privacyidea-venv (3.0-1) jessie; urgency=medium

  Features:
  * Add Push Token that receives a Firebase push notification and allows login
    by confirming this notification. Works with privacyIDEA Authenticator. (#1342)
  * Add a queue to offload certain tasks from the original request. 
    Allow sending emails via queue. (#1290)
  * Add API to write your own statistics-DB-module to be able to write
    to a time series DB (#1289)
  * The matching policies per request get written to the audit log (#874)
  * Support Python 3 (#676)
  
  Enhancements:
  * Enhance challenge response text, allows headers and footers and HTML
    in the challenge text (#1384)
  * Event Handlers may now depend on the user and IP address (#1435)
  * Improve documentation about customization (#1377)
  * Allow to use the client IP from X-Forwarded-For for all endpoints (#1399)
  * The otp-counter-condition for event handlers can also match greater
    than and less than (#1383)
  * Allow a token to use another SMS gateway than the default (#1358)
  * The policy "reset_all_user_tokens" will also work with challenge response (#1348)
  * Create more readable temporary token passwords based on base58. (#1325)
  * Allow support button in the UI to point to more sensible locations (#1331)

  Fixes:
  * Update LDAP3 dependency to 2.6 and fixes broken objectGUID (#1526)
  * Allow tokentype endpoints /ttype only for the specific tokentypes (#1528)
  * When logging in to the webui the client IP is only determined by
    X-Forwarded-For if the original (REMOTE_ADDR) is allowed to overwrite the client ip.
    (Side effect of #1392)
  * Remove submodules/authmodules from git repository and from base package (#1516)
  * Allow userid as integer in SQLResolver (#1513)
  * Fix revocation of certificates (#1510)
  * Fix manual resync of TOTP token (#1479)
  * Fix audit log entry if token resync fails (#1416)
  * Fix authcache to actually *write* values to the authcache (#1386)
  * Fix UI language determiniation in IE (#1379)
  * Fix tokenjanitor which sometimes did not delete all matching tokens (#1322)
  * Fix bug in two step enrollment (#1347)
  * Do not pass LDAP service account credentials in GET /resolver (#1271)
  * Redirect to login page in case of missing authorization header (#1326)
  * Respond with 404 if a non-existing object (like deleting event handler)
    is accessed (#817)
  * fix setrealm policy not to fail, if the original user does not exist (#1205)
  * Optimize hidden SQL queries (#1457)
  * Improve installation process and schema migration by initially stamping
    the database (#1489)

  Redesign:
  * Remove flask imports from libs to make code more modular (#331)
  * Making Token-User relation an n:m relation by moving the token assignment
    into its own database table. This will allow to assign several users to
    one token (#1288)
  * Unify password hashing in SQLResolver by using passlib (#1372)
  * Redesign the cryptolayer and replace pycrypto with cryptography (#1340)
  * Remove the old statistics, that were based on the audit log in favour
    of the generic event handler based statistics (#1314)
  * Deterministic installation with pinned dependencies on all distributions (#1127)
  
 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Wed, 10 Apr 2019 10:00:00 +0200

privacyidea-venv (2.23.5-1) jessie; urgency=medium

  Fixes:
  * Fix authcache
  * Fix correct syncwindow for manually resyncing TOTP tokens

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Mon, 04 Mar 2019 18:00:00 +0200


privacyidea-venv (2.23.4-1) jessie; urgency=medium

  Fixes:
  * Make triggerchallenge HTTP response consistent
  * Add tokentype and message to response of triggerchallenge
  * Allow concurrent challenges
  * Fix accepted-language to support _only_ de-DE.
  * Avoid user resolving in event handler condition
  * Point the support button to better landing pages

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Wed, 06 Feb 2019 12:00:00 +0200

privacyidea-venv (2.23.3-1) jessie; urgency=medium

  Fixes:
  * Performance: avoid using wildcard serials in functions like
    get_tokens, get_realms_of_token and copy_token
  * Performance: avoid reload of static configuration
  * Performance: Clean up LDAP cache, so that it will not grow to big and
    further LDAP cache usage optimization (#1246)
  * Performance: Make signing the audit log configurable (#1262)
  * Performance: Make the auth counter per token configurable (#1262)
  * Performance: Fix HSM auto recovery after an HSM failure and make
    MAX_RETRIES configurable (#1278)
  * Fix the double get requests of challenges in the UI
  * Auditlog now honors the admin realm in the policies (#1244)
  * Fix description of realm dropdown policy (#1245)
  * Allow token janitor to use chunk sizes
  * Allow Audit rotation to be performed in chunks to avoid deadlocks.
  * Improve documentation about required and optinal parameters in
    the SQL Audit module.
  * Cast userid to string to avoid casts problems with PostgreSQL
  * Update pyopenssl dependency.

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Fri, 26 Oct 2018 15:00:00 +0200

privacyidea-venv (2.23.3~dev4-1) jessie; urgency=medium

  Fixes:
  * Allow SQL audit signing to be deactivated
  * Allow token auth counter to be deactivated

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Thu, 27 Sep 2018 17:00:00 +0200


privacyidea-venv (2.23.3~dev3-1) jessie; urgency=medium

  Fixes:
  * Remove double "get" of Token challenges in UI
  * Avoid reload of static configuration (#1523)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Wed, 19 Sep 2018 19:30:00 +0200

privacyidea-venv (2.23.3~dev2-1) jessie; urgency=medium

  Fixes:
  * Fix performance issue with wildcard serials #1225
  * Make auditlog honor the admin realms #1244
  * Fix description of realm dropdown #1245

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Tue, 18 Sep 2018 17:00:00 +0200

privacyidea-venv (2.23.2-1) jessie; urgency=medium

  Fixes:
  * Fix problem with empty username (#1227)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Fri, 07 Sep 2018 12:00:00 +0200

privacyidea-venv (2.23.1-1) jessie; urgency=medium

  Fixes:
  * Fix PassOnNoUser in combination with event handler (#1206)
  * Fix loading of Event handler detail view (#1210)
  * Fix Challenge-Response login at Web UI (#1216)
  * Fix triggerchallenge to only use active tokens (#1217)
  * Write all installed package to diagnostics file and
    also write the resolver config in privacyidea-diag

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Thu, 06 Sep 2018 10:00:00 +0200

privacyidea-venv (2.23-1) jessie; urgency=medium

  Features:
  * Add periodic tasks including a privacyidea-cron script. (#992) 
  * Add task module "Simple Stats" to generate time series of certain 
    important statistics values in privacyIDEA (#1105)
  * Add task module "Event Counter" that allows to create time series of 
    any arbitrary event. (#1029)
  * New token type: TAN list, that can also import a prefefined
    list of TANs (#1057)
  * Add Event Handler Pre-Handling, that e.g. allows for
    even more easy token enrollment concepts (#747)

  Enhancements:
  * Improve performance by adding SQL pooling for SQL Audit 
    and SQL Resolvers. (#1167, #1140)
  * Improve SQL Resolver to also verify bcrypt-hash passwords (#1172)
  * Allow multiple WHERE conditions in SQL Resolver (#1039)
  * Allow objectGUID as loginname in LDAP resolver for better 
    ownCloud support (#1076)
  * Add command in pi-manage to dump audit log information (#1120)
  * Add script to allow generation of AES keys on HSM (#1159)
  * Improve recovery mechanism from a lost HSM connection (#1069)
  * Improve Debug Logging to hide passwords in SQL connect strings (#1162)
  * Add script for easy privacyIDEA standalone setup (#1093)
  * ldap3, pyasn1, croniter updated in Ubuntu Launchpad repo (#1085)
  * Add a script that easily gathers support and diagnostic information (#829)
  * Add event handler management to pi-manage (#1119)
  * Allow to customize the challenge text for challenge response tokens (#1096)
  * Add user information to OATH CSV token import file (#998)
  * Improve migration scripts from LinOTP to also update counter values (#1075)
  * Add priority to policies to avoid contradicting policies (#1031)
  * The token event handler now can delete tokeninfo (#988)
  * Make the import of OATH CSV token specific, so that each 
    tokentype can define its own import strategy (#1066)
  * The Event Counter module now allows to decrease the counter (#991)
  * Allow time deltas to also contain seconds (#1033)

  Fixes:
  * Allow to use unicode passwords with non-ascii characters for the
    connect string in SQL Resolvers (#1181)
  * Fix problem that a wrong password hash was used, if user is created
    in SQL Resolver (#1114)
  * Fix performance issue with slow token listing (#1123)
  * Fix the QR code regeneration if the user already has the maximum number
    of allowed tokens (#1153)
  * Fix problem with privacyidea-pip-update in case of pip version 10 (#1128)
  * Fix problem if max_token_per_user was higher than 9 (#1117)
  * Fix hash algorithm in QR Code (#1088)
  * Set focus in username field in the login dialog (#205)
  * Fix disappearing scrollbar issue (#1020)
  * Fix import of SHA256 tokens (#1061)
  * Convert string values to unicode in the database model to 
    avoid misleading "error" messages (#1000)
  * Fix truncation of audit log in case of authentication failure (#1034)
  * Shorten audit information to fit into the database column (#1037)
  * Fix the RADIUS configuration test (#1042)


 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Wed, 29 Aug 2018 09:00:00 +0200

privacyidea-venv (2.23~dev9-1) jessie; urgency=medium

  * Development version

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Tue, 28 Aug 2018 07:30:00 +0200

privacyidea-venv (2.23~dev8-1) jessie; urgency=medium

  * Development version

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Wed, 22 Aug 2018 13:00:00 +0200


privacyidea-venv (2.22.1-1) jessie; urgency=medium

  Fixes in WebUI:
  * Allow to display the messages of several C/R tokens (#995, #1004)
  * Use ng-if instead of ng-show to avoid errors in the javascript console (#963)
  * Remove reference to not-used system.addons.js to avoid errors in the javascript console
  * Remove reference to not-used system.addons.html to avoid errors in the javascript console
  * Use ng-src instead of src to avoid errors in the javascript console
  * Avoid request to /false is image is not existing - avoid error in the javascript console
  * Fix handling of U2F token in the WebUI login
  * Require serial number in the assignment form (#1011)
  * Fix PIN comparison in token enroll and token assign (#1010)
  * Fix the empty username in token enroll or assign (#918)

  Fixes in Server:
  * Add check for serial number present (#1011)
  * Fix validation of OCRA and TiQR token (#1008)
  * Add retry to cope with HSM issues (#1003)
  * Fix unicode in resolverconf database table with Oracle (#999)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Fri, 20 Apr 2018 15:00:00 +0200

privacyidea-venv (2.22-1) jessie; urgency=low

  Features:
  * Add automatic offline refill for Offline OTP tokens (#839)
  * Return realm and resolver of the user and allow mapping
    group membership to the RADIUS protocol (#896)
  * Add new tokenkind (hardware, software, virtual) for all tokens (#828)
  * Support Vasco tokens via Import and via Web Enrollment (#904, #903, #891)
  * Add arbitrary tokeninfo field to authorization policy (#873)
  * New SMPP SMS provider (#878)
  * New event handler Counter for counting events for statistics and monitoring (#951)

  Enhancements:
  * Enhance the statistics possibilities in WebUI (#950)
  * Allow reencryption of the database by importing PSKC to
    a new database (#940)
  * Allow token janitor to export "PW" token type to PSKC (#942)
  * Also export and import the counter values of HOTP/TOTP to PSKC (#943)
  * SMS token can dynamically read phone number from user source (#932)
  * Email token can dynamically read email address from user source (#932)
  * Add policy to ignore the validity of a U2F attestation certificate (#926)
  * Improve the speed of the LinOTP migration script to cope with tens of
    thousands of tokens (#914)
  * pi-manage can create API tokens with a chosen validity time (#931)
  * Allow user to set token description for HOTP and TOTP tokens 
    during enrollment (#928) (Thanks to Taylor Chase for this contribution!)
  * Add timeout to SMTP server configuration (#919)
  * Allow complex email templates for email tokens (#684)
  * LDAP resolver now supports arbitrary multivalue attributes (#881)
  * Allow Event Handler to match failing authentication (#971)

  Fixes:
  * Several fixes in LDAP resolver to cope with ldap3/pyasn1 version issues and
    other issues (#911, #980, #982, #887)
  * Skip misguiding LDAP error "AttributeError NonType" in log file (#948)
  * Add missing validity time in /validate/check response for email tokens (#946)
    (Thanks to Kleber Rocha/klinux for this contribution!)
  * Fix the handling of the SMS expiration date (#937)
  * Fix serial length in the audit table to match the serial length in the token table (#929)
    (Thanks to Salvo Rapisarda for this contribution!)
  * Fix Mail content sent by email token is rendered as attachment (#915)
  * Fix Editing SMTP Server definition clears the password (#923)
  * Fix pi-manage backup crash (Thanks to Pavol Ipoth for this contribution!)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Tue, 26 Mar 2018 09:30:00 +0200


privacyidea-venv (2.21.1-1) jessie; urgency=low

  Features:
   * Allow export of tokens to PKSC file (#790)
   * Implement two-step enrollment of HOTP/TOTP tokens (#797, #863, #865, #866)
   * Allow WebUI customization via policies (#795)

  Enhancements:
   * Add script to decrypt safeword tokens
   * Allow using tags in the tokenissuer of smartphone tokens
   * Try to re-establish lost HSM connections (#787)
   * Allow to rotate audit log based on multiple conditions (#780, #833)
   * Add dry-run option to audit log rotation (#801)
   * Allow dots in realm names (#808)
   * Mark empty but required fields in WebUI (#810)
   * Display success information after PIN is set (#822)
   * Add further tags to the user notification event handler (#824)
   * Add number of users to the subscription view (#800)
   * Add HTTP/HTTPS proxy settings to HTTP SMS Provider (#835)
   * Federation Handler allows to forward the authorization token (#838)
   * Use token janitor to export a user list (#852)
   * Use HSM for random key generation if possible (#783)
   * HTTP SMS Provider now takes TIMEOUT parameter into account
   * Allow to configure length of generated serial numbers (#583)

  Fixes:
   * Fix handling of only_realm option in token event handler (#809)
   * Fix scrollbar issues in WebUI (#806, #823)
   * Fix OTP counter of offline token (#840)
   * Fix conflicts between check_tokentype and passthru policies (#846)
   * Properly reset tab tile after session has been locked (#850)
   * Fix handling of fixed key size during enrollment (#820)
   * Make sure that only active policies are honored (#825)
   * Fix various bugs with non-ASCII data (#754)
   * Fix failcounter_clear_timeout (#831)
   * Only remove apache host definitions on first installation (#834)
   * Allow to use TLS1.1 and TLS1.2 for LDAP Resolver (#876)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Tue, 09 Jan 2018 12:30:00 +0200

privacyidea-venv (2.20.1-1) jessie; urgency=low

  Fixes:
   * /token/init allows to pass otpkey AND genkey=false (#793)
   * Cast date to string, to fix audit search for postgresql (#786)
   * Optimize the LDAP Resolver Redundancy to avoid LdapServerPoolExhaustedErrors (#802)
   * Preset default realm in token enrollment (#804)
   * Fix PassOnNoUser and PassOnNoToken (#798)
   * Fix genkey=0 error during token enrollment (#793)

 -- Cornelius Kölbel <cornelius.koelbel@netknights.it>  Mon, 30 Oct 2017 11:30:00 +0200


privacyidea-venv (2.19.1-1) jessie; urgency=low

  Enhancements:
  * Add "pi-manage policy load" and "pi-manage policy export". (#721)
  * Allow customization via pi.cfg file.
  * Add {username} and {realm} as tags for the tokenhandler. (#735)

  Fixes:
  * Fix pi-manage file permission for backup
  * Fix search for resolver in audit log
  * Allow to read old legacy time from validity period
  * Fix wrong enddate with lost_token
  * Fix typos
  * Improve documentation for yubikey
  * Improve documentation for cache decorator
  * Improve documentation for webui policy

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Sun, 02 Jul 2017 08:00:00 +0200

privacyidea-venv (2.19-1) wheezy; urgency=low

  Features:
  * Add generic User Cache to speed up authentication (#670, #683)
  * Support multiple challenge-response tokens with the same PIN (#654)
  * Restrict U2F registration based on assertion certificte (#648)
  * Restrict authentication with U2F devices based on assertion 
    certificate (#648)
  * Add privacyidea-token-janitor script, that can clean orpaned or 
    expired tokens (#692)
  * Add API for mutual key generation during enrollment for easy 
    Smartphone App development by introducing a generic 
    2-step-rollout process (#627)
  * Add /validate/radiuscheck which works with rlm_rest and only uses 
    HTTP return codes. (#703)

  Enhancements:
  * Allow to unset token validity period and other tokeninfo
    fields (#691)
  * Add a quick-resolver test for LDAP resolvers (#688)
  * Add additional tokeninfo tags {client_ip}, {ua_browser}, 
    {ua_string} in token handler (#687)
  * Allow to set decription of U2F tokens during enrollment (#685)
  * Reduce the number of LDAP requests to increase authentication
    performance (#664, #655, #650)
  * Realm administrator is only allowed to see actions on this allowed
    user realms (#663)
  * Add audit rotation to pi-manage (#657)
  * Speed up Audit Log calls by adding a second index (#656)
  * Allow to either lock und logout the UI after timeout (#653)
  * Allow string format {user}, {realm}, {serial}, {surname} in 
    tokenlabel policy (#646)
  * Move to a consistent time format for validity period and all other 
    user specific times also containing the timezone (#644)
  * Add TLS certificate check to LDAP machine resolver (#638)
  * Make TLS certificate the default option in LDAP resolvers (#639)
  * Allow to use privacyIDEA ownCloud App without subscription
    file with up to 50 users.

  Fixes:
  * Fix the datepicker for the token validity period (#644 / #693)
  * Fix LDAP resolver to respect all boolean configuration 
    options (#658)
  * Fix serial number in challenge response validation response (#649)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Fri, 26 May 2017 08:30:00 +0200

privacyidea-venv (2.18-1) wheezy; urgency=low

  Features:
  * Allow to disable the WebUI (#605)
  * The WebUI will lock the screen after a timeout instead of  
    logging out the user. This allows to easily continue
    configuration work. (#621)
  * Improve the creation and handling of local CAs (#630, #632, #633)
    Allow certificate template for certificates with different runtime
    and x509v3 extensions.

  Enhancements
  Enhancements in Policies:
  * Allow regular expressions in usernames in policies. (#581)
  * Improve Policy creation with pi-manage from JSON formatted file.
  * WebUI: Add action grouping in policies.
  * WebUI: Add action filter in policy view.
  * Allow token specific PIN policies: The SPASS token can now
    have dedicated PIN policies.
  * Add PIN policies for administrators during enrollment and
    during assignment.
  * Add WebUI policy: only search on enter being pressed (#617)

  Enhancements in Event Handlers:
  * Add token_validity_period condition to event handlers. (#618)
  * Add additional options in token handler when creating 
    SMS, Email or mOTP tokens.
  * Allow tokenhandler to set tokeninfo field.
  * Allow tokenhandler to set syncwindow.
  * Add event handler condition for count_auth_success and
    cound_auth_fail
  * Add event handler condition for last_auth.
  * Improve Audit Log for Event Handler. Each triggered action 
    will now also create an audit entry. (#609)
  * Allow the use of {current_time} in tokenevent handler. (#628)

  Enhancements in LDAP Resolver:
  * Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP 
    performance in regards to redundancy and security
  * LDAP Resolver: Use get_info in bind requests to avoid querying 
    of subschema. (#585)
  * LDAP Resolver: Support StartTLS over Port 389.
  * Simplify LDAP Resolver: Remove username from Attribute Mapping.
  * Simplefy LDAP Resolver: Remove reverse filter.

  Misc Enhancements:
  * Automatically add user's mobile number if tokentype is SMS.
  * Add example configuration for GTX messaging SMS gateway.
  * Add a script "privacyidea-get-unused-tokens" to find
    unused tokens
  * WebUI: Add a busy indicator spinner.
  * Improve the pi-manage script in regards to backup and restore.
    Let you choose whether to backup encryption key or not.
    Better handling for individual pathes. (#626, #623)

  Fixes:
  * LDAP Resolver: Verify SSL Certificate (Security)
  * LDAP Resolver: Allow special characters in NTLM password
  * LDAP Resolver: Allow searching for users with German umlaut
  * Remove the "unsafe" notation in the QR-Code link, so that 
    a smartphone may import the key during HOTP/TOTP token enrollment
    by clicking the link. (#620)
  * Use defusexml to avoid XML bombs on token import (Security)
  * Replace eval with ast.literal_evel (Security)
  * Add missing attributes for U2F tokens in 
    validate/triggerchallenge API
  * Let /validate/triggerchallenge write to audit log.
  * Fix mangle policy for users and realms
  * Avoid logging of password in check_user_pass in debug level 
    (level=10)
  * Set encrypted PIN on enrollment for certificate tokens (#625)
  * Remove unused policy action "motp_webprovision"
  * Allow emailtext policy in triggerchallenge API (#642)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 09 Mar 2017 12:00:00 +0200

privacyidea-venv (2.17-1) wheezy; urgency=low

  Features
  * Token Handler. Using the token handler the administrator
    can defined actions in response to events, to modify tokens
    like deleting, modifying, initilizing... tokens (#532)
  * Script Event Handler or Shell Event Handler allows to
    trigger an external shell script, if some event occurs. (#536)
  * Add additional endpoint to trigger a challenge response
    like the sending of an SMS, if the token PIN is not
    available (#531)
  * Policy Handling to also check for secondary resolvers of
    a user. This way a user can authenticate with his primary 
    resolver but policy will also work for secondary resolvers (#543)

  Enhancements
  * The event handler conditions also determine a serial number
    even if there is no serial number in the request:
    If the user from the request only has one token assigned. (#571)
  * Allow event definitions to be disabled (#537)
  * Allow event to be addressed by a destinct name (#522)
  * Improving LDAP performace by addressing different functionality 
    of ldap3 version 1.x and 2.x. (#549)
  * Improve SQL Audit by adding the SQL Audit table to the schema.
    Table is not created during HTTP request. (#557)
  * Limit audit log entry age. Users may only view audit
    log entries up to a certain age. (#541)
  * Add checkbox to only display used actions in a policy (#573)
  * In event handler: Use serial number of a user's token if the 
    user has only one token (#571)
  * Download a filtered audit log (#539)

  Fixes
  * Add missing token serial number to audit log if token is
    deletes (#546)
  * Fix event handler saving (#551)
  * HttpSMSProvider accepts status codes 201 and 202 in addition
    to 200 (#562)
  * Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
  * Add documentation for SMS provider (#566)
  * Remove 301 redirects from WebUI (#576)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 29 Dec 2016 16:30:00 +0200


privacyidea-venv (2.16-1) wheezy; urgency=low

  Featurs
  * Add HSM support via AES keys (#534)
  * Improved Event Handler for flexible notification (#511)
  * Signed subscription files for adding and checking
    for extra functionality during authentication request (#502)

  Enhancements
  * Allow additional filter attributes in the Audit Log (#519)
  * Show or hide realms in the login dialog via policy (#517)
  * Improve UI if admin is not allowed for certain actions (#516, #512)
  * Disable OTP PIN during enrollment via policy (#439)
  * Allow automatic sending of registration code via email (#514)

  Fixes
  * Allow compatibility with ldap3 >= 2.0.7 (#533 #535)
  * Fix problem with Notification when no tokenowner is available (#528)
  * Fix confusion of client HTTP parameters (#529)
  * Fix enabled flag with certain database types (#527)
  * Catch error in case of faulty overrideClient definition (#526)
  * Truncate Audit lines, that are too long for the DB table (#525)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 10 Nov 2016 16:30:00 +0200


privacyidea-venv (2.15-1) wheezy; urgency=low

  Features
  * Client Overview. Display the type of the requesting
    authenticating clients (#489)
  * Support for NitroKey OTP mode (admin client)

  Enhancements
  * Builds on Ubuntu 16.04 Xenial
  * Performance enhancements using Caching singletons for
    Config, Realm, Resolver and Policies
  * Allow configuration of the registration email text (#494)
  * Return SAML attributes only in case of successful
    authentication (#500)
  * Policy "reset_all_user_tokens" allow to reset all
    failcounters on successful authentication (#471)
  * Client rewrite mapping also checks for
    X-Forwarded-For (#395, #495)

  Fixes
  * Fixing RemoteUser fails to display WebUI (#499)
  * String comparison in HOSTS resolver (#484)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 06 Oct 2016 08:30:00 +0200


privacyidea-venv (2.14-1) wheezy; urgency=low

  Features
  * Import PGP encrypted seed files
  * Allow UserNotification for user actions
  * Allow UserNotification on validate/check events,
    to notify the user on a failed authentication or
    a locked token.

  Enhancements
  * Add thread ID in REST API Response
  * Performence improvement: Cache LDAP Requests #473
  * Performance improvement: Optimize resolver iteration #474
  * Add "Check OTP only" in WebUI
  * Improve "get serial by OTP" in WebUI
  * Add script to get serial by OTP

  Fixes
  * Restrict GET /user for corresponding admins #460

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 17 Aug 2016 00:03:00 +0200


privacyidea-venv (2.13-1) wheezy; urgency=low

  Features
  * Allow central definition of SMS gateways 
    to be used with tokens. #392
  * User SMS for User Notificaton Event Handler. #435
  * Add PIN change setting for each token. #429
  * Force PIN change in web UI. #432

  Enhancements
  * Performence enhancements
    * speed up loading of audit log in web UI.
    * avoid double loadin of tokens and audit entries in web UI. #436
  * Additional log level (enhanced Debug) to even log passwords in 
    debug mode.
  * Add new logo. #430
  * Add quick actions in the token list: reset failcounter, 
    toggle active. #426
  * REST API returns OTP length on successful authentication. #407
  * Add intelligent OverrideAuthorizationClient system setting,
    that allows defined proxies to reset the client IP. #395

  Fixes
  * Display token count in web UI. #437
  * Use correct default_tokentype in token enrollment. #427
  * Fix HOTP resync problems. #412
  

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 30 Jun 2016 12:00:00 +0200

privacyidea-venv (2.12-1) wheezy; urgency=low

  Features
  * Event Handler Framework #360
  * local CA connector can enroll certificates
    for users. Users can download PKCS12 file. #383
  * Add and edit users in LDAP resolvers #372
  * Time dependent policies #358

  Enhancements
  * Policy for web UI enrollment wizard #402
  * Realm dropdown box at login screen #400
  * Apply user policy settings #390
  * Improve QR Code for TOTP token enrollment #384
  * Add documentation for enrollment wizard #381
  * Improve pi-manage backup to use pymysql #375
  * Use X-Forwarded-For HTTP header as client IP #356
  * Add meta-package privacyidea-mysql #376

  Fixes
  * Adduser honors resolver setting in policy #403
  * Add documentation for SPASS token #399
  * Hide enrollment link (WebUI) is user can not enroll #398
  * Fix getSerial for TOTP tokens #393
  * Fix system config checkboxes #378
  * Allow a realm to be remove from a token #363
  * Improve the date handling in emails #352
  * Sending test emails #350
  * Authentication with active token not possible if
    the user has a disabled token #339

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 24 May 2016 16:00:00 +0200


privacyidea-venv (2.11-1) wheezy; urgency=low

  Features
  * RADIUS Servers: Allow central definition of RADIUS servers
  * RADIUS passthru policy: Authentication requests for users
    with no tokens can be forwarded to a specified RADIUS server

  Enhancements
  * Allow objectGUID in LDAP-Resolver of Active Directory
  * Use paged searches in LDAP. LDAP resolver will find all
    users in the LDAP directory.
  * Allow privacyIDEA instance name to be configured for
    the AUDIT log
  * Allow special characters in LDAP loginnames and passwords
  * Add arbitrary attributes to SAML Authentication response
  * Enhance the handling of YUBICO mode yubikeys with the
    YUBICO API. The prefix is handled correctly.
  * Allow in get_tokens to be filtered for tokeninfo.
  * Add paged search in LDAP resolver. This allows responses
    with more than 1000 objects.

  Fixes
  * Fix SMTP authentication
  * Fix Enrollment Wizard for non-default realm users
  * Registration process: If an email can not be delivered,
    the token is deleted, since it can not be used.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 29 Mar 2016 08:30:00 +0200

privacyidea-venv (2.10-1) wheezy; urgency=low

  Features
  * User Registration: A user may register himself and thus create
    his new user account.
  * Password Reset: Using a recovery token a user may issue a
    password reset without bothering the administrator or the
    help desk.
  * Enrollment Wizard for easy user token enrollment
  * SMTP Servers: Define several system wide SMTP settings and use
    these for
    * Email token,
    * SMTP SMS Provider, 
    * registration process,
    * or password reset.

  Enhancements
  * Ease the Smartphone App (Google Authenticator) rollout.
    Hide otplen, hash, timestep in the UI if a policy is defined.
  * Add import of Aladdin/SafeNet XML file.
  * Add import of password encrypted PSKC files.
  * Add import of key encrypted PSKC files.

  Fixes
  * Support LDAP passwords with special non-ascii characters.
  * Support LDAP BIND with special non-ascii characters.
  * Fix problem with encrypted encryption key.
  * Fix upgrading DB Schema for postgresql+psycopg2.
  * Fix UI displaying of saved SMS Provider.
  * Do not start challenge response with a locked/disabled token.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 11 Feb 2016 00:01:00 +0200

privacyidea-venv (2.9-1) wheezy; urgency=low

  Features
  * New token type: Security questions or questionnaire token.
  * New token type: Paper token. OTP values printed on a piece of paper.
  * Yubico Validation API: The yubikey tokens can authenticate via
    /ttype/yubikey which follows the Yubico Validation Protocol.

  Enhancements
  * Add Web UI view to display the active challenges.
  * The issuer for the Google Authenticator app can be configured.
  * The LDAP machine resolver uses an LDAP server pool.
  * The LDAP user resolver returns a list of mobile numbers.

  Fixes
  * The test email for the email token now has a sent date.
  * Fix problem when using encrypted encryption key.
  * Fix upper case problem when logging in to web UI
    with REMOTE_USER.
  * Fix allow set an empty PIN in the web UI.
  * Fix import of token file in Web UI.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 21 Dec 2015 18:00:00 +0200

privacyidea-venv (2.8-1) wheezy; urgency=low

  Features
  * Improve U2F support with trusted facets
  * Add Challenge Response and U2F support to SAML
  * Add Web UI theming
  * Add possibility to use REMOTE_USER for authentication at Web UI
  * Fuzzy Authentication: restrict time since last authentication

  Enhancements
  * Allow mangle policy when fetching ssh keys
  * Add realm support to ownCloud plugin
  * Support Drupal passwords in SQL resolver
  * Add validity period to token enrollment
  * Set default enrollment token type in Web UI
  * Add scope to LDAP resolver

  Fixes
  * Fix failcounter reset for challenge response tokens
  * Fix confusing DB errors (column exist) during installation
  * Fix email token TLS checkbox saving
  * Fix TOTP testing in Web UI
  * Fix SMS config loading in Web UI

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 26 Nov 2015 23:30:00 +0200

privacyidea-venv (2.7-1) wheezy; urgency=low

  Features
  * Add support for U2F tokens
  * Add signature to the API JSON response. Thus
    the client can verify the response.

  Enhancements
  * When importing tokens, a realm can be chosen, so that all imported
    tokens are immediately inserted into this realm.
  * The user is able to change his password in the WebUI.
  * The user can assign a token in the WebUI.
  * Avoid the requiring of a PIN for some tokentypes like SSH
  * Migrate to pymysql, the pure python mysql implementation
  * The Audit Log tells if a previous OTP value was used again.

  Fixes
  * Enable login to WebUI with a loginname containing an @ sign.
  * Fix the writing of logfile privacyidea.log

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 07 Oct 2015 08:00:00 +0200


privacyidea-venv (2.6-1) wheezy; urgency=low

  Features
  * Add OCRA base TiQR token to authenticate by scanning
    a QR code.
  * Add Challenge Response authentication to Web UI
  * Add 4-Eyes token, to enable two man policy. Two tokens
    of two users are needed to authenticate.
  * "Revoke Token" lets you perform special action on token types.
    Tokens can be revoke, meaning they are blocked an can not
    be unblocked anymore.

  Enhancements
  * Add HA information in the documentation.
  * Add OpenVPN documentation.
  * Add challenge response policy, to define if e.g. HOTP or TOTP are 
    allowed to be used in challenge response mode.
  * Add hotkeys for easier use of Web Ui.
  * Remove wrong system wide PassOnNoUser and PassOnNoToken.
  * Set default language to "en" in Web UI.

  Fixes
  * Fix LDAP bug #179, which allows authentication with
    wrong password under certain conditions
  * Small fixes in coverage tests
  * Fix username in web UI during enrollment
  * Fix link to privacyIDEA logo in Web UI
  * Fixed bug, that user was not able to resync his own tokens.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 09 Sep 2015 09:30:00 +0200

privacyidea-venv (2.5-1) wheezy; urgency=low

  Features
  * Add statistics
  * Add German translation
  * Add PinHandler in case of random PIN used
  * Add automatic documentation of system setup
  * Add ownCloud plugin
  
  Enhancements
  * Preset Email and SMS of a user when enrolling token
  * Enable LDAP anonymous bind
  * Add Hashalgorithms and digits to QR Code
  * Add support for CentOS 6 and 7
  
  Fixes
  * Fix registration token
  * Fix mOTP reuse problem


 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 22 Jul 2015 17:00:00 +0200


privacyidea-venv (2.4-1) wheezy; urgency=low

  * Add User Management
  * Add Admin Realms to policies, to allow better policies in bigger setups
  * Add API key, that can be used for accessing /validate/check
  * Load PSKC Token seed files.
  * WebUI: Registrtion token can be enrolled in WebUI
  * WebUI: The token seed can be displayed in WebUI after generation
  * WebUI: Only the token types that are allowed to be enrolled are displayed
  * WebUI: Login_Mode Policy: Disable access to WebUI for certain users
  * WebUI: Add reload button in Audit view
  * SQLResolver: The Where statement is used in all cases
  * SSH-Token Application: Only fetch keys of the requested user
  * Apache client can work with several hosts on one machine
  * Documentation: Tokentypes and Supported Hardware Tokens
  * Improve RADIUS module
  * WebUI: Fix download of audit log
  * Fix missing access right of user to GET /caconnector
  * Fix SMS token

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 24 Jun 2015 09:30:00 +0200

privacyidea-venv (2.3-1) wheezy; urgency=low

  * Add connector to remote Certificate Authority
  * Add Tokentype "certificate" to manage certificates for users
    Certificates or Certificate Requests can be uploaded.
    Certificate Requests (Keypair) can be generated in the browser.
  * Add Tokentype "registration" for easier enrollment scenarios.
  * Add TokenType "Email" to send OTP via Email.
  * Add "First Steps" to online documentation
  * Add handling of validity period of token
  * Enable download of Audit log as CSV
  * Add Resolver Priority, to handle a duplicate user in a realm
  * Add TYPO3 Plugin to enable OTP with TYPO3
  * Add SCIM Resolver to fetch users from SCIM services
  * Fix Failcounter issue
  * Fix NTLM password check
  * Fix timestep during enrollment

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Fri, 22 May 2015 15:30:00 +0200

privacyidea-venv (2.2-1) wheezy; urgency=low

  * pi-manage: create resolvers and realms
  * pi-manage: maange policies
  * Add LostToken UI
  * Add Offline Application
  * Add PAM authentication module with offline support
  * Add getSerialByOTP. You can determine the Token by providing an OTP value.
  * Add auth_count_max and auth_success_max for each token.
  * Add PIN encryption policy
  * Add API for SAML
  * Add bash script for ssh key fetching
  * Make WebUI logout time configurable via webui policy.
  
 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 09 Apr 2015 12:10:00 +0200

privacyidea-venv (2.1-1) wheezy; urgency=low

  * Add Machine-Application framework to support LUKS and SSH
    to manage SSH keys and provide Yubikeys to boot LUKS
    encrypted machines. #100, #10
  * Add Machine Resolvers for hosts and LDAP/AD #96
  * Migrate more policies like SMS policies. #95
  * Restructure WebUI code to ease development #97
  * Fix logout problem of user #92
  * Fix user list for AD (referrals) #99
  * Fix max_token_per_user policy #101

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 10 Mar 2015 10:30:00 +0200

privacyidea-venv (2.1~dev2) trusty; urgency=low

  * Add MachineTokens to Token.Details and Machine.Details view.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 02 Mar 2015 15:50:00 +0200

privacyidea-venv (2.1~dev1) trusty; urgency=low

  * Fix logout problem of user

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Sat, 21 Feb 2015 16:00:00 +0200

python-privacyidea (2.0-1) trusty; urgency=low

  * Migrate to flask
  * change the name of the debian package as the package only
    contains the python module.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Sat, 21 Feb 2015 14:00:00 +0200


privacyidea (1.5.1-1trusty) trusty; urgency=low

  * Fix splitting the @-sign to allow users like user@email.com

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 02 Feb 2015 09:08:00 +0200


privacyidea (1.5-1trusty) trusty; urgency=low

  * Fix the postinstall script for not broken repoze.who
  * adapt the dependency for python webob
  * add fix for users in policies.
  * Working on #61
  * Closing #63, allow upper and lower case DN in LDAP resolver
  * Fix the empty result audit search problem
  * Fix the port problem with SQL resolver

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 25 Dec 2014 16:30:00 +0200

privacyidea (1.4-1) trusty; urgency=low

  * Add "wrong password" message on login screen
  * Speed up tests
  * Add help on logon screen.
  * Add helper dialog to setup first realm
  * Add simplesamlphp module and deb package
  * Fixed the session timeout bug in the management UI

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 06 Oct 2014 16:50:00 +0200

privacyidea (1.4~dev5-1) trusty; urgency=low

  * Add wrong password message on login screen
  * Speed up tests

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 06 Oct 2014 09:10:00 +0200

privacyidea (1.4~dev4-1) trusty; urgency=low

  * Add help on logon screen.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 02 Oct 2014 11:20:00 +0200

privacyidea (1.4~dev3-1) trusty; urgency=low

  * Add helper dialog to setup first realm

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 30 Sep 2014 11:10:00 +0200

privacyidea (1.4~dev2-1) trusty; urgency=low

  * Add simplesamlphp module and deb package

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 29 Sep 2014 11:40:00 +0200

privacyidea (1.4~dev1-1) trusty; urgency=low

  * Fixed the session timeout bug in the management UI

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 24 Sep 2014 19:10:00 +0200

privacyidea (1.3.2-1) trusty; urgency=low

  * Add uwsgi and nginx configuration
  * Add nginx package
  * Add meta packages to easily install radius dependencies. (#33)
  * Add package for appliance
  * Add appliance style: privacyidea-setup-tui
  * Add privacyidea-otrs and remove the authmodules from the
    core package
  * Add first implementation of Token2 token type
  * Change depend in builddepend
  * Add missing SSL certificate
  * Add missing python-dialog dependency
  * Remove pylons download link, that caused timeout problems.

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 22 Sep 2014 10:00:00 +0200

privacyidea (1.3.1-1) trusty; urgency=low

  * Fixed bug, that avoided to delete MachineTokens with options (#27)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 20 Aug 2014 18:30:00 +0200

privacyidea (1.3-1) trusty; urgency=low

  * add support for Daplug dongle in keyboard mode
  * Allow login with admin@realm, even with RealmBox.  (#26)
  * inactive tokens will not work with the machine-app
  * Added MachineUser database moduel
  * PEP8 beautify
  * Add about dialog
  * added recommends for mysql and salt

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 18 Aug 2014 17:00:00 +0200

privacyidea (1.3~dev5-1) trusty; urgency=low

  * Allow login with admin@realm, even with RealmBox.  (#26)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Fri, 15 Aug 2014 15:37:00 +0200

privacyidea (1.3~dev4-1) trusty; urgency=low

  * fix minor bugs in selfservice portal

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 13 Aug 2014 17:40:00 +0200

privacyidea (1.3~dev3-1) trusty; urgency=low

  * add support for Daplug dongle in keyboard mode

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 12 Aug 2014 18:32:00 +0200

privacyidea (1.3~dev2-1) trusty; urgency=low

  * machine requires IP address
  * the machine-app listing also returns the information, if the token
    is active

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 11 Aug 2014 10:40:00 +0200


privacyidea (1.3~dev1-1) trusty; urgency=low

  * Added MachineUser database moduel
  * PEP8 beautify
  * Add about dialog
  * added recommends for mysql and salt
 
 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 06 Aug 2014 14:14:00 +0200

privacyidea (1.3~dev0-2) trusty; urgency=low

  * Fixed the missing run directory (#23)

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Thu, 31 Jul 2014 09:28:00 +0200
 
privacyidea (1.3~dev0-1) trusty; urgency=low

  * Fix resolver error #22

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 30 Jul 2014 16:24:00 +0200

privacyidea (1.2.2-1) trusty; urgency=low

  * Fixed the sqlsoup dependency

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Wed, 23 Jul 2014 17:57:00 +0200


privacyidea (1.2.1-1) trusty; urgency=low

  * machine controller: make the challenge usable also in normal mode

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Fri, 18 Jul 2014 16:51:00 +0200


privacyidea (1.2-1) trusty; urgency=low

  * Added 

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Tue, 15 Jul 2014 15:15:55 +0200

privacyidea (1.2~dev2-1) trusty; urgency=low

  * initial ubuntu release

 -- Cornelius Kölbel <cornelius@privacyidea.org>  Mon, 14 Jul 2014 18:56:55 +0200
