-
Thu Nov 30 2017 EL Errata <el-errata_ww@oracle.com> - 4.5.0-22.0.1.el7_4
- Rebuild
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
-
Fri Oct 27 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-22.el7
- Resolves: #1506528 In case full PKINIT configuration is failing during
server/replica install the error message should be more meaningful.
- Less confusing message for PKINIT configuration during install
- Resolves: #1506526 Use X509v3 Basic Constraints "CA:TRUE" instead of
"CA:FALSE" IPA CA CSR
- Include the CA basic constraint in CSRs when renewing a CA
- Resolves: #1506913 ipa-replica-install might fail because of an already
existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
- Checks if replica-s4u2proxy.ldif should be applied
- Resolves: #1506525 server-del doesn't remove dns-server configuration
from ldap
- server.py: Removes dns-server configuration from ldap
-
Wed Sep 20 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2.2
- Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports
expecting IPA services listening on IPv6 ports
- Make sure upgrade also checks for IPv6 stack
- control logging of host_port_open from caller
- log progress of wait_for_open_ports
- Resolves: #1493411 ipa help command returns traceback when no cache
is present
- Store help in Schema before writing to disk
- Disable pylint in get_help function because of type confusion.
-
Tue Sep 19 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2
- Resolves: #1486794 - [ipa-replica-install] - 406 Client Error: Failed to
validate message: Incorrect number of results (0) searching forpublic
key for host
- Always check peer has keys before connecting
- Resolves: #1489300 - Unable to set ca renewal master on replica
- Fix ipa config-mod --ca-renewal-master
- Resolves: #1489815 - TypeError in renew_ca_cert prevents from swiching
back to self-signed CA
- Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
- Resolves: #1489817 - ipa-server-upgrade failes with "This entry already exists"
- Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists
- Resolves: #1490331 - FreeIPA/IdM installations which were upgraded from
versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and
thus startup of Web UI fails
- Adds whoami DS plugin in case that plugin is missing
- Resolves: #1491545 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5
- Fixing how sssd.conf is updated when promoting a client to replica
- Resolves: #1492616 - ipa-otptoken-import - XML file is missing PBKDF2
parameters!
- ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
- Resolves: #1493153 - Updating from RHEL 7.3 fails with Server-Cert not found
(ipa-server-upgrade)
- Backport 4-5: Fix ipa-server-upgrade with server cert tracking
-
Wed Aug 16 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.2
- Fixing issues reported by Errata tool
-
Tue Aug 15 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.1
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
(new installs only)
- Restore old version of caIPAserviceCert for upgrade only
-
Tue Aug 01 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1
- Resolves: #1473272 Provide a tooling automating the configuration
of Smart Card authentication on a FreeIPA master
- smart-card advises: configure systemwide NSS DB also on master
- smart-card advises: add steps to store smart card signing CA cert
- Allow to pass in multiple CA cert paths to the smart card advises
- add a class that tracks the indentation in the generated advises
- delegate the indentation handling in advises to dedicated class
- advise: add an infrastructure for formatting Bash compound statements
- delegate formatting of compound Bash statements to dedicated classes
- Fix indentation of statements in Smart card advises
- Use the compound statement formatting API for configuring PKINIT
- smart card advises: use a wrapper around Bash `for` loops
- smart card advise: use password when changing trust flags on HTTP cert
- smart-card-advises: ensure that krb5-pkinit is installed on client
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
(new installs only)
- Add CommonNameToSANDefault to default cert profile
- Resolves: #1475664 NULL LDAP context in call to ldap_search_ext_s
during search in cn=ad,cn=trusts,dc=example,dc=com
- NULL LDAP context in call to ldap_search_ext_s during search
-
Wed Jul 12 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7
- Resolves: #1470125 Replica install fails to configure IPA-specific
temporary files/directories
- replica install: drop-in IPA specific config to tmpfiles.d
- Resolves: #1469978 bind package is not automatically updated during
ipa-server upgrade process
- Bumped Required version of bind-dyndb-ldap and bind package
-
Tue Jun 27 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-20.el7
- Resolves: #1452216 Replica installation grants HTTP principal
access in WebUI
- Make sure we check ccaches in all rpcserver paths
-
Wed Jun 21 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-19.el7
- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
- ipa-sam: replace encode_nt_key() with E_md4hash()
- ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
IP address is not found on local interfaces
- Fix local IP address validation
- ipa-dns-install: remove check for local ip address
- refactor CheckedIPAddress class
- CheckedIPAddress: remove match_local param
- Remove ip_netmask from option parser
- replica install: add missing check for non-local IP address
- Remove network and broadcast address warnings