URL: https://github.com/freeipa/freeipa/pull/5199
Author: rcritten
Title: #5199: Change KRA profiles in certmonger tracking so they can renew
Action: opened
PR body:
"""
Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals.
dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.
There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
**NOTE**: This is WIP because the necessary profile is only in the pki nightly repo. We want this backported to other supported IPA branches but they may be delayed depending on when pki builds are available.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5199/head:pr5199
git checkout pr5199
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.htmlhttps://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/5147
Author: mrizwan93
Title: #5147: External-CA scenarios for ACME service
Action: opened
PR body:
"""
Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
setup the External-CA and will call all the test
method from TestACME class.
related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5147/head:pr5147
git checkout pr5147
URL: https://github.com/freeipa/freeipa/pull/5203
Author: rcritten
Title: #5203: On password reset also set krbLastAdminUnlock to unlock account
Action: opened
PR body:
"""
On password reset also set krbLastAdminUnlock to unlock account
This fixes the case where an account is locked on one or more servers
and the password is reset by an administrator. The account would
remain locked on those servers for the duration of the lockout.
This is done by setting krbLastAdminUnlock to the current date and
time. The lockout plugin will see this and unlock the account. Since
the value should be replicated along with the password any server
that has the new password will also be unlocked.
This does incur an additional attribute that must be replicated,
whether it is needed or not, but since lockout is computed
per-server this is the only guaranteed way to be sure that the
account will be unlocked everywhere.
https://pagure.io/freeipa/issue/8551
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5203/head:pr5203
git checkout pr5203
URL: https://github.com/freeipa/freeipa/pull/5208
Author: rcritten
Title: #5208: Add ipwpwdpolicy objectclass to all policies on upgrade
Action: opened
PR body:
"""
Add ipwpwdpolicy objectclass to all policies on upgrade
ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.
https://pagure.io/freeipa/issue/8555
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5208/head:pr5208
git checkout pr5208
URL: https://github.com/freeipa/freeipa/pull/5220
Author: rcritten
Title: #5220: [Backport][ipa-4-8] ipatests: ipa-healthcheck test for EncryptionCheck
Action: opened
PR body:
"""
This PR was opened automatically because PR #5215 was pushed to master and backport to ipa-4-8 is required.
Adding ack because it was a very straight forward cherry-pick.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5220/head:pr5220
git checkout pr5220
URL: https://github.com/freeipa/freeipa/pull/5119
Author: rcritten
Title: #5119: Require an ipa-ca SAN on 3rd party certs if ACME is enabled
Action: opened
PR body:
"""
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
Add a status option to ipa-acme-manage.
https://pagure.io/freeipa/issue/8498
Marking as ipa-next since I'm sure yet if ACME is going to be backported to ipa-4-8.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5119/head:pr5119
git checkout pr5119
URL: https://github.com/freeipa/freeipa/pull/5212
Author: mreynolds389
Title: #5212: New validation efforts in 389-ds-base require that the backend entry for
Action: opened
PR body:
"""
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.
For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()
Fixes: https://pagure.io/freeipa/issue/8558
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5212/head:pr5212
git checkout pr5212