The Identity, Policy and Audit system
CentOS Sources
2016-11-03 403b09ab980c02ef36095973349a13e0181c794a
import ipa-4.4.0-12.el7
136 files added
209 files deleted
11 files modified
Diffstat total: 33344

Changed files (path, lines changed):

.gitignore 2
.ipa.metadata 2
SOURCES/0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch 34
SOURCES/0001-Start-dirsrv-for-kdcproxy-upgrade.patch 72
SOURCES/0002-Fix-DNS-records-installation-for-replicas.patch 33
SOURCES/0002-uninstall-untrack-lightweight-CA-certs.patch 31
SOURCES/0003-Prevent-to-rename-certprofile-profile-id.patch 29
SOURCES/0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch 28
SOURCES/0004-Stageusedr-activate-show-username-instead-of-DN.patch 36
SOURCES/0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch 28
SOURCES/0005-copy-schema-to-ca-allow-to-overwrite-schema-files.patch 72
SOURCES/0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch 40
SOURCES/0006-kdb-check-for-local-realm-in-enterprise-principals.patch 89
SOURCES/0006-spec-file-Update-minimum-required-version-of-krb5.patch 48
SOURCES/0007-Enable-vault-commands-on-client.patch 70
SOURCES/0007-do-not-import-memcache-on-client.patch 41
SOURCES/0008-selinux-enable-httpd_run_ipa-to-allow-communicating-.patch 49
SOURCES/0008-vault-add-set-the-default-vault-type-on-the-client-s.patch 38
SOURCES/0009-caacl-expand-plugin-documentation.patch 66
SOURCES/0009-oddjob-avoid-chown-keytab-to-sssd-if-sssd-user-does-.patch 50
SOURCES/0010-host-find-do-not-show-SSH-key-by-default.patch 30
SOURCES/0010-webui-fix-user-reset-password-dialog.patch 61
SOURCES/0011-Removed-unused-method-parameter-from-migrate-ds.patch 31
SOURCES/0011-fix-hbac-rule-search-for-non-admin-users.patch 35
SOURCES/0012-Preserve-user-principal-aliases-during-rename-operat.patch 92
SOURCES/0012-fix-selinuxusermap-search-for-non-admin-users.patch 30
SOURCES/0013-Validate-adding-privilege-to-a-permission.patch 113
SOURCES/0013-messages-specify-message-type-for-ResultFormattingEr.patch 31
SOURCES/0014-migration-Use-api.env-variables.patch 85
SOURCES/0014-schema-Fix-subtopic-topic-mapping.patch 29
SOURCES/0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch 93
SOURCES/0015-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch 44
SOURCES/0016-Allow-value-no-for-replica-certify-all-attr-in-abort.patch 68
SOURCES/0016-Heap-corruption-in-ipapwd-plugin.patch 41
SOURCES/0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch 29
SOURCES/0017-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch 68
SOURCES/0018-enable-debugging-of-ntpd-during-client-installation.patch 71
SOURCES/0018-frontend-copy-command-arguments-to-output-params-on-.patch 39
SOURCES/0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch 152
SOURCES/0019-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch 288
SOURCES/0020-allow-value-output-param-in-commands-without-primary.patch 157
SOURCES/0020-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch 138
SOURCES/0021-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch 503
SOURCES/0021-server-uninstall-fails-to-remove-krb-principals.patch 51
SOURCES/0022-expose-secret-option-in-radiusproxy-commands.patch 32
SOURCES/0022-ipaplatform-Add-constants-submodule.patch 147
SOURCES/0023-DNS-check-if-DNS-package-is-installed.patch 170
SOURCES/0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch 37
SOURCES/0024-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch 76
SOURCES/0024-trust-add-handle-all-raw-options-properly.patch 89
SOURCES/0025-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch 26
SOURCES/0025-unite-log-file-name-of-ipa-ca-install.patch 54
SOURCES/0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch 95
SOURCES/0026-fix-broken-search-for-users-by-their-manager.patch 72
SOURCES/0027-dcerpc-Add-get_trusted_domain_object_type-method.patch 62
SOURCES/0027-help-Add-dnsserver-commands-to-help-topic-dns.patch 67
SOURCES/0028-DNS-Locations-fix-update-system-records-unpacking-er.patch 35
SOURCES/0028-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch 98
SOURCES/0029-Fix-session-cookies.patch 136
SOURCES/0029-idviews-Enforce-objectclass-check-in-idoverride-del.patch 52
SOURCES/0030-Use-copy-when-replacing-files-to-keep-SELinux-contex.patch 38
SOURCES/0030-idviews-Check-for-the-Default-Trust-View-only-if-app.patch 50
SOURCES/0031-baseldap-Fix-MidairCollision-instantiation-during-en.patch 38
SOURCES/0031-replication-Fix-incorrect-exception-invocation.patch 26
SOURCES/0032-Create-indexes-for-krbCanonicalName-attribute.patch 54
SOURCES/0032-webui-add-Kerberos-configuration-instructions-for-Ch.patch 149
SOURCES/0033-Remove-ico-files-from-Makefile.patch 32
SOURCES/0033-harden-the-check-for-trust-namespace-overlap-in-new-.patch 43
SOURCES/0034-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch 47
SOURCES/0034-Revert-Enable-vault-commands-on-client.patch 65
SOURCES/0035-ULC-Fix-stageused-add-from-delete-command.patch 46
SOURCES/0035-client-fix-hiding-of-commands-which-lack-server-supp.patch 93
SOURCES/0036-Minor-fix-in-ipa-replica-manage-MAN-page.patch 51
SOURCES/0036-webui-fix-regressions-failed-auth-messages.patch 79
SOURCES/0037-Validate-vault-s-file-parameters.patch 139
SOURCES/0037-compat-fix-ping-call.patch 31
SOURCES/0038-certprofile-import-do-not-require-profileId-in-profi.patch 58
SOURCES/0038-replica-install-Fix-domain.patch 71
SOURCES/0039-idrange-fix-unassigned-global-variable.patch 33
SOURCES/0039-user-show-add-out-option-to-save-certificates-to-fil.patch 109
SOURCES/0040-re-set-canonical-principal-name-on-migrated-users.patch 86
SOURCES/0040-store-certificates-issued-for-user-entries-as-userCe.patch 158
SOURCES/0041-Do-not-initialize-API-in-ipa-client-automount-uninst.patch 41
SOURCES/0041-Fix-incorrect-type-comparison-in-trust-fetch-domains.patch 30
SOURCES/0042-Correct-path-to-HTTPD-s-systemd-service-directory.patch 37
SOURCES/0042-Fix-selector-of-protocol-for-LSA-RPC-binding-string.patch 37
SOURCES/0043-dcerpc-Simplify-generation-of-LSA-RPC-binding-string.patch 29
SOURCES/0043-vault-Catch-correct-exception-in-decrypt.patch 30
SOURCES/0044-Fixed-missing-KRA-agent-cert-on-replica.patch 53
SOURCES/0044-Increase-default-length-of-auto-generated-passwords.patch 138
SOURCES/0045-vault-add-missing-salt-option-to-vault_mod.patch 31
SOURCES/0045-webui-add-LDAP-vs-Kerberos-behavior-description-to-u.patch 89
SOURCES/0046-Fix-ipa-hbactest-output.patch 46
SOURCES/0046-Fix-upgrade-of-sidgen-and-extdom-plugins.patch 99
SOURCES/0047-Give-more-info-on-virtual-command-access-denial.patch 30
SOURCES/0047-install-fix-external-CA-cert-validation.patch 31
SOURCES/0048-Allow-SAN-extension-for-cert-request-self-service.patch 33
SOURCES/0048-caacl-fix-regression-in-rule-instantiation.patch 52
SOURCES/0049-Add-profile-for-DNP3-IEC-62351-8-certificates.patch 180
SOURCES/0049-Update-ipa-replica-install-documentation.patch 45
SOURCES/0050-Work-around-python-nss-bug-on-unrecognised-OIDs.patch 50
SOURCES/0050-ipa-kdb-Fix-unit-test-after-packaging-changes-in-krb.patch 29
SOURCES/0051-Improvements-for-the-ipa-cacert-manage-man-and-help.patch 117
SOURCES/0051-adtrust-install-Correctly-determine-4.2-FreeIPA-serv.patch 35
SOURCES/0052-Revert-spec-add-conflict-with-bind-chroot-to-freeipa.patch 35
SOURCES/0052-certprofile-import-improve-profile-format-documentat.patch 31
SOURCES/0053-Fix-default-CA-ACL-added-during-upgrade.patch 31
SOURCES/0053-Fix-unicode-characters-in-ca-and-domain-adders.patch 41
SOURCES/0054-Fix-KRB5PrincipalName-UPN-SAN-comparison.patch 35
SOURCES/0054-ipa-backup-backup-etc-tmpfiles.d-dirsrv-instance-.co.patch 52
SOURCES/0055-adjust-search-so-that-it-works-for-non-admin-users.patch 95
SOURCES/0055-client-RPM-require-initscripts-to-get-domainname.ser.patch 28
SOURCES/0056-parameters-move-the-confirm-kwarg-to-Param.patch 89
SOURCES/0056-validate-mutually-exclusive-options-in-vault-add.patch 38
SOURCES/0057-client-add-missing-output-params-to-client-side-comm.patch 95
SOURCES/0057-idranges-raise-an-error-when-local-IPA-ID-range-is-b.patch 110
SOURCES/0058-install-Fix-server-and-replica-install-options.patch 211
SOURCES/0058-server-install-Fix-hostname-option-to-always-overrid.patch 52
SOURCES/0059-certprofile-add-profile-format-explanation.patch 49
SOURCES/0059-install-Call-hostnamectl-set-hostname-only-if-hostna.patch 148
SOURCES/0060-ULC-Prevent-preserved-users-from-being-assigned-memb.patch 155
SOURCES/0060-schema-Speed-up-schema-cache.patch 415
SOURCES/0061-Asymmetric-vault-validate-public-key-in-client.patch 45
SOURCES/0061-frontend-Change-doc-summary-topic-and-NO_CLI-to-clas.patch 378
SOURCES/0062-add-permission-System-Manage-User-Certificates.patch 64
SOURCES/0062-schema-Introduce-schema-cache-format.patch 48
SOURCES/0063-Add-permission-for-bypassing-CA-ACL-enforcement.patch 86
SOURCES/0063-schema-Generate-bits-for-help-load-them-on-request.patch 162
SOURCES/0064-Added-CLI-param-and-ACL-for-vault-service-operations.patch 383
SOURCES/0064-help-Do-not-create-instances-to-get-information-abou.patch 77
SOURCES/0065-Fix-ipa-caalc-add-service-error-message.patch 31
SOURCES/0065-trusts-Detect-missing-Samba-instance.patch 189
SOURCES/0066-Don-t-show-force-ntpd-option-in-replica-install.patch 42
SOURCES/0066-winsync-migrate-Add-warning-about-passsync.patch 38
SOURCES/0067-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch 62
SOURCES/0067-winsync-migrate-Expand-the-man-page.patch 57
SOURCES/0068-DNS-allow-to-add-forward-zone-to-already-broken-sub-.patch 32
SOURCES/0068-fix-typo-in-BasePathNamespace-member-pointing-to-ods.patch 55
SOURCES/0069-cert-speed-up-cert-find.patch 479
SOURCES/0069-ipa-backup-archive-DNSSEC-zone-file-and-kasp.db.patch 28
SOURCES/0070-baseldap-Allow-overriding-member-param-label-in-LDAP.patch 40
SOURCES/0070-cert-do-not-crash-on-invalid-data-in-cert-find.patch 81
SOURCES/0071-Add-warning-about-only-one-existing-CA-server.patch 151
SOURCES/0071-vault-Fix-param-labels-in-output-of-vault-owner-comm.patch 59
SOURCES/0072-Fixed-vault-container-ownership.patch 60
SOURCES/0072-Set-servers-list-as-default-facet-in-topology-facet-.patch 32
SOURCES/0073-schema-cache-Do-not-reset-ServerInfo-dirty-flag.patch 32
SOURCES/0073-vault-normalize-service-principal-in-service-vault-o.patch 36
SOURCES/0074-schema-cache-Do-not-read-fingerprint-and-format-from.patch 86
SOURCES/0074-vault-validate-vault-type.patch 87
SOURCES/0075-Access-data-for-help-separately.patch 121
SOURCES/0075-install-Fix-replica-install-with-custom-certificates.patch 43
SOURCES/0076-frontent-Add-summary-class-property-to-CommandOverri.patch 34
SOURCES/0076-trusts-harden-trust-fetch-domains-oddjobd-based-scri.patch 135
SOURCES/0077-schema-cache-Read-server-info-only-once.patch 50
SOURCES/0077-user-undel-Fix-error-messages.patch 41
SOURCES/0078-Prohibit-deletion-of-predefined-profiles.patch 87
SOURCES/0078-schema-cache-Store-API-schema-cache-in-memory.patch 125
SOURCES/0079-client-Do-not-create-instance-just-to-check-isinstan.patch 97
SOURCES/0079-improve-the-handling-of-krb5-related-errors-in-dnsse.patch 92
SOURCES/0080-client-Add-support-for-multiple-IP-addresses-during-.patch 398
SOURCES/0080-schema-cache-Read-schema-instead-of-rewriting-it-whe.patch 104
SOURCES/0081-schema-check-Check-current-client-language-against-c.patch 57
SOURCES/0081-vault-Fix-vault-find-with-criteria.patch 28
SOURCES/0082-Fail-on-topology-disconnect-last-role-removal.patch 51
SOURCES/0082-vault-Add-container-information-to-vault-command-res.patch 112
SOURCES/0083-Server-Upgrade-Start-DS-before-CA-is-started.patch 61
SOURCES/0083-server-install-do-not-prompt-for-cert-file-PIN-repea.patch 98
SOURCES/0084-cert-request-remove-allowed-extensions-check.patch 72
SOURCES/0084-service-add-flag-to-allow-S4U2Self.patch 122
SOURCES/0085-Add-trusted-to-auth-as-user-checkbox.patch 50
SOURCES/0085-client-Add-description-of-ip-address-and-all-ip-addr.patch 33
SOURCES/0086-Added-new-authentication-method.patch 79
SOURCES/0086-Backup-resore-authentication-control-configuration.patch 115
SOURCES/0087-Add-flag-to-list-all-service-and-user-vaults.patch 179
SOURCES/0087-schema-cache-Fallback-to-en_us-when-locale-is-not-av.patch 39
SOURCES/0088-Add-user-stage-command.patch 205
SOURCES/0088-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch 132
SOURCES/0089-Fix-container-owner-should-be-able-to-add-vault.patch 34
SOURCES/0089-trusts-format-Kerberos-principal-properly-when-fetch.patch 46
SOURCES/0090-Change-internal-rsa_-public-private-_key-variable-na.patch 52
SOURCES/0090-ipaserver-dcerpc-reformat-to-make-the-code-closer-to.patch 1005
SOURCES/0091-improve-the-usability-of-ipa-user-del-preserve-comma.patch 170
SOURCES/0091-trust-automatically-resolve-DNS-trust-conflicts-for-.patch 382
SOURCES/0092-DNSSEC-fix-forward-zone-forwarders-checks.patch 47
SOURCES/0092-trust-make-sure-external-trust-topology-is-correctly.patch 90
SOURCES/0093-Added-support-for-changing-vault-encryption.patch 656
SOURCES/0093-trust-make-sure-ID-range-is-created-for-the-child-do.patch 71
SOURCES/0094-ipa-kdb-simplify-trusted-domain-parent-search.patch 87
SOURCES/0094-vault-change-default-vault-type-to-symmetric.patch 115
SOURCES/0095-Remove-Custodia-server-keys-from-LDAP.patch 78
SOURCES/0095-fix-missing-information-in-object-metadata.patch 51
SOURCES/0096-Handled-empty-hostname-in-server-del-command.patch 42
SOURCES/0096-webui-add-option-to-establish-bidirectional-trust.patch 46
SOURCES/0097-Removed-clear-text-passwords-from-KRA-install-log.patch 95
SOURCES/0097-Secure-permissions-of-Custodia-server.keys.patch 69
SOURCES/0098-Require-httpd-2.4.6-31-with-mod_proxy-Unix-socket-su.patch 45
SOURCES/0098-certprofile-prevent-rename-modrdn.patch 30
SOURCES/0099-Fix-ipa-server-install-in-pure-IPv6-environment.patch 34
SOURCES/0099-vault-Limit-size-of-data-stored-in-vault.patch 57
SOURCES/0100-ipactl-Do-not-start-stop-restart-single-service-mult.patch 89
SOURCES/0100-support-multiple-uid-values-in-schema-compatibility-.patch 53
SOURCES/0101-cert-renewal-Include-KRA-users-in-Dogtag-LDAP-update.patch 46
SOURCES/0101-custodia-include-known-CA-certs-in-the-PKCS-12-file-.patch 43
SOURCES/0102-cert-renewal-Automatically-update-KRA-agent-PEM-file.patch 45
SOURCES/0102-otptoken-permission-Convert-custom-type-parameters-o.patch 46
SOURCES/0103-DNSSEC-remove-DNSSEC-is-experimental-warnings.patch 72
SOURCES/0103-Raise-DuplicatedEnrty-error-when-user-exists-in-dele.patch 61
SOURCES/0104-Backup-back-up-the-hosts-file.patch 27
SOURCES/0104-cert-add-missing-param-values-to-cert-find-output.patch 32
SOURCES/0105-certprofile-remove-rename-option.patch 74
SOURCES/0105-rpcserver-assume-version-1-for-unversioned-command-c.patch 130
SOURCES/0106-Installer-do-not-modify-etc-hosts-before-user-agreem.patch 235
SOURCES/0106-custodia-force-reconnect-before-retrieving-CA-certs-.patch 34
SOURCES/0107-DNSSEC-backup-and-restore-opendnssec-zone-list-file.patch 43
SOURCES/0107-rpcserver-fix-crash-in-XML-RPC-system-commands.patch 59
SOURCES/0108-DNSSEC-remove-ccache-and-keytab-of-ipa-ods-exporter.patch 63
SOURCES/0108-compat-Save-server-s-API-version-in-for-pre-schema-s.patch 346
SOURCES/0109-DNSSEC-prevent-ipa-ods-exporter-from-looping-after-s.patch 47
SOURCES/0109-compat-Fix-ping-command-call.patch 30
SOURCES/0110-DNSSEC-Fix-deadlock-in-ipa-ods-exporter-ods-enforcer.patch 97
SOURCES/0110-Fix-man-page-ipa-replica-manage-remove-duplicate-c-o.patch 36
SOURCES/0111-DNSSEC-Fix-HSM-synchronization-in-ipa-dnskeysyncd-wh.patch 27
SOURCES/0111-cert-include-CA-name-in-cert-command-output.patch 112
SOURCES/0112-DNSSEC-Fix-key-metadata-export.patch 32
SOURCES/0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch 55
SOURCES/0113-DNSSEC-Wrap-master-key-using-RSA-OAEP-instead-of-old.patch 40
SOURCES/0113-do-not-use-trusted-forest-name-to-construct-domain-a.patch 37
SOURCES/0114-Always-fetch-forest-info-from-root-DCs-when-establis.patch 85
SOURCES/0114-ldap-Make-ldap2-connection-management-thread-safe-ag.patch 177
SOURCES/0115-Using-LDAPI-to-setup-CA-and-KRA-agents.patch 271
SOURCES/0115-factor-out-populate_remote_domain-method-into-module.patch 132
SOURCES/0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch 67
SOURCES/0116-load-RA-backend-plugins-during-standalone-CA-install.patch 35
SOURCES/0117-Handle-timeout-error-in-ipa-httpd-kdcproxy.patch 39
SOURCES/0117-cli-use-full-name-when-executing-a-command.patch 31
SOURCES/0118-Server-Upgrade-backup-CS.cfg-when-dogtag-is-turned-o.patch 36
SOURCES/0118-Use-RSA-OAEP-instead-of-RSA-PKCS-1-v1.5.patch 33
SOURCES/0119-Fix-ipa-certupdate-for-CA-less-installation.patch 44
SOURCES/0119-IPA-Restore-allows-to-specify-files-that-should-be-r.patch 75
SOURCES/0120-Track-lightweight-CAs-on-replica-installation.patch 208
SOURCES/0120-config-allow-user-host-attributes-with-tagging-optio.patch 35
SOURCES/0121-dns-normalize-record-type-read-interactively-in-dnsr.patch 36
SOURCES/0121-winsync-Add-inetUser-objectclass-to-the-passsync-sys.patch 52
SOURCES/0122-baseldap-make-subtree-deletion-optional-in-LDAPDelet.patch 37
SOURCES/0122-dns-prompt-for-missing-record-parts-in-CLI.patch 201
SOURCES/0123-dns-fix-crash-in-interactive-mode-against-old-server.patch 106
SOURCES/0123-vault-add-vault-container-commands.patch 364
SOURCES/0124-schema-cache-Store-and-check-info-for-pre-schema-ser.patch 393
SOURCES/0124-vault-set-owner-to-current-user-on-container-creatio.patch 50
SOURCES/0125-Fix-parse-errors-with-link-local-addresses.patch 38
SOURCES/0125-vault-update-access-control.patch 51
SOURCES/0126-Add-support-for-additional-options-taken-from-table-.patch 104
SOURCES/0126-vault-add-permissions-and-administrator-privilege.patch 196
SOURCES/0127-WebUI-Fix-showing-certificates-issued-by-sub-CA.patch 57
SOURCES/0127-install-support-KRA-update.patch 213
SOURCES/0128-WebUI-add-support-for-sub-CAs-while-revoking-certifi.patch 252
SOURCES/0128-webui-use-manual-Firefox-configuration-for-Firefox-4.patch 130
SOURCES/0129-cert-fix-cert-find-certificate-when-the-cert-is-not-.patch 46
SOURCES/0129-ipa-backup-Add-mechanism-to-store-empty-directory-st.patch 130
SOURCES/0130-Make-host-service-cert-revocation-aware-of-lightweig.patch 184
SOURCES/0130-install-create-kdcproxy-user-during-server-install.patch 131
SOURCES/0131-Fix-regression-introduced-in-ipa-certupdate.patch 33
SOURCES/0131-destroy-httpd-ccache-after-stopping-the-service.patch 27
SOURCES/0132-Start-named-during-configuration-upgrade.patch 48
SOURCES/0132-platform-add-option-to-create-home-directory-when-ad.patch 70
SOURCES/0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch 54
SOURCES/0133-install-fix-kdcproxy-user-home-directory.patch 57
SOURCES/0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch 60
SOURCES/0134-winsync-migrate-Convert-entity-names-to-posix-friend.patch 104
SOURCES/0135-winsync-migrate-Properly-handle-collisions-in-the-na.patch 57
SOURCES/0136-Fix-an-integer-underflow-bug-in-libotp.patch 37
SOURCES/0137-do-not-overwrite-files-with-local-users-groups-when-.patch 50
SOURCES/0138-install-fix-KRA-agent-PEM-file-permissions.patch 153
SOURCES/0139-install-always-export-KRA-agent-PEM-file.patch 97
SOURCES/0140-vault-select-a-server-with-KRA-for-vault-operations.patch 72
SOURCES/0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch 32
SOURCES/0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch 33
SOURCES/0143-vault-fix-private-service-vault-creation.patch 53
SOURCES/0144-install-fix-command-line-option-validation.patch 60
SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch 28
SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch 111
SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch 73
SOURCES/0148-fix-caching-in-get_ipa_config.patch 31
SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch 56
SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch 221
SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch 62
SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch 38
SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch 117
SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch 40
SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch 33
SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch 381
SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch 33
SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch 39
SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch 37
SOURCES/0160-Fix-version-comparison.patch 114
SOURCES/0161-DNS-fix-file-permissions.patch 40
SOURCES/0162-Explicitly-call-chmod-on-newly-created-directories.patch 121
SOURCES/0163-Fix-replace-mkdir-with-chmod.patch 31
SOURCES/0164-DNSSEC-Improve-error-reporting-from-ipa-ods-exporter.patch 38
SOURCES/0165-DNSSEC-Make-sure-that-current-state-in-OpenDNSSEC-ma.patch 174
SOURCES/0166-DNSSEC-Make-sure-that-current-key-state-in-LDAP-matc.patch 51
SOURCES/0167-DNSSEC-remove-obsolete-TODO-note.patch 28
SOURCES/0168-DNSSEC-add-debug-mode-to-ldapkeydb.py.patch 105
SOURCES/0169-DNSSEC-logging-improvements-in-ipa-ods-exporter.patch 69 ●●●●● patch | view | raw | blame | history
SOURCES/0170-DNSSEC-remove-keys-purged-by-OpenDNSSEC-from-master-.patch 248 ●●●●● patch | view | raw | blame | history
SOURCES/0171-DNSSEC-ipa-dnskeysyncd-Skip-zones-with-old-DNSSEC-me.patch 125 ●●●●● patch | view | raw | blame | history
SOURCES/0172-DNSSEC-ipa-ods-exporter-add-ldap-cleanup-command.patch 142 ●●●●● patch | view | raw | blame | history
SOURCES/0173-DNSSEC-ipa-dnskeysyncd-call-ods-signer-ldap-cleanup-.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0174-DNSSEC-Log-debug-messages-at-log-level-DEBUG.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0175-Allow-to-used-mixed-case-for-sysrestore.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/0176-prevent-crash-of-CA-less-server-upgrade-due-to-absen.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/0177-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch 251 ●●●●● patch | view | raw | blame | history
SOURCES/0178-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch 112 ●●●●● patch | view | raw | blame | history
SOURCES/0179-ipalib-assume-version-2.0-when-skip_version_check-is.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0180-always-start-certmonger-during-IPA-server-configurat.patch 87 ●●●●● patch | view | raw | blame | history
SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch 145 ●●●●● patch | view | raw | blame | history
SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0183-installer-Propagate-option-values-from-components-in.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch 78 ●●●●● patch | view | raw | blame | history
SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch 294 ●●●●● patch | view | raw | blame | history
SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch 279 ●●●●● patch | view | raw | blame | history
SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/0194-Warn-user-if-trust-is-broken.patch 115 ●●●●● patch | view | raw | blame | history
SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0198-Fix-connections-to-DS-during-installation.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0199-Fix-broken-trust-warnings.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch 118 ●●●●● patch | view | raw | blame | history
SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch 89 ●●●●● patch | view | raw | blame | history
SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch 115 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch 172 ●●●●● patch | view | raw | blame | history
SOURCES/1002-Remove-pkinit-plugin.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch 47 ●●●● patch | view | raw | blame | history
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch 330 ●●●● patch | view | raw | blame | history
SOURCES/1005-Remove-pylint-from-build-process.patch 37 ●●●● patch | view | raw | blame | history
SOURCES/1006-Remove-i18test-from-build-process.patch 10 ●●●● patch | view | raw | blame | history
SOURCES/1007-Do-not-build-tests.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/1008-RCUE.patch 4 ●●●● patch | view | raw | blame | history
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/1009-Revert-Increased-mod_wsgi-socket-timeout.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/1010-WebUI-add-API-browser-is-experimental-warning.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/1010-WebUI-add-API-browser-is-tech-preview-warning.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 1856 ●●●●● patch | view | raw | blame | history
.gitignore
@@ -1,4 +1,4 @@
SOURCES/freeipa-4.2.0.tar.gz
SOURCES/freeipa-4.4.0.tar.gz
SOURCES/header-logo.png
SOURCES/login-screen-background.jpg
SOURCES/login-screen-logo.png
.ipa.metadata
@@ -1,4 +1,4 @@
40a1587de7d78f4e01bfb3775ab3f4e264c56e4c SOURCES/freeipa-4.2.0.tar.gz
441ef8cb2b0ac103723d03b0478da641d697e104 SOURCES/freeipa-4.4.0.tar.gz
77c318cf1f4fc25cf847de0692a77859a767c0e3 SOURCES/header-logo.png
8727245558422bf966d60677568925f081b8e299 SOURCES/login-screen-background.jpg
24a29d79efbd0906777be4639957abda111fca4b SOURCES/login-screen-logo.png
SOURCES/0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch
New file
@@ -0,0 +1,34 @@
From 808772d7426dae6924c62ca327116c3152729a8e Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 1 Jul 2016 11:55:47 +0200
Subject: [PATCH] Fix incorrect check for principal type when evaluating CA
 ACLs
This error prevented hosts from requesting certificates for themselves.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipaserver/plugins/caacl.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7efb9e554abcb8dd2946eea73065c93414..9a60f7e27809c4f41b160647efafde94dbe90bf0 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -64,8 +64,10 @@ def _acl_make_request(principal_type, principal, ca_id, profile_id):
     req = pyhbac.HbacRequest()
     req.targethost.name = ca_id
     req.service.name = profile_id
-    if principal_type == 'user' or principal_type == 'host':
+    if principal_type == 'user':
         req.user.name = principal.username
+    elif principal_type == 'host':
+        req.user.name = principal.hostname
     elif principal_type == 'service':
         req.user.name = unicode(principal)
     groups = []
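Review bot: the `if`/`elif` chain has no final `else`, so an unexpected `principal_type` leaves `req.user.name` unset and the HBAC request is evaluated with no requester name at all; raising explicitly (for example `raise ValueError(principal_type)`) would make the CA ACL check fail closed rather than depend on how pyhbac treats a missing name. The user/host split itself is right: a host principal carries `hostname`, not `username`, which is why the old combined branch broke host self-enrolment.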
--
2.9.0
SOURCES/0001-Start-dirsrv-for-kdcproxy-upgrade.patch
File was deleted
SOURCES/0002-Fix-DNS-records-installation-for-replicas.patch
File was deleted
SOURCES/0002-uninstall-untrack-lightweight-CA-certs.patch
New file
@@ -0,0 +1,31 @@
From 8235b85d6960356fd49affca40b1b609f3cae827 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 4 Jul 2016 13:05:28 +1000
Subject: [PATCH] uninstall: untrack lightweight CA certs
Fixes: https://fedorahosted.org/freeipa/ticket/6020
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/cainstance.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5e3e8c7f9a1845b82d23de589f804aa065387b38..070498fe8a394802ea55f848a268e2b6563ec472 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1127,6 +1127,12 @@ class CAInstance(DogtagInstance):
         """
         super(CAInstance, self).stop_tracking_certificates(False)
+        # stop tracking lightweight CA signing certs
+        for request_id in certmonger.get_requests_for_dir(self.nss_db):
+            nickname = certmonger.get_request_value(request_id, 'key-nickname')
+            if nickname.startswith('caSigningCert cert-pki-ca '):
+                certmonger.stop_tracking(self.nss_db, nickname=nickname)
+
         try:
             certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
         except RuntimeError as e:
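Review bot: the new loop is not guarded the way the `ipaCert` call directly below it is (`try: ... except RuntimeError`), so a certmonger failure on one lightweight CA request aborts the whole untracking step instead of continuing to the next request. If `get_request_value(request_id, 'key-nickname')` can return `None` for a request without that field, `.startswith` will also raise; `if nickname and nickname.startswith(...)` plus the same `try`/`except RuntimeError` pattern around `stop_tracking` would keep uninstall going. The prefix `'caSigningCert cert-pki-ca '` (with the trailing space) correctly excludes the main CA signing cert nickname, which is worth a comment.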
--
2.4.3
SOURCES/0003-Prevent-to-rename-certprofile-profile-id.patch
File was deleted
SOURCES/0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch
New file
@@ -0,0 +1,28 @@
From db7950c119f71df018ae1759933c0a8dca1072df Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 4 Jul 2016 13:33:10 +0200
Subject: [PATCH] ipa-nis-manage: Use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6027
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 install/tools/ipa-nis-manage | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index f70961309c34e48ea1b4c1b144c9c0df5860f667..64de9e848ff7c382ddaea0729352da2584be6031 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -116,7 +116,7 @@ def main():
     if not dirman_password:
         sys.exit("No password supplied")
-    api.bootstrap(context='cli', debug=options.debug)
+    api.bootstrap(context='cli', debug=options.debug, in_server=True)
     api.finalize()
     conn = None
--
2.4.3
SOURCES/0004-Stageusedr-activate-show-username-instead-of-DN.patch
File was deleted
SOURCES/0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch
New file
@@ -0,0 +1,28 @@
From 5d699a0bff0c42220d68fac54d08fbcdd2daae67 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 11 Jul 2016 10:46:34 +0200
Subject: [PATCH] ipa-compat-manage: use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6033
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 install/tools/ipa-compat-manage | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 2b13c4a68531c7b6261465399b59225db094aba2..178cef9792c703f868fa3639a3a570b963dc7ed6 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -103,7 +103,7 @@ def main():
         if dirman_password is None:
             sys.exit("Directory Manager password required")
-    api.bootstrap(context='cli', debug=options.debug)
+    api.bootstrap(context='cli', in_server=True, debug=options.debug)
     api.finalize()
     conn = None
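Review bot: the keyword order differs from the otherwise identical change in ipa-nis-manage (`debug=options.debug, in_server=True` there, `in_server=True, debug=options.debug` here); harmless, but matching the ordering keeps the two tools easy to diff against each other. Both commit messages could also state that `in_server=True` switches the API to the server-side plugin set, which is what lets the tool read plugin status directly rather than over RPC.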
--
2.4.3
SOURCES/0005-copy-schema-to-ca-allow-to-overwrite-schema-files.patch
File was deleted
SOURCES/0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch
New file
@@ -0,0 +1,40 @@
From c4d5331ec5361a5f607eca7bb576d5d387bf3824 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 11 Jul 2016 14:03:36 +0200
Subject: [PATCH] ipa-advise: correct handling of plugin namespace iteration
The API object namespace iterators now yield plugin classes themselves
instead of their names as strings. The method enumerating through available
plugins needs to be made aware of this change.
https://fedorahosted.org/freeipa/ticket/6044
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/advise/base.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index d083a3c506074f0adbb49e7a6d9935b8d338e941..a2dc9ccee93811da415c1e1eb0b57f47ac817a3f 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -167,12 +167,12 @@ class IpaAdvise(admintool.AdminTool):
     def print_config_list(self):
         self.print_header('List of available advices')
-        max_keyword_len = max((len(keyword) for keyword in advise_api.Advice))
+        max_keyword_len = max(
+            (len(advice.__name__) for advice in advise_api.Advice))
-        for keyword in advise_api.Advice:
-            advice = getattr(advise_api.Advice, keyword, '')
+        for advice in advise_api.Advice:
             description = getattr(advice, 'description', '')
-            keyword = keyword.replace('_', '-')
+            keyword = advice.__name__.replace('_', '-')
             # Compute the number of spaces needed for the table to be aligned
             offset = max_keyword_len - len(keyword)
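Review bot: `max(...)` over the `advise_api.Advice` namespace still raises `ValueError` when no advice plugins are registered (unchanged from before, but worth closing while touching the line); `max(..., default=0)` is Python 3.4 only and the file is six-compatible, so an explicit empty check or a `[0]` seed in the iterable is the portable form. The switch to `advice.__name__` is consistent across the three changed lines.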
--
2.4.3
SOURCES/0006-kdb-check-for-local-realm-in-enterprise-principals.patch
New file
@@ -0,0 +1,89 @@
From ed178aad6751ea7673d8e730bd5a6709921a1ff0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 6 Jul 2016 17:29:37 +0200
Subject: [PATCH] kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 52 +++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 6cdfa909452a4b55912b2a5a74648abd2053482a..5b80909475565d6bb4fa8cba67629094daf51eb3 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1198,30 +1198,58 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
             /* skip '@' and use part after '@' as an enterprise realm for comparison */
             realm++;
-            kerr = ipadb_is_princ_from_trusted_realm(kcontext,
-                                                     realm,
-                                                     upn->length - (realm - upn->data),
-                                                     &trusted_realm);
-            if (kerr == 0) {
-                kentry = calloc(1, sizeof(krb5_db_entry));
-                if (!kentry) {
+            /* check for our realm */
+            if (strncasecmp(ipactx->realm, realm,
+                            upn->length - (realm - upn->data)) == 0) {
+                /* it looks like it is ok to use malloc'ed strings as principal */
+                krb5_free_unparsed_name(kcontext, principal);
+                principal = strndup((const char *) upn->data, upn->length);
+                if (principal == NULL) {
                     kerr = ENOMEM;
                     goto done;
                 }
-                kerr = krb5_parse_name(kcontext, principal,
-                                       &kentry->princ);
+
+                ldap_msgfree(res);
+                res = NULL;
+                kerr = ipadb_fetch_principals(ipactx, flags, principal, &res);
                 if (kerr != 0) {
                     goto done;
                 }
-                kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+                kerr = ipadb_find_principal(kcontext, flags, res, &principal,
+                                            &lentry);
                 if (kerr != 0) {
                     goto done;
                 }
-                *entry = kentry;
+            } else {
+
+                kerr = ipadb_is_princ_from_trusted_realm(kcontext,
+                                                         realm,
+                                                         upn->length - (realm - upn->data),
+                                                         &trusted_realm);
+                if (kerr == 0) {
+                    kentry = calloc(1, sizeof(krb5_db_entry));
+                    if (!kentry) {
+                        kerr = ENOMEM;
+                        goto done;
+                    }
+                    kerr = krb5_parse_name(kcontext, principal,
+                                           &kentry->princ);
+                    if (kerr != 0) {
+                        goto done;
+                    }
+
+                    kerr = krb5_set_principal_realm(kcontext, kentry->princ, trusted_realm);
+                    if (kerr != 0) {
+                        goto done;
+                    }
+                    *entry = kentry;
+                }
+                goto done;
             }
+        } else {
+            goto done;
         }
-        goto done;
     }
     kerr = ipadb_parse_ldap_entry(kcontext, principal, lentry, entry, &pol);
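Review bot: the local-realm test `strncasecmp(ipactx->realm, realm, upn->length - (realm - upn->data))` bounds the comparison by the length of the realm part of the UPN only, so a UPN realm that is a strict prefix of the local realm (with local realm EXAMPLE.COM, an enterprise principal in realm EXAMPLE.CO) compares equal and takes the local branch instead of `ipadb_is_princ_from_trusted_realm`; add a check that `strlen(ipactx->realm)` equals that length before the call. The subsequent `ipadb_fetch_principals` lookup would most likely fail for such a name, so this reads as a correctness gap rather than an access gap, but it silently skips the trusted-realm path. The comment "it looks like it is ok to use malloc'ed strings as principal" documents a guess; state the allocator contract being relied on (that `krb5_free_unparsed_name` releases with `free()`) as a definite statement so the `strndup` replacement is clearly intentional.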
--
2.4.3
SOURCES/0006-spec-file-Update-minimum-required-version-of-krb5.patch
File was deleted
SOURCES/0007-Enable-vault-commands-on-client.patch
New file
@@ -0,0 +1,70 @@
From 0d3f6f147382625fc326a6f84bb6a950dd4386b1 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 8 Jul 2016 15:53:25 +0200
Subject: [PATCH] Enable vault-* commands on client
Client plugins for vault commands were disabled by NO_CLI=True,
inherited from vault_add_internal, that is always NO_CLI=True.
Introduced by this commit 8278da6967dbe425b4e0c6cf37dc1c53052525b2
Removed NO_CLI=True from client side plugins for vault.
https://fedorahosted.org/freeipa/ticket/6035
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaclient/plugins/vault.py | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 11210d6e1339f42598b39bcf599d3e6eacb5b9d8..bf0242fc4290bb94f29faf9c787dd7454a8921bf 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -202,10 +202,6 @@ class vault_add(Local):
         ),
     )
-    @property
-    def NO_CLI(self):
-        return self.api.Command.vault_add_internal.NO_CLI
-
     def get_args(self):
         for arg in self.api.Command.vault_add_internal.args():
             yield arg
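Review bot: dropping the `NO_CLI` property leaves `vault_add` with the base-class default, which is what re-exposes it on the CLI; a regression test asserting that `vault_add`, `vault_mod`, `vault_archive` and `vault_retrieve` are all visible to the CLI would stop a future refactor of the `*_internal` commands from hiding them again, since the forwarding to `vault_add_internal.args()` just below still couples the two classes.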
@@ -394,10 +390,6 @@ class vault_mod(Local):
         ),
     )
-    @property
-    def NO_CLI(self):
-        return self.api.Command.vault_mod_internal.NO_CLI
-
     def get_args(self):
         for arg in self.api.Command.vault_mod_internal.args():
             yield arg
@@ -572,10 +564,6 @@ class vault_archive(Local):
         ),
     )
-    @property
-    def NO_CLI(self):
-        return self.api.Command.vault_archive_internal.NO_CLI
-
     def get_args(self):
         for arg in self.api.Command.vault_archive_internal.args():
             yield arg
@@ -820,10 +808,6 @@ class vault_retrieve(Local):
         ),
     )
-    @property
-    def NO_CLI(self):
-        return self.api.Command.vault_retrieve_internal.NO_CLI
-
     def get_args(self):
         for arg in self.api.Command.vault_retrieve_internal.args():
             yield arg
--
2.4.3
SOURCES/0007-do-not-import-memcache-on-client.patch
File was deleted
SOURCES/0008-selinux-enable-httpd_run_ipa-to-allow-communicating-.patch
File was deleted
SOURCES/0008-vault-add-set-the-default-vault-type-on-the-client-s.patch
New file
@@ -0,0 +1,38 @@
From 5754f00a924bd74079fbf8dc386437ef671547b0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 12 Jul 2016 13:44:49 +0200
Subject: [PATCH] vault-add: set the default vault type on the client side if
 none was given
`vault-add` command does much processing depending on the vault type even
before the request is forwarded to remote server. Since default values for
parameters are now filled only on server side, the client-side logic would
fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from schema.
https://fedorahosted.org/freeipa/ticket/6047
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaclient/plugins/vault.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index bf0242fc4290bb94f29faf9c787dd7454a8921bf..a3ce6fecbfd38b342f826d8d27940d991d821e90 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -221,6 +221,11 @@ class vault_add(Local):
     def forward(self, *args, **options):
         vault_type = options.get('ipavaulttype')
+
+        if vault_type is None:
+            internal_cmd = self.api.Command.vault_add_internal
+            vault_type = internal_cmd.params.ipavaulttype.default
+
         password = options.get('password')
         password_file = options.get('password_file')
         public_key = options.get('ipavaultpublickey')
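Review bot: `internal_cmd.params.ipavaulttype.default` is read from the client's copy of the schema; if that parameter carries no default, `vault_type` stays `None` and the type-dependent processing that follows presumably fails in the same way this patch is fixing. An explicit error for `vault_type is None` right after the new block would make that failure mode obvious instead of surfacing later in the password/public-key handling.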
--
2.4.3
SOURCES/0009-caacl-expand-plugin-documentation.patch
New file
@@ -0,0 +1,66 @@
From 39fdccd9216c7a58ba48ed2226a5588a4f19da51 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7efb9e554abcb8dd2946eea73065c93414..1461c4814727e5774219ac206bab3d078f2daa7d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
 __doc__ = _("""
 Manage CA ACL rules.
-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.
-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:
-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category.  Services can be included by service name or the "all
+services" category.  CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category.  For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").
 EXAMPLES:
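Review bot: the CERTIFICATE AUTHORITY SCOPE paragraph states the compatibility rule (no CA association implies the 'ipa' CA only), which is the point an operator auditing ACLs most needs; since all three scope sections are descriptive only, a worked entry under EXAMPLES that restricts a rule to a named CA would show how the "all CAs" category and an explicit CA association differ in practice. The SUBJECT PRINCIPAL SCOPE text (the ACL matches the certificate subject, not the requester) addresses exactly the confusion the ticket describes.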
--
2.4.3
SOURCES/0009-oddjob-avoid-chown-keytab-to-sssd-if-sssd-user-does-.patch
File was deleted
SOURCES/0010-host-find-do-not-show-SSH-key-by-default.patch
New file
@@ -0,0 +1,30 @@
From 058e260ac530f09f5fb5566a14a87614c4bdff63 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 8 Jul 2016 13:40:02 +0200
Subject: [PATCH] host-find: do not show SSH key by default
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up
https://fedorahosted.org/freeipa/ticket/6043
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/plugins/host.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 2c5cf48cb80c6a49b6577836231a19cd13d824e2..f342b05c87b936ab7b99009cfb0f6d3acde4ef93 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -1077,7 +1077,6 @@ class host_find(LDAPSearch):
                 entry_attrs['managing'] = self.obj.get_managed_hosts(entry_attrs.dn)
             convert_sshpubkey_post(entry_attrs)
-            remove_sshpubkey_from_output_post(self.context, entry_attrs)
             convert_ipaassignedidview_post(entry_attrs, options)
         remove_sshpubkey_from_output_list_post(self.context, entries)
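Review bot: the per-entry `remove_sshpubkey_from_output_post` is dropped while `convert_sshpubkey_post(entry_attrs)` still runs for every entry whose key is then stripped by `remove_sshpubkey_from_output_list_post`; harmless, but the conversion is wasted work whenever the output does not keep the key. A test with two or more hosts in one `host-find` result would pin the behaviour the commit message describes (previously only one entry was cleaned).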
--
2.4.3
SOURCES/0010-webui-fix-user-reset-password-dialog.patch
File was deleted
SOURCES/0011-Removed-unused-method-parameter-from-migrate-ds.patch
New file
@@ -0,0 +1,31 @@
From 4132b63a5e02b019826053a07b2be79c879c1f6e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 11 Jul 2016 12:31:39 +0200
Subject: [PATCH] Removed unused method parameter from migrate-ds
An extra parameter on client side command override of migrate-ds output
was causing errors.
https://fedorahosted.org/freeipa/ticket/6034
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaclient/plugins/migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/plugins/migration.py b/ipaclient/plugins/migration.py
index 8ac5f66bf1440b245c1268cd97d5a3e0dc2e6226..cf8d461bfa144f1287ef36a231f553fd9cd102b3 100644
--- a/ipaclient/plugins/migration.py
+++ b/ipaclient/plugins/migration.py
@@ -50,7 +50,7 @@ can use their Kerberos accounts.''')
                 option = option.clone_retype(option.name, File)
             yield option
-    def output_for_cli(self, textui, result, ldapuri, bindpw, **options):
+    def output_for_cli(self, textui, result, ldapuri, **options):
         textui.print_name(self.name)
         if not result['enabled']:
             textui.print_plain(self.migration_disabled_msg)
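Review bot: with `bindpw` removed from the signature, that value now arrives in `**options` instead of as a positional; this method only prints the command name and the disabled message, so the bind password is not echoed, which is the right outcome. A one-line comment that the CLI override deliberately ignores `bindpw` would stop someone re-adding it as a positional later.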
--
2.4.3
SOURCES/0011-fix-hbac-rule-search-for-non-admin-users.patch
File was deleted
SOURCES/0012-Preserve-user-principal-aliases-during-rename-operat.patch
New file
@@ -0,0 +1,92 @@
From 07ff43d198055bc5b95a0acdf516216d00a85cc3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 1 Jul 2016 18:09:04 +0200
Subject: [PATCH] Preserve user principal aliases during rename operation
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.
This also preserves previous user logins which can be used further for
authentication as aliases.
https://fedorahosted.org/freeipa/ticket/6028
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 ipaserver/plugins/baseuser.py | 46 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 0052e718afe639bcc1c0a698ded39ea8407a0551..e4288a5a131157815ffb2452692a7edb342f6ac3 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -498,6 +498,50 @@ class baseuser_mod(LDAPUpdate):
                             len = int(config.get('ipamaxusernamelength')[0])
                         )
                     )
+
+    def preserve_krbprincipalname_pre(self, ldap, entry_attrs, *keys, **options):
+        """
+        preserve user principal aliases during rename operation. This is the
+        pre-callback part of this. Another method called during post-callback
+        shall insert the principals back
+        """
+        if options.get('rename', None) is None:
+            return
+
+        try:
+            old_entry = ldap.get_entry(
+                entry_attrs.dn, attrs_list=(
+                    'krbprincipalname', 'krbcanonicalname'))
+
+            if 'krbcanonicalname' not in old_entry:
+                return
+        except errors.NotFound:
+            self.obj.handle_not_found(*keys)
+
+        self.context.krbprincipalname = old_entry.get(
+            'krbprincipalname', [])
+
+    def preserve_krbprincipalname_post(self, ldap, entry_attrs, **options):
+        """
+        Insert the preserved aliases back to the user entry during rename
+        operation
+        """
+        if options.get('rename', None) is None or not hasattr(
+                self.context, 'krbprincipalname'):
+            return
+
+        obj_pkey = self.obj.get_primary_key_from_dn(entry_attrs.dn)
+        canonical_name = entry_attrs['krbcanonicalname'][0]
+
+        principals_to_add = tuple(p for p in self.context.krbprincipalname if
+                                  p != canonical_name)
+
+        if principals_to_add:
+            result = self.api.Command.user_add_principal(
+                obj_pkey, principals_to_add)['result']
+
+            entry_attrs['krbprincipalname'] = result.get('krbprincipalname', [])
+
     def check_mail(self, entry_attrs):
         if 'mail' in entry_attrs:
             entry_attrs['mail'] = self.obj.normalize_and_validate_email(entry_attrs['mail'])
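Review bot: in `preserve_krbprincipalname_pre`, if `self.obj.handle_not_found(*keys)` ever returns instead of raising, `old_entry` is unbound on the next line; a `return` after the call (or placing the assignment inside the `try` body) makes the flow explicit. `baseuser_mod` is a shared base, yet the post-callback hard-codes `self.api.Command.user_add_principal`; if a subclass for another user container reuses this callback, the aliases would be re-added to the wrong object, so dispatching via the concrete object (or keeping the callback on the concrete mod command) is safer. `self.context.krbprincipalname` is also left set after the post step; clearing it avoids a stale alias list leaking into a later command in the same context.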
@@ -557,9 +601,11 @@ class baseuser_mod(LDAPUpdate):
         self.check_objectclass(ldap, dn, entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
+        self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
+        self.preserve_krbprincipalname_post(ldap, entry_attrs, **options)
         if options.get('random', False):
             try:
                 entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
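Review bot: the pre-hook receives `*keys` while the post-hook derives the primary key from `entry_attrs.dn` via `get_primary_key_from_dn`; since the entry has already been renamed when the post-callback runs, `keys` would still hold the old name, so the DN lookup is the right choice, but a one-line comment at the `preserve_krbprincipalname_post` call saying so would save the next reader from wondering why the two calls are asymmetric.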
--
2.7.4
SOURCES/0012-fix-selinuxusermap-search-for-non-admin-users.patch
File was deleted
SOURCES/0013-Validate-adding-privilege-to-a-permission.patch
File was deleted
SOURCES/0013-messages-specify-message-type-for-ResultFormattingEr.patch
New file
@@ -0,0 +1,31 @@
From 0d5962e52aa9418ec0285f202aa786083aec67c3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 13 Jul 2016 18:22:04 +0200
Subject: [PATCH] messages: specify message type for ResultFormattingError
the ResultFormattingError message class was missing a `type` member which
could cause `otptoken-add` command to crash during QR image rendering using
suboptimal TTY settings
https://fedorahosted.org/freeipa/ticket/6081
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/messages.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 7288606f6ac923c2c87fadba5f2a6a2d9dadb7f5..6abad64a8259a8e164db60f63e75bbb9c230e7bf 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -363,6 +363,7 @@ class ResultFormattingError(PublicMessage):
     """
     **13019** Unable to correctly format some part of the result
     """
+    type = "warning"
     errno = 13019
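Review bot: nothing in this hunk prevents the same omission in the next `PublicMessage` subclass; a small test that instantiates each message class and checks that `type` is set (or a check in the base class) would have caught the `otptoken-add` crash described in the message and would guard against a repeat.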
--
2.7.4
SOURCES/0014-migration-Use-api.env-variables.patch
File was deleted
SOURCES/0014-schema-Fix-subtopic-topic-mapping.patch
New file
@@ -0,0 +1,29 @@
From a48b8aa5e4d45b238551c122f88dfc8151314c93 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 14 Jul 2016 10:15:59 +0200
Subject: [PATCH] schema: Fix subtopic -> topic mapping
https://fedorahosted.org/freeipa/ticket/6069
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/schema.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/schema.py b/ipaserver/plugins/schema.py
index a82b357899a483fd3b3dc9f7407bd26a4c03aada..8fd7c6ba1c4ed8cd6e27cb8b1b04f48694a4f1ff 100644
--- a/ipaserver/plugins/schema.py
+++ b/ipaserver/plugins/schema.py
@@ -399,7 +399,8 @@ class topic_(MetaObject):
                         continue
                     if topic_value is not None:
                         topic_name = unicode(topic_value)
-                        topic['topic_topic'] = topic_full_name
+                        topic['topic_topic'] = '{}/{}'.format(topic_name,
+                                                              topic_version)
                     else:
                         topic.pop('topic_topic', None)
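Review bot: the removed line referenced `topic_full_name` and the new one references `topic_version`, and neither name is defined in the visible context (the preceding line binds only `topic_name`); since the bug being fixed appears to be exactly a wrong name in this expression, confirm that `topic_version` is bound in the enclosing loop and consider a test for the subtopic-to-topic mapping so a stale name here fails at test time rather than at runtime.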
--
2.7.4
SOURCES/0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch
New file
@@ -0,0 +1,93 @@
From caceb3a08644dae0ecae05a5b1f18b91a522356d Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 14 Jul 2016 17:14:59 +0200
Subject: [PATCH] DNS install: Ensure that DNS servers container exists
During DNS installation it is assumed that the cn=servers,cn=dns container is
always present in the LDAP backend when migrating DNS server info to LDAP.
This may not always be the case (e.g. when a new replica is set up against an
older master) so the code must take additional steps to ensure this container
is present.

https://fedorahosted.org/freeipa/ticket/6083
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/bindinstance.py | 21 +++++++++++++++++++++
 ipaserver/install/plugins/dns.py  | 13 ++-----------
 2 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index f4ed63141cf25dfcfdc72d37d6ff4563e4acccf1..844fb04a9d9feca936211964b75a0b3468ba663b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -546,6 +546,26 @@ def remove_master_dns_records(hostname, realm):
     bind.remove_server_ns_records(hostname)
+def ensure_dnsserver_container_exists(ldap, api_instance, logger=None):
+    """
+    Create cn=servers,cn=dns,$SUFFIX container. If logger is not None, emit a
+    message that the container already exists when DuplicateEntry is raised
+    """
+
+    entry = ldap.make_entry(
+        DN(api_instance.env.container_dnsservers, api_instance.env.basedn),
+        {
+            u'objectclass': [u'top', u'nsContainer'],
+            u'cn': [u'servers']
+        }
+    )
+    try:
+        ldap.add_entry(entry)
+    except errors.DuplicateEntry:
+        if logger is not None:
+            logger.debug('cn=servers,cn=dns container already exists')
+
+
 class DnsBackup(object):
     def __init__(self, service):
         self.service = service
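Review bot: `ensure_dnsserver_container_exists` uses `DN` and `errors.DuplicateEntry`, so `bindinstance.py` must already import `DN` and `errors` (not visible in this hunk); the docstring also names the container as `cn=servers,cn=dns,$SUFFIX` while the code builds it from `api_instance.env.container_dnsservers` and `api_instance.env.basedn`, so stating those two env values in the docstring would keep them in sync. Any exception other than `DuplicateEntry` propagates, which is the right behaviour for an installer step.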
@@ -942,6 +962,7 @@ class BindInstance(service.Service):
         )
     def __setup_server_configuration(self):
+        ensure_dnsserver_container_exists(self.admin_conn, self.api)
         try:
             self.api.Command.dnsserver_add(
                 self.fqdn, idnssoamname=DNSName(self.fqdn).make_absolute(),
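Review bot: this call site passes no `logger`, so an already-existing container is silently ignored in `__setup_server_configuration`, whereas the updater in `dns.py` passes `self.log`; passing the instance's logger here as well would make the install log show the same "already exists" trace as the upgrade log, which helps when diagnosing a replica set up against an older master.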
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 4fa30661e40748cd32cb25c232168191db20c461..32247eedbac7fc7e00c7277ef0bc593a74cd22e4 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -29,6 +29,7 @@ from ipapython.dn import DN
 from ipapython import dnsutil
 from ipapython.ipa_log_manager import root_logger
 from ipaserver.install import sysupgrade
+from ipaserver.install.bindinstance import ensure_dnsserver_container_exists
 from ipaserver.plugins.dns import dns_container_exists
 register = Registry()
@@ -521,17 +522,7 @@ class update_dnsserver_configuration_into_ldap(DNSUpdater):
             return False, []
         # create container first, if doesn't exist
-        entry = ldap.make_entry(
-            DN(self.api.env.container_dnsservers, self.api.env.basedn),
-            {
-                u'objectclass': [u'top', u'nsContainer'],
-                u'cn': [u'servers']
-            }
-        )
-        try:
-            ldap.add_entry(entry)
-        except errors.DuplicateEntry:
-            self.log.debug('cn=dnsservers container already exists')
+        ensure_dnsserver_container_exists(ldap, self.api, logger=self.log)
         try:
             self.api.Command.dnsserver_add(self.api.env.host)
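Review bot: the removed block was the only visible use of `errors.DuplicateEntry` in this part of `dns.py`, so check whether the `errors` import (outside the hunk) is now unused. The helper also logs `cn=servers,cn=dns` where the old code logged `cn=dnsservers`, which matches the DN actually created, so the message is now accurate.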
--
2.7.4
SOURCES/0015-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch
File was deleted
SOURCES/0016-Allow-value-no-for-replica-certify-all-attr-in-abort.patch
File was deleted
SOURCES/0016-Heap-corruption-in-ipapwd-plugin.patch
New file
@@ -0,0 +1,41 @@
From 98bdf4755d5c0256d26ba6a6aed6b9e649adf941 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Mon, 18 Jul 2016 15:00:02 +0200
Subject: [PATCH] Heap corruption in ipapwd plugin
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.
allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL
https://fedorahosted.org/freeipa/ticket/6030
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 9c62f0560aa999b2179a7767040047dfa89288e0..7b2f341229b4f3bf48105c3856c0d6778da154a5 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -157,7 +157,7 @@ Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
         pwd.length = strlen(data->password);
     }
-    kset = malloc(sizeof(struct ipapwd_keyset));
+    kset = (struct ipapwd_keyset *) calloc(1, sizeof(struct ipapwd_keyset));
     if (!kset) {
         LOG_OOM();
         goto enc_error;
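Review bot: the fix is correct (on the `ipa_krb5_generate_key_data` failure path `ipapwd_keyset_free` would otherwise read an indeterminate `num_keys` and free an indeterminate `keys` pointer), but the `(struct ipapwd_keyset *)` cast is unnecessary in C and the replaced `malloc` line did not cast, so dropping it keeps the style consistent. It is also worth checking the other allocation sites of `struct ipapwd_keyset` for the same partially-initialised pattern, since the free routine assumes a fully initialised struct.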
--
2.7.4
SOURCES/0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch
New file
@@ -0,0 +1,29 @@
From c5f48cd10b9aa3f0dd226aacab8abd8af996c861 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 14 Jul 2016 09:31:22 +0200
Subject: [PATCH] Use server API in com.redhat.idm.trust-fetch-domains oddjob
 helper
https://fedorahosted.org/freeipa/ticket/6082
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index a6b87cde917cfa5bfedf28442a6d1b2b512706f9..7c948fd53bd54bf3638ef3cc4407576b9011f4fb 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -76,7 +76,7 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 # Initialize the API with the proper debug level
-api.bootstrap(debug=env.debug, log=None)
+api.bootstrap(in_server=True, debug=env.debug, log=None)
 api.finalize()
 # Only import trust plugin after api is initialized or internal imports
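Review bot: the comment above the changed line still says only "Initialize the API with the proper debug level"; now that `in_server=True` is passed it should also say that the helper initialises the server-side API (plugins loaded from `ipaserver`, no RPC client), since that is the point of this change and the reason the helper must run on the server.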
--
2.7.4
SOURCES/0017-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch
File was deleted
SOURCES/0018-enable-debugging-of-ntpd-during-client-installation.patch
File was deleted
SOURCES/0018-frontend-copy-command-arguments-to-output-params-on-.patch
New file
@@ -0,0 +1,39 @@
From 1297d5f1ba731e81b03a2fca997487813a2e962a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 18 Jul 2016 07:37:31 +0200
Subject: [PATCH] frontend: copy command arguments to output params on client
In commit f554078291d682d59956998af97f7d3066fbe7e7 we stopped copying
command arguments to output params in order to remove redundancies and
reduce API schema in size. Since then, output params were removed from
API schema completely and are reconstructed on the client.
Not including arguments in output params hides failed members from member
commands' CLI output. To fix this, copy arguments to output params again,
but only on the client side.
https://fedorahosted.org/freeipa/ticket/6026
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaclient/frontend.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ipaclient/frontend.py b/ipaclient/frontend.py
index e8eacc068f4bec5ccdb21228b32a88aea24424df..1525c88b3dfeadccd8115cb4b6ba149caef22103 100644
--- a/ipaclient/frontend.py
+++ b/ipaclient/frontend.py
@@ -95,6 +95,10 @@ class ClientMethod(ClientCommand, Method):
     def get_output_params(self):
         seen = set()
+        for param in self.params():
+            if param.name not in self.obj.params:
+                seen.add(param.name)
+                yield param
         for output_param in super(ClientMethod, self).get_output_params():
             seen.add(output_param.name)
             yield output_param
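Review bot: the new loop adds each yielded argument name to `seen`, but the following loop over `super(ClientMethod, self).get_output_params()` adds to `seen` and yields unconditionally, so an output param sharing a name with a command argument would be yielded twice; if `seen` is only consulted by a later loop outside the hunk, a `if output_param.name in seen: continue` guard in the super loop would make the deduplication hold for all sources.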
--
2.7.4
SOURCES/0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch
New file
@@ -0,0 +1,152 @@
From b79d70c9977a9b5026f8976e172122bf78885dd8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 20 Jul 2016 11:02:30 +0200
Subject: [PATCH] Show full error message for selinuxusermap-add-hostgroup
While investigating the issue for selinuxusermap-add-hostgroup,
we discovered that other commands were missing output.
A first patch fixes most of the issues:
freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch
This patch fixes servicedelegation CLI, where
servicedelegation.takes_params was missing
ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and
memberprincipal
https://fedorahosted.org/freeipa/ticket/6026
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/servicedelegation.py | 53 ++++++++++------------------------
 1 file changed, 15 insertions(+), 38 deletions(-)
diff --git a/ipaserver/plugins/servicedelegation.py b/ipaserver/plugins/servicedelegation.py
index 958c3b739a2dd465c2b685672c3deb1af8c36e4e..6f38c36a30363755c80081d02bf4c86d829eae34 100644
--- a/ipaserver/plugins/servicedelegation.py
+++ b/ipaserver/plugins/servicedelegation.py
@@ -96,30 +96,6 @@ PROTECTED_CONSTRAINT_TARGETS = (
 )
-output_params = (
-    Str(
-        'ipaallowedtarget_servicedelegationtarget',
-        label=_('Allowed Target'),
-    ),
-    Str(
-        'ipaallowedtoimpersonate',
-        label=_('Allowed to Impersonate'),
-    ),
-    Str(
-        'memberprincipal',
-        label=_('Member principals'),
-    ),
-    Str(
-        'failed_memberprincipal',
-        label=_('Failed members'),
-    ),
-    Str(
-        'ipaallowedtarget',
-        label=_('Failed targets'),
-    ),
-)
-
-
 class servicedelegation(LDAPObject):
     """
     Service Constrained Delegation base object.
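Review bot: `failed_memberprincipal` ("Failed members") and `ipaallowedtarget` ("Failed targets") are removed here with no replacement in the later hunks, which add only the three non-failed params to `takes_params`; the message says the failed-member output now comes from the client-side argument copying in the referenced frontend patch, so it would help to state explicitly that those two labels are intentionally dropped rather than overlooked.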
@@ -175,6 +151,21 @@ class servicedelegation(LDAPObject):
             label=_('Delegation name'),
             primary_key=True,
         ),
+        Str(
+            'ipaallowedtarget_servicedelegationtarget',
+            label=_('Allowed Target'),
+            flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
+        ),
+        Str(
+            'ipaallowedtoimpersonate',
+            label=_('Allowed to Impersonate'),
+            flags={'no_create', 'no_update', 'no_search'},
+        ),
+        Str(
+            'memberprincipal',
+            label=_('Member principals'),
+            flags={'no_create', 'no_update', 'no_search'},
+        ),
     )
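Review bot: `ipaallowedtarget_servicedelegationtarget` gets the `virtual_attribute` flag while `ipaallowedtoimpersonate` and `memberprincipal` do not; a short comment on why only the first is virtual (presumably because it is the attribute/object-type composite rather than a real LDAP attribute) would help the next reader, since all three are otherwise declared identically with `no_create`, `no_update`, `no_search`.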
@@ -186,8 +177,6 @@ class servicedelegation_add_member(LDAPAddMember):
     principal_attr = 'memberprincipal'
     principal_failedattr = 'failed_memberprincipal'
-    has_output_params = LDAPAddMember.has_output_params + output_params
-
     def get_options(self):
         for option in super(servicedelegation_add_member, self).get_options():
             yield option
@@ -268,8 +257,6 @@ class servicedelegation_remove_member(LDAPRemoveMember):
     principal_attr = 'memberprincipal'
     principal_failedattr = 'failed_memberprincipal'
-    has_output_params = LDAPRemoveMember.has_output_params + output_params
-
     def get_options(self):
         for option in super(
                 servicedelegation_remove_member, self).get_options():
@@ -397,8 +384,6 @@ class servicedelegationrule_del(LDAPDelete):
 class servicedelegationrule_find(LDAPSearch):
     __doc__ = _('Search for service delegations rule.')
-    has_output_params = LDAPSearch.has_output_params + output_params
-
     msg_summary = ngettext(
         '%(count)d service delegation rule matched',
         '%(count)d service delegation rules matched', 0
@@ -409,8 +394,6 @@ class servicedelegationrule_find(LDAPSearch):
 class servicedelegationrule_show(LDAPRetrieve):
     __doc__ = _('Display information about a named service delegation rule.')
-    has_output_params = LDAPRetrieve.has_output_params + output_params
-
 @register()
 class servicedelegationrule_add_member(servicedelegation_add_member):
@@ -437,7 +420,6 @@ class servicedelegationrule_add_target(LDAPAddMember):
     attribute_members = {
         'ipaallowedtarget': ['servicedelegationtarget'],
     }
-    has_output_params = LDAPAddMember.has_output_params + output_params
 @register()
@@ -447,7 +429,6 @@ class servicedelegationrule_remove_target(LDAPRemoveMember):
     attribute_members = {
         'ipaallowedtarget': ['servicedelegationtarget'],
     }
-    has_output_params = LDAPRemoveMember.has_output_params + output_params
 @register()
@@ -492,8 +473,6 @@ class servicedelegationtarget_del(LDAPDelete):
 class servicedelegationtarget_find(LDAPSearch):
     __doc__ = _('Search for service delegation target.')
-    has_output_params = LDAPSearch.has_output_params + output_params
-
     msg_summary = ngettext(
         '%(count)d service delegation target matched',
         '%(count)d service delegation targets matched', 0
@@ -530,8 +509,6 @@ class servicedelegationtarget_find(LDAPSearch):
 class servicedelegationtarget_show(LDAPRetrieve):
     __doc__ = _('Display information about a named service delegation target.')
-    has_output_params = LDAPRetrieve.has_output_params + output_params
-
 @register()
 class servicedelegationtarget_add_member(servicedelegation_add_member):
--
2.7.4
SOURCES/0019-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch
File was deleted
SOURCES/0020-allow-value-output-param-in-commands-without-primary.patch
New file
@@ -0,0 +1,157 @@
From 829e708bf22e80373f1af167fbfb3e6b6bf8655e Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 18 Jul 2016 13:18:44 +0200
Subject: [PATCH] allow 'value' output param in commands without primary key
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened during the thin client effort, some
commands not honoring this contract began to fail output validation.
A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.
https://fedorahosted.org/freeipa/ticket/6037
https://fedorahosted.org/freeipa/ticket/6061
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 API.txt                         | 10 +++++-----
 VERSION                         |  4 ++--
 ipalib/output.py                | 10 ++++++++++
 ipaserver/plugins/automember.py |  3 +++
 ipaserver/plugins/trust.py      |  2 ++
 5 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/API.txt b/API.txt
index eb33c1fb7f94f5af45ec0b38fc7e45e484a1044e..535d8ec9a4990395207e2455a09a8c1bdef5529a 100644
--- a/API.txt
+++ b/API.txt
@@ -144,7 +144,7 @@ option: StrEnum('type', values=[u'group', u'hostgroup'])
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
+output: Output('value', type=[<type 'unicode'>])
 command: automember_default_group_set/1
 args: 0,6,3
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -155,7 +155,7 @@ option: StrEnum('type', values=[u'group', u'hostgroup'])
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
+output: Output('value', type=[<type 'unicode'>])
 command: automember_default_group_show/1
 args: 0,4,3
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -164,7 +164,7 @@ option: StrEnum('type', values=[u'group', u'hostgroup'])
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
+output: Output('value', type=[<type 'unicode'>])
 command: automember_del/1
 args: 1,2,3
 arg: Str('cn+', cli_name='automember_rule')
@@ -5574,7 +5574,7 @@ option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', val
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
+output: Output('value', type=[<type 'unicode'>])
 command: trustconfig_show/1
 args: 0,5,3
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5584,7 +5584,7 @@ option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', val
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
-output: PrimaryKey('value')
+output: Output('value', type=[<type 'unicode'>])
 command: trustdomain_add/1
 args: 2,8,3
 arg: Str('trustcn', cli_name='trust')
diff --git a/VERSION b/VERSION
index 0559741451a858dd0adfa99a8bf653261d771601..ca489965050f32d2d8987dfd251ec2b2a0ba1768 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=210
-# Last change: Add --ca option to cert-status
+IPA_API_VERSION_MINOR=211
+# Last change: mbabinsk: allow 'value' output param in commands without primary key
diff --git a/ipalib/output.py b/ipalib/output.py
index 19dd9adadeb8521caf9f0dc52981ce57a7f0c8b6..b104584631629f33280164dd1d23922d21ddea49 100644
--- a/ipalib/output.py
+++ b/ipalib/output.py
@@ -217,3 +217,13 @@ simple_value = (
     Output('result', bool, _('True means the operation was successful')),
     Output('value', unicode, flags=['no_display']),
 )
+
+# custom shim for commands like `trustconfig-show`,
+# `automember-default-group-*` which put stuff into output['value'] despite not
+# having primary key themselves. Designing commands like this is not a very
+# good practice, so please do not use this for new code.
+simple_entry = (
+    summary,
+    Entry('result'),
+    Output('value', unicode, flags=['no_display']),
+)
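Review bot: `simple_entry` references `summary`, which must be defined earlier in `output.py` (not visible in this hunk). The "do not use for new code" warning lives in a comment, so it is invisible to anyone who only sees the name in an `ipalib.output` listing; a docstring or a more deliberately named constant would carry the warning to the place where someone is likely to copy it.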
diff --git a/ipaserver/plugins/automember.py b/ipaserver/plugins/automember.py
index dfa8498a6bd44352d854bff7f8eedaba8f731eef..8e9356a9d30c98b7c72735ffb9ac05c672546a0d 100644
--- a/ipaserver/plugins/automember.py
+++ b/ipaserver/plugins/automember.py
@@ -586,6 +586,7 @@ class automember_default_group_set(LDAPUpdate):
         ),
     ) + group_type
     msg_summary = _('Set default (fallback) group for automember "%(value)s"')
+    has_output = output.simple_entry
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         dn = DN(('cn', options['type']), api.env.container_automember,
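Review bot: `has_output = output.simple_entry` requires `output` to be imported in `automember.py` (`from ipalib import output` is not visible in the hunk); confirm it is, since all three hunks in this file and both hunks in `trust.py` depend on that name.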
@@ -609,6 +610,7 @@ class automember_default_group_remove(LDAPUpdate):
     takes_options = group_type
     msg_summary = _('Removed default (fallback) group for automember "%(value)s"')
+    has_output = output.simple_entry
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         dn = DN(('cn', options['type']), api.env.container_automember,
@@ -644,6 +646,7 @@ class automember_default_group_show(LDAPRetrieve):
     obj_name = 'automember_default_group'
     takes_options = group_type
+    has_output = output.simple_entry
     def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
         dn = DN(('cn', options['type']), api.env.container_automember,
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 8536202b9b785507bd27b3c7b1896b721f8c5927..d4676bd57054043edd07da5ec3321d755babf35c 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1288,6 +1288,7 @@ class trustconfig_mod(LDAPUpdate):
     takes_options = LDAPUpdate.takes_options + (_trust_type_option,)
     msg_summary = _('Modified "%(value)s" trust configuration')
+    has_output = output.simple_entry
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         self.obj._normalize_groupdn(entry_attrs)
@@ -1310,6 +1311,7 @@ class trustconfig_show(LDAPRetrieve):
     __doc__ = _('Show global trust configuration.')
     takes_options = LDAPRetrieve.takes_options + (_trust_type_option,)
+    has_output = output.simple_entry
     def execute(self, *keys, **options):
         result = super(trustconfig_show, self).execute(*keys, **options)
--
2.7.4
SOURCES/0020-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch
File was deleted
SOURCES/0021-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch
File was deleted
SOURCES/0021-server-uninstall-fails-to-remove-krb-principals.patch
New file
@@ -0,0 +1,51 @@
From 028ae66827085960cdfa9861c413a7aeccea5221 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <frenaud@redhat.com>
Date: Mon, 11 Jul 2016 09:00:44 +0200
Subject: [PATCH] server uninstall fails to remove krb principals
This patch fixes the 3rd issue of ticket 6012:
ipa-server-install --uninstall -U
complains while removing Kerberos service principals from /etc/krb5.keytab
----
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
----
This happens because the uninstaller performs the following sequence:
1/ restore pre-install files, including /etc/krb5.keytab
At this point /etc/krb5.keytab does not contain any principal for
IPA domain
2/ call ipa-client-install --uninstall, which in turn runs
ipa-rmkeytab -k /etc/krb5.keytab -r <domain>
to remove the principals.
The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not
found in keytab)
https://fedorahosted.org/freeipa/ticket/6012
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 client/ipa-client-install | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/client/ipa-client-install b/client/ipa-client-install
index cee202f89e0f40f4b7ee77e5c38a2c7d50e0dee9..45185d44feb43a8b8d30e412a26dd63121be4ad1 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -614,6 +614,13 @@ def uninstall(options, env):
             fp.close()
             realm = parser.get('global', 'realm')
             run([paths.IPA_RMKEYTAB, "-k", paths.KRB5_KEYTAB, "-r", realm])
+        except CalledProcessError as err:
+            if err.returncode != 5:
+                # 5 means Principal name or realm not found in keytab
+                # and can be ignored
+                root_logger.error(
+                    "Failed to remove Kerberos service principals: %s",
+                    str(err))
         except Exception as e:
             root_logger.error(
                 "Failed to remove Kerberos service principals: %s", str(e))
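Review bot: the new `except CalledProcessError` branch ignores exit status 5 without any log line, so an operator reading the uninstall log cannot tell that principal removal was skipped because the keytab had no entries for the realm; a `root_logger.debug(...)` in the ignored case would record it. `CalledProcessError` also needs to be imported in `ipa-client-install` (not visible here), and the branch must stay ahead of the `except Exception` one, as it is now.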
--
2.7.4
SOURCES/0022-expose-secret-option-in-radiusproxy-commands.patch
New file
@@ -0,0 +1,32 @@
From a9914cc13e0b04fbe8637214970c99b2328a2dfa Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands
Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on an existing server or searching by secret. Since the thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
             label=_('Secret'),
             doc=_('The secret used to encrypt data'),
             confirm=True,
-            flags=['no_option'],
         ),
         Int('ipatokenradiustimeout?',
             cli_name='timeout',
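Review bot: removing `no_option` exposes `--secret` on every `radiusproxy-*` command generated from this object, including `radiusproxy-find`, so searching by secret becomes possible from the CLI; the follow-up patch hides it on `find` again, but this patch on its own should say so. A secret passed as a CLI option also ends up in shell history and process listings, which is a reason to point users at the interactive prompt (`confirm=True`) in the option's `doc`.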
--
2.7.4
SOURCES/0022-ipaplatform-Add-constants-submodule.patch
File was deleted
SOURCES/0023-DNS-check-if-DNS-package-is-installed.patch
File was deleted
SOURCES/0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch
New file
@@ -0,0 +1,37 @@
From 57e8d1c6ff58bc58d50d0b1d501820f55a6f2837 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 21 Jul 2016 09:42:01 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret
radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/radiusproxy.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 5657e002c1ce66335b7697b98f95a49207c61d87..3391b8aed77205fb1a586d5472d8cfdbc9fd1cd5 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -169,6 +169,14 @@ class radiusproxy_find(LDAPSearch):
         '%(count)d RADIUS proxy server matched', '%(count)d RADIUS proxy servers matched', 0
     )
+    def get_options(self):
+        for option in super(radiusproxy_find, self).get_options():
+            if option.name == 'ipatokenradiussecret':
+                option = option.clone(flags={'no_option'})
+
+            yield option
+
+
 @register()
 class radiusproxy_show(LDAPRetrieve):
     __doc__ = _('Display information about a RADIUS proxy server.')
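Review bot: `option.clone(flags={'no_option'})` replaces the option's flag set rather than extending it; the previous patch shows `ipatokenradiussecret` carrying no other flags once `no_option` was removed, so this is safe today, but `flags=option.flags | {'no_option'}` would preserve any flags added later without anyone having to remember this override.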
--
2.7.4
SOURCES/0024-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch
File was deleted
SOURCES/0024-trust-add-handle-all-raw-options-properly.patch
New file
@@ -0,0 +1,89 @@
From b18c50fb6f596896b35b80178368762d8b9d4a56 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 15 Jul 2016 12:38:00 +0200
Subject: [PATCH] trust-add: handle `--all/--raw` options properly
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.
https://fedorahosted.org/freeipa/ticket/6059
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/trust.py | 41 +++++++++++++++++++++++++++--------------
 1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index d4676bd57054043edd07da5ec3321d755babf35c..f2e0b1ee4b261ddc4f29477f46b7f4027af18892 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -710,6 +710,25 @@ sides.
     msg_summary = _('Added Active Directory trust for realm "%(value)s"')
     msg_summary_existing = _('Re-established trust to domain "%(value)s"')
+    def _format_trust_attrs(self, result, **options):
+
+        # Format the output into human-readable values
+        attributes = int(result['result'].get('ipanttrustattributes', [0])[0])
+
+        if not options.get('raw', False):
+            result['result']['trusttype'] = [trust_type_string(
+                result['result']['ipanttrusttype'][0], attributes)]
+            result['result']['trustdirection'] = [trust_direction_string(
+                result['result']['ipanttrustdirection'][0])]
+            result['result']['truststatus'] = [trust_status_string(
+                result['verified'])]
+
+        if attributes:
+            result['result'].pop('ipanttrustattributes', None)
+
+        result['result'].pop('ipanttrustauthoutgoing', None)
+        result['result'].pop('ipanttrustauthincoming', None)
+
     def execute(self, *keys, **options):
         ldap = self.obj.backend
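Review bot: in `_format_trust_attrs`, `ipanttrustattributes` is popped whenever `attributes` is non-zero and the two `ipanttrustauth*` attributes are always popped, even when `--raw` is given; if raw output is meant to be the unmodified entry, only the human-readable replacement should be skipped. Dropping the auth attributes unconditionally is defensible since they carry the trust authentication material, but then the method needs a docstring saying that raw output deliberately omits them.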
@@ -729,10 +748,15 @@ sides.
         else:
             created_range_type = old_range['result']['iparangetype'][0]
+        attrs_list = self.obj.default_attributes
+        if options.get('all', False):
+            attrs_list.append('*')
+
         trust_filter = "cn=%s" % result['value']
         (trusts, truncated) = ldap.find_entries(
                          base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
-                         filter=trust_filter)
+                         filter=trust_filter,
+                         attrs_list=attrs_list)
         result['result'] = entry_to_dict(trusts[0], **options)
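Review bot: `attrs_list = self.obj.default_attributes` followed by `attrs_list.append('*')` mutates the object's shared `default_attributes` list in place whenever `--all` is passed, so every later use of `default_attributes` in the same server process gets another `'*'` appended; copy first, e.g. `attrs_list = list(self.obj.default_attributes)`, before appending.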
@@ -761,20 +785,9 @@ sides.
                 # add_new_domains_from_trust() on its own.
                 fetch_trusted_domains_over_dbus(self.api, self.log, result['value'])
-        # Format the output into human-readable values
-        attributes = int(result['result'].get('ipanttrustattributes', [0])[0])
-        result['result']['trusttype'] = [trust_type_string(
-            result['result']['ipanttrusttype'][0], attributes)]
-        result['result']['trustdirection'] = [trust_direction_string(
-            result['result']['ipanttrustdirection'][0])]
-        result['result']['truststatus'] = [trust_status_string(
-            result['verified'])]
-        if attributes:
-            result['result'].pop('ipanttrustattributes', None)
-
+        # Format the output into human-readable values unless `--raw` is given
+        self._format_trust_attrs(result, **options)
         del result['verified']
-        result['result'].pop('ipanttrustauthoutgoing', None)
-        result['result'].pop('ipanttrustauthincoming', None)
         return result
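Review bot: this is the first point where the `--raw` path diverges from the formatted one, so a test that runs the command with `--raw` and asserts that `trusttype`, `trustdirection` and `truststatus` are absent while `ipanttrustauthoutgoing` and `ipanttrustauthincoming` are still removed would pin the behaviour; note that `del result['verified']` must stay after the `_format_trust_attrs` call, because the helper reads `result['verified']` to build `truststatus`.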
--
2.7.4
SOURCES/0025-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch
File was deleted
SOURCES/0025-unite-log-file-name-of-ipa-ca-install.patch
New file
@@ -0,0 +1,54 @@
From 41b85da8629e69efcc9acf65ba81ab79d38dc609 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Fri, 15 Jul 2016 16:25:36 +0200
Subject: [PATCH] unite log file name of ipa-ca-install
ipa-ca-install said that it used
  /var/log/ipareplica-ca-install.log
but in fact it used
  /var/log/ipaserver-ca-install.log
This patch unites it to ipareplica-ca-install.log
It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.
https://fedorahosted.org/freeipa/ticket/6086
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 install/tools/ipa-ca-install | 2 +-
 ipaplatform/base/paths.py    | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index ed685920cbadb9cd3fc80865afb1610ca42f8b13..985e7413aa06900976934c329757ce45da5ff12d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -285,7 +285,7 @@ def main():
             cainstance.is_ca_installed_locally()):
         sys.exit("CA is already installed on this host.")
-    standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
+    standard_logging_setup(log_file_name, debug=options.debug)
     root_logger.debug("%s was invoked with options: %s,%s",
                       sys.argv[0], safe_options, filename)
     root_logger.debug("IPA version %s", version.VENDOR_VERSION)
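Review bot: `log_file_name` is not defined anywhere in this diff; the hunk only removes the `paths.IPASERVER_CA_INSTALL_LOG` reference, so confirm that `main()` assigns `log_file_name` (presumably from `paths.IPAREPLICA_CA_INSTALL_LOG`, the name the commit message says is kept) before this call, otherwise it fails with a NameError at startup.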
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index d6fbe32f6839a5db40148777132ba1454cbc3382..1507ac36da5b40447c951ee608053a09b2db2fc3 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -307,7 +307,6 @@ class BasePathNamespace(object):
     IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
     IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
     IPARESTORE_LOG = "/var/log/iparestore.log"
-    IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
     IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
     IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
     IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
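Review bot: removing `IPASERVER_CA_INSTALL_LOG` from `BasePathNamespace` breaks any other module or platform-specific paths override that still references it; grep the tree for the constant and for the literal `/var/log/ipaserver-ca-install.log` before dropping it, and consider mentioning the old file name in the commit message so admins looking for it know where to look now.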
--
2.7.4
SOURCES/0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch
New file
@@ -0,0 +1,95 @@
From 57b757807a53400b8addb19d323f5691122c3ebb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 21 Jul 2016 13:18:34 +0200
Subject: [PATCH] Host-del: fix behavior of --updatedns and PTR records
* target for ptr record must be absolute domain name
* zone is detected using DNS system instead of random splitting of
hostname
https://fedorahosted.org/freeipa/ticket/6060
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipaserver/plugins/host.py | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index f342b05c87b936ab7b99009cfb0f6d3acde4ef93..413dcf15e0423170d8334902b9dcf8fb5aa14de6 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -18,6 +18,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from __future__ import absolute_import
+
+import dns.resolver
 import string
 import six
@@ -134,7 +137,7 @@ register = Registry()
 host_pwd_chars = string.digits + string.ascii_letters + '_,.@+-='
-def remove_ptr_rec(ipaddr, host, domain):
+def remove_ptr_rec(ipaddr, fqdn):
     """
     Remove PTR record of IP address (ipaddr)
     :return: True if PTR record was removed, False if record was not found
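Review bot: the docstring still documents only `ipaddr`; since the second parameter changed from a `(host, domain)` pair to a single `fqdn`, state that `fqdn` is a `DNSName` and that it is made absolute before the PTR target is compared, so callers know which form to pass.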
@@ -143,13 +146,12 @@ def remove_ptr_rec(ipaddr, host, domain):
     try:
         revzone, revname = get_reverse_zone(ipaddr)
-        # in case domain is in FQDN form with a trailing dot, we needn't add
-        # another one, in case it has no trailing dot, dnsrecord-del will
-        # normalize the entry
-        delkw = {'ptrrecord': "%s.%s" % (host, domain)}
+        # assume that target in PTR record is absolute name (otherwise it is
+        # non-standard configuration)
+        delkw = {'ptrrecord': u"%s" % fqdn.make_absolute()}
         api.Command['dnsrecord_del'](revzone, revname, **delkw)
-    except errors.NotFound:
+    except (errors.NotFound, errors.AttrValueNotFound):
         api.log.debug('PTR record of ipaddr %s not found', ipaddr)
         return False
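Review bot: the comment says the PTR target is assumed to be an absolute name, but the code then forces it with `fqdn.make_absolute()`; the point worth stating is that an existing PTR record with a relative target (the non-standard case) will no longer match and will be reported as not found through the newly caught `errors.AttrValueNotFound`, leaving a stale PTR behind. Also, `u"%s" % fqdn.make_absolute()` can be written as `unicode(fqdn.make_absolute())`.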
@@ -794,13 +796,15 @@ class host_del(LDAPDelete):
         if updatedns:
             # Remove A, AAAA, SSHFP and PTR records of the host
-            parts = fqdn.split('.')
-            domain = unicode('.'.join(parts[1:]))
+            fqdn_dnsname = DNSName(fqdn).make_absolute()
+            zone = DNSName(dns.resolver.zone_for_name(fqdn_dnsname))
+            relative_hostname = fqdn_dnsname.relativize(zone)
+
             # Get all resources for this host
             rec_removed = False
             try:
                 record = api.Command['dnsrecord_show'](
-                    domain, parts[0])['result']
+                    zone, relative_hostname)['result']
             except errors.NotFound:
                 pass
             else:
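Review bot: `dns.resolver.zone_for_name(fqdn_dnsname)` performs a live SOA lookup through the system resolver and its failures (`dns.resolver.NoRootSOA`, `dns.resolver.NoNameservers`, `dns.exception.Timeout`) are not caught here, so `host-del --updatedns` will now traceback instead of failing cleanly whenever the host's zone is not resolvable; wrap the lookup and turn those into a proper IPA error. Also note the behavioural change: the zone used for `dnsrecord_show` is now whatever the resolver answers rather than a split of the stored host name, so the cleanup depends on the resolver pointing at the correct DNS view.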
@@ -808,13 +812,13 @@ class host_del(LDAPDelete):
                 for attr in ('arecord', 'aaaarecord'):
                     for val in record.get(attr, []):
                         rec_removed = (
-                            remove_ptr_rec(val, parts[0], domain) or
+                            remove_ptr_rec(val, fqdn_dnsname) or
                             rec_removed
                         )
                 try:
                     # remove all A, AAAA, SSHFP records of the host
                     api.Command['dnsrecord_mod'](
-                        domain,
+                        zone,
                         record['idnsname'][0],
                         arecord=[],
                         aaaarecord=[],
--
2.7.4
SOURCES/0026-fix-broken-search-for-users-by-their-manager.patch
File was deleted
SOURCES/0027-dcerpc-Add-get_trusted_domain_object_type-method.patch
File was deleted
SOURCES/0027-help-Add-dnsserver-commands-to-help-topic-dns.patch
New file
@@ -0,0 +1,67 @@
From a7c1e25d3d1c065d0a56e63741c8e5b05ee880a6 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Fri, 15 Jul 2016 11:55:19 +0200
Subject: [PATCH] help: Add dnsserver commands to help topic 'dns'
https://fedorahosted.org/freeipa/ticket/6069
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipaserver/plugins/dnsserver.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaserver/plugins/dnsserver.py b/ipaserver/plugins/dnsserver.py
index beddec04230d810479fff9612721cf12260bbb3a..d635722a6b6aaea942d49456a04f5d0480d344c9 100644
--- a/ipaserver/plugins/dnsserver.py
+++ b/ipaserver/plugins/dnsserver.py
@@ -48,6 +48,8 @@ EXAMPLES:
 register = Registry()
+topic = None
+
 dnsserver_object_class = ['top', 'idnsServerConfigObject']
 @register()
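Review bot: the module-level `topic = None` deserves a comment, since on its own it looks like dead code; it stops the module name from being picked up as a help topic so that the per-command `topic = 'dns'` assignments below are the only thing routing these commands into the `dns` topic.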
@@ -149,6 +151,7 @@ class dnsserver(LDAPObject):
 @register()
 class dnsserver_mod(LDAPUpdate):
     __doc__ = _('Modify DNS server configuration')
+    topic = 'dns'
     msg_summary = _('Modified DNS server "%(value)s"')
@@ -156,6 +159,7 @@ class dnsserver_mod(LDAPUpdate):
 @register()
 class dnsserver_find(LDAPSearch):
     __doc__ = _('Search for DNS servers.')
+    topic = 'dns'
     msg_summary = ngettext(
         '%(count)d DNS server matched',
@@ -166,6 +170,7 @@ class dnsserver_find(LDAPSearch):
 @register()
 class dnsserver_show(LDAPRetrieve):
     __doc__=_('Display configuration of a DNS server.')
+    topic = 'dns'
 @register()
@@ -175,6 +180,7 @@ class dnsserver_add(LDAPCreate, Local):
     Be careful in future this will be transformed to public API call
     """
     __doc__ = _('Add a new DNS server.')
+    topic = 'dns'
     msg_summary = _('Added new DNS server "%(value)s"')
@@ -186,5 +192,6 @@ class dnsserver_del(LDAPDelete, Local):
     Be careful in future this will be transformed to public API call
     """
     __doc__ = _('Delete a DNS server')
+    topic = 'dns'
     msg_summary = _('Deleted DNS server "%(value)s"')
--
2.7.4
SOURCES/0028-DNS-Locations-fix-update-system-records-unpacking-er.patch
New file
@@ -0,0 +1,35 @@
From 0f655b619eae8320757cd6d18f9f1dda6ab2c6ed Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 22 Jul 2016 13:32:31 +0200
Subject: [PATCH] DNS Locations: fix update-system-records unpacking error
Method IPASystemRecords.records_list_from_node returns a list consisting
only of record names, not tuples, which caused an unpacking error
https://fedorahosted.org/freeipa/ticket/6117
Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com>
---
 ipaserver/install/bindinstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 844fb04a9d9feca936211964b75a0b3468ba663b..7538e145cbe37dfc21963d97dea0e835e3bd5072 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1139,10 +1139,10 @@ class BindInstance(service.Service):
                 root_logger.error("Update of following records failed:")
                 for attr in (failed_ipa_rec, failed_loc_rec):
                     for rname, node, error in attr:
-                        for record, e in IPASystemRecords.records_list_from_node(
+                        for record in IPASystemRecords.records_list_from_node(
                                 rname, node
                         ):
-                            root_logger.error("%s (%s)", record, e)
+                            root_logger.error("%s (%s)", record, error)
     def check_global_configuration(self):
         """
--
2.7.4
SOURCES/0028-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch
File was deleted
SOURCES/0029-Fix-session-cookies.patch
New file
@@ -0,0 +1,136 @@
From 059ced75270c681144462dba3772812901495054 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 21 Jul 2016 16:54:43 +0200
Subject: [PATCH] Fix session cookies
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).
The patch fixes the assertions, allowing the cookie to be stored and retrieved.
It also adds a test with unicode key name.
https://fedorahosted.org/freeipa/ticket/5984
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipapython/kernel_keyring.py             | 15 ++++++++-------
 ipatests/test_ipapython/test_keyring.py | 15 +++++++++++++++
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index ed4868a9d8eaffdae6f717928663296bd20c762e..651fd708667420d1769e3601a8fa0b6c52604a10 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -18,6 +18,7 @@
 #
 import os
+import six
 from ipapython.ipautil import run
@@ -45,7 +46,7 @@ def get_real_key(key):
     One cannot request a key based on the description it was created with
     so find the one we're looking for.
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     result = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
                  raiseonerr=False, capture_output=True)
     if result.returncode:
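Review bot: these `isinstance` checks are `assert` statements, which are stripped under `python -O`, and the commit message shows they were already being hit by real unicode input; replacing them with an explicit `raise TypeError(...)` across all seven functions makes the guard reliable. The value itself is only ever passed as one element of the `run([...])` argv list, so there is no shell quoting concern with the wider type.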
@@ -53,7 +54,7 @@ def get_real_key(key):
     return result.raw_output.rstrip()
 def get_persistent_key(key):
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     result = run(['keyctl', 'get_persistent', KEYRING, key],
                  raiseonerr=False, capture_output=True)
     if result.returncode:
@@ -73,7 +74,7 @@ def has_key(key):
     """
     Returns True/False whether the key exists in the keyring.
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     try:
         get_real_key(key)
         return True
@@ -86,7 +87,7 @@ def read_key(key):
     Use pipe instead of print here to ensure we always get the raw data.
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     real_key = get_real_key(key)
     result = run(['keyctl', 'pipe', real_key], raiseonerr=False,
                  capture_output=True)
@@ -99,7 +100,7 @@ def update_key(key, value):
     """
     Update the keyring data. If they key doesn't exist it is created.
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     assert isinstance(value, bytes)
     if has_key(key):
         real_key = get_real_key(key)
@@ -114,7 +115,7 @@ def add_key(key, value):
     """
     Add a key to the kernel keyring.
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     assert isinstance(value, bytes)
     if has_key(key):
         raise ValueError('key %s already exists' % key)
@@ -127,7 +128,7 @@ def del_key(key):
     """
     Remove a key from the keyring
     """
-    assert isinstance(key, str)
+    assert isinstance(key, six.string_types)
     real_key = get_real_key(key)
     result = run(['keyctl', 'unlink', real_key, KEYRING],
                  raiseonerr=False)
diff --git a/ipatests/test_ipapython/test_keyring.py b/ipatests/test_ipapython/test_keyring.py
index e22841c8f5d229d17cdd05ab9c4248eeffaab249..c81e6d95f7ebdf585ee37ecf71151c01e0001912 100644
--- a/ipatests/test_ipapython/test_keyring.py
+++ b/ipatests/test_ipapython/test_keyring.py
@@ -28,6 +28,7 @@ import pytest
 pytestmark = pytest.mark.tier0
 TEST_KEY = 'ipa_test'
+TEST_UNICODEKEY = u'ipa_unicode'
 TEST_VALUE = b'abc123'
 UPDATE_VALUE = b'123abc'
@@ -49,6 +50,10 @@ class test_keyring(object):
             kernel_keyring.del_key(SIZE_256)
         except ValueError:
             pass
+        try:
+            kernel_keyring.del_key(TEST_UNICODEKEY)
+        except ValueError:
+            pass
     def test_01(self):
         """
@@ -150,3 +155,13 @@ class test_keyring(object):
         assert(result == SIZE_1024.encode('ascii'))
         kernel_keyring.del_key(TEST_KEY)
+
+    def test_10(self):
+        """
+        Test a unicode key
+        """
+        kernel_keyring.add_key(TEST_UNICODEKEY, TEST_VALUE)
+        result = kernel_keyring.read_key(TEST_UNICODEKEY)
+        assert(result == TEST_VALUE)
+
+        kernel_keyring.del_key(TEST_UNICODEKEY)
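Review bot: `test_10` only exercises the plain key `u'ipa_unicode'`; the regression described in the commit message involves a key of the form `ipa_session_cookie:<principal>`, so adding a unicode key in that shape (with the colon and an `@REALM` part) would cover the actual failing input, and the test should also assert `has_key(TEST_UNICODEKEY)` before and after `del_key`.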
--
2.7.4
SOURCES/0029-idviews-Enforce-objectclass-check-in-idoverride-del.patch
File was deleted
SOURCES/0030-Use-copy-when-replacing-files-to-keep-SELinux-contex.patch
New file
@@ -0,0 +1,38 @@
From 602d1c5190cfb879f81ced19e60d1eb08bd559f0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 21 Jul 2016 18:49:57 +0200
Subject: [PATCH] Use copy when replacing files to keep SELinux context
When the installer replaces any file with a newer one, it must use 'copy' instead of
'mv' to keep the SELinux context valid.
https://fedorahosted.org/freeipa/ticket/6111
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ipapython/ipautil.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 763a99c117e22a4ac49d8d34b38230f3da7c8435..9964fba4f694b57242b3bd3065a418917d977533 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -528,10 +528,14 @@ def dir_exists(filename):
     except Exception:
         return False
+
 def install_file(fname, dest):
+    # SELinux: use copy to keep the right context
     if file_exists(dest):
         os.rename(dest, dest + ".orig")
-    shutil.move(fname, dest)
+    shutil.copy(fname, dest)
+    os.remove(fname)
+
 def backup_file(fname):
     if file_exists(fname):
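Review bot: the comment `# SELinux: use copy to keep the right context` should say why it works: `shutil.copy` creates a new inode at `dest`, which receives the default label for that path, whereas `shutil.move` (a rename on the same filesystem) carries the source file's label, typically a tmp label, along with it. Two side effects of the switch deserve a look: `shutil.copy` copies permission bits but not ownership, which rename preserved, and copy-then-`os.remove` is not atomic, so a reader can observe a partially written `dest`; if either matters to callers, copy to a temporary name in the destination directory and rename it into place, then verify the resulting label with `ls -Z`.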
--
2.7.4
SOURCES/0030-idviews-Check-for-the-Default-Trust-View-only-if-app.patch
File was deleted
SOURCES/0031-baseldap-Fix-MidairCollision-instantiation-during-en.patch
New file
@@ -0,0 +1,38 @@
From 25b1fb956cc8029d5030d93cf48faed823778c5e Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 25 Jul 2016 14:05:08 +0200
Subject: [PATCH] baseldap: Fix MidairCollision instantiation during entry
 modification
https://fedorahosted.org/freeipa/ticket/6097
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/baseldap.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 6107e43a6ee17d9b9a63d9dc109664d8b232069f..f7844e3e7c59c259b9c8367d135b2dbefc3f0016 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1466,7 +1466,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
                 entry_attrs.dn, attrs_list)
         except errors.NotFound:
             raise errors.MidairCollision(
-                format=_('the entry was deleted while being modified')
+                message=_('the entry was deleted while being modified')
             )
         self.obj.get_indirect_members(entry_attrs, attrs_list)
@@ -2344,7 +2344,7 @@ class BaseLDAPModAttribute(LDAPQuery):
                 entry_attrs.dn, attrs_list)
         except errors.NotFound:
             raise errors.MidairCollision(
-                format=_('the entry was deleted while being modified')
+                message=_('the entry was deleted while being modified')
             )
         for callback in self.get_callbacks('post'):
--
2.7.4
SOURCES/0031-replication-Fix-incorrect-exception-invocation.patch
File was deleted
SOURCES/0032-Create-indexes-for-krbCanonicalName-attribute.patch
New file
@@ -0,0 +1,54 @@
From 1eed28c173336da828ac60b64b09a8b01d79fab4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 22 Jul 2016 13:02:38 +0200
Subject: [PATCH] Create indexes for krbCanonicalName attribute
krbCanonicalName has for a long time been among the attributes guarded by uniqueness
plugins, but there was never an index for it. Now that the attribute is really
used to store canonical principal names we need to add an index for it to avoid
performance regressions.
https://fedorahosted.org/freeipa/ticket/6100
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
 install/share/indices.ldif        | 9 +++++++++
 install/updates/20-indices.update | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 642c2f7aee78b684b3e451c2595e4f18950e449e..d853266025ae350dd7de83e11e463c6bb1ab9429 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -269,3 +269,12 @@ ObjectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+
+dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: krbCanonicalName
+objectClass: top
+objectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+nsIndexType: sub
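Review bot: `nsIndexType: sub` alongside `eq` is only worthwhile if substring searches on krbCanonicalName are actually issued; the uniqueness check and canonical-name lookups described in the commit message are equality matches, so if nothing does substring filters, `eq` (plus `pres` if presence filters are used) keeps the index smaller and cheaper to maintain on writes.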
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 445eda5ab6939f21654335ea4dd50d7b2cab008f..74961d77875515d680f34af739c984a6533eb252 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -251,3 +251,11 @@ only: nsMatchingRule: caseIgnoreIA5Match
 only: nsMatchingRule: caseExactIA5Match
 only:nsIndexType: eq
 only:nsIndexType: sub
+
+dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default: cn: krbCanonicalName
+default: objectClass: top
+default: objectClass: nsIndex
+only: nsSystemIndex: false
+only: nsIndexType: eq
+only: nsIndexType: sub
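Review bot: adding the index entry through the update file defines the index but does not index entries that already exist; on an upgraded server krbCanonicalName searches stay unindexed until a reindex task runs for the attribute, so confirm that the updater triggers one for newly added index definitions, or the performance regression this is meant to avoid persists after upgrade.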
--
2.7.4
SOURCES/0032-webui-add-Kerberos-configuration-instructions-for-Ch.patch
File was deleted
SOURCES/0033-Remove-ico-files-from-Makefile.patch
File was deleted
SOURCES/0033-harden-the-check-for-trust-namespace-overlap-in-new-.patch
New file
@@ -0,0 +1,43 @@
From 843d21620c118f283f53db77b1114d15d26dc176 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 20 Jul 2016 15:46:22 +0200
Subject: [PATCH] harden the check for trust namespace overlap in new
 principals
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.
https://fedorahosted.org/freeipa/ticket/6099
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipalib/util.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipalib/util.py b/ipalib/util.py
index d101514cad4f35fd9a09d84b549ffa86de432f70..e0fc178c4af2056d04ad88a3923daa7d127fe307 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -968,11 +968,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
     trust_suffix_namespace = set()
     for obj in trust_objects:
-        trust_suffix_namespace.update(
-            set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+        nt_suffixes = obj.get('ipantadditionalsuffixes', [])
         trust_suffix_namespace.update(
-            set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
+            set(upn.lower() for upn in nt_suffixes))
+
+        if 'ipantflatname' in obj:
+            trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
+
+        trust_suffix_namespace.add(obj['cn'][0].lower())
     for principal in keys[-1]:
         realm = principal.realm
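Review bot: with this change a trusted-domain entry that lacks `ipantflatname` contributes only its `cn` and additional suffixes to `trust_suffix_namespace`, so that trust's flat (NetBIOS) name is no longer reserved and a new principal whose realm matches it would pass the check; log at debug level when the attribute is absent so the weaker check is visible when investigating. Style-wise, `obj.get('ipantflatname')` would mirror the `obj.get('ipantadditionalsuffixes', [])` line above it.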
--
2.7.4
SOURCES/0034-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch
File was deleted
SOURCES/0034-Revert-Enable-vault-commands-on-client.patch
New file
@@ -0,0 +1,65 @@
From 872e67c0121250dd41e2d6953810582f1e5dda27 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 25 Jul 2016 14:00:08 +0200
Subject: [PATCH] Revert "Enable vault-* commands on client"
This reverts commit 9feeaca9fb552229638ce98086aa75905a45b48d.
https://fedorahosted.org/freeipa/ticket/6089
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaclient/plugins/vault.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index a3ce6fecbfd38b342f826d8d27940d991d821e90..b7e0cfffb2fff62fdbbf438964d124fc2dd8ac36 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -202,6 +202,10 @@ class vault_add(Local):
         ),
     )
+    @property
+    def NO_CLI(self):
+        return self.api.Command.vault_add_internal.NO_CLI
+
     def get_args(self):
         for arg in self.api.Command.vault_add_internal.args():
             yield arg
@@ -395,6 +399,10 @@ class vault_mod(Local):
         ),
     )
+    @property
+    def NO_CLI(self):
+        return self.api.Command.vault_mod_internal.NO_CLI
+
     def get_args(self):
         for arg in self.api.Command.vault_mod_internal.args():
             yield arg
@@ -569,6 +577,10 @@ class vault_archive(Local):
         ),
     )
+    @property
+    def NO_CLI(self):
+        return self.api.Command.vault_archive_internal.NO_CLI
+
     def get_args(self):
         for arg in self.api.Command.vault_archive_internal.args():
             yield arg
@@ -813,6 +825,10 @@ class vault_retrieve(Local):
         ),
     )
+    @property
+    def NO_CLI(self):
+        return self.api.Command.vault_retrieve_internal.NO_CLI
+
     def get_args(self):
         for arg in self.api.Command.vault_retrieve_internal.args():
             yield arg
--
2.7.4
SOURCES/0035-ULC-Fix-stageused-add-from-delete-command.patch
File was deleted
SOURCES/0035-client-fix-hiding-of-commands-which-lack-server-supp.patch
New file
@@ -0,0 +1,93 @@
From a23b8fd488ca33f3e6ffa42530debd6d5d3430ac Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 18 Jul 2016 09:37:24 +0200
Subject: [PATCH] client: fix hiding of commands which lack server support
Rather than checking the server counterpart's NO_CLI, which may be False
even for commands supported on the server, check whether the server
counterpart is a command defined on the server or a local placeholder.
https://fedorahosted.org/freeipa/ticket/6089
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaclient/plugins/automount.py        |  3 ++-
 ipaclient/plugins/otptoken_yubikey.py |  3 ++-
 ipaclient/plugins/vault.py            | 12 ++++++++----
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/ipaclient/plugins/automount.py b/ipaclient/plugins/automount.py
index 8405f9f4fe283d9c068d51e10717fb1396fa44bf..c6537bc6c24b905a8e1f7fb6a7e2c931b95374c7 100644
--- a/ipaclient/plugins/automount.py
+++ b/ipaclient/plugins/automount.py
@@ -54,7 +54,8 @@ class _fake_automountlocation_show(Method):
 class automountlocation_tofiles(MethodOverride):
     @property
     def NO_CLI(self):
-        return self.api.Command.automountlocation_show.NO_CLI
+        return isinstance(self.api.Command.automountlocation_show,
+                          _fake_automountlocation_show)
     def output_for_cli(self, textui, result, *keys, **options):
         maps = result['result']['maps']
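Review bot: the `isinstance(..., _fake_*)` test is the right signal, but it is now repeated in six `NO_CLI` properties across three modules; a small shared helper such as `is_server_placeholder(self.api.Command.<name>)` would keep them consistent and make it harder to forget when the next client-side override is added.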
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 5e0d994628ab997853a80d1f1118ba8ada9993d9..423b670de15dd7f803db1dcbb759bd0254827072 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -76,7 +76,8 @@ class otptoken_add_yubikey(Command):
     @property
     def NO_CLI(self):
-        return self.api.Command.otptoken_add.NO_CLI
+        return isinstance(self.api.Command.otptoken_add,
+                          _fake_otptoken_add)
     def get_args(self):
         for arg in self.api.Command.otptoken_add.args():
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index b7e0cfffb2fff62fdbbf438964d124fc2dd8ac36..e3a1ae3a0ad767bcee843b7fa3743a934e02d18b 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -204,7 +204,8 @@ class vault_add(Local):
     @property
     def NO_CLI(self):
-        return self.api.Command.vault_add_internal.NO_CLI
+        return isinstance(self.api.Command.vault_add_internal,
+                          _fake_vault_add_internal)
     def get_args(self):
         for arg in self.api.Command.vault_add_internal.args():
@@ -401,7 +402,8 @@ class vault_mod(Local):
     @property
     def NO_CLI(self):
-        return self.api.Command.vault_mod_internal.NO_CLI
+        return isinstance(self.api.Command.vault_mod_internal,
+                          _fake_vault_mod_internal)
     def get_args(self):
         for arg in self.api.Command.vault_mod_internal.args():
@@ -579,7 +581,8 @@ class vault_archive(Local):
     @property
     def NO_CLI(self):
-        return self.api.Command.vault_archive_internal.NO_CLI
+        return isinstance(self.api.Command.vault_archive_internal,
+                          _fake_vault_archive_internal)
     def get_args(self):
         for arg in self.api.Command.vault_archive_internal.args():
@@ -827,7 +830,8 @@ class vault_retrieve(Local):
     @property
     def NO_CLI(self):
-        return self.api.Command.vault_retrieve_internal.NO_CLI
+        return isinstance(self.api.Command.vault_retrieve_internal,
+                          _fake_vault_retrieve_internal)
     def get_args(self):
         for arg in self.api.Command.vault_retrieve_internal.args():
--
2.7.4
SOURCES/0036-Minor-fix-in-ipa-replica-manage-MAN-page.patch
New file
@@ -0,0 +1,51 @@
From 1087492c74ed4f823c49314454b9db8bddf29ed2 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Tue, 12 Jul 2016 17:08:06 +0530
Subject: [PATCH] Minor fix in ipa-replica-manage MAN page
Fixes: https://fedorahosted.org/freeipa/ticket/6058
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 install/tools/man/ipa-replica-manage.1 | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index 68be0232fae9309b108e69f9144501be3277f503..34cd314a517ae2f74da7bc87d6336e62d7b57118 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-replica\-manage \- Manage an IPA replica
 .SH "SYNOPSIS"
@@ -163,15 +163,15 @@ Performing range changes as a delegated administrator (e.g. not using the Direct
 .TP
 List all masters:
  # ipa\-replica\-manage list
- srv1.example.com
- srv2.example.com
- srv3.example.com
- srv4.example.com
+ srv1.example.com: master
+ srv2.example.com: master
+ srv3.example.com: master
+ srv4.example.com: master
 .TP
 List a server's replication agreements.
  # ipa\-replica\-manage list srv1.example.com
- srv2.example.com
- srv3.example.com
+ srv2.example.com: replica
+ srv3.example.com: replica
 .TP
 Re\-initialize a replica:
  # ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
--
2.7.4
SOURCES/0036-webui-fix-regressions-failed-auth-messages.patch
File was deleted
SOURCES/0037-Validate-vault-s-file-parameters.patch
File was deleted
SOURCES/0037-compat-fix-ping-call.patch
New file
@@ -0,0 +1,31 @@
From f557f7487d9aae0c901a740b9a446568677b8bb3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 25 Jul 2016 15:58:20 +0200
Subject: [PATCH] compat: fix ping call
Copy & paste accident caused the ping command to be called with an unwanted
argument, which results in an exception.
Remove the argument to fix it.
https://fedorahosted.org/freeipa/ticket/6129
---
 ipaclient/remote_plugins/compat.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/remote_plugins/compat.py b/ipaclient/remote_plugins/compat.py
index 40521af450aafca83f33d1723b4fd9e27ef8d96f..aef5718fcaade157487c0e65562c3bc8a11ad7de 100644
--- a/ipaclient/remote_plugins/compat.py
+++ b/ipaclient/remote_plugins/compat.py
@@ -39,7 +39,7 @@ def get_package(api, client):
     try:
         server_version = env['result']['api_version']
     except KeyError:
-        ping = client.forward(u'ping', u'api_version', version=u'2.0')
+        ping = client.forward(u'ping', version=u'2.0')
         try:
             match = re.search(u'API version (2\.[0-9]+)', ping['summary'])
         except KeyError:
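Review bot: the `except KeyError` around `re.search` only covers a missing `summary` key in the ping result; when the summary is present but does not contain `API version`, `match` is `None`, so make sure the code following this hunk handles that case, since this branch is the fallback for older servers that do not report `api_version` in `env`.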
--
2.7.4
SOURCES/0038-certprofile-import-do-not-require-profileId-in-profi.patch
File was deleted
SOURCES/0038-replica-install-Fix-domain.patch
New file
@@ -0,0 +1,71 @@
From 42c09751aedf6289f983d4238ae1ff3b44b5f572 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspacek@redhat.com>
Date: Mon, 25 Jul 2016 15:54:43 +0200
Subject: [PATCH] replica-install: Fix --domain
Replica installation must not check existence of --domain - the domain
must (logically) exist.
https://fedorahosted.org/freeipa/ticket/6130
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/server/common.py  |  5 -----
 ipaserver/install/server/install.py | 14 +++++++++++---
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index 45fb2dc17976a08acab16783584524721411fb4e..e6093d15cd1067a83ed89945c4a9c983c66ec06f 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -284,11 +284,6 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
     @domain_name.validator
     def domain_name(self, value):
         validate_domain_name(value)
-        if (self.setup_dns and
-                not self.dns.allow_zone_overlap):  # pylint: disable=no-member
-            print("Checking DNS domain %s, please wait ..." % value)
-            check_zone_overlap(value, False)
-
     dm_password = Knob(
         str, None,
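Review bot: with the zone-overlap check removed from `BaseServer.domain_name`, `check_zone_overlap` is most likely no longer referenced in common.py, yet the diff shows no import removal; run pylint for unused-import. Also confirm no other subclass of `BaseServer` relied on the base validator doing the overlap check, since the patch re-adds it only on `Server` in install.py.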
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index c0c676b870b481696ae75742c7bf88074b0ecf9c..65f9318201e648b30a3c13626e807ac6f3a9416d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -17,6 +17,7 @@ import six
 from ipapython import certmonger, ipaldap, ipautil, sysrestore
 from ipapython.dn import DN
+from ipapython.dnsutil import check_zone_overlap
 from ipapython.install import core
 from ipapython.install.common import step
 from ipapython.install.core import Knob
@@ -1199,13 +1200,20 @@ class ServerCA(BaseServerCA):
 class Server(BaseServer):
-    realm_name = Knob(BaseServer.realm_name)
-    domain_name = Knob(BaseServer.domain_name)
-
     setup_ca = None
     setup_kra = None
     setup_dns = Knob(BaseServer.setup_dns)
+    realm_name = Knob(BaseServer.realm_name)
+    domain_name = Knob(BaseServer.domain_name)
+
+    @domain_name.validator
+    def domain_name(self, value):
+        if (self.setup_dns and
+                not self.dns.allow_zone_overlap):  # pylint: disable=no-member
+            print("Checking DNS domain %s, please wait ..." % value)
+            check_zone_overlap(value, False)
+
     dm_password = Knob(
         BaseServer.dm_password,
         description="Directory Manager password",
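Review bot: the new `Server.domain_name` validator calls only `check_zone_overlap`; unlike the removed `BaseServer` validator it does not call `validate_domain_name(value)`, so syntax validation of --domain on a master install now depends on `Knob(BaseServer.domain_name)` preserving the base validator. Please confirm it does, or call `validate_domain_name(value)` here explicitly. Minor: `check_zone_overlap(value, False)` passes an opaque positional flag; passing it as a keyword would make the intent readable at the call site.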
--
2.7.4
SOURCES/0039-idrange-fix-unassigned-global-variable.patch
New file
@@ -0,0 +1,33 @@
From 89bfc7c0a4b08c873e5c8b8dfad54cf895b742cd Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 29 Jul 2016 16:46:09 +0200
Subject: [PATCH] idrange: fix unassigned global variable
Global variable '_dcerpc_bindings_installed' is in some cases used
before assignment. This patch ensures that _dcerpc_bindings_installed is
always initialized.

https://fedorahosted.org/freeipa/ticket/6082
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/idrange.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index ccd67995e5b42634387e1064e7c819b711f3ef99..3e9db0b6b734513547423901a8b3212b3cee9147 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -35,6 +35,9 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
         _dcerpc_bindings_installed = True
     except ImportError:
         _dcerpc_bindings_installed = False
+else:
+    _dcerpc_bindings_installed = False
+
 ID_RANGE_VS_DNA_WARNING = """=======
 WARNING:
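Review bot: the `else` branch is a third copy of the `_dcerpc_bindings_installed = False` assignment (the `except ImportError` path already sets it). Initialising the variable to False once before the `if api.env.in_server ...` block and setting it to True only on a successful import gives the same behaviour with one assignment fewer and no branch to forget next time.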
--
2.7.4
SOURCES/0039-user-show-add-out-option-to-save-certificates-to-fil.patch
File was deleted
SOURCES/0040-re-set-canonical-principal-name-on-migrated-users.patch
New file
@@ -0,0 +1,86 @@
From 1dfba16f6d46a2811d0230f28abf0ea4621bfde2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 28 Jul 2016 10:42:58 +0200
Subject: [PATCH] re-set canonical principal name on migrated users
The migration procedure has been updated to re-set `krbcanonicalname`
attribute on migrated users as well as `krbprincipalname` so that migration
from FreeIPA versions supporting principal aliases does not break subsequent
authentication of migrated users.
https://fedorahosted.org/freeipa/ticket/6101
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/plugins/migration.py | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 7f634a7ccf8c49a4c8e0cc3fe2b2dce84b5cadff..404c4aeb08ff2ee018799af3a9224bec93c26f82 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -36,6 +36,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']:
 from ipalib import _
 from ipapython.dn import DN
 from ipapython.ipautil import write_tmp_file
+from ipapython.kerberos import Principal
 import datetime
 from ipaplatform.paths import paths
@@ -152,6 +153,32 @@ _supported_scopes = {u'base': SCOPE_BASE, u'onelevel': SCOPE_ONELEVEL, u'subtree
 _default_scope = u'onelevel'
+def _create_kerberos_principals(ldap, pkey, entry_attrs, failed):
+    """
+    Create 'krbprincipalname' and 'krbcanonicalname' attributes for incoming
+    user entry or skip it if there already is a user with such principal name.
+    The code does not search for `krbcanonicalname` since we assume that the
+    canonical principal name is always contained among values of
+    `krbprincipalname` attribute.Both `krbprincipalname` and `krbcanonicalname`
+    are set to default value generated from uid and realm.
+
+    Note: the migration does not currently preserve principal aliases
+    """
+    principal = Principal((pkey,), realm=api.env.realm)
+    try:
+        ldap.find_entry_by_attr(
+            'krbprincipalname', principal, 'krbprincipalaux', [''],
+            DN(api.env.container_user, api.env.basedn)
+        )
+    except errors.NotFound:
+        entry_attrs['krbprincipalname'] = principal
+        entry_attrs['krbcanonicalname'] = principal
+    except errors.LimitsExceeded:
+        failed[pkey] = unicode(_krb_failed_msg % unicode(principal))
+    else:
+        failed[pkey] = unicode(_krb_err_msg % unicode(principal))
+
+
 def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs):
     assert isinstance(dn, DN)
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
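Review bot: the docstring's assumption that the canonical name is always among the `krbprincipalname` values means a collision with an entry that carries the name only in `krbcanonicalname` would go undetected; if that state can exist on the target, search both attributes (an OR filter) rather than `krbprincipalname` alone. Two further points on this hunk: `principal` is now a `Principal` object rather than the unicode string the old code used, both as the search value in `find_entry_by_attr` and as the entry attribute value, so the LDAP layer must stringify it consistently in both places; and `entry_attrs['krbprincipalname'] = principal` unconditionally replaces whatever the source entry carried, so aliases are dropped silently as the note admits, which deserves at least an info-level log line. Docstring nit: missing space in "attribute.Both".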
@@ -217,19 +244,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
             except ValueError:  # object class not present
                 pass
-    # generate a principal name and check if it isn't already taken
-    principal = u'%s@%s' % (pkey, api.env.realm)
-    try:
-        ldap.find_entry_by_attr(
-            'krbprincipalname', principal, 'krbprincipalaux', [''],
-            DN(api.env.container_user, api.env.basedn)
-        )
-    except errors.NotFound:
-        entry_attrs['krbprincipalname'] = principal
-    except errors.LimitsExceeded:
-        failed[pkey] = unicode(_krb_failed_msg % principal)
-    else:
-        failed[pkey] = unicode(_krb_err_msg % principal)
+    _create_kerberos_principals(ldap, pkey, entry_attrs, failed)
     # Fix any attributes with DN syntax that point to entries in the old
     # tree
--
2.7.4
SOURCES/0040-store-certificates-issued-for-user-entries-as-userCe.patch
File was deleted
SOURCES/0041-Do-not-initialize-API-in-ipa-client-automount-uninst.patch
New file
@@ -0,0 +1,41 @@
From c92d242a215c7fb312aaeb07dd02f5783aec1817 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 28 Jul 2016 09:47:39 +0200
Subject: [PATCH] Do not initialize API in ipa-client-automount uninstall
API is not needed for uninstallation; it may only produce errors.
https://fedorahosted.org/freeipa/ticket/6072
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 client/ipa-client-automount | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index f06aa7f8d53ba2528bc2c023792771d5fd341e7c..08209c849f155a8394acddc6bb961be8fa68073c 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -378,6 +378,9 @@ def main():
         paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
         filemode='a', console_format='%(message)s')
+    if options.uninstall:
+        return uninstall(fstore, statestore)
+
     cfg = dict(
         context='cli_installer',
         in_server=False,
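Review bot: moving `return uninstall(fstore, statestore)` above the `cfg`/API setup is the intent of the patch, but the hunk shows only the logging setup before the new call site; confirm `fstore` and `statestore` are already initialised at that point, and that `uninstall()` does not depend on `api` or on `ca_cert_path` (computed in the second hunk, which now runs only on the install path).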
@@ -392,9 +395,6 @@ def main():
     if os.path.exists(paths.IPA_CA_CRT):
         ca_cert_path = paths.IPA_CA_CRT
-    if options.uninstall:
-        return uninstall(fstore, statestore)
-
     if statestore.has_state('autofs'):
         sys.exit('automount is already configured on this system.\n')
--
2.7.4
SOURCES/0041-Fix-incorrect-type-comparison-in-trust-fetch-domains.patch
File was deleted
SOURCES/0042-Correct-path-to-HTTPD-s-systemd-service-directory.patch
New file
@@ -0,0 +1,37 @@
From 0a0f32622b06234deb64a01376b0706a03650681 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 2 Aug 2016 16:58:07 +0200
Subject: [PATCH] Correct path to HTTPD's systemd service directory
Ticket #5681 and commit 586fee293f42388510fa5436af19460bbe1fdec5 changed
the location of the ipa.conf for Apache HTTPD. The variables
SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to
the wrong directory /etc/systemd/system/httpd.d/. The path is corrected
to /etc/systemd/system/httpd.service.d/.
https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
---
 ipaplatform/base/paths.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1507ac36da5b40447c951ee608053a09b2db2fc3..9c8eaf951df89d373796be3f354bd3c51a329902 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -126,8 +126,8 @@ class BasePathNamespace(object):
     SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
     SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/sysconfig/pki/tomcat/pki-tomcat"
     ETC_SYSTEMD_SYSTEM_DIR = "/etc/systemd/system/"
-    SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.d/"
-    SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.d/ipa.conf"
+    SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/httpd.service.d/"
+    SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/httpd.service.d/ipa.conf"
     SYSTEMD_CERTMONGER_SERVICE = "/etc/systemd/system/multi-user.target.wants/certmonger.service"
     SYSTEMD_IPA_SERVICE = "/etc/systemd/system/multi-user.target.wants/ipa.service"
     SYSTEMD_SSSD_SERVICE = "/etc/systemd/system/multi-user.target.wants/sssd.service"
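Review bot: `SYSTEMD_SYSTEM_HTTPD_IPA_CONF` repeats the directory literal instead of being derived from `SYSTEMD_SYSTEM_HTTPD_D_DIR` (for example via `os.path.join`); deriving one from the other would have prevented exactly this drift. Also, servers installed while the old constants were in effect may still carry a stale `/etc/systemd/system/httpd.d/ipa.conf` that systemd never read; an upgrade step should remove it so it is not mistaken for the live drop-in.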
--
2.7.4
SOURCES/0042-Fix-selector-of-protocol-for-LSA-RPC-binding-string.patch
File was deleted
SOURCES/0043-dcerpc-Simplify-generation-of-LSA-RPC-binding-string.patch
File was deleted
SOURCES/0043-vault-Catch-correct-exception-in-decrypt.patch
New file
@@ -0,0 +1,30 @@
From cc92fe8badfe32f4c55abfa8b249dc1f94936d7c Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 3 Aug 2016 10:35:40 +0200
Subject: [PATCH] vault: Catch correct exception in decrypt
ValueError is raised when decryption fails.
https://fedorahosted.org/freeipa/ticket/6160
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipaclient/plugins/vault.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index e3a1ae3a0ad767bcee843b7fa3743a934e02d18b..73ad09b38316d55b466b7973dbeffefc1b7bb528 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -164,7 +164,7 @@ def decrypt(data, symmetric_key=None, private_key=None):
                     label=None
                 )
             )
-        except AssertionError:
+        except ValueError:
             raise errors.AuthenticationError(
                 message=_('Invalid credentials'))
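Review bot: `ValueError` is far broader than the `AssertionError` it replaces: besides a failed OAEP/padding check it covers malformed keys and bad argument values, and all of them are now surfaced as "Invalid credentials". Collapsing them is defensible if the goal is not to leak decryption-oracle detail to the caller, but log the original exception at debug level before raising `AuthenticationError`, so genuine bugs are not hidden behind an authentication message.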
--
2.7.4
SOURCES/0044-Fixed-missing-KRA-agent-cert-on-replica.patch
File was deleted
SOURCES/0044-Increase-default-length-of-auto-generated-passwords.patch
New file
@@ -0,0 +1,138 @@
From 0d2e4dae80eb4140ea605ca88d9130b8bf3ec269 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 22 Jul 2016 16:41:29 +0200
Subject: [PATCH] Increase default length of auto generated passwords
Installer/IPA generates passwords for various purposes:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation
Length of passwords should be increased to 22, ~128 bits of entropy, to
be safe nowadays.
https://fedorahosted.org/freeipa/ticket/6116
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipapython/ipautil.py           | 3 ++-
 ipaserver/plugins/baseuser.py  | 5 +++--
 ipaserver/plugins/host.py      | 9 +++++++--
 ipaserver/plugins/stageuser.py | 5 +++--
 ipaserver/plugins/user.py      | 5 +++--
 5 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 9964fba4f694b57242b3bd3065a418917d977533..fdfebb65ecb8b62108852f6517b5ffb22fd7eedc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -57,7 +57,8 @@ from ipapython.dn import DN
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
-GEN_PWD_LEN = 12
+GEN_PWD_LEN = 22
+GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 # Having this in krb_utils would cause circular import
 KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
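Review bot: the "~128 bits" figure holds only for an alphabet of roughly 64 symbols (22 * log2(64) is about 132 bits); callers that pass a restricted set such as `host_pwd_chars` or `baseuser_pwdchars` get less per character, and those calls are pinned to `GEN_TMP_PWD_LEN = 12` in this patch anyway. The comment on `GEN_TMP_PWD_LEN` should state the assumption that makes 12 acceptable (the value is a one-time password consumed at enrollment or first login), and the entropy claim is better pinned by a unit test on `ipa_generate_password` than by a commit message.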
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index e4288a5a131157815ffb2452692a7edb342f6ac3..5e36a6620295351d4745bfc035f24349f8fb8295 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -34,7 +34,7 @@ from ipaserver.plugins.service import (
 from ipalib.request import context
 from ipalib import _
 from ipapython import kerberos
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipapython.ipavalidate import Email
 from ipalib.util import (
     normalize_sshpubkey,
@@ -552,7 +552,8 @@ class baseuser_mod(LDAPUpdate):
     def check_userpassword(self, entry_attrs, **options):
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
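Review bot: the call now passes `pwd_len=GEN_TMP_PWD_LEN` as a keyword, but the ipautil hunk above changes only the constants and does not show the `ipa_generate_password` signature; confirm the parameter really is named `pwd_len`, because a mismatch would only surface at runtime when `--random` is used.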
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 413dcf15e0423170d8334902b9dcf8fb5aa14de6..03c64c637cbba0aee1b6569f3b5dbe200953bff8 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -59,7 +59,11 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
     hostname_validator,
     set_krbcanonicalname
 )
-from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
+from ipapython.ipautil import (
+    ipa_generate_password,
+    CheckedIPAddress,
+    GEN_TMP_PWD_LEN
+)
 from ipapython.dnsutil import DNSName
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN
@@ -683,7 +687,8 @@ class host_add(LDAPCreate):
             if 'krbprincipal' in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].remove('krbprincipal')
         if options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(characters=host_pwd_chars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                characters=host_pwd_chars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
         certs = options.get('usercertificate', [])
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 3b9388f6020b9a6c40caedd36f3640a05a13da65..a219e3dace6da5e9c036122e9710b2acaaa42ebf 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -47,7 +47,7 @@ from ipalib.util import set_krbcanonicalname
 from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 if six.PY3:
@@ -339,7 +339,8 @@ class stageuser_add(baseuser_add):
         # If requested, generate a userpassword
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index b3ae7646fdcfa1dce10d90063dae2a24c091e8ee..935ea892cde9e2cb5b21f4714fd93e73c3fa53d5 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -63,7 +63,7 @@ from ipalib import _, ngettext
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
-from ipapython.ipautil import ipa_generate_password
+from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 if api.env.in_server:
@@ -517,7 +517,8 @@ class user_add(baseuser_add):
                 entry_attrs['gidnumber'] = group_attrs['gidnumber']
         if 'userpassword' not in entry_attrs and options.get('random'):
-            entry_attrs['userpassword'] = ipa_generate_password(baseuser_pwdchars)
+            entry_attrs['userpassword'] = ipa_generate_password(
+                baseuser_pwdchars, pwd_len=GEN_TMP_PWD_LEN)
             # save the password so it can be displayed in post_callback
             setattr(context, 'randompassword', entry_attrs['userpassword'])
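Review bot: this is the fourth copy of the same three-line block (baseuser_mod, host_add, stageuser_add, user_add) that generates a random password and stashes it on `context` for post_callback. A small helper in baseuser.py, say `set_random_userpassword(entry_attrs, characters)` (hypothetical name), would keep the length policy in one place so the next change to it does not need a five-file patch.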
--
2.7.4
SOURCES/0045-vault-add-missing-salt-option-to-vault_mod.patch
New file
@@ -0,0 +1,31 @@
From 001abcdca2026d0e1f51ca4e4e9d2cff052eadd7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 4 Aug 2016 14:14:15 +0200
Subject: [PATCH] vault: add missing salt option to vault_mod
The option was accidentally removed in commit
4b119e21a2f93ca16c5edf3d1058552b44feeaf8.
https://fedorahosted.org/freeipa/ticket/6154
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaclient/plugins/vault.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 73ad09b38316d55b466b7973dbeffefc1b7bb528..9026cbb0829a7557584df27a4262dfde640b4f28 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -413,7 +413,7 @@ class vault_mod(Local):
     def get_options(self):
         for option in self.api.Command.vault_mod_internal.options():
-            if option.name not in ('ipavaultsalt', 'version'):
+            if option.name != 'version':
                 yield option
         for option in super(vault_mod, self).get_options():
             yield option
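Review bot: the filter now hides only `version`, so every other option of `vault_mod_internal` is surfaced on the client command; that restores `ipavaultsalt` as intended, but it also means any future internal-only option is exposed by default. Either keep an explicit list of options to expose, or add a test asserting the client `vault_mod` option set, so a later refactor cannot silently drop `ipavaultsalt` again.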
--
2.7.4
SOURCES/0045-webui-add-LDAP-vs-Kerberos-behavior-description-to-u.patch
File was deleted
SOURCES/0046-Fix-ipa-hbactest-output.patch
New file
@@ -0,0 +1,46 @@
From 56f6fe1df44bc9d3f434b0bccd44bc11cda89999 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 2 Aug 2016 10:40:54 +0200
Subject: [PATCH] Fix ipa hbactest output
ipa hbactest command produces a Traceback (TypeError: cannot concatenate
'str' and 'bool' objects)
This happens because hbactest overrides output_for_cli but does not
properly handle the output for 'value' field. 'value' contains a boolean
but it should not be displayed (refer to ipalib/frontend.py,
Command.output_for_cli()).
Note that the issue did not appear before because the 'value' field
had a flag no_display.
https://fedorahosted.org/freeipa/ticket/6157
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaclient/plugins/hbactest.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py
index 2518719522c4eddff2e6bc341ee9a7c34b431938..1b54530b236cf654bc8ece7ab4e329850f5a6815 100644
--- a/ipaclient/plugins/hbactest.py
+++ b/ipaclient/plugins/hbactest.py
@@ -39,13 +39,15 @@ class hbactest(CommandOverride):
         # to be printed as our execute() method will return None for corresponding
         # entries and None entries will be skipped.
         for o in self.output:
+            if o == 'value':
+                continue
             outp = self.output[o]
             if 'no_display' in outp.flags:
                 continue
             result = output[o]
             if isinstance(result, (list, tuple)):
                 textui.print_attribute(unicode(outp.doc), result, '%s: %s', 1, True)
-            elif isinstance(result, (unicode, bool)):
+            elif isinstance(result, unicode):
                 if o == 'summary':
                     textui.print_summary(result)
                 else:
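Review bot: hardcoding `if o == 'value': continue` in the override duplicates what the `no_display` check two lines below already does; since the commit message says the `value` output used to carry that flag, restoring `no_display` on the output definition would fix the traceback without special-casing a name here. Note also that dropping `bool` from the `isinstance` tuple means any other boolean output would now be skipped silently instead of printed; if that is intended, say so in a comment.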
--
2.7.4
SOURCES/0046-Fix-upgrade-of-sidgen-and-extdom-plugins.patch
File was deleted
SOURCES/0047-Give-more-info-on-virtual-command-access-denial.patch
File was deleted
SOURCES/0047-install-fix-external-CA-cert-validation.patch
New file
@@ -0,0 +1,31 @@
From fdcaf9f8437fcd12220af125a4fe0871c6d33f47 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 4 Aug 2016 09:58:38 +0200
Subject: [PATCH] install: fix external CA cert validation
The code which loads the external CA cert chain was never executed because
of an incorrect usage of an iterator (iterating over it twice).
https://fedorahosted.org/freeipa/ticket/6166
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/installutils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 25f48aed1eeaa03353465bc40abf3484ec19bf3b..66ba33326adcdb47c2ba77c573ba9b66a82b365e 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1038,7 +1038,7 @@ def load_external_cert(files, subject_base):
<