91614f131fda15c6c6f6264556[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/a1c0031c9044135ae00ac9f3e22beb22bd5fbb07[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/bcc5819830e23867a5c1471f3a37576d705ce8d8[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/3452c6fcf0730351b45ecbeb7d89ff318319f7c0[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/a4202264936dca51b476178f5061692cd569373b[commit]
[[david_pascual_2]]
=== David Pascual (2)
* ipatest: fix prci checker target masked return code & add pylint
https://pagure.io/freeipa/c/51f1321b9c2263edd3f725abe3f90e56678adf94[commit]
* ipatests: Checker script for prci definitions
https://pagure.io/freeipa/c/3d827979d2688607bd5376501ef71c2b63124603[commit]
[[erik_belko_3]]
=== Erik Belko (3)
* ipatests: Add test for grace login limit
https://pagure.io/freeipa/c/a2a3d45ed790aaa1a618413df0a1181f8eeb1aa8[commit]
https://pagure.io/freeipa/issue/9211[#9211]
* ipatests: test for root using admin password in webUI
https://pagure.io/freeipa/c/0085757806e32c63bc1e1a2a2d762d4df2036f73[commit]
https://pagure.io/freeipa/issue/9226[#9226]
* ipatests: healthcheck: test if system is FIPS enabled
https://pagure.io/freeipa/c/c55185d3dc3c6cd2ffebab77fbf8caa40a32bcd1[commit]
https://pagure.io/freeipa/issue/8951[#8951]
[[endi_sukma_dewata_2]]
=== Endi Sukma Dewata (2)
* Explicitly use legacy ID generators by default
https://pagure.io/freeipa/c/580881104e873e8eaf977e750b29660cfbeb680e[commit]
* Remove pki_restart_configured_instance
https://pagure.io/freeipa/c/79f765586e8f18e37f3dbe036b12715bef49e442[commit]
[[florence_blanc_renaud_20]]
=== Florence Blanc-Renaud (20)
* ipatests: update vagrant boxes
https://pagure.io/freeipa/c/f5fb8b05a75c4b88534cddd4aa298a741d221b59[commit]
* ipatests: remove xfail for tests using sssctl domain-status
https://pagure.io/freeipa/c/9a95c51577bfd5b4dcaf84369495585fbce57b20[commit]
https://pagure.io/freeipa/issue/9234[#9234]
* spec file: bump sssd version
https://pagure.io/freeipa/c/eb25f89f2d0e756579b2969e8408fd7563ac5aaf[commit]
https://pagure.io/freeipa/issue/9234[#9234]
* ipatests: re-enable dnssec tests
https://pagure.io/freeipa/c/9b1af71637cba49c7c9dd4eae36cb25fa5ecbd33[commit]
https://pagure.io/freeipa/issue/9216[#9216]
* Spec file: bump bind version on f37+
https://pagure.io/freeipa/c/1dfb5d56f14a532bfe0df2bbd2f8abc10651faab[commit]
https://pagure.io/freeipa/issue/9216[#9216]
* Spec file: bump the selinux-policy version
https://pagure.io/freeipa/c/4e201ec97e5c54ad8d5fa02285e628d1a36d9ea7[commit]
https://pagure.io/freeipa/issue/9198[#9198]
* webui tests: fix test_subid suite
https://pagure.io/freeipa/c/9936379c9f0d6c888785ccca8766ed7074054270[commit]
https://pagure.io/freeipa/issue/9214[#9214]
* ipatests: mark xfail tests using dnssec
https://pagure.io/freeipa/c/3d093c66f21c57afeb8cfc242390d0d032509ab3[commit]
https://pagure.io/freeipa/issue/9216[#9216]
* ipatests: mark xfail tests using sssctl domain-status
https://pagure.io/freeipa/c/40b9c6fc4746cfa32d8bf7c2038745cc037c673b[commit]
https://pagure.io/freeipa/issue/9234[#9234]
* Tests: test on f37 and f36
https://pagure.io/freeipa/c/a6485d6325585d0f80b659c473b3675728556ce1[commit]
* ipa man page: format the EXAMPLES section
https://pagure.io/freeipa/c/1546c0b206e02902b4aba631ee83f2f7ba5acb1f[commit]
https://pagure.io/freeipa/issue/9252[#9252]
* ipatests: add negative test for otptoken-sync
https://pagure.io/freeipa/c/d9f33b7cd7e336be90d889e2db4c4bce18753918[commit]
https://pagure.io/freeipa/issue/9248[#9248]
* ipa otptoken-sync: return error when sync fails
https://pagure.io/freeipa/c/221768f882784755c6449ff70f291fab780cce16[commit]
https://pagure.io/freeipa/issue/9248[#9248]
* ipa-cacert-manage prune: remove all expired certs
https://pagure.io/freeipa/c/c5bcaab8f1e09ab7a0464f5a532f154d43ffcadb[commit]
https://pagure.io/freeipa/issue/9244[#9244]
* gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
https://pagure.io/freeipa/c/458dcebd2542de70c987ca89fe49f15d3f40ee82[commit]
* ipatests: Fix expected object classes
https://pagure.io/freeipa/c/b6520bef2ef05dd87636d8b57e3247d451af81d8[commit]
https://pagure.io/freeipa/issue/9062[#9062]
* check_repl_update: in progress is a boolean
https://pagure.io/freeipa/c/2003eb6b3d4a27a5de5eaa79418f115dd99886cd[commit]
https://pagure.io/freeipa/issue/9218[#9218]
* azure tests: disable TestInstallDNSSECFirst
https://pagure.io/freeipa/c/eb9f606ffd1ad3ccd846173c152c52a171be8f86[commit]
https://pagure.io/freeipa/issue/9216[#9216]
* Nightly tests: fix template for nightly_ipa-4-10_latest.yaml
https://pagure.io/freeipa/c/4499c7379b5531501bb1a5ea58ab575bf3b08907[commit]
* ipatests: add nightly definitions for ipa-4-10 branch
https://pagure.io/freeipa/c/6c6a43c9090b5f61726512182a36958cbdafc9a4[commit]
[[francisco_trivino_1]]
=== Francisco Trivino (1)
* Vault: fix interoperability issues with older RHEL systems
https://pagure.io/freeipa/c/ba962632cd008edd057f61e7e6fadbf464ff94f2[commit]
https://pagure.io/freeipa/issue/9259[#9259]
[[fraser_tweedale_2]]
=== Fraser Tweedale (2)
* install: suggest --skip-mem-check when mem check fails
https://pagure.io/freeipa/c/cebfb8792006af1a41c4c26c49372f0ea822dbaf[commit]
https://pagure.io/freeipa/issue/8404[#8404]
* man: add --skip-mem-check to man pages
https://pagure.io/freeipa/c/e7bee5b668fee083d8ada167f307857761c25d80[commit]
https://pagure.io/freeipa/issue/8404[#8404]
[[jesse_sandberg_1]]
=== Jesse Sandberg (1)
* Fix ipa-ccache-sweeper activation timer and clean up service file
https://pagure.io/freeipa/c/f6a661bdaf0560eac99ca63ffb25ec739281a19a[commit]
https://pagure.io/freeipa/issue/9231[#9231]
[[julien_rische_1]]
=== Julien Rische (1)
* Generate CNAMEs for TXT+URI location krb records
https://pagure.io/freeipa/c/b0d909968bfa323f16aae46f6126abf7625d11e9[commit]
https://pagure.io/freeipa/issue/9257[#9257]
[[mohammad_rizwan_1]]
=== Mohammad Rizwan (1)
* ipatests: Test newly added certificate lable
https://pagure.io/freeipa/c/580e62a1615483c9ae94fabce8bd8eacc83028f2[commit]
[[nikola_knazekova_1]]
=== Nikola Knazekova (1)
* Exclude installed policy module file from RPM verification
https://pagure.io/freeipa/c/ad7bdd46fb64c3fbb8104a9599459795fc193389[commit]
https://pagure.io/freeipa/issue/9254[#9254]
[[weblate_5]]
=== Weblate (5)
* Update translation files
https://pagure.io/freeipa/c/357dd550ce3568e37edebd4bb3394a706eb81182[commit]
* Update translation files
https://pagure.io/freeipa/c/c8c4e93fd64329df76b4754f74d70cfceed6c452[commit]
* Update translation files
https://pagure.io/freeipa/c/921fdd2ca879b8d6c1e601a17eb3eb9b197f9797[commit]
* Update translation files
https://pagure.io/freeipa/c/3500d05f8904d7bab84d950c81563d9bfb6d1474[commit]
* Update translation files
https://pagure.io/freeipa/c/d0b336025fd0408e1f81811330cac6682ba0bed6[commit]
[[pavel_březina_1]]
=== Pavel Březina (1)
* docs: add security section to idp
https://pagure.io/freeipa/c/56d287248039f56c7b6bba3860061cb2b4460337[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804],
https://pagure.io/freeipa/issue/8805[#8805]
[[piotr_drąg_2]]
=== Piotr Drąg (2)
* Translated using Weblate (Polish)
https://pagure.io/freeipa/c/31f7860d089a628a4ccfaf8db507ecadfaa75805[commit]
* Translated using Weblate (Polish)
https://pagure.io/freeipa/c/f9419bdad41a87aa4454fcb1d725988b27c634a1[commit]
[[rob_crittenden_13]]
=== Rob Crittenden (13)
* doc: Design for HSM support
https://pagure.io/freeipa/c/2aa8ec1df1468ef2ed8e54ec76f53b858ce0d241[commit]
https://pagure.io/freeipa/issue/9273[#9273]
* Support tokens and optional password files when opening an NSS db
https://pagure.io/freeipa/c/1de3f6c5580dfe57e39c72268dc54b9dfeb17e69[commit]
https://pagure.io/freeipa/issue/9273[#9273]
* Pass the curl write callback by name instead of address
https://pagure.io/freeipa/c/5631e4747073b7bba42a323e60a7822e712a740f[commit]
https://pagure.io/freeipa/issue/9274[#9274]
* Move client certificate request after krb5.conf is created
https://pagure.io/freeipa/c/f3c861b9fcbf7815161b46e5eab582813c1021dc[commit]
https://pagure.io/freeipa/issue/9246[#9246]
* Defer creating the final krb5.conf on clients
https://pagure.io/freeipa/c/3cbf2b25422100cc4105dfb09ee8c7bf87232198[commit]
https://pagure.io/freeipa/issue/9228[#9228]
* Fix upper bound of password policy grace limit
https://pagure.io/freeipa/c/3c4386ce057a0fd50c7494db43c71405c9674b8f[commit]
https://pagure.io/freeipa/issue/9243[#9243]
* Set default on group pwpolicy with no grace limit in upgrade
https://pagure.io/freeipa/c/de6f074538f6641fd9d84bed204a3d4d50eccbe5[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* Set default gracelimit on group password policies to -1
https://pagure.io/freeipa/c/45e6d49b94da78cd82eb016b3266a17a1359a087[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* doc: Update LDAP grace period design with default values
https://pagure.io/freeipa/c/1aa39529cda4ab9620539dbad705cedd23c21b42[commit]
https://pagure.io/freeipa/issue/9212[#9212]
* upgrades: Don't restart the CA on ACME and profile schema change
https://pagure.io/freeipa/c/459b81b196b7bf36100aa2f4e5c4d36b1e4526f6[commit]
https://pagure.io/freeipa/issue/9204[#9204]
* Disabling gracelimit does not prevent LDAP binds
https://pagure.io/freeipa/c/1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5[commit]
https://pagure.io/freeipa/issue/9206[#9206]
* Warn for permissions with read/write/search/compare and no attrs
https://pagure.io/freeipa/c/499f71729b8689d40608d9c99db703eb2c00a934[commit]
https://pagure.io/freeipa/issue/9188[#9188]
* Only calculate LDAP password grace when the password is expired
https://pagure.io/freeipa/c/33cd62e0daa68fa6a9b3ca495d97ac5ce8713349[commit]
https://pagure.io/freeipa/issue/1539[#1539]
[[ricky_tigg_3]]
=== Ricky Tigg (3)
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/67c54ce7a9b7c11a56475e1d8de586b18abce228[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/86f828a7e52ee09ae6e666dce11183c0dd091540[commit]
* Translated using Weblate (Finnish)
https://pagure.io/freeipa/c/4b10b6dab45c87472bb1fe0baeeee987ae1b23ba[commit]
[[sumit_bose_1]]
=== Sumit Bose (1)
* ipa-kdb: do not fail if certmap rule cannot be added
https://pagure.io/freeipa/c/ae445f72a009d14135e11ff932eded2dc2dc9c86[commit]
[[김인수_4]]
=== 김인수 (4)
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/d5ea8d6c9f7208a2ae8b5379c88ae36e7c4f62e6[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/4ea9b5ef0f3ee1361a59622e4d6c3274cf2e7ad4[commit]
* Translated using Weblate (Korean)
https://pagure.io/freeipa/c/9d1541f17d44cbb38bc9a477c5e88eaee71ce6d8[commit]
* Added translation using Weblate (Korean)
https://pagure.io/freeipa/c/f420c19bb62fb3c735563cb462fd6be7b8018691[commit]
[[stanislav_levin_6]]
=== Stanislav Levin (6)
* ipapython: Support openldap 2.6
https://pagure.io/freeipa/c/51c31e0ad3387c07aad1035f00871bdcc201812a[commit]
https://pagure.io/freeipa/issue/9255[#9255]
* x509: Replace removed register_interface with subclassing
https://pagure.io/freeipa/c/a7beaa0b4de6b6b00ee1b5b770f0d2e72fad58df[commit]
https://pagure.io/freeipa/issue/9160[#9160]
* ap: Constrain supported docutils
https://pagure.io/freeipa/c/e5f7356e7e83b605a821ece9f242ac924925f27e[commit]
https://pagure.io/freeipa/issue/9208[#9208]
* ap: Rearrange overloaded jobs
https://pagure.io/freeipa/c/8ff0c1a5ee33946202031a8bc83e855216cd0c95[commit]
https://pagure.io/freeipa/issue/9207[#9207]
* ap: Disable azure's security daemon
https://pagure.io/freeipa/c/acd1d127938aa9feefbbc7ee325963a2e44ef3c3[commit]
https://pagure.io/freeipa/issue/9207[#9207]
* ap: Raise dbus timeout
https://pagure.io/freeipa/c/260d6378ec59d244e5f247f4af81f7ae8c72ac87[commit]
https://pagure.io/freeipa/issue/9207[#9207]
[[scott_poore_5]]
=== Scott Poore (5)
* ipatests: xfail test_ipa_login_with_sso_user
https://pagure.io/freeipa/c/10604ead7d90a9573368dd09c8ab06740cf14bb7[commit]
https://pagure.io/freeipa/issue/9264[#9264]
* ipatests: add keycloak user login to ipa test
https://pagure.io/freeipa/c/e197c743f3ea1a98d444c0eb01339cc22eab64d5[commit]
https://pagure.io/freeipa/issue/9250[#9250]
* ipatests: add prci definitions for test_sso jobs
https://pagure.io/freeipa/c/db1d05176d8072b05fea179af2ac97caaeb65dd1[commit]
* ipatests: add Keycloak Bridge test
https://pagure.io/freeipa/c/ac776987d30ecd3444a9b25f49a714fddc3c4232[commit]
https://pagure.io/freeipa/issue/9227[#9227]
* ipatests: Rename create_quarkus to create_keycloak
https://pagure.io/freeipa/c/a0a104a42c2ccd89394e48c2375bb0eb95183c5b[commit]
https://pagure.io/freeipa/issue/9225[#9225]
[[sumedh_sidhaye_3]]
=== Sumedh Sidhaye (3)
* With the commit #99a74d7, 389-ds changed the message returned in
ipa-healthcheck.
https://pagure.io/freeipa/c/5477a07d91ef2c506cc943699612e5e27d0c93e4[commit]
https://pagure.io/freeipa/issue/9238[#9238]
* Additional tests for RSN v3
https://pagure.io/freeipa/c/bfe074ed478c20a9537dc2a714bba50dbc2cd34f[commit]
https://pagure.io/freeipa/issue/2016[#2016]
* Added a check while removing 'cert_dir'. The teardown method is called
even if all the tests are skipped since the required PKI version is not
present. The teardown is trying to remove a non-existent directory.
https://pagure.io/freeipa/c/aca97507cd119ad55e0c3c18ca65087cb5576c82[commit]
https://pagure.io/freeipa/issue/9179[#9179]
[[sudhir_menon_2]]
=== Sudhir Menon (2)
* ipatests: ipa-client-install --subid adds entry in nsswitch.conf
https://pagure.io/freeipa/c/a39af6b7228d8ba85b9e97aa5decbc056d081c77[commit]
https://pagure.io/freeipa/issue/9159[#9159]
* ipatests: WebUI: do not allow subid range deletion
https://pagure.io/freeipa/c/38e5bcf719a0e7c7550837ffb14300db8efe09e4[commit]
https://pagure.io/freeipa/issue/9150[#9150]
[[temuri_doghonadze_4]]
=== Temuri Doghonadze (4)
* Translated using Weblate (Georgian)
https://pagure.io/freeipa/c/3379aa0aa85ca40fbce94f9d2307c6b501054c5a[commit]
* Translated using Weblate (Georgian)
https://pagure.io/freeipa/c/054bd14bcfe999e7722c812e7509c31e6f012bb3[commit]
* Translated using Weblate (Georgian)
https://pagure.io/freeipa/c/a1e66f5c050d8c9226f23af9b7d0c68bfd32a4d9[commit]
* Added translation using Weblate (Georgian)
https://pagure.io/freeipa/c/a30db2030c730d835e28ceb8cdc3c64d18edb4f9[commit]
[[thomas_woerner_1]]
=== Thomas Woerner (1)
* DNSResolver: Fix use of nameservers with ports
https://pagure.io/freeipa/c/6c5530c509793f66a162ed4153d5425a0eda02d6[commit]
https://pagure.io/freeipa/issue/9158[#9158]
[[viacheslav_sychov_1]]
=== Viacheslav Sychov (1)
* fix: Handle /proc/1/sched missing error
https://pagure.io/freeipa/c/7aa845730999951c8f340f43ed5872c54458c6a3[commit]
[[yuri_chornoivan_6]]
=== Yuri Chornoivan (6)
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/6846b953361bc96b322734e23e566c93a1879046[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/867a38a4636915df62a28b61855780b02ff55d56[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/6de25a0f201f0591bc551503b95f8d22c79fe7aa[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/63d332ff9ebbdd59fac65748025f8eea4270704d[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/d6d7c5d28bcf7ed341f0a5d4e1b0f167a195a4c2[commit]
* Translated using Weblate (Ukrainian)
https://pagure.io/freeipa/c/a21bf7fe8213c6b041ab500ab533e2a5888d1c3e[commit]
1 year, 5 months