Debian Package Tracker

general

source: freeipa (main)
version: 4.8.6-1
maintainer: Debian FreeIPA Team (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 4.7.2-3
unstable: 4.8.6-1

versioned links

4.7.2-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.8.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

freeipa-client (3 bugs: 0, 2, 1, 0)
freeipa-client-samba
freeipa-common
freeipa-server
freeipa-server-dns
freeipa-server-trust-ad
freeipa-tests
python3-ipaclient
python3-ipalib
python3-ipaserver
python3-ipatests

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:05:01
Last run: 2020-07-24 03:02:08 UTC
Previous status: fail

testing: neutral (log)
The tests ran in 0:00:20
Last run: 2019-10-06 02:08:22 UTC
Previous status: neutral

Created: 2020-03-26 Last update: 2020-08-04 01:07

A new upstream version is available: 4.8.8 high

A new upstream version 4.8.8 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2020-08-03 23:38

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2020-1722: A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
CVE-2019-14826: A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

Please fix them.

Created: 2019-09-17 Last update: 2020-07-24 18:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2020-04-12 Last update: 2020-08-04 01:04

Depends on packages which need a new maintainer normal

The packages that freeipa depends on which need a new maintainer are:

rpm (#923352)
- Depends: librpm8
scriptaculous (#863696)
- Depends: libjs-scriptaculous
xmlrpc-c (#773435)
- Build-Depends: libxmlrpc-core-c3-dev
- Depends: libxmlrpc-core-c3

Created: 2019-11-22 Last update: 2020-08-03 23:43

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 4.8.8-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d5faabcfc3f2f7526173558b3809d1ee3aa805f7
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 19:27:33 2020 +0300

    .install: Updated.

commit 2b6d7cc807434c24f0b4e6c56e02913c1a385c97
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 19:27:15 2020 +0300

    control: Add freeipa-client-epn package.

commit 2bc4ad7dbcbb75e02f9fe637349c52feed013a01
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 18:52:12 2020 +0300

    control: Replace node-uglify build-dependency with python3-rjsmin.

commit ad2c34625dfbb0fc426ed457cc7edcbb026cacbb
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 17:28:39 2020 +0300

    write-out-only-one-cert-per-file.diff, tasks-fixes.diff: Dropped, upstream.

commit 449cb579bb07501955c8cc787514375a52abc196
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 16:57:28 2020 +0300

    bump the version

commit 428d215fa023b7182e5056ceba4ee7366c650a1b
Merge: 5688dd2c 86ab7590
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Tue Jul 28 16:56:07 2020 +0300

    Merge branch 'upstream'

commit 86ab7590779b9e25c6a52cf5a785925103d9ee8a
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon Jun 15 22:25:30 2020 +0300

    Become FreeIPA 4.8.8

commit 65c2736bd20ffb9d98769e71d905f71d1a4d857e
Author: Christian Heimes <cheimes@redhat.com>
Date:   Wed Jun 10 18:16:54 2020 +0200

    Prevent local account takeover
    
    It was found that if an account was created with a name corresponding to
    an account local to a system, such as 'root', was created via IPA, such
    account could access any enrolled machine with that account, and the local
    system privileges. This also bypass the absence of explicit HBAC rules.
    
    root principal alias
    -------------------
    
    The principal "root@REALM" is now a Kerberos principal alias for
    "admin". This prevent user with "User Administrator" role or
    "System: Add User" privilege to create an account with "root" principal
    name.
    
    Modified user permissions
    -------------------------
    
    Several user permissions no longer apply to admin users and filter on
    posixaccount object class. This prevents user managers from modifying admin
    acounts.
    
    - System: Manage User Certificates
    - System: Manage User Principals
    - System: Manage User SSH Public Keys
    - System: Modify Users
    - System: Remove Users
    - System: Unlock user
    
    ``System: Unlock User`` is restricted because the permission also allow a
    user manager to lock an admin account. ``System: Modify Users`` is restricted
    to prevent user managers from changing login shell or notification channels
    (mail, mobile) of admin accounts.
    
    New user permission
    -------------------
    
    - System: Change Admin User password
    
    The new permission allows manipulation of admin user password fields. By
    default only the ``PassSync Service`` privilege is allowed to modify
    admin user password fields.
    
    Modified group permissions
    --------------------------
    
    Group permissions are now restricted as well. Group admins can no longer
    modify the admins group and are limited to groups with object class
    ``ipausergroup``.
    
    - System: Modify Groups
    - System: Remove Groups
    
    The permission ``System: Modify Group Membership`` was already limited.
    
    Notes
    -----
    
    Admin users are mostly unaffected by the new restrictions, except for
    the fact that admins can no longer change krbPrincipalAlias of another
    admin or manipulate password fields directly. Commands like ``ipa passwd
    otheradmin`` still work, though. The ACI ``Admin can manage any entry``
    allows admins to modify other entries and most attributes.
    
    Managed permissions don't install ``obj.permission_filter_objectclasses``
    when ``ipapermtargetfilter`` is set. Group and user objects now have a
    ``permission_filter_objectclasses_string`` attribute that is used
    by new target filters.
    
    Misc changes
    ------------
    
    Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
    was raising a generic base class for LDAP execution errors.
    
    Fixes: https://pagure.io/freeipa/issue/8326
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 9d1d3547299a3b4dc6887636adf5a383459c0c70
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 10 22:24:02 2020 +0300

    Become FreeIPA 4.8.7

commit 89d5907e6871ee7c37fbd664adcdb7821aa5ebcc
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 10 22:21:52 2020 +0300

    ipa-4-8: update list of contributors
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

commit 071393626e0b2e34bcd96cbf15af92caf554a729
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 10 22:20:07 2020 +0300

    ipa-4-8: Update translation files before 4.8.7 release
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

commit b2c3c040ddb7cf3c509b8221ce25574b8d6774d0
Author: Christian Heimes <cheimes@redhat.com>
Date:   Wed Jun 10 11:16:07 2020 +0200

    Overhaul bind upgrade process
    
    /etc/named.conf is now owned by IPA. The file is overwritten on
    installation and all subsequent updates. All user modification will be
    lost. Config file creation and update use the same code paths.
    
    This simplifies upgrade process a lot. There is no errprone fiddling
    with config settings any more.
    
    During upgrade there is a one-time backup of named.conf to
    named.conf.ipa-backup. It allows users to salvage their customization
    and move them to one of two user config files which are included by
    named.conf.
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 1d3649ebb720d21ac06b23c947107abe20de2d1e
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 9 23:25:17 2020 +0200

    Fix named.conf named_conf_include_re
    
    Actually match one or more characters
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 03abb28afeb3983799a112ba96c2674e24cce81d
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 9 22:34:42 2020 +0200

    Remove named_validate_dnssec update step
    
    The upgrade step used to add "dnssec-validation no" to named.conf IFF
    named.conf did not contain "dnssec-validation" option at all. The
    option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
    only removes the upgrade state.
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 6ddaead3d70f0de8aa40a3eef313fa1ff24eb25c
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 9 18:11:26 2020 +0200

    More upgrade tests
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit aa2f93262f187b122cb3e3e0c755e21d98bb95d3
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 9 15:08:20 2020 +0200

    Fix named.conf update bug NAMED_DNSSEC_VALIDATION
    
    Commit a5cbdb57e50cfc62f61affda19ce878b2abd33de introduced a bug when
    updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
    variable was not declared.
    
    Fixes: https://pagure.io/freeipa/issue/8363
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit f1564cd228068d54b949277f7bdc00203b5da81a
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Tue Jun 9 17:21:25 2020 +1000

    upgrade: avoid stopping certmonger when fixing requests
    
    During upgrade, if discrepancies are detected in Certmonger tracking
    request configuration we remove and re-create tracking requests.
    The default behaviour of the CAInstance and KRAInstance
    stop_tracking_certificates() method is to stop certmonger after the
    requests have been removed.  This behaviour results in an
    unnecessary restart of certmonger and has also been observed to
    cause problems.  For example, subsequent certmonger operations have
    to start the certmonger process and can fail because certmonger is
    not yet properly initialised (manifesting as D-Bus errors).
    
    Suppress the unnecessary restart(s) of certmonger during tracking
    request update.
    
    Related: https://pagure.io/freeipa/issue/8186
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 00dd80b77e115734e6f8942339cd2e0d3cc7fbdc
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Tue Jun 9 16:06:42 2020 +1000

    httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
    
    In the migration case of replica installation, if the CA server is
    an older version it may not support the ipa-ca.$DOMAIN dnsName in
    the HTTP cert (it is a special case in the cert_request command).
    Therefore if the request fails, try it again without the
    ipa-ca.$DOMAIN dnsName.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 0fbd29d5d956646f2babf5166a8df43b3c8c44c2
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 9 21:40:50 2020 +0200

    Auto-generated ipa-epn files to gitignore
    
    memcached has been removed a loooong time ago.
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit bf28d4c8d0f085329105a4232c1a2ff3d61f067f
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Tue Jun 9 16:02:30 2020 -0400

    IPA-EPN: Don't treat givenname differently
    
    This was returning givenname as a list and not as a single
    string which messed up the templating.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit 4124bb6d6a665dc2fce665af577daa278e6b9f23
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Thu May 21 13:00:39 2020 -0400

    IPA-EPN: add test to validate smtp_delay value
    
    Configuration test to ensure that smtp_delay validation is
    properly enforced.
    
    Also reset the epn configuration when the tests are run.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit 37a4a79cc00a036ae11640462d880b7ea1ba7524
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Thu May 21 12:59:02 2020 -0400

    IPA-EPN: add smtp_delay to limit the velocity of e-mails sent
    
    Provide a knob so the mail queue doesn't get completely flooded
    with new e-mails.
    
    Default to no wait, value in milliseconds.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit 672c9f55b70a05aaa8f0baec6381a8b4ee935216
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Tue May 19 15:48:37 2020 -0400

    IPA-EPN: Add tests for --mail-test option
    
    Test sending a default template email to the smtp_admin user.
    
    Test that --mail-test and --dry-run cannot be used together.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit dca3f116a41af5476a8abf860d0dda3b4c80f8b5
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Tue May 19 15:47:09 2020 -0400

    IPA-EPN: Add mail-test option for testing sending live email
    
    To make testing easier for administrators the --mail-test option
    can be used to send live e-mail from ipa-epn. It sends mail
    to the smtp_admin user processing the template with dummy data.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit 6587edd4b283e37da7b214fce4c3c9d013fe1118
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Fri May 15 18:07:33 2020 -0400

    IPA-EPN: test using SSL against port 465
    
    Enable the postfix SSL listener on port 465. The certifiates
    and other configuration is already in place.
    
    Test that sending mail is successful.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit fc2b3aab5042a9125e74647493c0f4faecd87d20
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Fri May 15 16:52:27 2020 -0400

    IPA-EPN: Add test for starttls mode
    
    Get a certificate for postfix and configure it to allow starttls
    connections.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit bbe3397393c2fa7121fa05a656d682036bffbe9c
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Thu May 14 11:52:51 2020 -0400

    IPA-EPN: Add tests for sending real mail with auth and templates
    
    Send e-mail using postfix on localhost and read the contents to
    verify that the mail was delivered and that the template was
    applied correctly.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit ca1c374ebf58ccc5ed00346876835026958fe7bd
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Tue May 12 17:46:32 2020 -0400

    IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions
    
    Tested security mode with none, starttls and ssl security.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>

commit ab444db0accedeefc42264cd03c2abe4ed90ea19
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Fri May 15 11:50:45 2020 -0400

    Add index for krbPasswordExpiration for EPN
    
    Expiring Password Notifications search for expiring passwords
    between dates. Add an equality index for this attribute.
    
    https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 0869765536cd036221f6cd12921bac18e3e3df46
Author: Rob Crittenden <rcritten@redhat.com>
Date:   Tue May 12 10:05:50 2020 -0400

    Add a jinja2 e-mail template for EPN
    
    Add options for character set (default utf8) and message
    subtype (default plain). This will allow for more control
    for users to do either HTML mail or use ascii for the character
    set so the attachment is not base64-encoded to make it easier
    for all mail clients.
    
    Collect first and last name as well for each user in order to
    provide more options for the template engine.
    
    Make the From address configurable, defaulting to noreply@ipa_domain
    Make Subject configurable too.
    
    Don't rely on the MTA to set Message-Id: set it using the email
    module.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 3552185c3ca740b538d1516955cae094dc29bebd
Author: François Cami <fcami@redhat.com>
Date:   Thu May 7 16:55:07 2020 +0200

    IPA-EPN: Test suite.
    
    Initial test suite for EPN.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: François Cami <fcami@redhat.com>
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 98bb4e94fdc6e683bcc59bb58377c504d172800f
Author: François Cami <fcami@redhat.com>
Date:   Tue May 5 15:59:11 2020 +0200

    IPA-EPN: First version.
    
    EPN stands for Expiring Password Notification. It is a standalone
    tool designed to build a list of users whose password would expire
    in the near future, and either display the list in a machine-readable
    format, or send email notifications to these users.
    
    EPN provides command-line options to display the list of affected users.
    This provides data introspection and helps understand how many emails
    would be sent for a given day, or a given date range.
    The command-line options can also be used by a monitoring system to alert
    whenever a number of emails over the SMTP quota would be sent.
    
    EPN is meant to be launched once a day from an IPA client (preferred)
    or replica from a systemd timer.
    
    EPN does not keep state. The list of affected users is built at runtime
    but never kept.
    
    TLS/STARTTLS SMTP code is untested and unlikely to work as-is.
    
    Parts of code contributed by Rob Crittenden.
    Ideas and feedback contributed by Christian Heimes and Michal Polovka.
    
    Fixes: https://pagure.io/freeipa/issue/3687
    Signed-off-by: François Cami <fcami@redhat.com>
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 2032a619bb0a618b0d39fee0f61fbbc0a71ad77c
Author: François Cami <fcami@redhat.com>
Date:   Mon Jun 8 19:03:45 2020 +0200

    ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py
    
    The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
    sometimes fails at kinit in create_active_user:
    ```
    kinit: Password has expired while getting initial credentials
    ```
    Use krb5_trace to catch the required debug information.
    
    Related-to: https://pagure.io/freeipa/issue/8353
    Related-to: https://pagure.io/freeipa/issue/8271
    Signed-off-by: François Cami <fcami@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>

commit 01f27e292211e949c1ee2de727a203503ddfffa8
Author: François Cami <fcami@redhat.com>
Date:   Fri Jun 5 16:58:49 2020 +0200

    tasks.py: add krb5_trace to create_active_user and kinit_as_user
    
    The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
    sometimes fails when resetting a user's password using kinit in create_active_user.
    Add krb5_trace (default: False) to create_active_user and kinit_as_user.
    
    Related-to: https://pagure.io/freeipa/issue/8353
    Related-to: https://pagure.io/freeipa/issue/8271
    Signed-off-by: François Cami <fcami@redhat.com>
    Reviewed-By: Michal Polovka <mpolovka@redhat.com>
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>

commit ca0a62eac36ecf6b55b0983eaa139a25ed2a1ca2
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon Jun 8 14:55:38 2020 +0300

    ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset
    
    "Kerberos principal expiration" is set in UTC and when server is in
    different timezone, the time difference between timezone is respected by
    the IPA server/client for Kerberos authentication.
    
    The problem is due to mktime() assuming default time zone but since we
    parse the time using Zulu (UTC+0) timezone, mktime() forces current time
    zone offset added.
    
    The method is using mktime() and comparing to the current time obtained
    with time(NULL). According to its man page, mktime is considering the
    time as local time:
    
       The mktime() function converts a broken-down time structure,  expressed
       as  local  time, to calendar time representation.
    
    Instead mktime() we should use timegm(). The problem is that it is
    non-standard GNU extension and it is recommended (in the man page for
    timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
    mktime(), unset TZ, but since we are running in a multi-threaded
    environment this is problematic.
    
    On the other hand, we already rely on GNU extensions and enable them
    with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.
    
    The fix, therefore, is to use timegm() instead of mktime() in
    daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
    first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
    ipapwd_write_krb_keys()).
    
    Fixes: https://pagure.io/freeipa/issue/8362
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 6b0f8f3617378da41ead8640e194e5b9415a38b1
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Fri Jun 5 19:18:07 2020 +0300

    ipatests: test that adding Active Directory user to a role makes it an administrator
    
    Fixes: https://pagure.io/freeipa/issue/8357
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 99e613e478f7925d0f470a04d4de5a2f93385b7a
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 3 13:12:06 2020 +0300

    Web UI: allow users from trusted Active Directory forest manage IPA
    
    Extend Web UI logic to decide whether default Web UI view should have a
    full menu or should be confined to a self-service interface. Standard
    logic in FreeIPA Web UI is to combine two facts:
    
     * for IPA users membership in `admins` group is used to indicate full
       menu should be shown
    
     * for AD users the fact that ID override object is presented by IPA
       `whoami` command is used to confine to a self-service interface
    
    With the change to allow user ID overrides from a default trust view to
    be members of groups and roles, we can unify the administrative
    privileges checks for both IPA and AD users.
    
    Fixed: https://pagure.io/freeipa/issue/8335
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 5e8df37e4cca155bf58aa4e61b9fa3f28eddd526
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 3 13:11:01 2020 +0300

    tests: account for ID overrides as members of groups and roles
    
    Fixes: https://pagure.io/freeipa/issue/7255
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 8cce2bb31ab96f6ce6edba95f54575576f2b1a40
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 3 13:04:46 2020 +0300

    Support adding user ID overrides as group and role members
    
    Second part of adding support to manage IPA as a user from a trusted
    Active Directory forest.
    
    Treat user ID overrides as members of groups and roles.
    
    For example, adding an Active Directory user ID override as a member of
    'admins' group would make it equivalent to built-in FreeIPA 'admin'
    user.
    
    We already support self-service operations by Active Directory users if
    their user ID override does exist. When Active Directory user
    authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
    principal is automatically mapped to the user's ID override in the
    Default Trust View. LDAP server's access control plugin uses membership
    information of the corresponding LDAP entry to decide how access can be
    allowed.
    
    With the change, users from trusted Active Directory forests can
    manage FreeIPA resources if the groups are part of appropriate roles or
    their ID overrides are members of the roles themselves.
    
    Fixes: https://pagure.io/freeipa/issue/7255
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 2ffb4fd18fceb509773951ce4f02aa0c5e2f851a
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 3 12:52:55 2020 +0300

    idviews: handle unqualified ID override lookups from Web UI
    
    First part of the required changes to merge a plugin to manage IPA as
    a trusted Active Directory user.
    
    It is not possible to omit ID view in IPA API but a client might specify
    empty ID view. Up right now the empty view was considered an error. This
    prevented Web UI from resolving ID overrides in a group member adder
    dialog.
    
    Default to 'Default Trust View' if the ID view is None or empty string
    (''). Do this only for user ID overrides, as we do not support adding
    group ID overrides as group members in a plugin to manage IPA as a
    trusted Active Directory user[1].
    
    Being a group member means an object in LDAP must have an object class
    that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
    attempt to link back to the object from the group. Allow use of
    'nsMemberOf' object class in ID overrides.
    
    Fixes: https://pagure.io/freeipa/issue/7255
    
    [1] https://github.com/abbra/freeipa-adusers-admins
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit afe9191f99e034bcf52475b57996d81609de6837
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed Jun 3 12:47:41 2020 +0300

    support using trust-related operations in the server console
    
    When using `ipa -e in_server=True console` on IPA master, the whole IPA
    framework is loaded in the same process ('ipa console'). The context
    defined for this configuration is 'cli'. Some trust-related operations
    need to load Samba bindings and guard itself to 'lite' and 'server'
    contexts.
    
    Upon reviewing these cases I came to conclusion that these guards are
    unnecessary. It is enough to require that the context is in the server
    code.
    
    Allow these operations if we are operating in server mode. This allows
    to debug trust-related issued directly in the IPA console on IPA trust
    controllers.
    
    Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 6abade3f8daed8dfa024936114209d19319c4f12
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Sat Jun 6 13:05:42 2020 +0300

    kdb: handle enterprise principal lookup in AS_REQ
    
    Refactoring of the get_principal() code in commit
    b5876f30d4000424cc8122498c411f812b3a0959 broke handling of enterprise
    principal lookup for AS request (kinit -E user@ipa.test@IPA.TEST).
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 47adde99c28d1f7da5180a29ebcd2d70158217b5
Author: Christian Heimes <cheimes@redhat.com>
Date:   Mon Jun 8 15:59:24 2020 +0200

    libotp: Replace NSS with OpenSSL HMAC
    
    Use OpenSSL's HMAC API instead of NSS.
    
    Fixes: Fixes: https://pagure.io/freeipa/issue/6857
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 1f22ae50be0268b7bb19ccb3f2f9cc832cd9f7c5
Author: Sergio Oliveira Campos <seocam@redhat.com>
Date:   Sat Apr 25 18:43:52 2020 -0300

    Add test for sssd ad trust lookup with dn in certmaprule
    
    Related to https://pagure.io/SSSD/sssd/issue/3721
    
    Signed-off-by: Sergio Oliveira Campos <seocam@redhat.com>
    Reviewed-By: Sumit Bose <sbose@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Anuja More <amore@redhat.com>

commit 782ee1162fbf82c6ab54cb7918d26aba8acbc665
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu May 28 12:25:19 2020 +0200

    Include named config files in backup
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 539d46918f5c0e0c912965addd286ee31bcb93e1
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Sat Apr 25 18:06:45 2020 +0200

    Split named custom config to allow changes in options stanza
    
    Upgrade path to add additional include to named.conf is not handled.
    
    Remove bindkeys-file directive from named config
    The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
    BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
    include a hard-coded copy of the root KSK which gets updates automatically
    according to RFC 5011.
    
    Move dnssec-enable directive to custom named config
    
    Move comment named config being managed by FreeIPA to the top
    
    Move settings which could be changed by administrators to
    ipa-options-ext.conf. Settings defined there are sole responsibility of the
    administrator. We do not check if they might collide with our settings in
    named.conf.
    
    Fixes: https://pagure.io/freeipa/issue/8287
    Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 41a20fef10382a3d2c7f3260a8e0fba8a29d809a
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Thu Jun 4 04:55:38 2020 +0200

    util: replace NSS usage with OpenSSL
    
    Fixes: https://pagure.io/freeipa/issue/6857
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 0fe645efc16995f159db31dc514c8a8e0e13c706
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Thu Jun 4 21:36:31 2020 +0200

    util: add unit test for pw hashing
    
    Related: https://pagure.io/freeipa/issue/6857
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit a29eec33fa2bc4b5e57f3f63c67d212aeb5c5ff4
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Sun Jun 7 09:48:17 2020 +0200

    po: remove zanata config since translation was moved to weblate
    
    Related: https://pagure.io/freeipa/issue/8159
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 1062caaae6380fcf79ed11eb3ec5b015c0102e6a
Author: Christian Heimes <cheimes@redhat.com>
Date:   Fri Jun 5 12:33:42 2020 +0200

    Handle DatabaseError in RPC-Server connect()
    
    DatabaseError exceptions with 'account inactivated' message are turned
    into 401 Unauthorized errors. The problem occurs when a user is disabled
    but has a valid cookie.
    
    Other DatabaseErrors are turned into 503 Service Unavailable. They
    usually occur when LDAP server is not available or broken.
    
    Fixes: https://pagure.io/freeipa/issue/8352
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit f2caafb58ec578002fdf88de9cca5a3f5eaa1b2e
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 2 15:08:16 2020 +0200

    Allow permissions with 'self' bindruletype
    
    Make it possible to create a managed permission with
    ipapermbindruletype="self". The ACI will have bind rule
    '(userdn = "ldap:///self")'.
    
    Example
    -------
    
    Allow users to modify their own fasTimezone and fasIRCNick attributes:
    
    ```
    managed_permissions = {
        "System: Self-Modify FAS user attributes": {
            "ipapermright": {"write"},
            "ipapermtargetfilter": ["(objectclass=fasuser)"],
            "ipapermbindruletype": "self",
            "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
        }
    }
    ```
    
    See: https://github.com/fedora-infra/freeipa-fas/pull/107
    Fixes: https://pagure.io/freeipa/issue/8348
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit ac47599ebf006d34d06d23654cb93f707cbd7d1f
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Fri Jun 5 22:42:02 2020 +0200

    Specify min and max values for TTL of a DNS record
    
    Fixes: https://pagure.io/freeipa/issue/8358
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit ca4cc7abe1cad87cd1e80702aedaca43cb6660d1
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Fri Jun 5 23:54:19 2020 +0200

    WebUI: Add units to some DNS zone and IPA config fields
    
    Add also tooltips to ipasearchrecordslimit and ipasearchtimelimit
    to clarify the special value 0/-1.
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit df8bcc9637844c5058145eff5ed99097b6e9ca73
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Fri Jun 5 23:33:34 2020 +0200

    WebUI: Expose TTL of DNS records
    
    Fixes: https://pagure.io/freeipa/issue/3827
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 7dad4a5987fa001b1bc8f7740503e359ca0449e3
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Fri Jun 5 23:20:36 2020 +0200

    WebUI: Refresh DNS record data correctly after mod operation
    
    Fixes: https://pagure.io/freeipa/issue/8359
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 8e92190db866e7eb05aaaf41609b442f201d5c08
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Tue Mar 10 18:34:03 2020 +1100

    ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname
    
    Add integration test that confirms that on CA-ful installation, the
    (non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~4`.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit c445cefacf7713746f0bb0399d33b3f4008b71b4
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Mon Feb 3 12:29:49 2020 +1100

    upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~3`.
    
    If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
    resubmit the certificate request to add the name.  This action is
    performed after the tracking request has already been updated.
    
    Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
    request, if it does not immediately succeed (fairly likely during
    ipa-server-upgrade) and if the notAfter date of the current cert is
    still far off (also likely), then Certmonger will wait 7 days before
    trying again (unless restarted).  There is not much we can do about
    that in the middle of ipa-server-upgrade.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 5275342b691b2f74b365cb3422459779544be16a
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Mon Feb 3 11:13:32 2020 +1100

    httpinstance: add ipa-ca.$DOMAIN alias in initial request
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~2`.
    
    For new server/replica installation, issue the HTTP server
    certificate with the 'ipa-ca.$DOMAIN' SAN dNSName.  This is
    accomplished by adding the name to the Certmonger tracking request.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 4b24129f9e1ceb322c5477f9a0869f7a6b521f09
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Fri Jan 31 23:03:08 2020 +1100

    cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
    
    For detailed discussion on the purpose of this change and the design
    decisions made, see `git log -1 $THIS_COMMIT~1`.
    
    ACME support requires TLS and we want ACME clients to access the
    service via the ipa-ca.$DOMAIN DNS name.  So we need to add the
    ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates.  To
    facilitiate this, add a special case to the cert-request command
    processing.  The rule is:
    
    - if the dnsName being validated is "ipa-ca.$DOMAIN"
    - and the subject principal is an "HTTP/..." service
    - and the subject principal's hostname is an IPA server
    
    Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
    Otherwise continue with the usual dnsName validation.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 52873581e7ab1de8c02a4d80cdeeb9bf27b2f168
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Fri Jan 31 22:12:46 2020 +1100

    httpinstance: add fqdn and ipa-ca alias to Certmonger request
    
    BACKGROUND:
    
    We are implementing ACME support in FreeIPA (umbrella ticket:
    https://pagure.io/freeipa/issue/4751).  ACME is defined in RFC 8555.
    HTTPS is REQUIRED (https://tools.ietf.org/html/rfc8555#section-6.1).
    Therefore, every FreeIPA server that provides the ACME service
    capability must be reachable by HTTPS.
    
    RFC 8555 does not say anything about which port to use for ACME.
    The default HTTPS port of 443 is implied.  Therefore, the FreeIPA
    ACME service will be reached via the Apache httpd server, which will
    be the TLS server endpoint.
    
    As a usability affordance for ACME clients, and as a maintainability
    consideration i.e. to allow the topology to change without having to
    reconfigure ACME clients, there should be a a single DNS name used
    to reach the IPA ACME service.
    
    The question then, is which DNS name to use.
    
    REQUIREMENTS:
    
    Each FreeIPA server that is also an ACME server must:
    
    1. Be reachable via a common DNS name
    
    2. Have an HTTP service certificate with that DNS name as a SAN
       dNSName value
    
    DESIGN CONSIDERATION - WHAT DNS NAME TO USE?:
    
    Some unrelated FreeIPA ACME design decisions provide important
    context for the DNS name decision:
    
    - The ACME service will be automatically and unconditionally
      deployed (but not necessarily *enabled*) on all CA servers.
    
    - Enabling or disabling the ACME service will have topology-wide
      effect, i.e. the ACME service is either enabled on all CA
      servers, or disabled on all CA servers.
    
    In a CA-ful FreeIPA deployment there is already a DNS name that
    resolves to all CA servers: ``ipa-ca.$DOMAIN``, e.g.
    ``ipa-ca.example.com``.  It is expected to point to all CA servers
    in the deployment, and *only* to CA servers.  If internal DNS is
    deployed, the DNS records for ``ipa-ca.$DOMAIN`` are created and
    updated automatically.  If internal DNS is not deployed,
    administrators are required to maintain these DNS records
    themselves.
    
    The ``ipa-ca.$DOMAIN`` alias is currently used for OCSP and CRL
    access.  TLS is not required for these applications (and it can
    actually be problematic for OCSP).  Enabling TLS for this name
    presents some risk of confusion for operators.  For example, if they
    see that TLS is available and alter the certificate profiles to
    include an HTTPS OCSP URL in the Authority Information Access (AIA)
    extension, OCSP-using clients may fail to validate such
    certificates.  But it is possible for administrators to make such a
    change to the profile, whether or not HTTPS is available.
    
    One big advantage to using the ``ipa-ca.$DOMAIN`` DNS name is that
    there are no new DNS records to manage, either in the FreeIPA
    implementation or for administrators in external DNS systems.
    
    The alternative approach is to define a new DNS name, e.g.
    ``ipa-acme.$DOMAIN``, that ACME clients would use.  For internal
    DNS, this means the FreeIPA implementation must manage the DNS
    records.  This is straightforward; whenever we add or remove an
    ``ipa-ca.$DOMAIN`` record, also add/remove the ``ipa-acme.$DOMAIN``
    record.  But for CA-ful deployments using external DNS, it is
    additional work for adminstrators and, unless automated, additional
    room for error.
    
    An advantage of using a different DNS name is ``ipa-ca.$DOMAIN`` can
    remain inaccessible over HTTPS.  This possibly reduces the risk of
    administrator confusion or creation of invalid AIA configuration in
    certificate profiles.
    
    Weighing up the advantages and disadvantages, I decided to use the
    ``ipa-ca.$DOMAIN`` DNS name.
    
    DESIGN CONSIDERATION - CA SERVERS, OR ALL SERVERS?:
    
    A separate decision from which name to use is whether to include it
    on the HTTP service certificate for ACME servers (i.e. CA servers)
    only, or on all IPA servers.
    
    Combined with the assumption that the chosen DNS name points to CA
    servers *only*, there does not seem to be any harm in adding it to
    the certificates on all IPA servers.
    
    The alternative is to only include the chosen DNS name on the HTTP
    service certificates of CA servers.  This approach entails some
    additional complexity:
    
    - If a non-CA replica gets promoted to CA replica (i.e. via
      ``ipa-ca-install``), its HTTP certificate must be re-issued with
      the relevant name.
    
    - ipa-server-upgrade code must consider whether the server is a CA
      replica when validating (and if necessary re-creating) Certmonger
      tracking requests
    
    - IPA Health Check must be made aware of this factor when checking
      certificates and Certmonger tracking requests.
    
    Weighing up the options, I decided to add the common DNS name to the
    HTTP service certificate on all IPA servers.  This avoids the
    implementation complexity discussed above.
    
    CHANGES IN THIS COMMIT
    
    When (re-)tracking the HTTP certificate, explicitly add the server
    FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.
    
    Related changes follow in subsequent commits.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit b127bad8a93967c09c24edadd31d7d6e5b812186
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Thu Jan 30 21:22:47 2020 +1100

    certmonger: support dnsname as request search criterion
    
    We need to be able to filter Certmonger tracking requests by the DNS
    names defined for the request.  The goal is to add the
    'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so
    we will use that name as a search criterion.  Implement support for
    this.
    
    As a result of this commit it will be easy to add support for subset
    match of other Certmonger request list properties.  Just add the
    property name to the ARRAY_PROPERTIES list (and update the
    'criteria' description in the module docstring!)
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit ff7d0661a71ff2c9a66c8c9a1a48837d041f9099
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Thu Jan 30 21:03:15 2020 +1100

    certmonger: move 'criteria' description to module docstring
    
    The 'criteria' parameter is used by several subroutines in the
    ipalib.install.certmonger module.  It has incomplete documentation
    spread across several of these subroutines.  Move the documentation
    to the module docstring and reference it where appropriate.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 0e9b7773fb613889eacaa95504f1c40f21628c0f
Author: Fraser Tweedale <ftweedal@redhat.com>
Date:   Thu Jan 30 21:01:10 2020 +1100

    certmonger: avoid mutable default argument
    
    certmonger._get_requests has a mutable default argument.  Although
    at the present time it is never modified, this is an antipattern to
    be avoided.
    
    In fact, we don't even need the default argument, because it is
    always called with a dict() argument.  So just remove it.
    
    Part of: https://pagure.io/freeipa/issue/8186
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 8d759d3836aa36799978cd0333e1836ea2480f4b
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu May 14 11:09:50 2020 +0200

    make: serialize strip-po / strip-pot
    
    The strip-po target modifies files in place. This sometimes creates
    conflicts with other make targets when make is run in parallel mode.
    
    * split strip-po into strip-po and strip-pot
    * move strip-po[t] from dependency to explicit, serial execution
    * declare dependencies on POT/POFILES
    * don't run strip on clean
    
    Fixes: https://pagure.io/freeipa/issue/8323
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit 91f94612f3021a631dd8a97d08a6327c98f6e689
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu Jun 4 17:43:35 2020 +0200

    Remove obsolete BIND named.conf options
    
    ``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
    defaults to ``yes`` in all supported versions of bind. The option is
    removed when set to ``yes`` and a warning is emitted when the value is
    ``no``.
    
    DNSSEC lookaside validation has been deprecated by RFC 8749 and the
    feature removed from Bind 9.16. The only available lookaside provider
    dlv.isc.org no longer provides DLV information since 2017.
    
    Fixes: https://pagure.io/freeipa/issue/8349
    Fixes: https://pagure.io/freeipa/issue/8350
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit a571043380f0b08c6b3768a1fe176fee5073e2c5
Author: sumenon <sumenon@redhat.com>
Date:   Wed Jun 3 20:51:02 2020 +0530

    ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files
    
    This testcase changes the ownership of the tomcat config files
    on an IPA Master and then checks if healthcheck tools
    reports the status as WARNING
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 5aa5f678828033e109112c45547b55553a377895
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu Jun 4 11:12:08 2020 +0200

    Add ipa-print-pac to gitignore
    
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit c261a6eb768483f7ac45aab34994dcec01e819bd
Author: Christian Heimes <cheimes@redhat.com>
Date:   Tue Jun 2 11:02:38 2020 +0200

    Allow dnsrecord-add --force on clients
    
    See: https://pagure.io/freeipa/issue/8317
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

commit 2af2373c57c6828db922008ce1e3b7fd9b3e0da8
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Sat May 30 18:32:34 2020 +0200

    WebUI: Fix invalid RPC calls when link widget has no pkey passed
    
    Fixes: https://pagure.io/freeipa/issue/8338
    Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

commit 7e7d0d8397d466553268a52e3c4cf327f01a6957
Author: Peter Keresztes Schmidt <carbenium@outlook.com>
Date:   Sun May 31 01:40:45 2020 +0200

    WebUI: Use data adapter to load facet header data
    
    Fixes: https://pagure.io/freeipa/issue/8339
    Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

commit c64075b127ce4a79889bf65f925dd07ae0d53f01
Author: sumenon <sumenon@redhat.com>
Date:   Thu May 14 19:25:39 2020 +0530

    ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck
    
    This test checks that healthcheck tools reports correct information
    when permissions of Tomcat config file are modified.
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>

commit 81f924f49a7736b808545db0e84b3796e35c6657
Author: sumenon <sumenon@redhat.com>
Date:   Thu Apr 23 15:53:01 2020 +0530

    ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck
    
    This test checks that when pki-tomcat service is stopped,
    DogtagCertsConnectivityCheck displays the result as ERROR
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    Reviewed-By: Sergey Orlov <sorlov@redhat.com>

commit 062022996d6efeef3c0a9d5d0611890bdf416e28
Author: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date:   Fri May 15 12:41:05 2020 +0200

    WebUI: Apply jQuery patch to fix htmlPrefilter issue
    
    Manually backport corresponding changes from jQuery 3.5.0:
    https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
    
    A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility
    with Bootstrap 3.4.1 which we currently use.
    
    Ticket: https://pagure.io/freeipa/issue/8325
    
    Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

commit 5f292b2953460a7ae6b7784fd7dfb63d2994a28c
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 25 10:59:54 2020 +0300

    azure: do not run test_commands due to failures in low memory cases
    
    389-ds memory autotuning doesn't really work well in containerized
    environment as it only looks into host-wide /proc/meminfo. It gets
    fooled by 'missing' memory while there is still enough swap space.
    
    This is in particular affects test_commands test suite where
    ipa-adtrust-install cannot fully proceed and fails. We plan to rebalance
    test containers' memory split but right now just disable test_commands
    in Azure CI.
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit eeb70047c9849fcc59686bdd3edd2923ee1be134
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Fri May 1 13:01:29 2020 +0300

    test_smb: test S4U2Self operation by IPA service
    
    Kerberos service might request a ticket to itself on behalf of a user
    to perform protocol transition, so-called S4U2Self extension defined
    in [MS-SFU] specification. Processing of this request by KDC differs for
    in-realm and cross-realm configurations.
    
    Use SMB service to test S4U2Self performed against AD and IPA users.
    
    Fixes: https://pagure.io/freeipa/issue/8319
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 601151e7c6e99d67723af9e20e80252e71e9c49e
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 25 19:17:48 2020 +0300

    ipa-kdb: refactor principal lookup to support S4U2Self correctly
    
    Restructure logic of ipadb_get_principal() to separate retrieval of a
    principal by a name and by an alias. Separate enterprise principal name
    type processing into a helper function to be able to reuse it for own
    aliases.
    
    Unify code in client referrals part to do the same and use krb5 API to
    deal with principals rather than parsing strings. The end result is the
    same but we follow common rules in MIT Kerberos to process principals.
    
    An enterprise principal is typically "name@SOMEREALM@REALM", but any
    principal might be parsed as enterprise principal, so we could get
    "name@REALM" marked as such. When unparsing the enterprise principal,
    re-parse it again with default realm values, to get our realm
    normalization.
    
    This behavior would fix situations when GSSAPI calls are operating on a
    non-qualified principal name that was imported as a
    GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 68a0790b9da12ccb9f3a9f211f6d806ca604a861
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 25 19:16:27 2020 +0300

    ipa-kdb: cache local TGS in the driver context
    
    For Kerberos principal lookup we always need to check whether principal
    is from our realm. Keep the reference to our realm TGS handy to avoid
    memory allocations on every lookup.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 6c844c704d4f7ca8837f0d034325a379ec9294af
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 18 19:08:41 2020 +0300

    ipa-kdb: add primary group to list of groups in MS-PAC
    
    Somehow, we weren't adding primary group of the user to the list of
    groups in the PAC Logon Info structure.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 741f64f4b5428ccfa8105c61a91de8e0fab37bc3
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Tue May 12 18:19:06 2020 +0300

    ipa-kdb: Always allow services to get PAC if needed
    
    Previously, FreeIPA only allowed to issue PAC record in a ticket
    for the following principal types:
       - for IPA users
       - for a host principal of one of IPA masters
       - for a cifs/ or HTTP/ service on one of IPA masters
    
    To allow S4U2Self operations over trust to AD, an impersonating service
    must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self
    ticket. It means any IPA service performing S4U2Self would need to have
    PAC record and the constraints above prevent it from doing so.
    
    However, depending on whether the service or host principal belongs to
    one of IPA masters, we need to set proper primary RID to 516 (domain
    controllers) or 515 (domain computers).
    
    Fixes: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 110812b43b202c83d4a90d01aab1cf7610b2de41
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Tue May 12 22:44:12 2020 +0300

    ipa-kdb: add asserted identity SIDs
    
    Depending on whether identity of a principal was asserted by the KDC or
    by a service doing protocol transition (S4U2Self), AD DCs add a
    special extra SID to a PAC record:
    
     - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
     - S-1-18-2 is a SID for a Service Asserted Identity
    
    This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
    Ticket".
    
    In order to add an asserted identity SID, we need to pass down the
    client flags as set by the KDC and check for a protocol transition bit.
    
    Fixes: https://pagure.io/freeipa/issue/8319
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 1990e3954b3c566a52697e38569ad472a62a7895
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Fri May 1 12:50:41 2020 +0300

    kdb: add minimal server referrals support for enterprise principals
    
    Implement minimal server referrals support for enterprise principals as
    defined in RFC 6806.
    
    Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
    S4U extensions. We have to verify/sign PAC and take the realm into
    account for S4U in these cases.
    
    The use of extended functions require krb5 1.17+.
    
    For PAC verification, we have to filter existing PAC CLIENT-INFO
    structure in cross-realm S4U case because otherwise old CLIENT-INFO
    would change the PAC principal due to adding or ommiting the realm in
    transition.  Since a new PAC CLIENT-INFO will be provided by
    k5_insert_client_info() anyway, we can filter it in all cases.
    
    Generate PAC only for the first S4U2Self request to the client realm
    (client != NULL). Otherwise, use the PAC from the cross-realm ticket.
    The latter PAC belongs to the impersonated user.
    
    Foreign (inner) principal look up in non-AS request returns
    KRB5_KDB_NOENTRY.
    
    Finally, in PAC signing we have to take the realm into account as well
    for S4U2Self cross-realm operation. This does not work when compiling
    against krb5 1.17 at the moment because sign_authdata() callback does
    not know whether we are dealing with an issuing referral or not. In 1.18
    a KDC will set a special client flag to signify this when asking KDB
    driver to sign a PAC record.
    
    Fixes: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit ca99bf2abc793d77e889c91d2a436c3de96eb36e
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 18 11:05:29 2020 +0300

    ipa-tests: add a test to make sure MS-PAC is produced by KDC
    
    When ipa-adtrust-install is used, IPA KDC will be configured to issue
    tickets with MS-PAC record in them for users and services that have
    ipaNTSecurityIdentifier (SID) attribute in the LDAP record.
    
    Test that a newly added user can kinit and obtain a ticket that has
    a PAC structure.
    
    Test that a service can impersonate a user and the resulting S4U2Self
    requested service ticket also has PAC structure.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 1a01e46aa0cd7e3cfd53b380b0ab3975ae1dc524
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 18 09:40:30 2020 +0300

    ipa-print-pac: acquire and print PAC record for a user
    
    Helper utility to investigate PAC content of users in trusted
    environments. Supports direct ticket acquisition and S4U2Self protocol
    transition.
    
    1. Direct ticket acquisition
    
    In direct ticket acquisition mode the utility first does one of the
    following actions:
     - obtain a TGT ticket for a user principal using supplied password
     - import existing TGT from a default credentials cache
    
    Once a user TGT is available, the utility will attempt to acquire a service
    ticket to a service which key is specified in a keytab (default or
    passed with --keytab option) and simulate establishing context to the
    service application.
    
    If establishing context succeeds, MS-PAC content of the service ticket
    will be printed out.
    
    2. S4U2Self protocol transition
    
    In protocol transition case a service application obtains own TGT using
    a key from the keytab and then requests a service ticket to itself in
    the name of the user principal, performing S4U2Self request.
    
    If accepting this service ticket succeeds, MS-PAC content of the service
    ticket will be printed out.
    
    If KDC does not support or rejects issuing MS-PAC record for a user, an
    error message 'KDC has no support for padata type' will be printed.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 4723100791663b8eb6053c6b9f17b8c34e362891
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Mon May 18 15:23:16 2020 +0300

    ipa-kdb: add UPN_DNS_INFO PAC structure
    
    UPN_DNS_INFO structure contains the client's user principal name (UPN)
    and a fully qualified domain name. It is used to provide the UPN and the
    FQDN that corresponds to the client of the ticket.
    
    The structure is defined in MS-PAC section 2.10. MS-KILE specification
    says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
    further clarifies in section 3.3.5.2 that if the user account object has no
    userPrincipalName attribute, UPN_DNS_INFO should be constructed by
    concatenating user name, the "@" symbol, and the DNS name of the domain.
    
    IPA users don't really have userPrincipalName attribute. Instead, we
    always construct their account names in LOGON Info3 structure by
    unparsing the canonical principal name without realm, meaning that user
    principal can be recovered by concatenating the account name and the
    realm (domain).
    
    Unless the account name and unparsed client principal name are different
    or the primary Info3 gid (group RID) is the one for machine accounts,
    mark the UPN as constructed.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 7f2bfd9f7bfdc9b9e260e45b725b92521565570b
Author: Stanislav Levin <slev@altlinux.org>
Date:   Fri May 22 14:00:14 2020 +0300

    Azure: Make dnf repos consistent
    
    Build container(image registry.fedoraproject.org/f32/fedora-toolbox)
    has two more dnf repos enabled compared to Tests container(image
    fedora:32). This results in the packages built within the Build
    container can have dependencies which are unresolvable(missing)
    within Tests container.
    
    This enables updates-testing and updates-testing-modular,
    disables fedora-cisco-openh264 for Tests container.
    
    Fixes: https://pagure.io/freeipa/issue/8330
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

commit a457b79d1e5af3c1bd1d9517db07c5a85154c932
Author: Florence Blanc-Renaud <flo@redhat.com>
Date:   Mon May 18 11:12:26 2020 +0200

    ipatests: Check if user with 'User Administrator' role can delete group.
    
    Test scenario:
    - create a test user with the 'User Administrator' role
    - as this test user, create a new group
    - as this test user, delete the new group
    
    Related: https://pagure.io/freeipa/issue/6884
    
    Co-authored-by: Nikhil Dehadrai <ndehadra@redhat.com>
    Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>

commit c39a2e2bb90c0ccde9084edcfc17b0f29250a35b
Author: Sumedh Sidhaye <ssidhaye@redhat.com>
Date:   Wed Apr 15 22:10:39 2020 +0530

    Test for removing a subgroup
    
    Problem description:
    Removing an IPA sub-group should NOT remove the members
    from indirect parent that also belong to other subgroups
    
    The test:
    A user and three groups are created groupa,groupb,groupc
    'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc
    
    user is direct member of 'groupa' and as a result member of 'groupb'
    and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
    change.
    
    If one removes the direct membership to 'groupb' again,
    nothing should change as well
    
    Pagure Link: https://pagure.io/SSSD/sssd/issue/3636
    
    Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 363cb9fd7f3d8d57dcad91d92918bfb513164706
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Tue May 19 08:38:35 2020 +0300

    baseldap: de-duplicate passed attributes when checking for limits
    
    LDAP attribute options aren't enforced in the schema, thus we strip them
    when checking attribute conformance with the schema. This, however, can
    leave us with a situation when multiple base LDAP attribute names are
    present in the list of attribute names to check.
    
    Use set of attribute names to deduplicate the list.
    
    Fixes: https://pagure.io/freeipa/issue/8328
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit f0ef4180cfb7616482f8ded16ad5c46fcf9f5286
Author: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Date:   Tue May 5 13:45:10 2020 +0530

    ipatests: Test deletion of required principal throws proper error
    
    ipa service-del <Principal name> did not display proper principal
    name which is being deleted in error message.
    This test check if it throws error having proper principal name.
    
    related: https://pagure.io/freeipa/issue/7695
    
    Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 87377493bd67939d6e90f08d1e26d1fc3bcfd708
Author: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Date:   Mon May 4 21:03:32 2020 +0530

    Display principal name while del required principal
    
    Fix is to display the proper principal in error message
    while attempting to delete required principal.
    
    related: https://pagure.io/freeipa/issue/7695
    
    Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit d8c8ba7d476b4f2a9a03be5bebe8a75a8a5028a1
Author: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date:   Wed May 13 16:03:00 2020 +0200

    WebUI tests: Add confirmation step after changing default group in automember tests
    
    Ticket: https://pagure.io/freeipa/issue/8322
    
    Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit 5d3364a543a65eaa6ed94005cdab6dd1d3745c49
Author: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date:   Wed May 13 15:54:17 2020 +0200

    WebUI: Add confirmation dialog for changing default user/host group
    
    Changing default group on automember rules page is too easy.
    Add a confirmation dialog to avoid misclick in the case.
    
    Ticket: https://pagure.io/freeipa/issue/8322
    
    Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

commit f16a4b06b76412ac22763ca9e0a53d3560bfe4c1
Author: Christian Heimes <cheimes@redhat.com>
Date:   Fri May 15 09:24:47 2020 +0200

    Check for freeipa-server-dns package early
    
    The ``--setup-dns`` knob and interactive installer now check for
    presence of freeipa-server-dns early and stop the installer with an
    error.
    
    ```
    $ ipa-server-install
    ...
    Do you want to configure integrated DNS (BIND)? [no]: yes
    Integrated DNS requires 'freeipa-server-dns' package
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
    ```
    
    ```
    $ ipa-server-install --setup-dns
    Usage: ipa-server-install [options]
    
    ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
    The ipa-server-install command failed.
    ```
    
    Fixes: https://pagure.io/freeipa/issue/7577
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit c8009e1caf141d57f68590bd60e1966d46090481
Author: Alexander Bokovoy <abokovoy@redhat.com>
Date:   Wed May 13 19:29:42 2020 +0300

    service delegation: allow to add and remove host principals
    
    Service delegation rules and targets deal with Kerberos principals.
    As FreeIPA has separate service objects for hosts and Kerberos services,
    it is not possible to specify host principal in the service delegation
    rule or a target because the code assumes it always operates on Kerberos
    service objects.
    
    Simplify the code to add and remove members from delegation rules and
    targets. New code looks up a name of the principal in cn=accounts,$BASEDN
    as a krbPrincipalName attribute of an object with krbPrincipalAux object
    class. This search path is optimized already for Kerberos KDC driver.
    
    To support host principals, the specified principal name is checked to
    have only one component (a host name). Service principals have more than
    one component, typically service name and a host name, separated by '/'
    sign. If the principal name has only one component, the name is
    prepended with 'host/' to be able to find a host principal.
    
    The logic described above allows to capture also aliases of both
    Kerberos service and host principals. Additional check was added to
    allow specifying single-component aliases ending with '$' sign. These
    are typically used for Active Directory-related services like databases
    or file services.
    
    RN: service delegation rules and targets now allow to specify hosts as
    RN: a rule or a target's member principal.
    
    Fixes: https://pagure.io/freeipa/issue/8289
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 834b04b91dff670d3f0feb1b403705074a8f3d5b
Author: Christian Heimes <cheimes@redhat.com>
Date:   Thu May 14 14:40:29 2020 +0200

    Hard-code in_tree=True for tests
    
    Some integration tests use internal option ``force``. Re-add
    ``in_tree=True`` to make the tests pass until Pagure#8317 is fixed.
    
    See: https://pagure.io/freeipa/issue/8317
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 6cd2d44707c69b6c83c0eaae3a94d6f64c6c1622
Author: Christian Heimes <cheimes@redhat.com>
Date:   Mon May 4 19:41:38 2020 +0200

    Fix detection logic for api.env.in_tree
    
    The logic to detect in-tree builds was broken and ipatests/conftest.py
    had hard-coded in_tree=True.
    
    IPA now considers an environment as in-tree when the parent directory of
    the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
    present in source and never installed.
    
    API bootstrap() does not use ```self.site_packages in site.getsitepackages()``
    because the function call can be expensive and would require path
    normalization, too. The function is also missing from venv site module.
    
    Fixes: https://pagure.io/freeipa/issue/8312
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit 3234892336f9bf1775127fb19504110c8dec70b1
Author: Christian Heimes <cheimes@redhat.com>
Date:   Wed May 13 14:30:28 2020 +0200

    Make api.env.mode consistent
    
    * use "developer" in Azure
    * fix man page: "development" to "developer"
    * list known modes in API bootstrap methods
    
    Other values for mode are still supported to avoid breaking existing
    installations.
    
    Fixes: https://pagure.io/freeipa/issue/8313
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>

commit c59106f005d520f1c84f12a15902cf005162d15c
Author: sumenon <sumenon@redhat.com>
Date:   Thu Sep 26 12:01:29 2019 +0530

    ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8
    
    Issue: https://pagure.io/freeipa/issue/8066
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>

commit 273f580b95ac5a2cb91ce336cf82b085eb7929e0
Author: Stanislav Levin <slev@altlinux.org>
Date:   Wed May 13 09:21:25 2020 +0300

    Azure: Always update apt cache
    
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>

commit 9d01875d12c20855d4be1351717ee4105e34e5ac
Author: Stanislav Levin <slev@altlinux.org>
Date:   Wed May 6 18:20:44 2020 +0300

    Azure: Allow chronyd to sync time
    
    Though time namespace support was added in Linux kernel 5.6, it
    is not landed on Azure VM (Ubuntu) yet.
    
    The syncing time stuff is required by IPA NTP tests. it's
    acceptable for testing 1 IPA environment on 1 Azure VM for such
    tests.
    
    Fixes: https://pagure.io/freeipa/issue/8316
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Created: 2020-07-28 Last update: 2020-08-03 07:03

lintian reports 5 warnings normal

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-07-29 12:30

4 ignored security issues in buster low

There are 4 open security issues in buster.

4 issues skipped by the security teams:

CVE-2020-1722: A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
CVE-2019-14867: A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
CVE-2019-10195: A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
CVE-2019-14826: A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.

Please fix them.

Created: 2019-09-17 Last update: 2020-07-24 18:30

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2020-03-07 Last update: 2020-03-07 04:04

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migrates after: dogtag-pki
- Migration status for freeipa (- to 4.8.6-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- autopkgtest for freeipa/4.8.6-1: amd64: Regression ♻ , arm64: Regression ♻
- Build-Depends(-Arch): freeipa dogtag-pki
- Depends: freeipa dogtag-pki
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/f/freeipa.html
- 119 days old (needed 5 days)
- Not considered

news

[rss feed]

[2020-04-07] Accepted freeipa 4.8.6-1 (source) into unstable (Timo Aaltonen)
[2020-03-25] Accepted freeipa 4.8.5-1 (source) into unstable (Timo Aaltonen)
[2019-11-26] Accepted freeipa 4.8.3-1 (source) into unstable (Timo Aaltonen)
[2019-11-20] Accepted freeipa 4.8.2-1 (source) into unstable (Timo Aaltonen)
[2019-10-07] freeipa REMOVED from testing (Debian testing watch)
[2019-10-07] freeipa REMOVED from testing (Debian testing watch)
[2019-09-11] Accepted freeipa 4.8.1-2 (source) into unstable (Timo Aaltonen)
[2019-09-11] Accepted freeipa 4.8.1-1 (source amd64 all) into experimental, experimental (Timo Aaltonen)
[2019-06-12] freeipa 4.7.2-3 MIGRATED to testing (Debian testing watch)
[2019-05-06] Accepted freeipa 4.7.2-3 (source) into unstable (Timo Aaltonen)
[2019-02-24] freeipa 4.7.2-2 MIGRATED to testing (Debian testing watch)
[2019-02-12] Accepted freeipa 4.7.2-2+exp1 (source) into experimental (Timo Aaltonen)
[2019-02-12] Accepted freeipa 4.7.2-2 (source) into unstable (Timo Aaltonen)
[2019-02-11] freeipa 4.7.2-1 MIGRATED to testing (Debian testing watch)
[2019-02-05] Accepted freeipa 4.7.2-1+exp1 (source) into experimental (Timo Aaltonen)
[2019-02-05] Accepted freeipa 4.7.2-1 (source) into unstable (Timo Aaltonen)
[2018-12-06] Accepted freeipa 4.7.1-3 (source) into unstable (Timo Aaltonen)
[2018-10-18] Accepted freeipa 4.7.1-2 (source) into unstable (Timo Aaltonen)
[2018-10-09] Accepted freeipa 4.7.1-1 (source) into unstable (Timo Aaltonen)
[2018-09-28] Accepted freeipa 4.7.0-1 (source) into unstable (Timo Aaltonen)
[2018-07-22] Accepted freeipa 4.6.3-1.1 (source) into unstable (Sebastian Andrzej Siewior)
[2018-04-17] Accepted freeipa 4.7.0~pre1+git20180411-2 (source) into experimental (Timo Aaltonen)
[2018-04-12] Accepted freeipa 4.7.0~pre1+git20180411-1 (source) into experimental (Timo Aaltonen)
[2018-02-02] Accepted freeipa 4.6.3-1 (source) into unstable (Timo Aaltonen)
[2018-01-30] Accepted freeipa 4.6.2-4 (source) into unstable (Timo Aaltonen)
[2018-01-29] Accepted freeipa 4.6.2-3 (source) into unstable (Timo Aaltonen)
[2018-01-20] Accepted freeipa 4.6.2-2 (source) into unstable (Timo Aaltonen)
[2018-01-20] Accepted freeipa 4.6.2-1 (source) into unstable (Timo Aaltonen)
[2017-12-16] Accepted freeipa 4.4.4-4 (source) into unstable (Timo Aaltonen)
[2017-10-09] Accepted freeipa 4.4.4-3 (source) into unstable (Timo Aaltonen)

bugs [bug history graph]

all: 9
RC: 0
I&N: 8
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 5)
buildd: logs, checks, clang, cross
popcon
browse source code
edit tags
security tracker
l10n (-, 20)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.8.6-1ubuntu2
9 bugs
patches for 4.8.6-1ubuntu2