-
Tue Aug 01 2017 EL Errata <el-errata_ww@oracle.com> - 4.5.0-20.0.1
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
-
Tue Jun 27 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-20.el7
- Resolves: #1452216 Replica installation grants HTTP principal
access in WebUI
- Make sure we check ccaches in all rpcserver paths
-
Wed Jun 21 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-19.el7
- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
- ipa-sam: replace encode_nt_key() with E_md4hash()
- ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
IP address is not found on local interfaces
- Fix local IP address validation
- ipa-dns-install: remove check for local ip address
- refactor CheckedIPAddress class
- CheckedIPAddress: remove match_local param
- Remove ip_netmask from option parser
- replica install: add missing check for non-local IP address
- Remove network and broadcast address warnings
-
Thu Jun 15 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-18.el7
- Resolves: #1449189 ipa-kra-install timeouts on replica
- kra: promote: Get ticket before calling custodia
-
Wed Jun 14 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-17.el7
- Resolve: #1455946 Provide a tooling automating the configuration
of Smart Card authentication on a FreeIPA master
- server certinstall: update KDC master entry
- pkinit manage: introduce ipa-pkinit-manage
- server upgrade: do not enable PKINIT by default
- Extend the advice printing code by some useful abstractions
- Prepare advise plugin for smart card auth configuration
- Resolve: #1461053 allow to modify list of UPNs of a trusted forest
- trust-mod: allow modifying list of UPNs of a trusted forest
- WebUI: add support for changing trust UPN suffixes
-
Wed Jun 07 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-16.el7
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
IP address is not found on local interfaces
- Only warn when specified server IP addresses don't match intf
- Resolves: #1438016 gssapi errors after IPA server upgrade
- Bump version of python-gssapi
- Resolves: #1457942 certauth: use canonical principal for lookups
- ipa-kdb: use canonical principal in certauth plugin
- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid
breaking older clients
- Add code to be able to set default kinit lifetime
- Revert setting sessionMaxAge for old clients
-
Wed Jun 07 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-15.el7
- Resolves: #1442233 IPA client commands fail when pointing to replica
- httpinstance: wait until the service entry is replicated
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then
not indexed
- Fix index definition for ipaAnchorUUID
- Resolves: #1438016 gssapi errors after IPA server upgrade
- Avoid possible endless recursion in RPC call
- rpc: preparations for recursion fix
- rpc: avoid possible recursion in create_connection
- Resolves: #1446087 services entries missing krbCanonicalName attribute.
- Changing cert-find to do not use only primary key to search in LDAP.
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
- ipa-kdb: reload certificate mapping rules periodically
- Resolves: #1455541 after upgrade login from web ui breaks
- kdc.key should not be visible to all
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
- ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate
issuance when ipa-ca records are not resolvable
- Turn off OCSP check
- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 -
server_del - TypeError: 'NoneType' object is not iterable
- fix incorrect suffix handling in topology checks
-
Wed May 24 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-14.el7
- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
handle PKINIT certificates/anchors
- certdb: add named trust flag constants
- certdb, certs: make trust flags argument mandatory
- certdb: use custom object for trust flags
- install: trust IPA CA for PKINIT
- client install: fix client PKINIT configuration
- install: introduce generic Kerberos Augeas lens
- server install: fix KDC PKINIT configuration
- ipapython.ipautil.run: Add option to set umask before executing command
- certs: do not export keys world-readable in install_key_from_p12
- certs: do not export CA certs in install_pem_from_p12
- server install: fix KDC certificate validation in CA-less
- replica install: respect --pkinit-cert-file
- cacert manage: support PKINIT
- server certinstall: support PKINIT
- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file
option
- certs: do not export CA certs in install_pem_from_p12
- server install: fix KDC certificate validation in CA-less
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been
decommissioned
- ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
- Resolves: #1451712 KRA installation fails on server that was originally
installed as CA-less
- ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
- Resolves: #1441499 ipa cert-show does not raise error if no file name
specified
- ca/cert-show: check certificate_out in options
- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
- Remove pkinit-anonymous command
- Resolves: #1449523 Provide an API command to retrieve PKINIT status
in the FreeIPA topology
- Allow for multivalued server attributes
- Refactor the role/attribute member reporting code
- Add an attribute reporting client PKINIT-capable servers
- Add the list of PKINIT servers as a virtual attribute to global config
- Add `pkinit-status` command
- test_serverroles: Get rid of MockLDAP and use ldap2 instead
- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI
- Fix rare race condition with missing ccache file
- Resolves: #1455045 Simple service uninstallers must be able to handle
missing service files gracefully
- only stop/disable simple service if it is installed
- Resolves: #1455541 after upgrade login from web ui breaks
- krb5: make sure KDC certificate is readable
- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing
command "ipa cert-request --add" after upgrade
- Change python-cryptography to python2-cryptography
-
Thu May 18 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-13.el7
- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'"
error observed during ipa upgrade with latest package.
- ipa-server-install: fix uninstall
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break
replica
- ca install: merge duplicated code for DM password
- installutils: add DM password validator
- ca, kra install: validate DM password
-
Tue May 16 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-12.el7
- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy
- python2-ipalib: add missing python dependency
- installer service: fix typo in service entry
- upgrade: add missing suffix to http instance
- Resolves: #1444791 Update man page of ipa-kra-install
- ipa-kra-install manpage: document domain-level 1
- Resolves: #1441493 ipa cert-show raises stack traces when
--certificate-out=/tmp
- cert-show: writable files does not mean dirs
- Resolves: #1441192 Add the name of URL parameter which will be check for
username during cert login
- Bump version of ipa.conf file
- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login
- Turn on NSSOCSP check in mod_nss conf
- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting
template on
- renew agent: respect CA renewal master setting
- server upgrade: always fix certmonger tracking request
- cainstance: use correct profile for lightweight CA certificates
- renew agent: allow reusing existing certs
- renew agent: always export CSR on IPA CA certificate renewal
- renew agent: get rid of virtual profiles
- ipa-cacert-manage: add --external-ca-type
- Resolves: #1441593 error adding authenticator indicators to host
- Fixing adding authenticator indicators to host
- Resolves: #1449525 Set directory ownership in spec file
- Added plugins directory to ipaclient subpackages
- ipaclient: fix missing RPM ownership
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
- otptoken-add-yubikey: When --digits not provided use default value