"Fossies" - the Fresh Open Source Software Archive

Member "privacyidea-3.6.2/Changelog" (22 Jul 2021, 63732 Bytes) of package /linux/misc/privacyidea-3.6.2.tar.gz:


Fossies has formatted the requested text file into HTML format (style: standard) with prefixed line numbers.

    1 Version 3.6.2, 2021-07-22
    2 
    3   Fixes:
    4   * Fix LDAP Resolver for old Python versions like in CentOS 7 #2835
    5   * Fix typo in pi-manage that breaks config restore #2829
    6 
    7 Version 3.6.1, 2021-07-19
    8 
    9   Fixes:
   10   * Remove importlib-metadata from doc requirements
   11   * Add a safe_store feature #2794
   12   * Decode URL parameters for forms #2800
   13   * Prepare ADFS subscription #2801
   14 
   15 Version 3.6, 2021-06-07
   16 
   17   Features:
   18   * Add custom user attributes that can be managed within privacyIDEA #680
   19   * Extended policy conditions can match on any token attribute #2590
   20 
   21   Enhancements:
   22   * Allow to use Push tokens without Firebase #2720
   23   * privacyidea-cron allow to choose retry if action failed #1179
   24   * UI: allow token rollover e.g. for smartphone swap #2613
   25   * pi-manage: allow configuration export and import #2467
   26   * Allow different PIN policies for different token types #2142
   27   * UI: Search in policy description, not only in policy action #2574
   28   * UI: Highlight found locations of search term in web UI #2577
   29   * UI: Allow configurable entry point for custom web UI #2592
   30   * UI: Add more descriptive tooltip to token when assigning to machine #2516
   31   * Import AES mode yubikeys created with Yubico Personalization tool #2594
   32   * token janitor can export arbitrary user fields #2569
   33   * token janitor: CSV token export can either export hex or base32 encoded seeds #2648
   34   * token janitor: CSV token export contains token owner #2664
   35   * Remote Token can now be configured with a privacyIDEA configuration
   36     instead of a distinct URL #2124
   37   * Allow additional tags like {username} in SMS token #2677
   38   * improve privacyidea-diag #2555
   39   * auth_cache can now cache the credentials for a certain number of usages #1059
   40   * Policy "add_user_in_response" also checks for user-realms #2642
   41   * Stamp the database version automatically during installation #2708
   42   * Audit Rotation is automatically added on new installation #1427
   43 
   44   Documentation:
   45   * Add note about SMS text formats #2151
   46   * Rewrite Yubikey enrollment documentation #2318
   47 
   48   Hardening:
   49   * Replace ecdsa module with stable pyca module #2410
   50   * LDAP resolver supports TLS 1.3 #2637
   51   * Update dependencies / requirements #2570
   52   * Choose more secure configuration defaults #2408
   53 
   54   Fixes:
   55   * Do not trigger disabled PUSH tokens #2723
   56   * Configuration default truncate Audit log #2699
   57   * Policy: Fix problems with extended policy conditions #2676
   58   * UI: Remove table borders in list views #2585
   59   * UI: Do not translate date in audit log #2579
   60   * Remove deprecated oauth2client #1990
   61   * Fix visibility of subscription for administrator #2609
   62   * Remove non-existing getOTP from documentation #2636
   63   * Remove undocumented and unused parameter aladdin_hashlib in token import #2634
   64   * Fix visibility of token wizard #2632
   65   * Create policy button is disabled if no scope is selected #1888
   66   * Re-enable enroll button in case of error during token enrollment #2717
   67   * Save fractions of seconds in the audit log #2706
   68   * Fix pi-manage restore #2728
   69 
   70 
   71 Version 3.5.2, 2021-03-23
   72 
   73   Fixes:
   74   * Add serial to the request object in /ttype/ endpoint (#2605)
   75   * Fix missing audit entries missing_line and sig_check (#2627)
   76   * Fix backup on Ubuntu 20.04 (#2646)
   77   * Fix missing priority in policy import (#2643)
   78   * Fix DB migrate URI if it contains char % (#2661)
   79   * Fix long default POOLING_LOOP_TIMEOUT (#2662)
   80 
   81 Version 3.5.1, 2021-01-28
   82 
   83   Fixes:
   84   * Fix DB migration script for update from versions prior to 3.3 (#2582)
   85   * Fix the internal interface of container audit module (#2562)
   86   * Add missing headers to /auth request (#2599)
   87   * Fix tokeninfo value filter with Oracle db (#2602)
   88 
   89 
   90 Version 3.5, 2020-12-22
   91 
   92   Features:
   93   * 4Eyes token uses multi challenge authentication (#2317)
   94   * Require attestation certificate when enrolling
   95     certificate token (#2152)
   96 
   97   Enhancements:
   98   * Tokens
   99     * Allow to update firebase_token of a Push Token (#2436)
  100     * Support WebAuthn tokens without sign_count (#2361)
  101     * PSKC import now verifies the MAC of the token secrets (#2312)
  102     * Configure length and contents of registration token via policy (#2284)
  103     * The questionnaire token can now ask several questions from the list (#2137)
  104   * Event handler:
  105     * Choose SMS Gateway Identifier in Tokenhandler
  106       when enrolling SMS token (#2506)
  107     * Choose SMTP Identifier in Tokenhandler
  108       when enrolling Email token (#2452)
  109     * Increase or decrease failcounter in Tokenhandler (#2402)
  110     * Allow to set maxfail counter in event handlers (#2541)
  111   * Policies:
  112     * Add extended conditions for tokeninfo (#1947)
  113   * Web UI
  114     * PIN can be changed with Challenge Response when authenticating
  115       at the WebUI (#2474)
  116     * Hide some audit log columns for service desk users (#2372)
  117     * Allow to configure a link to a policy statement/GDPR (#2325)
  118     * Audit log now contains start time, end time and
  119       duration of a request (#2254)
  120     * The length of the audit columns to be truncated can be
  121       configured in pi.cfg (#1756)
  122     * Action grouping in scope authorization (#2438)
  123     * Redesign welcome message for community version (#2397)
  124     * Add usernames and serials of failed authentications
  125       as shortlink into dashboard (#2475)
  126     * Policy to add node name in the web UI (#1961)
  127     * Make event conditions searchable (#2148)
  128     * Align search layout in event conditions and policy actions (#2557)
  129   * pi-manage: export resolver configuration (#1329)
  130   * Documentation:
  131     * Add note about SELinux and using non-standard ports (#2459)
  132     * Explain sync_to_database for script handlers (#2450)
  133     * Add documentation for RADIUS configuration (#2448)
  134 
  135   Fixes:
  136   * Allow equal signs in policy actions (#2494)
  137   * Challenge Response is now checked independently of the presence
  138     of a challenge in the database (#2491)
  139   * Fix enrollment of two tokens using double click (#2487)
  140   * Fix wrong (too few) number of authentication requests
  141     in the dashboard (#2473)
  142   * Allow setting an empty PIN in the UI (#2472)
  143   * The dashboard only displays information, which an admin is
  144     allowed to see, without throwing errors (#2456)
  145   * Fix length of hashed password column in auth_cache table (#2446)
  146   * Fix url_decode (#2345)
  147   * Fix missing adminuser when importing policies (#2340)
  148   * Hide browser autocomplete in user search field (#2292)
  149   * Disable browser autocomplete fields that clash with
  150     search fields in the UI (#2401)
  151   * Fix challenge response with multiple FIDO2 tokens (#2092)
  152 
  153 
  154 Version 3.4.1, 2020-10-09
  155 
  156   Fixes:
  157    * Fix the deletion of the registration token (#2356)
  158    * Add "messages" to JSON response in case of multi challenge
  159      pin change (#2346)
  160    * Move from PBKDF2 to Argon2 for password hashes. Might want to
  161      reset local admin passwords to use new hashing algo (#2412)
  162    * Hide dashboard for normal users (#2384)
  163    * Fix problem with missing templates in CA connector (#2374)
  164    * Fix missing successful authentications in dashboard (#2394)
  165    * Improve error handling in token janitor in case of
  166      problematic user (#2405)
  167    * remove PI_PEPPER and pyCrypto (#2409)
  168    * only check for existing JWT algorithms (#2407)
  169    * Use Argon2 for PINs and local admins (#2413)
  170    * Fix error when logging in with REMOTE_USER (#2423)
  171    * Use a secure way to compare strings to avoid
  172      theoretical side channel attacks (#2415)
  173 
  174 Version 3.4, 2020-09-08
  175 
  176   Features:
  177    * Add ScriptSMSProvider, that can send SMS through external
  178      Gateways using arbitrary scripts (#2236)
  179    * Add HTTP Resolver that can read users from web services
  180      via JSON responses (#2083)
  181    * Add a basic dashboard as start screen in the WebUI (#2177)
  182    * Allow using dynamic 3rd party token classes (#2321)
  183    * Allow multiple consecutive challenge responses for authentication
  184      or tasks like changing the token PIN (#2361)
  185    * PUSH token can communicate with privacyIDEA via polling
  186      as fallback to Google Push Service or Apple Notification Service (#2262)
  187 
  188   Enhancements:
  189    * Allow deletion of validity period via UI (#2263)
  190    * Remove marker for missing translations and allow to set a
  191      custom marker (#2223)
  192    * Add support for Python 3.8 (#2190)
  193    * Allow hiding description field for users during
  194      token enrollment (#2173)
  195    * Improve error message during token import (#2073)
  196    * Add Dutch translation (#2314)
  197    * Allow application to choose tokentypes in
  198      /validate/check and /validate/triggerchallenge (#2047)
  199    * HTTPSMSProvider can now have header parameters in the
  200      provider definition (#1963)
  201    * Events
  202      * Add failcounter as condition in event handlers (#2147)
  203      * The script handler allows to sync the database before
  204        running the script (#2293 #2302)
  205      * Allow using user_obj in pre event handlers for
  206        /auth event. (#2303)
  207    * Policies
  208      * Allow to define characters for set_random_pin policy (#2121)
  209      * Add privacyIDEA nodes to policy condition (#2108)
  210      * Add new authz policy action is_authorized to basically
  211        allow or deny access (#2275)
  212    * Allow ECDSA and other SSH key types (#2274)
  213    * pi-manage can import tokens including HOTP token counter (#2285)
  214    * Allow the token janitor to set tokenrealms (#2299)
  215    * Use our general webauthn client component in the
  216      privacyIDEA WebUI (#2273)
  217 
  218   Fixes:
  219    * Add missing audit data to container audit (#2264)
  220    * Add tokeninfo failsafe for LinOTP migration script (#2253)
  221    * Fix certain problems with the type of the userid
  222      in SQL-Resolvers with Oracle DB (#2219)
  223    * Fix default empty string problems with Oracle DB (#2218)
  224    * Fix a policy issue that would require admin policies to
  225      import tokens (#2209)
  226    * Fix inconsistent enrollment templates. Have description
  227      field for all tokentypes (#2208)
  228    * Fix floating problems with multiple QR images in enrollment UI (#2175)
  229    * Allow to edit realms without resolver priority (#2171)
  230    * Fix empty (None) values in SQL Resolver connect string (#2271)
  231    * Fix missing options parameter in RADIUS and REMOTE token (#2276)
  232    * Use UTC for challenge timestamp (#1586)
  233    * Fix exceeding max tokens when enabling a disabled token (#2215)
  234    * split@Sign setting is also applied to REMOTE_USER (#1954)
  235    * Fix privacyidea-diag and privacyidea-standalone to run with Python 3 (#1874)
  236    * Fix possible recursion error in 4eyes token (#1892)
  237    * Improve tests by fixing deprecation warnings (#2298)
  238    * Clean up the code for /validate/samlcheck
  239    * Fix censoring of Oracle connect strings (#2304)
  240    * Treat unsupported WebAuthn attestation as None attestation (#2342)
  241    * Fix admin/scope in import/export of policies with pi-manage (#2359)
  242    * Fix url_decode (#2360)
  243    * Fix token settings for Yubikey in UI enrollment (#2365, #2366)
  244 
  245 
  246 Version 3.3.3, 2020-05-19
  247 
  248   Fixes:
  249     * Fix failing Challenge Response in WebUI (#2192)
  250     * Add better logging for contradicting policy calls
  251     * Case insensitive user check failsafe in policy matching (#2198)
  252 
  253 Version 3.3.2, 2020-05-04
  254 
  255   Fixes:
  256     * Fix restricted audit log for helpdesk users (#2181)
  257 
  258 Version 3.3.1, 2020-04-29
  259 
  260   Fixes:
  261     * Fix broken U2F support (#2157)
  262     * Fix creation of PGP keys with pi-manage (#2165)
  263 
  264 Version 3.3, 2020-04-06
  265 
  266   Features:
  267     * New token type: WebAuthn/FIDO2 token is initially supported by privacyIDEA (#1468)
  268     * New token type: Indexed Secret token allows user
  269       to authenticate with a pre-known secret that can be
  270       initialized from the user store. (#1986)
  271     * New Event Handler Module: Logging module enables custom event-driven logging (#1580)
  272 
  273   Enhancements:
  274     * Event Handler:
  275       * The OTP token QR code can now be added not only inline but also as an attachment
  276         to email notifications (#1226)
  277     * Policies:
  278       * Added a policy to define the allowed characters for PINs (#2051)
  279       * Add policies to limit the number of distinct tokentypes per user (#1375)
  280       * Improved distinction between the username of the administrator
  281         and the username of the user. Add an admin username to policies. (#1867)
  282         Thus allowing:
  283         * User attribute conditions in admin policies
  284         * default settings for hashlib and otplen for HOTP and TOTP token
  285          and default timestep for TOTP token can now be dependent on
  286          admin user and for which user the admin does the enrollment
  287         * Enrollment settings for push tokens can distinguish better
  288          between admin users and user
  289         * Random PIN settings can be user dependent
  290     * WebUI
  291       * Added the option to filter tokens by tokenrealm (#545)
  292       * Prior to enrollment of soft tokens, such as HOTP, TOTP and PUSH the user is
  293         offered QR codes to direct him to the Authenticator App stores (#1919).
  294       * Adding version hashes to WebUI components to avoid working with outdated
  295         templates (#1871)
  296       * Updated bootstrap and AngularJS (#830)
  297       * Rework policy matching (#1691 #2024 #2038)
  298     * Documentation
  299       * The documentation was restructured and updated (#1967 #1981 #1504 #2049 #2089 #2090).
  300     * Tools
  301       * Added a migration script to update the database schema from 2.23.5 to 3.2.2 (#2040)
  302     * Misc
  303       * Added the remote serial to the tokeninfo of a remote token to better track
  304         authenticated devices (#2031)
  305       * Use dictConfig instead of fileConfig to read configurations (#2059)
  306       * Support logging configuration file in YAML format (#2080)
  307       * Support custom audit logger names (#2106)
  308 
  309   Fixes:
  310     * Fix unauthorized statistics view (#1238)
  311     * Fix a bug which caused an exception during PSKC key file container import (#1915)
  312     * Fix link on privacyIDEA logo in the WebUI when no user is logged in (#1944)
  313     * Updated CA files in testdata which were about to expire (#1960)
  314     * Fix API endpoints to avoid redirects (#1999)
  315     * Fix url_decode padding before it could cause any issues (#2000)
  316     * Initialize rtype in user_object correctly (#2007)
  317     * Fix an inconsistency of start_tls with postgres SQL (#2025)
  318     * Fix wrong type splitting of questionnaire token (#2026)
  319     * Fix a bug which could cause missing audit entries when using the
  320       ContainerAudit module (#2029)
  321     * Fix a bug which prevented defining an SQL resolver without a password (#2030)
  322     * Fix missing "position" argument on event import with pi-manage (#2036)
  323     * Fix timing issues in tests (#2041)
  324     * Fix documentation (#2049)
  325     * Fix sorting token table by column (#2111)
  326 
  327 Version 3.2.2, 2020-01-17
  328 
  329   Fixes:
  330   * Fix Popen calls like with pi-manage backup restore
  331   * Fix retrieving the correct database for restore (#1993)
  332   * Fix caconnectorread policy (#1994)
  333 
  334 Version 3.2.1, 2019-12-30
  335 
  336   Fixes:
  337   * Fix the wording and translation of the lost token scenario
  338 
  339 Version 3.2, 2019-12-02
  340 
  341   Features:
  342   * New Event Handler: RequestMangler to modify request attributes (#1810)
  343   * New Event Handler: ResponseMangler to modify the response data (#1138)
  344   * New Audit Module to write to a file (#1072)
  345   * New Container Audit Module to write to several audit modules at once (#1072)
  346   * Applications can use the API with predefined asymmetric JWT (#1773)
  347 
  348   Enhancements:
  349   * Authentication:
  350     * Add endpoint /validate/polltransaction for an improved workflow
  351       for out-of-band challenges-responses like PUSH token (#1838)
  352     * Allow registration token to work as challenge/response (#1897)
  353     * RADIUS token also uses timeout and retries (#1931)
  354     * Improve the handling of splitAtSign, so that a multi-realm
  355       setup will be more consistent (#1808)
  356     * Use authentication and authorization policies also for the
  357       /auth endpoint (#1722, #1537)
  358   * Policies and events:
  359     * Allow HTTP AGENT and any arbitrary HTTP header in extended policy conditions (#1425)
  360     * Allow HTTP AGENT as condition for event handlers (#1260)
  361     * Event Handlers can match for the rollout_state (#1801)
  362     * Add write-to-file action to the notification handler (#717)
  363     * Allow user endpoints to trigger events (#1822)
  364   * Management:
  365     * Allow help desk to trigger a token PIN reset without actually seeing the PIN (#1196)
  366     * Allow "file:" syntax in email notification handler (#1939)
  367     * Allow more sophisticated Proxy settings for the OverrideClient settings (#1868)
  368     * LinOTP migration script to work with LDAP mixed endian notation (#1883)
  369     * triggerchallenge also writes the serial of the triggered token
  370       to the audit log (#1862)
  371     * Allow a dash ("-") in policy names (#1813)
  372     * The token janitor can return a list of users with tokens (#1705)
  373     * Restrict OTP length, hash and timestep also in admin policies (#1566)
  374   * User experience:
  375     * Clean up event handler view and put handler and
  376       position in extra columns (#1920)
  377     * Improve the serial number checking for disallowed characters (#1826)
  378     * The event handler list can be sorted and filtered (#1818)
  379     * The policy list can be sorted and filtered (#1817)
  380     * Show disallowed policy name characters in the UI (#1674)
  381     * Ask before deleting a hardware token (#954)
  382   * Performance:
  383     * Improve performance by reading event handlers only if the
  384       configuration has changed (#1823)
  385     * Store statistics data like event counters per node to improve
  386       HA and replication performance (#1819)
  387     * Improve performance of the pre-auth event handler (#1686)
  388 
  389   Fixes:
  390   * Delete entries from database tables, when the parent object
  391     is deleted (fixed for machineresolverconfig, resolverconfig,
  392     eventhandleroption) (#1927)
  393   * Comply to new pyredis parameters for apache auth module (#1925)
  394   * Fix filename parameter of HostMachineResolver (#1912)
  395   * Fix JSON content detection for endpoints like /validate/radiuscheck (#1850)
  396   * Fix integer UID with PostgreSQL databases (#1825)
  397   * Make the policy creation at the command line with pi-manage more
  398     consistent (#1807)
  399 
  400 
  401 Version 3.1.2, 2019-11-15
  402 
  403   Fixes:
  404   * Fix the missing phone number field for SMS token, when a user
  405     wants to enroll an SMS token. (#1929)
  406 
  407 Version 3.1.1, 2019-09-25
  408 
  409   Fixes:
  410   * Fix the wrong token_type key in the audit log which caused the tokentype
  411     to not be contained in the audit (#1846)
  412 
  413 
  414 Version 3.1, 2019-09-04
  415 
  416   Features:
  417   * Allow user attributes in policy conditions (#1645)
  418   * Assign tokens and set old PIN during migration (#1619)
  419   * Admins can only see tokens within the realm they are allowed to manage (#1713)
  420     **Note**: During update a policy "pi-update-policy-b9131d0686eb" is added, which
  421     gives admins the previous read rights on tokens.
  422   * Add adminread policies for policies, events, resolvers, system, machineresolvers,
  423     smtpserver, radiusserver, privacyidea server, periodic tasks, smsgateways. (#1495)
  424     **Note**: During update a policy "pi-update-policy-3d7f8b29cbb1" is added, which
  425     gives read rights to all admins to provide backward compatibility
  426 
  427   Enhancements:
  428   * Authentication and Challenge Response:
  429     * RADIUS token supports a single AccessChallenge with the remote RADIUS server (#1790)
  430     * Improving Push token performance by reusing still valid access token (#1795)
  431     * Improving TiQR token: It returns the remaining attempts after a wrong PIN is given (#1777)
  432     * Improving TiQR token: Make TiQR info URL configurable (#1782)
  433     * Enhance validate check logic in regards to serials and user names (#1768)
  434     * User may now have several TiQR tokens at the same time (#1739)
  435     * Do not increase fail counter when *checking* for an answered challenge (#1697)
  436     * Allow additional token specific checks when answering challenge response (#1695)
  437     * Endpoint GET /token/challenges also takes transaction_id (#1689)
  438     * Push token can delay the response of /validate/check, so that there is no need
  439       to query the server to check if the push notification has been answered (#1583)
  440   * User experience:
  441     * Improve user experience when enrolling Yubikeys via ykpersonalize - Automatically
  442       removing whitespaces (#1735)
  443     * Allow user to change the token description (#1717)
  444     * Customize Web UI page title (#1624, #1243)
  445     * *search_on_enter* also applies to audit log (#1493)
  446     * Allow a welcome message in the Web UI if the user has no token (#1074)
  447     * Do not display token configuration hints in the UI to normal users (#1789)
  448   * Management:
  449     * Event handlers allow rollout_state as condition (#1801)
  450     * Add script to export OTP counters (#1728)
  451     * Allow many additional tags in email notifications: serial, user, givenname,
  452       surname, username, userrealm, tokentype, recipient_givenname, recipient_surname,
  453       time, date (#1703)
  454     * Improve diagnostics script by adding SQLAlchemy URL (#1667)
  455     * Add resolver conditions to several policy checks (#1646)
  456     * /auth entries in the audit log now also fill in resolver and serial (#1593)
  457     * `pi-manage backup` also backs up the FreeRADIUS configuration (#1575)
  458     * Allow event handlers on /auth endpoint (#1567)
  459     * Allow to force a PIN on tokens in the privacyIDEA Authenticator App (#1295)
  460     * New policy *max_active_tokens_per_user* (#1241)
  461     * Add image url to the otpauth QR code, allow images in e.g. FreeOTP (#1228)
  462     * Add MAC to PSKC token export (#1663)
  463   * Performance:
  464     * Make the serverpool in LDAP resolver persistent improving redundancy performance (#1396)
  465 
  466   Fixes:
  467   * Improve the stability of the schema-update-script (#1760)
  468   * Rearrange update order in migration scripts (#1733)
  469   * Adapt privacyidea-token-janitor to run with the TokenOwner table (#1709)
  470   * Reordering decorators and policy checks to avoid unnecessary error messages (#1751)
  471   * Fix user enrollment for tokens that require certain read rights for RADIUS and
  472     certificates by adding additional endpoint /system/names/... (#1749, #1748)
  473   * Use same transaction ID for all user tokens even with a TiQR token (#1723)
  474   * Improve challenge response to also check the matching of the transaction ID
  475     right at the beginning (#1699)
  476   * Add event API requests to Audit log (#1600)
  477   * Fix configuring pre-eventhandler with empty condition makes authentication fail (#1658)
  478   * Improve UI by changing the cursor on all clickable elements (#1725)
  479   * Web UI: Focus the filter entry field in tables, when the filter is activated (#1661)
  480   * Fix some broken links in UI (#1610)
  481   * Fix double listing in policy list (#1132)
  482   * Remove additional empty line in audit log in case of an error (#1707)
  483   * Fix enrollment of certificate tokens under Python 3 (#1799)
  484 
  485 
  486 Version 3.0.2, 2019-06-17
  487 
  488   Fixes:
  489   * Fix creation of table tokenover and update with PostgreSQL DB
  490   * Fix user assignment migration with non-ascii characters in userid
  491 
  492 Version 3.0.1, 2019-05-23
  493 
  494   Fixes:
  495   * Fix PUSH token issues:
  496     * Add logic checking to setup of PUSH token (#1592)
  497     * Remove double enrollment notification of PUSH token in WebUI (#1598)
  498     * Fix to allow spaces in Firebase configuration (#1599)
  499     * Add support for iOS Firebase configuration (#1608)
  500     * Fix to allow PUSH token enrollment, even with Label-policy (#1589)
  501     * Fix to mark PUSH token challenge answered in the database (#1584)
  502   * Fix the validity period of the registration token (#1587)
  503   * Beautify the vertical alignment in the Web UI top menu (#1559)
  504   * Fix user cache configuration read - defaults to 0 (#1596)
  505   * Remove links in audit log for normal users (#1497)
  506   * Check UI rights for user resolvers (#1496)
  507   * Fix placeholder in realm dropdown in login dialog (#1498)
  508   * Fix enckey creation in Python 3 (#1594)
  509   * Allow the usage of "browserLanguage" in custom templates (#1620)
  510   * Open all accordions when searching for policy action (#1558)
  511   * Fix to hide support links also in menu (#1626)
  512 
  513 Version 3.0, 2019-04-10
  514 
  515   Features:
  516   * Add Push Token that receives a Firebase push notification and allows login
  517     by confirming this notification. Works with privacyIDEA Authenticator. (#1342)
  518   * Add a queue to offload certain tasks from the original request.
  519     Allow sending emails via queue. (#1290)
  520   * Add API to write your own statistics-DB-module to be able to write
  521     to a time series DB (#1289)
  522   * The matching policies per request get written to the audit log (#874)
  523   * Support Python 3 (#676)
  524 
  525   Enhancements:
  526   * Enhance challenge response text, allows headers and footers and HTML
  527     in the challenge text (#1384)
  528   * Event Handlers may now depend on the user and IP address (#1435)
  529   * Improve documentation about customization (#1377)
  530   * Allow to use the client IP from X-Forwarded-For for all endpoints (#1399)
  531   * The otp-counter-condition for event handlers can also match greater
  532     than and less than (#1383)
  533   * Allow a token to use another SMS gateway than the default (#1358)
  534   * The policy "reset_all_user_tokens" will also work with challenge response (#1348)
  535   * Create more readable temporary token passwords based on base58. (#1325)
  536   * Allow support button in the UI to point to more sensible locations (#1331)
  537 
  538   Fixes:
  539   * Update LDAP3 dependency to 2.6 and fix broken objectGUID (#1526)
  540   * Allow tokentype endpoints /ttype only for the specific tokentypes (#1528)
  541   * When logging in to the webui the client IP is only determined by
  542     X-Forwarded-For if the original (REMOTE_ADDR) is allowed to overwrite the client ip.
  543     (Side effect of #1392)
  544   * Remove submodules/authmodules from git repository and from base package (#1516)
  545   * Allow userid as integer in SQLResolver (#1513)
  546   * Fix revocation of certificates (#1510)
  547   * Fix manual resync of TOTP token (#1479)
  548   * Fix audit log entry if token resync fails (#1416)
  549   * Fix authcache to actually *write* values to the authcache (#1386)
  550   * Fix UI language determination in IE (#1379)
  551   * Fix tokenjanitor which sometimes did not delete all matching tokens (#1322)
  552   * Fix bug in two step enrollment (#1347)
  553   * Do not pass LDAP service account credentials in GET /resolver (#1271)
  554   * Redirect to login page in case of missing authorization header (#1326)
  555   * Respond with 404 if a non-existing object (like deleting event handler)
  556     is accessed (#817)
  557   * fix setrealm policy not to fail, if the original user does not exist (#1205)
  558   * Optimize hidden SQL queries (#1457)
  559   * Improve installation process and schema migration by initially stamping
  560     the database (#1489)
  561 
  562   Redesign:
  563   * Remove flask imports from libs to make code more modular (#331)
  564   * Making Token-User relation an n:m relation by moving the token assignment
  565     into its own database table. This will allow to assign several users to
  566     one token (#1288)
  567   * Unify password hashing in SQLResolver by using passlib (#1372)
  568   * Redesign the cryptolayer and replace pycrypto with cryptography (#1340)
  569   * Remove the old statistics, that were based on the audit log in favour
  570     of the generic event handler based statistics (#1314)
  571   * Deterministic installation with pinned dependencies on all distributions (#1127)
  572 
  573 
  574 Version 2.23.5, 2019-03-04
  575 
  576   Fixes:
  577   * Fix authcache
  578   * Fix correct syncwindow for manually resyncing TOTP tokens
  579 
  580 
  581 Version 2.23.4, 2019-02-06
  582 
  583   Fixes:
  584   * Make triggerchallenge HTTP response consistent
  585   * Add tokentype and message to response of triggerchallenges
  586   * Allow concurrent challenges
  587   * Fix accepted-language to support _only_ de-DE.
  588   * Avoid user resolving in event handler condition
  589   * Point the support button to better landing pages
  590 
  591 Version 2.23.3, 2018-10-26
  592 
  593   Fixes:
  594   * Performance: avoid using wildcard serials in functions like
  595     get_tokens, get_realms_of_token and copy_token
  596   * Performance: avoid reload of static configuration
  597   * Performance: Clean up LDAP cache, so that it will not grow too big and
  598     further LDAP cache usage optimization (#1246)
  599   * Performance: Make signing the audit log configurable (#1262)
  600   * Performance: Make the auth counter per token configurable (#1262)
  601   * Performance: Fix HSM auto recovery after an HSM failure and make
  602     MAX_RETRIES configurable (#1278)
  603   * Fix the double get requests of challenges in the UI
  604   * Auditlog now honors the admin realm in the policies (#1244)
  605   * Fix description of realm dropdown policy (#1245)
  606   * Allow token janitor to use chunk sizes
  607   * Allow Audit rotation to be performed in chunks to avoid deadlocks.
  608   * Improve documentation about required and optional parameters in
  609     the SQL Audit module.
  610   * Cast userid to string to avoid cast problems with PostgreSQL
  611   * Update pyopenssl dependency.
  612 
  613 Version 2.23.2, 2018-09-07
  614 
  615   Fixes:
  616   * Fix problem with empty username (#1227)
  617 
  618 Version 2.23.1, 2018-09-06
  619 
  620   Fixes:
  621   * Fix PassOnNoUser in combination with event handler (#1206)
  622   * Fix loading of Event handler detail view (#1210)
  623   * Fix Challenge-Response login at Web UI (#1216)
  624   * Fix triggerchallenge to only use active tokens (#1217)
  625   * Write all installed packages to diagnostics file and
  626     also write the resolver config in privacyidea-diag
  627 
  628 Version 2.23, 2018-08-29
  629 
  630   Features:
  631   * Add periodic tasks including a privacyidea-cron script. (#992)
  632   * Add task module "Simple Stats" to generate time series of certain
  633     important statistics values in privacyIDEA (#1105)
  634   * Add task module "Event Counter" that allows to create time series of
  635     any arbitrary event. (#1029)
  636   * New token type: TAN list, that can also import a predefined
  637     list of TANs (#1057)
  638   * Add Event Handler Pre-Handling, that e.g. allows for
  639     even more easy token enrollment concepts (#747)
  640 
  641   Enhancements:
  642   * Improve performance by adding SQL pooling for SQL Audit
  643     and SQL Resolvers. (#1167, #1140)
  644   * Improve SQL Resolver to also verify bcrypt-hash passwords (#1172)
  645   * Allow multiple WHERE conditions in SQL Resolver (#1039)
  646   * Allow objectGUID as loginname in LDAP resolver for better
  647     ownCloud support (#1076)
  648   * Add command in pi-manage to dump audit log information (#1120)
  649   * Add script to allow generation of AES keys on HSM (#1159)
  650   * Improve recovery mechanism from a lost HSM connection (#1069)
  651   * Improve Debug Logging to hide passwords in SQL connect strings (#1162)
  652   * Add script for easy privacyIDEA standalone setup (#1093)
  653   * ldap3, pyasn1, croniter updated in Ubuntu Launchpad repo (#1085)
  654   * Add a script that easily gathers support and diagnostic information (#829)
  655   * Add event handler management to pi-manage (#1119)
  656   * Allow to customize the challenge text for challenge response tokens (#1096)
  657   * Add user information to OATH CSV token import file (#998)
  658   * Improve migration scripts from LinOTP to also update counter values (#1075)
  659   * Add priority to policies to avoid contradicting policies (#1031)
  660   * The token event handler now can delete tokeninfo (#988)
  661   * Make the import of OATH CSV token specific, so that each
  662     tokentype can define its own import strategy (#1066)
  663   * The Event Counter module now allows to decrease the counter (#991)
  664   * Allow time deltas to also contain seconds (#1033)
  665 
  666   Fixes:
  667   * Allow to use unicode passwords with non-ascii characters for the
  668     connect string in SQL Resolvers (#1181)
  669   * Fix problem that a wrong password hash was used, if user is created
  670     in SQL Resolver (#1114)
  671   * Fix performance issue with slow token listing (#1123)
  672   * Fix the QR code regeneration if the user already has the maximum number
  673     of allowed tokens (#1153)
  674   * Fix problem with privacyidea-pip-update in case of pip version 10 (#1128)
  675   * Fix problem if max_token_per_user was higher than 9 (#1117)
  676   * Fix hash algorithm in QR Code (#1088)
  677   * Set focus in username field in the login dialog (#205)
  678   * Fix disappearing scrollbar issue (#1020)
  679   * Fix import of SHA256 tokens (#1061)
  680   * Convert string values to unicode in the database model to
  681     avoid misleading "error" messages (#1000)
  682   * Fix truncation of audit log in case of authentication failure (#1034)
  683   * Shorten audit information to fit into the database column (#1037)
  684   * Fix the RADIUS configuration test (#1042)
  685 
  686 
  687 Version 2.22.1, 2018-04-20
  688 
  689   Fixes in WebUI:
  690   * Allow to display the messages of several C/R tokens (#995, #1004)
  691   * Use ng-if instead of ng-show to avoid errors in the javascript console (#963)
  692   * Remove reference to not-used system.addons.js to avoid errors in the javascript console
  693   * Remove reference to not-used system.addons.html to avoid errors in the javascript console
  694   * Use ng-src instead of src to avoid errors in the javascript console
  695   * Avoid request to /false if image is not existing - avoid error in the javascript console
  696   * Fix handling of U2F token in the WebUI login
  697   * Require serial number in the assignment form (#1011)
  698   * Fix PIN comparison in token enroll and token assign (#1010)
  699   * Fix the empty username in token enroll or assign (#918)
  700 
  701   Fixes in Server:
  702   * Add check for serial number present (#1011)
  703   * Fix validation of OCRA and TiQR token (#1008)
  704   * Add retry to cope with HSM issues (#1003)
  705   * Fix unicode in resolverconf database table with Oracle (#999)
  706 
  707 
  708 Version 2.22, 2018-03-27
  709 
  710   Features:
  711   * Add automatic offline refill for Offline OTP tokens (#839)
  712   * Return realm and resolver of the user and allow mapping
  713     group membership to the RADIUS protocol (#896)
  714   * Add new tokenkind (hardware, software, virtual) for all tokens (#828)
  715   * Support Vasco tokens via Import and via Web Enrollment (#904, #903, #891)
  716   * Add arbitrary tokeninfo field to authorization policy (#873)
  717   * New SMPP SMS provider (#878)
  718   * New event handler Counter for counting events for statistics and monitoring (#951)
  719 
  720   Enhancements:
  721   * Enhance the statistics possibilities in WebUI (#950)
  722   * Allow reencryption of the database by importing PSKC to
  723     a new database (#940)
  724   * Allow token janitor to export "PW" token type to PSKC (#942)
  725   * Also export and import the counter values of HOTP/TOTP to PSKC (#943)
  726   * SMS token can dynamically read phone number from user source (#932)
  727   * Email token can dynamically read email address from user source (#932)
  728   * Add policy to ignore the validity of a U2F attestation certificate (#926)
  729   * Improve the speed of the LinOTP migration script to cope with tens of
  730     thousands of tokens (#914)
  731   * pi-manage can create API tokens with a chosen validity time (#931)
  732   * Allow user to set token description for HOTP and TOTP tokens
  733     during enrollment (#928) (Thanks to Taylor Chase for this contribution!)
  734   * Add timeout to SMTP server configuration (#919)
  735   * Allow complex email templates for email tokens (#684)
  736   * LDAP resolver now supports arbitrary multivalue attributes (#881)
  737   * Allow Event Handler to match failing authentication (#971)
  738 
  739   Fixes:
  740   * Several fixes in LDAP resolver to cope with ldap3/pyasn1 version issues and
  741     other issues (#911, #980, #982, #887)
  742   * Skip misguiding LDAP error "AttributeError NonType" in log file (#948)
  743   * Add missing validity time in /validate/check response for email tokens (#946)
  744     (Thanks to Kleber Rocha/klinux for this contribution!)
  745   * Fix the handling of the SMS expiration date (#937)
  746   * Fix serial length in the audit table to match the serial length in the token table (#929)
  747     (Thanks to Salvo Rapisarda for this contribution!)
  748   * Fix Mail content sent by email token is rendered as attachment (#915)
  749   * Fix Editing SMTP Server definition clears the password (#923)
  750   * Fix pi-manage backup crash (Thanks to Pavol Ipoth for this contribution!)
  751 
  752 
  753 Version 2.21.4, 2018-01-24
  754 
  755   Fixes:
  756   * HTTP Timeout of HTTP SMS Gateway (#889)
  757   * Remove console.log from webui
  758 
  759 
  760 Version 2.21.1, 2018-01-09
  761 
  762   Fixes:
  763   * Allow to use TLS1.1 and TLS1.2 for LDAP Resolver (#876)
  764 
  765 Version 2.21, 2017-12-20
  766 
  767   Features:
  768 
  769    * Allow export of tokens to PSKC file (#790)
  770    * Implement two-step enrollment of HOTP/TOTP tokens (#797, #863, #865, #866)
  771    * Allow WebUI customization via policies (#795)
  772 
  773   Enhancements:
  774 
  775    * Add script to decrypt safeword tokens
  776    * Allow using tags in the tokenissuer of smartphone tokens
  777    * Try to re-establish lost HSM connections (#787)
  778    * Allow to rotate audit log based on multiple conditions (#780, #833)
  779    * Add dry-run option to audit log rotation (#801)
  780    * Allow dots in realm names (#808)
  781    * Mark empty but required fields in WebUI (#810)
  782    * Display success information after PIN is set (#822)
  783    * Add further tags to the user notification event handler (#824)
  784    * Add number of users to the subscription view (#800)
  785    * Add HTTP/HTTPS proxy settings to HTTP SMS Provider (#835)
  786    * Federation Handler allows to forward the authorization token (#838)
  787    * Use token janitor to export a user list (#852)
  788    * Use HSM for random key generation if possible (#783)
  789    * HTTP SMS Provider now takes TIMEOUT parameter into account
  790    * Allow to configure length of generated serial numbers (#583)
  791 
  792   Fixes:
  793 
  794    * Fix handling of only_realm option in token event handler (#809)
  795    * Fix scrollbar issues in WebUI (#806, #823)
  796    * Fix OTP counter of offline token (#840)
  797    * Fix conflicts between check_tokentype and passthru policies (#846)
  798    * Properly reset tab title after session has been locked (#850)
  799    * Fix handling of fixed key size during enrollment (#820)
  800    * Make sure that only active policies are honored (#825)
  801    * Fix various bugs with non-ASCII data (#754)
  802    * Fix failcounter_clear_timeout (#831)
  803    * Only remove apache host definitions on first installation (#834)
  804 
  805 Version 2.20.1, 2017-10-30
  806 
  807   Fixes:
  808    * /token/init allows to pass otpkey AND genkey=false (#793)
  809    * Cast date to string, to fix audit search for postgresql (#786)
  810    * Optimize the LDAP Resolver Redundancy to avoid LdapServerPoolExhaustedErrors (#802)
  811    * Preset default realm in token enrollment (#804)
  812    * Fix PassOnNoUser and PassOnNoToken (#798)
  813    * Fix genkey=0 error during token enrollment (#793)
  814 
  815 Version 2.20, 2017-09-27
  816 
  817   Features:
  818 
  819    * New Token-Type OCRA and DisplayTAN to support
  820      transaction signing for online banking (#767)
  821    * Federation Handler allows to forward authentication
  822      requests and other REST API requests to a child
  823      privacyIDEA system (#711)
  824    * Improved Subscription Handling
  825    * Allow to login with multiple loginnames (#713)
  826    * Authentication Cache policy (#729)
  827 
  828   Enhancements:
  829 
  830    * !!!NOTE!!! following policies now also honor the resolvers,
  831     which they did not previously:
  832     (AUTH, challenge_response), (AUTH, otppin),
  833     (AUTHZ, auth_max_success), (AUTHZ, auth_max_fail),
  834     (AUTHZ, last_auth), (WEBUI, login_mode),
  835     (ENROLL,losttoken_pw_contents), (ENROLL,losttoken_validity),
  836     (ENROLL, losttoken_pw_len) (#736)
  837    * User can regenerate the QR Code during enrollment
  838      of smartphone app (#766)
  839    * Administrator can define remote privacyIDEA servers
  840      centrally (#711)
  841    * Events can now be ordered. This is important for the
  842      federation handling (#711)
  843    * Specify the hash algorithm that is used to save
  844      SQL users passwords (#745)
  845    * Add welcome dialog for administrator (#716)
  846    * Allow creating oracle DB (#752)
  847    * Event Handler can use timestamps and time offsets in
  848      conditions (#741)
  849    * Use challenge/response token to unlock the screen of
  850      the web UI (#702)
  851    * Support multiple challenge/response token at the same
  852      time (#722)
  853    * GPG keys are generated during package installation and
  854      show the GPG key in the import dialog (#742)
  855    * Failcounter clearing timeout in UI (#719)
  856    * Allow to send challenge data (like banking transaction) in
  857      email text and SMS text.
  858 
  859   Fixes:
  860 
  861    * Set default loglevel from DEBUG to INFO (#765)
  862    * Fixed PIN logging, which could lead to exceptions
  863    * Fixed unicode handling in log messages
  864    * Make LDAP Resolver work with utf8 (#738)
  865    * User can only choose hash algo according to policy (#723)
  866    * Add time period 30/60s to rollout URI (#744)
  867    * Fix deprecation warning for flask_migrate (#734)
  868    * Allow multiple tries for challenge/response (#708)
  869    * Fix problem with certificate serial number (#737)
  870 
  871 
  872 Version 2.19.1, 2017-07-02
  873 
  874   Enhancements:
  875 
  876   * Add "pi-manage policy load" and "pi-manage policy export". (#721)
  877   * Allow customization via pi.cfg file.
  878   * Add {username} and {realm} as tags for the tokenhandler. (#735)
  879 
  880   Fixes:
  881 
  882   * Fix pi-manage file permission for backup
  883   * Fix search for resolver in audit log
  884   * Allow to read old legacy time from validity period
  885   * Fix wrong enddate with lost_token
  886   * Fix typos
  887   * Improve documentation for yubikey
  888   * Improve documentation for cache decorator
  889   * Improve documentation for webui policy
  890 
  891 
  892 Version 2.19, 2017-05-25
  893 
  894   Features:
  895   * Add generic User Cache to speed up authentication (#670, #683)
  896   * Support multiple challenge-response tokens with the same PIN (#654)
  897   * Restrict U2F registration based on assertion certificate (#648)
  898   * Restrict authentication with U2F devices based on assertion
  899     certificate (#648)
  900   * Add privacyidea-token-janitor script, that can clean orphaned or
  901     expired tokens (#692)
  902   * Add API for mutual key generation during enrollment for easy
  903     Smartphone App development by introducing a generic
  904     2-step-rollout process (#627)
  905   * Add /validate/radiuscheck which works with rlm_rest and only uses
  906     HTTP return codes. (#703)
  907 
  908   Enhancements:
  909 
  910   * Allow to unset token validity period and other tokeninfo
  911     fields (#691)
  912   * Add a quick-resolver test for LDAP resolvers (#688)
  913   * Add additional tokeninfo tags {client_ip}, {ua_browser},
  914     {ua_string} in token handler (#687)
  915   * Allow to set description of U2F tokens during enrollment (#685)
  916   * Reduce the number of LDAP requests to increase authentication
  917     performance (#664, #655, #650)
  918   * Realm administrator is only allowed to see actions on this allowed
  919     user realms (#663)
  920   * Add audit rotation to pi-manage (#657)
  921   * Speed up Audit Log calls by adding a second index (#656)
  922   * Allow to either lock or logout the UI after timeout (#653)
  923   * Allow string format {user}, {realm}, {serial}, {surname} in
  924     tokenlabel policy (#646)
  925   * Move to a consistent time format for validity period and all other
  926     user specific times also containing the timezone (#644)
  927   * Add TLS certificate check to LDAP machine resolver (#638)
  928   * Make TLS certificate the default option in LDAP resolvers (#639)
  929   * Allow to use privacyIDEA ownCloud App without subscription
  930     file with up to 50 users.
  931 
  932   Fixes:
  933   * Fix the datepicker for the token validity period (#644 / #693)
  934   * Fix LDAP resolver to respect all boolean configuration
  935     options (#658)
  936   * Fix serial number in challenge response validation response (#649)
  937 
  938   Commits added in version 2.19 by:
  939   (In the order of appearance)
  940   * Cornelius Kölbel
  941   * Quynh Nguyen
  942   * Friedrich Weber
  943   * Quoc Doan
  944   * blinkiz
  945   * Bernd Nicklas
  946 
  947 Version 2.18, 2017-03-09
  948 
  949   Features:
  950   * Allow to disable the WebUI (#605)
  951   * The WebUI will lock the screen after a timeout instead of
  952     logging out the user. This allows to easily continue
  953     configuration work. (#621)
  954   * Improve the creation and handling of local CAs (#630, #632, #633)
  955     Allow certificate template for certificates with different runtime
  956     and x509v3 extensions.
  957 
  958   Enhancements
  959   Enhancements in Policies:
  960   * Allow regular expressions in usernames in policies. (#581)
  961   * Improve Policy creation with pi-manage from JSON formatted file.
  962   * WebUI: Add action grouping in policies.
  963   * WebUI: Add action filter in policy view.
  964   * Allow token specific PIN policies: The SPASS token can now
  965     have dedicated PIN policies.
  966   * Add PIN policies for administrators during enrollment and
  967     during assignment.
  968   * Add WebUI policy: only search on enter being pressed (#617)
  969 
  970   Enhancements in Event Handlers:
  971   * Add token_validity_period condition to event handlers. (#618)
  972   * Add additional options in token handler when creating
  973     SMS, Email or mOTP tokens.
  974   * Allow tokenhandler to set tokeninfo field.
  975   * Allow tokenhandler to set syncwindow.
  976   * Add event handler condition for count_auth_success and
  977     count_auth_fail
  978   * Add event handler condition for last_auth.
  979   * Improve Audit Log for Event Handler. Each triggered action
  980     will now also create an audit entry. (#609)
  981   * Allow the use of {current_time} in tokenevent handler. (#628)
  982 
  983   Enhancements in LDAP Resolver:
  984   * Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP
  985     performance in regards to redundancy and security
  986   * LDAP Resolver: Use get_info in bind requests to avoid querying
  987     of subschema. (#585)
  988   * LDAP Resolver: Support StartTLS over Port 389.
  989   * Simplify LDAP Resolver: Remove username from Attribute Mapping.
  990   * Simplify LDAP Resolver: Remove reverse filter.
  991 
  992   Misc Enhancements:
  993   * Automatically add user's mobile number if tokentype is SMS.
  994   * Add example configuration for GTX messaging SMS gateway.
  995   * Add a script "privacyidea-get-unused-tokens" to find
  996     unused tokens
  997   * WebUI: Add a busy indicator spinner.
  998   * Improve the pi-manage script in regards to backup and restore.
  999     Let you choose whether to backup encryption key or not.
 1000     Better handling for individual paths. (#626, #623)
 1001 
 1002   Fixes:
 1003   * LDAP Resolver: Verify SSL Certificate (Security)
 1004   * LDAP Resolver: Allow special characters in NTLM password
 1005   * LDAP Resolver: Allow searching for users with German umlaut
 1006   * Remove the "unsafe" notation in the QR-Code link, so that
 1007     a smartphone may import the key during HOTP/TOTP token enrollment
 1008     by clicking the link. (#620)
 1009   * Use defusedxml to avoid XML bombs on token import (Security)
 1010   * Replace eval with ast.literal_eval (Security)
 1011   * Add missing attributes for U2F tokens in
 1012     validate/triggerchallenge API
 1013   * Let /validate/triggerchallenge write to audit log.
 1014   * Fix mangle policy for users and realms
 1015   * Avoid logging of password in check_user_pass in debug level
 1016     (level=10)
 1017   * Set encrypted PIN on enrollment for certificate tokens (#625)
 1018   * Remove unused policy action "motp_webprovision"
 1019   * Allow emailtext policy in triggerchallenge API (#642)
 1020 
 1021 
 1022 Version 2.17, 2016-12-29
 1023 
 1024   Features
 1025   * Token Handler. Using the token handler the administrator
 1026     can define actions in response to events, to modify tokens
 1027     like deleting, modifying, initializing... tokens (#532)
 1028   * Script Event Handler or Shell Event Handler allows to
 1029     trigger an external shell script, if some event occurs. (#536)
 1030   * Add additional endpoint to trigger a challenge response
 1031     like the sending of an SMS, if the token PIN is not
 1032     available (#531)
 1033   * Policy Handling to also check for secondary resolvers of
 1034     a user. This way a user can authenticate with his primary
 1035     resolver but policy will also work for secondary resolvers (#543)
 1036 
 1037   Enhancements
 1038   * The event handler conditions also determine a serial number
 1039     even if there is no serial number in the request:
 1040     If the user from the request only has one token assigned. (#571)
 1041   * Allow event definitions to be disabled (#537)
 1042   * Allow event to be addressed by a distinct name (#522)
 1043   * Improving LDAP performance by addressing different functionality
 1044     of ldap3 version 1.x and 2.x. (#549)
 1045   * Improve SQL Audit by adding the SQL Audit table to the schema.
 1046     Table is not created during HTTP request. (#557)
 1047   * Limit audit log entry age. Users may only view audit
 1048     log entries up to a certain age. (#541)
 1049   * Add checkbox to only display used actions in a policy (#573)
 1050   * In event handler: Use serial number of a user's token if the
 1051     user has only one token (#571)
 1052   * Download a filtered audit log (#539)
 1053 
 1054   Fixes
 1055   * Add missing token serial number to audit log if token is
 1056     deleted (#546)
 1057   * Fix event handler saving (#551)
 1058   * HttpSMSProvider accepts status codes 201 and 202 in addition
 1059     to 200 (#562)
 1060   * Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
 1061   * Add documentation for SMS provider (#566)
 1062   * Remove 301 redirects from WebUI (#576)
 1063 
 1064 
 1065 Version 2.16, 2016-11-10
 1066 
 1067   Features
 1068   * Add HSM support via AES keys (#534)
 1069   * Improved Event Handler for flexible notification (#511)
 1070   * Signed subscription files for adding and checking
 1071     for extra functionality during authentication request (#502)
 1072 
 1073   Enhancements
 1074   * Allow additional filter attributes in the Audit Log (#519)
 1075   * Show or hide realms in the login dialog via policy (#517)
 1076   * Improve UI if admin is not allowed for certain actions (#516, #512)
 1077   * Disable OTP PIN during enrollment via policy (#439)
 1078   * Allow automatic sending of registration code via email (#514)
 1079 
 1080   Fixes
 1081   * Allow compatibility with ldap3 >= 2.0.7 (#533 #535)
 1082   * Fix problem with Notification when no tokenowner is available (#528)
 1083   * Fix confusion of client HTTP parameters (#529)
 1084   * Fix enabled flag with certain database types (#527)
 1085   * Catch error in case of faulty overrideClient definition (#526)
 1086   * Truncate Audit lines, that are too long for the DB table (#525)
 1087 
 1088 
 1089 Version 2.15, 2016-10-06
 1090 
 1091   Features
 1092   * Client Overview. Display the type of the requesting
 1093     authenticating clients (#489)
 1094   * Support for NitroKey OTP mode (admin client)
 1095 
 1096   Enhancements
 1097   * Performance enhancements using Caching singletons for
 1098     Config, Realm, Resolver and Policies
 1099   * Allow configuration of the registration email text (#494)
 1100   * Return SAML attributes only in case of successful
 1101     authentication (#500)
 1102   * Policy "reset_all_user_tokens" allow to reset all
 1103     failcounters on successful authentication (#471)
 1104   * Client rewrite mapping also checks for
 1105     X-Forwarded-For (#395, #495)
 1106 
 1107   Fixes
 1108   * Fixing RemoteUser fails to display WebUI (#499)
 1109   * String comparison in HOSTS resolver (#484)
 1110 
 1111 
 1112 Version 2.14, 2016-08-17
 1113 
 1114   Features
 1115   * Import PGP encrypted seed files
 1116   * Allow UserNotification for user actions
 1117   * Allow UserNotification on validate/check events,
 1118     to notify the user on a failed authentication or
 1119     a locked token.
 1120 
 1121   Enhancements
 1122   * Add thread ID in REST API Response
 1123   * Performance improvement: Cache LDAP Requests #473
 1124   * Performance improvement: Optimize resolver iteration #474
 1125   * Add "Check OTP only" in WebUI
 1126   * Improve "get serial by OTP" in WebUI
 1127   * Add script to get serial by OTP
 1128 
 1129   Fixes
 1130   * Restrict GET /user for corresponding admins #460
 1131 
 1132 
 1133 Version 2.13, 2016-06-30
 1134 
 1135   Features
 1136   * Allow central definition of SMS gateways
 1137     to be used with tokens. #392
 1138   * User SMS for User Notification Event Handler. #435
 1139   * Add PIN change setting for each token. #429
 1140   * Force PIN change in web UI. #432
 1141 
 1142   Enhancements
 1143   * Performance enhancements
 1144     * speed up loading of audit log in web UI.
 1145     * avoid double loading of tokens and audit entries in web UI. #436
 1146   * Additional log level (enhanced Debug) to even log passwords in
 1147     debug mode.
 1148   * Add new logo. #430
 1149   * Add quick actions in the token list: reset failcounter,
 1150     toggle active. #426
 1151   * REST API returns OTP length on successful authentication. #407
 1152   * Add intelligent OverrideAuthorizationClient system setting,
 1153     that allows defined proxies to reset the client IP. #395
 1154 
 1155   Fixes
 1156   * Display token count in web UI. #437
 1157   * Use correct default_tokentype in token enrollment. #427
 1158   * Fix HOTP resync problems. #412
 1159 
 1160 
 1161 
 1162 Version 2.12, 2016-05-24
 1163 
 1164   Features
 1165   * Event Handler Framework #360
 1166   * local CA connector can enroll certificates
 1167     for users. Users can download PKCS12 file. #383
 1168   * Add and edit users in LDAP resolvers #372
 1169   * Hardware Security Module support via PKCS11
 1170   * Time dependent policies #358
 1171 
 1172   Enhancements
 1173   * Policy for web UI enrollment wizard #402
 1174   * Realm dropdown box at login screen #400
 1175   * Apply user policy settings #390
 1176   * Improve QR Code for TOTP token enrollment #384
 1177   * Add documentation for enrollment wizard #381
 1178   * Improve pi-manage backup to use pymysql #375
 1179   * Use X-Forwarded-For HTTP header as client IP #356
 1180   * Add meta-package privacyidea-mysql #376
 1181 
 1182   Fixes
 1183   * Adduser honors resolver setting in policy #403
 1184   * Add documentation for SPASS token #399
 1185   * Hide enrollment link (WebUI) if user can not enroll #398
 1186   * Fix getSerial for TOTP tokens #393
 1187   * Fix system config checkboxes #378
 1188   * Allow a realm to be removed from a token #363
 1189   * Improve the date handling in emails #352
 1190   * Sending test emails #350
 1191   * Authentication with active token not possible if
 1192     the user has a disabled token #339
 1193 
 1194 
 1195 Version 2.11, 2016-03-29
 1196 
 1197   Features
 1198   * RADIUS Servers: Allow central definition of RADIUS servers
 1199   * RADIUS passthru policy: Authentication requests for users
 1200     with no tokens can be forwarded to a specified RADIUS server
 1201 
 1202   Enhancements
 1203   * Allow objectGUID in LDAP-Resolver of Active Directory
 1204   * Use paged searches in LDAP. LDAP resolver will find all
 1205     users in the LDAP directory.
 1206   * Allow privacyIDEA instance name to be configured for
 1207     the AUDIT log
 1208   * Allow special characters in LDAP loginnames and passwords
 1209   * Add arbitrary attributes to SAML Authentication response
 1210   * Enhance the handling of YUBICO mode yubikeys with the
 1211     YUBICO API. The prefix is handled correctly.
 1212   * Allow in get_tokens to be filtered for tokeninfo.
 1213   * Add paged search in LDAP resolver. This allows responses
 1214     with more than 1000 objects.
 1215 
 1216   Fixes
 1217   * Fix SMTP authentication
 1218   * Fix Enrollment Wizard for non-default realm users
 1219   * Registration process: If an email can not be delivered,
 1220     the token is deleted, since it can not be used.
 1221 
 1222 
 1223 Version 2.10, 2016-02-11
 1224 
 1225   Features
 1226   * User Registration: A user may register himself and thus create
 1227     his new user account.
 1228   * Password Reset: Using a recovery token a user may issue a
 1229     password reset without bothering the administrator or the
 1230     help desk.
 1231   * Enrollment Wizard for easy user token enrollment
 1232   * SMTP Servers: Define several system wide SMTP settings and use
 1233     these for
 1234     * Email token,
 1235     * SMTP SMS Provider,
 1236     * registration process,
 1237     * or password reset.
 1238 
 1239   Enhancements
 1240   * Ease the Smartphone App (Google Authenticator) rollout.
 1241     Hide otplen, hash, timestep in the UI if a policy is defined.
 1242   * Add import of Aladdin/SafeNet XML file.
 1243   * Add import of password encrypted PSKC files.
 1244   * Add import of key encrypted PSKC files.
 1245 
 1246   Fixes
 1247   * Support LDAP passwords with special non-ascii characters.
 1248   * Support LDAP BIND with special non-ascii characters.
 1249   * Fix problem with encrypted encryption key.
 1250   * Fix upgrading DB Schema for postgresql+psycopg2.
 1251   * Fix UI displaying of saved SMS Provider.
 1252   * Do not start challenge response with a locked/disabled token.
 1253 
 1254 Version 2.9, 2015-12-21
 1255 
 1256   Features
 1257   * New token type: Security questions or questionnaire token.
 1258   * New token type: Paper token. OTP values printed on a piece of paper.
 1259   * Yubico Validation API: The yubikey tokens can authenticate via
 1260     /ttype/yubikey which follows the Yubico Validation Protocol.
 1261 
 1262   Enhancements
 1263   * Add Web UI view to display the active challenges.
 1264   * The issuer for the Google Authenticator app can be configured.
 1265   * The LDAP machine resolver uses an LDAP server pool.
 1266   * The LDAP user resolver returns a list of mobile numbers.
 1267 
 1268   Fixes
 1269   * The test email for the email token now has a sent date.
 1270   * Fix problem when using encrypted encryption key.
 1271   * Fix upper case problem when logging in to web UI
 1272     with REMOTE_USER.
 1273   * Fix allow set an empty PIN in the web UI.
 1274   * Fix import of token file in Web UI.
 1275 
 1276 Version 2.8, 2015-11-26
 1277 
 1278   Features
 1279   * Improve U2F support with trusted facets
 1280   * Add Challenge Response and U2F support to SAML
 1281   * Add Web UI theming
 1282   * Add possibility to use REMOTE_USER for authentication at Web UI
 1283   * Fuzzy Authentication: restrict time since last authentication
 1284 
 1285   Enhancements
 1286   * Allow mangle policy when fetching ssh keys
 1287   * Add realm support to ownCloud plugin
 1288   * Support Drupal passwords in SQL resolver
 1289   * Add validity period to token enrollment
 1290   * Set default enrollment token type in Web UI
 1291   * Add scope to LDAP resolver
 1292 
 1293   Fixes
 1294   * Fix failcounter reset for challenge response tokens
 1295   * Fix confusing DB errors (column exist) during installation
 1296   * Fix email token TLS checkbox saving
 1297   * Fix TOTP testing in Web UI
 1298   * Fix SMS config loading in Web UI
 1299 
 1300 
 1301 Version 2.7, 2015-10-03
 1302 
 1303   Features
 1304   * Add support for U2F tokens
 1305   * Add signature to the API JSON response. Thus
 1306     the client can verify the response.
 1307 
 1308   Enhancements
 1309   * When importing tokens, a realm can be chosen, so that all imported
 1310     tokens are immediately inserted into this realm.
 1311   * The user is able to change his password in the WebUI.
 1312   * The user can assign a token in the WebUI.
 1313   * Avoid requiring a PIN for some token types like SSH
 1314   * Migrate to pymysql, the pure python mysql implementation
 1315   * The Audit Log tells if a previous OTP value was used again.
 1316 
 1317   Fixes
 1318   * Enable login to WebUI with a loginname containing an @ sign.
 1319   * Fix the writing of logfile privacyidea.log
 1320 
 1321 Version 2.6, 2015-09-09
 1322 
 1323   Features
 1324   * Add OCRA base TiQR token to authenticate by scanning
 1325     a QR code.
 1326   * Add Challenge Response authentication to Web UI
 1327   * Add 4-Eyes token, to enable two man policy. Two tokens
 1328     of two users are needed to authenticate.
 1329   * "Revoke Token" lets you perform special action on token types.
 1330     Tokens can be revoked, meaning they are blocked and cannot
 1331     be unblocked anymore.
 1332 
 1333   Enhancements
 1334   * Add HA information in the documentation.
 1335   * Add OpenVPN documentation.
 1336   * Add challenge response policy, to define if e.g. HOTP or TOTP are
 1337     allowed to be used in challenge response mode.
 1338   * Add hotkeys for easier use of Web UI.
 1339   * Remove wrong system wide PassOnNoUser and PassOnNoToken.
 1340   * Set default language to "en" in Web UI.
 1341 
 1342   Fixes
 1343   * Fix LDAP bug #179, which allows authentication with
 1344     a wrong password under certain conditions
 1345   * Small fixes in coverage tests
 1346   * Fix username in web UI during enrollment
 1347   * Fix link to privacyIDEA logo in Web UI
 1348   * Fixed bug, that user was not able to resync his own tokens.
 1349 
 1350 
 1351 Version 2.5, 2015-07-23
 1352   Features
 1353   * Add statistics
 1354   * Add German translation
 1355   * Add PinHandler in case of random PIN used
 1356   * Add automatic documentation of system setup
 1357   * Add ownCloud plugin
 1358 
 1359   Enhancements
 1360   * Preset Email and SMS of a user when enrolling token
 1361   * Enable LDAP anonymous bind
 1362   * Add Hashalgorithms and digits to QR Code
 1363   * Add support for CentOS 6 and 7
 1364 
 1365   Fixes
 1366   * Fix registration token
 1367   * Fix mOTP reuse problem
 1368 
 1369 Version 2.4, 2015-06-24
 1370 
 1371   * Add User Management
 1372   * Add Admin Realms to policies, to allow better policies in bigger setups
 1373   * Add API key, that can be used for accessing /validate/check
 1374   * Load PSKC Token seed files.
 1375   * Add more sophisticated logging. Severe errors via Email
 1376   * WebUI: Registration token can be enrolled in WebUI
 1377   * WebUI: The token seed can be displayed in WebUI after generation
 1378   * WebUI: Only the token types that are allowed to be enrolled are displayed
 1379   * WebUI: Login_Mode Policy: Disable access to WebUI for certain users
 1380   * WebUI: Add reload button in Audit view
 1381   * SQLResolver: The Where statement is used in all cases
 1382   * SSH-Token Application: Only fetch keys of the requested user
 1383   * Apache client can work with several hosts on one machine
 1384   * Documentation: Tokentypes and Supported Hardware Tokens
 1385   * Improve RADIUS module
 1386   * WebUI: Fix download of audit log
 1387   * Fix missing access right of user to GET /caconnector
 1388 
 1389 
 1390 Version 2.3, 2015-05-22
 1391 
 1392   * Add connector to remote Certificate Authority
 1393   * Add Tokentype "certificate" to manage certificates for users
 1394     Certificates or Certificate Requests can be uploaded.
 1395     Certificate Requests (Keypair) can be generated in the browser.
 1396   * Add Tokentype "registration" for easier enrollment scenarios.
 1397   * Add TokenType "Email" to send OTP via Email.
 1398   * Add "First Steps" to online documentation
 1399   * Add handling of validity period of token
 1400   * Enable download of Audit log as CSV
 1401   * Add Resolver Priority, to handle a duplicate user in a realm
 1402   * Add TYPO3 Plugin to enable OTP with TYPO3
 1403   * Add SCIM Resolver to fetch users from SCIM services
 1404   * Fix Failcounter issue
 1405   * Fix NTLM password check
 1406   * Fix timestep during enrollment
 1407 
 1408 Version 2.2, 2015-04-09
 1409 
 1410   * pi-manage.py: create resolvers and realms
 1411   * pi-manage.py: manage policies
 1412   * Add LostToken UI
 1413   * Add Offline Application
 1414   * Add PAM authentication module with offline support
 1415   * Add getSerialByOTP. You can determine the Token by providing an OTP value.
 1416   * Add auth_count_max and auth_success_max for each token.
 1417   * Add PIN encryption policy
 1418   * Add API for SAML
 1419   * Add bash script for ssh key fetching
 1420   * Make WebUI logout time configurable via webui policy.
 1421   * Add NTLM authentication to the LDAP resolver.
 1422 
 1423 
 1424 Version 2.1, 2015-03-10
 1425 
 1426   * Add Machine-Application framework to support LUKS and SSH
 1427     to manage SSH keys and provide Yubikeys to boot LUKS
 1428     encrypted machines. #100, #10
 1429   * Add Machine Resolvers for hosts and LDAP/AD #96
 1430   * Migrate more policies like SMS policies. #95
 1431   * Restructure WebUI code to ease development #97
 1432   * Fix logout problem of user #92
 1433   * Fix user list for AD (referrals) #99
 1434   * Fix max_token_per_user policy #101
 1435 
 1436 
 1437 Version 2.0, 2015-02-21
 1438 
 1439   * Migrate privacyIDEA to Flask Web framework
 1440   * The WebUI was migrated to bootstrap and angularJS
 1441   * The database model was restructured to allow an easier handling and
 1442     programming
 1443   * Use the pi-manage.py tool to migrate old data
 1444   * provide ubuntu packages for privacyidea base package and
 1445     privacyidea-apache2 and privacyidea-nginx
 1446   * provide pi-manage.py tool to manage the installation and create new admins.
 1447   * policies are restructured. Internally the policies now use decorators to
 1448     have a minimum code impact. Not all policies are migrated, yet.
 1449   * OCRA token and Email token are not migrated, yet.
 1450 
 1451 
 1452 Version 1.5.1, 2015-01-12
 1453 
 1454   * Fix splitting the @-sign to allow users like user@email.com@realm1
 1455 
 1456 
 1457 Version 1.5, 2014-12-25
 1458 
 1459   * Fix the postinstall script for not broken repoze.who
 1460   * adapt the dependency for python webob
 1461   * add fix for users in policies.
 1462   * Working on #61
 1463   * Closing #63, allow upper and lower case DN in LDAP resolver
 1464   * Fix the empty result audit search problem
 1465   * Fix the port problem with SQL resolver
 1466 
 1467 
 1468 Version 1.4, 2014-10-06
 1469 
 1470   * Add "wrong password" message on login screen
 1471   * Add simplesamlphp module and deb package
 1472   * Add helper dialog to easily setup first realm
 1473   * Add QR enrollment of mOTP token (Token2)
 1474   * Add admin/checkserial policy
 1475   * Add help on logon screen
 1476   * Fixed the session timeout bug in the management UI
 1477 
 1478 
 1479 Version 1.3.2, 2014-09-22
 1480 
 1481  * Add uwsgi and nginx configuration
 1482  * Add nginx package
 1483  * Add meta packages to easily install radius dependencies. (#33)
 1484  * Add package for appliance
 1485  * Add appliance style: privacyidea-setup-tui
 1486  * Add privacyidea-otrs and remove the authmodules from the
 1487    core package
 1488  * Add first implementation of Token2 token type
 1489  * Change depend in builddepend
 1490  * Add missing SSL certificate
 1491  * Add missing python-dialog dependency
 1492  * Remove pylons download link, that caused timeout problems.
 1493 
 1494 Version 1.3, 2014-08-18
 1495 
 1496  * add support for Daplug dongle in keyboard mode
 1497  * Allow login with admin@realm, even with RealmBox.  (#26)
 1498  * inactive tokens will not work with the machine-app
 1499  * Added MachineUser database model
 1500  * PEP8 beautify
 1501  * Add about dialog
 1502  * added recommends for mysql and salt
 1503 
 1504 Version 1.2, 2014-07-15
 1505 
 1506  * added application for machines like LUKS and SSH
 1507  * send SMS via sipgate
 1508  * add RADIUS support
 1509  * SQL audit janitor
 1510  * improved SMS provider UI
 1511  * added possibility to do basic authentication instead of session auth.
 1512 
 1513 Version 1.1, 2014-06-25
 1514 
 1515  * Added documentation and in-UI-context-help.
 1516  * Fixed the token config to be filled with sensible data, so
 1517    that you do not need to configure ALL token types.
 1518  * Added script to clean up old audit logs.