File freeipa.changes of Package freeipa-patched
-------------------------------------------------------------------
Sun Jan 18 15:44:29 UTC 2026 - mhurron <mhurron@saminds.com>

- Update to version 4.13.1+git0.914aa64f:
  * Become IPA.4.13.1
  * Adding option --force-server to specify a server to ipa-certupdate tool.
  * Update webui to v.0.1.9
  * ipa-migrate: avoid KeyError before attributes are normalized
  * Delete modern-ui images for RHEL
  * ipa-pwd-extop: Don't manipulate the config if not retrieved
  * Upgrade: use openssl_engine on rhel9
  * ipatests: Refactor and port hbac functional tests.
  * ipatests: do not allow zone overlap for TestInstallWithCA_DNS4
  * ipa-pwd-extop: fix valueset memory leak in `ipapwd_get_cur_kvno()`
  * ipa-pwd-extop: fix memory leaks in `ipapwd_gen_hashes()` error path
  * ipa-pwd-extop: fix password history values memory leak
  * ipa-pwd-extop: fix NT hash string memory leak
  * ipa-pwd-extop: fix bind DN memory leaks in pre-op handlers
  * ipa-pwd-extop: fix memory leaks in `ipapwd_pre_add()`
  * ipa-pwd-extop: fix memory leaks of bind DN
  * Extended eDNS testsuite with Enforced DNS policy testcases.
  * ipatests: Add the remote IP before running ipa-migrate
  * ipatests: allow dns zone overlap where dns is handled externally
  * Fix incorrect error handling in ipapython/graph.py
  * ipatests: sysaccounts: add missing integration/webui/xmlrpc tests
  * sysaccount_mod: Use object.__setattr__ to set allow_empty_update in exception handler
  * ipa-pwd-extop: fix memory leaks
  * ipa-pwd-extop: free krbcfg in all exit paths
  * topology: fix memory leaks
  * ipa-enrollment: fix memory leaks
  * ipa-extdom-extop: fix memory leaks
  * ipa-range-check: fix memory leak
  * ipa-sidgen: fix memory leaks
  * ipa-pwd-extop: fix memory leaks
  * ipa-lockout: fix memory leaks
  * ipa-graceperiod: fix memory leaks
  * Fix: Incorrect auth error message
  * ipatest: add an integration test for samba upgrade
  * Trust: fix tdo with WITH_FOREST
  * Nightly test definitions: configure 4.13 branch
  * Back to git snapshots

-------------------------------------------------------------------
Sun Jan 18 15:43:35 UTC 2026 - mhurron <mhurron@saminds.com>

- Update to version 4.13.0+git0.dd8ba509:
  * Become IPA 4.13.0
  * Update list of contributors
  * ipatests: fix teardown of TestIpaCertFix
  * eDNS: disable dnsconfd before configuring Unbound
  * Use mod_auth_gssapi option GssapiNegotiateOnce
  * ipa-idrange-fix: Fix typo when ID under 1000 is present.
  * Translated using Weblate (Indonesian)
  * Don't assume the server has a CA service when issuing certificates
  * test_ipahealthcheck_dogtag_ca_connectivity_check: update expected msg
  * ipatests: fix kdcproxy tests against AD
  * Revert "Temp commit"
  * Temp commit
  * Validate message to check if not a trust agent/controller
    Previously the check would return an empty SUCCESS message.
  * temp_commit: revert to the version pre 0b521f7
  * ipatests: mark test_dnssec as xfail in fips mode
  * FIPS mode: openssl pkcs12 command needs -nomacver option
  * PR-CI: Run test_installation_TestInstallKeySizes in the nightlies
  * Move some functions to installutils to be more independent
  * Detect the highest API version the remote server supports
  * Refine restricting CA profiles to known subjects
  * Sort when comparing tuples in the xmlrpc tests
  * Set minimum version of certmonger and PKI for PKI-API
  * Reduce the log level before calling PKI functions
  * Retrieve all cert profiles from the CA with --all
  * Configure renewals to use the IPA JSON API
  * Use PKIClient instead of deprecated PKIConnection
  * Remove the RestClient class
  * Use the APIClient instead of direct REST calls for ACME
  * Replace REST with PKI python API for cert and LWCA
  * Refactor installer cert issuance to use pki python lib
  * Add config option for RSA key size for HTTP, DS, PKINIT, RA certs
  * Use the pki tool to bootstrap certificates during installation
  * Translated using Weblate (Spanish)
  * Modern WebUI version v0.1.7
  * Correctly recognize OID 2.5.4.97, organizationIdentifier as a subject/issuer DN of the CA certificate
  * sysaccounts: extend permissions to include description and account lock
  * test_sudo: do not clean the cache for offline cache tests
  * test_idp: use more recent keycloak server
  * PRCI: switch testing from f41 and f42 to f42 and f43
  * ipatests: Add new test cases with extended automount plugin attributes
  * sysaccount: make sure nsaccountlock is always present
  * Backup-restore: backup krb5.conf.d snippet files
  * TestHttpKdcProxy: use the snippet file for krb5 config
  * Port bash sudo tests.
  * freeipa.spec: use proper package name when installing Web UI license
  * Localization: remove zh_Hant file
  * Translated using Weblate (Indonesian)
  * Translated using Weblate (English (United Kingdom))
  * Translated using Weblate (German)
  * Translated using Weblate (Persian)
  * Translated using Weblate (Spanish)
  * Translated using Weblate (Georgian)
  * Translated using Weblate (Georgian)
  * Translated using Weblate (Polish)
  * Update translation files
  * Translated using Weblate (Spanish)
  * Translated using Weblate (Spanish)
  * Translated using Weblate (Georgian)
  * Added translation using Weblate (Chinese (Traditional Han script))
  * Modern webui: refresh to the tip of main branch
  * sysaccounts: add integration test
  * Add system accounts (sysaccounts)
  * ipa-pwd-extop: add SysAcctManagersDNs support
  * ipatests: Refactor and port trust functional SUDO tests.
  * Require krb5.conf.d because we install snippets there
  * krb5.conf templates: move IPA domain configuration into a separate snippet
  * krb5.conf templates: remove Kerberos 4 support
  * Azure: fix WebUI tests
  * Azure: fix the configuration issue
  * Azure CI: Use F43
  * slapi-plugins: Add replication checking to the Modrdn plugin
  * Revert "Temp commit"
  * API: correct ordering for password policy credits
  * makeapi: enforce en_US.UTF-8 locale when sorting API files
  * doc/api: regenerate notes
  * Temp commit
  * Include the HSM token name when creating LWCAs
  * ipatests: mark test_scale_add_subca as xfail
  * Integration test: fix teardown of test_expiration_date_post_2038
  * test_cert: adapt the expect error message to PKI 11.7.0-5
  * Revert "Tests xmlrpc: mark xfail tests requesting cert with subca"
  * PRCI tests: update vagrant image with latest PKI / certmonger package
  * Allow ipa tool to force specific server
  * Fix webui submodule copr build
  * Use Augeas when updating dbmodules in krb5.conf
  * Extended eDNS testsuite with Relaxed policy testcases.
    1. Relaxed policy without certs and including --no-dnssec-validation
    2. Relaxed policy with external CA and including --no-dnssec-validation
  * ipatests: Refactor and port trust functional HBAC tests.
  * Add support for libpwpolicy credit to password policy
  * ipatests: fix TestIpaClientAutomountDiscovery
  * Spec file: bump version for 389-ds
  * Tests xmlrpc: mark xfail tests requesting cert with subca
  * ipatests: extend test for unique krbcanonicalname
  * ipa-kdb: enforce PAC presence on TGT for TGS-REQ
  * Enforce uniqueness across krbprincipalname and krbcanonicalname
  * Add info about modern webui
  * Add modern webui build
  * ipatests: fix TestIPAMigratewithBackupRestore setup
  * ipasam: remove definitions which included from ndr_drsblobs.h
  * Catch decoding errors in CertificateSigningRequest parameters
  * Don't let lack of subca in PKI prevent LDAP deletion
  * ipatests: add xfail for TestKRAinstallAfterCertRenew
  * ipatests: exclude TomcatFileCheck when RSN are enabled
  * GetEntryFromLDIF: handle DNs case-insensitive
  * Test that password expiration date past 2038 works
  * Test that certificates beyond 2038 can be parsed
  * ipatests: update the Let's Encrypt cert chain
  * ipasam: define prototypes
  * ipasam: address signedness warnings
  * ipasam: simplify error handling in fill_pdb_trusted_domain
  * dcerpc: Support Samba 4.23
  * dcerpc: make sure forest trust info structure version is 1
  * azure webui tests: force chromium version
  * ipatests: fix test_otp
  * xmlrpc test: fix test_find_orphan_automember_rules
  * ipatests: remove xfail for PKI 11.7
  * ipatests: fix test_certmonger_ipa_responder_jsonrpc
  * DNS over TLS: use system trust store
  * Spec file: bump samba version to 4.23.0 in f43 and above
  * Fix ipa-client-install failure when a trusted CA's distinguished name contains slash characters
  * ipatests: Add comprehensive tests for ipa-client-automount --domain option
  * Update 11-kerberos-ticket-policy.rst
  * Spec file: use nodejs22 on fedora 41+
  * ipatests: Remove xfail from test_installation::test_number_of_zones
  * dns: disable all previous Unbound configuration before deploying ours
  * ipatests: test_fips: Remove obsolete patch
  * ipatests: Nightly definitions for TestIPAMigratewithBackupRestore
  * ipatests: Tests for ipa-migrate tool with ldif file
  * install: make use of shared temp directory for hsm validation
  * Fix terminal height for Rawhide
  * kdb: prevent double crash in RBCD ACL free
  * freeipa.spec.in: protect scriptlets in environment where dbus or systemd do not run
  * Use correct capitalization for GitHub and GitLab
  * dns: only overwrite resolv.conf during eDNS setup when needed
  * Replica: Request cert for DoT before setting up bind
  * ipaserver/install/dns.py: Allow to Turn off DNSSEC validation for unbound
  * ipa-client-install: New --no-dnssec-validation option
  * ipatests: prci nightly definitions for 32BitIdranges
  * ipatests: Tests for 32BitIdranges.
  * ipatests: fix test_adtrust_install_with_non_ipa_user
  * ipa-migrate - only remove repl state attribute options
  * Add test for master key upgrade
  * Use ipaplatform tasks for krb5 enctypes
  * ipa-kdb: support storing multiple KVNO for the same principal
  * Add token options to immutables for pki override
  * ipa-idrange-fix: check that IPA server is installed
  * Set krbCanonicalName=admin@REALM on the admin user
  * ipa-client-install: Fix nsupdate issues when dns_over_tls is enabled
  * Fix inconsistency in manpage for DoT forwarder option
  * ipatests: fix invalid range creation in test_ipa_idrange_fix.py
  * Warn when UID is out of local ID ranges
  * ipatests: fix xfail annotation for test_ipa_healthcheck_fips_enabled
  * ipatests: skip encrypted dns tests on fedora 41
  * Added TestIPAHealthcheckWithCALess to nightly yaml file.
  * ipatests: ipahealthcheck warns for user provided certificates about to expire
  * ipatests: Tests for krbLastSuccessfulAuth warning
  * Fix some issues identified by a static analyzer
  * ipatests: Test to check dot forwarders are added to unbound.
  * ipa config-mod: fix internalerror when setting an empty ipaconfigstring
  * ipatests: Ignore /run/log/journal in test_uninstallation.py
  * Require baserid and secondarybaserid
  * ipatests: test_manual_renewal_master_transfer must wait for replication
  * azure pipeline: disable InstallDNSSECFirst
  * ipatests: add extensions to server certificates for CAless mode
  * dns install: fix selinux avc relabelto
  * PRCI tests: update vagrant image with latest bind package
  * Add --domain option to ipa-client-automount for DNS discovery
  * kdb: keep ipadb_get_connection() from succeeding with null LDAP context
  * test_schema: do not fool pytest with a non-test class name
  * Azure CI: do not run test_ipaserver/test_migratepw
  * Stop using deprecated pkg_resources
  * Make IPAAbstractVersion available to all platforms
  * test_console: rework matching to adjust to Python 3.13
  * pylint: do not use return at the end of flow
  * fix used-before-assignment errors where pylint cannot infer logic
  * Move wheel constraints to F41+
  * Test: dnf5 handles updating itself differently than dnf4
  * Make the Azure template work with both dnf4 and dnf5
  * Azure CI: Use F42
  * freeipa.spec.in: do not recommend encrypted DNS on pre-F42 systems
  * freeipa.spec.in: update BIND-related dependencies
  * ipa-dnskeysyncd: use systemd-tmpfiles to handle tokens
  * DNS: detect when OpenSSL engine should be removed on upgrade
  * Use OpenSSL provider with BIND for Fedora 42+ and RHEL10+
  * ipa-migrate - improve suffix replacement
  * ipa-migrate - do not process AD entries in staging mode
  * ipa-migrate - remove replication state information
  * Azure CI: use podman instead of docker through emulation
  * azure pipeline: skip step disabling conflicting apparmor profile
  * azure pipeline: replace ubuntu-20.04 with 24.04
  * Translated using Weblate (Georgian)
  * ipatests: fix test_idp
  * PRCI: switch testing from f40 and f41 to f41 and f42
  * ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
  * ipatests: Fix for ipa-healthcheck test in FIPS Mode
  * Translated using Weblate (Finnish)
  * Correct dnsrecord_* tests for --raw --structured
  * Address deprecation warning in ipa-replica-manage
  * PRCI definitions: update vagrant box version for rawhide
  * Revert "add sourcery.ai github action"
  * add sourcery.ai github action
  * Test fix for the update
  * Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.
  * doc/designs: add encrypted DNS design documents
  * dns: don't populate forwarders with DoT forwarders
  * Don't require certificates to have unique ipaCertSubject
  * ipatests: Tests to check data in journal log
  * ipatests: update fedora41 vagrant box to 0.0.2
  * Disallow removal of dogtag and ipa-dnskeysyncd services on IPA servers
  * gating tests: add test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust
  * idrange: use minvalue=0 for baserid and secondarybaserid
  * Translated using Weblate (Georgian)
  * ipatests: add a test to use full 32-bit ID range space
  * baseuser: allow uidNumber and gidNumber of 32-bit range
  * update_dna_shared_config: do not fail when config is not found
  * config-mod: allow disabling subordinate ID integration
  * Disable --raw and --structured together
  * ipatest: make test_cert more robust to replication delays
  * Leapp upgrade: skip systemctl calls
  * Drop python 2 support in ipaserver/install/ca.py
  * Drop python 2 support in installutils.py
  * Drop python v2 in ipaserver/install/certs.py for lint errors
  * Make path of Samba lock directory configurable and use /run/samba on Debian
  * man: fix incorrect groff syntax in man pages
  * man: fix formatting and syntax issues
  * ipatests: adapt error code and message for samba 4.22
  * WebUI: fix the tooltip for Search Size limit
  * Log failed auth attempts over LDAP when a user is locked
  * Skip for unpatched freeipa-healthcheck
  * Replace fips-mode-setup
  * vault: remove PKIConnection deprecation warning
  * Remove the migration of the RA cert from mod_nss to mod_ssl
  * Remove migration from mod_nss to mod_ssl
  * Make name of nobody group configurable and use nogroup on Debian
  * Fix some memory errors identified by a static analyzer
  * Use new(er) PKI connection API in ipa-pki-wait-running
  * ipatests: use "sos report" instead of "sosreport" command
  * Validate the default e-mail domain in the config plugin
  * ipa-migrate - do not migrate tombstone entries, ignore MidairCollisions, and krbpwdpolicyreference
  * dns: only disable unbound when DoT is enabled
  * spec: add unbound requirement and template file
  * PRCI: add definitions for DNS over TLS tests
  * ipatests: add tests for DNS over TLS
  * Add DNS over TLS support
  * Align startup_timeout with the systemd default and document it
  * Configure the pki-tomcatd service systemd timeout
  * Translated using Weblate (English (United Kingdom))
  * ipatests: simulate FIPS mode and install replica
  * ipatests: on rhel10 do not install firefox
  * Suppress spurious failure messages when uninstalling ACME
  * Add a message where the ipa service restarted at end of install
  * Write out the PKI admin certificate as a PEM file
  * ipatests: increase delays for WebUI host test
  * Apply certmonger_timeout to start_tracking and request_cert
  * Reintroduce test_idp to gating tests
  * Migrate Keycloak tests to JDK 21 and Keycloak 26
  * ipa-otpd: do not pass OIDC client secret if there is none to pass
  * ipatests: restart dirsrv after time jumps
  * ipatests: skip test_ipahealthcheck_ds_configcheck for recent versions
  * Nightly tests: add test_ipahelthcheck to 389ds pipeline
  * ipatests: force the version for uninstall/reinstall
  * Fix pylint issue in ipatests/i18n.py
  * ipa-otpd: use oidc_child's --client-secret-stdin option
  * ipa tools: remove sensitive material from the commandline
  * Unify use of option parsers
  * Translated using Weblate (Finnish)
  * Add 30-second timeout for certmonger request/start tracking
  * ipatests: certbot removed the --manual-public-ip-logging-ok parameter
  * Temp commit: move to fedora 41
  * Cert renewal: update the trust flags for audit cert
  * Dogtag instance: add method to create temp password file
  * KRA cert renewal: update ca.connector.KRA.transportCert
  * Installation test: KRA on replica after cert renewal
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * workshop: Increase RAM for VMs to Avoid OOM
  * ipatests: Fixes for ipa-ipa-migration tool
  * Fix the typo in ipa_migrate_constants.
  * Fix copr build
  * adtrust: add missing ipaAllowedOperations objectclass
  * ipa-pwd-extop: clarify OTP use over LDAP binds
  * pyca: adapt import paths for TripleDES cipher
  * ipalib/x509: support PyCA 44.0
  * Revert "readthedocs: install crypto 43.0.0"
  * Pass all pkiuser groups as supplementary when validating an HSM
  * Allow looking up constants.Group by gid in addition to name
  * Translated using Weblate (English (United Kingdom))
  * readthedocs: install crypto 43.0.0
  * webuitests: adapt to Random Serial Numbers
  * ipatests: pruning is enabled by default with LMDB
  * Don't drop certificates in cert-find if the LWCA was removed
  * Enable pruning when Random Serial Numbers are enabled
  * Set required version of 389-ds for VLV fix on F40/41
  * Add RSN-by-default test to nightly builds
  * ipatests: Test that when lmdb is available, enable RSN
  * Change default to RSN when 389-ds uses the mdb backend
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Ukrainian)
  * ipaserver/dcerpc: support Samba 4.21
  * ipatests: install master with allow-zone-overlap
  * Fix: 'Organization' field in Okta not required
  * Nightly test def: fix topology for test_IPAMigrateADTrust
  * Tests: migrate to f40/f41
  * ipatests: Updated nightly definitions for ipa-ipa-migration
  * ipatests: Tests for ipa-migrate tool
  * ipatests: Update ipatests to test topology with multiple domain.
  * vault: handle pyca InternalError exception for PKCS#1 v1.5 padding
  * Small fixup to determine which ACME uninstaller to use
  * ipa-migrate should migrate dns forward zones
  * web ui: Add explicit white border for QR code widget
  * ipa-migrate - dryrun write updates crashes when removing values
  * ipatests: 2FA test cases
  * ipatests: Test for ipa hbac rule duplication
  * ipa-migrate man page: fix typos and errors
  * Replace instances of del os.environ with os.environ.pop
  * ipatests: refactor password file handling in TestHSMInstall
  * Extend nightly tests with Cockpit test
  * Minimal test for Cockpit integration on IPA master
  * selinux: allow Cockpit to use HTTP keytab on IPA servers
  * ipatests: Activate ssh in sssd.conf
  * test_ipahealthcheck: skip connectivity_and_data check
  * Nightly test definition: use master_1repl topology for idrange_fix
  * Do not let user with an expired OTP token to log in if only OTP is allowed
  * Translated using Weblate (Korean)
  * spec: Use nodejs22 on RHEL 10 and ELN
  * ipatests: Fixes for ipa-idrange-fix testsuite
  * Don't rely on removing the CA to uninstall the ACME deployment
  * test_adtrust_install: add --use-krb5-ccache to smbclient command
  * ipatests: provide a ccache to rpcclient deletetrustdom
  * Fix a couple of instances of the "no-break control character" being used inadvertently
  * ipatests: make TestDuplicates teardowns order agnostic
  * azure pipeline: use latest version of DownloadPipelineArtifact task
  * UnsafeIPAddress: pass flag=0 to IPNetwork
  * azure tests: move to fedora 40
  * Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12
  * ipa-migrate - fix alternate entry search filter
  * Installer: activate ssh service in sssd.conf
  * ipatests: Update ipa-adtrust-install test
  * ipatests: Add missing comma in test_idrange_no_rid_bases_reversed
  * ipa-migrate - fix migration issues with entries using ipaUniqueId in the RDN
  * Add PR-CI definitions
  * Add ipa-idrange-fix
  * selinux: add all IPA log files to ipa_log_t file context
  * Remove NIS server support
  * ipatests: Check Default PAC type is added to config
  * ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
  * ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
  * Fix some resource leaks identified by a static analyzer
  * Ignore TripleDES python-cryptography import warnings
  * Correct usage of public_key_algorithm_oid in ipalib/x509
  * HSM: fix the module name
  * trust-add: handle unavailable domain
  * ipatests: skip HSM test if pki < 11.5.9
  * ipatests: ipa-migrate tool with -Z option (CACERTFILE)
  * ipatests: Verify that SIDgen task continue even if it fails to assign sid
  * ipatests: increase the timeout for test_hsm.py::TestHSMInstall
  * Force a logout in KerberosSession if a login is needed
  * Log errors reported by adtrustinstance.check_inst() using logger
  * Replica CA installation: ignore time skew during initial replication
  * Get rid of unicode and long helpers in ipa-otptoken-import
  * ipalib/constants.py: factor out TripleDES use
  * ipalib/x509.py: get rid of unicode helper
  * ipalib/x509.py: support Cryptography 43
  * ipatests: Fix usage of token_password_file
  * Run HSM validation as pkiuser to verify token permissions
  * ipa-migrate - properly handle invalid certificates
  * spec file: do not use nodejs-22 on f39 and f40
  * Translated using Weblate (Spanish)
  * Fix a copy/paste issue when detecting the HSM SELinux subpackage
  * ipatests: remove xfail for test_ipa_migrate_stage_mode
  * ipatests: remove xfail for test_ipa_migrate_version_option
  * Remove RC4 and 3DES default encryption types on update
  * Unconditionally add MS-PAC to global config on update
  * Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
  * ipa-pwd-extop: differentiate OTP requirements in LDAP binds
  * ipa-migrate - starttls does not work
  * Include token password options in ipa-kra-install man page
  * ipatests: tests related to --token-password-file
  * Re-organize HSM validation to be more consistent/less duplication
  * Fix syntax error in the selinux-luna %postun script
  * ipa-migrate - remove -V option
  * The -d option of the ipa-advise command was able to be used.
  * Added new testsuite(ipa_ipa_migration) in prci definitions
  * ipa_sidgen: Allow sidgen_task to continue after finding issues
  * test_replica_install_after_restore: kinit after restore
  * Uninstall: stop sssd-kcm before removing KCM ccaches database
  * ipa-ods-enforcer: stop must also stop the socket
  * Translated using Weblate (Georgian)
  * Translated using Weblate (French)
  * Translated using Weblate (Turkish)
  * Update translation files
  * Translated using Weblate (Korean)
  * ipatests: Tests for ipa-ipa migration tool
  * ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
  * ipatests: Test replica installation using AD admin.
  * Added template for ad_master_1replica_1client
  * ipatests: fix / permissions for test_nested_group_members
  * Clean up more files and directories created by the installer(s)
  * ipatests: fix / permissions to allow ssh with private key
  * ipatests: mark test_ca_show_error_handling as xfail
  * Gating and nightly tests: move to f39/f40
  * ipatests: add test for PKINIT renewal on hidden replica
  * PKINIT certificate: fix renewal on hidden replica
  * ipatests: add test for ticket 9610
  * spec file: do not create /etc/ssh/ssh_config.orig if unchanged
  * ipa-otptoken-import: open the key file in binary mode
  * Add iparepltopoconf objectclass to topology permissions
  * kdb: apply combinatorial logic for ticket flags
  * kdb: fix vulnerability in GCD rules handling
  * Use a unique task name for each backend in ipa-backup
  * Bump to IPA 4.13

-------------------------------------------------------------------
Sun Oct 12 20:41:59 UTC 2025 - mhurron <mhurron@saminds.com>

- Update to version 4.12.5+git0.96ea6f94:
  * Become IPA 4.12.5
  * ipatests: extend test for unique krbcanonicalname
  * ipa-kdb: enforce PAC presence on TGT for TGS-REQ
  * Enforce uniqueness across krbprincipalname and krbcanonicalname
  * Become IPA 4.12.4
  * Set krbCanonicalName=admin@REALM on the admin user
  * kdb: keep ipadb_get_connection() from succeeding with null LDAP context

-------------------------------------------------------------------
Sun Apr 06 03:13:15 UTC 2025 - mhurron@saminds.com

- Update to version 4.12.3+git0.f33a0e8e:
  * Become IPA 4.12.3
  * ipa-otpd: use oidc_child's --client-secret-stdin option
  * ipa tools: remove sensitive material from the commandline
  * Unify use of option parsers
  * Become IPA v4.12.2
  * ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
  * ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
  * Fix some resource leaks identified by a static analyzer
  * Ignore TripleDES python-cryptography import warnings
  * Correct usage of public_key_algorithm_oid in ipalib/x509

-------------------------------------------------------------------
Sun Aug 25 20:47:21 UTC 2024 - mhurron@saminds.com

- Update to version 4.12.2+git0.c7da7e0d:
  * Become IPA v4.12.2
  * ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
  * ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
  * Fix some resource leaks identified by a static analyzer
  * Ignore TripleDES python-cryptography import warnings
  * Correct usage of public_key_algorithm_oid in ipalib/x509
  * trust-add: handle unavailable domain
  * HSM: fix the module name
  * ipatests: skip HSM test if pki < 11.5.9
  * ipatests: ipa-migrate tool with -Z option (CACERTFILE)

-------------------------------------------------------------------
Sat Jun 01 17:27:33 UTC 2024 - mhurron@saminds.com

- Update to version 4.12.0+git0.407408e9:
  * Become IPA 4.12.0
  * Update list of contributors
  * Update translations to FreeIPA master state
  * ipa-replica-manage list-ruvs: display FQDN in the output
  * console: for public errors only print a final one
  * custodia: do not use deprecated jwcrypto wrappers
  * frontend: add systemd journal audit of executed API commands
  * ipalib/rpc: Reformat after moving json code around
  * ipalib: move json formatter to a separate file
  * batch: add keeponly option

-------------------------------------------------------------------
Tue Mar 26 18:15:45 UTC 2024 - mhurron@saminds.com

- Update to version 4.11.1+git0.e18ac353:
  * Become IPA 4.11.1
  * Integration tests for verifying Referer header in the UI
  * Check the HTTP Referer header on all requests
  * Become IPA 4.11.0
  * Update contributors list
  * Update translations to FreeIPA ipa-4-11 state
  * Covscan issues: deadcode and Use after free
  * Add context manager to ipalib.API
  * Use datetime.timezone.utc instead of newer datetime.UTC alias
  * Workshop: fix broken Sphinx cross-references.

-------------------------------------------------------------------
Thu Aug 10 16:11:17 UTC 2023 - malcolmlewis@opensuse.org

- Update to version 4.10.2+git33.ff6cfcac:
  * ipatests: remove fixture call and wait to get things settle.
  * ipatests: update expected webui msg for admin deletion.
  * ipa-kdb: fix error handling of is_master_host().
  * Prevent the admin user from being deleted.
  * idp: when adding an IdP allow to override IdP options.
  * Fix memory leak in the OTP last token plugin.
  * ipatests: update expected cksum for epn.conf.
  * component: mail_from_realname config setting added to IPA-EPN.
  * selinux: Update SELinux policy.
  * xmlrpc tests: add a test for user plugin with non-existing idp.

-------------------------------------------------------------------
Sun Feb 05 11:06:14 UTC 2023 - ecsos@opensuse.org

- Update to version 4.10.1+git69.d24b6998:
  * tests: add wrapper around ACME RSNv3 test
  * ipatests: fix (prci_checker) duplicated check & error return code
  * automember-rebuild: add a notice about high CPU usage
  * doc: add the --run command for manual job execution
  * ipa-acme-manage: add certificate/request pruning management
  * tests: Configure DNSResolver as platform agnostic resolver
  * tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck
  * tests: Add ipa_ca_name checking to DNS system records
  * spec: Drop no longer used build dependency on paste
  * ipatests: healthcheck: Handle missing fips-mode-setup
  * doc: Design for certificate pruning
  * trust-add: handle missing msSFU30MaxGidNumber
  * Spec file: use %autosetup instead of %setup
  * Spec file: unify with RHEL9 spec
  * API doc: validate generated reference
  * ipa tests: Add LANG before kinit command to fix issue with locale settings
  * Installer: create RID base before domain object
  * Tests: force key type in ACME tests
  * server install: remove error log about missing bkup file
  * ipatests: mark test_smb as xfail
  * pylint: Replace deprecated cgi module
  * pylint: Fix useless-object-inheritance
  * pylint: Fix unhashable-member
  * pylint: Fix unnecessary-lambda-assignment
  * pylint: Fix modified-iterating-list
  * pylint: Fix used-before-assignment
  * pylint: Replace deprecated pipes
  * pylint: Fix cyclic-import
  * pylint: Replace deprecated extension-pkg-whitelist
  * pylint: More allowed C extensions
  * pylint: Lint in single process mode
  * pylint: disable deprecated-module message
  * pylint: fix comparison-of-constants
  * pylint: disable comparison-of-constants
  * pylint: fix consider-iterating-dictionary
  * pylint: globally disable useless-object-inheritance
  * pylint: disable unhashable-member
  * pylint: disable invalid-sequence-index
  * pylint: fix deprecated-class SafeConfigParser
  * pylint: fix duplicate-value
  * pylint: fix implicit-str-concat
  * pylint: disable missing-timeout message
  * pylint: globally disable unnecessary-lambda-assignment message
  * pylint: disable unnecessary-dunder-call message
  * pylint: disable using-constant-test
  * pylint: remove arguments-renamed warnings
  * pylint: disable modified-iterating-list
  * pylint: replace deprecated distutils module
  * pylint: disable used-before-assignment
  * pylint: disable redefined-slots-in-subclass
  * pylint: remove useless suppression
  * pylint: remove unneeded disable=unused-private-member
  * azure tests: move to fedora 37
  * ipatests: update the xfail annotation for test_number_of_zones
  * Spec file: bump krb5_kdb_version on rawhide
  * FIPS setup: fix typo filtering camellia encryption
  * cert utilities: MAC verification is incompatible with FIPS mode
  * ipatests: update the fake fips mode expected message
  * Fixes: ipa-otpd@.service: deprecated syslog setting
  * ipatests: xfail on all fedora for test_ipa_login_with_sso_user
  * Spec file: ipa-client depends on krb5-pkinit-openssl
  * API doc: add basic user management guide
  * ipa-certupdate: Update client certs before KDC/HTTPd restart
  * webui tests: fix assertion in test_subid.py
  * PRCI: update memory reqs for each topology
  * updates: fix memberManager ACI to allow managers from a specified group
  * API reference: update dnszone_add generated doc
  * API reference: update vault doc
  * Back to git snapshots
  * Become IPA 4.10.1
  * Update translations to FreeIPA ipa-4-10 state
  * Generate CNAMEs for TXT+URI location krb records
  * ipatests: update vagrant boxes
  * ipatests: remove xfail for tests using sssctl domain-status
  * spec file: bump sssd version
  * Vault: fix interoperability issues with older RHEL systems
  * ipatests: re-enable dnssec tests
  * Spec file: bump bind version on f37+
  * doc: Design for HSM support
  * Support tokens and optional password files when opening an NSS db
  * docs: add security section to idp
  * Add basic API usage guide
  * doc: generate API Reference
  * Pass the curl write callback by name instead of address
  * Add PKINIT support to ipa-client-install
  * webui: Add name to 'Certificates' table
  * ipatests: Test newly added certificate label
  * webui: Add label name to 'Certificates' section
  * ipa-kdb: for delegation check, use different error codes before and after krb5 1.20
  * ipatests: Add test for grace login limit
  * ipatests: test for root using admin password in webUI
  * Explicitly use legacy ID generators by default
  * ipatests: xfail test_ipa_login_with_sso_user
  * ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
  * ipa-kdb: fix PAC requester check
  * ipa-kdb: handle empty S4U proxy in allowed_to_delegate
  * ipa-kdb: handle cross-realm TGT entries when generating PAC
  * ipa-kdb: add krb5 1.20 support
  * ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
  * Spec file: bump the selinux-policy version
  * ipatests: add keycloak user login to ipa test
  * webui tests: fix test_subid suite
  * ipatests : Test query to AD specific attributes is successful.
  * Exclude installed policy module file from RPM verification
  * With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
  * fix: Handle /proc/1/sched missing error
  * ipaclient: do not set TLS CA options in ldap.conf anymore
  * ipa-kdb: do not fail if certmap rule cannot be added
  * ipapython: Support openldap 2.6
  * extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)
  * extdom: make sure result doesn't miss domain part
  * extdom: internal functions should be static
  * ipatests: mark xfail tests using dnssec
  * ipatests: mark xfail tests using sssctl domain-status
  * Tests: test on f37 and f36
  * Remove empty translation for 'si' which breaks linter
  * Translated using Weblate (Korean)
  * Translated using Weblate (Korean)
  * Translated using Weblate (Korean)
  * Added translation using Weblate (Korean)
  * Translated using Weblate (Georgian)
  * Translated using Weblate (Georgian)
  * Translated using Weblate (Georgian)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Ukrainian)
  * Update translation files
  * Added translation using Weblate (Georgian)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Ukrainian)
  * Update translation files
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Polish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Indonesian)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Ukrainian)
  * Update translation files
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Polish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Finnish)
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Ukrainian)
  * Translated using Weblate (Ukrainian)
  * Update translation files
  * Translated using Weblate (Finnish)
  * Update translation files
  * ipa man page: format the EXAMPLES section
  * Update API and VERSION
  * webui: Set 'SOA serial' field as read-only
  * ipatest: Remove warning message for 'idnssoaserial'
  * Set 'idnssoaserial' to deprecated
  * Move client certificate request after krb5.conf is created
  * ipatests: add negative test for otptoken-sync
  * ipa otptoken-sync: return error when sync fails
  * Defer creating the final krb5.conf on clients
  * ipatests: add prci definitions for test_sso jobs
  * ipatests: add Keycloak Bridge test
  * webui: Show 'Sudo order' column
  * ipa-cacert-manage prune: remove all expired certs
  * Fix upper bound of password policy grace limit
  * x509: Replace removed register_interface with subclassing
  * Set pkeys in test_selinuxusermap.py::test_misc::delete_record
  * fix canonicalization issue in Web UI
  * Fix ipa-ccache-sweeper activation timer and clean up service file
  * ipa-otpd: initialize local pointers and handle gcc 10
  * Remove pki_restart_configured_instance
  * ipatests: Rename create_quarkus to create_keycloak
  * Set default on group pwpolicy with no grace limit in upgrade
  * Set default gracelimit on group password policies to -1
  * doc: Update LDAP grace period design with default values
  * gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
  * ipatests: Fix expected object classes
  * DNSResolver: Fix use of nameservers with ports
  * upgrades: Don't restart the CA on ACME and profile schema change
  * check_repl_update: in progress is a boolean
  * Additional tests for RSN v3
  * webui: Allow grace login limit
  * ipatests: ipa-client-install --subid adds entry in nsswitch.conf
  * azure tests: disable TestInstallDNSSECFirst
  * ipatest: fix prci checker target masked return code & add pylint
  * ipatests: WebUI: do not allow subid range deletion
  * Disabling gracelimit does not prevent LDAP binds
  * ipatests: healthcheck: test if system is FIPS enabled
  * ap: Constrain supported docutils
  * ap: Rearrange overloaded jobs
  * ap: Disable azure's security daemon
  * ap: Raise dbus timeout
  * Warn for permissions with read/write/search/compare and no attrs
  * ipatests: Checker script for prci definitions
  * Nightly tests: fix template for nightly_ipa-4-10_latest.yaml
  * webui: Do not allow empty pagination size
  * Only calculate LDAP password grace when the password is expired
  * Added a check while removing 'cert_dir'. The teardown method is called
    even if all the tests are skipped since the required PKI version is not
    present. The teardown is trying to remove a non-existent directory.
  * install: suggest --skip-mem-check when mem check fails
  * man: add --skip-mem-check to man pages
  * ipatests: add nightly definitions for ipa-4-10 branch
  * Back to git snapshots

-------------------------------------------------------------------
Sun Feb 05 11:05:21 UTC 2023 - ecsos@opensuse.org

- Update to version 4.10.0+git0.082ec006:
  * Become IPA 4.10.0
  * Update FreeIPA translations to FreeIPA master state
  * Fix test_secure_ajp_connector.py failing with Python 3.6.8
  * Add missing parameter to Suse modify_nsswitch_pam_stack
  * ipatests: Fix install_master for test_idp.py
  * ipaplatform/debian: Drop the path for ldap.so
  * ipaplatform/debian: Use multiarch path for libsofthsm2.so
  * ipatests: Healthcheck use subject base from IPA not REALM
  * Add end to end integration tests for external IdP
  * ipatests: update prci definitions for test_idp.py

-------------------------------------------------------------------
Sun Feb 05 10:28:15 UTC 2023 - ecsos@opensuse.org

- Update to version 4.9.11+git26.398e0918:
  * ipatests: fix (prci_checker) duplicated check & error return code
  * automember-rebuild: add a notice about high CPU usage
  * With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
  * tests: Configure DNSResolver as platform agnostic resolver
  * tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck
  * tests: Add ipa_ca_name checking to DNS system records
  * spec: Drop no longer used build dependency on paste
  * ipatests: healthcheck: Handle missing fips-mode-setup
  * trust-add: handle missing msSFU30MaxGidNumber
  * API doc: validate generated reference

-------------------------------------------------------------------
Fri Jun 24 00:13:51 UTC 2022 - Matthew Davis <opensuse@virtual.drop.net>

- Update to version 4.9.10+git12:
  * Removed local patch for missing parameter in module.
  * Resolved rpmlint issue missing systemd scripts
  * Resolved rpmlint issues of config files outside of /etc or /var
  * Resolved rpmlint issue of missing rcipa-epd symlink
  * Resolved rpmlint issue of too many duplicate files
  * Resolved rpmlint issue of non-standard group apache
  * Added rpmlintrc to resolve remaining rpmlint issues.
  * Updated Groups: in subpackages to be more accurate.
  * Enforce setting reported version number based on GIT tag

-------------------------------------------------------------------
Thu Jun 16 03:36:32 UTC 2022 - opensuse@virtual.drop.net

- Update to version 4.9.10+git1.3e90842b3:
  * Back to git snapshots
  * Become IPA 4.9.10
  * Update list of contributors
  * Update translations to FreeIPA ipa-4-9 state
  * Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
  * ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version
  * Suse compatibility fix
  * idviews: use cached ipaOriginalUid value when resolving ID override anchor
  * Add switch for LDAP cache debug output
  * Remove extraneous AJP secret from server.xml on upgrades

-------------------------------------------------------------------
Tue Sep 21 15:03:06 UTC 2021 - david.mulder@suse.com

- krb5-client_paths.patch: Fix krb5-client paths in Tumbleweed and Leap > 15.4.
- Add client dependencies krb5-client and python3-augeas.

-------------------------------------------------------------------
Mon Sep 20 21:30:09 UTC 2021 - david.mulder@suse.com

- Update to version 4.9.7+git28.865886401:
  * ipatests: Test that a user can be issued multiple certificates
  * Don't store entries with a usercertificate in the LDAP cache
  * ipatests: Log debug messages for locator plugin
  * krb5: Pin kpasswd server to a primary one
  * azure: Ignore tar errors
  * ipatests: fix expected msg in tasks.run_ssh_cmd
  * docs: Make use of `text` highlighting
  * ipatests: fix logic waiting for repl in TestIPACommand
  * migrate-ds: workaround to detect compat tree
  * ipatests: rpcclient now uses --use-kerberos=desired

-------------------------------------------------------------------
Wed Feb 7 15:38:41 UTC 2018 - mrueckert@suse.de

- Require sssd-ad for sssd_pac
- split out freeipa-client-common

-------------------------------------------------------------------
Tue Feb 6 16:36:01 UTC 2018 - mrueckert@suse.de

- BR all the python libraries that we require in the client package
- switch most BR to pkgconfig() flavor

-------------------------------------------------------------------
Tue Feb 6 12:26:04 UTC 2018 - mrueckert@suse.de

- switch to service

-------------------------------------------------------------------
Thu Feb 1 19:42:27 UTC 2018 - mrueckert@suse.de

- use python3

-------------------------------------------------------------------
Thu Feb 1 18:11:55 UTC 2018 - mrueckert@suse.de

- add requires to the package and split out the client and common package

-------------------------------------------------------------------
Thu Feb 1 18:11:48 UTC 2018 - mrueckert@suse.de

- switch to patch for adding suse support

-------------------------------------------------------------------
Thu Feb 1 14:05:46 UTC 2018 - mrueckert@suse.de

- client support seems to work

-------------------------------------------------------------------
Fri Mar 24 12:21:49 UTC 2017 - mrueckert@suse.de

- initial package