[ol7_latest_archive] ipa-server-common-4.4.0-14.0.1.el7_3.noarch

Name:	ipa-server-common
Version:	4.4.0
Release:	14.0.1.el7_3
Architecture:	noarch
Group:	System Environment/Base
Size:	2103708
License:	GPLv3+
RPM:	ipa-server-common-4.4.0-14.0.1.el7_3.noarch.rpm
Source RPM:	ipa-4.4.0-14.0.1.el7_3.src.rpm
Build Date:	Tue Dec 06 2016
Build Host:	x86-ol7-builder-01.us.oracle.com
Vendor:	Oracle America
URL:	http://www.freeipa.org/
Summary:	Common files used by IPA server
Description:	IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package.

Changelog (Show File list) (Show related packages)

Tue Dec 06 2016 Kevin Lyons <kevin.x.lyons@oracle.com> - 4.4.0-14.0.1

- Blank out header-logo.png product-name.png
  Replace login-screen-logo.png [20362818]

Tue Nov 01 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14

- Resolves: #1378353 Replica install fails with old IPA master sometimes during
  replication process
  - spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
  - WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
  - trustdomain-del: fix the way how subdomain is searched

Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13

- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
  - Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
  stores and doesn't set proper trust permissions
  - Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
  can have their password set
  - ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
  - Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Make httpd publish its CA certificate on DL1

Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12

- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error

Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11

- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix regression introduced in ipa-certupdate

Wed Sep 07 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10

- Resolves: #1355753 adding two way non transitive(external) trust displays
  internal error on the console
  - Always fetch forest info from root DCs when establishing two-way trust
  - factor out `populate_remote_domain` method into module-level function
  - Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
  after `ipa-replica-install`
  - Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
  lower versioned server
  - compat: Save server's API version in for pre-schema servers
  - compat: Fix ping command call
  - schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
  - Fix man page ipa-replica-manage: remove duplicate -c option
    from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
  when revoking certificate
  - cert: include CA name in cert command output
  - WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
  - Add support for additional options taken from table facet
  - WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
  internactively
  - dns: normalize record type read interactively in dnsrecord_add
  - dns: prompt for missing record parts in CLI
  - dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
  aware of Sub CAs
  - cert: fix cert-find --certificate when the cert is not in LDAP
  - Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root
  Administrator account is used to fetch domain info
  - do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
  certificate request
  - Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
  - cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
  - Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local
  address (always)
  - Fix parse errors with link-local addresses

Fri Sep 02 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9

- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
  - Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
  reachable via the forest root
  - trust: make sure ID range is created for the child domain even if it exists
  - ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
  - WebUI: add API browser is tech preview warning
- Resolves: #1348560 Mulitple domain Active Directory Trust conflict
  - ipaserver/dcerpc: reformat to make the code closer to pep8
  - trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
  certificate revocation
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
  - Remove Custodia server keys from LDAP
  - Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
  converted from CA-less to CA-full
  - custodia: include known CA certs in the PKCS#12 file for Dogtag
  - custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
  - Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
  - trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
  - Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of
  version 1 for old / 3rd party clients
  - rpcserver: assume version 1 for unversioned command calls
  - rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
  - schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
  - Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
  - otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
  - Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that support
  mod_proxy with UDS
  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
  stageuser_tests
  - Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream

Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8

- Resolves: #1298288 [RFE] Improve performance in large environments.
  - cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
  authentication
  - service: add flag to allow S4U2Self
  - Add 'trusted to auth as user' checkbox
  - Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about
  non-existent --force-ntpd option
  - Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
  sub-domain to already-broken domain
  - DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
  - schema: Speed up schema cache
  - frontend: Change doc, summary, topic and NO_CLI to class properties
  - schema: Introduce schema cache format
  - schema: Generate bits for help load them on request
  - help: Do not create instances to get information about commands and topics
  - schema cache: Do not reset ServerInfo dirty flag
  - schema cache: Do not read fingerprint and format from cache
  - Access data for help separately
  - frontent: Add summary class property to CommandOverride
  - schema cache: Read server info only once
  - schema cache: Store API schema cache in memory
  - client: Do not create instance just to check isinstance
  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file
  - server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
  cache directory: [Errno 13] Permission denied: '/home/test_user'
  - schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
  - cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works
  without '--ignore-topology-disconnect'
  - Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service
  does not exists
  - Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
  does not happen to run during dnf upgrade
  - DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
  with CA
  - Add warning about only one existing CA server
  - Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
  - schema check: Check current client language against cached one

Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-7

- Resolves: #1361119 UPN-based search for AD users does not match an entry in
  slapi-nis map cache
  - support multiple uid values in schema compatibility tree

Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-6

- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
- Resolves: #1341249 Subsequent external CA installation fails
  - install: fix external CA cert validation
- Resolves: #1353831 ipa-server-install fails in container because of
  hostnamectl set-hostname
  - server-install: Fix --hostname option to always override api.env values
  - install: Call hostnamectl set-hostname only if --hostname option is used
- Resolves: #1356091 ipa-cacert-manage --help and man differ
  - Improvements for the ipa-cacert-manage man and help
- Resolves: #1360631 ipa-backup is not keeping the
  /etc/tmpfiles.d/dirsrv-<instance>.conf
  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica
  file is needed
  - Update ipa-replica-install documentation
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does
  not rpm-require it
  - client: RPM require initscripts to get *-domainname.service
- Resolves: #1364197 caacl: error when instantiating rules with service
  principals
  - caacl: fix regression in rule instantiation
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
  - parameters: move the `confirm` kwarg to Param
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks
  instead of plus icon
  - Fix unicode characters in ca and domain adders
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
  - client: add missing output params to client-side commands
- Resolves: #1365526 build fails during "make check"
  - ipa-kdb: Fix unit test after packaging changes in krb5