On Monday, July 23, 2018 12:43:53 PM CDT Rob Crittenden via FreeIPA-users 
wrote:
> The FreeIPA team would like to announce FreeIPA 4.7.0 release!
> 
> It can be downloaded from http://www.freeipa.org/page/Downloads.
> 
> == Highlights in 4.7.0 ==
> 
> === Enhancements ===
> 
> ==== mod_ssl =====
> 
> IPA has switched to mod_ssl as the crypto engine for Apache. This change
> will be made automatically when upgrading.
> 
> ==== NSS sqlite database ====
> 
> Fedora 28 changed the default database format type from dbm to sqlite.
> Theoretically there should be no end-user difference but you will see
> different file names for your NSS databases: cert9.db, key4.db and
> pkcs11.txt.
> 
> ==== authselect ====
> 
> Fedora 28 switched to a new PAM configuration tool, authselect.
> https://fedoraproject.org/wiki/Changes/Authselect
> 
> ==== Time server change to chronyd ====
> 
> The ntpd service was deprecated in F28. It was replaced by chronyd. The
> client also uses chrony as its time client.
> 
> https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
> 
> ==== Python 3 ====
> 
> FreeIPA now fully supports Python 3 and can be installed without any
> python 2 dependencies.
> 
> === Known Issues ===
> 
> === Bug fixes ===
> 
> FreeIPA 4.7.0 includes all of the bug fixes and enhancements from 4.6.1
> - 4.6.4.
> 
> There are more than 170 bug fixes, details of which can be seen in
> the list of resolved tickets below.
> 
> == Upgrading ==
> Upgrade instructions are available on [[Upgrade]] page.
> 
> == Feedback ==
> Please provide comments, bugs and other feedback via the freeipa-users
> mailing list
> (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos
> ted.org/)
 or #freeipa channel on Freenode.
> 
> == Resolved tickets ==
> * 7615 ipa_tests: ipa-replica-prepare stuck on user input
> * 7550 [WebUI] extend host test suite
> * 7547 ui_tests: checkbox click fix
> * 7546 ui_tests: improve "field_validation" method
> * 7544 ui_tests: extend test_selinuxusermap.py suite
> * 7542 CLI and Web UI allow to add more then one radius server into
> radius proxy
> * 7540 Extend WebUI test_krbpolicy suite with the following test cases:
> * 7535 ipa-restore fails because tmp/etc/ipa/ca.crt is missing
> * 7526 IdM servers:/usr/share/ipa/html/ca.crt does not include the
> complete chain
> * 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has
> occurred"
> * 7519 Adding SSH keys for AD users as I created overrides
> * 7510 validate_selinuxuser does not allow a period in selinux user
> identifier
> * 7505 WebUI tests: Extend netgroup tests
> * 7503 multiple occurrences of profileId in certprofile causes incorrect
> behaviour
> * 7485 Extending webui user group test
> * 7474 ipa-server-install --uninstall on replica fails with
> "NoOptionError: No option 'ldap_uri' in section: 'global'"
> * 7473 ERROR: No valid Negotiate header in server response
> * 7468 test_host.py::test_host::test_crud is failing in nightly tests
> * 7463 test_webui: add user life-cycles tests
> * 7447 test_create_host_with_ip is not fully covering possible return
> errors
 * 7436 ipa: Please log something after restarting the KDC
> * 7433 CRL url on replicas gets incorrectly redirected
> * 7432 make fasttest fails on fresh clone. fedora26
> * 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn
> -s CA
> * 7424 Improve Realm Domains doc text
> * 7411 Simplify CA, TLS and bytes warning configuration of LDAP connections
> * 7400 Add excludearch for i686 because 389-ds is no longer doing 32-bit
> builds
> * 7397 ipa host-add --ip-address... returns Internal error when
> forward-policy=none is defined
> * 7394 file conflicts between python2-mod_wsgi and freeipa-server
> * 7393 Installing 4.6.3-1 in rawhide/F28 fails with DuplicateEntry
> enabling TLS in 389-ds
> * 7390 cert-request: issuance of malformed certificate causes IPA
> Internal Error
> * 7389 F-27 upgrade to 4.6.3-1 fails with KRA update
> * 7383 user-add: user creation proceeds when password is wrong
> * 7381 Drop PyOpenSSL requirement
> * 7380 Possible regression for limited OTP characters in host-add
> * 7378 ipa-ods-exporter fails with socket activation did not return socket
> * 7374 IPA 'Generate OTP' option in web gui does not show OTP code when
> no reverse zone is managed
> * 7373 "An internal error has occurred" show up when trying to add a
> user to the Member User table in Vault.
> * 7371 uninstalling replica leaves orphained data in ldap
> * 7359 [RFE] extend topology plugin to clean up a removed replica ldap/
> principal
> * 7357 IntegrationTests do not fail even if the uninstall process fails
> * 7342 admins group is not including all permissions of Role "User
> Administrator"
> * 7338 FreeIPA server install/upgrade does not process schema.d/ files
> correctly
> * 7335 Integration tests are not collecting all logs
> * 7330 ipa-server-install --uninstall does not return error code on error
> * 7318 Cannot uninstall ipaserver after fresh install - {'desc': "Can't
> contact LDAP server", 'errno': 111, 'info': 'Connection refused'}
> * 7315 Packaging: use pylint 1.7.5 and remove disable for import stat
> * 7313 trust integration tests need to override test_establish_trust
> method when using different trust-add options
> * 7308 Help for ipa trust-add --range-type
> * 7299 RPM post-install scripts fail because they are run with python2
> * 7294 python3 incompatibility in vault_archive
> * 7275 Viewing DNS Records with WebUI fails
> * 7254 test_caless: fix http.p12 is not valid and provide domain_level
> for replica tests
> * 7253 Custodia keys are not removed on uninstall
> * 7240 ipa-dnskeysyncd broken (and ipactl doesn't tell)
> * 7226 Remove remaining references to Firefox configuration extension
> * 7220 Third KRA  installation in topology fails
> * 7210 Firefox reports insecure TLS configuration when visiting FreeIPA
> web UI after standard server deployment
> * 7208 freeipa: binary RPMs require both Python 2 and Python 3
> * 7190 Wrong info message from tasks.py
> * 7189 make check is failed
> * 7187 ipa-replica-manage should provide a debug option
> * 7186 testing: get back command outputs when running tests
> * 7162 [ipatests] disable replication debugging for 389-ds logs in
> integration tests
> * 7157 [tracker] pyasn1 fails to parse kerberos principal name
> * 7155 test_caless: add caless to external CA test
> * 7154 test_external_ca: switch to python-cryptography
> * 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start
> tracking certs
> * 7150 Ipa-server-install update dse.ldif with wrong SELinux context
> * 7148 py3: ipa cert-request --principal --database fails with
> BytesWarning: str() on a bytes instance
> * 7143 "unknown command 'undefined'" error when changing user's password
> via the web UI
> * 7136 ipa-restore command doesn't exit with failure if wrong directory
> manager's password is provided
> * 7135 Server deployment still sets up Firefox extension, this is no
> longer necessary and broken on F27+
> * 7134 ipa param-find: command displays internal error
> * 7132 [4.6] PyPI packages are broken
> * 7131 Finish Python3 support
> * 7129 ipa-server/replica-install fails with: "exception: BytesWarning:
> Comparison between bytes and string" when using '--dirsrv-config-file'
> parameter
> * 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite
> fails due to missing dns records
> * 7119 kdc_proxy: kinit admin fails with "Cannot contact any KDC for
> realm 'IPA.TEST' while getting initial credentials"
> * 7115 ipa-pki-retrieve-key: failure results in crash report
> * 7033 vault: TypeError: ... is not JSON serializable
> * 7027 Use TLS for cert-find
> * 7012 Users can delete their last active OTP token
> * 6994 RFE: Remove 389-ds tuning step
> * 6968 Consider moving upgrades from rpm install post
> * 6874 pylint 1.7.1 fails
> * 6858 RFE - Option to add custom OID or display name in IPA Cert
> * 6851 Don't use ctypes.util.find_library in ipaclient
> * 6844 ipa-restore fails when umask is set to 0027
> * 6721 While performing ipa-server-upgrade, sssd goes offline and stalls
> the upgrade process
> * 6703 Enable ephemeral KRA requests
> * 6609 A CA administrator fails to add CA for Insufficient 'add' privilege
> * 5922 ipa vault-archive overwrites an existing value without warning
> * 5887 IDNA domains does not work under py3
> * 5813 ipa-kra-install disrupts bind-dyndb-ldap
> * 5776 webui: some data disappear from user details page after the save
> action is performed
> * 5638 Port client code to Python 3
> * 5442 [tracker] SELinux 'execmem' denials
> * 7624 [WebUI] wrong link to browser configuration guide on Login page
> * 7609 [py37] Import from collections.abc
> * 7604 ipa-client-install --mkhomedir doesn't enable oddjobd
> * 7591 [freeipa] Drop requirements for 'initscripts' from specfile
> * 7590 lightweight subca: ca-show fails on replica
> * 7589 cacert renew fails on replica
> * 7585 Update to python3-lesscpy 0.13
> * 7581 Translated text is formed incorrectly (API Browser)
> * 7562 Regression: authselect 0.4-3 breaks FreeIPA sudo rules
> * 7560 Do not depend on gnupg (1.x), use gnupg2
> * 7559 UI LoginScreen widget cannot be translated
> * 7536 [F28] SubCA failing, keys are orphan
> * 7533 ipa-advise: remove plugin config-fedora-authconfig
> * 7530 external CA replica installation fails with CA_UNREACHABLE
> * 7529 AVC denials and errors for IPA server installed on Fedora28
> * 7524 ipa-client-install fails because of missing file
> /usr/share/ipa/freeipa.template
> * 7523 external CA installation: step two reports self-signed configuration
> * 7516 [F28] ipa-ca-install fails on replica
> * 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf
> despite the migration to ssl.conf
> * 7514 Allow to create Kerberos services without a corresponding host
> object
 * 7513 Allow Kerberos services to be members of IPA groups
> * 7500 FreeIPA can remove svrcore-devel requirement
> * 7498 [F28] CA replica fails with could not find certificate named
> "caSigningCert cert-pki-ca"
> * 7491 Unknown user 'ipaapi' when updating packages
> * 7490 installutils.set_directive doesn't handle debian ssl.conf properly
> * 7489 Test test_caless_TestCertInstall is failing in nightly
> * 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
> * 7471 [F28] replica pkispawn fails
> * 7469 ipa-replica-prepare fail with "stat: path should be string,
> bytes, os.PathLike or integer, not NoneType"
> * 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
> * 7465 [F28] oddjobd not started, replica install fails with dbus error
> in conn check
> * 7464 CI is failing with pkispawn timeout
> * 7461 Hardening of topology plugin to prevent erronous deletion of a
> replica agreement
> * 7426 DogtagInstance.backup_config creates backup with wrong owner
> * 7421 Store HTTPD private keys encrypted
> * 7418 [RFE] Improve ipa-client-install behaviour when non-standard
> ldap.conf is used
> * 7415 CA installer need to check availability of port 8080
> * 7410 ipa-replica-install --add-agents option doesn't install
> trust-agent on replica
> * 7396 ipa-client-automount --uninstall should return errcode
> CLIENT_NOT_CONFIGURED
> * 7377 Investigate and define plan of authconfig replacement in FreeIPA
> * 7354 Fedora 28: Support NSSDB SQL format
> * 7322 cert_find --subject is not finding by cert subject
> * 7311 Update ui_driver to allow set path for geckodriver.log
> * 7310 Integration tests don't collect logs from other replicas
> * 7309 Integration tests: CA-less -> CA-ful promotion; post-promotion
> checks
 * 7304 double ca acl provoke console error.
> * 7302 test_external_ca: add selfsigned > external_ca > selfsigned test
> case
 * 7301 Drop dependency on Python nose
> * 7300 test_x509: test very long OID
> * 7295 Build freeIPA with Python3 in @freeipa/freeipa-master-nightly
> * 7278 Run WebUI unit test in TravisCI
> * 7274 ipa-replica-install fails with PIN error [ CA-less environment ]
> * 7263 Typo in login screen
> * 7258 typo in accounts menu
> * 7257 DNSSEC isn't supported in Python3
> * 7251 f.flush() or os.fsync() don't sync
> * 7246 Report CA Subject DN and subject base before installing.
> * 7239 Using --auto-reverse and --allow-zone-overlap does not skip zone
> overlap check
> * 7225 CLI: view command / plugin help in pager
> * 7224 Logging: ipa-replica-conncheck is missing a /n
> * 7207 ipa-server-install should prevent installations with single label
> domains
> * 7201 ipa-replica-manage  re-initialize TypeError: 'NoneType' object
> does not support item assignment
> * 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
> * 7095 [tracker] please rotate & compress
> /var/lib/pki/pki-tomcat/logs/ca/debug
> * 7049 Prepare for NSS switch default database to sqlite in F-27
> * 7024 freeipa depends on ntp
> * 6931 custodia user isn't created when FreeIPA RPMs are installed
> * 6890 Quickstart guide: mention how to open firewall ports
> * 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still
> deletes group
> * 6843 ipa-backup does not create log file at /var/log/
> * 6837 make ipa.conf and named.conf portable
> * 6760 Improve console message for "ipa-server-install --uninstall" command
> * 6604 Make pylint and jsl optional (and other issues)
> * 6589 client should require /etc/krb5.conf.d/
> * 6450 pylint: cyclic dep check sometimes makes build fail
> * 4853 Utilize system-wide crypto-policies
> * 4140 Configure the NSS shared database model in IPA servers
> * 3757 [RFE] Allow IPA to use either mod_ssl or mod_nss
> * 2536 Create DOAP description for the IPA project
> 
> == Detailed changelog since 4.6.4 ==
> 
> === Armando Neto (9) ===
> * Disable Pylint 2.0 violations
> * Fix Pylint 2.0 violations
> * Fix pylint 2.0 conditional-related violations
> * Fix pylint 2.0 return-related violations
> * Replace file.flush() calls with flush_sync() helper
> * ipa-server-install: fix zonemgr argument validator
> * ipa-client-install: Update how comments are added by ipachangeconf
> * ui_tests: fix test_config::test_size_limits
> * Prevent the creation on users and groups with numeric characters only
> 
> === Alexander Bokovoy (28) ===
> * ipaserver/dcerpc.py: handle indirect topology conflicts
> * pylint3: workaround false positives reported for W1662
> * group: allow services as members of groups
> * service: allow creating services without a host to manage them
> * group-del: add a warning to logs when password policy could not be
> removed
 * idoverrideuser-add: allow adding ssh key in web ui
> * ACL: Allow hosts to remove services they manage
> * install: validate AD trust-related options in installers
> * replication: support error messages from 389-ds 1.3.5 or later
> * upgrade: treat duplicate entry when updating as not an error
> * Allow anonymous access to parentID attribute
> * upgrade: Run configuration upgrade under empty ccache collection
> * use LDAP Whoami command when creating an OTP token
> * Update template directory with new variables when upgrading
> ipa.conf.template
> * Processing of server roles should ignore errors.EmptyResult
> * ipaserver/plugins/trust.py: pep8 compliance
> * trust: detect and error out when non-AD trust with IPA domain name exists
> * ipaserver/plugins/trust.py; fix some indenting issues
> * ipa-extdom-extop: refactor nsswitch operations
> * test_dns_plugin: cope with missing IPv6 in Travis
> * travis-ci: collect logs from cmocka tests
> * ipa-kdb: override krb5.conf when testing KDC code in cmocka
> * adtrust: filter out subdomains when defining our topology to AD
> * ipa-replica-manage: implicitly ignore initial time skew in force-sync
> * ds: ignore time skew during initial replication step
> * Make sure upgrade also checks for IPv6 stack
> * OTP import: support hash names with HMAC- prefix
> * dsinstance: Restore context after changing dse.ldif
> 
> === Abhijeet Kasurde (3) ===
> * Trivial typo fix.
> * ipatests: Fix interactive prompt in ca_less tests
> * tests: correct usage of hostname in logger in tasks
> 
> === Alexander Koksharov (4) ===
> * Fix replica_promotion-domlevel0 test failures
> * preventing ldap principal to be deleted
> * ensuring 389-ds plugins are enabled after install
> * kra-install: better warning message
> 
> === amitkuma (13) ===
> * Match Common Name attribute in Subject
> * ipa vault-archive overwrites an existing value without warning
> * ipa-advise: remove plugin config-fedora-authconfig
> * RFE: ipa client should setup openldap for GSSAPI
> * Correcting detect typo in server.m4
> * Correction of management spelling.
> * clear sssd cache when uninstalling client
> * clear sssd cache when uninstalling client
> * Error message while adding idrange with untrusted domain
> * Removing extra spaces present in man ipa-server-install
> * ipa-advise for smartcards updated
> * Custom ca-subject logging
> * Documenting kinit_lifetime in /etc/ipa/default.conf
> 
> === Anuja More (5) ===
> * Test for ipa-client-install should not use hardcoded admin principal
> * Test that host can remove there own services
> * Test for ipa-replica-install fails with PIN error for CA-less env.
> * Adding test-cases for ipa-cacert-manage
> * Adding test-cases for ipa-cacert-manage
> 
> === Aleksei Slaikovskii (17) ===
> * Revert "Fixing
> TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
> * Uninstall fix for named-pkcs11
> * Radius proxy multiservers fix
> * test_backup_and_restore.py Fix logging
> * Enable and start oddjobd after ipa-restore if it's not running.
> * Fixing translation problems
> * test_backup_and_restore.py AssertionError fix
> * ipalib/frontend.py output_for_cli loops optimization
> * View plugin/command help in pager
> * ipa-restore: Set umask to 0022 while restoring
> * Prevent installation with single label domains
> * Add a notice to restart ipa services after certs are installed
> * Fix TypeError while ipa-restore is restoring a backup
> * ipaclient.plugins.dns: Cast DNS name to unicode
> * Less confusing message for PKINIT configuration during install
> * Make tox tests to generate results in JUnit XML
> * Make WebUI unit tests to generate results as JUnit
> 
> === Brian J. Murrell (1) ===
> * Move ETag disabling to /ipa virtual server
> 
> === Christian Heimes (191) ===
> * Remove needless use of %defatt
> * Add more RHEL customizations to spec file
> * Update builddep command in BUILD.txt
> * Use python2_sitelib in spec file
> * Fedora 29: No longer build python2-ipaserver
> * Add pylint ignore to magic config.Env attributes
> * Teach pylint how our api works
> * Fix ipa console filename
> * Create helper function to upload to temp file
> * Add tab completion and history to ipa console
> * Handle races in replica config
> * pylint 2.0: node.path is a list
> * Fix XPASS in test_installation
> * Mark all expected failures as strict
> * Fix DNSSEC install regression
> * Wait for client certificates
> * Auto-retry failed certmonger requests
> * Tune DS replication settings
> * Fix race condition in get_locations_records()
> * Fix CA topology warning
> * Delay enabling services until end of installer
> * Only create DNS SRV records for ready server
> * Query for server role IPA master
> * Cleanup shebang and executable bit
> * Import ABCs from collections.abc
> * Require JSS 4.4.5 with replication fixes
> * Extend Sub CA replication test
> * pylint: Class node has been renamed to ClassDef
> * Pythhon3.7: re module has no re._pattern_type
> * Catch ACIError instead of invalid credentials
> * Fix permission of public files in upgrader
> * Make /etc/httpd/alias world readable & executable
> * Always make ipa.p11-kit world-readable
> * Ensure that public cert and CA bundle are readable
> * Use 4 WSGI workers on 64bit systems
> * Fix replication races in Dogtag admin code
> * Use common replication wait timeout of 5min
> * Improve and fix timeout bug in wait_for_entry()
> * Remove restarted_named and xfail
> * Tests: Set default TTL for DNS zones to 1 sec
> * Always set ca_host when installing replica
> * Start to deprecate Python 2 and 3.5
> * Sort and shuffle SRV record by priority and weight
> * Increase WSGI process count to 5 on 64bit
> * Fedora 29 renamed fedora-domainname.service
> * Use python3-lesscpy 0.13.0
> * Split external_ca PR-CI into two jobs
> * Always build Python 3 packages
> * Make Python 2 build dependency optional
> * Use one Custodia peer to retrieve all secrets
> * Move client templates to separate directory
> * Print version string in installer
> * Backport gzip.decompress for Python 2
> * Require JSS 4.4.4 with fix for sub CA replication
> * Refuse PORT, HOST in /etc/openldap/ldap.conf
> * Apply sane LDAP settings to C code
> * Use sane default settings for ldap connections
> * Add test case for allow-create-keytab
> * Use GnuPG 2 for backup/restore
> * Use GnuPG 2 for symmentric encryption
> * Require python-ldap >= 3.1.0
> * Reproducer for issue 5923 (bytes in error response)
> * Run PR-CI with Fedora 28
> * Revert "Validate the Directory Manager password"
> * Create missing /etc/httpd/alias for ipasession.key
> * Only run subset of external CA tests
> * Require Dogtag 10.6.1
> * Require nss with fix for nickname bug
> * ipa-client package needs sssd-tool
> * Make ipatests' create_external_ca a script
> * Load certificate files as binary data
> * Remove contrib/nssciphersuite
> * Compatibility with pytest 3.4
> * Use shutil to copy file
> * Use single Custodia instance in installers
> * Add augeas dependency to client package
> * Create users in server-common pre hook
> * Require 389-ds-base >= 1.4.0.8-1
> * CA replica PKCS12 workaround for SQL NSSDB
> * Add nsds5ReplicaReleaseTimeout to replica config
> * Fix Python dependencies
> * Remove os.chdir() from test_ipap11helper
> * certdb: Move chdir into subprocess call
> * Provide ldap_uri in Custodia uninstaller
> * Defer import of ipaclient.csrgen
> * Require more recent glibc on F27
> * Load librpm on demand for IPAVersion
> * Fix installer CA port check for port 8080
> * Temporarily disable authconfig backup and restore
> * Cleanup and remove more files on uninstall
> * Fix compatibility with latest pytest
> * More cleanup after uninstall
> * Require Dogtag PKI >= 10.6
> * Keep owner when backing up CA.cfg
> * Pylint 1.8.3 fixes
> * Relax message check in test_create_host_with_ip
> * Make fasttest pass without ~/.ipa/default.conf
> * Instrument installer to profile steps
> * autoconf prefers Python 3 over 2
> * Simplify Python package installation
> * Move DNS related files to server-dns package
> * Silence GCC warning in ipa_extdom
> * Silence GCC warning in ipa-kdb
> * Remove unused modutils wrappers from NSS/CertDB
> * Update /etc/ipa/nssdb in client scripts
> * NSS: Force restore of SELinux context
> * NSSDB: Let certutil decide its default db type
> * Prepare migration of mod_nss NSSDB to sql format
> * certmonger: Use explicit storage format
> * Remove deprecated -p option from ipa-dns-install
> * Add mocked test for named crypto policy update
> * Upgrade named.conf to include crypto policy
> * Use system-wide crypto-policies on Fedora
> * Add better CalledProcessError and run() logging
> * freeipa-server no longer supports i686 arch on F28
> * ipa-custodia-checker now uses python3 shebang
> * Unified ldap_initialize() function
> * Fix multiple uninstallation of server
> * Fix i18n test for Chinese translation
> * Run API and ACI under Python 2 and 3
> * Generate same API.txt under Python 2 and 3
> * Replace wsgi package conflict with config file
> * Restart named-pkcs11 after KRA installation
> * Update existing 389-DS cn=RSA,cn=encryption config
> * Replace hard-coded paths with path constants
> * Bump python-ldap version to fix syncrepl bug
> * Bump SELinux policy for DNSSEC
> * ipa-server-upgrade now checks custodia server keys
> * DNSSEC code cleanup
> * DNSSEC: Reformat lines to address PEP8 violations
> * Decode ODS commands
> * Run DNSSEC under Python 3
> * More DNSSEC house keeping
> * Remove unused PyOpenSSL from spec file
> * Give ODS socket a bit of time
> * Require dbus-python on F27
> * Fix pylint error in ipapython/dn.py
> * Lower python-ldap requirement for F27
> * ipa-run-tests: make --ignore absolute, too
> * Sort external schema files
> * LGTM: unnecessary else in for loop
> * LGTM: Use explicit string concatenation
> * LGTM: raise handle_not_found()
> * LGTM: Fix multiple use before assignment
> * LGTM: Remove redundant assignment
> * LGTM: Fix exception in permission_del
> * LGTM: Membership test with a non-container
> * LGTM: Name unused variable in loop
> * LGTM: Use of exit() or quit()
> * LGTM: Silence unmatchable dollar
> * Make fastlint even faster
> * ipa-run-tests: replace chdir with plugin
> * Include ipa_krb5.h without util prefix
> * Custodia uninstall: Don't fail when LDAP is down
> * Require python-ldap 3.0.0b2
> * Use pylint 1.7.5 with fix for bad python3 import
> * Vault: Add argument checks to encrypt/decrypt
> * Fix pylint warnings inconsistent-return-statements
> * Travis: Add workaround for missing IPv6 support
> * Replace nose with unittest and pytest
> * Add safe DirectiveSetter context manager
> * More log in verbs
> * Address more 'to login'
> * Fix grammar error: Log out
> * Fix grammar in login screen
> * Add make targets for fast linting and testing
> * Add marker needs_ipaapi and option to skip tests
> * Add python_requires to Python package metadata
> * Remove Custodia keys on uninstall
> * NSSDB: use preferred convert command
> * Skip test_rpcclient_context in client tests
> * Update to python-ldap 3.0.0
> * Update builddep command to install Python 3 and tox deps
> * Add workaround for pytest 3.3.0 bug
> * Fix dict iteration bug in dnsrecord_show
> * Reproducer for bug in structured dnsrecord_show
> * Use Python 3 on Travis
> * Prevent installation of Py2 and Py3 mod_wsgi
> * Require UTF-8 fs encoding
> * libotp: add libraries after objects
> * Run tox tests for PyPI packages on Travis
> * Support sqlite NSSDB
> * Py3: Fix vault tests
> * Test script for ipa-custodia
> * ipa-custodia: use Dogtag's alias/pwdfile.txt
> * Use namespace-aware meta importer for ipaplatform
> * Remove ignore_import_errors
> * Backup ipa-custodia conf and keys
> * Py3: fix fetching of tar files
> * Use os.path.isfile() and isdir()
> * Block PyOpenSSL to prevent SELinux execmem in wsgi
> 
> === David Kupka (2) ===
> * schema: Fix internal error in param-{find,show} with nonexistent object
> * tests: Add LDAP URI to ldappasswd explicitly
> 
> === Felipe Barreto (38) ===
> * Adding xfail to failing tests
> * Fixing tests on TestReplicaManageDel
> * Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
> * Fixing
> TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
> * Adding GSSPROXY_CONF to be backed up on ipa-backup
> * Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
> * Fix TestSubCAkeyReplication providing the right path to pki log
> * temp commit: adding test to PR CI run
> * Adding right parameters to install IPA in
> TestInstallMasterReservedIPasForwarder
> * Changing Django's CoC to reflect FreeIPA CoC
> * Adding Django's Code of Conduct
> * prci: Bump ci-master-f27 template to 1.0.3
> * Adding more tests to PR CI
> * Fixing cleanup process in test_caless
> * WebUI Tests: changing the ActionsChains.move_to_element to a new approach
> * WebUI Tests: fixing test_user.py::test_test_noprivate_posix
> * WebUI Tests: Changing how the initial load process is done
> * WebUI Tests: fixing test_range test case
> * WebUI Tests: changing how the login screen is detected
> * WebUI Tests: refactoring login method to be more readable
> * WebUI Tests: fixing test_navigation
> * WebUI Tests: fixing test_group
> * WebUI Tests: fixing test_hbac
> * Check if replication agreement exist before enable/disable it
> * Make IntegrationTest fail if an error happened during uninstall
> * IntegrationTests now collects logs from all test methods
> * Fixing vault-add-member to be compatible with py3
> * Fixing test_backup_and_restore assert to do not rely on the order
> * Fixing test_testconfig with proper asserts
> * Warning the user when using a loopback IP as forwarder
> * Removing replica-s4u2proxy.ldif since it's not used anymore
> * Fix log capture when running pytests_multihosts commands
> * Checks if replica-s4u2proxy.ldif should be applied
> * Fixing tox and pylint errors
> * Fixing param-{find,show} and output-{find,show} commands
> * Checks if Dir Server is installed and running before IPA installation
> * Changing idoverrideuser-* to treat objectClass case insensitively
> * Fixing how sssd.conf is updated when promoting a client to replica
> 
> === François Cami (1) ===
> * 10-config.update: remove nsslapd-sasl-max-buffer-size override as
> https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389
> Directory Server.
> 
> === Florence Blanc-Renaud (38) ===
> * ipa client uninstall: clean the state store when restoring hostname
> * Add test for ticket 7604: ipa-client-install --mkhomedir doesn't
> enable oddjobd
> * ipa-client-install: enable and start oddjobd if mkhomedir
> * fix dependency for *-domainname.service file
> * Installer: configure authselect with-sudo
> * Test for 7526
> * ipa-server-install: publish complete cert chain in
> /usr/share/ipa/html/ca.crt
> * authselect migration: use stable interface to query current config
> * authselect test: skip test if authselect is not available
> * ipa-advise: adapt config-client-for-smart-card-auth to authselect
> * Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
> * New tests for authselect migration
> * Migration from authconfig to authselect
> * ipa-advise config-server-for-smart-card-auth: use mod-ssl
> * ipa-replica-install: make sure that certmonger picks the right master
> * ipa-restore: remove /etc/httpd/conf.d/nss.conf
> * ipa-server-install: handle error when calling kdb5_util create
> * ipa host-add: do not raise exception when reverse record not added
> * ACI: grant access to admins group instead of admin user
> * 389-ds OTP lasttoken plugin: Add unit test
> * User must not be able to delete his last active otp token
> * ipa host-add --ip-address: properly handle NoNameservers
> * test_integration: backup custodia conf and keys
> * Idviews: fix objectclass violation on idview-add
> * Improve help message for ipa trust-add --range-type
> * Fix ca less IPA install on fips mode
> * Fix ipa-replica-install when key not protected by PIN
> * Fix ipa-restore (python2)
> * ipa-getkeytab man page: add more details about the -r option
> * Py3: fix ipa-replica-conncheck
> * Fix ipa-replica-conncheck when called with --principal
> * py3: fix ipa cert-request --database ...
> * ipa-cacert-manage renew: switch from ext-signed CA to self-signed
> * ipa-server-upgrade: do not add untracked certs to the request list
> * ipa-server-upgrade: fix the logic for tracking certs
> * Fix ipa-server-upgrade with server cert tracking
> * Python3: Fix winsync replication agreement
> * Fix ipa config-mod --ca-renewal-master
> 
> === Fraser Tweedale (52) ===
> * Add missing space in error string
> * Handle compressed responses from Dogtag
> * install: fix reported external CA configuration
> * csrgen: fix when attribute shortname is lower case
> * csrgen: drive-by docstring
> * csrgen: support initialising OpenSSL adaptor with key object
> * py3: fix csrgen error handling
> * certprofile: add tests for config profileId scenarios
> * certprofile: reject config with multiple profileIds
> * Fix upgrade (update_replica_config) in single master mode
> * Add commentary about PKI admin password
> * Fix upgrade when named.conf does not exist
> * replica-install: warn when there is only one CA in topology
> * install: configure dogtag status request timeout
> * upgrade: remove fix_trust_flags procedure
> * ldap2: fix implementation of can_add
> * ipaldap: allow GetEffectiveRights on individual operations
> * Update IPA CA issuer DN upon renewal
> * cert-request: avoid internal error when cert malformed
> * Improve warning message for malformed certificates
> * Don't use admin cert during KRA installation
> * Add uniqueness constraint on CA ACL name
> * Add tests for installutils.set_directive
> * installutils: refactor set_directive
> * pep8: reduce line lengths in CAInstance.__enable_crl_publish
> * Prevent set_directive from clobbering other keys
> * install: report CA Subject DN and subject base to be used
> * ipa_certupdate: avoid classmethod and staticmethod
> * Run certupdate after promoting to CA-ful deployment
> * ipa-ca-install: run certupdate as initial step
> * CertUpdate: make it easy to invoke from other programs
> * renew_ra_cert: fix update of IPA RA user entry
> * Re-enable some KRA installation tests
> * Use correct version of Python in RPM scripts
> * Remove caJarSigningCert profile and related code
> * CertDB: remove unused method issue_signing_cert
> * Remove XPI and JAR MIME types from httpd config
> * Remove mention of firefox plugin after CA-less install
> * Add missing space in ipa-replica-conncheck error
> * ipa-cacert-manage: avoid some duplicate string definitions
> * ipa-cacert-manage: handle alternative tracking request CA name
> * Add tests for external CA profile specifiers
> * ipa-cacert-manage: support MS V2 template extension
> * certmonger: add support for MS V2 template
> * certmonger: refactor 'resubmit_request' and 'modify'
> * ipa-ca-install: add --external-ca-profile option
> * install: allow specifying external CA template
> * Remove duplicate references to external CA type
> * cli: simplify parsing of arbitrary types
> * py3: fix pkcs7 file processing
> * ipa-pki-retrieve-key: ensure we do not crash
> * issue_server_cert: avoid application of str to bytes
> 
> === Ganna Kaihorodova (7) ===
> * check nsds5ReplicaReleaseTimeout option was set
> * Fix trust tests for Posix Support
> * Fix for integration tests dns_locations
> * Fix in IPA's multihost fixture
> * TestBasicADTrust.test_ipauser_authentication
> * Fix for test TestInstallMasterReservedIPasForwarder
> * Overide trust methods for integration tests
> 
> === John Morris (1) ===
> * Increase dbus client timeouts during CA install
> 
> === Justin Stephenson (1) ===
> * Skip zone overlap check with auto-reverse
> 
> === Kaleemullah Siddiqui (1) ===
> * Test coverage for multiservers for radius proxy
> 
> === Martin Basti (3) ===
> * py3: bindmgr: fix iteration over bytes
> * py3: ipa-dnskeysyncd: fix bytes issues
> * py3: set samba dependencies
> 
> === Takeshi MIZUTA (1) ===
> * Fix some typos in man page
> 
> === Michal Reznik (54) ===
> * Mark DL0 TestReplicaManageDel tests as xfail
> * ipa_tests: ipa-replica-prepare stuck on user input
> * ui_tests: stabilization fixes
> * ui_tests: extend test_config.py suite
> * ui_tests: fixes for issues with sending key and focus on element
> * ui_tests: add click_undo_button() func
> * ui_tests: extend test_selinuxusermap.py suite
> * ui_tests: improve "field_validation" method
> * ui_tests: checkbox click fix
> * ui_tests: introduce new test_misc cases file
> * ui_driver: extension and modifications related to test_user
> * ui_tests: extend test_user suite
> * test_web_ui: extend ui_driver methods
> * test_webui: add user life-cycles tests
> * ui_tests: run ipa-get/rmkeytab command on UI host
> * ui_tests: select_combobox() fixes
> * ui_tests: test cancel and delete without button
> * ui_tests: make associations cancelable
> * ui_tests: add function to run cmd on UI host
> * ui_tests: add funcs to add/remove users public SSH key
> * ui_tests: add assert_field_required()
> * ui_tests: add assert_notification()
> * ui_tests: add more test cases
> * ui_tests: add more test cases to test_certification
> * ui_tests: add_service() support func in test_service
> * ui_tests: add_host() support func in test_service
> * ui_tests: change get_http_pkey() function
> * test_caless: adjust try/except to capture also IOError
> * ipa_tests: test signing request with subca on replica
> * tests: ca-less to ca-full - remove certupdate
> * ipa_tests: test subca key replication
> * test_caless: add SAN extension to other certs
> * prci: run full external_ca test suite
> * tests: move CA related modules to pytest_plugins
> * test_external_ca: selfsigned->ext_ca->selfsigned
> * test_tasks: add sign_ca_and_transport() function
> * paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
> * test_caless: test PKINIT install and anchor update
> * test_renewal_master: add ipa csreplica-manage test
> * test_cert_plugin: check if SAN is added with default profile
> * test_help: test "help" command without cache
> * test_x509: test very long OID
> * test_batch_plugin: fix py2/3 failing assertion
> * test_vault: increase WAIT_AFTER_ARCHIVE
> * test_caless: fix http.p12 is not valid
> * test_caless: fix TypeError on domain_level compare
> * manpage: ipa-replica-conncheck - fix minor typo
> * test_external_dns: add missing test cases
> * test_caless: open CA cert in binary mode
> * test_forced_client: decode get_file_contents() result
> * tests: add host zone with overlap
> * tests_py3: decode get_file_contents() result
> * test_caless: add caless to external CA test
> * test_external_ca: switch to python-cryptography
> 
> === Varun Mylaraiah (5) ===
> * ui_tests: extend test_pwpolicy.py suite
> * Extend WebUI test_krbpolicy suite with the following test cases:
> test_verifying_button (verify button's action in various scenarios)
> test_negative_value (verify invalid values) test_verifying_measurement_unit
> * WebUI tests: Extend netgroup tests with more scenarios
> * Fixed improper clean-up in test_host::test_kerberos_flags added
> closing the notification in kerberos flags
> * WebUI tests: Extend user group tests with more scenarios
> 
> === Mohammad Rizwan Yusuf (9) ===
> * Check if issuer DN is updated after self-signed > external-ca
> * Extended UI test for Certificates
> * Extended UI test for selfservice permission.
> * Test to check second replica installation after master restore
> * Before the fix, when ipa-backup was called for the first time, the
> LDAP database exported to
> /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif
> is called for this and it runs under root, hence files were owned by root.
> * Updated the TestExternalCA with the functions introduced for the steps
> of external CA installation.
> * When the dirsrv service, which gets started during the first
> ipa-server-install --external-ca phase, is not running when the second
> phase is run with --external-cert-file options, the ipa-server-install
> command fail.
> * IANA reserved IP address can not be used as a forwarder. This test
> checks if ipa server installation throws an error when 0.0.0.0 is
> specified as forwarder IP address.
> * ipatest: replica install with existing entry on master
> 
> === Nikhil Dehadrai (1) ===
> * Test for improved Custodia key distribution
> 
> === Armando Neto (1) ===
> * ipaserver config plugin: Increase search records minimum limit
> 
> === Nathaniel McCallum (3) ===
> * Revert "Don't allow OTP or RADIUS in FIPS mode"
> * Increase the default token key size
> * Fix OTP validation in FIPS mode
> 
> === Petr Čech (3) ===
> * webui:tests: Add tests for realmd domains
> * tests: Mark failing tests as failing
> * ipatests: Fix on logs collection
> 
> === Pavel Picka (2) ===
> * Adding WebUI Host test cases
> * WebUI Hostgroups tests cases added
> 
> === Petr Vobornik (17) ===
> * Update Dojo and Dojo builder to 1.13.0
> * WebUI build: use NodeJS instead of Rhino
> * WebUI build: replace uglifyjs with system package
> * Fix test_server_del::TestLastServices
> * server-del do not return early if CA renewal master cannot be changed
> * webui: refresh complex pages after modification
> * Fix order of commands in test for removing topology segments
> * webui tests: fix test_host:test_crud failure
> * realm domains: improve doc text
> * webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
> * Revert "temp commit to run the affected tests"
> * temp commit to run the affected tests
> * webui:tests: close big notifications in realm domains tests
> * webui:tests: realm domain add with DNS check
> * webui:tests: move DNS test data to separate file
> * fastcheck: do not test context in pycodestyle
> * browser config: cleanup after removal of Firefox extension
> 
> === Pavel Vomacka (16) ===
> * WebUI: make keytab tables on service and host pages writable
> * Include npm related files into Makefile and .gitignore
> * Update jsl.conf in tests subfolder
> * Edit TravisCI conf files to run WebUI unit tests
> * Update README about WebUI unit tests
> * Update tests
> * Create symlink to qunit.js
> * Update jsl to not warn about module in Gruntfile
> * Add Gruntfile and package.json to ui directory
> * Update QUnit CSS file to 2.4.1
> * Update qunit.js to version 2.4.1
> * Extend ui_driver to support geckodriver log_path
> * WebUI: make Domain Resolution Order writable
> * WebUI: Fix calling undefined method during reset passwords
> * WebUI: remove unused parameter from get_whoami_command
> * Adds whoami DS plugin in case that plugin is missing
> 
> === Rob Crittenden (62) ===
> * replicainstall: DS SSL replica install pick right certmonger host
> * Extend CALessBase::installer_server to accept extra_args
> * Handle subyptes in ACIs
> * server install: drop some print statements, change log level
> * Drop attr defaultServerList if removing the last server
> * Improve console logging for ipa-server-install
> * Replace some test case adjectives
> * Suppress missing cn=schema compat on installation
> * Use replace instead of add to set new default ipaSELinuxUserMapOrder
> * Disable Schema Compat plugin during server upgrade
> * Add tests for ipa-restore with DM password validation check
> * Validate the Directory Manager password before starting restore
> * Rename test class for testing simple commands, add test
> * Don't try to set Kerberos extradata when there is no principal
> * Client install should handle automount unconfigured on uninstall
> * Return unique error when automount is already or not configured
> * VERSION.m4: Set back to git snapshot
> * Become IPA 4.6.90.pre2
> * Update 4.7 translations
> * Fix certificate retrieval in ipa-replica-prepare for DL0
> * Disable message about log in ipa-backup if IPA is not configured
> * Use a regex in installutils.get_directive instead of line splitting
> * Handle whitespace, add separator to regex in set_directive_lines
> * Validate the Directory Manager password before starting restore
> * Log service start/stop/restart message
> * Update project metadata in ipasetup.py.in
> * Allow dot as a valid character in an selinux identity name
> * Remove xfail from CALes test test_http_intermediate_ca
> * Some PKCS#12 errors are reported with full path names
> * ipa-server-certinstall failing, unknown option realm
> * Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
> * Break out of teardown in test_replica_promotion.py if no config
> * Remove the Continuous installer class, it is unused
> * Return a value if exceptions are raised in server uninstall
> * VERSION.m4: Set back to git snapshot
> * Become IPA 4.6.90.pre1
> * Update Contributors.txt
> * Redirect CRL requests to the http port, not the https port
> * Don't try to backup CS.cfg during upgrade if CA is not configured
> * Don't return None on mismatched interactive passwords
> * Update smart_card_auth advise script for mod_ssl
> * Add value in set_directive after a commented-out version
> * Don't backup nss.conf on upgrade with the switch to mod_ssl
> * Enable upgrades from a mod_nss-installed master to mod_ssl
> * Convert ipa-pki-proxy.conf to use mod_ssl directives
> * Remove main function from the certmonger library
> * Use mod_ssl instead of mod_nss for Apache TLS for new installs
> * Fix detection of KRA installation so upgrades can succeed
> * Move Requires: pythonX-sssdconfig into conditional
> * Log contents of files created or modified by IPAChangeConf
> * Don't manually generate default.conf in server, use IPAChangeConf
> * Enable ephemeral KRA requests
> * Make the path to CS.cfg a class variable
> * Run server upgrade in ipactl start/restart
> * If the cafile is not present or readable then raise an exception
> * Add test to ensure that properties are being set in rpcclient
> * Use the CA chain file from the RPC context
> * Fix cert-find for CA-less installations
> * Use 389-ds provided method for file limits tuning
> * Collect group membership without a size limit
> * Add exec to /var/lib/ipa/sysrestore for install status inquiries
> * Use TLS for the cert-find operation
> 
> === Robbie Harwood (5) ===
> * Fix elements not being removed in otpd_queue_pop_msgid()
> * Move krb5 snippet into freeipa-client-common
> * Enable SPAKE support using krb5.conf.d snippet
> * Log errors from NSS during FIPS OTP key import
> * ipa-kdb: support KDB DAL version 7.0
> 
> === Rishabh Dave (1) ===
> * ipa-ca-install: mention REPLICA_FILE as optional in help
> 
> === Sumit Bose (1) ===
> * ipa-kdb: reinit trusted domain data for enterprise principals
> 
> === Sumit Bose (2) ===
> * ipa-kdb: update trust information in all workers
> * ipa-kdb: use magic value to check if ipadb is used
> 
> === John L (1) ===
> * Remove special characters in host_add random OTP generation
> 
> === Stanislav Laznicka (84) ===
> * Move config directives handling code
> * Travis: ignore 'line break after binary operator'
> * Allow user administrator to change user homedir
> * mod_ssl: add SSLVerifyDepth for external CA installs
> * Add absolute_import to test_authselect
> * Fix typo in ipa-getkeytab --help
> * Add absolute_import future imports
> * replica-install: pass --ip-address to client install
> * ipa_backup: Backup the password to HTTPD priv key
> * Fix upgrading of FreeIPA HTTPD
> * Remove py35 env from tox testing
> * Encrypt httpd key stored on disk
> * Dogtag configs: rename deprecated options
> * Backup HTTPD's mod_ssl config and cert-key pair
> * vault: fix vault-retrieve to a file
> * Backup ssl.conf when migrating from mod_nss
> * Move HTTPD cert/key pair to /var/lib/ipa/certs
> * httpinstance fixup: remove commented-out lines
> * httpinstance: fix publishing of CA cert
> * httpinstance: verify priv key belongs to certificate
> * httpinstance: backup mod_nss conf instead of just removing it
> * service: rename import_ca_certs_* to export_*
> * fixup: add ipa-rewrite.conf to ssl.conf on upgrade
> * Make ipa-server-certinstall store HTTPD cert in a file
> * certupdate: don't update HTTPD NSS db
> * x509: Fix docstring of write_certificate()
> * x509: Remove unused argument of load_certificate_from_file()
> * httpinstance: handle supplied PKCS#12 files in installation
> * mod_ssl migration: fix upload_cacrt.py plugin
> * Fix FileStore.backup_file() not to backup same file
> * Have all the scripts run in python 3 by default
> * replica_prepare: Remove the correct NSS DB files
> * Add a helpful comment to ca.py:install_check()
> * Don't allow OTP or RADIUS in FIPS mode
> * caless tests: decode cert bytes in debug log
> * caless tests: make debug log of certificates sensible
> * Add indexing to improve host-find performance
> * Add the sub operation for fqdn index config
> * x509: remove subject_base() function
> * x509: remove the strip_header() function
> * py3: pass raw entries to LDIFWriter
> * ipatests: use python3 if built with python3
> * PRCI: use a new template for py3 testing
> * travis: pep8 changes to pycodestyle
> * csrgen_ffi: cast the DN value to unsigned char *
> * Remove pkcs10 module contents
> * Add tests for CertificateSigningRequest
> * parameters: introduce CertificateSigningRequest
> * parameters: relax type checks
> * csrgen: update docstring for py3
> * csrgen: accept public key info as Bytes
> * csrgen_ffi: pass bytes where "char *" is required
> * p11-kit: add serial number in DER format
> * travis: make tests fail if pep8 does not pass
> * Remove the `message` attribute from exceptions
> * rpc: don't decode cookie_string if it's None
> * Don't write p11-kit EKU extension object if no EKU
> * pylint: fix missing module
> * travis: run the same tests in python2/3
> * certmap testing: fix wrong cert construction
> * ldap2: don't use decode() on str instance
> * client: fix retrieving certs from HTTP
> * uninstall: remove deprecation warning
> * ldif: handle attribute names as strings
> * pkinit: don't fail when no pkinit servers found
> * pkinit: fix sorting dictionaries
> * travis: remove "fast" from "makecache fast"
> * Change Travis CI container to FreeIPA-owned
> * Change the requirements for pylint in wheel
> * rpcserver: don't call xmlserver.Command
> * secrets: disable relative-imports for custodia
> * pylint: disable __hash__ for some classes
> * install.util: disable no-value-for-parameter
> * pylint: make unsupported-assignment-operation check local
> * sudocmd: fix unsupported assignment
> * pylint: Iterate through dictionaries
> * parameters: convert Decimal.precision to int
> * dcerpc: disable unbalanced-tuple-unpacking
> * dcerpc: refactor assess_dcerpc_exception
> * pylint: fix no-member in schema plugin
> * csrgen: fix incorrect codec for pyasn BitString
> * pylint: fix not-context-manager false positives
> * travis: temporary workaround for Travis CI
> * Travis: archive logs of py3 jobs
> 
> === Stanislav Levin (11) ===
> * Fix link to browser configuration guide on Login page
> * Fix some untranslatable commands in Web UI API Browser
> * Apply validate_doc() to NO_CLI commands
> * Fix formatted translations of error messages in topology plugin
> * Fix formatted translations of error messages in serverroles plugin
> * Fix formatted translations in trust plugin
> * Fix translation of idrange_* commands description
> * Fix formatted translations in domainlevel plugin
> * Use intended format() method of translation object
> * Add support for format method to translation objects
> * Fix translation of commands description in API Browser
> 
> === Sudhir Menon (2) ===
> * Adding modified DOAP file
> * DOAP Description for IPA Project
> 
> === Thierry Bordaz (2) ===
> * Hardening of topology plugin to prevent erronous deletion of a replica
> agreement
> * 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
> 
> === Tibor Dudlák (15) ===
> * Use temporary pid file for chronyd -q task
> * Fix format string passed to pytest-multihost
> * Configure chrony with pool when server not set
> * Add enabling chrony daemon when not configured
> * Remove unnecessary option --force-chrony
> * Remove NTP server role while upgrading
> * Removes NTP server role from servroles and description
> * Update man pages for FreeIPA client, replica and server install
> * Adding method to ipa-server-upgrade to cleanup ntpd
> * Add --ntp-pool option to installers
> * FreeIPA server is time synchronization client only
> * Replace ntpd with chronyd in installation
> * Add dependency and paths for chrony
> * Removes ntp from dependencies and behave as there is always -N option
> * Do not check deleted files with `make fastlint`
> 
> === Timo Aaltonen (9) ===
> * Fix HTTPD SSL configuration for Debian.
> * ldapupdate: Add support for Debian multiarch
> * named.conf: Disable duplicate zone on debian, and modify data dir
> * Add mkhomedir support for Debian
> * paths: Fix some path definitions for Debian.
> * constants: Fix HTTPD_GROUP for Debian
> * Create kadm5.acl if it doesn't exist
> * ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
> * Move config templates from install/conf to install/share
> 
> === Tomas Krizek (20) ===
> * test_dnssec: re-add named-pkcs11 workarounds
> * py3 dnssec: convert hexlify to str
> * py3: bindmgr: fix bytes issues
> * prci: bump ci-master-f27 template to 1.0.2
> * prci: define testing topologies
> * prci: start testing PRs on fedora 27
> * py3 spec: remove python2 dependencies from server-trust-ad
> * py3 spec: remove python2 dependencies from freeipa-server
> * py3 spec: use proper python2 package names
> * ipatests: fix circular import for collect_logs
> * ipatests: collect logs for external_ca test suite
> * prci: add external_ca test
> * ldap: limit the retro changelog to dns subtree
> * spec: bump 389-ds-base to 1.3.7.6-1
> * ipatests: set default 389-ds log level to 0
> * prci: update F26 template
> * spec: bump python-pyasn1 to 0.3.2-2
> * prci: use f26 template for master
> * VERSION: set 4.6 git snapshot
> * Contributors.txt: update
> 
> === Thorsten Scherf (1) ===
> * Add debug option to ipa-replica-manage and remove references to
> api_env var.

I have two full (DNS, CA, KRA) FreeIPA instances still running F27 for 
stability based on the recommendations at the time of the F28 release.  Is 
*this[1]* FreeIPA release recommended for a full OS dnf upgrade from F27 to 
F28?

[1]: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f6a8f8036d

-- 
Anthony - https://messinet.com
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/BO3GKS73BGVQ4R647XDE3MJNHR7B4KKX/

Reply via email to