diff --git a/src/index.rst b/src/index.rst index c4c20521..ccb760f5 100644 --- a/src/index.rst +++ b/src/index.rst @@ -52,6 +52,7 @@ Releases .. toctree:: :titlesonly: + /release-notes/4-13-0.rst /release-notes/4-12-5.rst /release-notes/4-12-4.rst /release-notes/4-12-3.rst @@ -59,7 +60,6 @@ Releases /release-notes/4-12-1.rst /release-notes/4-11-2.rst /release-notes/4-12-0.rst - /release-notes/4-11-1.rst Getting involved ---------------- diff --git a/src/release-notes/4-13-0.rst b/src/release-notes/4-13-0.rst new file mode 100644 index 00000000..e0f38ff5 --- /dev/null +++ b/src/release-notes/4-13-0.rst 
@@ -0,0 +1,1964 @@ +FreeIPA 4.13.0 +============== + +.. raw:: mediawiki + + {{ReleaseDate|2025-09-10}} + +The FreeIPA team would like to announce FreeIPA 4.13.0 release! + +It can be downloaded from http://www.freeipa.org/page/Downloads. Builds +for Fedora distributions will be available from the official repository +soon. + +.. _highlights_in_4.13.0: + +Highlights in 4.13.0 +-------------------- + +- Introducing the Modern WebUI (Beta) + + This FreeIPA release includes the first beta version of the new + modern WebUI. + + This interface has been rebuilt to provide a more intuitive + design, improved workflows, and a responsive layout. + + As a beta, this UI is not feature-complete and + may contain bugs. Current WebUI is still available for those who + prefer the classical view and can be used alongside the new + beta interface. + + A link to access the new modern Web UI is added to the login + page of the current web interface. + + Feedback is essential for stabilizing this new interface. The modern + WebUI is developed in its own repository: + https://github.com/freeipa/freeipa-webui. + Please report all UI-specific issues or suggestions directly to that + project's issue tracker: https://github.com/freeipa/freeipa-webui/issues. + +-------------- + +- 9605: Add support for DoT/DoH for Zero-Trust + + You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers. + + Administrators can enable DoT during the installation by using the `--dns-over-tls` option. + + The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service: + + * `--dot-forwarder` to specify an upstream DoT-enabled DNS server. + * `--dns-over-tls-key` and `--dns-over-tls-cert` to configure DoT certificates. + * `--dns-policy` to set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage. 
+ + More details are available at: https://freeipa.readthedocs.io/en/ipa-4-12/designs/edns.html + +-------------- + +- 9842 Add support for LDAP system accounts + + FreeIPA now introduces support for LDAP-based system accounts through a dedicated sysaccount plugin. + Administrators can fully manage these accounts using a complete set of CLI commands: + add, delete, modify, find, show, enable, and disable, making automation and service integration + more consistent and reliable. + + We've also enhanced role handling and passsync management across the platform. + Roles and baseldap plugins now support system account membership, allowing system accounts + to be assigned permissions just like users or hosts. + +-------------- + +- 9612 [RFE]: add a tool to quickly detect and fix issues with IPA ID ranges + + With this update, FreeIPA provides the `ipa-idrange-fix` tool. You can use `ipa-idrange-fix` tool to + analyze existing IdM ID ranges, identify users and groups outside these ranges, and propose + to create new `ipa-local` ranges to include them. + + For more information, see the `ipa-idrange-fix(1)` man page. + +-------------- + +- 9652: IPA requires unique CA certificate subject names + + IPA actively prevented duplicate subjects. This requirement was relaxed with the following limitations: + 1) the certificates cannot be added with different trust flags + 2) the nickname of the CAs must be the same + 3) an Authority Key Identifier extension should be included in any CA otherwise the chain of trust will not behave as expected + +-------------- + +- 9661 Change the default CA serial number algorithm to random serial numbers + + With this update, automated removal of expired certificates is now enabled by default in FreeIPA on new replicas. + A prerequisite for this is the generation of random serial numbers for certificates using RSNv3, which is now also enabled by default. 
+ + As a result, certificates are now created with random serial numbers and are removed automatically when expired, + after a default retention period of 30 days after expiry. + +-------------- + +- 9780: [RFE] ipa-client-automount should have an option to include + domain of the machine. + +-------------- + +- 9363: Set compat tree and NIS configuration disabled by default + when deploying FreeIPA. + +-------------- + +- 9757 Support full 32-bit ID range space + +-------------- + +- 9744 [RFE] Allow ipa tool to force running on specific server + + The ipa tool now supports the --force-server option. When this + option is specified, for instance like in "ipa --force-server + user-find", the CLI connects to the specified server instead of + using the server configured in /etc/ipa/ca.crt or the server found + in DNS SRV records. If the server does not reply, there is no + fallback mechanism. + +-------------- + +- 9835 RFE: Add support for libpwquality credit counting + +-------------- + +- 9852 Add support for Samba 4.23 + +-------------- + +- Automated FAST Armor + +-------------- + +Enhancements +~~~~~~~~~~~~ + +- `#9674 `__ Handle PKI 11.6.0 + uninstallation + +-------------- + +- `#9675 `__ Support GSSAPI in + Cockpit on IPA servers + +-------------- + +- `#9757 `__ Support full 32-bit + ID range space + +-------------- + +.. _bug_fixes: + +Bug fixes +~~~~~~~~~ + +FreeIPA 4.13.0 is a stabilization release for the features delivered as +a part of 4.13 version series. + +There are more than 170 bug-fixes since FreeIPA 4.12.5 release. Details +of the bug-fixes can be seen in the list of resolved tickets below. + +Upgrading +--------- + +Upgrade instructions are available on +`Upgrade `__ page. + +Feedback +-------- + +Please provide comments, bugs and other feedback via the freeipa-users +mailing list +(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) +or #freeipa channel on libera.chat. + +.. 
_resolved_tickets: + +Resolved tickets +---------------- + +- `#8924 `__ ipa-client-install + fails to install on Ubuntu 20.04 LTS due to incorrect cert name +- `#9002 `__ Nightly failure in + test_fips.py::TestInstallFIPS::test_basic::setup +- `#9135 `__ Nightly test failure + (f37+): reverse zone not created +- `#9202 `__ Generated QR codes + not being read by Android authentication apps +- `#9363 `__ Set compat tree and + NIS configuration disabled by default when deploying FreeIPA +- `#9365 `__ Covscan issues: + usage of free() instead of krb5_free_enctypes() +- `#9367 `__ Covscan issues: + Resource Leak +- `#9370 `__ kdb: support storing + and retrieving multiple master keys +- `#9387 `__ FreeIPA OTP Allows + Users with Expired Tokens to Authenticate +- `#9450 `__ Find and replace del + os.environ['foo'] with os.environ.pop('foo', None) +- `#9468 `__ Covscan issues in + ipa-4.11 +- `#9471 `__ Pre-authentication + with trusted domain object over IPA to IPA trust fails due to wrong + canonical name choice +- `#9488 `__ Nightly test failure + in test_trust.py::TestTrust::test_server_option_with_unreachable_ad +- `#9571 `__ Pytest 8 + compatibility +- `#9577 `__ Replica installation + fails in FIPS mode in fedora 39+ +- `#9584 `__ Race condition in + ipa-backup +- `#9603 `__ ipa-server-install: + token_password_file read in kra.install_check after calling + hsm_validator in ca.install_check +- `#9605 `__ Add support for + DoT/DoH for Zero-Trust +- `#9606 `__ Nightly test failure + (f40+) in + test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling +- `#9607 `__ Nightly test failure + (f40+) in test_commands.py::TestIPACommand::test_ssh_key_connection +- `#9609 `__ ipa-otptoken-import + fails to import encrypted file +- `#9610 `__ ipa-client rpm post + script creates always ssh_config.orig even if nothing needs to be + changed +- `#9611 `__ kdc.crt certificate + not getting automatically renewed by certmonger in IPA Hidden replica +- `#9612 `__ RFE: add 
a tool to + quickly detect and fix issues with IPA ID ranges +- `#9613 `__ After backup/restore + of dnssec master, zones are not signed +- `#9615 `__ Nightly test failure + (f40+) in test_sssd.py::TestNestedMembers::test_nested_group_members +- `#9616 `__ Nightly test failure + in test_backup_and_restore_TestReplicaInstallAfterRestore +- `#9617 `__ The ipa-advise, + ipa-backup, and ipa-restore manuals incorrectly show the --v option. +- `#9618 `__ Allow IPA SIDgen + task to continue if it finds an entity that SID can't be assigned to +- `#9619 `__ ipa-migrate starttls + does not work +- `#9620 `__ ipa-migrate remove + -V option +- `#9621 `__ ipa-migrate should + not update mapped attributes in managed entries +- `#9624 `__ A missing cccache + prevents Kerberos SSO +- `#9625 `__ Executing the -d + option results in an error. +- `#9626 `__ + ipa-replica/server-install with softhsm needs to check + permission/ownership of /var/lib/softhsm/tokens to avoid install + failure. +- `#9629 `__ Syntax error + uninstalling the selinux-luna subpackage +- `#9632 `__ Unconditionally add + MS-PAC to global config +- `#9633 `__ Remove RC4 and 3DES + default encryption types on update +- `#9635 `__ Ignore time skew + during CA replica installation +- `#9636 `__ misleading warning + for missing ipa-selinux-nfast package on luna hsm +- `#9637 `__ adtrustinstance only + prints issues in check_inst() and does not log them +- `#9640 `__ ipa-migrate - fix + migration issues with entries using ipaUniqueId in the RDN +- `#9641 `__ support for python + cryptography 43.0.0 +- `#9642 `__ ipa-migrate - + properly handle invalid certificates +- `#9643 `__ freeipa fails to + build with nodejs22 on f39 and f40 +- `#9644 `__ Fedora 40 pylint + issues with PY2/PY3 compatibility +- `#9645 `__ support for python + module netaddr 1.3.0 +- `#9648 `__ Nightly test + failures in test_hsm_TestHSMNegative +- `#9649 `__ Also enable SSSD's + ssh service when enabling sss_ssh_knownhosts +- `#9652 `__ IPA 
requires unique + CA certificate subject names +- `#9654 `__ Update SELinux + policy to mark IPA log files as ipa_log_t file context +- `#9655 `__ + upstream-adtrust-install: SSSD offline causing test-adtrust-install + failure +- `#9656 `__ Nightly test failure + in + test_ipa_idrange_fix.py::TestIpaIdrangeFix::test_idrange_no_rid_bases_reversed +- `#9657 `__ Prepare ipatests + environment to test multidomain ipa server +- `#9658 `__ Nightly test failure + in test_ipa_ipa_migration.py +- `#9661 `__ Change the default + CA serial number algorithm to random serial numbers +- `#9665 `__ Sentences truncated + in man pages +- `#9666 `__ Nightly test failure + (f42) in test_adtrust_install +- `#9667 `__ Nightly test failure + (f42) in test_trust +- `#9668 `__ Nightly test failure + (@pki/master) in + test_ipahealthcheck.py::TestIpaHealthCheck::test_source_pki_server_clones_connectivity_and_data +- `#9673 `__ Uninstall ACME + separately during PKI uninstallation +- `#9674 `__ Handle PKI 11.6.0 + uninstallation +- `#9675 `__ Support GSSAPI in + Cockpit on IPA servers +- `#9676 `__ move away from + setuptools and pkg_resources +- `#9680 `__ config-mod accepting + invalid e-mail addresses for "Default e-mail domain" +- `#9681 `__ Man page for + ipa-migrate refers to non-existing option --hostname +- `#9682 `__ ipa-migrate in stage + mode fails with TypeError: 'NoneType' object is not iterable +- `#9686 `__ ipa-migrate should + also migrate DNS forward zones +- `#9687 `__ 'Organization' + should not be required for Okta provider type +- `#9689 `__ vault-add fails in + FIPS mode +- `#9691 `__ pki.client: + /usr/libexec/ipa/ipa-pki-wait-running:61: The subsystem in + PKIConnection.\__init\_\_() has been deprecated + (https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes) +- `#9692 `__ ipa-kra-install + fails - Unable to add KRA connector for URL KRA connector already + exists +- `#9696 `__ Support OpenSSL + provider API +- `#9697 `__ IPA-to-IPA migration + tests should 
install destination server with --allow-zone-overlap +- `#9698 `__ Static code analysis + defects +- `#9699 `__ EnforceLDAPOTP + ldap-bind with sysaccount no longer possible +- `#9702 `__ ipa trust-add fails + in FIPS mode with an internal error has occurred +- `#9705 `__ In FIPS mode + HSM, + renewal of auditSigningCert cert-pki-kra prevents PKI restart +- `#9706 `__ Nightly test failure + in test_acme.py::TestACMEPrune::test_enable_pruning +- `#9707 `__ Nightly test failure + in test_webui/test_cert.py +- `#9708 `__ add support for + python cryptography 44.0.0 +- `#9709 `__ All user groups are + not being included during HSM token validation +- `#9711 `__ Regression: LDAP + bind is allowed without OTP in 4.12 +- `#9712 `__ [ipa-4-9] + ipa-server-upgrade fails after established trust with ad +- `#9715 `__ [testday] Fix typo + in ipa-migrate log file i.e 'Privledges' to 'Privileges' +- `#9720 `__ Workshop Vagrant + OOMs During Setup +- `#9721 `__ Nightly test failure + in test_webui/test_host.py::test_host::test_search +- `#9723 `__ Nightly test failure + after pkg uninstall/install +- `#9724 `__ Nightly test failure + (rawhide) in + test_integration/test_acme.py::TestACME::test_certbot_dns +- `#9725 `__ A slow HSM can cause + IPA server installation to fail setting up certificate tracking +- `#9730 `__ [tests] + test_ipahealthcheck_ds_configcheck fails against 389-ds-base 2.5.3 +- `#9734 `__ crash in ipa-otpd + with --client-secret-stdin use +- `#9735 `__ Installing IPA with + KRA creates invalid ca_admin.cert format +- `#9737 `__ ipa-migrate should + skip tombstone entries +- `#9738 `__ During server + installation don't use the PKI API directly to issue certificates +- `#9739 `__ Remove migration + support from mod_nss +- `#9740 `__ Suppress meaningless + errors when uninstalling the PKI ACME service +- `#9741 `__ Add message to end + of server install that service restart is happening +- `#9742 `__ Log then a user + attempts to authenticate using LDAP but is 
locked out due to policy +- `#9743 `__ The pki-tomcatd + service can time out starting with a slow HSM +- `#9748 `__ Server installation: + dot-forwarder not added as a forwarder +- `#9750 `__ Remove + fips-mode-setup +- `#9751 `__ Nightly test failure + (rawhide) in + test_trust.py::TestTrust::test_server_option_with_unreachable_ad +- `#9752 `__ ipatests: use "sos + report" instead of "sosreport" command +- `#9753 `__ Allow customizing + 'nobody' group per platform +- `#9754 `__ ipa vault-del + triggers a deprecation warning +- `#9756 `__ ipa dnsrecord-\* + --raw --structured throws internal error +- `#9757 `__ Support full 32-bit + ID range space +- `#9758 `__ Search size limit + tooltip has Search time limit tooltip text +- `#9760 `__ ipa-cert-fix + proceeds with the externally signed CA signing cert being expired +- `#9762 `__ The test + test_ca_show_error_handling should wait for replication +- `#9764 `__ Protect \*all\* IPA + service principals +- `#9765 `__ Regression in ipa + trust-add +- `#9768 `__ Disable --raw and + --structured tests are skipped +- `#9769 `__ Test failure on f42 + in test_integration/test_idp.py::TestIDPKeycloak::test_auth_sudo_idp +- `#9771 `__ Fix deprecation + warning in ipa-replica-manage +- `#9772 `__ ipa-sidgen: + important memory leak +- `#9776 `__ ipa-migrate does not + handle replication state data +- `#9777 `__ kdb: + ipadb_get_connection() succeeds but returns null LDAP context +- `#9779 `__ When creating an ID + range, should require a RID +- `#9780 `__ [RFE] + ipa-client-automount should have an option to include domain of the + machine. 
+- `#9781 `__ Give warning when + adding user with UID out of any ID range +- `#9782 `__ selinux avc when + installing dns server in selinux enforcing mode +- `#9784 `__ ipa-migrate + --migrate-dns fails to update the DNS record +- `#9787 `__ Rawhide: test + failure when installing a replica in CA less mode +- `#9788 `__ ipatests: Fix + test_integration/test_uninstallation.py::TestUninstallCleanup::test_clean_uninstall +- `#9790 `__ ipatests: + test_manual_renewal_master_transfer should wait for replication +- `#9791 `__ + test_ipa_healthcheck_fips_enabled xfail annotation is incorrect +- `#9794 `__ Unable to modify IPA + config; --ipaconfigstring="" causes internal error +- `#9799 `__ edns is not + available for older fedora +- `#9801 `__ Nightly failure in + test_integration/test_ipa_idrange_fix.py::TestIpaIdrangeFix::test_idrange_no_rid_bases + and test_idrange_no_rid_bases_reversed +- `#9804 `__ Description for + --dot-forwarder in man pages for ipa-server-install and + ipa-dns-install inconsistent +- `#9805 `__ client: DNSSEC + validation turned on for unbound by default +- `#9806 `__ ipa-client-install: + nsupdate issues when dns_over_tls is enabled +- `#9808 `__ Replica: Request + cert for DoT fails after setting up bind +- `#9809 `__ ipa-idrange-fix + should check if the server is configured +- `#9810 `__ Nightly test failure + in test_integration/test_fips.py - sed couldn't open temporary file +- `#9811 `__ Incorrect use of + GitHub and GitLab trademarks +- `#9812 `__ Test failure in + test_adtrust_install_with_non_ipa_user +- `#9813 `__ When using + --dns-over-tls in read-only container, ipa-server-install fails due + to /etc/resolv.conf operation +- `#9814 `__ eDNS: Conflict + between dnsconfd and IPA installer +- `#9824 `__ Error when sizing + output for a terminal +- `#9826 `__ With + rpm-5.99.91-1.fc43.x86_64, dnf installation of + freeipa-server-trust-ad-4.12.2-14.fc43.x86_64 now fails +- `#9831 `__ hsm validation fails + on systems with private tmp 
+- `#9836 `__ Fails to build on + fedora42+ with nodejs24 +- `#9838 `__ Nightly test failure + (rawhide) in + test_edns.py::TestDNSOverTLS::test_install_dnsovertls_master +- `#9843 `__ Bump samba version + for rawhide +- `#9848 `__ Test failure in + test_certmonger_ipa_responder_jsonrpc +- `#9849 `__ Random test failure + in test_otp +- `#9850 `__ Test failure in + test_xmlrpc/test_automember_plugin.py/TestAutomemberFindOrphans +- `#5614 `__ + (`rhbz#1310834 `__) + [tracker] mod_auth_gssapi additional NTLM auth request from Chrome +- `#5913 `__ Use augeas for + configuring krb5 +- `#2496 `__ + (`rhbz#797333 `__) + krbpasswordexpiration field in LDAP can not have value >= + 20380119031408Z +- `#9744 `__ [RFE] Allow ipa tool + to force running on specific server +- `#9763 `__ KRA install failure + if /root/.dogtag/pki-tomcat/ca_admin.cert is expired +- `#9785 `__ IPA fails to sign + zone in FIPS mode +- `#9833 `__ Nightly test failure + (f43+) in test_idp.py::TestIDPKeycloak::test_auth_keycloak_idp +- `#9835 `__ RFE: Add support for + libpwquality credit counting +- `#9842 `__ Add ability to + configure external password reset agents with ipa_pwd_extop +- `#9845 `__ ipatests: Port + downstream ipa-trust-functional test suite. 
+- `#9852 `__ Nightly tests + failure (rawhide): ipactl restart fails to restart winbindd +- `#9854 `__ Erroneous + case-sensitivity in offline DSE lookup +- `#9857 `__ Nightly failure in + test_commands.py::TestIPACommand::test_cacert_manage +- `#9858 `__ + TestIPAMigratewithBackupRestore fails in IdM CI environment +- `#9859 `__ Encrypted DNS: + disable dnsconfd prior to configuring Unbound +- `#9862 `__ Update breaks + krb5.conf if modified +- `#9865 `__ Support storing LWCA + private keys on an HSM +- `#9866 `__ [BUG] + ATTR_NAME_BY_OID is missing OID 2.5.4.97, organizationIdentifier +- `#9867 `__ IPA Modrdn plugin + performs duplicate replication changes +- `#9870 `__ backup-restore does + not restore /etc/krb5.conf.d/freeipa-realm +- `#9871 `__ + test_http_kdc_proxy.py::TestHttpKdcProxy failure during its setup +- `#9874 `__ Nightly test failure + in + test_sudo.py::TestSudo_Functional::test_007_sudorule_offline_caching_option_command +- `#9875 `__ The permission with + 'System: Modify System Accounts' fails to modify the description. +- `#9878 `__ ipa-server-install + fails in FIPS mode +- `#9879 `__ ipa-pkinit-manage + enable fails on replica without CA instance +- `#9881 `__ Test failure in + test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_dogtag_ca_connectivity_check +- `#9885 `__ Minor typo in + ipa_idrange_fix.py +- `#9888 `__ Nightly test failure + in + test_integration/test_ipa_cert_fix.py::TestIpaCertFix::test_expired_CA_cert::teardown + +.. _detailed_changelog_since_4.12.4: + +Detailed changelog since 4.12.4 +------------------------------- + +.. 
_alexander_bokovoy_41: + +Alexander Bokovoy (60) +~~~~~~~~~~~~~~~~~~~~~~ + +- sysaccounts: extend permissions to include description and account + lock + `commit `__ + `#9875 `__ +- sysaccount: make sure nsaccountlock is always present + `commit `__ + `#9842 `__ +- freeipa.spec: use proper package name when installing Web UI license + `commit `__ +- sysaccounts: add integration test + `commit `__ + `#9842 `__ +- Add system accounts (sysaccounts) + `commit `__ + `#9842 `__ +- ipa-pwd-extop: add SysAcctManagersDNs support + `commit `__ + `#9842 `__ +- Require krb5.conf.d because we install snippets there + `commit `__ +- krb5.conf templates: move IPA domain configuration into a separate + snippet + `commit `__ +- krb5.conf templates: remove Kerberos 4 support + `commit `__ +- API: correct ordering for password policy credits + `commit `__ +- makeapi: enforce en_US.UTF-8 locale when sorting API files + `commit `__ +- doc/api: regenerate notes + `commit `__ +- ipasam: remove definitions which included from ndr_drsblobs.h + `commit `__ +- GetEntryFromLDIF: handle DNs case-insensitive + `commit `__ + `#9854 `__ +- ipasam: define prototypes + `commit `__ +- ipasam: address signedness warnings + `commit `__ +- ipasam: simplify error handling in fill_pdb_trusted_domain + `commit `__ + `#9852 `__ +- dcerpc: Support Samba 4.23 + `commit `__ + `#9852 `__ +- dcerpc: make sure forest trust info structure version is 1 + `commit `__ + `#9852 `__ +- kdb: prevent double crash in RBCD ACL free + `commit `__ + `#9367 `__ +- freeipa.spec.in: protect scriptlets in environment where dbus or + systemd do not run + `commit `__ + `#9826 `__ +- test_schema: do not fool pytest with a non-test class name + `commit `__ +- Azure CI: do not run test_ipaserver/test_migratepw + `commit `__ +- Make IPAAbstractVersion available to all platforms + `commit `__ +- test_console: rework matching to adjust to Python 3.13 + `commit `__ +- pylint: do not use return at the end of flow + `commit `__ +- fix 
used-before-assignment errors where pylint cannot infer logic + `commit `__ +- Move wheel constraints to F41+ + `commit `__ +- freeipa.spec.in: do not recommend encrypted DNS on pre-F42 systems + `commit `__ +- freeipa.spec.in: update BIND-related dependencies + `commit `__ + `#9696 `__ +- ipa-dnskeysyncd: use systemd-tmpfiles to handle tokens + `commit `__ + `#9696 `__ +- DNS: detect when OpenSSL engine should be removed on upgrade + `commit `__ + `#9696 `__ +- Use OpenSSL provider with BIND for Fedora 42+ and RHEL10+ + `commit `__ + `#9696 `__ +- Revert "add sourcery.ai github action" + `commit `__ +- add sourcery.ai github action + `commit `__ +- ipatests: add a test to use full 32-bit ID range space + `commit `__ + `#9757 `__ +- baseuser: allow uidNumber and gidNumber of 32-bit range + `commit `__ + `#9757 `__ +- update_dna_shared_config: do not fail when config is not found + `commit `__ + `#9757 `__ +- config-mod: allow disabling subordinate ID integration + `commit `__ + `#9757 `__ +- Reintroduce test_idp to gating tests + `commit `__ + `#9734 `__ +- Migrate Keycloak tests to JDK 21 and Keycloak 26 + `commit `__ +- ipa-otpd: do not pass OIDC client secret if there is none to pass + `commit `__ + `#9734 `__ +- ipa tools: remove sensitive material from the commandline + `commit `__ +- Unify use of option parsers + `commit `__ +- ipa-pwd-extop: clarify OTP use over LDAP binds + `commit `__ + `#9699 `__, + `#9711 `__ +- ipalib/x509: support PyCA 44.0 + `commit `__ + `#9708 `__ +- Revert "readthedocs: install crypto 43.0.0" + `commit `__ +- ipaserver/dcerpc: support Samba 4.21 + `commit `__ + `#9702 `__ +- vault: handle pyca InternalError exception for PKCS#1 v1.5 padding + `commit `__ + `#9689 `__ +- web ui: Add explicit white border for QR code widget + `commit `__ + `#9202 `__ +- Extend nightly tests with Cockpit test + `commit `__ + `#9675 `__ +- Minimal test for Cockpit integration on IPA master + `commit `__ + `#9675 `__ +- selinux: allow Cockpit to use 
HTTP keytab on IPA servers + `commit `__ + `#9675 `__ +- selinux: add all IPA log files to ipa_log_t file context + `commit `__ + `#9654 `__ +- Remove NIS server support + `commit `__ + `#9363 `__ +- Get rid of unicode and long helpers in ipa-otptoken-import + `commit `__ + `#9641 `__ +- ipalib/constants.py: factor out TripleDES use + `commit `__ + `#9641 `__ +- ipalib/x509.py: get rid of unicode helper + `commit `__ + `#9644 `__ +- ipalib/x509.py: support Cryptography 43 + `commit `__ + `#9641 `__ + +.. _anuja_more_5: + +Anuja More (7) +~~~~~~~~~~~~~~ + +- ipatests: Refactor and port trust functional SUDO tests. + `commit `__ + `#9845 `__ +- Revert "Temp commit" + `commit `__ +- ipatests: Refactor and port trust functional HBAC tests. + `commit `__ + `#9845 `__ +- ipatests: Add comprehensive tests for ipa-client-automount --domain + option + `commit `__ + `#9780 `__ +- ipatests: Remove xfail from test_installation::test_number_of_zones + `commit `__ + `#9135 `__ +- ipatests: Update ipatests to test topology with multiple domain. + `commit `__ + `#9657 `__ +- Added template for ad_master_1replica_1client + `commit `__ + +.. _andi_chandler_2: + +Andi Chandler (3) +~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (English (United Kingdom)) + `commit `__ +- Translated using Weblate (English (United Kingdom)) + `commit `__ +- Translated using Weblate (English (United Kingdom)) + `commit `__ + +.. 
_antonio_torres_10: + +Antonio Torres (11) +~~~~~~~~~~~~~~~~~~~ + +- eDNS: disable dnsconfd before configuring Unbound + `commit `__ + `#9859 `__ +- dns: disable all previous Unbound configuration before deploying ours + `commit `__ + `#9814 `__ +- dns: only overwrite resolv.conf during eDNS setup when needed + `commit `__ + `#9813 `__ +- Fix inconsistency in manpage for DoT forwarder option + `commit `__ + `#9804 `__ +- dns: don't populate forwarders with DoT forwarders + `commit `__ + `#9748 `__ +- dns: only disable unbound when DoT is enabled + `commit `__ +- spec: add unbound requirement and template file + `commit `__ +- PRCI: add definitions for DNS over TLS tests + `commit `__ +- ipatests: add tests for DNS over TLS + `commit `__ +- Add DNS over TLS support + `commit `__ +- Bump to IPA 4.13 + `commit `__ + +.. _arif_budiman_2: + +Arif Budiman (2) +~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Indonesian) + `commit `__ +- Translated using Weblate (Indonesian) + `commit `__ + +.. _aleksandr_sharov_4: + +Aleksandr Sharov (6) +~~~~~~~~~~~~~~~~~~~~ + +- Correctly recognize OID 2.5.4.97, organizationIdentifier as a + subject/issuer DN of the CA certificate + `commit `__ + `#9866 `__ +- Allow ipa tool to force specific server + `commit `__ + `#9744 `__ +- Test fix for the update + `commit `__ + `#9760 `__ +- Add a check into ipa-cert-fix tool to avoid updating certs if CA is + close to being expired. + `commit `__ + `#9760 `__ +- Add PR-CI definitions + `commit `__ + `#9612 `__ +- Add ipa-idrange-fix + `commit `__ + `#9612 `__ + +.. _carla_martinez_1: + +Carla Martinez (2) +~~~~~~~~~~~~~~~~~~ + +- Modern WebUI version v0.1.7 + `commit `__ +- Fix: 'Organization' field in Okta not required + `commit `__ + `#9687 `__ + +.. 
_david_hanina_8: + +David Hanina (11) +~~~~~~~~~~~~~~~~ + +- Fix webui submodule copr build + `commit `__ +- Add info about modern webui + `commit `__ +- Add modern webui build + `commit `__ +- Fix terminal height for Rawhide + `commit `__ + `#9824 `__ +- Warn when UID is out of local ID ranges + `commit `__ + `#9781 `__ +- Require baserid and secondarybaserid + `commit `__ + `#9779 `__ +- Correct dnsrecord\_\* tests for --raw --structured + `commit `__ + `#9768 `__ +- Disallow removal of dogtag and ipa-dnskeysyncd services on IPA + servers + `commit `__ + `#9764 `__ +- Disable --raw and --structured together + `commit `__ + `#9756 `__ +- Skip for unpatched freeipa-healthcheck + `commit `__ +- Replace fips-mode-setup + `commit `__ + `#9750 `__ + +.. _erik_belko_2: + +Erik Belko (2) +~~~~~~~~~~~~~~ + +- man: fix formatting and syntax issues + `commit `__ +- ipatests: Update ipa-adtrust-install test + `commit `__ + `#9655 `__ + +.. _emilio_herrera_1: + +Emilio Herrera (1) +~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Spanish) + `commit `__ + +.. _finn_krein_schuch_1: + +Finn Krein-Schuch (1) +~~~~~~~~~~~~~~~~~~~~~ + +- Use mod_auth_gssapi option GssapiNegotiateOnce + `commit `__ + `#5614 `__ + +.. 
_florence_blanc_renaud_84: + +Florence Blanc-Renaud (112) +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- ipatests: fix teardown of TestIpaCertFix + `commit `__ + `#9888 `__ +- test_ipahealthcheck_dogtag_ca_connectivity_check: update expected msg + `commit `__ + `#9881 `__ +- temp_commit: revert to the version pre 0b521f7 + `commit `__ +- ipatests: mark test_dnssec as xfail in fips mode + `commit `__ + `#9785 `__ +- FIPS mode: openssl pkcs12 command needs -nomacver option + `commit `__ + `#9878 `__ +- test_sudo: do not clean the cache for offline cache tests + `commit `__ + `#9874 `__ +- test_idp: use more recent keycloak server + `commit `__ + `#9833 `__ +- PRCI: switch testing from f41 and f42 to f42 and f43 + `commit `__ +- Backup-restore: backup krb5.conf.d snippet files + `commit `__ + `#9870 `__ +- TestHttpKdcProxy: use the snippet file for krb5 config + `commit `__ + `#9871 `__ +- Localization: remove zh_Hant file + `commit `__ +- Modern webui: refresh to the tip of main branch + `commit `__ +- Azure: fix WebUI tests + `commit `__ +- Azure: fix the configuration issue + `commit `__ +- Azure CI: Use F43 + `commit `__ +- ipatests: mark test_scale_add_subca as xfail + `commit `__ +- Integration test: fix teardown of test_expiration_date_post_2038 + `commit `__ +- test_cert: adapt the expect error message to PKI 11.7.0-5 + `commit `__ +- Revert "Tests xmlrpc: mark xfail tests requesting cert with subca" + `commit `__ +- PRCI tests: update vagrant image with latest PKI / certmonger package + `commit `__ +- ipatests: fix TestIpaClientAutomountDiscovery + `commit `__ +- Spec file: bump version for 389-ds + `commit `__ +- Tests xmlrpc: mark xfail tests requesting cert with subca + `commit `__ +- ipatests: extend test for unique krbcanonicalname + `commit `__ +- ipatests: fix TestIPAMigratewithBackupRestore setup + `commit `__ + `#9858 `__ +- ipatests: add xfail for TestKRAinstallAfterCertRenew + `commit `__ + `#9763 `__ +- ipatests: exclude TomcatFileCheck when RSN are enabled + 
`commit `__ +- ipatests: update the Let's Encrypt cert chain + `commit `__ + `#9857 `__ +- azure webui tests: force chromium version + `commit `__ +- ipatests: fix test_otp + `commit `__ + `#9849 `__ +- xmlrpc test: fix test_find_orphan_automember_rules + `commit `__ + `#9850 `__ +- ipatests: remove xfail for PKI 11.7 + `commit `__ + `#9606 `__ +- ipatests: fix test_certmonger_ipa_responder_jsonrpc + `commit `__ + `#9848 `__ +- DNS over TLS: use system trust store + `commit `__ + `#9838 `__ +- Spec file: bump samba version to 4.23.0 in f43 and above + `commit `__ + `#9843 `__ +- Spec file: use nodejs22 on fedora 41+ + `commit `__ + `#9836 `__ +- ipatests: fix test_adtrust_install_with_non_ipa_user + `commit `__ + `#9812 `__ +- ipa-idrange-fix: check that IPA server is installed + `commit `__ + `#9809 `__ +- ipatests: fix invalid range creation in test_ipa_idrange_fix.py + `commit `__ + `#9801 `__ +- ipatests: fix xfail annotation for test_ipa_healthcheck_fips_enabled + `commit `__ + `#9791 `__ +- ipatests: skip encrypted dns tests on fedora 41 + `commit `__ + `#9799 `__ +- ipa config-mod: fix internalerror when setting an empty + ipaconfigstring + `commit `__ + `#9794 `__ +- ipatests: test_manual_renewal_master_transfer must wait for + replication + `commit `__ + `#9790 `__ +- azure pipeline: disable InstallDNSSECFirst + `commit `__ +- ipatests: add extensions to server certificates for CAless mode + `commit `__ + `#9787 `__ +- dns install: fix selinux avc relabelto + `commit `__ + `#9782 `__ +- PRCI tests: update vagrant image with latest bind package + `commit `__ +- Azure CI: use podman instead of docker through emulation + `commit `__ +- azure pipeline: skip step disabling conflicting apparmor profile + `commit `__ +- azure pipeline: replace ubuntu-20.04 with 24.04 + `commit `__ +- ipatests: fix test_idp + `commit `__ + `#9769 `__ +- PRCI: switch testing from f40 and f41 to f41 and f42 + `commit `__ +- PRCI definitions: update vagrant box version for rawhide + 
`commit `__ +- ipatests: update fedora41 vagrant box to 0.0.2 + `commit `__ +- gating tests: add + test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust + `commit `__ +- idrange: use minvalue=0 for baserid and secondarybaserid + `commit `__ + `#9765 `__ +- ipatest: make test_cert more robust to replication delays + `commit `__ + `#9762 `__ +- Leapp upgrade: skip systemctl calls + `commit `__ +- ipatests: adapt error code and message for samba 4.22 + `commit `__ + `#9751 `__ +- WebUI: fix the tooltip for Search Size limit + `commit `__ + `#9758 `__ +- vault: remove PKIConnection deprecation warning + `commit `__ + `#9754 `__ +- ipatests: use "sos report" instead of "sosreport" command + `commit `__ + `#9752 `__ +- ipatests: simulate FIPS mode and install replica + `commit `__ + `#9002 `__ +- ipatests: on rhel10 do not install firefox + `commit `__ +- ipatests: restart dirsrv after time jumps + `commit `__ +- ipatests: skip test_ipahealthcheck_ds_configcheck for recent versions + `commit `__ + `#9730 `__ +- Nightly tests: add test_ipahelthcheck to 389ds pipeline + `commit `__ +- ipatests: force the version for uninstall/reinstall + `commit `__ + `#9723 `__ +- Fix pylint issue in ipatests/i18n.py + `commit `__ +- ipatests: certbot removed the --manual-public-ip-logging-ok parameter + `commit `__ + `#9724 `__ +- Temp commit: move to fedora 41 + `commit `__ +- Cert renewal: update the trust flags for audit cert + `commit `__ + `#9705 `__ +- Dogtag instance: add method to create temp password file + `commit `__ + `#9705 `__ +- KRA cert renewal: update ca.connector.KRA.transportCert + `commit `__ + `#9692 `__ +- Installation test: KRA on replica after cert renewal + `commit `__ + `#9692 `__ +- Fix copr build + `commit `__ +- readthedocs: install crypto 43.0.0 + `commit `__ +- webuitests: adapt to Random Serial Numbers + `commit `__ + `#9707 `__ +- ipatests: pruning is enabled by default with LMDB + `commit `__ + `#9706 `__ +- ipatests: install master with 
allow-zone-overlap + `commit `__ + `#9697 `__ +- Nightly test def: fix topology for test_IPAMigrateADTrust + `commit `__ +- Tests: migrate to f40/f41 + `commit `__ +- ipa-migrate man page: fix typos and errors + `commit `__ + `#9681 `__ +- test_ipahealthcheck: skip connectivity_and_data check + `commit `__ + `#9668 `__ +- Nightly test definition: use master_1repl topology for idrange_fix + `commit `__ +- test_adtrust_install: add --use-krb5-ccache to smbclient command + `commit `__ + `#9666 `__ +- ipatests: provide a ccache to rpcclient deletetrustdom + `commit `__ + `#9667 `__ +- azure pipeline: use latest version of DownloadPipelineArtifact task + `commit `__ +- UnsafeIPAddress: pass flag=0 to IPNetwork + `commit `__ + `#9645 `__ +- azure tests: move to fedora 40 + `commit `__ +- Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12 + `commit `__ + `#9577 `__ +- ipatests: Add missing comma in test_idrange_no_rid_bases_reversed + `commit `__ + `#9656 `__ +- HSM: fix the module name + `commit `__ + `#9636 `__ +- trust-add: handle unavailable domain + `commit `__ + `#9488 `__ +- ipatests: skip HSM test if pki < 11.5.9 + `commit `__ + `#9648 `__ +- ipatests: increase the timeout for test_hsm.py::TestHSMInstall + `commit `__ +- Replica CA installation: ignore time skew during initial replication + `commit `__ + `#9635 `__ +- spec file: do not use nodejs-22 on f39 and f40 + `commit `__ + `#9643 `__ +- ipatests: remove xfail for test_ipa_migrate_stage_mode + `commit `__ + `#9621 `__ +- ipatests: remove xfail for test_ipa_migrate_version_option + `commit `__ + `#9620 `__ +- test_replica_install_after_restore: kinit after restore + `commit `__ + `#9613 `__ +- Uninstall: stop sssd-kcm before removing KCM ccaches database + `commit `__ + `#9616 `__ +- ipa-ods-enforcer: stop must also stop the socket + `commit `__ + `#9613 `__ +- ipatests: fix / permissions for test_nested_group_members + `commit `__ + `#9615 `__ +- ipatests: fix / permissions to allow ssh with 
private key + `commit `__ + `#9607 `__ +- ipatests: mark test_ca_show_error_handling as xfail + `commit `__ + `#9606 `__ +- Gating and nightly tests: move to f39/f40 + `commit `__ +- ipatests: add test for PKINIT renewal on hidden replica + `commit `__ + `#9611 `__ +- PKINIT certificate: fix renewal on hidden replica + `commit `__ + `#9611 `__ +- ipatests: add test for ticket 9610 + `commit `__ + `#9610 `__ +- spec file: do not create /etc/ssh/ssh_config.orig if unchanged + `commit `__ + `#9610 `__ +- ipa-otptoken-import: open the key file in binary mode + `commit `__ + `#9609 `__ + +.. _frederik_himpe_2: + +Frederik Himpe (2) +~~~~~~~~~~~~~~~~~~ + +- Make path of Samba lock directory configurable and use /run/samba on + Debian + `commit `__ +- Make name of nobody group configurable and use nogroup on Debian + `commit `__ + `#9753 `__ + +.. _fco._javier_f._serrador_2: + +Fco. Javier F. Serrador (2) +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Spanish) + `commit `__ +- Translated using Weblate (Spanish) + `commit `__ + + +.. _francisco_trivino_3: + +Francisco Trivino (2) +~~~~~~~~~~~~~~~~~~~~~ + +- doc/designs: add encrypted DNS design documents + `commit `__ + `#9605 `__ +- ipatests: increase delays for WebUI host test + `commit `__ + `#9721 `__ + +.. _fraser_tweedale_1: + +Fraser Tweedale (1) +~~~~~~~~~~~~~~~~~~~ + +- Refactor installer cert issuance to use pki python lib + `commit `__ + `#9738 `__ + +.. _dmytro_markevych_1: + +Dmytro Markevych (1) +~~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Ukrainian) + `commit `__ + +.. _ian_brown_1: + +Ian Brown (1) +~~~~~~~~~~~~~ + +- Replace instances of del os.environ with os.environ.pop + `commit `__ + `#9450 `__ + +.. 
_julien_rische_9: + +Julien Rische (11) +~~~~~~~~~~~~~~~~~ + +- ipatests: fix kdcproxy tests against AD + `commit `__ +- ipa-kdb: enforce PAC presence on TGT for TGS-REQ + `commit `__ +- Add test for master key upgrade + `commit `__ +- Use ipaplatform tasks for krb5 enctypes + `commit `__ +- ipa-kdb: support storing multiple KVNO for the same principal + `commit `__ + `#9370 `__ +- kdb: keep ipadb_get_connection() from succeeding with null LDAP + context + `commit `__ + `#9777 `__ +- ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op + `commit `__ + `#9772 `__ +- Remove RC4 and 3DES default encryption types on update + `commit `__ + `#9633 `__ +- Unconditionally add MS-PAC to global config on update + `commit `__ + `#9632 `__ +- kdb: apply combinatorial logic for ticket flags + `commit `__ +- kdb: fix vulnerability in GCD rules handling + `commit `__ + +.. _jonathan_steffan_1: + +Jonathan Steffan (1) +~~~~~~~~~~~~~~~~~~~~ + +- workshop: Increase RAM for VMs to Avoid OOM + `commit `__ + `#9720 `__ + +.. _léane_grasser_1: + +Léane GRASSER (1) +~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (French) + `commit `__ + +.. _takahashi_masatsuna_1: + +TAKAHASHI Masatsuna (1) +~~~~~~~~~~~~~~~~~~~~~~~ + +- ipa-advise ipa-backup ipa-restore: Fix --v option of the manual. + `commit `__ + `#9617 `__ + +.. _shunsuke_matsumoto_1: + +Shunsuke matsumoto (1) +~~~~~~~~~~~~~~~~~~~~~~ + +- The -d option of the ipa-advise command was able to used. + `commit `__ + `#9625 `__ + +.. _miro_hrončok_1: + +Miro Hrončok (1) +~~~~~~~~~~~~~~~~ + +- Stop using deprecated pkg_resources + `commit `__ + `#9676 `__ + +.. _michal_polovka_1: + +Michal Polovka (1) +~~~~~~~~~~~~~~~~~~ + +- ipatests: test_fips: Remove obsolete patch + `commit `__ + `#9810 `__ + +.. 
_mark_reynolds_14: + +Mark Reynolds (14) +~~~~~~~~~~~~~~~~~~ + +- ipa-migrate - only remove repl state attribute options + `commit `__ + `#9784 `__ +- ipa-migrate - improve suffix replacement + `commit `__ + `#9776 `__ +- ipa-migrate - do not process AD entgries in staging mode + `commit `__ + `#9776 `__ +- ipa-migrate - remove replication state information + `commit `__ + `#9776 `__ +- ipa-migrate - do not migrate tombstone entries, ignore + MidairCollisions, and krbpwdpolicyreference + `commit `__ + `#9737 `__ +- ipa-migrate should migrate dns forward zones + `commit `__ + `#9686 `__ +- ipa-migrate - dryrun write updates crashes when removing values + `commit `__ + `#9682 `__ +- Do not let user with an expired OTP token to log in if only OTP is + allowed + `commit `__ + `#9387 `__ +- ipa-migrate - fix alternate entry search filter + `commit `__ + `#9658 `__ +- ipa-migrate - fix migration issues with entries using ipaUniqueId in + the RDN + `commit `__ + `#9640 `__ +- ipa-migrate - properly handle invalid certificates + `commit `__ + `#9642 `__ +- Issue 9621 - ipa-migrate - should not update mapped attributes in + managed entries + `commit `__ + `#9621 `__ +- ipa-migrate - starttls does not work + `commit `__ + `#9619 `__ +- ipa-migrate - remove -V option + `commit `__ + `#9620 `__ + +.. _madhuri_upadhye_1: + +Madhuri Upadhye (1) +~~~~~~~~~~~~~~~~~~~ + +- ipatests: 2FA test cases + `commit `__ + +.. _mohammad_rizwan_3: + +Mohammad Rizwan (3) +~~~~~~~~~~~~~~~~~~~ + +- ipatests: refactor password file handling in TestHSMInstall + `commit `__ +- ipatests: Verify that SIDgen task continue even if it fails to assign + sid + `commit `__ + `#9618 `__ +- ipatests: tests related to --token-password-file + `commit `__ + `#9603 `__ + +.. _n_m_1: + +N M (1) +~~~~~~~ + +- Translated using Weblate (Spanish) + `commit `__ + +.. 
_weblate_translation_memory_1: + +Weblate Translation Memory (2) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Georgian) + `commit `__ +- Translated using Weblate (Finnish) + `commit `__ + +.. _weblate_1: + +Weblate (2) +~~~~~~~~~~~ + +- Update translation files + `commit `__ +- Update translation files + `commit `__ + +.. _oğuz_ersen_1: + +Oğuz Ersen (1) +~~~~~~~~~~~~~~ + +- Translated using Weblate (Turkish) + `commit `__ + +.. _piotr_drąg_1: + +Piotr Drąg (1) +~~~~~~~~~~~~~~ + +- Translated using Weblate (Polish) + `commit `__ + +.. _pejman_rezaei_1: + +Pejman Rezaei (1) +~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Persian) + `commit `__ + +.. _pranav_thube_1: + +PRANAV THUBE (4) +~~~~~~~~~~~~~~~~ + +- ipatests: Add new test cases with extended automount plugin + attributes + `commit `__ +- Port bash sudo tests. + `commit `__ +- Extended eDNS testsuite with Relaxed policy testcases. 1. Relaxed + policy without certs and including --no-dnssec-validation 2. Relaxed + policy with external CA and including --no-dnssec-validation + `commit `__ +- ipatests: Ignore /run/log/journal in test_uninstallation.py + `commit `__ + `#9788 `__ + +.. _rafael_fontenelle_1: + +Rafael Fontenelle (1) +~~~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Spanish) + `commit `__ + +.. 
_rob_crittenden_49: + +Rob Crittenden (73) +~~~~~~~~~~~~~~~~~~~ + +- Don't assume the server has a CA service when issuing certificates + `commit `__ + `#9879 `__ +- Revert "Temp commit" + `commit `__ +- PR-CI: Run test_installation_TestInstallKeySizes in the nightlies + `commit `__ + `#9738 `__ +- Move some functions to installutils to be more independent + `commit `__ + `#9738 `__ +- Detect the highest API version the remote server supports + `commit `__ + `#9738 `__ +- Refine restricting CA profiles to known subjects + `commit `__ + `#9738 `__ +- Sort when comparing tuples in the xmlrpc tests + `commit `__ +- Set minimum version of certmonger and PKI for PKI-API + `commit `__ + `#9738 `__ +- Reduce the log level before calling PKI functions + `commit `__ + `#9738 `__ +- Retrieve all cert profiles from the CA with --all + `commit `__ + `#9738 `__ +- Configure renewals to use the IPA JSON API + `commit `__ + `#9738 `__ +- Use PKIClient instead of deprecated PKIConnection + `commit `__ + `#9738 `__ +- Remove the RestClient class + `commit `__ + `#9738 `__ +- Use the APIClient instead of direct REST calls for ACME + `commit `__ + `#9738 `__ +- Replace REST with PKI python API for cert and LWCA + `commit `__ + `#9738 `__ +- Add config option for RSA key size for HTTP, DS, PKINIT, RA certs + `commit `__ + `#9738 `__ +- Use the pki tool to bootstrap certificates during installation + `commit `__ + `#9738 `__ +- Temp commit + `commit `__ +- Include the HSM token name when creating LWCAs + `commit `__ + `#9865 `__ +- Use Augeas when updating dbmodules in krb5.conf + `commit `__ + `#5913 `__, + `#9862 `__ +- Add support for libpwpolicy credit to password policy + `commit `__ + `#9835 `__ +- Enforce uniqueness across krbprincipalname and krbcanonicalname + `commit `__ +- Catch decoding errors in CertificateSigningRequest parameters + `commit `__ + `#9738 `__ +- Don't let lack of subca in PKI prevent LDAP deletion + `commit `__ + `#9738 `__ +- Test that password expiration 
date past 2038 works + `commit `__ + `#2496 `__ +- Test that certificates beyond 2038 can be parsed + `commit `__ + `#2496 `__ +- Add token options to immutables for pki override + `commit `__ +- Set krbCanonicalName=admin@REALM on the admin user + `commit `__ +- Fix some issues identified by a static analyzer + `commit `__ + `#9365 `__, + `#9468 `__ +- Add --domain option to ipa-client-automount for DNS discovery + `commit `__ + `#9780 `__ +- Test: dnf5 handles updating itself differently than dnf4 + `commit `__ +- Make the Azure template work with both dnf4 and dnf5 + `commit `__ +- Azure CI: Use F42 + `commit `__ +- Address deprecation warning in ipa-replica-manage + `commit `__ + `#9771 `__ +- Don't require certificates to have unique ipaCertSubject + `commit `__ + `#9652 `__ +- Drop python 2 support in ipaserver/install/ca.py + `commit `__ +- Drop python 2 support in installutils.py + `commit `__ +- Drop python v2 in ipaserver/install/certs.py for lint errors + `commit `__ + `#9738 `__ +- Log failed auth attempts over LDAP when a user is locked + `commit `__ + `#9742 `__ +- Remove the migration of the RA cert from mod_nss to mod_ssl + `commit `__ + `#9739 `__ +- Remove migration from mod_nss to mod_ssl + `commit `__ + `#9739 `__ +- Fix some memory errors identified by a static analyzer + `commit `__ + `#9698 `__ +- Use new(er) PKI connection API in ipa-pki-wait-running + `commit `__ + `#9691 `__ +- Validate the default e-mail domain in the config plugin + `commit `__ + `#9680 `__ +- Align startup_timeout with the systemd default and document it + `commit `__ + `#9743 `__ +- Configure the pki-tomcatd service systemd timeout + `commit `__ + `#9743 `__ +- Suppress spurious failure messages when uninstalling ACME + `commit `__ + `#9740 `__ +- Add a message where the ipa service restarted at end of install + `commit `__ + `#9741 `__ +- Write out the PKI admin certificate as a PEM file + `commit `__ + `#9735 `__ +- Apply certmonger_timeout to start_tracking and 
request_cert + `commit `__ + `#9725 `__ +- Add 30-second timeout for certmonger request/start tracking + `commit `__ + `#9725 `__ +- Pass all pkiuser groups as suplementary when validating an HSM + `commit `__ + `#9709 `__ +- Allow looking up constants.Group by gid in addition to name + `commit `__ + `#9709 `__ +- Don't drop certificates in cert-find if the LWCA was removed + `commit `__ + `#9661 `__ +- Enable pruning when Random Serial Numbers are enabled + `commit `__ + `#9661 `__ +- Set required version of 389-ds for VLV fix on F40/41 + `commit `__ +- Add RSN-by-default test to nightly builds + `commit `__ + `#9661 `__ +- ipatests: Test that when lmdb is available, enable RSN + `commit `__ + `#9661 `__ +- Change default to RSN when 389-ds uses the mdb backend + `commit `__ + `#9661 `__ +- Small fixup to determine which ACME uninstaller to use + `commit `__ + `#9673 `__, + `#9674 `__ +- Don't rely on removing the CA to uninstall the ACME depoyment + `commit `__ + `#9673 `__, + `#9674 `__ +- Fix some resource leaks identified by a static analyzer + `commit `__ + `#9367 `__ +- Ignore TripleDES python-cryptography import warnings + `commit `__ + `#9641 `__ +- Correct usage of public_key_algorithm_oid in ipalib/x509 + `commit `__ + `#9641 `__ +- Force a logout in KerberosSession if a login is needed + `commit `__ + `#9624 `__ +- Log errors reported by adtrustinstance.check_inst() using logger + `commit `__ + `#9637 `__ +- ipatests: Fix usage of token_password_file + `commit `__ + `#9603 `__ +- Run HSM validation as pkiuser to verify token permissions + `commit `__ + `#9626 `__ +- Fix a copy/paste issue when detecting the HSM SELinux subpackage + `commit `__ + `#9636 `__ +- Include token password options in ipa-kra-install man page + `commit `__ + `#9603 `__ +- Re-organize HSM validation to be more consistent/less duplication + `commit `__ + `#9603 `__ +- Fix syntax error in the selinux-luna %postun script + `commit `__ + `#9629 `__ +- Use a unique task name for each 
backend in ipa-backup + `commit `__ + `#9584 `__ + +.. _ricky_tigg_3: + +Ricky Tigg (3) +~~~~~~~~~~~~~~ + +- Translated using Weblate (Finnish) + `commit `__ +- Translated using Weblate (Finnish) + `commit `__ +- Translated using Weblate (Finnish) + `commit `__ + +.. _rafael_guterres_jeffman_1: + +Rafael Guterres Jeffman (2) +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- ipa-idrange-fix: Fix typo when ID under 1000 is present. + `commit `__ + `#9885 `__ +- Use correct capitalization for GitHub and GitLab + `commit `__ + `#9811 `__ + +.. _sam_morris_2: + +Sam Morris (2) +~~~~~~~~~~~~~~ + +- Fix ipa-client-install failure when a trusted CA's distinguished name + contains slash characters + `commit `__ + `#8924 `__ +- Fix a couple of instances of the "no-break control character" being + used inadvertently + `commit `__ + `#9665 `__ + +.. _sumit_bose_1: + +Sumit Bose (1) +~~~~~~~~~~~~~~ + +- ipa-otpd: use oidc_child's --client-secret-stdin option + `commit `__ + +.. _김인수_2: + +김인수 (2) +~~~~~~~~~~ + +- Translated using Weblate (Korean) + `commit `__ +- Translated using Weblate (Korean) + `commit `__ + +.. _stanislav_levin_4: + +Stanislav Levin (4) +~~~~~~~~~~~~~~~~~~~ + +- install: make use of shared temp directory for hsm validation + `commit `__ + `#9831 `__ +- adtrust: add missing ipaAllowedOperations objectclass + `commit `__ + `#9471 `__, + `#9712 `__ +- pyca: adapt import paths for TripleDES cipher + `commit `__ + `#9708 `__ +- ipatests: make TestDuplicates teardowns order agnostic + `commit `__ + `#9571 `__ + +.. _sumedh_sidhaye_2: + +Sumedh Sidhaye (2) +~~~~~~~~~~~~~~~~~~ + +- Temp commit + `commit `__ +- Validate message to check if not a trust agent/controller Previously + the check would return an empty SUCCESS message. + `commit `__ + + +.. 
_sudhir_menon_23: + +Sudhir Menon (22) +~~~~~~~~~~~~~~~~~ + +- ipatests: Nightly definitions for TestIPAMigratewithBackupRestore + `commit `__ +- ipatests: Tests for ipa-migrate tool with ldif file + `commit `__ + `#9776 `__ +- ipatests: prci nightly definitions for 32BitIdranges + `commit `__ +- ipatests: Tests for 32BitIdranges. + `commit `__ +- Added TestIPAHealthcheckWithCALess to nightly yaml file. + `commit `__ +- ipatests: ipahealthcheck warns for user provided certificates about + to expire + `commit `__ +- ipatests: Tests for krbLastSuccessfulAuth warning + `commit `__ +- ipatests: Test to check dot forwarders are added to unbound. + `commit `__ +- ipatests: Fix for ipa-healthcheck test in FIPS Mode + `commit `__ +- ipatests: Tests to check data in journal log + `commit `__ +- Fix the typo in ipa_migrate_constants. + `commit `__ + `#9715 `__ +- ipatests: Updated nightly definitions for ipa-ipa-migration + `commit `__ +- ipatests: Tests for ipa-migrate tool + `commit `__ +- ipatests: Test for ipa hbac rule duplication + `commit `__ + `#9640 `__ +- ipatests: Activate ssh in sssd.conf + `commit `__ + `#9649 `__ +- ipatests: Fixes for ipa-idrange-fix testsuite + `commit `__ +- ipatests: Check Default PAC type is added to config + `commit `__ + `#9632 `__ +- ipatests: Test to check that the configured value for + "nsslapd-ignore-time-skew" remains on even after a "force-sync" is + done + `commit `__ + `#9635 `__ +- ipatests: Replace 'usermod -r' command with 'gpasswd -d' in + test_hsm.py + `commit `__ + `#9626 `__ +- ipatests: ipa-migrate tool with -Z option (CACERTFILE) + `commit `__ +- Added new testsuite(ipa_ipa_migration) in prci definitions + `commit `__ +- ipatests: Tests for ipa-ipa migration tool + `commit `__ + +.. 
_temuri_doghonadze_3: + +Temuri Doghonadze (5) +~~~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Georgian) + `commit `__ +- Translated using Weblate (Georgian) + `commit `__ +- Translated using Weblate (Georgian) + `commit `__ +- Translated using Weblate (Georgian) + `commit `__ +- Translated using Weblate (Georgian) + `commit `__ + +.. _thomas_woerner_5: + +Thomas Woerner (5) +~~~~~~~~~~~~~~~~~~ + +- Replica: Request cert for DoT before setting up bind + `commit `__ + `#9808 `__ +- ipaserver/install/dns.py: Allow to Turn off DNSSEC validation for + unbound + `commit `__ + `#9805 `__ +- ipa-client-install: New --no-dnssec-validation option + `commit `__ + `#9805 `__ +- ipa-client-install: Fix nsupdate issues when dns_over_tls is enabled + `commit `__ + `#9806 `__ +- ipa_sidgen: Allow sidgen_task to continue after finding issues + `commit `__ + `#9618 `__ + +.. _vectinx_1: + +vectinx (1) +~~~~~~~~~~~ + +- slapi-plugins: Add replication checking to the Modrdn plugin + `commit `__ + `#9867 `__ + +.. _vasily_parfenov_1: + +Vasily Parfenov (1) +~~~~~~~~~~~~~~~~~~~ + +- man: fix incorrect groff syntax in man pages + `commit `__ + +.. _wouter_schoot_1: + +Wouter Schoot (1) +~~~~~~~~~~~~~~~~~ + +- Update 11-kerberos-ticket-policy.rst + `commit `__ + +.. _yaakov_selkowitz_1: + +Yaakov Selkowitz (1) +~~~~~~~~~~~~~~~~~~~~ + +- spec: Use nodejs22 on RHEL 10 and ELN + `commit `__ + +.. _yuri_chornoivan_1: + +Yuri Chornoivan (1) +~~~~~~~~~~~~~~~~~~~ + +- Translated using Weblate (Ukrainian) + `commit `__
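Review bot: the entry "kdb: fix vulnerability in GCD rules handling" in the Julien Rische list carries only a commit link, with no ticket or advisory reference, so an operator reading these notes cannot tell what is affected or how urgently to upgrade. Add the tracking ticket or advisory identifier next to it, the way neighbouring entries carry their `#NNNN` links; the same applies to "ipa-kdb: enforce PAC presence on TGT for TGS-REQ" just above it. In the same section, the heading "Julien Rische (11)" is 18 characters over a 17-character `~` underline, which docutils reports as "Title underline too short"; extend the underline by one. The label suffixes also no longer match the counts in the headings (`_julien_rische_9` for 11 entries, `_rob_crittenden_49` for 73, `_sudhir_menon_23` for 22), which suggests the labels were not regenerated with the lists. Finally, consider filtering "Temp commit", "Revert "Temp commit"" and "Temp commit: move to fedora 41" out of the published changelog, since they describe no change a reader can act on.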