The Identity, Policy and Audit system
CentOS Sources
2015-12-08 2e93881d0d3d2a0ddd14caee6af8deff4484c3d6
import ipa-4.2.0-15.el7_2.3
16 files added
1 file deleted
3 files modified
1498 changed lines
SOURCES/0144-install-fix-command-line-option-validation.patch (60 lines)
SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch (28 lines)
SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch (111 lines)
SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch (73 lines)
SOURCES/0148-fix-caching-in-get_ipa_config.patch (31 lines)
SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch (56 lines)
SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch (221 lines)
SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch (62 lines)
SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch (38 lines)
SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch (117 lines)
SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch (40 lines)
SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch (33 lines)
SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch (381 lines)
SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch (33 lines)
SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch (39 lines)
SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch (37 lines)
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch (8 lines)
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch (8 lines)
SOURCES/ipa-centos-branding.patch (38 lines)
SPECS/ipa.spec (84 lines changed)
SOURCES/0144-install-fix-command-line-option-validation.patch
New file
@@ -0,0 +1,60 @@
From 4ab54ece01d015f6b4e58542e377f60bc6726815 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 2 Nov 2015 15:32:35 +0100
Subject: [PATCH] install: fix command line option validation
The code which calls the validators was accidentally removed, re-add it.
https://fedorahosted.org/freeipa/ticket/5386
https://fedorahosted.org/freeipa/ticket/5391
https://fedorahosted.org/freeipa/ticket/5392
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipapython/install/cli.py  | 7 +++++--
 ipapython/install/core.py | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipapython/install/cli.py b/ipapython/install/cli.py
index 1ba9a815c4c499dff0e7974f399f2de31eb932cd..f6cc0fc351fd1f9fc3f51987bbb938deca377fe1 100644
--- a/ipapython/install/cli.py
+++ b/ipapython/install/cli.py
@@ -275,7 +275,8 @@ class ConfigureTool(admintool.AdminTool):
         kwargs = {}
         transformed_cls = self._transform(self.configurable_class)
-        for owner_cls, name in transformed_cls.knobs():
+        knob_classes = {n: getattr(c, n) for c, n in transformed_cls.knobs()}
+        for name in knob_classes:
             value = getattr(self.options, name, None)
             if value is not None:
                 kwargs[name] = value
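Review bot: the dict comprehension on the `knob_classes` line discards the owner class, so if two classes yielded by `transformed_cls.knobs()` define a knob with the same name, the later one silently wins and the earlier owner's `cli_name` is never consulted in the error handler below. If duplicate knob names cannot occur, a one-line comment saying so would help; otherwise guard the map construction (for example assert the name is not already present) so the collision is caught rather than hidden.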
@@ -287,8 +288,10 @@ class ConfigureTool(admintool.AdminTool):
         try:
             cfgr = transformed_cls(**kwargs)
         except core.KnobValueError as e:
-            knob_cls = getattr(transformed_cls, e.name)
+            knob_cls = knob_classes[e.name]
             try:
+                if self.positional_arguments is None:
+                    raise IndexError
                 index = self.positional_arguments.index(e.name)
             except IndexError:
                 cli_name = knob_cls.cli_name or e.name.replace('_', '-')
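Review bot: raising `IndexError` by hand on the `if self.positional_arguments is None:` lines is control flow through an exception that is otherwise meant for `list.index`; a plain conditional (compute `index` only when the list exists, else fall into the `cli_name` branch) or catching `(IndexError, AttributeError)` would read more clearly. Also, `knob_classes[e.name]` now raises `KeyError` where the old `getattr(transformed_cls, e.name)` raised `AttributeError` if a `KnobValueError` names an unknown knob; either use `.get()` with a fallback or add a comment stating that `e.name` is always a knob from `knobs()`, so the assumption is explicit.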
diff --git a/ipapython/install/core.py b/ipapython/install/core.py
index c313c278e09cbf68e4f5c4b4c57f00d6e2870bea..91ae854cdb2a8846e2a2673a5bfe54b4f75f3823 100644
--- a/ipapython/install/core.py
+++ b/ipapython/install/core.py
@@ -226,7 +226,8 @@ class Configurable(object):
             except KeyError:
                 pass
             else:
-                setattr(self, name, value)
+                prop = knob_cls(self)
+                prop.__set__(self, value)
         if kwargs:
             extra = sorted(kwargs.keys())
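Review bot: the two new lines `prop = knob_cls(self)` / `prop.__set__(self, value)` are what restore validation (the descriptor's setter now runs instead of a bare `setattr`), but that only works if the descriptor raises `KnobValueError` with a `name` attribute, since the `cli.py` handler in this same patch reads `e.name`. Add a comment here explaining why the descriptor protocol is invoked explicitly; the commit message says the validator call was "accidentally removed", and an uncommented `__set__` call is exactly the kind of line a future cleanup would revert to `setattr`.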
--
2.4.3
SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
New file
@@ -0,0 +1,28 @@
From 11856273c3819b58f8b5aa28aab2046ff113ffbe Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 19 Nov 2015 08:50:05 +0100
Subject: [PATCH] install: export KRA agent PEM file in ipa-kra-install
https://fedorahosted.org/freeipa/ticket/5462
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/krainstance.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 69fe636732e6d3a8c1e0c460b641f061e519df92..0000192745b6d7f9f402267e435f7223f1bf8849 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -262,6 +262,8 @@ class KRAInstance(DogtagInstance):
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
+        export_kra_agent_pem()
+
         self.log.debug("completed creating KRA instance")
     def __create_kra_agent(self):
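Review bot: `export_kra_agent_pem()` is called as a bare name, but no import or definition appears in this hunk; confirm it exists in `krainstance.py` or is imported at module level. Because a KRA agent PEM typically bundles the agent certificate with its private key, also check that the function writes the file with owner-only permissions from the start (creating the file and chmod-ing afterwards leaves a window), since that behaviour is not visible in this change.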
--
2.4.3
SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
New file
@@ -0,0 +1,111 @@
From 09ead70bf9a081d8e2961a83d5dfe64d8f4c0399 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 9 Nov 2015 10:53:02 +0100
Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
This prevents errors when renewing other certificates during the renewal of
ipaCert.
https://fedorahosted.org/freeipa/ticket/5436
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/restart_scripts/Makefile.am       |  1 +
 install/restart_scripts/renew_ra_cert     |  5 ++++-
 install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
 ipaserver/install/cainstance.py           |  2 +-
 ipaserver/install/server/upgrade.py       |  4 ++--
 5 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100755 install/restart_scripts/renew_ra_cert_pre
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index 58057aa3198c892fc8ebb0df403495566ed77d1d..c4bf8195ea85ee0a9dba53fc2581e90c18a9127d 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -7,6 +7,7 @@ app_DATA =                              \
     renew_ca_cert            \
     renew_ra_cert            \
     stop_pkicad            \
+    renew_ra_cert_pre        \
     $(NULL)
 EXTRA_DIST =                            \
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 3a36f739ae53391e502356f7b6b4fd96a536c3a6..988ada946aed47d1f2b76c1add48ea8c8d64a161 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -77,8 +77,11 @@ def _main():
 def main():
-    with certs.renewal_lock:
+    try:
         _main()
+    finally:
+        # lock acquired in renew_ra_cert_pre
+        certs.renewal_lock.release('renew_ra_cert')
 try:
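Review bot: the `finally:` block on the `certs.renewal_lock.release('renew_ra_cert')` line releases a lock this process never acquired; per the comment it is taken by `renew_ra_cert_pre`, which certmonger runs as a separate pre-command process. That only works if `renewal_lock` is a cross-process lock keyed by the `'renew_ra_cert'` string and if `release()` tolerates the pre-command having failed to acquire it; otherwise an exception from `release()` inside `finally` would mask the original error from `_main()`. State both assumptions in the comment, or wrap the release so a failure there is logged rather than raised.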
diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
new file mode 100755
index 0000000000000000000000000000000000000000..d0f743c099162e4c5afd7d96287e58492246db35
--- /dev/null
+++ b/install/restart_scripts/renew_ra_cert_pre
@@ -0,0 +1,18 @@
+#!/usr/bin/python2 -E
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+import syslog
+import traceback
+
+from ipaserver.install import certs
+
+
+def main():
+    certs.renewal_lock.acquire('renew_ra_cert')
+
+try:
+    main()
+except Exception:
+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
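Review bot: the `try/except Exception` around `main()` logs a failed `acquire()` to syslog and then lets the script exit with status 0, so the caller cannot tell that the lock was not taken and the renewal proceeds unserialised, which defeats the atomicity this patch exists to add. Exit non-zero after logging (for example `sys.exit(1)`, with `import sys`) so the failure is visible to certmonger, and add a comment noting that `renew_ra_cert` is responsible for the matching `release()`.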
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dfe023c08c9b8d1b28f1659b7c5a6395f3afe879..d230c9bdcab68f02cce32a2aeb89ca3e2143eefe 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):
                 pin=None,
                 pinfile=paths.ALIAS_PWDFILE_TXT,
                 secdir=paths.HTTPD_ALIAS_DIR,
-                pre_command=None,
+                pre_command='renew_ra_cert_pre',
                 post_command='renew_ra_cert')
         except RuntimeError, e:
             self.log.error(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e0a45a097171613397db42e1c035f0d818a3ecf5..c8f744c392c7b859459bda63c1f397226553d4ba 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):
     dogtag_constants = dogtag.configured_constants()
     # bump version when requests is changed
-    version = 3
+    version = 4
     requests = (
         (
             dogtag_constants.ALIAS_DIR,
@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):
             paths.HTTPD_ALIAS_DIR,
             'ipaCert',
             'dogtag-ipa-ca-renew-agent',
-            None,
+            'renew_ra_cert_pre',
             'renew_ra_cert',
             None,
         ),
--
2.4.3
SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
New file
@@ -0,0 +1,73 @@
From a41ee5aef75e47667defc7b01b89a25309bd4c8d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 19 Nov 2015 14:33:49 +0100
Subject: [PATCH] suppress errors arising from adding existing LDAP entries
 during KRA install
https://fedorahosted.org/freeipa/ticket/5346
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/krainstance.py | 16 ++++++++++++++--
 ipaserver/install/service.py     |  4 +++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 0000192745b6d7f9f402267e435f7223f1bf8849..a2514debae600bdc46afb92e426a5f616529fde2 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -47,6 +47,8 @@ from ipapython.ipa_log_manager import log_mgr
 IPA_KRA_RECORD = "ipa-kra"
+LDAPMOD_ERR_ALREADY_EXISTS = 68
+
 class KRAInstance(DogtagInstance):
     """
     We assume that the CA has already been installed, and we use the
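Review bot: `LDAPMOD_ERR_ALREADY_EXISTS = 68` is correct for `ldapmodify`, which exits with the LDAP result code (68 is LDAP_ALREADY_EXISTS / entryAlreadyExists), but a bare 68 is opaque without a comment saying exactly that. Since the constant describes the exit status of the `_ldap_mod()` helper in `service.py`, it would be better placed next to that helper, where other callers of `raise_on_err=True` can reuse it.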
@@ -308,8 +310,18 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
     def __add_vault_container(self):
-        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
-        self.ldap_disconnect()
+        try:
+            self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
+                           raise_on_err=True)
+        except ipautil.CalledProcessError as e:
+            if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
+                self.log.debug("Vault container already exists")
+            else:
+                self.log.error("Failed to add vault container: {0}".format(e))
+        finally:
+            # we need to disconnect from LDAP, because _ldap_mod() makes the
+            # connection without actually using it
+            self.ldap_disconnect()
     def __apply_updates(self):
         sub_dict = {
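Review bot: in the new `except ipautil.CalledProcessError as e:` branch, any failure other than `LDAPMOD_ERR_ALREADY_EXISTS` is logged with `self.log.error()` and installation carries on, so a KRA with no vault container is reported as a successful install. If this is intended to preserve the old behaviour of `_ldap_mod()` (which only logged a critical message), say so in a comment; otherwise re-raise after logging. The `finally:` comment is good, but note that `self.ldap_disconnect()` now also runs on the exception path, which is a behaviour change worth a sentence in the commit message.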
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 2f5f565b16b42bf82889f9d32b80cf6fa584d438..597c20a60c712a6e521a7b9471f6732cceb27fe7 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -155,7 +155,7 @@ class Service(object):
         self.admin_conn.unbind()
         self.admin_conn = None
-    def _ldap_mod(self, ldif, sub_dict=None):
+    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
         pw_name = None
         fd = None
         path = ipautil.SHARE_DIR + ldif
@@ -199,6 +199,8 @@ class Service(object):
             try:
                 ipautil.run(args, nolog=nologlist)
             except ipautil.CalledProcessError, e:
+                if raise_on_err:
+                    raise
                 root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
         finally:
             if pw_name:
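Review bot: with `raise_on_err=True` the `root_logger.critical("Failed to load %s: %s" ...)` line is skipped, so callers who pass the new flag take over responsibility for logging the failure; `_ldap_mod` has no docstring, and one should be added describing the parameter and that contract. The `finally:` cleanup of `pw_name` still runs on the raise path, which is what you want here.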
--
2.4.3
SOURCES/0148-fix-caching-in-get_ipa_config.patch
New file
@@ -0,0 +1,31 @@
From 823340f96f16ee7924ba6ce54c8fe43e3ea41469 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 19 Nov 2015 13:25:49 +0100
Subject: [PATCH] fix caching in get_ipa_config
Different object types were compared, thus the result of the comparison was always
False and caching did not work.
https://fedorahosted.org/freeipa/ticket/5463
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/ldap2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index deb0592ab68ab8eb712a6d29fdffd8776e2e289a..5d2945f90f54ba2a099271a3715f4f9c14866e97 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -204,7 +204,7 @@ class ldap2(CrudBackend, LDAPClient):
         try:
             config_entry = getattr(context, 'config_entry')
-            if config_entry.conn is self.conn:
+            if config_entry.conn.conn is self.conn:
                 return config_entry
         except AttributeError:
             # Not in our context yet
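Review bot: `config_entry.conn.conn is self.conn` needs a comment. Per the commit message the old comparison pitted two different object types against each other; presumably the entry's `conn` is the `ldap2`/`LDAPClient` wrapper and its `.conn` is the raw connection that `self.conn` also refers to. Without that note the double `.conn` looks like a typo that the next reader will "fix" back to the broken form.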
--
2.4.3
SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
New file
@@ -0,0 +1,56 @@
From 64dc38643ead5cb00f3f42562a92769de10ef7b5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Fri, 20 Nov 2015 09:35:43 +0100
Subject: [PATCH] client install: do not corrupt OpenSSH config with Match
 sections
https://fedorahosted.org/freeipa/ticket/5461
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipa-client/ipa-install/ipa-client-install | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..543c6f027f2312792e7ad33533db8e7c10a3cddb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1330,6 +1330,7 @@ def change_ssh_config(filename, changes, sections):
     section_keys = tuple(key.lower() for key in sections)
     lines = []
+    in_section = False
     for line in f:
         line = line.rstrip('\n')
         pline = line.strip()
@@ -1338,7 +1339,7 @@ def change_ssh_config(filename, changes, sections):
             continue
         option = pline.split()[0].lower()
         if option in section_keys:
-            lines.append(line)
+            in_section = True
             break
         if option in change_keys:
             line = '#' + line
@@ -1346,6 +1347,9 @@ def change_ssh_config(filename, changes, sections):
     for option, value in changes.items():
         if value is not None:
             lines.append('%s %s' % (option, value))
+    if in_section:
+        lines.append('')
+        lines.append(line)
     for line in f:
         line = line.rstrip('\n')
         lines.append(line)
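Review bot: `lines.append(line)` under `if in_section:` relies on `line` still holding the `Host`/`Match` header from the first loop, which is only true because that loop `break`s immediately after setting `in_section = True`; binding the header to its own variable (for example `section_line = line`) would make the dependency explicit. The placement itself is right: ssh_config uses the first obtained value for each option, so the managed options must precede any `Host`/`Match` block to take effect, and a comment stating that rationale would protect it from future edits.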
@@ -1386,7 +1390,7 @@ def configure_ssh_config(fstore, options):
         changes['VerifyHostKeyDNS'] = 'yes'
         changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
-    change_ssh_config(ssh_config, changes, ['Host'])
+    change_ssh_config(ssh_config, changes, ['Host', 'Match'])
     root_logger.info('Configured %s', ssh_config)
 def configure_sshd_config(fstore, options):
--
2.4.3
SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
New file
@@ -0,0 +1,221 @@
From 7623bc99813156ce11167ae429a756f920258151 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 20 Nov 2015 11:53:06 +0100
Subject: [PATCH] upgrade: fix migration of old dns forward zones
Plugins should call self.api not the global one during upgrade
https://fedorahosted.org/freeipa/ticket/5472
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipalib/plugins/dns.py | 51 +++++++++++++++++++++++++++------------------------
 1 file changed, 27 insertions(+), 24 deletions(-)
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index a3d562edb186682a872073e6c83a416b6a4cbc09..37a2c64cbacae5cc5626f17fac68848768af3242 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -1735,7 +1735,7 @@ def _normalize_zone(zone):
     return zone
-def _get_auth_zone_ldap(name):
+def _get_auth_zone_ldap(api, name):
     """
     Find authoritative zone in LDAP for name. Only active zones are considered.
     :param name:
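Review bot: `_get_auth_zone_ldap` gains an `api` parameter but its docstring still lists only `:param name:`; add `:param api:` here (and in the other helpers changed in this patch) so the expectation that callers pass the plugin's own `self.api` rather than the global one is documented, which is the point of the fix per the commit message.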
@@ -1781,7 +1781,7 @@ def _get_auth_zone_ldap(name):
     return max(matched_auth_zones, key=len), truncated
-def _get_longest_match_ns_delegation_ldap(zone, name):
+def _get_longest_match_ns_delegation_ldap(api, zone, name):
     """
     Searches for deepest delegation for name in LDAP zone.
@@ -1857,7 +1857,7 @@ def _get_longest_match_ns_delegation_ldap(zone, name):
     return max(matched_records, key=len), truncated
-def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
+def _find_subtree_forward_zones_ldap(api, name, child_zones_only=False):
     """
     Search for forwardzone <name> and all child forwardzones
     Filter: (|(*.<name>.)(<name>.))
@@ -1911,7 +1911,7 @@ def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
     return result, truncated
-def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
+def _get_zone_which_makes_fw_zone_ineffective(api, fwzonename):
     """
     Check if forward zone is effective.
@@ -1936,12 +1936,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
     """
     assert isinstance(fwzonename, DNSName)
-    auth_zone, truncated_zone = _get_auth_zone_ldap(fwzonename)
+    auth_zone, truncated_zone = _get_auth_zone_ldap(api, fwzonename)
     if not auth_zone:
         return None, truncated_zone
     delegation_record_name, truncated_ns =\
-        _get_longest_match_ns_delegation_ldap(auth_zone, fwzonename)
+        _get_longest_match_ns_delegation_ldap(api, auth_zone, fwzonename)
     truncated = truncated_ns or truncated_zone
@@ -1951,12 +1951,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
     return auth_zone, truncated
-def _add_warning_fw_zone_is_not_effective(result, fwzone, version):
+def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
     """
     Adds warning message to result, if required
     """
     authoritative_zone, truncated = \
-        _get_zone_which_makes_fw_zone_ineffective(fwzone)
+        _get_zone_which_makes_fw_zone_ineffective(api, fwzone)
     if authoritative_zone:
         # forward zone is not effective and forwarding will not work
         messages.add_message(
@@ -2072,7 +2072,7 @@ class DNSZoneBase(LDAPObject):
     def _remove_permission(self, zone):
         permission_name = self.permission_name(zone)
         try:
-            api.Command['permission_del'](permission_name, force=True)
+            self.api.Command['permission_del'](permission_name, force=True)
         except errors.NotFound, e:
             if zone == DNSName.root:  # special case root zone
                 raise
@@ -2082,7 +2082,8 @@ class DNSZoneBase(LDAPObject):
                 zone.relativize(DNSName.root)
             )
             try:
-                api.Command['permission_del'](permission_name_rel, force=True)
+                self.api.Command['permission_del'](permission_name_rel,
+                                                   force=True)
             except errors.NotFound:
                 raise e  # re-raise original exception
@@ -2272,7 +2273,8 @@ class DNSZoneBase_add_permission(LDAPQuery):
                 keys[-1].relativize(DNSName.root)
             )
             try:
-                api.Object['permission'].get_dn_if_exists(permission_name_rel)
+                self.api.Object['permission'].get_dn_if_exists(
+                    permission_name_rel)
             except errors.NotFound:
                 pass
             else:
@@ -2283,7 +2285,7 @@ class DNSZoneBase_add_permission(LDAPQuery):
                     }
                 )
-        permission = api.Command['permission_add_noaci'](permission_name,
+        permission = self.api.Command['permission_add_noaci'](permission_name,
                          ipapermissiontype=u'SYSTEM'
                      )['result']
@@ -2643,12 +2645,12 @@ class dnszone(DNSZoneBase):
         """
         zone = keys[-1]
         affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
-            zone, child_zones_only=True)
+            self.api, zone, child_zones_only=True)
         if not affected_fw_zones:
             return
         for fwzone in affected_fw_zones:
-            _add_warning_fw_zone_is_not_effective(result, fwzone,
+            _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
                                                   options['version'])
@@ -2686,7 +2688,8 @@ class dnszone_add(DNSZoneBase_add):
         dn = super(dnszone_add, self).pre_callback(
             ldap, dn, entry_attrs, attrs_list, *keys, **options)
-        nameservers = [normalize_zone(x) for x in api.Object.dnsrecord.get_dns_masters()]
+        nameservers = [normalize_zone(x) for x in
+                       self.api.Object.dnsrecord.get_dns_masters()]
         server = normalize_zone(api.env.host)
         zone = keys[-1]
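Review bot: the `server = normalize_zone(api.env.host)` line still uses the global `api` while the lines immediately above were switched to `self.api`; for consistency with the rest of the patch, and so that plugins running during upgrade use their own api instance as the commit message requires, this should be `self.api.env.host`.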
@@ -2735,7 +2738,7 @@ class dnszone_add(DNSZoneBase_add):
                 not zone.is_reverse() and
                 zone != DNSName.root):
             try:
-                api.Command['realmdomains_mod'](add_domain=unicode(zone),
+                self.api.Command['realmdomains_mod'](add_domain=unicode(zone),
                                                 force=True)
             except (errors.EmptyModlist, errors.ValidationError):
                 pass
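Review bot: style only: after replacing `api.Command['realmdomains_mod'](` with `self.api.Command['realmdomains_mod'](`, the continuation line `force=True)` is no longer aligned with the opening parenthesis. The `dnszone_del` hunk below wraps the call onto its own line instead; the same treatment here would keep the two call sites consistent.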
@@ -2769,8 +2772,8 @@ class dnszone_del(DNSZoneBase_del):
                 not zone.is_reverse() and zone != DNSName.root
         ):
             try:
-                api.Command['realmdomains_mod'](del_domain=unicode(zone),
-                                                force=True)
+                self.api.Command['realmdomains_mod'](
+                    del_domain=unicode(zone), force=True)
             except (errors.AttrValueNotFound, errors.ValidationError):
                 pass
@@ -3476,12 +3479,12 @@ class dnsrecord(LDAPObject):
             record_name_absolute = record_name_absolute.derelativize(zone)
         affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
-            record_name_absolute)
+            self.api, record_name_absolute)
         if not affected_fw_zones:
             return
         for fwzone in affected_fw_zones:
-            _add_warning_fw_zone_is_not_effective(result, fwzone,
+            _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
                                                   options['version'])
@@ -3831,7 +3834,7 @@ class dnsrecord_mod(LDAPUpdate):
         # get DNS record first so that the NotFound exception is raised
         # before the helper would start
-        dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+        dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
         rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
         self.Backend.textui.print_plain(_("No option to modify specific record provided."))
@@ -4019,7 +4022,7 @@ class dnsrecord_del(LDAPUpdate):
         # get DNS record first so that the NotFound exception is raised
         # before the helper would start
-        dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+        dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
         rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
         self.Backend.textui.print_plain(_("No option to delete specific record provided."))
@@ -4334,7 +4337,7 @@ class dnsforwardzone(DNSZoneBase):
     def _warning_fw_zone_is_not_effective(self, result, *keys, **options):
         fwzone = keys[-1]
-        _add_warning_fw_zone_is_not_effective(result, fwzone,
+        _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
                                               options['version'])
     def _warning_if_forwarders_do_not_work(self, result, new_zone,
@@ -4374,7 +4377,7 @@ class dnsforwardzone(DNSZoneBase):
         # validation is configured just in named.conf per replica
         ipa_dns_masters = [normalize_zone(x) for x in
-                           api.Object.dnsrecord.get_dns_masters()]
+                           self.api.Object.dnsrecord.get_dns_masters()]
         if not ipa_dns_masters:
             # something very bad happened, DNS is installed, but no IPA DNS
--
2.4.3
SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
New file
@@ -0,0 +1,62 @@
From c54278c3c90bb5999e1b7c2ed745f6f2b2a83d19 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 20 Nov 2015 15:39:00 +1100
Subject: [PATCH] TLS and Dogtag HTTPS request logging improvements
Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).
Fix and tidy up some HTTP logging messages for Dogtag requests.
Part of: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipapython/dogtag.py | 9 ++++-----
 ipapython/nsslib.py | 3 ---
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 3f0d08154d21a3072e344c311c3e70e414d9dee4..26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -314,7 +314,7 @@ def _httplib_request(
     if isinstance(host, unicode):
         host = host.encode('utf-8')
     uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
-    root_logger.debug('request %r', uri)
+    root_logger.debug('request %s %s', method, uri)
     root_logger.debug('request body %r', request_body)
     headers = headers or {}
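Review bot: the new `'request %s %s', method, uri` message references `method`, which must be a parameter of `_httplib_request` (the signature is outside this hunk); confirm it is in scope. Separately, the unchanged `root_logger.debug('request body %r', request_body)` line still writes complete Dogtag request bodies at debug level; given that this commit is about reducing log noise, consider whether bodies should be logged at all, or truncated, since they can carry certificate requests and agent-authenticated payloads.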
@@ -337,9 +337,8 @@ def _httplib_request(
     except Exception, e:
         raise NetworkError(uri=uri, error=str(e))
-    root_logger.debug('request status %d',        http_status)
-    root_logger.debug('request reason_phrase %r', http_reason_phrase)
-    root_logger.debug('request headers %s',       http_headers)
-    root_logger.debug('request body %r',          http_body)
+    root_logger.debug('response status %d %s', http_status, http_reason_phrase)
+    root_logger.debug('response headers %s',   http_headers)
+    root_logger.debug('response body %r',      http_body)
     return http_status, http_reason_phrase, http_headers, http_body
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index def6b104e18fa67268a8c5a8629b533783fb5a95..79b8dc5be6a26cd6136ac62a4fa49572d765a9a0 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -39,9 +39,6 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
     cert = sock.get_peer_certificate()
-    root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
-                              check_sig, is_server, str(cert))
-
     pin_args = sock.get_pkcs11_pin_arg()
     if pin_args is None:
         pin_args = ()
--
2.4.3
SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
New file
@@ -0,0 +1,38 @@
From 08d26c374ae6198b5a1ec59556ca8814329b845f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 20 Nov 2015 15:59:11 +1100
Subject: [PATCH] Avoid race condition caused by profile delete and recreate
When importing IPA-managed certificate profiles into Dogtag,
profiles with the same name (usually caIPAserviceCert) are removed,
then immediately recreated with the new profile data.  This causes a
race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
thread could observe and process the deletion after the profile was
recreated, disappearing it again.
Update the profile instead of deleting and recreating it to avoid
this race condition.
Fixes: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d230c9bdcab68f02cce32a2aeb89ca3e2143eefe..3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
                     root_logger.debug(
                         "Failed to disable profile '%s' "
                         "(it is probably already disabled)")
-                profile_api.delete_profile(profile_id)
-                profile_api.create_profile(profile_data)
+                profile_api.update_profile(profile_id, profile_data)
         # enable the profile
         try:
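Review bot: the context line `"Failed to disable profile '%s' (it is probably already disabled)")` has a `%s` placeholder but no argument is passed to `root_logger.debug()`, so the message is logged with a literal `%s`; since this hunk edits the same block, pass `profile_id` as the argument. The switch to `profile_api.update_profile(profile_id, profile_data)` removes the delete/recreate window described in the commit message, but confirm that `update_profile` fails loudly when the profile does not exist, because the `create_profile` path that would previously have covered that case is now gone.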
--
2.4.3
SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
New file
@@ -0,0 +1,117 @@
From 87f6b21c9bc837cf90fc8b9d0708aeff060e48f3 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 23 Nov 2015 06:38:17 +0000
Subject: [PATCH] ipa-cacert-renew: Fix connection to ldap.
https://fedorahosted.org/freeipa/ticket/5468
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ipa_cacert_manage.py | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 01ec805fc2094326d119827b4358c143f45f3ec4..8790b7066d7641864f8d83c6339cd0a73c620be0 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -105,9 +105,7 @@ class CACertManage(admintool.AdminTool):
         if ((command == 'renew' and options.external_cert_files) or
             command == 'install'):
-            self.conn = self.ldap_connect()
-        else:
-            self.conn = None
+            self.ldap_connect()
         try:
             if command == 'renew':
@@ -115,23 +113,21 @@ class CACertManage(admintool.AdminTool):
             elif command == 'install':
                 rc = self.install()
         finally:
-            if self.conn is not None:
-                self.conn.disconnect()
+            if api.Backend.ldap2.isconnected():
+                api.Backend.ldap2.disconnect()
         return rc
     def ldap_connect(self):
-        conn = ldap2(api)
-
         password = self.options.password
         if not password:
             try:
                 ccache = krbV.default_context().default_ccache()
-                conn.connect(ccache=ccache)
+                api.Backend.ldap2.connect(ccache=ccache)
             except (krbV.Krb5Error, errors.ACIError):
                 pass
             else:
-                return conn
+                return
             password = installutils.read_password(
                 "Directory Manager", confirm=False, validate=False)
@@ -139,9 +135,8 @@ class CACertManage(admintool.AdminTool):
                 raise admintool.ScriptError(
                     "Directory Manager password required")
-        conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
-        return conn
     def renew(self):
         ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
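Review bot: The new `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)` line runs well past 79 columns; wrap `bind_pw=password` onto a continuation line aligned with the opening parenthesis, as `installutils.read_password(` does a few lines above.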
@@ -202,9 +197,10 @@ class CACertManage(admintool.AdminTool):
               "--external-cert-file=/path/to/external_ca_certificate")
     def renew_external_step_2(self, ca, old_cert):
-        print "Importing the renewed CA certificate, please wait"
+        print("Importing the renewed CA certificate, please wait")
         options = self.options
+        conn = api.Backend.ldap2
         cert_file, ca_file = installutils.load_external_cert(
             options.external_cert_files, x509.subject_base())
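Review bot: `conn = api.Backend.ldap2` silently assumes `run()` already connected the backend; that holds only because this method is reached exclusively through `renew` with `options.external_cert_files` set, which is the same condition that calls `ldap_connect()` in the first hunk. State that dependency in a comment (or assert `isconnected()`) so a future caller does not hit an unconnected backend. The `print` to `print()` conversion is an unrelated Python 3 compatibility change riding along in a connection fix and would be cleaner in its own commit.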
@@ -273,21 +269,21 @@ class CACertManage(admintool.AdminTool):
                 except RuntimeError:
                     break
                 certstore.put_ca_cert_nss(
-                    self.conn, api.env.basedn, ca_cert, nickname, ',,')
+                    conn, api.env.basedn, ca_cert, nickname, ',,')
         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
         try:
-            entry = self.conn.get_entry(dn, ['usercertificate'])
+            entry = conn.get_entry(dn, ['usercertificate'])
             entry['usercertificate'] = [cert]
-            self.conn.update_entry(entry)
+            conn.update_entry(entry)
         except errors.NotFound:
-            entry = self.conn.make_entry(
+            entry = conn.make_entry(
                 dn,
                 objectclass=['top', 'pkiuser', 'nscontainer'],
                 cn=[self.cert_nickname],
                 usercertificate=[cert])
-            self.conn.add_entry(entry)
+            conn.add_entry(entry)
         except errors.EmptyModlist:
             pass
@@ -362,7 +358,7 @@ class CACertManage(admintool.AdminTool):
         try:
             certstore.put_ca_cert_nss(
-                self.conn, api.env.basedn, cert, nickname, trust_flags)
+                api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
         except ValueError, e:
             raise admintool.ScriptError(
                 "Failed to install the certificate: %s" % e)
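Review bot: The context line `except ValueError, e:` is Python 2-only syntax; since this patch already converts `print` to the function form in the same file, change it to `except ValueError as e:` while the surrounding lines are being touched.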
--
2.4.3
SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
New file
@@ -0,0 +1,40 @@
From 23adad20399216198b34d9eadaf53b95f755d0be Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 23 Nov 2015 07:48:40 +0000
Subject: [PATCH] ipa-otptoken-import: Fix connection to ldap.
https://fedorahosted.org/freeipa/ticket/5475
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ipa_otptoken_import.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 386ca4273c413d9f6a121956d0db3f0c44fe5c24..9be44cfe677a7d33ce3ec7725e23fdbf8141190a 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -507,10 +507,9 @@ class OTPTokenImport(admintool.AdminTool):
         api.bootstrap(in_server=True)
         api.finalize()
-        conn = ldap2(api)
         try:
             ccache = krbV.default_context().default_ccache()
-            conn.connect(ccache=ccache)
+            api.Backend.ldap2.connect(ccache=ccache)
         except (krbV.Krb5Error, errors.ACIError):
             raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
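Review bot: The `except (krbV.Krb5Error, errors.ACIError)` clause maps an `ACIError` (bound successfully, but not authorised) onto the message "Unable to connect to LDAP! Did you kinit?", which sends an administrator with a valid ticket but insufficient rights down the wrong path. Report the two cases separately, or at least include the caught exception in the message. The move to `api.Backend.ldap2.connect` is correctly placed after `api.finalize()`, which is what populates `api.Backend`.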
@@ -525,7 +524,7 @@ class OTPTokenImport(admintool.AdminTool):
                     self.log.info("Added token: %s", keypkg.id)
                     keypkg.remove()
         finally:
-            conn.disconnect()
+            api.Backend.ldap2.disconnect()
         # Write out the XML file without the tokens that succeeded.
         self.doc.save(self.output)
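Review bot: `api.Backend.ldap2.disconnect()` is called unconditionally here, whereas the equivalent `finally` in patch 0153 guards it with `isconnected()`. It is safe in this tool because the `ScriptError` raised in the previous hunk aborts before this `try` is entered, so the connection is always open by the time the `finally` runs; adding the same guard would keep the two tools consistent and protect against a future reordering.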
--
2.4.3
SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
New file
@@ -0,0 +1,33 @@
From b5aec7bdc5a164133b247925c41d1d41e29a63e5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 23 Nov 2015 12:09:32 +1100
Subject: [PATCH] Do not erroneously reinit NSS in Dogtag interface
The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY.  Do not reinitialise NSS when it has already
been initialised with the given dbdir.
Part of: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipapython/dogtag.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f..8996902ba92f0fdd6106e2650c2decde375c593b 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, nickname,
     """
     def connection_factory(host, port):
-        conn = nsslib.NSSConnection(host, port, dbdir=secdir,
+        no_init = secdir == nsslib.current_dbdir
+        conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
                                     tls_version_min=api.env.tls_version_min,
                                     tls_version_max=api.env.tls_version_max)
         conn.set_debuglevel(0)
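Review bot: `no_init = secdir == nsslib.current_dbdir` is a plain string comparison against a module-level global: a `secdir` that differs only by a trailing slash or a symlink from the directory NSS was initialised with compares unequal, triggers the re-init and reproduces the `SEC_ERROR_BUSY` this patch is meant to avoid, while a `current_dbdir` left stale after an NSS shutdown would skip an init that is actually needed. Compare normalised paths (`os.path.realpath` on both sides) and document where `nsslib.current_dbdir` is set and cleared so the invariant is visible to the next reader.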
--
2.4.3
SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch
New file
@@ -0,0 +1,381 @@
From 5fb869896c9ed6327f5f004022cdee42f758f78c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 23 Nov 2015 12:09:32 +1100
Subject: [PATCH] Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 install/share/Makefile.am                    |   1 -
 install/share/default-caacl.ldif             |  11 ---
 install/updates/50-dogtag10-migration.update |   1 +
 ipalib/plugins/caacl.py                      |   8 +++
 ipaserver/install/ca.py                      |   5 +-
 ipaserver/install/cainstance.py              | 100 ++++++++++++++++++++-------
 ipaserver/install/dsinstance.py              |   4 --
 ipaserver/install/server/replicainstall.py   |   3 +
 ipaserver/install/server/upgrade.py          |  13 +---
 9 files changed, 90 insertions(+), 56 deletions(-)
 delete mode 100644 install/share/default-caacl.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e..e4cca8708ab0042d6cb37eba31341e53e3cdac4d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -29,7 +29,6 @@ app_DATA =                \
     bootstrap-template.ldif        \
     caJarSigningCert.cfg.template    \
     default-aci.ldif        \
-    default-caacl.ldif        \
     default-hbac.ldif        \
     default-smb-group.ldif        \
     default-trust-view.ldif        \
diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif
deleted file mode 100644
index f3cd5b4d4e3a79bc6638dc1ffdd7028596ded254..0000000000000000000000000000000000000000
--- a/install/share/default-caacl.ldif
+++ /dev/null
@@ -1,11 +0,0 @@
-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
-changetype: add
-objectclass: ipaassociation
-objectclass: ipacaacl
-ipauniqueid: autogenerate
-cn: hosts_services_caIPAserviceCert
-ipaenabledflag: TRUE
-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
-hostcategory: all
-servicecategory: all
diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644
--- a/install/updates/50-dogtag10-migration.update
+++ b/install/updates/50-dogtag10-migration.update
@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
 replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
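Review bot: The `certServer.profile.configuration` rule added here is the same string as the first entry of `new_rules` in `configure_profiles_acl` (cainstance.py in this patch); keep the two in sync, ideally from one shared constant, and confirm the updater does not append a second identical `resourceACLS` value when the rule is already present, since the attribute is multi-valued. The `certServer.ca.account` rule that `configure_profiles_acl` also adds is not mirrored in this update file, so masters that only run the updater end up with a different ACL set from those that run `configure_profiles_acl`; check which path covers upgraded masters.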
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..64dbec16e11e9fa2a67287b195b4bd1180a379e7 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):
     msg_summary = _('Deleted CA ACL "%(value)s"')
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if keys[0] == 'hosts_services_caIPAserviceCert':
+            raise errors.ProtectedEntryError(
+                label=_("CA ACL"),
+                key=keys[0],
+                reason=_("default CA ACL can be only disabled"))
+        return dn
+
 @register()
 class caacl_mod(LDAPUpdate):
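Review bot: `pre_callback` protects the default ACL by comparing `keys[0]` with the literal `hosts_services_caIPAserviceCert`, a name that is also hardcoded in `ensure_default_caacl` and, before this patch, in `upgrade.py`; move it to one shared constant so the three cannot drift. Because the check is name-based, any other ACL an administrator happens to create with that name becomes undeletable, and a default ACL that was renamed loses its protection; if that is acceptable, say so in a comment. The reason text reads better as "default CA ACL can only be disabled".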
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 498cc48a742d1b2d862eb9dfdb18743cfb211b78..0de992cb0c15f8161aae4937699baae2a94d305a 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -126,9 +126,10 @@ def install_step_0(standalone, replica_config, options):
         if standalone:
             api.Backend.ldap2.disconnect()
-        cainstance.install_replica_ca(replica_config, postinstall)
+        cainstance.install_replica_ca(replica_config, postinstall,
+                ra_p12=getattr(options, 'ra_p12', None))
-        if standalone:
+        if standalone and not api.Backend.ldap2.isconnected():
             api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                                       bind_pw=dm_password)
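Review bot: The reconnect is now skipped when `api.Backend.ldap2` is already connected, which happens because `install_replica_ca` can return with the backend connected by `ensure_default_caacl` (added later in this patch and reworked in 0157/0158). In that case the remaining standalone steps run on a connection opened with `autobind=True` instead of the Directory Manager bind with `dm_password` that this branch makes; confirm the two bind identities carry the same rights for everything that follows, or disconnect and rebind explicitly. Style: the continuation line `ra_p12=getattr(options, 'ra_p12', None))` should align under the opening parenthesis of the call.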
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49..189876f3c0d980e78165d73eed86b2830ac8c5b8 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -391,7 +391,7 @@ class CAInstance(DogtagInstance):
                            cert_file=None, cert_chain_file=None,
                            master_replication_port=None,
                            subject_base=None, ca_signing_algorithm=None,
-                           ca_type=None):
+                           ca_type=None, ra_p12=None):
         """Create a CA instance.
            For Dogtag 9, this may involve creating the pki-ca instance.
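Review bot: `ra_p12` is added to the `configure_instance` signature but the docstring directly below is not updated; document that it is the path to a PKCS#12 file holding the RA agent certificate, used on clones instead of requesting a new RA certificate, and that passing it suppresses certmonger renewal setup (`configure_renewal=False` in the step added in the next hunk).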
@@ -465,7 +465,10 @@ class CAInstance(DogtagInstance):
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__create_ca_agent)
-                self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
+            elif ra_p12 is not None:
+                self.step("importing RA certificate from PKCS #12 file",
+                          lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
+            self.step("authorizing RA to modify profiles", configure_profiles_acl)
             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
             if not self.clone:
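Review bot: With the `elif ra_p12 is not None` branch, a clone for which `ra_p12` is `None` runs neither the RA-request steps nor the PKCS#12 import, yet the profile steps added in the next hunk (`migrate_profiles_to_ldap`, `import_included_profiles`) now run for clones as well and need a working RA certificate. `replicainstall.py` in this patch sets `options.ra_p12` only when `cacert.p12` exists, so either confirm every clone install path supplies it or fail early with a clear error rather than deep inside profile import. The step "authorizing RA to modify profiles" also moves out of the non-clone branch; that looks intentional but deserves a comment.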
@@ -473,9 +476,12 @@ class CAInstance(DogtagInstance):
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
-            if not self.clone:
-                self.step("restarting certificate server", self.restart_instance)
-                self.step("Importing IPA certificate profiles", import_included_profiles)
+            self.step("restarting certificate server", self.restart_instance)
+            self.step("migrating certificate profiles to LDAP",
+                      migrate_profiles_to_ldap)
+            self.step("importing IPA certificate profiles",
+                      import_included_profiles)
+            self.step("adding default CA ACL", ensure_default_caacl)
         self.start_creation(runtime=210)
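Review bot: `ensure_default_caacl` is registered as a CA instance step but, unlike the other helpers in this file that open their own ldapi `conn`, it works through the shared `api.Backend.ldap2` and (as written in this patch) leaves it connected; that leak is what patches 0157 and 0158 on this page fix afterwards. Consider making the step self-contained like `import_included_profiles` so the instance steps do not change the global backend state that `ca.py` then has to probe with `isconnected()`.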
@@ -887,7 +893,7 @@ class CAInstance(DogtagInstance):
         export_kra_agent_pem()
-    def import_ra_cert(self, rafile):
+    def import_ra_cert(self, rafile, configure_renewal=True):
         """
         Cloned RAs will use the same RA agent cert as the master so we
         need to import from a PKCS#12 file.
@@ -903,7 +909,8 @@ class CAInstance(DogtagInstance):
         finally:
             os.remove(agent_name)
-        self.configure_agent_renewal()
+        if configure_renewal:
+            self.configure_agent_renewal()
         export_kra_agent_pem()
@@ -953,10 +960,6 @@ class CAInstance(DogtagInstance):
         conn.disconnect()
-    def __configure_profiles_acl(self):
-        """Allow the Certificate Manager Agents group to modify profiles."""
-        configure_profiles_acl()
-
     def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
         if not database:
             database = self.ra_agent_db
@@ -1491,7 +1494,7 @@ def replica_ca_install_check(config):
         exit('IPA schema missing on master CA directory server')
-def install_replica_ca(config, postinstall=False):
+def install_replica_ca(config, postinstall=False, ra_p12=None):
     """
     Install a CA on a replica.
@@ -1533,7 +1536,7 @@ def install_replica_ca(config, postinstall=False):
         ca.create_ra_agent_db = False
     ca.configure_instance(config.host_name, config.domain_name,
                           config.dirman_password, config.dirman_password,
-                          pkcs12_info=(cafile,),
+                          pkcs12_info=(cafile,), ra_p12=ra_p12,
                           master_host=config.master_host_name,
                           master_replication_port=config.ca_ds_port,
                           subject_base=config.subject_base)
@@ -1658,6 +1661,14 @@ def update_people_entry(dercert):
     return True
 def ensure_ldap_profiles_container():
+    ensure_entry(
+        DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
+        objectclass=['top', 'organizationalUnit'],
+        ou=['certificateProfiles'],
+    )
+
+
+def ensure_entry(dn, **attrs):
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
@@ -1665,40 +1676,39 @@ def ensure_ldap_profiles_container():
     if not conn.isconnected():
         conn.connect(autobind=True)
-    dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
     try:
         conn.get_entry(dn)
     except errors.NotFound:
         # entry doesn't exist; add it
-        entry = conn.make_entry(
-            dn,
-            objectclass=['top', 'organizationalUnit'],
-            ou=['certificateProfiles'],
-        )
+        entry = conn.make_entry(dn, **attrs)
         conn.add_entry(entry)
     conn.disconnect()
 def configure_profiles_acl():
+    """Allow the Certificate Manager Agents group to modify profiles."""
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     updated = False
     dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
-    rule = (
+    new_rules = [
         'certServer.profile.configuration:read,modify:allow (read,modify) '
         'group="Certificate Manager Agents":'
-        'Certificate Manager agents may modify (create/update/delete) and read profiles'
-    )
-    modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
+        'Certificate Manager agents may modify (create/update/delete) and read profiles',
+
+        'certServer.ca.account:login,logout:allow (login,logout) '
+        'user="anybody":Anybody can login and logout',
+    ]
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
     if not conn.isconnected():
         conn.connect(autobind=True)
-    rules = conn.get_entry(dn).get('resourceACLS', [])
-    if rule not in rules:
-        conn.conn.modify_s(str(dn), modlist)
+    cur_rules = conn.get_entry(dn).get('resourceACLS', [])
+    add_rules = [rule for rule in new_rules if rule not in cur_rules]
+    if add_rules:
+        conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])
         updated = True
     conn.disconnect()
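Review bot: Two points in this hunk. In `ensure_entry`, `conn.disconnect()` is not in a `finally`, so any exception other than `NotFound` (for example `DuplicateEntry` when racing another installer, or an ACI error) leaks the ldapi connection; the same holds for the `conn.disconnect()` at the end of `configure_profiles_acl`. Also, the `certServer.ca.account:login,logout:allow (login,logout) user="anybody"` rule appears in `new_rules` without being mentioned in the commit message or mirrored in `50-dogtag10-migration.update`; explain why the RA needs it and keep the two rule lists in sync. Minor: `ensure_entry` opens a fresh connection per call and is now invoked up to four times back to back from `import_included_profiles` and `ensure_default_caacl`; accepting an existing `conn` would avoid that.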
@@ -1718,6 +1728,17 @@ def import_included_profiles():
     if not conn.isconnected():
         conn.connect(autobind=True)
+    ensure_entry(
+        DN(('cn', 'ca'), api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['ca'],
+    )
+    ensure_entry(
+        DN(api.env.container_certprofile, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['certprofiles'],
+    )
+
     api.Backend.ra_certprofile._read_password()
     api.Backend.ra_certprofile.override_port = 8443
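Review bot: The second `ensure_entry` builds the DN from `api.env.container_certprofile` but hardcodes `cn=['certprofiles']`; if the configured container RDN ever differs from `cn=certprofiles`, the entry's naming attribute no longer matches its RDN and the add is rejected. Derive the `cn` value from the RDN of the DN being created instead of repeating the literal.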
@@ -1823,6 +1844,33 @@ def _create_dogtag_profile(profile_id, profile_data):
                 "(it is probably already enabled)")
+def ensure_default_caacl():
+    """Add the default CA ACL if missing."""
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except errors.PublicError as e:
+            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+            return
+
+    ensure_entry(
+        DN(('cn', 'ca'), api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['ca'],
+    )
+    ensure_entry(
+        DN(api.env.container_caacl, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['certprofiles'],
+    )
+
+    if not api.Command.caacl_find()['result']:
+        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+            hostcategory=u'all', servicecategory=u'all')
+        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+            certprofile=(u'caIPAserviceCert',))
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
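Review bot: Logic problem in the second `ensure_entry` call: the DN comes from `api.env.container_caacl`, but `cn=['certprofiles']` is copied from the certificate-profile container; the value must match the caacl container RDN (the deleted `default-caacl.ldif` used `cn=caacls,cn=ca,$SUFFIX`), otherwise the add fails as a naming violation or leaves an entry whose `cn` disagrees with its RDN. Second, `if not api.Command.caacl_find()['result']` adds the default only when no CA ACL at all exists, so a server that already has any other ACL never gets the default; look up the named ACL (e.g. `caacl_show` and catch `NotFound`) instead. Third, the function connects `api.Backend.ldap2` and never disconnects it, and on connection failure it logs and returns so callers cannot tell the ACL was not created; both are picked up by 0157/0158 and by the `upgrade.py` hunk below.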
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f33a9e03a4148dde69fc61441c878f5126f8e455..d78158532c4c88d9aa9acf3c65d278f5151458d8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -310,7 +310,6 @@ class DsInstance(service.Service):
         self.step("adding range check plugin", self.__add_range_check_plugin)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
-        self.step("creating default CA ACL rule", self.add_caacl)
         self.step("adding entries for topology management", self.__add_topology_entries)
         self.__common_post_setup()
@@ -745,9 +744,6 @@ class DsInstance(service.Service):
     def add_hbac(self):
         self._ldap_mod("default-hbac.ldif", self.sub_dict)
-    def add_caacl(self):
-        self._ldap_mod("default-caacl.ldif", self.sub_dict)
-
     def change_admin_password(self, password):
         root_logger.debug("Changing admin password")
         dirname = config_dirname(self.serverid)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6f9a6141fe9af44806244ce52df59c191dc966b0..6e9157cabc49161ba27983cbf1de1428d1b48b7d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -573,6 +573,9 @@ def install(installer):
         options.domain_name = config.domain_name
         options.host_name = config.host_name
+        if ipautil.file_exists(config.dir + "/cacert.p12"):
+            options.ra_p12 = config.dir + "/ra.p12"
+
         ca.install(False, config, options)
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
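Review bot: The condition tests `config.dir + "/cacert.p12"` but sets `options.ra_p12` to `config.dir + "/ra.p12"` without ever checking that `ra.p12` exists; a replica file that carries `cacert.p12` but no `ra.p12` then fails later inside `import_ra_cert` with a less informative error. Test for `ra.p12` itself (or both files) and use `os.path.join` for the paths.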
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c8f744c392c7b859459bda63c1f397226553d4ba..945cb3ebd63767cb1d57083e1da7c5605ac5a2f9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1321,18 +1321,7 @@ def add_default_caacl(ca):
         return
     if ca.is_configured():
-        if not api.Backend.ldap2.isconnected():
-            try:
-                api.Backend.ldap2.connect(autobind=True)
-            except ipalib.errors.PublicError as e:
-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
-                return
-
-        if not api.Command.caacl_find()['result']:
-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
-                hostcategory=u'all', servicecategory=u'all')
-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
-                certprofile=(u'caIPAserviceCert',))
+        cainstance.ensure_default_caacl()
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
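Review bot: `sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)` is recorded even when `cainstance.ensure_default_caacl()` returned early because LDAP was unreachable (it logs the error and returns instead of raising), so a failed attempt is marked done and never retried on the next upgrade. The removed inline code had the same flaw (the bare `return` inside the `if`), but now it is hidden behind a helper; have `ensure_default_caacl` raise or return a status and set the upgrade state only on success. Also check whether the `ipalib.errors` import is still used in this module after the removal.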
--
2.4.3
SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
New file
@@ -0,0 +1,33 @@
From 245f54de1d4e2189b1234000916a7d591fa151b9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 24 Nov 2015 14:43:10 +0100
Subject: [PATCH] disconnect ldap2 backend after adding default CA ACL profiles
ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.
https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/cainstance.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 189876f3c0d980e78165d73eed86b2830ac8c5b8..c72d11d1e0b86c040dc497744cda87aab22caafd 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1870,6 +1870,9 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
+    if api.Backend.ldap2.isconnected():
+        api.Backend.ldap2.disconnect()
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
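Review bot: Disconnecting whenever `isconnected()` is true fixes the leak but tears down a connection the caller may have opened (the standalone path in `ca.py` from patch 0156 reconnects only when the backend is not already connected, so it will now always rebind). Track whether this function opened the connection and disconnect only in that case; patch 0158 on this page does exactly that.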
--
2.4.3
SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch
New file
@@ -0,0 +1,39 @@
From bce98a84720aa6ffdec72e923248719c3cbea8d3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 24 Nov 2015 16:40:52 +0100
Subject: [PATCH] do not disconnect when using existing connection to check
 default CA ACLs
https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c72d11d1e0b86c040dc497744cda87aab22caafd..c20bf39c12cff0777d90efad2b0d8d136ee37ec9 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1846,7 +1846,8 @@ def _create_dogtag_profile(profile_id, profile_data):
 def ensure_default_caacl():
     """Add the default CA ACL if missing."""
-    if not api.Backend.ldap2.isconnected():
+    is_already_connected = api.Backend.ldap2.isconnected()
+    if not is_already_connected:
         try:
             api.Backend.ldap2.connect(autobind=True)
         except errors.PublicError as e:
@@ -1870,7 +1871,7 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
-    if api.Backend.ldap2.isconnected():
+    if not is_already_connected:
         api.Backend.ldap2.disconnect()
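Review bot: Ownership is tracked correctly now, but the disconnect is skipped when `ensure_entry`, `caacl_add` or `caacl_add_profile` raises after the connect succeeded, which brings back the leaked connection for exactly the error cases that crash later install stages. Put `if not is_already_connected: api.Backend.ldap2.disconnect()` in a `finally` around the body.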
--
2.4.3
SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
New file
@@ -0,0 +1,37 @@
From c466f49b39869ec9817cda4a0485b00a14c52782 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 25 Nov 2015 09:57:07 +0100
Subject: [PATCH] Fix upgrade of forwardzones when zone is in realmdomains
https://fedorahosted.org/freeipa/ticket/5472
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipalib/plugins/realmdomains.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index c53340591bd0f0f02fcc9db3142b74197aff551b..54c07a7a11a23e82717a30e4ac8a50502bfc7b51 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -185,7 +185,7 @@ class realmdomains_mod(LDAPUpdate):
             if d == api.env.domain:
                 continue
             try:
-                api.Command['dnsrecord_add'](
+                self.api.Command['dnsrecord_add'](
                     unicode(d),
                     u'_kerberos',
                     txtrecord=api.env.realm
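Review bot: Switching to `self.api.Command['dnsrecord_add']` (and `dnsrecord_del` in the next hunk) is the right fix for a plugin that may be registered on a non-global API instance, but the context lines in both hunks still read `api.env.domain` and `api.env.realm` from the global `api`, so the plugin now mixes two API instances; use `self.api.env` as well. The `unicode(d)` call on the context line is Python 2-only and will need attention in the same place later.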
@@ -200,7 +200,7 @@ class realmdomains_mod(LDAPUpdate):
             if d == api.env.domain:
                 continue
             try:
-                api.Command['dnsrecord_del'](
+                self.api.Command['dnsrecord_del'](
                     unicode(d),
                     u'_kerberos',
                     txtrecord=api.env.realm
--
2.4.3
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
From b8147e3295b16164f62d05a78dfd25bfa6f178e2 Mon Sep 17 00:00:00 2001
From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
@@ -108,10 +108,10 @@
         cli_metavar='NAME',
     )
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfea0c922e1 100644
index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -655,6 +655,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
 
     no_pkinit = Knob(
         bool, False,
@@ -120,5 +120,5 @@
     )
 
-- 
2.5.1
2.4.3
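Review bot: Rebase-only change, no functional review needed: the commit id, the blob index hashes for `replicainstall.py`, the hunk offsets (655 to 658, matching the three lines 0156 inserts in that file) and the git version trailer are the only differences, and the same holds for the 1009 rebase below. The rendering here has lost the leading `+`/`-` markers, so old and new lines appear side by side.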
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
@@ -1,4 +1,4 @@
From e5e637ffe268e7a8d6fe893baac181bf1f74ee86 Mon Sep 17 00:00:00 2001
From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
@@ -29,10 +29,10 @@
     try:
         check_IPA_configuration()
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..37b1547b815cbf08b2e32c6266d073e1635a1c84 100755
index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -3047,6 +3047,10 @@ def main():
@@ -3051,6 +3051,10 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
@@ -76,5 +76,5 @@
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-- 
2.5.1
2.4.3
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -35,7 +35,7 @@
Name:           ipa
Version:        4.2.0
Release:        15%{?dist}
Release:        15%{?dist}.3
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -43,10 +43,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
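Review bot: `Source1` to `Source4` toggle between commented and active in this hunk (the markers are lost in this rendering), and `SOURCES/ipa-centos-branding.patch` is deleted in this commit; whichever form lands, the build either ships the Red Hat Identity Management images or no replacement branding at all. State in the changelog which branding the CentOS package is meant to carry, and keep this hunk consistent with the `cp %SOURCE1..4` hunk further down.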
@@ -194,6 +194,22 @@
Patch0141:      0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch
Patch0142:      0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch
Patch0143:      0143-vault-fix-private-service-vault-creation.patch
Patch0144:      0144-install-fix-command-line-option-validation.patch
Patch0145:      0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
Patch0146:      0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
Patch0147:      0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
Patch0148:      0148-fix-caching-in-get_ipa_config.patch
Patch0149:      0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
Patch0150:      0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
Patch0151:      0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
Patch0152:      0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
Patch0153:      0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
Patch0154:      0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
Patch0155:      0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
Patch0156:      0156-Add-profiles-and-default-CA-ACL-on-migration.patch
Patch0157:      0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
Patch0158:      0158-do-not-disconnect-when-using-existing-connection-to-.patch
Patch0159:      0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
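Review bot: `Patch0144` through `Patch0159` are declared here, but the `%prep` section that has to apply them is not part of this diff; confirm a matching `%patch0144` .. `%patch0159` line (with the same `-p` level as the existing ones) was added for each, since a declared but unapplied patch silently leaves the fix out of the build.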
@@ -205,7 +221,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
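Review bot: `Patch1011: ipa-centos-branding.patch` goes away together with the file (`File was deleted` above); confirm the corresponding `%patch1011` application line in `%prep` is removed as well, otherwise `rpmbuild` fails in `%prep` with a missing patch.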
@@ -337,7 +352,7 @@
Requires: %{etc_systemd_dir}
Requires: gzip
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
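Review bot: this hunk flips between `# Requires: redhat-access-plugin-ipa` and `Requires: redhat-access-plugin-ipa`, but the rendered view does not mark which is the old and which the new line, so please confirm the intended direction. The line sits between the `# RHEL spec file only: START` and `END` markers: an active `Requires:` on a package that is absent from the target repositories makes the server package uninstallable, while a commented-out one silently drops a dependency the RHEL build relies on. A one-line comment stating why it is enabled or disabled for this build would spare the next rebase the same question.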
@@ -546,10 +561,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
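Review bot: the comment `# Red Hat's Identity Management branding` no longer describes what the four `cp %SOURCE1` to `cp %SOURCE4` lines do once they are switched on for a build whose changelog says "Roll in CentOS Branding"; update it to say whose images `%SOURCE1` through `%SOURCE4` now are. The rendered diff also does not show which side of each `#cp`/`cp` pair is the removed one, and the `Source1:` through `Source4:` declarations are outside this hunk, so verify that they point at the image files this build actually ships, since a stale `%SOURCEn` makes the `cp` fail at build time rather than at review time.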
@@ -1146,8 +1161,51 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Thu Nov 19 2015 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos
- Roll in CentOS Branding
* Wed Nov 25 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.3
- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
  upgrade from RHEL 7.0 to RHEL 7.2
  - Fix upgrade of forwardzones when zone is in realmdomains
* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.2
- Resolves: #1283890 installer options are not validated at the beginning of
  installation
  - Fix incorrectly rebased patch 0144
- Resolves: #1284803 Default CA ACL rule is not created during
  ipa-replica-install
  - disconnect ldap2 backend after adding default CA ACL profiles
  - do not disconnect when using existing connection to check default CA ACLs
* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.1
- Resolves: #1283882 IPA certificate auto renewal fail with "Invalid
  Credential"
  - cert renewal: make renewal of ipaCert atomic
- Resolves: #1283883 ipa upgrade causes vault internal error
  - install: export KRA agent PEM file in ipa-kra-install
- Resolves: #1283884 ipa-kra-install: fails to apply updates
  - suppress errors arising from adding existing LDAP entries during KRA
    install
- Resolves: #1283890 installer options are not validated at the beginning of
  installation
  - install: fix command line option validation
- Resolves: #1283915 Caching of ipaconfig does not work in framework
  - fix caching in get_ipa_config
- Resolves: #1284025 sshd_config change on ipa-client-install can prevent sshd
  from starting up
  - client install: do not corrupt OpenSSH config with Match sections
- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
  upgrade from RHEL 7.0 to RHEL 7.2
  - upgrade: fix migration of old dns forward zones
- Resolves: #1284803 Default CA ACL rule is not created during
  ipa-replica-install
  - TLS and Dogtag HTTPS request logging improvements
  - Avoid race condition caused by profile delete and recreate
  - Do not erroneously reinit NSS in Dogtag interface
  - Add profiles and default CA ACL on migration
- Resolves: #1284811 ipa-cacert-manage renew fails on nonexistent ldap
  connection
  - ipa-cacert-renew: Fix connection to ldap.
- Resolves: #1284813 ipa-otptoken-import fails on nonexistent ldap connection
  - ipa-otptoken-import: Fix connection to ldap.
* Tue Oct 13 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
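Review bot: the changelog is out of date order. The `* Thu Nov 19 2015 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos` entry is placed above `* Wed Nov 25 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.3`, and `%changelog` is expected newest-first (newer rpmbuild versions warn when it is not); either re-date the CentOS entry to the day of this import or move it below the 15.3 entry. Its release string `4.2.0-15.el7.centos` also does not correspond to any of the releases listed beneath it (15.3, 15.2, 15.1, 15), so a reader of `rpm -q --changelog` cannot tell which base the branding was rolled onto; use the full release of the package this spec actually produces.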