FreeIPA

This isn't every single check-in between versions, but it will hopefully provide the highlights of the changes.

Version 2.1.4 (12/06/2011)

Alexander Bokovoy (4):

  • hbactest fails while you have svcgroup in hbacrule
  • Add support for systemd environments and use it to support Fedora 16
  • Spin for connection success also when socket is not (yet) available
  • Quote multiple workers option

Endi S. Dewata (1):

  • Added current password field.

Evgeny Sinelnikov (1):

  • ipa_kpasswd: Update selinux policies for ldap and urandom

John Dennis (1):

  • Unable to Download Certificate with Browser

Martin Kosek (8):

  • Fix client krb5 domain mapping and DNS
  • Fix ipa-managed-entries password option long form
  • Fix ipa-server-install answer cache
  • Fix ipa-replica-conncheck port labels
  • Fix ipa-managed-entries bind procedure
  • Let PublicError accept Gettext objects
  • Enable automember for upgraded servers
  • Make ipa-server-install clean after itself

Ondrej Hamada (1):

  • Client install root privileges check

Rob Crittenden (4):

  • Fix problems in help system
  • Fix nis netgroup config entry so users appear in netgroup triple.
  • Don't allow default objectclass list to be empty.
  • Require an HTTP Referer header in the server. Send one in ipa tools. (CVE-2011-3636)

Simo Sorce (1):

  • Modify random salt creation for interoperability

Version 2.1.3 (10/19/2011)

Adam Young (1):

  • Fix dynamic display of UI tabs based on rights

Alexander Bokovoy (8):

  • Increase number of 'getent passwd attempts' to 10
  • Force kerberos realm to be a string
  • Include indirect membership and canonicalize hosts during HBAC rules testing
  • Refactor backup_and_replace_hostname() into a flexible config modification tool
  • Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool
  • Refactor authconfig use in ipa-client-install
  • Document --preserve-sssd option of ipa-client-install
  • Use set class instead of dictview class as set is wider supported

Jan Cholasta (3):

  • Disallow deletion of global password policy.
  • Don't leak passwords through kdb5_ldap_util command line arguments.
  • Remove more redundant configuration values from krb5.conf.

John Dennis (1):

  • Fix Spanish po translation file

Martin Kosek (12):

  • Improve default user/group object class validation
  • Fix i18n in config plugin
  • Fix dnszone-add name_from_ip server validation
  • Improve handling of GIDs when migrating groups
  • ipa-client-install hangs if the discovered server is unresponsive
  • Optimize member/memberof searches in LDAP
  • Make IPv4 address parsing more strict
  • Check hostname resolution sanity
  • Hostname used by IPA must be a system hostname
  • Check /etc/hosts file in ipa-server-install
  • Fix ipa-client-install -U option alignment
  • Improve hostgroup/netgroup collision checks

Petr Vobornik (2):

  • Added missing fields to password policy page
  • Fixed: Unable to add external user for RunAs User for Sudo rules

Rob Crittenden (12):

  • Fix DNS permissions and membership in privileges
  • Fix upgrades of selfsign server
  • Make ipa-join work against an LDAP server that disallows anon binds
  • Fix has_upg() to work with relocated managed entries configuration.
  • Work around limits not being updatable in 389-ds.
  • Save the value of hostname even if it doesn't appear in /etc/sysconfig/network
  • Add explicit instructions to ipa-replica-manage for winsync replication
  • Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324)
  • Handle an empty value in a name/value pair in config_replace_variables()
  • Update all LDAP configuration files that we can.
  • If our domain is already configured in sssd.conf start with a new config.
  • Fix typo in invalid PTR record error message

Simo Sorce (1):

  • updates: Change default limits on ldap searches

Version 2.1.2 (not publicly released, ~ 10/07/2011)

Adam Young (4):

  • split metadata call
  • Make mod_nss renegotiation configuration a public function
  • Execute pki proxy setup when server is upgraded if needed
  • Force the upgrade of pki-setup when upgrading the RPMS

Alexander Bokovoy (13):

  • Incorrect name in examples of ipa help hbactest
  • Unroll groups when testing HBAC rules
  • Introduce platform-specific adaptation for services used by FreeIPA.
  • Convert server install code to platform-independent access to system services
  • Convert client-side tools to platform-independent access to system services
  • Convert installation tools to platform-independent access to system services
  • Cleanup whitespace
  • When external host is specified in HBAC rule, allow its use in simulation
  • Unroll StrEnum values when displaying help
  • Configure pam_krb5 on the client only if sssd is not configured
  • Setup and restore ntp configuration on the client side properly
  • Fix 'referenced before assignment' warning
  • Before kinit, try to sync time with the NTP servers of the domain we are joining

Endi S. Dewata (24):

  • Fixed unit test for entity select widget.
  • Fixed layout problem in permission adder dialog.
  • Fixed sudo rule association dialogs.
  • Fixed missing optional field.
  • Fixed labels for run-as users and groups.
  • Fixed problem opening host adder dialog.
  • Removed entitlement menu.
  • Fixed posix group checkbox.
  • Fixed columns in HBAC/sudo rules list pages.
  • Fixed missing cancel button in unprovisioning dialog.
  • Fixed problem enabling/disabling DNS zone.
  • Fixed problem enrolling member with the same name.
  • Modified dialog to use sections.
  • Removed undo flags from dialog field specs.
  • Fixed problem on combobox with search limit.
  • Fixed problem displaying special characters.
  • Fixed add/delete arrows position.
  • Fixed duplicate entries in enrollment dialog.
  • Updated color scheme.
  • Fixed tab and dialog widths.
  • Disable enroll button if nothing selected.
  • Fixed missing default shell field.
  • I18n clean-up.
  • Disable sudo options Delete button if nothing selected.

JR Aquino (1):

  • 25 Create Tool for Enabling/Disabling Managed Entry Plugins

Jakub Hrozek (1):

  • Silence a compilation warning in ipa_kpasswd

Jan Cholasta (6):

  • Check that install hostname matches the server hostname.
  • Fix client install on IPv6 machines.
  • Fix ipa-replica-prepare always warning the user about not using the system hostname.
  • Validate name_from_ip parameter of dnszone.
  • Add a function for formatting network locations of the form host:port for use in URLs.
  • Work around pkisilent bugs.

Jr Aquino (1):

  • Move Managed Entries into their own container in the replicated space.

Marko Myllynen (1):

  • Don't remove /tmp when removing temp cert dir

Martin Kosek (21):

  • Improve man pages structure
  • Improve ipa-join man page
  • Fix permissions in installers
  • Fix configure.jar permissions
  • Set bind and bind-dyndb-ldap min nvr
  • Fix pylint false positive in hbactest module
  • ipactl does not stop dirsrv
  • dirsrv is not stopped correctly in the fallback
  • Remove checks for ds-replication plugin
  • Fix /usr/bin/ipa dupled server list
  • Revert "Always require SSL in the Kerberos authorization block."
  • Fix error messages in hbacrule
  • Fix LDAPCreate search failure
  • Fix HBAC tests hostnames
  • ipa-client assumes a single namingcontext
  • migrate process cannot handle multivalued pkey attribute
  • Be more clear about selfsign option
  • Install tools crash when password prompt is interrupted
  • Improve ipa-replica-prepare DNS check
  • Prevent collisions of hostgroup and netgroup
  • Make sure ipa-client-install returns correct error code

Nalin Dahyabhai (2):

  • list users from nested groups, too
  • Update man pages to note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials

Petr Vobornik (10):

  • Fixed: JavaScript type error in entitlement page
  • Fixed inconsistency in enabling delete buttons
  • Code cleanup: widget creation
  • Fixed: Column header for attributes table should be full width
  • Fixed: Enrolment dialog offers to add entity to reflexive association.
  • Fixed: Some widgets do not have space for validation error message
  • Disables gid field if not posix group in group adder dialog
  • Fixed links to images in config and migration pages
  • Split Web UI initialization to several smaller calls #2
  • Split Web UI initialization to several smaller calls

Rob Crittenden (20):

  • Don't allow a OTP to be set on an enrolled host
  • Remove normalizer that made role, privilege and permission names lower-case
  • Improved handling for ipa-pki-proxy.conf
  • The precedence on the modrdn plugin was set in the wrong location.
  • Update ipa-ldap-updater man page saying it is not an end-user utility
  • Skip the cert validator if the csr we are passed in is a valid filename
  • Change the Requires for the server and server-selinux for proper order
  • Suppress managed netgroups as indirect members of hosts.
  • The return value of restorecon is not reliable, ignore it.
  • Normalize uid in user principal to lower-case and do validation
  • Shut down duplicated file handle when HTTP response code is not 200.
  • Don't log one-time password in logs when configuring client.
  • Always require SSL in the Kerberos authorization block.
  • Include failed service and service groups in hbac rule management
  • Add regular expression pattern to host names.
  • Detect CA installation type in ipa-replica-prepare and ipa-ca-install.
  • Require current password when using passwd to change your own password.
  • Migration: don't assume there is only one naming context, add logging.
  • When calculating indirect membership don't test nesting on users and hosts.

Simo Sorce (4):

  • ipa-pwd-extop: Fix segfault in password change.
  • ipa-pwd-extop: Enforce old password checks
  • ipa-client-install: Fix joining when LDAP access is restricted
  • replica-prepare: anonymous binds may be disallowed

Sumit Bose (2):

  • Call standard_logging_setup() before any logging is done
  • ipa-pwd-extop: allow password change on all connections with SSF>1

Yuri Chornoivan (1):

  • Fix typos

Version 2.1.1 (09/08/2011)

Adam Young (1):

  • enable proxy for dogtag

Alexander Bokovoy (1):

  • Propagate environment when it is required.

Endi S. Dewata (19):

  • Fixed browser configuration pages
  • Hide activation/deactivation link from regular users.
  • Fixed problem selecting value from combobox
  • Fixed inconsistent layout for password reset dialog.
  • Removed 'Hide already enrolled' checkbox.
  • Replaced page dirty dialog title.
  • Updated add and delete association dialog titles.
  • Removed unnecessary HBAC/sudo rule category modification.
  • Fixed command partial failure handling.
  • Fixed default map type in automount map adder dialog.
  • Fixed host OTP status.
  • Fixed host keytab status after setting OTP.
  • Fixed host adder dialog to show default DNS zone.
  • Fixed hard-coded UI messages.
  • Fixed problem adding hostgroup into netgroup.
  • Fixed problem with combobox.
  • Fixed hard-coded UI message in entity.js.
  • Fixed missing permission filter field.
  • Fixed problem with combobox using Sahi

Jan Cholasta (6):

  • Make sure messagebus is running prior to starting certmonger.
  • Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
  • Add option to install without the automatic redirect to the Web UI.
  • Search for users in all the naming contexts present on the directory server.
  • Add subscription-manager dependency for RHEL.
  • Verify that the external CA certificate files are correct.

John Dennis (11):

  • DN objects should support the insert method
  • Test DN object non-latin Unicode support
  • convert unittests to use DN objects
  • invalid i18n string in dns.py
  • update LINGUAS file, add missing po files
  • Update all po files
  • compute accurate translation statistics
  • add documentation validation to makeapi tool
  • internationalize help topics
  • internationalize cli help framework
  • improve i18n docstring extraction

Jr Aquino (2):

  • Improve sudorule documentation
  • Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):

  • Add missing attribute labels for sudorule
  • Fix automountkey-mod
  • Fix automountlocation-import conflicts
  • ipa-client-install breaks network configuration
  • Fix sudo help and summaries
  • Let Bind track data changes

Petr Vobornik (8):

  • error dialog for batch command
  • Uncheck checkboxes in association after deletion
  • Show error in adding associations
  • Validation of details facet before update
  • Modify serial associator to use batch
  • Modifying sudo options refreshes the whole page
  • Enable update and reset button only if dirty
  • Attributes table not scrollable

Rob Crittenden (24):

  • Add information on setting api.env.host in the ipactl.8 man page
  • Log each command in a batch separately.
  • Do batch logging on successful commands too, not just failures.
  • Fix wording in examples of delegation plugin.
  • Suppress 389-ds debug output when starting services
  • Fix thread deadlock by using pthreads library instead of NSPR.
  • Change the way has_keytab is determined, also check for password.
  • Add additional pam ftp services to HBAC, and a ftp HBAC service group
  • Add label for HBAC services to show as members
  • Add option to only prompt once for passwords, use in entitle_register
  • Retrieve password/keytab state when modifying a host.
  • Disable reverse lookups in ipa-join and ipa-getkeytab
  • Remove more 389-ds files/directories on uninstallation.
  • Remove 389-ds upgrade state during uninstall
  • Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
  • Add common is_installed() fn, better uninstall logging, check for errors.
  • Add external source hosts to HBAC.
  • Roll back changes if client installation fails.
  • Add netgroup as possible memberOf for hostgroups
  • Sort lists so order is predictable and tests pass as expected.
  • Suppress managed netgroups from showing as memberof hostgroups.
  • Use the IPA server cert profile in the installer.
  • Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
  • Become IPA 2.1.1

Simo Sorce (1):

  • conncheck: Fix List of ports to check

Version 2.1.0 (08/17/2011)

Adam Young (62):

  • Fixed labels for sudo and hbac rules
  • update metadata with label changes
  • define entities using builder and more declarative syntax
  • default all false no longer default to all: true for searches, only specify it for user searches
  • code review fixes
  • make use of new user-find columns.
  • fix JSL error
  • Upgrade to jquery 1.5.2
  • action panel to top tabs
  • remove jquery-cookie library
  • update ipa init a simple script to update the metadata et alles that comes from the ipa_init batch call
  • whitespace and -x removal
  • create entities on demand. fixed changes from code review
  • automount UI
  • redirect on show error.
  • redirect on error Code for redirecting on error has been moved to IPA.facet so it can be called from both details and association facets.
  • automount delete key indirect automount maps
  • scrollable content areas
  • dialog scrolling table
  • JSON marshalling list
  • dns multiple records show multiple records that share the same dnsname
  • no redirect on search
  • test for dirty
  • test dirty textarea runs the testdirty check before setting the undo tag for a textarea
  • test dirty multivalue test the multivalue widgets for changes before showing the undo link.
  • test dirty onchange
  • entity select widget for manager
  • hide automount tabs.
  • service host entity select Use the entity select widget for add service
  • entity select undo
  • no redirect on unknown error If the error name indicates a server wide error, do not attempt to redirect.
  • editable entity_select
  • ipaddress for host add
  • entity select for password policy
  • tooltips for host add
  • automountkey details
  • identify target as section for permissions
  • optional uid
  • validate required fields
  • Generate record type list from metadata
  • shorten url cache state in a javascript variable, and leave on information about the current entity in the URL hash params
  • containing entity pkeys
  • undefined pkeys
  • config fields
  • ipadefaultemaildomain
  • config widgets entity select default group checkbox for migration
  • entity link for password policy
  • validate ints
  • password expiration label
  • HBAC deny warning
  • check required on add
  • clear errors on reset
  • indirect admins
  • entity_select naming
  • remove HBAC warning from static UI
  • dnsrecord-mod ui
  • no dns
  • remove hardcoded DNS label for record name.
  • move dns to identity tab
  • removing setters setup and init
  • dns section header i18n.
  • use other_entity for adder columns

Alexander Bokovoy (10):

  • Convert Bool to TRUE/FALSE when working with LDAP backend
  • Minor typos in the examples
  • Convert nsaccountlock to always work as bool towards Python code
  • Rearrange logging for NSCD daemon.
  • Fix sssd.conf to always have IPA certificate for the domain.
  • Add hbactest command.
  • Modify /etc/sysconfig/network on a client when IPA manages hostname
  • Make proper LDAP configuration reporting for ipa-client-install
  • Ensure network configuration file has proper permissions
  • Pass empty options as empty arrays for supported dns record types.

Endi S. Dewata (114):

  • Fixed undefined label in permission adder dialog box.
  • Initial Selenium test cases.
  • Added functional test runner.
  • Refactored action panel and client area.
  • Refactored builder interface.
  • Refactored search facet.
  • Entitlements.
  • Updated Selenium tests.
  • Merged IPA.cmd() into IPA.command().
  • Entitlement registration.
  • Entitlement import.
  • Entitlement download.
  • Moved adder dialog box into entity.
  • Standardized action panel buttons creation.
  • Entitlement quantity validation.
  • Refactored navigation.
  • Use entity names for tab state.
  • Moved entity contents outside navigation.
  • Added facet container.
  • Fixed self-service UI.
  • Updated Selenium tests.
  • Updated Selenium tests.
  • Updated DNS interface.
  • Added Selenium tests for DNS.
  • Added UUID field for entitlement registration.
  • Added Self-Service and Delegation tests.
  • Customizable facet groups.
  • Read-only association facet.
  • jQuery ordered map.
  • Fixed problem disabling HBAC and SUDO rules.
  • Fixed Ajax error handling.
  • Fixed details tests.
  • Fixed adder dialog title.
  • Fixed Add and Edit without primary key.
  • Fixed Selenium tests.
  • Fixed URL parameter parsing.
  • Added Update and Reset buttons into Dirty dialog.
  • Fixed problem deleting value in text field.
  • Added pagination for associations.
  • Fixed pagination problem.
  • Temporary fix for indirect member tabs.
  • Fixed blank dialog box on internal error.
  • Fixed resizing issues.
  • Added selectable option for table widget.
  • Entitlement status.
  • Fixed tab navigation.
  • Fixed build break.
  • Fixed paging for indirect members.
  • Renamed associate.js to association.js.
  • Fixed self-service links.
  • Merged direct and indirect association facets
  • Storing page number in URL.
  • Removed FreeWay font files.
  • Fixed problem with navigation tabs on reload.
  • Converted entity header into facet header.
  • Added navigation breadcrumb.
  • Added record count into association facet tabs.
  • Added singular entity labels.
  • Fixed entity labels.
  • Fixed DNS records page title.
  • Fixed undo all problem.
  • Removed unused images.
  • Fixed hard-coded messages.
  • Added confirmation dialog for user activation.
  • Fixed button style in Entitlements
  • Removed invalid associations.
  • Added arrow icons for details sections.
  • Fixed object_name usage.
  • Fixed HBAC/Sudo rules associations.
  • Fixed blank self-service page.
  • Fixed dirty dialog problems in HBAC/Sudo rules.
  • Fixed test fixture file name.
  • Fixed missing entitlement import button label
  • Added sudo options.
  • Fixed collapsed table in Chrome.
  • Fixed object_name and object_name_plural internationalization
  • Fixed label capitalization
  • Entity select widget improvements
  • Removed reverse zones from host adder dialog.
  • Fixed host details fields.
  • Added checkbox to remove hosts from DNS.
  • Creating reverse zones from IP address.
  • Removed entitlement registration UUID field.
  • Fixed problem loading data in HBAC/sudo details page.
  • Removed HBAC access time code.
  • Removed custom layouts using HTML templates.
  • Refactored IPA.current_facet().
  • Fixed problem with navigation state loading.
  • Fixed navigation problems.
  • Fixed navigation unit test.
  • Fixed click handlers on certificate buttons.
  • New icons for entitlement buttons
  • Fixed problem bookmarking Policy/IPA Server tabs
  • Fixed problem setting host OTP.
  • Fixed hard-coded labels in sudo rules.
  • Fixed hard-coded label in Find button.
  • Fixed missing section header in sudo command group.
  • Fixed problem unprovisioning service.
  • Fixed missing memberof definition in HBAC service.
  • Added association facets for HBAC and sudo.
  • Fixed certificate buttons.
  • Fixed missing icons.
  • Fixed misaligned search icon.
  • Resizable adder dialog box.
  • Linked entries in HBAC/sudo details page.
  • Fixed 3rd level tab style.
  • Fixed facet group labels.
  • Fixed error after login on IE
  • Fixed host adder dialog.
  • Fixed DNS zone adder dialog.
  • Fixed broken links in ipa_error.css and ipa_migration.css.
  • Fixed problem clicking 3rd level tabs.
  • Fixed link style in dialog box.
  • Fixed problem with buttons in enrollment dialog.

Jakub Hrozek (1):

  • Remove wrong kpasswd sysconfig

Jan Cholasta (34):

  • Fix wording of error message.
  • Add note about ipa-dns-install to ipa-server-install man page.
  • Fix typo in ipa-server-install.
  • Fix uninitialized variables.
  • Fix double definition of output_for_cli.
  • Add lint script for static code analysis.
  • Fix lint false positives.
  • Remove unused classes.
  • Fix some minor issues uncovered by pylint.
  • Fix uninitialized attributes.
  • Run lint during each build.
  • Several improvements of the lint script.
  • Fix issues found by Coverity.
  • Fix regressions introduced by pylint false positive fixes.
  • Assume ipa help for plugins.
  • Parse netmasks in IP addresses passed to server install.
  • Honor netmask in DNS reverse zone setup.
  • Do stricter checking of IP addresses passed to server install.
  • Fix directory manager password validation in ipa-nis-manage.
  • Improve IP address handling in the host-add command.
  • Verify that the hostname is fully-qualified before accessing the service information in ipactl.
  • Remove redundant configuration values from krb5.conf.
  • Replace the 'private' option in netgroup-find with 'managed'.
  • Configure SSSD to store user password if offline.
  • Fix creation of reverse DNS zones.
  • Add ability to specify DNS reverse zone name by IP network address.
  • Fix exit status of ipa-nis-manage enable.
  • Update minimum required version of python-netaddr.
  • Clean up of IP address checks in install scripts.
  • Don't delete NIS netgroup compat suffix on 'ipa-nis-manage disable'.
  • Fix ipa-compat-manage not working after recent ipa-nis-manage change.
  • Make sure that hostname specified by user is not an IP address.
  • Fix external CA install.
  • Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place.

John Dennis (9):

  • Module for DN objects plus unit test
  • assert_deepequal supports callback for equality testing
  • Add backslash escape support for cvs reader
  • Use DN class in get_primary_key_from_dn to return decoded value
  • Update test_role_plugin test to include a comma in a privilege
  • Ticket 1485 - DN pairwise grouping
  • Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.
  • Clean up existing DN object usage
  • transifex translation adjustment

Jr Aquino (15):

  • Escape LDAP characters in member and memberof searches
  • Add memberHost and memberUser to default indexes
  • Optimize and dynamically verify group membership
  • Delete the sudoers entry when disabling Schema Compat
  • Return copy of config from ipa_get_config()
  • Typo in host_nis_groups has been creating 2 CN's
  • Add sudorule and hbacrule to memberof and indirectmemberof attributes
  • Display remaining external hosts when removing from sudorule
  • Raise DuplicateEntry Error when adding a duplicate sudo option
  • Don't add empty tuple to entry_attrs['externalhost']
  • oneliner correct typo in ipasudorunas_group
  • Return correct "RunAs External Group" when removing members
  • remove escapes from the cvs parser in ipaserver/install/ldapupdate
  • Correct behavior for sudorunasgroup vs sudorunasuser
  • Correct sudo runasuser and runasgroup attributes in schema

Martin Kosek (68):

  • Inconsistent error message for duplicate user
  • Replica installation fails for self-signed server
  • Remove doc from API.txt
  • Revert "Remove doc from API.txt"
  • Password policy commands do not include cospriority
  • Improve DNS PTR record validation
  • Remove unwanted trimming in text fields
  • Need force option in DNS zone adder dialog
  • IPA replica is not started after the reboot
  • Improve Directory Service open port checker
  • Log temporary files in ipa-client-install
  • Prevent uninstalling client on the IPA server
  • pwpolicy-mod doesn't accept old attribute values
  • Forbid reinstallation in ipa-client-install
  • ipa-client-install uninstall does not work on IPA server
  • LDAP Updater may crash IPA installer
  • NS records not updated by replica
  • Bad return values for ipa-rmkeytab command
  • Update spec with missing BuildRequires for pylint check
  • Let selinux-policy handle port 7390
  • Limit passwd plugin to user container
  • Consolidate man pages and IPA tools help
  • Remove doc from API.txt
  • Improve service manipulation in client install
  • Running ipa-replica-manage as non-root cause errors
  • KDC autodiscovery may fail when domain is not realm
  • A new flag to disable creation of UPG
  • Fix reverse zone creation in ipa-replica-prepare
  • Improve interactive mode for DNS plugin
  • Localization fails for MaxArgumentError
  • Fix forward zone creation in ipa-replica-prepare
  • Connection check program for replica installation
  • Fix support for nss-pam-ldapd
  • Skip know_host check for ipa-replica-conncheck
  • IPA installation with --no-host-dns fails
  • Handle LDAP search references
  • Add ignore lists to migrate-ds command
  • Improve DNS zone creation
  • Add a list of managed hosts
  • Missing krbprincipalname when uid is not set
  • Add port 9443 to replica port checking
  • Fix doc for sudorule runasuser commands
  • Improve IP address handling in IPA option parser
  • Multi-process build problems
  • DNS installation fails when domain and host domain mismatch
  • Fix IPA install for secure umask
  • Allow recursion by default
  • Add DNS record modification command
  • Filter reverse zones in dnszone-find
  • Remove sensitive information from logs
  • Fix ipa-dns-install
  • Fix self-signed replica installation
  • Check IPA configuration in install tools
  • Add new dnszone-find test
  • Fix typo in ipa-replica-prepare
  • Improve long integer type validation
  • Fix sudorule-remove-user
  • Add missing automount summaries
  • Fix man page ipa-csreplica-manage
  • Fix automountkey commands summary
  • Fix invalid issuer in unit tests
  • Hide continue option from automountkey-del
  • Improve error message in ipactl
  • Improve dnszone-add error message
  • Fix idnsUpdatePolicy for reverse zone record
  • Fix client enrollment
  • Update 389-ds-base version
  • Update pki-ca version

Nalin Dahyabhai (1):

  • Select a server with a CA on it when submitting signing requests.

Pavel Zuna (1):

  • Fix gidnumber option of user-add command.

Petr Vobornik (3):

  • fixed empty dns record update
  • Fixed adding host without DNS reverse zone
  • Redirection after changing browser configuration

Rich Megginson (3):

  • winsync enables disabled users in AD
  • modify user deleted in AD crashes winsync
  • memory leak in ipa_winsync_get_new_ds_user_dn_cb

Rob Crittenden (90):

  • Allow a client to enroll using principal when the host has a OTP
  • Make retrieval of the CA during DNS discovery non-fatal.
  • Cache the value of get_ipa_config() in the request context.
  • Change default gecos from uid to first and last name.
  • Fix ORDERING in some attributetypes and remove other unnecessary elements.
  • postalCode should be a string not an integer.
  • Fix traceback in ipa-nis-manage.
  • Suppress --on-master from ipa-client-install command-line and man page.
  • Sort entries returned by *-find by the primary key (if any).
  • The default groups we create should have ipaUniqueId set
  • Always ask members in LDAP*ReverseMember commands.
  • Provide attributelevelrights for the aci components in permission_show.
  • Wait for memberof task and DS to start before proceeding in installation.
  • Convert manager from userid to dn for storage and back for displaying.
  • Modify the default attributes shown in user-find to match the UI design.
  • Ensure that the zonemgr passed to the installer conforms to IA5String.
  • Handle principal not found errors when converting replication agreements
  • Bump version to 2.0.90 to distinguish between 2.0.x
  • Properly handle --no-reverse being passed on the CLI in interactive mode
  • Update min nvr for selinux-policy and pki-ca for F-15+
  • Test for forwarded Kerberos credentials cache in wsgi code.
  • Properly configure nsswitch.conf when using the --no-sssd option.
  • Enable 389-ds SSL host checking by default
  • Configure Managed Entries on replicas.
  • Document that deleting and re-adding a replica requires a dirsrv restart.
  • Fix migration to work between v2 servers and remove search/size limits.
  • Add option to limit the attributes allowed in an entry.
  • Include the word 'member' with autogenerated optional member labels.
  • Do a lazy retrieval of the LDAP schema rather than at module load.
  • Add UID, GID and e-mail to the user default attributes.
  • Fix external CA installation
  • Remove root autobind search restriction, fix upgrade logging & error handling
  • Support initializing memberof during replication re-init using GSSAPI
  • Do better detection on status of CA DS instance when installing.
  • Fix indirect member calculation
  • Remove automountinformation as part of the DN for automount.
  • Don't let a JSON error get lost in cascading errors.
  • Add message output summary to sudorule del, mod and find.
  • Return an error message when revocation reason 7 is used
  • Require an imported certificate's issuer to match our issuer.
  • On a master configure sssd to only talk to the local master.
  • The IP address provided to ipa-server-install must be local
  • Do lazy LDAP schema retrieval in json handler.
  • Make data type of certificates more obvious/predictable internally.
  • Update translation files
  • Let the framework be able to override the hostname.
  • Make dogtag an optional (and default un-) installed component in a replica.
  • Slight performance improvement by not doing some checking in production mode
  • Set the client auth callback after creating the SSL connection.
  • Add pwd expiration notif (ipapwdexpadvnotify) to config plugin def attr list
  • Enforce class rules when query=True, continue to not run validators.
  • find_entry_by_attr() should fail if multiple entries are found
  • Fix error in AttrValueNotFound exception example
  • Fix test failure in updater when adding values to a single-value attr
  • Reset failed login count to 0 when admin resets password.
  • Disallow direct modifications to enrolledBy.
  • Document registering to an entitlement server with a UUID as not implemented.
  • In sudo labels we should use RunAs and not Run As.
  • Remove the ability to create new HBAC deny rules.
  • Validate that the certificate subject base is in valid DN format.
  • Use information from the certificate subject when setting the NSS nickname.
  • Create tool to manage dogtag replication agreements
  • Fix failing tests due to object name changes
  • Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
  • Set the ipa-modrdn plugin precedence to 60 so it runs last
  • Generate a database password by default in all cases.
  • Specify the package name when the replication plugin is missing.
  • Change client enrollment principal prompt to hopefully be clearer.
  • Optionally wait for 389-ds postop plugins to complete
  • A removed external host is shown in output when removing external hosts.
  • Don't set krbLastPwdChange when setting a host OTP password.
  • Fix regression when calculating external groups.
  • With the external user/group management fixed, correct the unit tests.
  • Set a default minimum value for class Int, handle long values better.
  • Make ipa-client-install error messages more understandable and relevant.
  • Add Alexander Bokovoy and Jan Cholasta to contributors file
  • Only call entry_from_entry() after waiting for the new entry.
  • Hide the HBAC access type attribute now that deny is deprecated.
  • Autofill the default revocation reason
  • Don't check for leading/trailing spaces in a File parameter
  • Add an arch-specific Requires on cyrus-sasl-gssapi
  • Revert use of 'can be at least' to 'must be at least' in minvalue validator
  • Don't leave dangling map if adding an indirect map fails
  • Fix message in test case for checking minimum values
  • When setting a host password don't set krbPasswordExpiration.
  • Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
  • Deprecated managing users and runas user/group in sudorule add/mod
  • Fix date order in changelog.
  • Re-arrange CA configuration code to reduce the number of restarts.

Simo Sorce (4):

  • Fix resource leaks.
  • ipautil: Preserve environment unless explicitly overridden by caller.
  • install-scripts: avoid using --list with chkconfig
  • Don't set the password expiration to the current time

Yuri Chornoivan (1):

  • Typos in freeIPA messages and man page

Kyle Baker (5):

  • Background images and tab hover
  • Search bar style and positioning changes
  • List page spacing changes
  • Tab and spacing on list
  • Facet icon swap and tab sizing

Version 2.0.1 (05/02/2011)

  • Fixed undefined label in permission adder dialog box.
  • Add note about ipa-dns-install to ipa-server-install man page.
  • Fix typo in ipa-server-install.
  • Add lint script for static code analysis.
  • Fix lint false positives.
  • Escape LDAP characters in member and memberof searches
  • Add memberHost and memberUser to default indexes
  • Optimize and dynamically verify group membership
  • Delete the sudoers entry when disabling Schema Compat
  • Inconsistent error message for duplicate user
  • Replica installation fails for self-signed server
  • Password policy commands do not include cospriority
  • Improve DNS PTR record validation
  • IPA replica is not started after the reboot
  • Improve Directory Service open port checker
  • Log temporary files in ipa-client-install
  • Prevent uninstalling client on the IPA server
  • pwpolicy-mod doesn't accept old attribute values
  • Fix gidnumber option of user-add command.
  • Allow a client to enroll using principal when the host has an OTP
  • Make retrieval of the CA during DNS discovery non-fatal.
  • Cache the value of get_ipa_config() in the request context.
  • Change default gecos from uid to first and last name.
  • Fix ORDERING in some attributetypes and remove other unnecessary elements.
  • postalCode should be a string not an integer.
  • Fix traceback in ipa-nis-manage.
  • Sort entries returned by *-find by the primary key (if any).
  • The default groups we create should have ipaUniqueId set
  • Provide attributelevelrights for the aci components in permission_show.
  • Wait for memberof task and DS to start before proceeding in installation.
  • Convert manager from userid to dn for storage and back for displaying.
  • Modify the default attributes shown in user-find to match the UI design.
  • Ensure that the zonemgr passed to the installer conforms to IA5String.
  • Handle principal not found errors when converting replication agreements
  • Fix resource leaks.
  • ipautil: Preserve environment unless explicitly overridden by caller.

Version 2.0.0 GA (03/25/2011)

  • pwpolicy priority: Priority is now a required field in order to add a new password policy.
  • Removed nested role from UI.
  • Wait for Directory Server ports to open
  • Prevent stacktrace when DNS AAAA record is added
  • Update translation file (ipa.pot).
  • Always consider domain and server when doing DNS discovery in client.
  • Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
  • Ensure that the system hostname is lower-case.
  • Automatically update IPA LDAP on rpm upgrades
  • Domain to Realm: Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
  • Fix uninitialized variable.

Version 2.0.0 RC 3 (03/10/2011)

  • i18n improvements
  • Fixed the self-service page in the WebUI
  • Use TLS for CA replication
  • Setting up Winsync agreements has been fixed

Version 2.0.0 RC 2 (02/28/2011)

  • Make Indirect membership clearer.
  • Input validation fixes.
  • WebUI improvements.
  • Created default Roles.
  • IPv6 support
  • Documentation updates

Version 2.0.0 RC 1 (02/14/2011)

  • Installation fixes.
  • DNS improvements.
  • WebUI improvements.

Version 2.0.0 Beta 2 (02/03/2011)

  • Support of the latest Dogtag packages.
  • Installation fixes.
  • Changes in the DIT structure.
  • New permissions defined against different elements of the tree.
  • Better startup and shutdown handling.
  • Replication improvements.
  • Incremental improvements in IPv6 support.
  • DNS improvements.
  • The package name has been changed to "freeipa" to avoid collision with IPA v1.x and many others.

Version 2.0.0 Beta 1 (12/23/2010)

  • FreeIPA has changed its license to GPLv3+
  • Having IPA manage the reverse zone is optional.
  • The access control subsystem was re-written to be more understandable. For details see http://freeipa.org/page/Permissions
  • Support for SUDO rules
  • There is now a distinction between replicas and their replication agreements in the ipa-replica-manage command. It is now much easier to manage the replication topology.
  • Renaming entries is easier with the --rename option of the mod commands.
  • Fix special character handling in passwords, ensure that passwords are not logged.
  • Certificates can be saved as PEM files in service-show and host-show commands.
  • All IPA services are now started/stopped using the ipactl command. This gives us better control over the start/stop order during reboot/shutdown.
  • Set up ntpd first so the time is sane.
  • Better handling of multi-valued values with --setattr and --addattr.
  • Add support for both RFC2307 and RFC2307bis to migration.
  • UID ranges were reduced by default from 1M to 200k.
  • Add ability to add/remove DNS records when adding/removing a host entry.
  • A number of i18n issues have been addressed.

Version 2.0.0 Alpha 5 (11/11/2010)

  • Dropped our PKCS#10 parser to use the one provided by python-nss
  • Started enforcing that hosts must be resolvable before adding them (use --force if you really want to add them).
  • Provide a reason when adding members to a group fails.
  • Allow de-coupling of user private groups (group-detach).
  • Support for ipa tool failover.
  • Hosts are allowed to retrieve keytabs for their services.
  • More configurable logging, see http://freeipa.org/page/IPAv2_config_files
  • Add support for ldap:///self aci rules
  • Use global time and size limit values when searching.
  • Don't include passwords in log files.
  • Make ipactl a lot smarter and add a man page for it.
  • Have certmonger track the IPA service certificates.
  • Initial support for SUDO. You can create the objects but the client-side is not done yet.
  • The delete commands now take multiple arguments: ipa user-del user1 user2 user3 ... usern
  • Remove reliance on 'admin' as a special user. All access control now granted via groups.
  • Groups are now created as POSIX by default.
  • Add options to control NTLM hashes. By default LM hash is disabled.
  • Remove the correct password from the history. We were mistakenly removing the latest password from the history instead of the oldest.
  • Rename user-lock and user-unlock to user-enable and user-disable.
  • The ipa command should return non-zero when something fails.
  • Add gettext support for the C utilities.
  • Add capability to import automount files.
  • Add basic support for user and group renames (more work is needed). For now use ipa user-mod --setattr uid=newuser olduser
  • Add flag to group-find to only search on private groups.
  • Set default python encoding to utf-8. This should resolve a number of i18n problems.
  • Show indirect members (of groups, hostgroups, netgroups, etc).
  • Remove group nesting from the HBAC service groups.
  • Implement nested netgroups.
  • Add basic support for kerberos lockout policy. You can control how many failed attempts are allowed before lockout. What is missing is a way to unlock a user. This depends on fixes from MIT Kerberos 1.9.
  • Correct handling of userCategory and hostCategory in netgroups.
  • Updated a lot of man pages.
  • Support Fedora 14.

Version 2.0.0 Alpha 4 (07/15/2010)

  • Moved our dogtag SELinux to be installed with the rpm instead of during configuration.
  • Fedora 13 moved to gpg2 and dropped gpg. Fix our invocation so we work with either (this was preventing replica installations).
  • Query remote server during replica installation to see if the replica already exists. This prevents lots of really strange errors during replica installation.
  • Fixed SSL error in client enrollment.
  • Changed the way services are handled in HBAC. There is now a separate service and servicegroup object that you associate with HBAC rules. sssd is already using this new mechanism.
  • First pass at per-command documentation. It still needs a lot of work.
  • Fix aci-mod command. It wasn't really working well in almost all cases.
  • Add replication version checking. This is one step in better control during updates.
  • Don't try to convert a host's password into a keytab with bulk enrollment (this was causing krbPasswordExpiration to be set).
  • Add support for User-Private Groups.
  • Worked on error handling in mod_wsgi. Now hopefully a shorter and less scary backtrace will be thrown when things go bump in the night.
  • Add new API to disable service and host principals.
  • Significant cleanup of crypto code. Using python-nss for a lot more (and more to come).
  • Fixed some errors in and made ipa-compat-manage and ipa-nis-manage more bullet-proof.
  • Fixed netgroups plugin, it was generating the wrong attributes.
  • Other minor polish and bug fixes.

Version 2.0.0 Alpha 3 (05/07/2010)

  • better i18n support including a few translations
  • use mod_wsgi instead of mod_python
  • the CA is a required component and is now configured by default. Pass --selfsign to the installer to use the old self-signed CA
  • A default Host-Based Access Control (HBAC) rule is created that grants all users the ability to log into any host from any host. This was done to simplify initial testing; it is expected that this rule, allow_all, will be removed before you deploy.
  • We no longer enable nscd, sssd handles caching now

Version 2.0.0 Alpha 2 (02/18/2010)

  • Draft Web-based UI
  • Simplified migration of the users from IPA v1 or external LDAP server
  • IPA client component to configure SSSD to integrate with IPA
  • Integration with "certmonger" certificate tracking utility. The utility allows automatic provisioning, tracking and renewal of certificates on a member server.
  • General improvements and enhancements across the whole project.

Version 2.0.0 Alpha 1 (10/28/2009)

  • Pluggable and extensible framework for UI/CLI
  • Optionally installable DNS server
  • Optionally installable Certificate Authority to manage server certificates
  • NIS compatibility plug-in

Version 1.2.1

  • Add ipa-compat-manage utility
  • Ensure the CA cert is always included when preparing a replica
  • Fix error in validation when editing new groups via the UI 471808
  • Fixed some crash conditions in the password plugin

Version 1.2.0

  • Active Directory User Synchronization
  • Schema Compatibility Plug-in (native Solaris nss_ldap now works)
  • Fix group mapping /etc/ldap.conf so getent works 431603
  • The ipa-addservice command failed if the realm name was included in the principal name. 437566
  • The ipa_webgui service did not start after the initial installation. 440475
  • IPA does not handle group names with spaces properly. 450613
  • The ipa-moduser -f command may not change the appearance of the user's first name when shown as the full name. 451318
  • The potential existed for Directory Server to crash if you nested groups too deeply. 451358
  • IPA replicas did not fully synchronize in single-master, dual-replica topology environments. 468732
  • Fix error in validation when adding new groups via the UI
  • Add list of DNs that are not controlled by password policy. 471130

Version 1.1.0

  • Ensure that the realm name is upper-case.
  • When an LDAP connection fails, display the host one is trying to connect to. 450111
  • Add our own SIGTERM handler to ipa_webgui so we can do clean shutdowns. 450211
  • Make it clear which packages are being configured and which aren't. 450175
  • Add -p/--password option so the DM password can be passed on the command-line.
  • Don't make the search criteria lower-case so one can do case-sensitive searches (such as looking for HTTP principals). 449975
  • Man page improvements.
  • Fix issue of double logging in ipa_error.log.
  • Add a Not Found (404) template
  • Only print a traceback on 500 errors.
  • Don't prompt regarding previous DS installations in unattended mode.
  • Add two new options, --addattr and --setattr, to allow arbitrary attributes to be added and set when a new user or group is created. 449006
  • Make password not mandatory in ipa-adduser
  • Make ipa_kpasswd listen on each single interface explicitly instead of 0.0.0.0.
  • Fix the case where domain != lower(REALM); add the domain to the ipa.conf file for apps that need to know. This should fix a bug in the replica setup.
  • Move admin into cn=users,cn=accounts
  • Move non-user-configurable configuration elements to TurboGears app.cfg file. 432908
  • Change file mode of log files to 600. 446869
  • Ensure hostnames are lower during installation and when adding service princs. 447381
  • Remove broken link for IE configuration and replace sample domain/realm. Also fix some HTML errors. 447445
  • Do uniqueness check on phone numbers and cn entered via the UI. 445286
  • Don't pass the Directory Manager password on the command-line to ldapmodify. 446865
  • Use split instead of find as split does not fail to provide a complete component if no '.' is found. This should better handle a realm with no periods in it.
  • Improve DNA plugin and ensure that the numbers it hands out are unique.
  • Don't ask the user again if he wants to replace bind configuration files if he specified --setup-bind. 430090
  • Make sure all services are stopped during uninstall. 440322
  • Hack to not require a First Name in the UI for the admin user since it lacks the inetOrgPerson objectclass.
  • Display information on how to uninstall a partially installed server. 442454
  • Include information on where to look if a hostname resolves to localhost. 442812
  • On IPA Servers configure PAM and nss_ldap to connect to ourselves using localhost.
  • Detect existing DS instances and prompt for removal during replica install.
  • Don't allow the IPA server service principals to be removed.
  • Move entire web space to be rooted in /ipa
  • Add --verbose option so the HTTP headers and XML request/response can be seen in the ipa-* tools. 443987
  • Fixed various memory leaks in memberOf plug-in.
  • Make sure we always have the [domain-realm] section or kerberos libs misbehave.

Version 1.0.0

Lots of bug fixes

Version 0.99

Feature complete
