URL: https://github.com/freeipa/freeipa/pull/2919
Author: frasertweedale
Title: #2919: Add ipa-cert-fix tool
Action: opened
PR body:
"""
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing additional
certificate requests for non-Dogtag IPA certificates and performing
additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.
- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2919/head:pr2919
git checkout pr2919
URL: https://github.com/freeipa/freeipa/pull/2960
Author: tiran
Title: #2960: [Backport][ipa-4-7] Fix installation when CA subject DN has escapes
Action: opened
PR body:
"""
This PR was opened automatically because PR #2857 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2960/head:pr2960
git checkout pr2960
URL: https://github.com/freeipa/freeipa/pull/2942
Author: xxblx
Title: #2942: [wip] Show a notification that sssd needs restarting after idrange-mod using
Action: opened
PR body:
"""
If the `ipa idrange-mod` command has been used, show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setting up an AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000), users with RIDs > 200000 are not able to log in; the size needs to be increased via idrange-mod, but it takes effect only after sssd is restarted.
Fixes: https://pagure.io/freeipa/issue/7708
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2942/head:pr2942
git checkout pr2942
URL: https://github.com/freeipa/freeipa/pull/2584
Author: tiran
Title: #2584: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
This PR was originally @abbra's PR https://github.com/freeipa/freeipa/pull/2106. PR-CI was broken for that PR. I also squashed some intermediate commits.
## Original PR message
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As a result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2584/head:pr2584
git checkout pr2584
URL: https://github.com/freeipa/freeipa/pull/2857
Author: frasertweedale
Title: #2857: Fix installation when CA subject DN has escapes
Action: opened
PR body:
"""
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2857/head:pr2857
git checkout pr2857
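
Added example (not part of PR #2857, nor code from FreeIPA, certmonger, 389-ds-base or pki-core): the DN quoted in the PR description above shows why a DN string cannot be split on every comma. This sketch splits on unescaped commas only and decodes RFC 4514 backslash escapes; the function names are hypothetical, and multi-valued RDNs (`+`) are assumed not to occur.

```python
# Added illustration; names are hypothetical, not FreeIPA/certmonger/Dogtag APIs.
HEX = set("0123456789abcdefABCDEF")
# DN string quoted in the PR description above.
DN = r"CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US"

def _escape_len(s, i):
    """Length of the escape that starts at index i: 3 for a hex pair, else 2."""
    if i + 1 >= len(s):
        raise ValueError("dangling backslash in DN")
    return 3 if i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX else 2

def split_rdns(dn):
    """Split a DN string on unescaped commas only, keeping escapes intact."""
    rdns, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += _escape_len(dn, i)      # skip the escaped character(s)
        elif dn[i] == ",":
            rdns.append(dn[start:i])
            start = i = i + 1
        else:
            i += 1
    rdns.append(dn[start:])
    return rdns

def unescape(value):
    """Decode backslash escapes in one attribute value (hex pairs are UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            n = _escape_len(value, i)
            out += bytes([int(value[i + 1:i + 3], 16)]) if n == 3 else value[i + 1].encode()
            i += n
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return [(attribute, value), ...] for a DN with single-valued RDNs."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), unescape(value)))
    return pairs

if __name__ == "__main__":
    print("naive split:", DN.split(","))   # breaks the O value in two
    print("parsed     :", parse_dn(DN))
```
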
URL: https://github.com/freeipa/freeipa/pull/2958
Author: tiran
Title: #2958: [Backport][ipa-4-7] Extend test for orphan automember rules (issue/6476)
Action: opened
PR body:
"""
This PR was opened automatically because PR #2951 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2958/head:pr2958
git checkout pr2958
URL: https://github.com/freeipa/freeipa/pull/2959
Author: tiran
Title: #2959: [Backport][ipa-4-6] Extend test for orphan automember rules (issue/6476)
Action: opened
PR body:
"""
This PR was opened automatically because PR #2951 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2959/head:pr2959
git checkout pr2959
URL: https://github.com/freeipa/freeipa/pull/2951
Author: t-woerner
Title: #2951: Extend test for orphan automember rules (issue/6476)
Action: opened
PR body:
"""
The test was not executing ipa automember-rebuild --type hostgroup.
The test has been extended to execute it twice: Once when it needs to fail
because there is an orphan automember rule. Also after this orphan
automember rule has been removed. Here the test needs to succeed.
Fixes: https://pagure.io/freeipa/issue/7891
Signed-off-by: Thomas Woerner <twoerner(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2951/head:pr2951
git checkout pr2951