The Identity, Policy and Audit system
CentOS Sources
2015-11-19 590d180adcbf36133f0b1a25f8e6e746d9658a53
import ipa-4.2.0-15.el7
144 files added
134 files deleted
12 files modified
Changed files (diffstat line counts in parentheses; 43778 in total):
.gitignore (2)
.ipa.metadata (2)
SOURCES/0001-Do-not-check-if-port-8443-is-available-in-step-2-of-.patch (54)
SOURCES/0001-Start-dirsrv-for-kdcproxy-upgrade.patch (72)
SOURCES/0002-Add-ipaSshPubkey-and-gidNumber-to-the-ACI-to-read-ID.patch (42)
SOURCES/0002-Fix-DNS-records-installation-for-replicas.patch (33)
SOURCES/0003-Fix-dns-zonemgr-validation-regression.patch (27)
SOURCES/0003-Prevent-to-rename-certprofile-profile-id.patch (29)
SOURCES/0004-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch (181)
SOURCES/0004-Stageusedr-activate-show-username-instead-of-DN.patch (36)
SOURCES/0005-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch (170)
SOURCES/0005-copy-schema-to-ca-allow-to-overwrite-schema-files.patch (72)
SOURCES/0006-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch (101)
SOURCES/0006-spec-file-Update-minimum-required-version-of-krb5.patch (48)
SOURCES/0007-Fix-possible-NULL-dereference-in-ipa-kdb.patch (34)
SOURCES/0007-do-not-import-memcache-on-client.patch (41)
SOURCES/0008-Fix-memory-leaks-in-ipa-extdom-extop.patch (57)
SOURCES/0008-selinux-enable-httpd_run_ipa-to-allow-communicating-.patch (49)
SOURCES/0009-Fix-various-bugs-in-ipa-opt-counter-and-ipa-otp-last.patch (102)
SOURCES/0009-oddjob-avoid-chown-keytab-to-sssd-if-sssd-user-does-.patch (50)
SOURCES/0010-Fix-memory-leak-in-ipa-pwd-extop.patch (60)
SOURCES/0010-webui-fix-user-reset-password-dialog.patch (61)
SOURCES/0011-Fix-memory-leaks-in-ipa-join.patch (107)
SOURCES/0011-fix-hbac-rule-search-for-non-admin-users.patch (35)
SOURCES/0012-Fix-various-bugs-in-ipap11helper.patch (108)
SOURCES/0012-fix-selinuxusermap-search-for-non-admin-users.patch (30)
SOURCES/0013-Deadlock-in-schema-compat-plugin-between-automember_.patch (83)
SOURCES/0013-Validate-adding-privilege-to-a-permission.patch (113)
SOURCES/0014-Stop-dirsrv-last-in-ipactl-stop.patch (47)
SOURCES/0014-migration-Use-api.env-variables.patch (85)
SOURCES/0015-Fix-upgrade-do-not-use-invalid-ldap-connection.patch (43)
SOURCES/0015-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch (44)
SOURCES/0016-Allow-value-no-for-replica-certify-all-attr-in-abort.patch (68)
SOURCES/0016-Ensure-that-a-password-exists-after-OTP-validation.patch (73)
SOURCES/0017-ipa-restore-Don-t-crash-if-AD-trust-is-not-installed.patch (53)
SOURCES/0017-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch (68)
SOURCES/0018-enable-debugging-of-ntpd-during-client-installation.patch (71)
SOURCES/0018-ranges-prohibit-setting-rid-base-with-ipa-trust-ad-p.patch (159)
SOURCES/0019-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch (288)
SOURCES/0019-ldapupdater-set-baserid-to-0-for-ipa-ad-trust-posix-.patch (102)
SOURCES/0020-idrange-include-raw-range-type-in-output.patch (29)
SOURCES/0020-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch (138)
SOURCES/0021-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch (503)
SOURCES/0021-webui-prohibit-setting-rid-base-with-ipa-trust-ad-po.patch (153)
SOURCES/0022-Fix-CA-certificate-backup-and-restore.patch (208)
SOURCES/0022-ipaplatform-Add-constants-submodule.patch (147)
SOURCES/0023-DNS-check-if-DNS-package-is-installed.patch (170)
SOURCES/0023-Fix-DNS-installer-adds-invalid-zonemgr-email.patch (43)
SOURCES/0024-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch (76)
SOURCES/0024-ipaplatform-Use-the-dirsrv-service-not-target.patch (37)
SOURCES/0025-Fix-DNS-policy-upgrade-raises-asertion-error.patch (29)
SOURCES/0025-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch (26)
SOURCES/0026-Fix-upgrade-referint-plugin.patch (153)
SOURCES/0026-fix-broken-search-for-users-by-their-manager.patch (72)
SOURCES/0027-Upgrade-fix-trusts-objectclass-violationi.patch (63)
SOURCES/0027-dcerpc-Add-get_trusted_domain_object_type-method.patch (62)
SOURCES/0028-Produce-better-error-in-group-add-command.patch (28)
SOURCES/0028-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch (98)
SOURCES/0029-Search-using-proper-scope-when-connecting-CA-instanc.patch (32)
SOURCES/0029-idviews-Enforce-objectclass-check-in-idoverride-del.patch (52)
SOURCES/0030-Fix-zonemgr-must-be-unicode-value.patch (30)
SOURCES/0030-idviews-Check-for-the-Default-Trust-View-only-if-app.patch (50)
SOURCES/0031-Fix-warning-message-should-not-contain-CLI-commands.patch (73)
SOURCES/0031-replication-Fix-incorrect-exception-invocation.patch (26)
SOURCES/0032-Fix-wrong-expiration-date-on-renewed-IPA-CA-certific.patch (54)
SOURCES/0032-webui-add-Kerberos-configuration-instructions-for-Ch.patch (149)
SOURCES/0033-Do-not-restore-SELinux-settings-that-were-not-backed.patch (43)
SOURCES/0033-Remove-ico-files-from-Makefile.patch (32)
SOURCES/0034-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch (47)
SOURCES/0034-Improve-otptoken-help-messages.patch (121)
SOURCES/0035-Ensure-users-exist-when-assigning-tokens-to-them.patch (34)
SOURCES/0035-ULC-Fix-stageused-add-from-delete-command.patch (46)
SOURCES/0036-Enable-QR-code-display-by-default-in-otptoken-add.patch (104)
SOURCES/0036-webui-fix-regressions-failed-auth-messages.patch (79)
SOURCES/0037-Show-warning-instead-of-error-if-CA-did-not-start.patch (32)
SOURCES/0037-Validate-vault-s-file-parameters.patch (139)
SOURCES/0038-certprofile-import-do-not-require-profileId-in-profi.patch (58)
SOURCES/0038-webui-fix-potential-XSS-vulnerabilities.patch (131)
SOURCES/0039-Raise-right-exception-if-domain-name-is-not-valid.patch (46)
SOURCES/0039-user-show-add-out-option-to-save-certificates-to-fil.patch (109)
SOURCES/0040-Restore-file-extended-attributes-and-SELinux-context.patch (38)
SOURCES/0040-store-certificates-issued-for-user-entries-as-userCe.patch (158)
SOURCES/0041-Fix-incorrect-type-comparison-in-trust-fetch-domains.patch (30)
SOURCES/0041-restore-clear-httpd-ccache-after-restore.patch (32)
SOURCES/0042-Fix-selector-of-protocol-for-LSA-RPC-binding-string.patch (37)
SOURCES/0042-Fix-user-group-ignore-attribute-in-migration-plugin.patch (45)
SOURCES/0043-Fix-filtering-of-enctypes-in-server-code.patch (98)
SOURCES/0043-dcerpc-Simplify-generation-of-LSA-RPC-binding-string.patch (29)
SOURCES/0044-Add-asn1c-generated-code-for-keytab-controls.patch (13109)
SOURCES/0044-Fixed-missing-KRA-agent-cert-on-replica.patch (53)
SOURCES/0045-Use-asn1c-helpers-to-encode-decode-the-getkeytab-con.patch (813)
SOURCES/0045-webui-add-LDAP-vs-Kerberos-behavior-description-to-u.patch (89)
SOURCES/0046-Fix-read_ip_addresses-should-return-ipaddr-object.patch (30)
SOURCES/0046-Fix-upgrade-of-sidgen-and-extdom-plugins.patch (99)
SOURCES/0047-Give-more-info-on-virtual-command-access-denial.patch (30)
SOURCES/0047-Use-correct-service-name-in-cainstance.backup_config.patch (29)
SOURCES/0048-Allow-SAN-extension-for-cert-request-self-service.patch (33)
SOURCES/0048-ipa-restore-Check-if-directory-is-provided-better-er.patch (54)
SOURCES/0049-Add-profile-for-DNP3-IEC-62351-8-certificates.patch (180)
SOURCES/0049-Stop-tracking-certificates-before-restoring-them-in-.patch (57)
SOURCES/0050-Fix-detection-of-encoding-in-zonemgr-option.patch (40)
SOURCES/0050-Work-around-python-nss-bug-on-unrecognised-OIDs.patch (50)
SOURCES/0051-adtrust-install-Correctly-determine-4.2-FreeIPA-serv.patch (35)
SOURCES/0051-webui-use-domain-name-instead-of-domain-SID-in-idran.patch (149)
SOURCES/0052-certprofile-import-improve-profile-format-documentat.patch (31)
SOURCES/0052-webui-normalize-idview-tab-labels.patch (48)
SOURCES/0053-Fix-default-CA-ACL-added-during-upgrade.patch (31)
SOURCES/0053-copy_schema_to_ca-Fallback-to-old-import-location-fo.patch (43)
SOURCES/0054-Fix-KRB5PrincipalName-UPN-SAN-comparison.patch (35)
SOURCES/0054-Remove-redefinition-of-LOG-from-ipa-otp-lasttoken.patch (29)
SOURCES/0055-Unload-P11_Helper-object-s-library-when-it-is-finali.patch (81)
SOURCES/0055-adjust-search-so-that-it-works-for-non-admin-users.patch (95)
SOURCES/0056-Fix-Kerberos-error-handling-in-ipa-sam.patch (28)
SOURCES/0056-validate-mutually-exclusive-options-in-vault-add.patch (38)
SOURCES/0057-Fix-unchecked-return-value-in-ipa-kdb.patch (28)
SOURCES/0057-idranges-raise-an-error-when-local-IPA-ID-range-is-b.patch (110)
SOURCES/0058-Fix-unchecked-return-values-in-ipa-winsync.patch (108)
SOURCES/0058-install-Fix-server-and-replica-install-options.patch (211)
SOURCES/0059-Fix-unchecked-return-value-in-ipa-join.patch (32)
SOURCES/0059-certprofile-add-profile-format-explanation.patch (49)
SOURCES/0060-Fix-unchecked-return-value-in-krb5-common-utils.patch (30)
SOURCES/0060-ULC-Prevent-preserved-users-from-being-assigned-memb.patch (155)
SOURCES/0061-Asymmetric-vault-validate-public-key-in-client.patch (45)
SOURCES/0061-Fix-memory-leak-in-GetKeytabControl-asn1-code.patch (52)
SOURCES/0062-AD-trust-improve-trust-validation.patch (75)
SOURCES/0062-add-permission-System-Manage-User-Certificates.patch (64)
SOURCES/0063-Add-TLS-1.2-to-the-protocol-list-in-mod_nss-config.patch (72)
SOURCES/0063-Add-permission-for-bypassing-CA-ACL-enforcement.patch (86)
SOURCES/0064-Added-CLI-param-and-ACL-for-vault-service-operations.patch (383)
SOURCES/0064-webui-add-radius-fields-to-user-page.patch (39)
SOURCES/0065-Fix-zonemgr-option-encoding-detection.patch (30)
SOURCES/0065-trusts-Detect-missing-Samba-instance.patch (189)
SOURCES/0066-Catch-USBError-during-YubiKey-location.patch (40)
SOURCES/0066-winsync-migrate-Add-warning-about-passsync.patch (38)
SOURCES/0067-Use-NSS-protocol-range-API-to-set-available-TLS-prot.patch (149)
SOURCES/0067-winsync-migrate-Expand-the-man-page.patch (57)
SOURCES/0068-Throw-zonemgr-error-message-before-installation-proc.patch (136)
SOURCES/0068-fix-typo-in-BasePathNamespace-member-pointing-to-ods.patch (55)
SOURCES/0069-certs-Fix-incorrect-flag-handling-in-load_cacert.patch (62)
SOURCES/0069-ipa-backup-archive-DNSSEC-zone-file-and-kasp.db.patch (28)
SOURCES/0070-Preliminary-refactoring-of-libotp-files.patch (2309)
SOURCES/0070-baseldap-Allow-overriding-member-param-label-in-LDAP.patch (40)
SOURCES/0071-Move-authentication-configuration-cache-into-libotp.patch (1207)
SOURCES/0071-vault-Fix-param-labels-in-output-of-vault-owner-comm.patch (59)
SOURCES/0072-Enable-last-token-deletion-when-password-auth-type-i.patch (327)
SOURCES/0072-Fixed-vault-container-ownership.patch (60)
SOURCES/0073-add-hosts-and-hostgroup-options-to-allow-retrieve-ke.patch (878)
SOURCES/0073-vault-normalize-service-principal-in-service-vault-o.patch (36)
SOURCES/0074-hosts-Display-assigned-ID-view-by-default-in-host-fi.patch (152)
SOURCES/0074-vault-validate-vault-type.patch (87)
SOURCES/0075-Prefer-TCP-connections-to-UDP-in-krb5-clients.patch (61)
SOURCES/0075-install-Fix-replica-install-with-custom-certificates.patch (43)
SOURCES/0076-trusts-harden-trust-fetch-domains-oddjobd-based-scri.patch (135)
SOURCES/0076-webui-fix-service-unprovisioning.patch (30)
SOURCES/0077-user-undel-Fix-error-messages.patch (41)
SOURCES/0077-webui-increase-duration-of-notification-messages.patch (30)
SOURCES/0078-Fix-automatic-CA-cert-renewal-endless-loop-in-dogtag.patch (34)
SOURCES/0078-Prohibit-deletion-of-predefined-profiles.patch (87)
SOURCES/0079-Do-not-renew-the-IPA-CA-cert-by-serial-number-in-dog.patch (34)
SOURCES/0079-improve-the-handling-of-krb5-related-errors-in-dnsse.patch (92)
SOURCES/0080-Improve-validation-of-instance-and-backend-options-i.patch (169)
SOURCES/0080-client-Add-support-for-multiple-IP-addresses-during-.patch (398)
SOURCES/0081-revert-removal-of-cn-attribute-from-idnsRecord.patch (31)
SOURCES/0081-vault-Fix-vault-find-with-criteria.patch (28)
SOURCES/0082-Check-subject-name-encoding-in-ipa-cacert-manage-ren.patch (51)
SOURCES/0082-vault-Add-container-information-to-vault-command-res.patch (112)
SOURCES/0083-Refer-the-user-to-freeipa.org-when-something-goes-wr.patch (68)
SOURCES/0083-Server-Upgrade-Start-DS-before-CA-is-started.patch (61)
SOURCES/0084-Show-SSHFP-record-containing-space-in-fingerprint.patch (37)
SOURCES/0084-cert-request-remove-allowed-extensions-check.patch (72)
SOURCES/0085-Always-add-etc-hosts-record-when-DNS-is-being-config.patch (31)
SOURCES/0085-client-Add-description-of-ip-address-and-all-ip-addr.patch (33)
SOURCES/0086-Avoid-calling-ldap-functions-without-a-context.patch (61)
SOURCES/0086-Backup-resore-authentication-control-configuration.patch (115)
SOURCES/0087-Add-flag-to-list-all-service-and-user-vaults.patch (179)
SOURCES/0087-Remove-the-removal-of-the-ccache.patch (38)
SOURCES/0088-Add-user-stage-command.patch (205)
SOURCES/0088-Fix-Upgrade-forwardzones-zones-after-adding-newer-re.patch (145)
SOURCES/0089-Fix-zone-find-during-forwardzone-upgrade.patch (36)
SOURCES/0089-trusts-format-Kerberos-principal-properly-when-fetch.patch (46)
SOURCES/0090-Change-internal-rsa_-public-private-_key-variable-na.patch (52)
SOURCES/0090-migrate-ds-fix-compat-plugin-check.patch (44)
SOURCES/0091-improve-the-usability-of-ipa-user-del-preserve-comma.patch (170)
SOURCES/0091-rpcclient-use-json_encode_binary-for-verbose-output.patch (52)
SOURCES/0092-DNSSEC-fix-forward-zone-forwarders-checks.patch (47)
SOURCES/0092-Remove-ipanttrustauthincoming-ipanttrustauthoutgoing.patch (29)
SOURCES/0093-Abort-backup-restoration-on-not-matching-host.patch (36)
SOURCES/0093-Added-support-for-changing-vault-encryption.patch (656)
SOURCES/0094-Fix-ipa-restore-on-systems-without-IPA-installed.patch (34)
SOURCES/0094-vault-change-default-vault-type-to-symmetric.patch (115)
SOURCES/0095-Remove-RUV-from-LDIF-files-before-using-them-in-ipa-.patch (76)
SOURCES/0095-fix-missing-information-in-object-metadata.patch (51)
SOURCES/0096-Fix-CA-certificate-renewal-syslog-alert.patch (28)
SOURCES/0096-webui-add-option-to-establish-bidirectional-trust.patch (46)
SOURCES/0097-Do-not-crash-on-unknown-services-in-installutils.sto.patch (46)
SOURCES/0097-Removed-clear-text-passwords-from-KRA-install-log.patch (95)
SOURCES/0098-Restart-dogtag-when-its-server-certificate-is-renewe.patch (65)
SOURCES/0098-certprofile-prevent-rename-modrdn.patch (30)
SOURCES/0099-Make-certificate-renewal-process-synchronized.patch (581)
SOURCES/0099-vault-Limit-size-of-data-stored-in-vault.patch (57)
SOURCES/0100-Fix-validation-of-ipa-restore-options.patch (313)
SOURCES/0100-ipactl-Do-not-start-stop-restart-single-service-mult.patch (89)
SOURCES/0101-Allow-PassSync-user-to-locate-and-update-NT-users.patch (284)
SOURCES/0101-cert-renewal-Include-KRA-users-in-Dogtag-LDAP-update.patch (46)
SOURCES/0102-Allow-Replication-Administrators-manipulate-Winsync-.patch (68)
SOURCES/0102-cert-renewal-Automatically-update-KRA-agent-PEM-file.patch (45)
SOURCES/0103-DNSSEC-remove-DNSSEC-is-experimental-warnings.patch (72)
SOURCES/0103-Do-not-assume-certmonger-is-running-in-httpinstance.patch (81)
SOURCES/0104-Backup-back-up-the-hosts-file.patch (27)
SOURCES/0104-Replication-Administrators-cannot-remove-replication.patch (41)
SOURCES/0105-Put-LDIF-files-to-their-original-location-in-ipa-res.patch (40)
SOURCES/0105-certprofile-remove-rename-option.patch (74)
SOURCES/0106-Add-anonymous-read-ACI-for-DUA-profile.patch (62)
SOURCES/0106-Installer-do-not-modify-etc-hosts-before-user-agreem.patch (235)
SOURCES/0107-DNSSEC-backup-and-restore-opendnssec-zone-list-file.patch (43)
SOURCES/0107-Revert-Make-all-ipatokenTOTP-attributes-mandatory.patch (34)
SOURCES/0108-Create-correct-log-directories-during-full-restore-i.patch (57)
SOURCES/0108-DNSSEC-remove-ccache-and-keytab-of-ipa-ods-exporter.patch (63)
SOURCES/0109-DNSSEC-prevent-ipa-ods-exporter-from-looping-after-s.patch (47)
SOURCES/0109-Do-not-crash-when-replica-is-unreachable-in-ipa-rest.patch (35)
SOURCES/0110-DNSSEC-Fix-deadlock-in-ipa-ods-exporter-ods-enforcer.patch (97)
SOURCES/0110-idviews-Allow-setting-ssh-public-key-on-ipauseroverr.patch (36)
SOURCES/0111-DNSSEC-Fix-HSM-synchronization-in-ipa-dnskeysyncd-wh.patch (27)
SOURCES/0111-Fix-ipa-pwd-extop-global-configuration-caching.patch (39)
SOURCES/0112-DNSSEC-Fix-key-metadata-export.patch (32)
SOURCES/0112-group-detach-does-not-add-correct-objectclasses.patch (25)
SOURCES/0113-Always-return-absolute-idnsname-in-dnszone-commands.patch (103)
SOURCES/0113-DNSSEC-Wrap-master-key-using-RSA-OAEP-instead-of-old.patch (40)
SOURCES/0114-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch (30)
SOURCES/0114-ldap-Make-ldap2-connection-management-thread-safe-ag.patch (177)
SOURCES/0115-Using-LDAPI-to-setup-CA-and-KRA-agents.patch (271)
SOURCES/0115-ipalib-Make-sure-correct-attribute-name-is-reference.patch (47)
SOURCES/0116-Restore-default.conf-and-use-it-to-build-API.patch (164)
SOURCES/0116-load-RA-backend-plugins-during-standalone-CA-install.patch (35)
SOURCES/0117-Handle-timeout-error-in-ipa-httpd-kdcproxy.patch (39)
SOURCES/0117-Limit-deadlocks-between-DS-plugin-DNA-and-slapi-nis.patch (62)
SOURCES/0118-Add-configure-check-for-cwrap-libraries.patch (53)
SOURCES/0118-Server-Upgrade-backup-CS.cfg-when-dogtag-is-turned-o.patch (36)
SOURCES/0119-IPA-Restore-allows-to-specify-files-that-should-be-r.patch (75)
SOURCES/0119-extdom-handle-ERANGE-return-code-for-getXXYYY_r-call.patch (776)
SOURCES/0120-config-allow-user-host-attributes-with-tagging-optio.patch (35)
SOURCES/0120-extdom-make-nss-buffer-configurable.patch (254)
SOURCES/0121-extdom-return-LDAP_NO_SUCH_OBJECT-to-the-client.patch (32)
SOURCES/0121-winsync-Add-inetUser-objectclass-to-the-passsync-sys.patch (52)
SOURCES/0122-baseldap-make-subtree-deletion-optional-in-LDAPDelet.patch (37)
SOURCES/0122-extdom-fix-memory-leak.patch (25)
SOURCES/0123-certstore-Make-certificate-retrieval-more-robust.patch (128)
SOURCES/0123-vault-add-vault-container-commands.patch (364)
SOURCES/0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch (60)
SOURCES/0124-vault-set-owner-to-current-user-on-container-creatio.patch (50)
SOURCES/0125-client-Fix-ca_is_enabled-calls.patch (53)
SOURCES/0125-vault-update-access-control.patch (51)
SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch (106)
SOURCES/0126-vault-add-permissions-and-administrator-privilege.patch (196)
SOURCES/0127-install-support-KRA-update.patch (213)
SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch (55)
SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch (155)
SOURCES/0128-webui-use-manual-Firefox-configuration-for-Firefox-4.patch (130)
SOURCES/0129-ipa-backup-Add-mechanism-to-store-empty-directory-st.patch (130)
SOURCES/0130-install-create-kdcproxy-user-during-server-install.patch (131)
SOURCES/0131-destroy-httpd-ccache-after-stopping-the-service.patch (27)
SOURCES/0132-platform-add-option-to-create-home-directory-when-ad.patch (70)
SOURCES/0133-install-fix-kdcproxy-user-home-directory.patch (57)
SOURCES/0134-winsync-migrate-Convert-entity-names-to-posix-friend.patch (104)
SOURCES/0135-winsync-migrate-Properly-handle-collisions-in-the-na.patch (57)
SOURCES/0136-Fix-an-integer-underflow-bug-in-libotp.patch (37)
SOURCES/0137-do-not-overwrite-files-with-local-users-groups-when-.patch (50)
SOURCES/0138-install-fix-KRA-agent-PEM-file-permissions.patch (153)
SOURCES/0139-install-always-export-KRA-agent-PEM-file.patch (97)
SOURCES/0140-vault-select-a-server-with-KRA-for-vault-operations.patch (72)
SOURCES/0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch (32)
SOURCES/0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch (33)
SOURCES/0143-vault-fix-private-service-vault-creation.patch (53)
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch (151)
SOURCES/1002-Remove-pkinit-plugin.patch (8)
SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch (18)
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch (197)
SOURCES/1005-Remove-pylint-from-build-process.patch (8)
SOURCES/1006-Remove-i18test-from-build-process.patch (6)
SOURCES/1007-Do-not-build-tests.patch (8)
SOURCES/1008-RCUE.patch (56)
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch (84)
SOURCES/1010-Disable-DNSSEC-support.patch (512)
SOURCES/1010-WebUI-add-API-browser-is-experimental-warning.patch (41)
SOURCES/1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch (59)
SOURCES/1012-Expand-the-token-auth-sync-windows.patch (43)
SOURCES/1013-extdom-fix-wrong-realloc-size.patch (25)
SOURCES/1014-fix-Makefile.am-for-daemons.patch (63)
SOURCES/ipa-centos-branding.patch (38)
SPECS/ipa.spec (953)
.gitignore
@@ -1,4 +1,4 @@
SOURCES/freeipa-4.1.0.tar.gz
SOURCES/freeipa-4.2.0.tar.gz
SOURCES/header-logo.png
SOURCES/login-screen-background.jpg
SOURCES/login-screen-logo.png
.ipa.metadata
@@ -1,4 +1,4 @@
40a07c0e64a696dccb5d377c635db136cbc7c2a5 SOURCES/freeipa-4.1.0.tar.gz
40a1587de7d78f4e01bfb3775ab3f4e264c56e4c SOURCES/freeipa-4.2.0.tar.gz
77c318cf1f4fc25cf847de0692a77859a767c0e3 SOURCES/header-logo.png
8727245558422bf966d60677568925f081b8e299 SOURCES/login-screen-background.jpg
24a29d79efbd0906777be4639957abda111fca4b SOURCES/login-screen-logo.png
SOURCES/0001-Do-not-check-if-port-8443-is-available-in-step-2-of-.patch
File was deleted
SOURCES/0001-Start-dirsrv-for-kdcproxy-upgrade.patch
New file
@@ -0,0 +1,72 @@
From 5e1ff6ef5fa35715a5b9995388c6d7b16375ac23 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 10 Jul 2015 18:18:29 +0200
Subject: [PATCH] Start dirsrv for kdcproxy upgrade
The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv
instance. Under some circumstances the dirsrv isn't running. The patch
rearranges some upgrade steps and starts DS before enable_kdcproxy().
https://fedorahosted.org/freeipa/ticket/5113
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/server/upgrade.py | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 84a5b06accb10663eaa4d995f66796366040e9c8..f295655dc2aa592e0215f15017c9b65af49eef80 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1396,22 +1396,6 @@ def upgrade_configuration():
     http.change_mod_nss_port_from_http()
     http.configure_certmonger_renewal_guard()
-    if not http.is_kdcproxy_configured():
-        root_logger.info('[Enabling KDC Proxy]')
-        if http.admin_conn is None:
-            http.ldapi = True
-            http.fqdn = fqdn
-            http.realm = api.env.realm
-            http.suffix = ipautil.realm_to_suffix(api.env.realm)
-            http.ldap_connect()
-        http.create_kdcproxy_conf()
-        http.enable_kdcproxy()
-
-    http.stop()
-    update_mod_nss_protocol(http)
-    fix_trust_flags()
-    http.start()
-
     ds = dsinstance.DsInstance()
     ds.configure_dirsrv_ccache()
@@ -1433,6 +1417,25 @@ def upgrade_configuration():
     ds.suffix = ipautil.realm_to_suffix(api.env.realm)
     ds_enable_sidgen_extdom_plugins(ds)
+    # Now 389-ds is available, run the remaining http tasks
+    if not http.is_kdcproxy_configured():
+        root_logger.info('[Enabling KDC Proxy]')
+        if http.admin_conn is None:
+             # 389-ds needs to be running
+            ds.start()
+            http.ldapi = True
+            http.fqdn = fqdn
+            http.realm = api.env.realm
+            http.suffix = ipautil.realm_to_suffix(api.env.realm)
+            http.ldap_connect()
+        http.create_kdcproxy_conf()
+        http.enable_kdcproxy()
+
+    http.stop()
+    update_mod_nss_protocol(http)
+    fix_trust_flags()
+    http.start()
+
     uninstall_selfsign(ds, http)
     simple_service_list = (
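Review bot: the comment line `# 389-ds needs to be running` inserted just above `ds.start()` is indented one space deeper than the statement it describes; align it with `ds.start()` so style checkers stay quiet. More substantively, `ds.start()` only runs on the `http.admin_conn is None` path, so the block assumes that a non-None `admin_conn` already implies a running directory server. That holds for the way the connection is created, but either a comment saying so or an unconditional `ds.start()` before the `if` would make the dependency the commit message describes explicit instead of implied.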
--
2.1.0
SOURCES/0002-Add-ipaSshPubkey-and-gidNumber-to-the-ACI-to-read-ID.patch
File was deleted
SOURCES/0002-Fix-DNS-records-installation-for-replicas.patch
New file
@@ -0,0 +1,33 @@
From 8610ddbee7025286881c1b470e13f0a5ff6a4452 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 10 Jul 2015 12:58:19 -0400
Subject: [PATCH] Fix DNS records installation for replicas
Ticket: https:/fedorahosted.org/freeipa/ticket/5116
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a78eeb331c1f3f4f2233abb9e65bdde79eee4000..1ad291a1eada080361031a5723a0ea61679fc72e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -503,9 +503,9 @@ def install_check(installer):
     if options.setup_dns:
         dns.install_check(False, True, options, config.host_name)
     else:
-        installutils.get_server_ip_address(config.host_name, fstore,
-                                           not installer.interactive, False,
-                                           options.ip_addresses)
+        config.ips = installutils.get_server_ip_address(
+            config.host_name, fstore, not installer.interactive, False,
+            options.ip_addresses)
     # check connection
     if not options.skip_conncheck:
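Review bot: `config.ips` is now populated only on the `else` branch; the `options.setup_dns` branch calls `dns.install_check(...)` and never assigns `config.ips` in this hunk, so whatever later consumes `config.ips` (the replica DNS record installation the subject line refers to) must either tolerate the attribute being unset or rely on `dns.install_check` setting it. A one-line comment here, or a test that exercises both the `--setup-dns` and the plain path, would guard against the same regression reappearing.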
--
2.1.0
SOURCES/0003-Fix-dns-zonemgr-validation-regression.patch
File was deleted
SOURCES/0003-Prevent-to-rename-certprofile-profile-id.patch
New file
@@ -0,0 +1,29 @@
From 51f03f45f6cdab9da0479f48093951ccdd7cdab0 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 9 Jul 2015 17:17:21 +0200
Subject: [PATCH] Prevent to rename certprofile profile id
https://fedorahosted.org/freeipa/ticket/5074
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/certprofile.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 6f9a41875b2a276b521219156e630817a9c41fdc..5550ed942521dbab2e783fba1570520268f9b378 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -291,6 +291,9 @@ class certprofile_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         ca_enabled_check()
+        # Once a profile id is set it cannot be changed
+        if 'cn' in entry_attrs:
+            raise errors.ACIError(info=_('cn is immutable'))
         if 'file' in options:
             with self.api.Backend.ra_certprofile as profile_api:
                 profile_api.disable_profile(keys[0])
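Review bot: `errors.ACIError(info=_('cn is immutable'))` reports a validation problem as an access-control denial, which misleads the caller and anyone scanning logs for real ACI failures; `errors.ValidationError(name='cn', error=_('cn is immutable'))` describes the situation accurately and keeps ACI errors meaningful. The placement is right: the check fires before the `'file' in options` branch, so an attempted rename never reaches `disable_profile`/re-import of the profile.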
--
2.1.0
SOURCES/0004-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch
File was deleted
SOURCES/0004-Stageusedr-activate-show-username-instead-of-DN.patch
New file
@@ -0,0 +1,36 @@
From 5fb2c0f8c7237214f870d341cc10a2ccda48d117 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 10 Jul 2015 14:47:59 +0200
Subject: [PATCH] Stageusedr-activate: show username instead of DN
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.
https://fedorahosted.org/freeipa/ticket/5038
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipalib/plugins/stageuser.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index 35e636ded4474b00ad635c60340aaf66e6b41752..6cbc8f4ab07f2c1172f2b2c45bfe8f30a74938b3 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -682,8 +682,9 @@ class stageuser_activate(LDAPQuery):
                 active_dn, ['dn']
             )
             assert isinstance(staging_dn, DN)
-            raise errors.DuplicateEntry(message=_('Active user %(user)s already exists') % dict(
-                            user=test_entry_attrs.dn))
+            raise errors.DuplicateEntry(
+                message=_('active user with name "%(user)s" already exists') %
+                dict(user=args[-1]))
         except errors.NotFound:
             pass
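Review bot: the unchanged `assert isinstance(staging_dn, DN)` sits inside the block that just looked up `active_dn`, which reads like a leftover from the staging lookup; asserting on `active_dn`, or dropping the assert, would make the intent clear. The rewritten message uses `args[-1]` for the name, which matches the `stageuser-add`/`user-add` wording the commit message aims for.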
--
2.1.0
SOURCES/0005-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch
File was deleted
SOURCES/0005-copy-schema-to-ca-allow-to-overwrite-schema-files.patch
New file
@@ -0,0 +1,72 @@
From 7919e3c6b245adb0f6d6743edaf03da704259b5d Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 10 Jul 2015 14:17:02 +0200
Subject: [PATCH] copy-schema-to-ca: allow to overwrite schema files
If content of source and target file differs, the script will ask user
for permission to overwrite target file.
https://fedorahosted.org/freeipa/ticket/5034
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/share/copy-schema-to-ca.py | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 1614e11636c2f52e231ea2ff40d882209194c60a..ff6c3568586f9f4b3fac7f848869e74d0db0df34 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -15,6 +15,8 @@ import sys
 import pwd
 import shutil
+from hashlib import sha1
+
 from ipapython import ipautil, dogtag
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipaserver.install.dsinstance import DS_USER, schema_dirname
@@ -42,6 +44,11 @@ SCHEMA_FILENAMES = (
 )
+def _sha1_file(filename):
+    with open(filename, 'rb') as f:
+        return sha1(f.read()).hexdigest()
+
+
 def add_ca_schema():
     """Copy IPA schema files into the CA DS instance
     """
@@ -54,9 +61,25 @@ def add_ca_schema():
             root_logger.debug('File does not exist: %s', source_fname)
             continue
         if os.path.exists(target_fname):
-            root_logger.info(
-                'Target exists, not overwriting: %s', target_fname)
-            continue
+            target_sha1 = _sha1_file(target_fname)
+            source_sha1 = _sha1_file(source_fname)
+            if target_sha1 != source_sha1:
+                target_size = os.stat(target_fname).st_size
+                source_size = os.stat(source_fname).st_size
+                root_logger.info('Target file %s exists but the content is '
+                                 'different', target_fname)
+                root_logger.info('\tTarget file: sha1: %s, size: %s B',
+                                 target_sha1, target_size)
+                root_logger.info('\tSource file: sha1: %s, size: %s B',
+                                 source_sha1, source_size)
+                if not ipautil.user_input("Do you want replace %s file?" %
+                                          target_fname, True):
+                    continue
+
+            else:
+                root_logger.info(
+                    'Target exists, not overwriting: %s', target_fname)
+                continue
         try:
             shutil.copyfile(source_fname, target_fname)
         except IOError, e:
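Review bot: `ipautil.user_input("Do you want replace %s file?" % target_fname, True)` defaults the answer to yes, so an operator who presses Enter at the prompt overwrites a CA schema file; for a destructive action the default should be `False`, and the prompt text is missing a word (`Do you want to replace %s?`). The stray blank line between `continue` and `else:` should also go. Using SHA-1 via `_sha1_file` is fine here because it only detects that two local files differ; it is not being used as an integrity or authenticity check.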
--
2.1.0
SOURCES/0006-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch
File was deleted
SOURCES/0006-spec-file-Update-minimum-required-version-of-krb5.patch
New file
@@ -0,0 +1,48 @@
From 6bc5c6e1d7af6229e8c6f547951b0b3314ca5f12 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 15 Jul 2015 08:45:53 +0000
Subject: [PATCH] spec file: Update minimum required version of krb5
Automatically require the krb5 version used at build time.
https://fedorahosted.org/freeipa/ticket/5132
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 freeipa.spec.in | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e78ad1a0851186c7fdb5ab0a4649b64b2b1e010f..a819710b2bad16a5c17b77670cdb29cb4b09ad8f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -11,6 +11,8 @@
 %global selinux_policy_version 3.12.1-179
 %endif
+%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
+
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
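Review bot: the new `%define krb5_base_version` breaks the `%global` convention used by every neighbouring macro in this block (`selinux_policy_version`, `plugin_dir`, `etc_systemd_dir`); `%define` and `%global` differ in scope and in when the body is expanded, so use `%global` for consistency. The `rpm -q ... krb5-devel` shell-out also means the spec only parses correctly on a host with `krb5-devel` installed; that is satisfied on the build box through `BuildRequires`, but a comment saying the macro is derived from the build-time package would help the next maintainer.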
@@ -52,7 +54,7 @@ BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
 BuildRequires:  openssl-devel
 BuildRequires:  openldap-devel
-BuildRequires:  krb5-devel >= 1.11
+BuildRequires:  krb5-devel >= 1.13
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
 BuildRequires:  libcurl-devel >= 7.21.7-2
@@ -119,7 +121,7 @@ Requires: 389-ds-base >= 1.3.4.0
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
-Requires: krb5-server >= 1.11.5-5
+Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
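Review bot: replacing `Requires: krb5-server >= 1.11.5-5` with `Requires(post): krb5-server ...` changes the dependency's meaning: `Requires(post)` only guarantees the package is present when the `%post` scriptlet runs and does not on its own prevent `krb5-server` from being removed later while the server package stays installed. Unless a plain `Requires: krb5-server` exists elsewhere in the spec, keep a plain `Requires:` with the same `%{krb5_base_version}` range alongside the `Requires(post):` line.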
--
2.1.0
SOURCES/0007-Fix-possible-NULL-dereference-in-ipa-kdb.patch
File was deleted
SOURCES/0007-do-not-import-memcache-on-client.patch
New file
@@ -0,0 +1,41 @@
From 0def5f5e160f6ebdf766d956721b70c26372a0b6 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Thu, 16 Jul 2015 10:17:26 +0200
Subject: [PATCH] do not import memcache on client
Fixes regression caused by cd3ca94ff2ef738cb3a9eae502193413058f976d.
Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server
https://fedorahosted.org/freeipa/ticket/5133
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/session.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/session.py b/ipalib/plugins/session.py
index 3fd566d3224a13b5fbaa4450f02855329a13bc4c..b03b6b41032ab7f00ff9b75e23b5f998353a7ea5 100644
--- a/ipalib/plugins/session.py
+++ b/ipalib/plugins/session.py
@@ -2,11 +2,13 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
-from ipalib import Command
+from ipalib import api, Command
 from ipalib.request import context
-from ipalib.session import session_mgr
 from ipalib.plugable import Registry
+if api.env.in_server:
+    from ipalib.session import session_mgr
+
 register = Registry()
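Review bot: guarding `from ipalib.session import session_mgr` with `if api.env.in_server:` leaves `session_mgr` undefined on the client, so every use of it in this module must sit under the same condition or on a server-only code path, otherwise the client fails later with a `NameError` instead of at import time. Reading `api.env.in_server` at import time also assumes `api.bootstrap()` has run before plugins are imported; that is true for the plugin loader, but a one-line comment would save the next reader the question.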
--
2.4.3
SOURCES/0008-Fix-memory-leaks-in-ipa-extdom-extop.patch
File was deleted
SOURCES/0008-selinux-enable-httpd_run_ipa-to-allow-communicating-.patch
New file
@@ -0,0 +1,49 @@
From aad359de280a0c28e9a9305fd93b48cd40ddddd8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 14 Jul 2015 11:11:36 +0000
Subject: [PATCH] selinux: enable httpd_run_ipa to allow communicating with
 oddjobd services
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.
This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.
Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 freeipa.spec.in                   | 2 +-
 ipaserver/install/httpinstance.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a819710b2bad16a5c17b77670cdb29cb4b09ad8f..5790f7941d2117ed95d3c99556f1579c27917270 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -8,7 +8,7 @@
 %global selinux_policy_version 3.12.1-153
 %else
 %global samba_version 2:4.0.5-1
-%global selinux_policy_version 3.12.1-179
+%global selinux_policy_version 3.13.1-128.6
 %endif
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index f5f2a86fca3a1ff3e9123d08052a7e57b50a94fe..792825621f68844a2b0b1265eeeb37e4247d66f8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -46,6 +46,7 @@ from ipaplatform import services
 SELINUX_BOOLEAN_SETTINGS = dict(
     httpd_can_network_connect='on',
     httpd_manage_ipa='on',
+    httpd_run_ipa='on',
 )
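Review bot: `httpd_run_ipa='on'` is added to `SELINUX_BOOLEAN_SETTINGS` and the matching `selinux_policy_version` bump to `3.13.1-128.6` is in the spec hunk above, so fresh installs get a policy that knows the boolean. Confirm that the code applying `SELINUX_BOOLEAN_SETTINGS` treats an unknown boolean on a host with an older policy as a warning rather than an installer failure, and that `ipa-server-upgrade` also applies the new boolean on existing servers, since those never rerun the installer.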
--
2.4.3
SOURCES/0009-Fix-various-bugs-in-ipa-opt-counter-and-ipa-otp-last.patch
File was deleted
SOURCES/0009-oddjob-avoid-chown-keytab-to-sssd-if-sssd-user-does-.patch
New file
@@ -0,0 +1,50 @@
From cc4f00b7fcbd01dcdfd920feda39cdd0344e7cd7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 16 Jul 2015 14:11:26 +0300
Subject: [PATCH] oddjob: avoid chown keytab to sssd if sssd user does not
 exist
If sssd user does not exist, it means SSSD does not run as sssd user.
Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.
Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.
https://fedorahosted.org/freeipa/ticket/5136
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/oddjob/com.redhat.idm.trust-fetch-domains | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index 85e3cc993b28f983f7e7ae068d9f9f135bab876e..e50c81e50e73b258bf08737c2d9a13a8832eb69f 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -45,8 +45,13 @@ def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
                                             env={'KRB5CCNAME': ccache_name, 'LANG': 'C'},
                                             raiseonerr=False)
     # Make sure SSSD is able to read the keytab
-    sssd = pwd.getpwnam('sssd')
-    os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    try:
+        sssd = pwd.getpwnam('sssd')
+        os.chown(oneway_keytab_name, sssd[2], sssd[3])
+    except KeyError as e:
+        # If user 'sssd' does not exist, we don't need to chown from root to sssd
+        # because it means SSSD does not run as sssd user
+        pass
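Review bot: `except KeyError as e:` binds `e` but never uses it, and the bare `pass` hides the decision; drop the `as e` and log at debug level that the keytab is being left `root:root` because no `sssd` user exists, so the choice is visible later if an SSSD that does run as `sssd` cannot read the file. Note that the `try` body also wraps `os.chown`, which raises `OSError` rather than `KeyError`, so a genuine chown failure still propagates, which is the right behaviour.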
 def parse_options():
--
2.4.3
SOURCES/0010-Fix-memory-leak-in-ipa-pwd-extop.patch
File was deleted
SOURCES/0010-webui-fix-user-reset-password-dialog.patch
New file
@@ -0,0 +1,61 @@
From 29bc4045aebbe06c9c4dc6985749b809b12d785e Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Tue, 14 Jul 2015 17:55:48 +0200
Subject: [PATCH] webui: fix user reset password dialog
Could not open user password dialog.
regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee
https://fedorahosted.org/freeipa/ticket/5131
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 install/ui/src/freeipa/dialogs/password.js | 1 -
 install/ui/src/freeipa/user.js             | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/install/ui/src/freeipa/dialogs/password.js b/install/ui/src/freeipa/dialogs/password.js
index f25f7ac60477b1c85b5a6ede23cd93724a89e642..aa9bf44fc49b890fb5393119335b13c622f48879 100644
--- a/install/ui/src/freeipa/dialogs/password.js
+++ b/install/ui/src/freeipa/dialogs/password.js
@@ -48,7 +48,6 @@ dialogs.password.default_fields_pre_op =  function(spec) {
     spec.title = spec.title || '@i18n:password.reset_password';
     spec.width = spec.width || 400;
-    spec.method = spec.method || 'mod';
     spec.success_message = spec.success_message || '@i18n:password.password_change_complete';
     spec.confirm_button_label = spec.confirm_button_label || '@i18n:password.reset_password';
     spec.sections = spec.sections || [
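Review bot: dropping the `spec.method = spec.method || 'mod'` default means any caller that relied on it now hands over a dialog spec without a `method`; `user.js` is switched to `dialogs.command_dialog` in the next file, but other consumers of `dialogs.password` should be grepped for before merging so that none of them ends up issuing a command with an undefined method.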
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index e30311bbf0763d9efbc38fdb19e80e114e7636c9..0e828c16b999ffd58504bc4e53d2748bcd16b042 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -29,13 +29,14 @@ define([
         './reg',
         './rpc',
         './text',
+        './dialog',
         './dialogs/password',
         './details',
         './search',
         './association',
         './entity',
         './certificate'],
-    function(builder, IPA, $, phases, reg, rpc, text, password_dialog) {
+    function(builder, IPA, $, phases, reg, rpc, text, dialogs) {
 /**
  * User module
@@ -638,7 +639,7 @@ IPA.user.password_dialog_pre_op = function(spec) {
 IPA.user.password_dialog = function(spec) {
-    var that = password_dialog.dialog(spec);
+    var that = dialogs.command_dialog(spec);
     that.is_self_service = function() {
         var self_service = that.args[0] === IPA.whoami.uid[0];
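Review bot: `'./dialogs/password'` stays in the dependency array but no longer has a named parameter (`dialogs` now binds to the `'./dialog'` entry inserted one position earlier), so the module is loaded only for its side effect of registering the password dialog pre-op. A comment on the dependency list saying it is kept on purpose will stop someone from removing it as unused; positional AMD argument lists are easy to misalign, which is exactly the class of mistake this patch is fixing.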
--
2.4.3
SOURCES/0011-Fix-memory-leaks-in-ipa-join.patch
File was deleted
SOURCES/0011-fix-hbac-rule-search-for-non-admin-users.patch
New file
@@ -0,0 +1,35 @@
From f8a4727b7e77e377e4c63c0ebd98a67f4f84bdb4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Tue, 14 Jul 2015 18:04:33 +0200
Subject: [PATCH] fix hbac rule search for non-admin users
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipalib/plugins/hbacrule.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 34bdc9bdfe03f01662851bd5aea9daf9e28823d0..82a52bd80f58ede43249264db69acd193233448d 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -124,7 +124,7 @@ class hbacrule(LDAPObject):
         'description', 'usercategory', 'hostcategory',
         'servicecategory', 'ipaenabledflag',
         'memberuser', 'sourcehost', 'memberhost', 'memberservice',
-        'memberhostgroup', 'externalhost',
+        'externalhost',
     ]
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
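Review bot: removing `'memberhostgroup'` from `default_attributes` fixes the symptom, but the root cause described in the message (one unreadable attribute silently turning a filtered search into an empty result) deserves a regression test that runs `hbacrule-find` with a filter as a non-admin user, so the next schema or ACI drift is caught before release.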
--
2.4.3
SOURCES/0012-Fix-various-bugs-in-ipap11helper.patch
File was deleted
SOURCES/0012-fix-selinuxusermap-search-for-non-admin-users.patch
New file
@@ -0,0 +1,30 @@
From d234274f7e99a7eeff89e4039cf176a4b15147ec Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 16 Jul 2015 15:07:05 +0200
Subject: [PATCH] fix selinuxusermap search for non-admin users
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipalib/plugins/selinuxusermap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 76668b4692d4374fd09a83d6c28cb6cb2b20c958..e1a16af5004a5f4fd01166230ddd586068b6b556 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -143,7 +143,7 @@ class selinuxusermap(LDAPObject):
         'cn', 'ipaenabledflag',
         'description', 'usercategory', 'hostcategory',
         'ipaenabledflag', 'memberuser', 'memberhost',
-        'memberhostgroup', 'seealso', 'ipaselinuxuser',
+        'seealso', 'ipaselinuxuser',
     ]
     uuid_attribute = 'ipauniqueid'
     rdn_attribute = 'ipauniqueid'
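Review bot: `'ipaenabledflag'` appears twice in this `default_attributes` list, once on the `'cn', 'ipaenabledflag',` line and again on the `'ipaenabledflag', 'memberuser', 'memberhost',` line; since the list is being edited anyway, drop the duplicate in the same change.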
--
2.4.3
SOURCES/0013-Deadlock-in-schema-compat-plugin-between-automember_.patch
File was deleted
SOURCES/0013-Validate-adding-privilege-to-a-permission.patch
New file
@@ -0,0 +1,113 @@
From 8ad2b5d6b81986235d0da6aa9349cfefaec06fcb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/permission.py |  7 ++++++
 ipalib/plugins/privilege.py  | 51 ++++++++++++++++++++++----------------------
 2 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
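Review bot: the new `pre_callback` in `permission_add_member` rejects the whole call when the target permission's bind rule type is not `permission`, which closes the WebUI path named in the subject; `member_dns` and `failed` are unused here, which is acceptable for a gate. Importing `validate_permission_to_privilege` from `ipalib.plugins.privilege` into `permission.py` creates a dependency between the two plugin modules, so confirm that `privilege.py` does not import `permission` (that would be a circular import) or move the helper into a shared module.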
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()
+def validate_permission_to_privilege(api, permission):
+    ldap = api.Backend.ldap2
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(api.env.container_permission, api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
     """
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self.api, options['permission'])
         return dn
--
2.4.3
SOURCES/0014-Stop-dirsrv-last-in-ipactl-stop.patch
File was deleted
SOURCES/0014-migration-Use-api.env-variables.patch
New file
@@ -0,0 +1,85 @@
From c626fcb564404d41cd06db83a299e97959fa3c4e Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 16 Jul 2015 10:15:36 +0200
Subject: [PATCH] migration: Use api.env variables.
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.
https://fedorahosted.org/freeipa/ticket/4953
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/migration/migration.py | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..8c440175a0358b01acba227ea3179318af50fa32 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -22,14 +22,13 @@ Password migration script
 import cgi
 import errno
-import glob
 from wsgiref.util import request_uri
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import get_ipa_basedn
 from ipapython.dn import DN
 from ipapython.ipaldap import IPAdmin
-from ipalib import errors
+from ipalib import errors, create_api
 from ipaplatform.paths import paths
@@ -45,23 +44,6 @@ def get_ui_url(environ):
     return full_url[:index] + "/ipa/ui"
-def get_base_dn(ldap_uri):
-    """
-    Retrieve LDAP server base DN.
-    """
-    try:
-        conn = IPAdmin(ldap_uri=ldap_uri)
-        conn.do_simple_bind(DN(), '')
-        base_dn = get_ipa_basedn(conn)
-    except Exception, e:
-        root_logger.error('migration context search failed: %s' % e)
-        return ''
-    finally:
-        conn.unbind()
-
-    return base_dn
-
-
 def bind(ldap_uri, base_dn, username, password):
     if not base_dn:
         root_logger.error('migration unable to get base dn')
@@ -90,16 +72,11 @@ def application(environ, start_response):
     if not form_data.has_key('username') or not form_data.has_key('password'):
         return wsgi_redirect(start_response, 'invalid.html')
-    slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
-    if slapd_sockets:
-        ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
-    else:
-        ldap_uri = 'ldaps://localhost:636'
-
-    base_dn = get_base_dn(ldap_uri)
-
+    # API object only for configuration, finalize() not needed
+    api = create_api(mode=None)
+    api.bootstrap(context='server', in_server=True)
     try:
-        bind(ldap_uri, base_dn,
+        bind(api.env.ldap_uri, api.env.basedn,
              form_data['username'].value, form_data['password'].value)
     except IOError as err:
         if err.errno == errno.EPERM:
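Review bot: with `get_base_dn` and the socket `glob` removed, `get_ipa_basedn`, `IPAdmin`, `DN` and `paths` look unused in this file (`get_ipa_basedn` and `IPAdmin` were used only in the deleted `get_base_dn`, and `paths.ALL_SLAPD_INSTANCE_SOCKETS` only in the deleted socket lookup); remove them unless something else references them. Building the API inside `application()` means `create_api()` and `api.bootstrap()` run on every request; since the object only supplies configuration, construct it once at module level. Replacing the anonymous `do_simple_bind` with `api.env.basedn` also removes an unauthenticated LDAP round trip per request, a welcome side effect.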
--
2.4.3
SOURCES/0015-Fix-upgrade-do-not-use-invalid-ldap-connection.patch
File was deleted
SOURCES/0015-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch
New file
@@ -0,0 +1,44 @@
From 630a9b60995e2d6eb02281a3dd176f0252f632db Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 15 Jul 2015 16:20:59 +0200
Subject: [PATCH] sysrestore: copy files instead of moving them to avoind
 SELinux issues
Copying files restores SELinux context.
https://fedorahosted.org/freeipa/ticket/4923
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipapython/sysrestore.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 580df9a4fd6d0fae35602dad1f81d498fa8f0173..1a111258bc0f6dd503673028d3a990821f077fef 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -187,7 +187,9 @@ class FileStore:
         if new_path is not None:
             path = new_path
-        shutil.move(backup_path, path)
+        shutil.copy(backup_path, path)  # SELinux needs copy
+        os.remove(backup_path)
+
         os.chown(path, int(uid), int(gid))
         os.chmod(path, int(mode))
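Review bot: `shutil.copy` followed by `os.remove` is not atomic; a crash between the two leaves both the restored file and the backup in place, and `shutil.copy` writes through `path` if it is a symlink instead of replacing it. `shutil.copy` is still the right call for the stated goal, because the new inode receives the default SELinux label for its destination rather than the label carried by the backup, and `copy` (unlike `copy2`/`copystat`) does not try to carry extended attributes across; a comment to that effect would stop a later cleanup from "simplifying" it back to `shutil.move`. The identical two lines appear again in the second hunk of this file, so a small `_restore_file(backup_path, path)` helper would keep them in sync.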
@@ -218,7 +220,9 @@ class FileStore:
                 root_logger.debug("  -> Not restoring - '%s' doesn't exist", backup_path)
                 continue
-            shutil.move(backup_path, path)
+            shutil.copy(backup_path, path)  # SELinux needs copy
+            os.remove(backup_path)
+
             os.chown(path, int(uid), int(gid))
             os.chmod(path, int(mode))
--
2.4.3
SOURCES/0016-Allow-value-no-for-replica-certify-all-attr-in-abort.patch
New file
@@ -0,0 +1,68 @@
From c2b5f7b164268ec8d15916031260c87dc6c9ffd5 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 16 Jul 2015 16:26:55 +0200
Subject: [PATCH] Allow value 'no' for replica-certify-all attr in
 abort-clean-ruv subcommand
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand
https://fedorahosted.org/freeipa/ticket/4988
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/tools/ipa-replica-manage       | 2 +-
 install/tools/man/ipa-replica-manage.1 | 2 +-
 ipaserver/install/replication.py       | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options):
     print
     thisrepl = replication.ReplicationManager(realm, options.host,
                                               options.dirman_passwd)
-    thisrepl.abortcleanallruv(ruv)
+    thisrepl.abortcleanallruv(ruv, options.force)
     print "Cleanup task stopped"
diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -49,7 +49,7 @@ Manages the replication agreements of an IPA server. The available commands are:
 \- Run the CLEANALLRUV task to remove a replication ID.
 .TP
 \fBabort\-clean\-ruv\fR [REPLICATION_ID]
-\- Abort a running CLEANALLRUV task.
+\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing.
 .TP
 \fBlist\-clean\-ruv\fR
 \- List all running CLEANALLRUV and abort CLEANALLRUV tasks.
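Review bot: the added sentence says what `--force` skips but not what it leaves behind: replicas that were never sent the abort keep running their CLEANALLRUV task. One more sentence telling the administrator to check with `list-clean-ruv` once those replicas are reachable would make the option safer to use.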
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1451,7 +1451,7 @@ class ReplicationManager(object):
         wait_for_task(self.conn, dn)
-    def abortcleanallruv(self, replicaId):
+    def abortcleanallruv(self, replicaId, force=False):
         """
         Create a task to abort a CLEANALLRUV operation.
         """
@@ -1465,6 +1465,7 @@ class ReplicationManager(object):
                 'replica-id': [replicaId],
                 'objectclass': ['top', 'extensibleObject'],
                 'cn': ['abort %d' % replicaId],
+                'replica-certify-all': ['no'] if force else ['yes'],
             }
         )
         try:
--
2.4.3
SOURCES/0016-Ensure-that-a-password-exists-after-OTP-validation.patch
File was deleted
SOURCES/0017-ipa-restore-Don-t-crash-if-AD-trust-is-not-installed.patch
File was deleted
SOURCES/0017-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch
New file
@@ -0,0 +1,68 @@
From eb8651626099df8df14e12b905aace0be5c37ded Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/trust.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..6232e4fe9d3d5e957d22a3557cdcf4bb12cec0ea 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
                            self.params['realm_passwd'].label, confirm=False)
     def validate_options(self, *keys, **options):
+        trusted_realm_domain = keys[-1]
+
         if not _bindings_installed:
             raise errors.NotFound(
                 name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
                 )
             )
+        # Obtain a list of IPA realm domains
+        result = self.api.Command.realmdomains_show()['result']
+        realm_domains = result['associateddomain']
+
+        # Do not allow the AD's trusted realm domain in the list
+        # of our realm domains
+        if trusted_realm_domain.lower() in realm_domains:
+            raise errors.ValidationError(
+                name=_('AD Trust setup'),
+                error=_(
+                    'Trusted domain %(domain)s is included among '
+                    'IPA realm domains. It needs to be removed '
+                    'prior to establishing the trust. See the '
+                    '"ipa realmdomains-mod --del-domain" command.'
+                ) % dict(domain=trusted_realm_domain)
+            )
+
         self.realm_server = options.get('realm_server')
         self.realm_admin = options.get('realm_admin')
         self.realm_passwd = options.get('realm_passwd')
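Review bot: the membership test lowercases only the trusted domain, so an `associateddomain` value stored with capital letters passes the check and the failing setup this patch is meant to prevent is still possible. Normalize both sides, for example `realm_domains = {d.lower().rstrip('.') for d in result['associateddomain']}` and compare against `trusted_realm_domain.lower().rstrip('.')`. `result['associateddomain']` also raises `KeyError` if the attribute is absent; `result.get('associateddomain', [])` is safer.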
@@ -702,7 +721,7 @@ sides.
             if len(names) > 1:
                 # realm admin name is in UPN format, user@realm, check that
                 # realm is the same as the one that we are attempting to trust
-                if keys[-1].lower() != names[-1].lower():
+                if trusted_realm_domain.lower() != names[-1].lower():
                     raise errors.ValidationError(
                         name=_('AD Trust setup'),
                         error=_(
--
2.4.3
SOURCES/0018-enable-debugging-of-ntpd-during-client-installation.patch
New file
@@ -0,0 +1,71 @@
From 941941733a9a2af27ae4fd73714a87a08931e76a Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 30 Mar 2015 12:29:04 +0200
Subject: [PATCH] enable debugging of ntpd during client installation
When installing IPA client in debug mode, the ntpd command spawned during
initial time-sync with master KDC will also run in debug mode.
https://fedorahosted.org/freeipa/ticket/4931
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipa-client/ipa-install/ipa-client-install | 5 +++--
 ipa-client/ipaclient/ntpconf.py           | 7 +++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index a1564583ca2d461413da7ea5929b91851cd3f3e1..96b30b486585bc60b0882263cff58292a3538df9 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2388,12 +2388,13 @@ def install(options, env, fstore, statestore):
             ntp_servers = options.ntp_servers
         for s in ntp_servers:
-            synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+            synced_ntp = ipaclient.ntpconf.synconce_ntp(s, options.debug)
             if synced_ntp:
                 break
         if not synced_ntp and not options.ntp_servers:
-            synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
+            synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0],
+                                                        options.debug)
         if not synced_ntp:
             root_logger.warning("Unable to sync time with NTP " +
                 "server, assuming the time is in sync. Please check " +
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index c22fba401d33009b3b95d1418dc7c8a03328d569..9a7db6544b54288569dc7699e67ddc865bb88db4 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -137,7 +137,7 @@ def config_ntp(ntp_servers, fstore = None, sysstore = None):
     services.knownservices.ntpd.restart()
-def synconce_ntp(server_fqdn):
+def synconce_ntp(server_fqdn, debug=False):
     """
     Syncs time with specified server using ntpd.
     Primarily designed to be used before Kerberos setup
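Review bot: the docstring is unchanged although the signature gains `debug=False`; add a line saying that `debug` passes `-d` to ntpd so its diagnostics appear in the client-install log.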
@@ -150,13 +150,16 @@ def synconce_ntp(server_fqdn):
         return False
     tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn)
+    args = [ntpd, '-qgc', tmp_ntp_conf.name]
+    if debug:
+        args.append('-d')
     try:
         # The ntpd command will never exit if it is unable to reach the
         # server, so timeout after 15 seconds.
         timeout = 15
         root_logger.info('Attempting to sync time using ntpd.  '
                          'Will timeout after %d seconds' % timeout)
-        ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout)
+        ipautil.run(args, timeout=timeout)
         return True
     except ipautil.CalledProcessError:
         return False
--
2.4.3
SOURCES/0018-ranges-prohibit-setting-rid-base-with-ipa-trust-ad-p.patch
File was deleted
SOURCES/0019-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch
New file
@@ -0,0 +1,288 @@
From 3cec31570b04fa9ece1f3d02768a676c6c2f35ff Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Tue, 7 Jul 2015 15:49:27 +0200
Subject: [PATCH] certmonger: Use private unix socket when DBus SystemBus is not
 available.
https://fedorahosted.org/freeipa/ticket/5095
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaplatform/base/paths.py |   4 ++
 ipapython/certmonger.py   | 137 +++++++++++++++++++++++++++++++---------------
 2 files changed, 98 insertions(+), 43 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9fef3e7a1351dd42895fe560bb3c1bc5a1c852b4..5756040172126438d42275b734f4d766d53048fe 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -348,3 +348,7 @@ class BasePathNamespace(object):
     BAK2DB = '/usr/sbin/bak2db'
     DB2BAK = '/usr/sbin/db2bak'
     KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
+    CERTMONGER = '/usr/sbin/certmonger'
+
+
+path_namespace = BasePathNamespace
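Review bot: the module-level `path_namespace = BasePathNamespace` alias has no connection to the private-socket change in the subject and is not explained in the commit message; either drop it or say which code imports it. The `CERTMONGER` path constant is the part this patch actually needs and belongs here.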
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 4baaaa85da08bb943d6b9f0091a1d2acc36b18d6..b37676872a8b983636c7b2dc5590e83c8b08ea98 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -27,6 +27,8 @@ import sys
 import time
 import dbus
 import shlex
+import subprocess
+import tempfile
 from ipapython import ipautil
 from ipapython import dogtag
 from ipapython.ipa_log_manager import *
@@ -35,6 +37,7 @@ from ipaplatform import services
 DBUS_CM_PATH = '/org/fedorahosted/certmonger'
 DBUS_CM_IF = 'org.fedorahosted.certmonger'
+DBUS_CM_NAME = 'org.fedorahosted.certmonger'
 DBUS_CM_REQUEST_IF = 'org.fedorahosted.certmonger.request'
 DBUS_CM_CA_IF = 'org.fedorahosted.certmonger.ca'
 DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties'
@@ -44,7 +47,7 @@ class _cm_dbus_object(object):
     """
     Auxiliary class for convenient DBus object handling.
     """
-    def __init__(self, bus, object_path, object_dbus_interface,
+    def __init__(self, bus, parent, object_path, object_dbus_interface,
                  parent_dbus_interface=None, property_interface=False):
         """
         bus - DBus bus object, result of dbus.SystemBus() or dbus.SessionBus()
@@ -60,6 +63,7 @@ class _cm_dbus_object(object):
         if parent_dbus_interface is None:
             parent_dbus_interface = object_dbus_interface
         self.bus = bus
+        self.parent = parent
         self.path = object_path
         self.obj_dbus_if = object_dbus_interface
         self.parent_dbus_if = parent_dbus_interface
@@ -69,36 +73,83 @@ class _cm_dbus_object(object):
             self.prop_if = dbus.Interface(self.obj, DBUS_PROPERTY_IF)
-def _start_certmonger():
-    """
-    Start certmonger daemon. If it's already running systemctl just ignores
-    the command.
-    """
-    if not services.knownservices.certmonger.is_running():
+class _certmonger(_cm_dbus_object):
+    """
+    Create a connection to certmonger.
+    By default use SystemBus. When not available use private connection
+    over Unix socket.
+    This solution is really ugly and should be removed as soon as DBus
+    SystemBus is available at system install time.
+    """
+    timeout = 300
+
+    def _start_private_conn(self):
+        sock_filename = os.path.join(tempfile.mkdtemp(), 'certmonger')
+        self._proc = subprocess.Popen([paths.CERTMONGER, '-n', '-L', '-P',
+                                       sock_filename])
+        for t in range(0, self.timeout, 5):
+            if os.path.exists(sock_filename):
+                return "unix:path=%s" % sock_filename
+            time.sleep(5)
+        self._stop_private_conn()
+        raise RuntimeError("Failed to start certmonger: Timed out")
+
+    def _stop_private_conn(self):
+        if self._proc:
+            retcode = self._proc.poll()
+            if retcode is not None:
+                return
+            self._proc.terminate()
+            for t in range(0, self.timeout, 5):
+                retcode = self._proc.poll()
+                if retcode is not None:
+                    return
+                time.sleep(5)
+            root_logger.error("Failed to stop certmonger.")
+
+    def __del__(self):
+        self._stop_private_conn()
+
+    def __init__(self):
+        self._proc = None
+        self._bus = None
         try:
-            services.knownservices.certmonger.start()
-        except Exception, e:
-            root_logger.error('Failed to start certmonger: %s' % e)
-            raise
-
-
-def _connect_to_certmonger():
-    """
-    Start certmonger daemon and connect to it via DBus.
-    """
-    try:
-        _start_certmonger()
-    except (KeyboardInterrupt, OSError), e:
-        root_logger.error('Failed to start certmonger: %s' % e)
-        raise
-
-    try:
-        bus = dbus.SystemBus()
-        cm = _cm_dbus_object(bus, DBUS_CM_PATH, DBUS_CM_IF)
-    except dbus.DBusException, e:
-        root_logger.error("Failed to access certmonger over DBus: %s", e)
-        raise
-    return cm
+            self._bus = dbus.SystemBus()
+        except dbus.DBusException as e:
+            err_name = e.get_dbus_name()
+            if err_name not in ['org.freedesktop.DBus.Error.NoServer',
+                                'org.freedesktop.DBus.Error.FileNotFound']:
+                root_logger.error("Failed to connect to certmonger over "
+                                  "SystemBus: %s" % e)
+                raise
+            try:
+                self._private_sock = self._start_private_conn()
+                self._bus = dbus.connection.Connection(self._private_sock)
+            except dbus.DBusException as e:
+                root_logger.error("Failed to connect to certmonger over "
+                                  "private socket: %s" % e)
+                raise
+        else:
+            try:
+                self._bus.get_name_owner(DBUS_CM_NAME)
+            except dbus.DBusException:
+                try:
+                    services.knownservices.certmonger.start()
+                except Exception as e:
+                    root_logger.error("Failed to start certmonger: %s" % e)
+                    raise
+
+                for t in range(0, self.timeout, 5):
+                    try:
+                        self._bus.get_name_owner(DBUS_CM_NAME)
+                        break
+                    except dbus.DBusException:
+                        pass
+                    time.sleep(5)
+                    raise RuntimeError('Failed to start certmonger')
+
+        super(_certmonger, self).__init__(self._bus, None, DBUS_CM_PATH,
+                                          DBUS_CM_IF)
 def _get_requests(criteria=dict()):
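Review bot: the `raise RuntimeError('Failed to start certmonger')` at the end of the SystemBus branch is indented inside the `for` loop, after `time.sleep(5)`, so the loop raises after its first iteration whenever the first `get_name_owner` fails instead of polling for up to `timeout` seconds; move it into a `for ... else:` clause or dedent it below the loop. Two more points in the same hunk: `_stop_private_conn` terminates the private daemon but never removes the `mkdtemp()` directory or the socket inside it, so every private connection leaves a root-only directory behind, and it has no SIGKILL fallback, so `__del__` can block the interpreter for up to 300 s on a daemon that ignores SIGTERM. The 0700 directory that `tempfile.mkdtemp()` creates is what keeps the `-P` socket unreachable to other local users; that property should be stated in the class docstring so nobody later moves the socket to a shared path.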
@@ -108,7 +159,7 @@ def _get_requests(criteria=dict()):
     if not isinstance(criteria, dict):
         raise TypeError('"criteria" must be dict.')
-    cm = _connect_to_certmonger()
+    cm = _certmonger()
     requests = []
     requests_paths = []
     if 'nickname' in criteria:
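Review bot: `_certmonger()` is now constructed per call in `_get_requests` and in every other entry point below; without a SystemBus each call spawns a private certmonger, polls for its socket, and tears it down again in `__del__`, so a caller that issues several queries pays that start-up repeatedly. A module-level cached instance, or an optional `cm` argument, would avoid the churn without changing the public functions.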
@@ -119,12 +170,12 @@ def _get_requests(criteria=dict()):
         requests_paths = cm.obj_if.get_requests()
     for request_path in requests_paths:
-        request = _cm_dbus_object(cm.bus, request_path, DBUS_CM_REQUEST_IF,
+        request = _cm_dbus_object(cm.bus, cm, request_path, DBUS_CM_REQUEST_IF,
                                   DBUS_CM_IF, True)
         for criterion in criteria:
             if criterion == 'ca-name':
                 ca_path = request.obj_if.get_ca()
-                ca = _cm_dbus_object(cm.bus, ca_path, DBUS_CM_CA_IF,
+                ca = _cm_dbus_object(cm.bus, cm, ca_path, DBUS_CM_CA_IF,
                                      DBUS_CM_IF)
                 value = ca.obj_if.get_nickname()
             else:
@@ -133,6 +184,7 @@ def _get_requests(criteria=dict()):
                 break
         else:
             requests.append(request)
+
     return requests
@@ -166,7 +218,7 @@ def get_request_value(request_id, directive):
     if request:
         if directive == 'ca-name':
             ca_path = request.obj_if.get_ca()
-            ca = _cm_dbus_object(request.bus, ca_path, DBUS_CM_CA_IF,
+            ca = _cm_dbus_object(request.bus, request, ca_path, DBUS_CM_CA_IF,
                                  DBUS_CM_IF)
             return ca.obj_if.get_nickname()
         else:
@@ -250,7 +302,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
     """
     Execute certmonger to request a server certificate.
     """
-    cm = _connect_to_certmonger()
+    cm = _certmonger()
     ca_path = cm.obj_if.find_ca_by_nickname('IPA')
     if not ca_path:
         raise RuntimeError('IPA CA not found')
@@ -264,7 +316,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
     result = cm.obj_if.add_request(request_parameters)
     try:
         if result[0]:
-            request = _cm_dbus_object(cm.bus, result[1], DBUS_CM_REQUEST_IF,
+            request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF,
                                       DBUS_CM_IF, True)
     except TypeError:
         root_logger.error('Failed to get create new request.')
@@ -283,7 +335,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
     Returns certificate nickname.
     """
-    cm = _connect_to_certmonger()
+    cm = _certmonger()
     params = {'TRACK': True}
     params['cert-nickname'] = nickname
     params['cert-database'] = os.path.abspath(secdir)
@@ -302,7 +354,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None):
     result = cm.obj_if.add_request(params)
     try:
         if result[0]:
-            request = _cm_dbus_object(cm.bus, result[1], DBUS_CM_REQUEST_IF,
+            request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF,
                                       DBUS_CM_IF, True)
     except TypeError, e:
         root_logger.error('Failed to add new request.')
@@ -330,8 +382,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
         root_logger.error('Failed to get request: %s' % e)
         raise
     if request:
-        cm = _connect_to_certmonger()
-        cm.obj_if.remove_request(request.path)
+        request.parent.obj_if.remove_request(request.path)
 def modify(request_id, profile=None):
@@ -357,9 +408,9 @@ def _find_IPA_ca():
     We can use find_request_value because the ca files have the
     same file format.
     """
-    cm = _connect_to_certmonger()
+    cm = _certmonger()
     ca_path = cm.obj_if.find_ca_by_nickname('IPA')
-    return _cm_dbus_object(cm.bus, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF, True)
+    return _cm_dbus_object(cm.bus, cm, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF, True)
 def add_principal_to_cas(principal):
@@ -423,7 +474,7 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command,
     Both commands can be None.
     """
-    cm = _connect_to_certmonger()
+    cm = _certmonger()
     certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
     params = {'TRACK': True}
--
2.4.3
SOURCES/0019-ldapupdater-set-baserid-to-0-for-ipa-ad-trust-posix-.patch
File was deleted
SOURCES/0020-idrange-include-raw-range-type-in-output.patch
File was deleted
SOURCES/0020-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch
New file
@@ -0,0 +1,138 @@
From 42353682a3d9e92f4053877d66f54e44f516bb53 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Tue, 7 Jul 2015 15:49:51 +0200
Subject: [PATCH] ipa-client-install: Do not (re)start certmonger and DBus
 daemons.
When DBus is present in the system it is always running.
Starting of certmonger is handled in ipapython/certmonger.py module if
necessary. Restarting is no longer needed since freeipa is not changing
certmonger's files.
https://fedorahosted.org/freeipa/ticket/5095
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipa-client/ipa-install/ipa-client-install | 71 +++++++------------------------
 1 file changed, 15 insertions(+), 56 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 96b30b486585bc60b0882263cff58292a3538df9..91323ae115a27d221bcbc43fee887c56d99c8635 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -522,20 +522,7 @@ def uninstall(options, env):
     ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
     sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-    # Always start certmonger. We can't untrack something if it isn't
-    # running
-    messagebus = services.knownservices.messagebus
-    try:
-        messagebus.start()
-    except Exception, e:
-        log_service_error(messagebus.service_name, 'start', e)
-
     cmonger = services.knownservices.certmonger
-    try:
-        cmonger.start()
-    except Exception, e:
-        log_service_error(cmonger.service_name, 'start', e)
-
     if ipa_db.has_nickname('Local IPA host'):
         try:
             certmonger.stop_tracking(paths.IPA_NSSDB_DIR,
@@ -576,14 +563,14 @@ def uninstall(options, env):
                                   nickname, sys_db.secdir, e)
                 break
+    # Remove any special principal names we added to the IPA CA helper
+    certmonger.remove_principal_from_cas()
+
     try:
         cmonger.stop()
     except Exception, e:
         log_service_error(cmonger.service_name, 'stop', e)
-    # Remove any special principal names we added to the IPA CA helper
-    certmonger.remove_principal_from_cas()
-
     try:
         cmonger.disable()
     except Exception, e:
@@ -1138,41 +1125,14 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
             "Not requesting host certificate.")
         return
-    started = True
     principal = 'host/%s@%s' % (hostname, cli_realm)
-    messagebus = services.knownservices.messagebus
-    try:
-        messagebus.start()
-    except Exception, e:
-        log_service_error(messagebus.service_name, 'start', e)
-
-    # Ensure that certmonger has been started at least once to generate the
-    # cas files in /var/lib/certmonger/cas.
-    cmonger = services.knownservices.certmonger
-    try:
-        cmonger.restart()
-    except Exception, e:
-        log_service_error(cmonger.service_name, 'restart', e)
-
     if options.hostname:
-        # It needs to be stopped if we touch them
-        try:
-            cmonger.stop()
-        except Exception, e:
-            log_service_error(cmonger.service_name, 'stop', e)
         # If the hostname is explicitly set then we need to tell certmonger
         # which principal name to use when requesting certs.
         certmonger.add_principal_to_cas(principal)
-    try:
-        cmonger.restart()
-    except Exception, e:
-        log_service_error(cmonger.service_name, 'restart', e)
-        root_logger.warning(
-            "Automatic certificate management will not be available")
-        started = False
-
+    cmonger = services.knownservices.certmonger
     try:
         cmonger.enable()
     except Exception, e:
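Review bot: `certmonger.add_principal_to_cas(principal)` is now called without stopping certmonger first, yet the removed comment ("It needs to be stopped if we touch them") says that function edits certmonger's CA files on disk. Unless `add_principal_to_cas` was switched to the DBus interface elsewhere in this series, writing those files under a running daemon can race with certmonger rewriting them; please confirm, or keep the stop/start around the call.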
@@ -1183,18 +1143,17 @@ def configure_certmonger(fstore, subject_base, cli_realm, hostname, options,
             "Automatic certificate management will not be available")
     # Request our host cert
-    if started:
-        subject = str(DN(('CN', hostname), subject_base))
-        passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
-        try:
-            certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
-                                    nickname='Local IPA host',
-                                    subject=subject,
-                                    principal=principal,
-                                    passwd_fname=passwd_fname)
-        except Exception:
-            root_logger.error("%s request for host certificate failed",
-                              cmonger.service_name)
+    subject = str(DN(('CN', hostname), subject_base))
+    passwd_fname = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+    try:
+        certmonger.request_cert(nssdb=paths.IPA_NSSDB_DIR,
+                                nickname='Local IPA host',
+                                subject=subject,
+                                principal=principal,
+                                passwd_fname=passwd_fname)
+    except Exception:
+        root_logger.error("%s request for host certificate failed",
+                          cmonger.service_name)
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, client_domain, client_hostname):
     try:
--
2.4.3
SOURCES/0021-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch
New file
@@ -0,0 +1,503 @@
From eeec6dd88ea1e6f2c24ee87d70a8d6aa98cbd0e4 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 15 Jul 2015 09:44:07 +0200
Subject: [PATCH] DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they don't have attributes in schema.
    TSIG and TKEY are meta-RRs and should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This caused ACI creation to fail for these records
    and dnszone-find to fail. (#5055)
https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 ACI.txt                       |   4 +-
 API.txt                       |  28 ++----------
 VERSION                       |   4 +-
 install/share/60ipadns.ldif   |   8 +++-
 install/share/dns.ldif        |   2 +-
 install/updates/40-dns.update |   4 +-
 ipalib/plugins/dns.py         | 101 ++++++++++++++++++++++--------------------
 7 files changed, 71 insertions(+), 80 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 76a7ff70e27c032bdd8fa26e076271e02b23d3b3..60607b98deb74d0b7f45d24ee9359b0cf8162b0d 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -61,13 +61,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
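Review bot: The regenerated 'System: Read DNS Entries' and 'System: Update DNS Entries' ACIs (the two + lines) gain the same six attributes (aplrecord, dhcidrecord, hiprecord, ipseckeyrecord, rprecord, spfrecord), so read and write scope stay aligned, and the write ACI still omits createtimestamp, entryusn and modifytimestamp, which is correct for operational attributes. Since ACI.txt is the generated record of the managed permissions, please confirm it was produced by regenerating from the dns plugin's permission definitions (makeaci) rather than edited by hand, so the next regeneration does not produce a diff.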
diff --git a/API.txt b/API.txt
index c68bee94e3a9ed6182f6bd2152070222e32c7532..6ab30ddab41715fdbccb4f37aa1852621bca62b4 100644
--- a/API.txt
+++ b/API.txt
@@ -1054,7 +1054,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnsrecord_add
-args: 2,100,3
+args: 2,95,3
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
 option: Str('a6_part_data', attribute=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
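Review bot: The option count on the args line dropping from 100 to 95 matches the five options removed from dnsrecord_add in the following hunks (dnskeyrecord, nsec3record, tarecord, tkeyrecord, tsigrecord), so the generated count is consistent. Removing options is an incompatible API change: a client that still passes any of them to dnsrecord_add will now be rejected, which is what the IPA_API_VERSION_MINOR bump in VERSION is for; this deserves a line in the release notes.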
@@ -1087,7 +1087,6 @@ option: DLVRecord('dlvrecord', attribute=True, cli_name='dlv_rec', csv=True, mul
 option: DNSNameParam('dname_part_target', attribute=False, cli_name='dname_target', multivalue=False, option_group=u'DNAME Record', required=False)
 option: DNAMERecord('dnamerecord', attribute=True, cli_name='dname_rec', csv=True, multivalue=True, option_group=u'DNAME Record', required=False)
 option: StrEnum('dnsclass', attribute=True, cli_name='class', multivalue=False, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
-option: DNSKEYRecord('dnskeyrecord', attribute=True, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=u'DNSKEY Record', required=False)
 option: Int('dnsttl', attribute=True, cli_name='ttl', multivalue=False, required=False)
 option: Int('ds_part_algorithm', attribute=False, cli_name='ds_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
 option: Str('ds_part_digest', attribute=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', pattern='^[0-9a-fA-F]+$', required=False)
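Review bot: Dropping DNSKEYRecord from dnsrecord_add is safe with respect to stored data: the idnsRecord objectClass in 60ipadns.ldif (the MAY list in the -objectClasses line of that file's last hunk) never allowed a DNSKEYRecord attribute, so this option could not have produced an entry the directory would accept. With inline signing (idnsSecInlineSigning) the DNSKEY RRset is produced by the signer, so there is no legitimate reason for an administrator to author DNSKEY records by hand, and the administrative API is better off not offering it.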
@@ -1125,7 +1124,6 @@ option: Str('naptr_part_replacement', attribute=False, cli_name='naptr_replaceme
 option: Str('naptr_part_service', attribute=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
 option: DNSNameParam('ns_part_hostname', attribute=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
-option: NSEC3Record('nsec3record', attribute=True, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
 option: NSECRecord('nsecrecord', attribute=True, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
 option: NSRecord('nsrecord', attribute=True, cli_name='ns_rec', csv=True, multivalue=True, option_group=u'NS Record', required=False)
 option: DNSNameParam('ptr_part_hostname', attribute=False, cli_name='ptr_hostname', multivalue=False, option_group=u'PTR Record', required=False)
@@ -1146,14 +1144,11 @@ option: Str('sshfp_part_fingerprint', attribute=False, cli_name='sshfp_fingerpri
 option: Int('sshfp_part_fp_type', attribute=False, cli_name='sshfp_fp_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SSHFP Record', required=False)
 option: SSHFPRecord('sshfprecord', attribute=True, cli_name='sshfp_rec', csv=True, multivalue=True, option_group=u'SSHFP Record', required=False)
 option: Flag('structured', autofill=True, default=False)
-option: TARecord('tarecord', attribute=True, cli_name='ta_rec', csv=True, multivalue=True, option_group=u'TA Record', required=False)
-option: TKEYRecord('tkeyrecord', attribute=True, cli_name='tkey_rec', csv=True, multivalue=True, option_group=u'TKEY Record', required=False)
 option: Str('tlsa_part_cert_association_data', attribute=False, cli_name='tlsa_cert_association_data', multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_cert_usage', attribute=False, cli_name='tlsa_cert_usage', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_matching_type', attribute=False, cli_name='tlsa_matching_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_selector', attribute=False, cli_name='tlsa_selector', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: TLSARecord('tlsarecord', attribute=True, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=u'TLSA Record', required=False)
-option: TSIGRecord('tsigrecord', attribute=True, cli_name='tsig_rec', csv=True, multivalue=True, option_group=u'TSIG Record', required=False)
 option: Str('txt_part_data', attribute=False, cli_name='txt_data', multivalue=False, option_group=u'TXT Record', required=False)
 option: TXTRecord('txtrecord', attribute=True, cli_name='txt_rec', csv=True, multivalue=True, option_group=u'TXT Record', required=False)
 option: Str('version?', exclude='webui')
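Review bot: Removing TARecord, TKEYRecord and TSIGRecord is the right call beyond tidiness: TKEY (RFC 2930) and TSIG (RFC 2845) are meta-RRs that exist only inside a DNS transaction and are never stored in zone data, and TA (type 32768) was never standardized, so offering them as dnsrecord_add options was misleading. As with DNSKEY, none of the three appears in the idnsRecord MAY list in 60ipadns.ldif, so no existing entry can hold them and no data migration is needed; the same reasoning covers the matching removals for dnsrecord_del, dnsrecord_find and dnsrecord_mod below.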
@@ -1161,7 +1156,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: dnsrecord_del
-args: 2,39,3
+args: 2,34,3
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: A6Record('a6record', attribute=True, autofill=False, cli_name='a6_rec', csv=True, multivalue=True, option_group=None, required=False)
@@ -1176,7 +1171,6 @@ option: DHCIDRecord('dhcidrecord', attribute=True, autofill=False, cli_name='dhc
 option: DLVRecord('dlvrecord', attribute=True, autofill=False, cli_name='dlv_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: DNAMERecord('dnamerecord', attribute=True, autofill=False, cli_name='dname_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', multivalue=False, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
-option: DNSKEYRecord('dnskeyrecord', attribute=True, autofill=False, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: Int('dnsttl', attribute=True, autofill=False, cli_name='ttl', multivalue=False, required=False)
 option: DSRecord('dsrecord', attribute=True, autofill=False, cli_name='ds_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: HIPRecord('hiprecord', attribute=True, autofill=False, cli_name='hip_rec', csv=True, multivalue=True, option_group=None, required=False)
@@ -1186,7 +1180,6 @@ option: KXRecord('kxrecord', attribute=True, autofill=False, cli_name='kx_rec',
 option: LOCRecord('locrecord', attribute=True, autofill=False, cli_name='loc_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: MXRecord('mxrecord', attribute=True, autofill=False, cli_name='mx_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, autofill=False, cli_name='naptr_rec', csv=True, multivalue=True, option_group=None, required=False)
-option: NSEC3Record('nsec3record', attribute=True, autofill=False, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: NSECRecord('nsecrecord', attribute=True, autofill=False, cli_name='nsec_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: NSRecord('nsrecord', attribute=True, autofill=False, cli_name='ns_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: PTRRecord('ptrrecord', attribute=True, autofill=False, cli_name='ptr_rec', csv=True, multivalue=True, option_group=None, required=False)
@@ -1197,10 +1190,7 @@ option: SPFRecord('spfrecord', attribute=True, autofill=False, cli_name='spf_rec
 option: SRVRecord('srvrecord', attribute=True, autofill=False, cli_name='srv_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: SSHFPRecord('sshfprecord', attribute=True, autofill=False, cli_name='sshfp_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: Flag('structured', autofill=True, default=False)
-option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=None, required=False)
-option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=None, required=False)
-option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=None, required=False)
 option: Str('version?', exclude='webui')
 output: Output('result', <type 'dict'>, None)
@@ -1216,7 +1206,7 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: dnsrecord_find
-args: 2,44,4
+args: 2,39,4
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: Str('criteria?', noextrawhitespace=False)
 option: A6Record('a6record', attribute=True, autofill=False, cli_name='a6_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
@@ -1231,7 +1221,6 @@ option: DHCIDRecord('dhcidrecord', attribute=True, autofill=False, cli_name='dhc
 option: DLVRecord('dlvrecord', attribute=True, autofill=False, cli_name='dlv_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: DNAMERecord('dnamerecord', attribute=True, autofill=False, cli_name='dname_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', multivalue=False, query=True, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
-option: DNSKEYRecord('dnskeyrecord', attribute=True, autofill=False, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: Int('dnsttl', attribute=True, autofill=False, cli_name='ttl', multivalue=False, query=True, required=False)
 option: DSRecord('dsrecord', attribute=True, autofill=False, cli_name='ds_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: HIPRecord('hiprecord', attribute=True, autofill=False, cli_name='hip_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
@@ -1242,7 +1231,6 @@ option: KXRecord('kxrecord', attribute=True, autofill=False, cli_name='kx_rec',
 option: LOCRecord('locrecord', attribute=True, autofill=False, cli_name='loc_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: MXRecord('mxrecord', attribute=True, autofill=False, cli_name='mx_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, autofill=False, cli_name='naptr_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
-option: NSEC3Record('nsec3record', attribute=True, autofill=False, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: NSECRecord('nsecrecord', attribute=True, autofill=False, cli_name='nsec_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: NSRecord('nsrecord', attribute=True, autofill=False, cli_name='ns_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -1256,11 +1244,8 @@ option: SPFRecord('spfrecord', attribute=True, autofill=False, cli_name='spf_rec
 option: SRVRecord('srvrecord', attribute=True, autofill=False, cli_name='srv_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: SSHFPRecord('sshfprecord', attribute=True, autofill=False, cli_name='sshfp_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: Flag('structured', autofill=True, default=False)
-option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
-option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
-option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=None, query=True, required=False)
 option: Str('version?', exclude='webui')
 output: Output('count', <type 'int'>, None)
@@ -1268,7 +1253,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: dnsrecord_mod
-args: 2,100,3
+args: 2,95,3
 arg: DNSNameParam('dnszoneidnsname', cli_name='dnszone', multivalue=False, only_absolute=True, primary_key=True, query=True, required=True)
 arg: DNSNameParam('idnsname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('a6_part_data', attribute=False, autofill=False, cli_name='a6_data', multivalue=False, option_group=u'A6 Record', required=False)
@@ -1300,7 +1285,6 @@ option: DLVRecord('dlvrecord', attribute=True, autofill=False, cli_name='dlv_rec
 option: DNSNameParam('dname_part_target', attribute=False, autofill=False, cli_name='dname_target', multivalue=False, option_group=u'DNAME Record', required=False)
 option: DNAMERecord('dnamerecord', attribute=True, autofill=False, cli_name='dname_rec', csv=True, multivalue=True, option_group=u'DNAME Record', required=False)
 option: StrEnum('dnsclass', attribute=True, autofill=False, cli_name='class', multivalue=False, required=False, values=(u'IN', u'CS', u'CH', u'HS'))
-option: DNSKEYRecord('dnskeyrecord', attribute=True, autofill=False, cli_name='dnskey_rec', csv=True, multivalue=True, option_group=u'DNSKEY Record', required=False)
 option: Int('dnsttl', attribute=True, autofill=False, cli_name='ttl', multivalue=False, required=False)
 option: Int('ds_part_algorithm', attribute=False, autofill=False, cli_name='ds_algorithm', maxvalue=255, minvalue=0, multivalue=False, option_group=u'DS Record', required=False)
 option: Str('ds_part_digest', attribute=False, autofill=False, cli_name='ds_digest', multivalue=False, option_group=u'DS Record', pattern='^[0-9a-fA-F]+$', required=False)
@@ -1337,7 +1321,6 @@ option: Str('naptr_part_replacement', attribute=False, autofill=False, cli_name=
 option: Str('naptr_part_service', attribute=False, autofill=False, cli_name='naptr_service', multivalue=False, option_group=u'NAPTR Record', required=False)
 option: NAPTRRecord('naptrrecord', attribute=True, autofill=False, cli_name='naptr_rec', csv=True, multivalue=True, option_group=u'NAPTR Record', required=False)
 option: DNSNameParam('ns_part_hostname', attribute=False, autofill=False, cli_name='ns_hostname', multivalue=False, option_group=u'NS Record', required=False)
-option: NSEC3Record('nsec3record', attribute=True, autofill=False, cli_name='nsec3_rec', csv=True, multivalue=True, option_group=u'NSEC3 Record', required=False)
 option: NSECRecord('nsecrecord', attribute=True, autofill=False, cli_name='nsec_rec', csv=True, multivalue=True, option_group=u'NSEC Record', required=False)
 option: NSRecord('nsrecord', attribute=True, autofill=False, cli_name='ns_rec', csv=True, multivalue=True, option_group=u'NS Record', required=False)
 option: DNSNameParam('ptr_part_hostname', attribute=False, autofill=False, cli_name='ptr_hostname', multivalue=False, option_group=u'PTR Record', required=False)
@@ -1360,14 +1343,11 @@ option: Str('sshfp_part_fingerprint', attribute=False, autofill=False, cli_name=
 option: Int('sshfp_part_fp_type', attribute=False, autofill=False, cli_name='sshfp_fp_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'SSHFP Record', required=False)
 option: SSHFPRecord('sshfprecord', attribute=True, autofill=False, cli_name='sshfp_rec', csv=True, multivalue=True, option_group=u'SSHFP Record', required=False)
 option: Flag('structured', autofill=True, default=False)
-option: TARecord('tarecord', attribute=True, autofill=False, cli_name='ta_rec', csv=True, multivalue=True, option_group=u'TA Record', required=False)
-option: TKEYRecord('tkeyrecord', attribute=True, autofill=False, cli_name='tkey_rec', csv=True, multivalue=True, option_group=u'TKEY Record', required=False)
 option: Str('tlsa_part_cert_association_data', attribute=False, autofill=False, cli_name='tlsa_cert_association_data', multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_cert_usage', attribute=False, autofill=False, cli_name='tlsa_cert_usage', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_matching_type', attribute=False, autofill=False, cli_name='tlsa_matching_type', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: Int('tlsa_part_selector', attribute=False, autofill=False, cli_name='tlsa_selector', maxvalue=255, minvalue=0, multivalue=False, option_group=u'TLSA Record', required=False)
 option: TLSARecord('tlsarecord', attribute=True, autofill=False, cli_name='tlsa_rec', csv=True, multivalue=True, option_group=u'TLSA Record', required=False)
-option: TSIGRecord('tsigrecord', attribute=True, autofill=False, cli_name='tsig_rec', csv=True, multivalue=True, option_group=u'TSIG Record', required=False)
 option: Str('txt_part_data', attribute=False, autofill=False, cli_name='txt_data', multivalue=False, option_group=u'TXT Record', required=False)
 option: TXTRecord('txtrecord', attribute=True, autofill=False, cli_name='txt_rec', csv=True, multivalue=True, option_group=u'TXT Record', required=False)
 option: Str('version?', exclude='webui')
diff --git a/VERSION b/VERSION
index b2f7a9a3e73b5f38741f7266054e3429803d7036..678d1f8a7e588d480b16441e12e4d527d9c1cd98 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=146
-# Last change: pvoborni - move session_logout to ipalib/plugins
+IPA_API_VERSION_MINOR=147
+# Last change: mbasti - Consolidate DNS RR in API and schema
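Review bot: The minor version bump and the 'Last change' comment are consistent with the API.txt changes, but since this release removes parameters rather than only adding them, the comment should say so explicitly (for example 'Consolidate DNS RR types in API and schema; drop DNSKEY/NSEC3/TA/TKEY/TSIG options') so that someone scanning the version history sees the incompatible part without opening API.txt.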
diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif
index 9e5b7feb2ee1809fb67b23cb2017a536d1bacb0a..e0ed0ab869cea0478d9640bb509c6267abed1a01 100644
--- a/install/share/60ipadns.ldif
+++ b/install/share/60ipadns.ldif
@@ -10,6 +10,7 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain name poi
 attributeTypes: (1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mailbox or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text string, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.17 NAME 'RPRecord' DESC 'Responsible Person, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' DESC 'for AFS Data Base location, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Signature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
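Review bot: The new RPRecord attribute type follows the file's OID convention, where the last arc of 1.3.6.1.4.1.2428.20.1.x is the RR type code (PTR=12, HINFO=13, MINFO=14, TXT=16 in the context lines), and 17 is RP per RFC 1183, so it does not collide with the existing definitions. The NAME uses the all-caps form 'RPRecord' while its neighbours use the lower-first form ('aFSDBRecord'); the file already mixes both styles (DLVRecord, TLSARecord), so this is acceptable, just confirming it is deliberate.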
@@ -22,12 +23,17 @@ attributeTypes: (1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Del
 attributeTypes: (1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'certificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Record Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.42 NAME 'APLRecord' DESC 'Lists of Address Prefixes, RFC 3132' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.45 NAME 'IPSECKEYRecord' DESC 'IPSECKEY, RFC 4025' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.49 NAME 'DHCIDRecord' DESC 'Dynamic Host Configuration Protocol (DHCP) Information, RFC 4701' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' DESC 'RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.52 NAME 'TLSARecord' DESC 'DNS-Based Authentication of Named Entities - Transport Layer Security Protocol, RFC 6698' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.55 NAME 'HIPRecord' DESC 'Host Identity Protocol (HIP) Domain Name System (DNS) Extension, RFC 5205' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributeTypes: (1.3.6.1.4.1.2428.20.1.99 NAME 'SPFRecord' DESC 'Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, RFC 7208' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.1.32769 NAME 'DLVRecord' DESC 'DNSSEC Lookaside Validation, RFC 4431' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributeTypes: (1.3.6.1.4.1.2428.20.4 NAME 'UnknownRecord' DESC 'unknown DNS record, RFC 3597' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseIgnoreIA5Match  SUBSTR caseIgnoreIA5SubstringsMatch )
 attributeTypes: (0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
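Review bot: The DESC of the new APLRecord (OID ending .42) cites the wrong RFC: APL is defined in RFC 3123, not RFC 3132 (an unrelated IP paging problem statement); please fix the string before it is frozen in the shipped schema. The other new OIDs follow the RR-type-code convention and cite the right documents (IPSECKEY=45 RFC 4025, DHCID=49 RFC 4701, HIP=55 RFC 5205, SPF=99 RFC 7208). On SPFRecord, note that RFC 7208, the RFC cited, discontinued the SPF RR type and requires SPF policies to be published as TXT records only, so this attribute mainly serves to import legacy zone data; consider saying so in the DESC or the command help so administrators do not publish their SPF policy only in type 99, where receivers will not look for it.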
@@ -64,7 +70,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.25 NAME 'idnsSecKeyRevoke' DESC 'DNSKE
 attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' )
 attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' )
-objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord ) )
+objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) )
 objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) )
 objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) )
 objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN 'IPA v3' )
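Review bot: Appending the six new attributes to the idnsRecord MAY list in the +objectClasses line keeps every existing entry valid (MAY additions are backward compatible) and, because idnsZone is SUP idnsRecord, also lets the zone apex carry them. One check: each name in the MAY list must match an attributeTypes NAME defined earlier in the file for the schema to load (RPRecord, APLRecord, IPSECKEYRecord, DHCIDRecord, HIPRecord, SPFRecord), which holds here; attribute names are case-insensitive, so the mixed case is cosmetic.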
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index c9e368677006b55d0e748f54d297d83bdd69e205..42b41a8d706a8a3fd826320aff6c9333264128fc 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -9,7 +9,7 @@ ipaConfigString: DNSVersion 1
 aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,$SUFFIX" or userattr = "parent[0,1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
-aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
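Review bot: The rewritten 'Update DNS entries in a zone' ACI fixes a latent defect in the old value, which listed idnsname twice, and it correctly still omits managedby: this ACI grants write to whichever group the zone's managedby names, so letting that group also write managedby would let it re-delegate the zone to anyone. Two nits: the trailing space before the closing quote in targetattr ('unknownrecord ') is carried over from the old line and could be dropped while the line is being rewritten, and the order 'nsecrecord || nsec3paramrecord' differs from the sorted order used in the ACI.txt lists above, so a future comparison of the two will show noise.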
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index c06d8158d85fd811be0253ac0f1146a623fae2b2..9f64a2f707db5cb0e3503259a0e64d9831ae92f2 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -5,7 +5,8 @@ addifexist: objectClass: idnsConfigObject
 addifexist: objectClass: ipaConfigObject
 addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
-addifexist: aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+
 # replace DNS tree deny rule with managedBy enhanced allow rule
 dn: cn=dns, $SUFFIX
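Review bot: `addifexist: aci:` only adds the new "Update DNS entries in a zone" value; on an already-installed server it does not replace the previous value from the removed line, so the upgrade depends on the matching `remove:aci:` for the old value (added in the next hunk of this file) to avoid ending up with two ACIs of the same name. Keeping the add and the corresponding remove adjacent, or adding a comment pointing from one to the other, would make that dependency obvious to the next person touching the list.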
@@ -16,6 +17,7 @@ replace:aci:(targetattr = "*")(version 3.0; acl "Allow read access"; allow (read
 dn: cn=dns, $SUFFIX
 remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
+remove:aci:(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders || dlvrecord || idnssecinlinesigning || nsec3paramrecord || tlsarecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
 # add DNS plugin
 dn: cn=IPA DNS,cn=plugins,cn=config
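Review bot: the new `remove:aci:` value must be a byte-exact match of the ACI previously installed by the `addifexist` line that this patch deletes, including the trailing space inside `unknownrecord "` and the attribute order; the added line does match that old value, but because `remove:aci:` silently does nothing on a mismatch, a comment stating which release shipped this value (as the two existing `remove:aci:` lines implicitly do by their shorter lists) would help future cleanups.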
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index a7a4100db6de1956b8d0468e03214abc227386d5..512a653c3cc8ee641debec0d20f58e17eff08266 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -281,10 +281,9 @@ register = Registry()
 # supported resource record types
 _record_types = (
     u'A', u'AAAA', u'A6', u'AFSDB', u'APL', u'CERT', u'CNAME', u'DHCID', u'DLV',
-    u'DNAME', u'DNSKEY', u'DS', u'HIP', u'IPSECKEY', u'KEY', u'KX', u'LOC',
-    u'MX', u'NAPTR', u'NS', u'NSEC', u'NSEC3', u'PTR',
-    u'RRSIG', u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TA', u'TKEY',
-    u'TLSA', u'TSIG', u'TXT',
+    u'DNAME', u'DS', u'HIP', u'HINFO', u'IPSECKEY', u'KEY', u'KX', u'LOC',
+    u'MD', u'MINFO', u'MX', u'NAPTR', u'NS', u'NSEC', u'NXT', u'PTR', u'RRSIG',
+    u'RP', u'SIG', u'SPF', u'SRV', u'SSHFP', u'TLSA', u'TXT',
 )
 # DNS zone record identificator
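Review bot: `u'HIP', u'HINFO'` breaks the alphabetical order the rest of the tuple follows (HINFO sorts before HIP); please swap them. Separately, dropping DNSKEY, NSEC3, TA, TKEY and TSIG from `_record_types` is a user-visible change to the list of accepted record types and should be called out explicitly in the commit message and release notes, since clients that previously passed these names will now get a validation error.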
@@ -1092,9 +1091,6 @@ class DNAMERecord(DNSRecord):
         ),
     )
-class DNSKEYRecord(UnsupportedDNSRecord):
-    rrtype = 'DNSKEY'
-    rfc = 4034
 class DSRecord(DNSRecord):
     rrtype = 'DS'
@@ -1129,6 +1125,11 @@ class DLVRecord(DSRecord):
     rfc = 4431
+class HINFORecord(UnsupportedDNSRecord):
+    rrtype = 'HINFO'
+    rfc = 1035
+
+
 class HIPRecord(UnsupportedDNSRecord):
     rrtype = 'HIP'
     rfc = 5205
@@ -1287,6 +1288,18 @@ class LOCRecord(DNSRecord):
                                              name=target_cli_name)
                     raise errors.ValidationError(name=self.name, error=error)
+
+class MDRecord(UnsupportedDNSRecord):
+    # obsoleted, use MX instead
+    rrtype = 'MD'
+    rfc = 1035
+
+
+class MINFORecord(UnsupportedDNSRecord):
+    rrtype = 'MINFO'
+    rfc = 1035
+
+
 class MXRecord(DNSRecord):
     rrtype = 'MX'
     rfc = 1035
@@ -1318,9 +1331,6 @@ class NSECRecord(UnsupportedDNSRecord):
     rrtype = 'NSEC'
     rfc = 4034
-class NSEC3Record(UnsupportedDNSRecord):
-    rrtype = 'NSEC3'
-    rfc = 5155
 def _validate_naptr_flags(ugettext, flags):
     allowed_flags = u'SAUP'
@@ -1361,6 +1371,12 @@ class NAPTRRecord(DNSRecord):
         ),
     )
+
+class NXTRecord(UnsupportedDNSRecord):
+    rrtype = 'NXT'
+    rfc = 2535
+
+
 class PTRRecord(DNSRecord):
     rrtype = 'PTR'
     rfc = 1035
@@ -1450,10 +1466,6 @@ class SSHFPRecord(DNSRecord):
         return tuple(values)
-class TARecord(UnsupportedDNSRecord):
-    rrtype = 'TA'
-
-
 class TLSARecord(DNSRecord):
     rrtype = 'TLSA'
     rfc = 6698
@@ -1479,12 +1491,6 @@ class TLSARecord(DNSRecord):
     )
-class TKEYRecord(UnsupportedDNSRecord):
-    rrtype = 'TKEY'
-
-class TSIGRecord(UnsupportedDNSRecord):
-    rrtype = 'TSIG'
-
 class TXTRecord(DNSRecord):
     rrtype = 'TXT'
     rfc = 1035
@@ -1509,7 +1515,6 @@ _dns_records = (
     DHCIDRecord(),
     DLVRecord(),
     DNAMERecord(),
-    DNSKEYRecord(),
     DSRecord(),
     HIPRecord(),
     IPSECKEYRecord(),
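Review bot: none of the `_dns_records` hunks registers the new HINFORecord, MDRecord, MINFORecord or NXTRecord classes added earlier in this patch; this hunk keeps `DSRecord()` immediately followed by `HIPRecord()`, which is where `HINFORecord()` would sit. If the new types are meant to be reported as unsupported the same way HIPRecord is, add the four entries here; otherwise the additions to `_record_types` have no matching record object.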
@@ -1520,7 +1525,6 @@ _dns_records = (
     NAPTRRecord(),
     NSRecord(),
     NSECRecord(),
-    NSEC3Record(),
     PTRRecord(),
     RRSIGRecord(),
     RPRecord(),
@@ -1528,10 +1532,7 @@ _dns_records = (
     SPFRecord(),
     SRVRecord(),
     SSHFPRecord(),
-    TARecord(),
     TLSARecord(),
-    TKEYRecord(),
-    TSIGRecord(),
     TXTRecord(),
 )
@@ -2500,20 +2501,21 @@ class dnszone(DNSZoneBase):
             'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
             'ipapermdefaultattr': {
                 'objectclass',
-                'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
-                'certrecord', 'cn', 'cnamerecord', 'dlvrecord', 'dnamerecord',
-                'dnsclass', 'dnsttl', 'dsrecord', 'hinforecord',
-                'idnsallowdynupdate', 'idnsallowquery', 'idnsallowsyncptr',
-                'idnsallowtransfer', 'idnsforwarders', 'idnsforwardpolicy',
-                'idnsname', 'idnssecinlinesigning', 'idnssoaexpire',
-                'idnssoaminimum', 'idnssoamname', 'idnssoarefresh',
-                'idnssoaretry', 'idnssoarname', 'idnssoaserial',
-                'idnsupdatepolicy', 'idnszoneactive', 'keyrecord', 'kxrecord',
+                'a6record', 'aaaarecord', 'afsdbrecord', 'aplrecord', 'arecord',
+                'certrecord', 'cn', 'cnamerecord', 'dhcidrecord', 'dlvrecord',
+                'dnamerecord', 'dnsclass', 'dnsttl', 'dsrecord',
+                'hinforecord', 'hiprecord', 'idnsallowdynupdate',
+                'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+                'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+                'idnssecinlinesigning', 'idnssoaexpire', 'idnssoaminimum',
+                'idnssoamname', 'idnssoarefresh', 'idnssoaretry',
+                'idnssoarname', 'idnssoaserial', 'idnsupdatepolicy',
+                'idnszoneactive', 'ipseckeyrecord','keyrecord', 'kxrecord',
                 'locrecord', 'managedby', 'mdrecord', 'minforecord',
                 'mxrecord', 'naptrrecord', 'nsecrecord', 'nsec3paramrecord',
-                'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
-                'sigrecord', 'srvrecord', 'sshfprecord', 'tlsarecord',
-                'txtrecord', 'unknownrecord',
+                'nsrecord', 'nxtrecord', 'ptrrecord', 'rprecord', 'rrsigrecord',
+                'sigrecord', 'spfrecord', 'srvrecord', 'sshfprecord',
+                'tlsarecord', 'txtrecord', 'unknownrecord',
             },
             'replaces_system': ['Read DNS Entries'],
             'default_privileges': {'DNS Administrators', 'DNS Servers'},
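Review bot: `'ipseckeyrecord','keyrecord'` is missing the space after the comma that every other element in this set literal has; please make it `'ipseckeyrecord', 'keyrecord'`.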
@@ -2534,20 +2536,21 @@ class dnszone(DNSZoneBase):
             'ipapermlocation': api.env.basedn,
             'ipapermtarget': DN('idnsname=*', 'cn=dns', api.env.basedn),
             'ipapermdefaultattr': {
-                'a6record', 'aaaarecord', 'afsdbrecord', 'arecord',
-                'certrecord', 'cn', 'cnamerecord', 'dlvrecord', 'dnamerecord',
-                'dnsclass', 'dnsttl', 'dsrecord', 'hinforecord',
-                'idnsallowdynupdate', 'idnsallowquery', 'idnsallowsyncptr',
-                'idnsallowtransfer', 'idnsforwarders', 'idnsforwardpolicy',
-                'idnsname', 'idnssecinlinesigning', 'idnssoaexpire',
-                'idnssoaminimum', 'idnssoamname', 'idnssoarefresh',
-                'idnssoaretry', 'idnssoarname', 'idnssoaserial',
-                'idnsupdatepolicy', 'idnszoneactive', 'keyrecord', 'kxrecord',
+                'a6record', 'aaaarecord', 'afsdbrecord', 'aplrecord', 'arecord',
+                'certrecord', 'cn', 'cnamerecord', 'dhcidrecord', 'dlvrecord',
+                'dnamerecord', 'dnsclass', 'dnsttl', 'dsrecord',
+                'hinforecord', 'hiprecord', 'idnsallowdynupdate',
+                'idnsallowquery', 'idnsallowsyncptr', 'idnsallowtransfer',
+                'idnsforwarders', 'idnsforwardpolicy', 'idnsname',
+                'idnssecinlinesigning', 'idnssoaexpire', 'idnssoaminimum',
+                'idnssoamname', 'idnssoarefresh', 'idnssoaretry',
+                'idnssoarname', 'idnssoaserial', 'idnsupdatepolicy',
+                'idnszoneactive', 'ipseckeyrecord','keyrecord', 'kxrecord',
                 'locrecord', 'managedby', 'mdrecord', 'minforecord',
                 'mxrecord', 'naptrrecord', 'nsecrecord', 'nsec3paramrecord',
-                'nsrecord', 'nxtrecord', 'ptrrecord', 'rrsigrecord',
-                'sigrecord', 'srvrecord', 'sshfprecord', 'tlsarecord',
-                'txtrecord', 'unknownrecord',
+                'nsrecord', 'nxtrecord', 'ptrrecord', 'rprecord', 'rrsigrecord',
+                'sigrecord', 'spfrecord', 'srvrecord', 'sshfprecord',
+                'tlsarecord', 'txtrecord', 'unknownrecord',
             },
             'replaces': [
                 '(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)',
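Review bot: this `ipapermdefaultattr` block is a character-for-character copy of the one in the previous hunk (the "Read DNS Entries" permission), down to the same `'ipseckeyrecord','keyrecord'` spacing slip; factor the record-attribute set into a module-level constant (for example a frozenset built from `_dns_records`) and reference it from both permissions so the two lists cannot diverge the next time a record type is added.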
--
2.4.3
SOURCES/0021-webui-prohibit-setting-rid-base-with-ipa-trust-ad-po.patch
File was deleted
SOURCES/0022-Fix-CA-certificate-backup-and-restore.patch
File was deleted
SOURCES/0022-ipaplatform-Add-constants-submodule.patch
New file
@@ -0,0 +1,147 @@
From 9e5c97ffdc7a42f6f76affbc9a791496ba245557 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 2 Jul 2015 12:38:43 +0200
Subject: [PATCH] ipaplatform: Add constants submodule
Introduce an ipaplatform/constants.py file to store platform related
constants, which are not paths.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
---
 Makefile                        |  3 ++-
 freeipa.spec.in                 |  2 ++
 ipaplatform/base/constants.py   | 11 +++++++++++
 ipaplatform/fedora/constants.py | 16 ++++++++++++++++
 ipaplatform/redhat/constants.py | 17 +++++++++++++++++
 ipaplatform/rhel/constants.py   | 16 ++++++++++++++++
 6 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 ipaplatform/base/constants.py
 create mode 100644 ipaplatform/fedora/constants.py
 create mode 100644 ipaplatform/redhat/constants.py
 create mode 100644 ipaplatform/rhel/constants.py
diff --git a/Makefile b/Makefile
index abf58382960099a54b8920dd0e741b9fda17682f..3c81466d3728022c1d9cf5bb216990f14a59b7e5 100644
--- a/Makefile
+++ b/Makefile
@@ -159,10 +159,11 @@ version-update: release-update
     if [ "$(SUPPORTED_PLATFORM)" != "" ]; then \
         sed -e s/__PLATFORM__/$(SUPPORTED_PLATFORM)/ \
             ipaplatform/__init__.py.in > ipaplatform/__init__.py; \
-        rm -f ipaplatform/paths.py ipaplatform/services.py ipaplatform/tasks.py; \
+        rm -f ipaplatform/paths.py ipaplatform/services.py ipaplatform/tasks.py ipaplatform/constants.py; \
         ln -s $(SUPPORTED_PLATFORM)/paths.py ipaplatform/paths.py; \
         ln -s $(SUPPORTED_PLATFORM)/services.py ipaplatform/services.py; \
         ln -s $(SUPPORTED_PLATFORM)/tasks.py ipaplatform/tasks.py; \
+        ln -s $(SUPPORTED_PLATFORM)/constants.py ipaplatform/constants.py; \
     fi
     if [ "$(SKIP_API_VERSION_CHECK)" != "yes" ]; then \
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5790f7941d2117ed95d3c99556f1579c27917270..e9ba596fec1f8d179d4f834485e35a4814db898d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -363,6 +363,7 @@ rm -f ipapython/version.py
 rm -f ipaplatform/services.py
 rm -f ipaplatform/tasks.py
 rm -f ipaplatform/paths.py
+rm -f ipaplatform/constants.py
 make version-update
 cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
@@ -385,6 +386,7 @@ rm -f ipapython/version.py
 rm -f ipaplatform/services.py
 rm -f ipaplatform/tasks.py
 rm -f ipaplatform/paths.py
+rm -f ipaplatform/constants.py
 make version-update
 %if ! %{ONLY_CLIENT}
 make install DESTDIR=%{buildroot}
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
new file mode 100644
index 0000000000000000000000000000000000000000..70485055fa5a12fac878ace3dea11ea442ebe6be
--- /dev/null
+++ b/ipaplatform/base/constants.py
@@ -0,0 +1,11 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This base platform module exports platform dependant constants.
+'''
+
+
+class BaseConstantsNamespace(object):
+    pass
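Review bot: the module docstring misspells "dependent" as "dependant"; since this is a new file, fix it before it gets copied into the platform-specific modules. The empty `BaseConstantsNamespace` is fine as a placeholder, but a one-line comment describing the intended contents (constants that are not paths, per the commit message) would help readers distinguish it from `BasePathNamespace`.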
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
new file mode 100644
index 0000000000000000000000000000000000000000..ce03f58cf95be1a72a9ce3da65e6d21ef193cefe
--- /dev/null
+++ b/ipaplatform/fedora/constants.py
@@ -0,0 +1,16 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This Fedora base platform module exports platform related constants.
+'''
+
+# Fallback to default constant definitions
+from ipaplatform.redhat.constants import RedHatConstantsNamespace
+
+
+class FedoraConstantsNamespace(RedHatConstantsNamespace):
+    pass
+
+constants = FedoraConstantsNamespace()
diff --git a/ipaplatform/redhat/constants.py b/ipaplatform/redhat/constants.py
new file mode 100644
index 0000000000000000000000000000000000000000..7209947f8afbd688b02c8b134d33185e497befe0
--- /dev/null
+++ b/ipaplatform/redhat/constants.py
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This Red Hat OS family base platform module exports default platform
+related constants for the Red Hat OS family-based systems.
+'''
+
+# Fallback to default path definitions
+from ipaplatform.base.constants import BaseConstantsNamespace
+
+
+class RedHatConstantsNamespace(BaseConstantsNamespace):
+    pass
+
+constants = RedHatConstantsNamespace()
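Review bot: the comment `# Fallback to default path definitions` was carried over from the paths module; in this constants module it should read `# Fallback to default constant definitions`, as the fedora and rhel variants in this same patch already do.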
diff --git a/ipaplatform/rhel/constants.py b/ipaplatform/rhel/constants.py
new file mode 100644
index 0000000000000000000000000000000000000000..eaca48030fa28804c70c161b07228646a95fc1a3
--- /dev/null
+++ b/ipaplatform/rhel/constants.py
@@ -0,0 +1,16 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+'''
+This RHEL base platform module exports platform related constants.
+'''
+
+# Fallback to default constant definitions
+from ipaplatform.redhat.constants import RedHatConstantsNamespace
+
+
+class RHELConstantsNamespace(RedHatConstantsNamespace):
+    pass
+
+constants = RHELConstantsNamespace()
--
2.4.3
SOURCES/0023-DNS-check-if-DNS-package-is-installed.patch
New file
@@ -0,0 +1,170 @@
From 9bf3e3efe51ccda418afd2340a113f39144851c3 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 1 Jul 2015 15:05:45 +0200
Subject: [PATCH] DNS: check if DNS package is installed
Instead of separately checking each of the required DNS packages, we just
need to check if the IPA DNS package is installed.
https://fedorahosted.org/freeipa/ticket/4058
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaplatform/base/constants.py           |  2 +-
 ipaplatform/base/paths.py               |  1 +
 ipaplatform/rhel/constants.py           |  2 +-
 ipaserver/install/bindinstance.py       | 19 +------------------
 ipaserver/install/dns.py                | 11 ++++++-----
 ipaserver/install/dnskeysyncinstance.py |  6 ------
 ipaserver/install/opendnssecinstance.py |  8 --------
 7 files changed, 10 insertions(+), 39 deletions(-)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 70485055fa5a12fac878ace3dea11ea442ebe6be..cef829e2d3886db00ae6d0299ddcf325d1add80e 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -8,4 +8,4 @@ This base platform module exports platform dependant constants.
 class BaseConstantsNamespace(object):
-    pass
+    IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 5756040172126438d42275b734f4d766d53048fe..4c93c1f7162b0aeb4f798ef84e1ac8db4573518b 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -218,6 +218,7 @@ class BasePathNamespace(object):
     GROUPADD = "/usr/sbin/groupadd"
     HTTPD = "/usr/sbin/httpd"
     IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install"
+    IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install"
     SBIN_IPA_JOIN = "/usr/sbin/ipa-join"
     IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
     IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
diff --git a/ipaplatform/rhel/constants.py b/ipaplatform/rhel/constants.py
index eaca48030fa28804c70c161b07228646a95fc1a3..17abde1f861778bec83067cb01e9a1faae325527 100644
--- a/ipaplatform/rhel/constants.py
+++ b/ipaplatform/rhel/constants.py
@@ -11,6 +11,6 @@ from ipaplatform.redhat.constants import RedHatConstantsNamespace
 class RHELConstantsNamespace(RedHatConstantsNamespace):
-    pass
+    IPA_DNS_PACKAGE_NAME = "ipa-server-dns"
 constants = RHELConstantsNamespace()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2228342dc40ee415d1adf2687a7ae91a5963d3c7..9705e845a76191a252bfa963b54d9c31d83ad18e 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -62,25 +62,8 @@ named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n"
 named_conf_include_re = re.compile(r'\s*include\s+"(?P<path>)"\s*;')
 named_conf_include_template = "include \"%(path)s\";\n"
-def check_inst(unattended):
-    has_bind = True
-    named = services.knownservices.named
-    if not os.path.exists(named.get_binary_path()):
-        print "BIND was not found on this system"
-        print ("Please install the '%s' package and start the installation again"
-              % named.get_package_name())
-        has_bind = False
-
-    # Also check for the LDAP BIND plug-in
-    if not os.path.exists(paths.BIND_LDAP_SO) and \
-       not os.path.exists(paths.BIND_LDAP_SO_64):
-        print "The BIND LDAP plug-in was not found on this system"
-        print "Please install the 'bind-dyndb-ldap' package and start the installation again"
-        has_bind = False
-
-    if not has_bind:
-        return False
+def check_inst(unattended):
     if not unattended and os.path.exists(NAMED_CONF):
         msg = "Existing BIND configuration detected, overwrite?"
         return ipautil.user_input(msg, False)
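Review bot: after this change `check_inst` no longer checks anything about installed packages; it only asks whether an existing named.conf should be overwritten, yet it keeps its name and is still called under a "check bind packages" comment in dns.py. Either rename it (for example to something describing the named.conf overwrite prompt) and add a docstring stating that package presence is now guaranteed by the DNS package dependencies, or keep the name but document that. Also check whether `services` is still used in this module now that the `services.knownservices.named` lookup is gone.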
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index d22bce7a7cd2e0e8a7ffe0ab4aa496634465903b..9430d189978b0984b0b71d7d754516a4135053fb 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -9,6 +9,7 @@ from subprocess import CalledProcessError
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
+from ipaplatform.constants import constants
 from ipaplatform import services
 from ipapython import ipautil
 from ipapython import sysrestore
@@ -96,6 +97,10 @@ def install_check(standalone, replica, options, hostname):
     global reverse_zones
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
+    if not ipautil.file_exists(paths.IPA_DNS_INSTALL):
+        raise RuntimeError("Integrated DNS requires '%s' package" %
+                           constants.IPA_DNS_PACKAGE_NAME)
+
     if standalone:
         print "=============================================================================="
         print "This program will setup DNS for the FreeIPA Server."
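Review bot: the new check raises `RuntimeError`, while every other user-facing abort in `install_check` (the `sys.exit("Aborted")` and `sys.exit("Aborting installation.")` calls below) exits with a message; unless the caller catches RuntimeError, a missing DNS package will surface as a traceback rather than a clean message. Consider `sys.exit(...)` for consistency, or document that the installer wrapper handles the exception. Note also that the test is for the presence of the `ipa-dns-install` script, used as a proxy for the package; a short comment saying so would explain why a path rather than a package query is checked.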
@@ -141,8 +146,7 @@ def install_check(standalone, replica, options, hostname):
         sys.exit("Aborted")
     # Check bind packages are installed
-    if not (bindinstance.check_inst(options.unattended) and
-            dnskeysyncinstance.check_inst()):
+    if not bindinstance.check_inst(options.unattended):
         sys.exit("Aborting installation.")
     if options.disable_dnssec_master:
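Review bot: the comment `# Check bind packages are installed` is now stale; with the package checks removed from `bindinstance.check_inst` in this same patch, the only thing this call does is prompt about overwriting an existing named.conf. Update the comment to match.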
@@ -177,9 +181,6 @@ def install_check(standalone, replica, options, hostname):
             sys.exit("Only one DNSSEC key master is supported in current "
                      "version.")
-        # check opendnssec packages are installed
-        if not opendnssecinstance.check_inst():
-            sys.exit("Aborting installation")
         if options.kasp_db_file:
             dnskeysyncd = services.service('ipa-dnskeysyncd')
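Review bot: with the `opendnssecinstance.check_inst()` call removed here and `dnskeysyncinstance.check_inst()` removed in the previous hunk, check whether `opendnssecinstance` and `dnskeysyncinstance` are still referenced elsewhere in dns.py; if not, drop the now-unused imports in the same patch so the change stays self-contained.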
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index eb6d07f014bce296a5b094f499194286c31c2489..7d1351ccc57a5dbd7d537741545ad44d0dcd5eb1 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -30,12 +30,6 @@ softhsm_token_label = u'ipaDNSSEC'
 softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
-def check_inst():
-    if not os.path.exists(paths.DNSSEC_KEYFROMLABEL):
-        print ("Please install the 'bind-pkcs11-utils' package and start "
-               "the installation again")
-        return False
-    return True
 def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
                             realm=None, autobind=ipaldap.AUTOBIND_DISABLED):
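Review bot: removing `check_inst` deletes the only visible use of `os.path.exists` and `paths.DNSSEC_KEYFROMLABEL` in this hunk; verify that `os` is still needed in this module and remove the import if this was its last use. The removed message pointing the user at the `bind-pkcs11-utils` package is lost; if that dependency is not expressed by the DNS package, the user no longer gets any hint about it.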
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index d68691fa32f135c7527ce28ed771757eadab4831..0f1af828ea245046330fdfab77db130ca14faba3 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -55,14 +55,6 @@ def get_dnssec_key_masters(conn):
     return keymasters_list
-def check_inst():
-    if not os.path.exists(paths.ODS_KSMUTIL):
-        print ("Please install the 'opendnssec' package and start "
-               "the installation again")
-        return False
-    return True
-
-
 class OpenDNSSECInstance(service.Service):
     def __init__(self, fstore=None, dm_password=None, ldapi=False,
                  start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
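Review bot: same remark as for dnskeysyncinstance.py: `check_inst` was the visible user of `os.path.exists` and `paths.ODS_KSMUTIL`, so confirm that `os` remains used and that the `opendnssec` package is now pulled in by the DNS package's dependencies, since the explicit "Please install the 'opendnssec' package" message is gone.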
--
2.4.3
SOURCES/0023-Fix-DNS-installer-adds-invalid-zonemgr-email.patch
File was deleted
SOURCES/0024-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch
New file
@@ -0,0 +1,76 @@
From c4859813a5fd89082c9c05a3808f9b6cb97ca5d0 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 15 Jul 2015 15:38:50 +0200
Subject: [PATCH] dcerpc: Expand explanation for WERR_ACCESS_DENIED
It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD side are not properly configured.
Mention this case in the error message as well.
https://fedorahosted.org/freeipa/ticket/5013
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipaserver/dcerpc.py | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a1da0a641064f59a79639d97489ff73181787a4a..97f6c1694c20f26af0861b86a1ae1adf7a970a59 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1084,22 +1084,44 @@ class TrustDomainInstance(object):
         result = retrieve_netlogon_info_2(None, self,
                                           netlogon.NETLOGON_CONTROL_TC_VERIFY,
                                           another_domain.info['dns_domain'])
-        if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
-            if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+
+        if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:
+            if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0:
                 if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":
                     # Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+
                     # Sleep and repeat again
                     self.validation_attempts += 1
                     if self.validation_attempts < 10:
                         sleep(5)
                         return self.verify_trust(another_domain)
-                    raise errors.ACIError(
-                            info=_('IPA master denied trust validation requests from AD DC '
-                                   '%(count)d times. Most likely AD DC contacted a replica '
-                                   'that has no trust information replicated yet.')
-                                   % dict(count=self.validation_attempts))
+
+                    # If we get here, we already failed 10 times
+                    srv_record_templates = (
+                        '_ldap._tcp.%s',
+                        '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.%s'
+                    )
+
+                    srv_records = ', '.join(
+                        [srv_record % api.env.domain
+                         for srv_record in srv_record_templates]
+                    )
+
+                    error_message = _(
+                        'IPA master denied trust validation requests from AD '
+                        'DC %(count)d times. Most likely AD DC contacted a '
+                        'replica that has no trust information replicated '
+                        'yet. Additionally, please check that AD DNS is able '
+                        'to resolve %(records)s SRV records to the correct '
+                        'IPA server.') % dict(count=self.validation_attempts,
+                                              records=srv_records)
+
+                    raise errors.ACIError(info=error_message)
+
                 raise assess_dcerpc_exception(*result.pdc_connection_status)
+
             return True
+
         return False
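Review bot: the outer condition still uses boolean `and` between `result.flags` and `netlogon.NETLOGON_VERIFY_STATUS_RETURNED`; since this line is being rewritten anyway, it should be a bitmask test, `result.flags & netlogon.NETLOGON_VERIFY_STATUS_RETURNED`. As written the expression is true whenever `flags` is non-zero, regardless of whether the status-returned bit is set, so the branch can read `pdc_connection_status` that was never populated. The new error text and the `srv_records` construction look fine; the recursive `return self.verify_trust(another_domain)` retry is bounded by `validation_attempts < 10`, which the added comment now states explicitly.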
--
2.4.3
SOURCES/0024-ipaplatform-Use-the-dirsrv-service-not-target.patch
File was deleted
SOURCES/0025-Fix-DNS-policy-upgrade-raises-asertion-error.patch
File was deleted
SOURCES/0025-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch
New file
@@ -0,0 +1,26 @@
From 45cbe4b94e59bcfa3d8968595a780bdb9f3af2f2 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 22 Jul 2015 14:29:35 +0200
Subject: [PATCH] dcerpc: Fix UnboundLocalError for ccache_name
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/dcerpc.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 97f6c1694c20f26af0861b86a1ae1adf7a970a59..c0aa322c5d59e7d17a4ceb90448b397613284e38 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -644,6 +644,8 @@ class DomainValidator(object):
         Returns LDAP result or None.
         """
+        ccache_name = None
+
         if self._admin_creds:
             (ccache_name, principal) = self.kinit_as_administrator(info['dns_domain'])
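Review bot: initialising `ccache_name = None` fixes the reported UnboundLocalError, but `principal` is bound in the same tuple assignment inside the `if self._admin_creds:` branch; if it is referenced later in the method on the path where `_admin_creds` is unset, it will fail the same way. Initialise both names together (`ccache_name = principal = None`) unless `principal` is provably only used inside the branch.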
--
2.4.3
SOURCES/0026-Fix-upgrade-referint-plugin.patch
File was deleted
SOURCES/0026-fix-broken-search-for-users-by-their-manager.patch
New file
@@ -0,0 +1,72 @@
From 29d63aa08fc648c3dfbc9ae4cc74991eba2fb7a0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Thu, 23 Jul 2015 10:44:08 +0200
Subject: [PATCH] fix broken search for users by their manager
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.
https://fedorahosted.org/freeipa/ticket/5146
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/baseuser.py  | 8 ++++++++
 ipalib/plugins/stageuser.py | 7 -------
 ipalib/plugins/user.py      | 4 ----
 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index 9068ef0fd266a4460697ee45f29c80b74662fab2..bd66cf5a3e3a4e6c18d1a54408f969668c834fab 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -561,6 +561,14 @@ class baseuser_find(LDAPSearch):
     """
     Prototype command plugin to be implemented by real plugin
     """
+    def args_options_2_entry(self, *args, **options):
+        newoptions = {}
+        self.common_enhance_options(newoptions, **options)
+        options.update(newoptions)
+
+        return super(baseuser_find, self).args_options_2_entry(
+            *args, **options)
+
     def common_enhance_options(self, newoptions, **options):
         # assure the manager attr is a dn, not just a bare uid
         manager = options.get('manager')
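Review bot: the new `args_options_2_entry` override has no docstring or comment saying why the manager-to-DN conversion was moved here from `execute` (the commit message says the search filter was being built incorrectly, presumably because the conversion ran too late to affect the filter); a one-line comment to that effect would help the next reader. The in-place `options.update(newoptions)` is safe since `**options` already gives the method a fresh dict.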
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index 6cbc8f4ab07f2c1172f2b2c45bfe8f30a74938b3..49a762a922b21bd6d0824787d9305417f5e47ee6 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -449,13 +449,6 @@ class stageuser_find(baseuser_find):
     member_attributes = ['memberof']
     has_output_params = baseuser_find.has_output_params + stageuser_output_params
-    def execute(self, *args, **options):
-        newoptions = {}
-        self.common_enhance_options(newoptions, **options)
-        options.update(newoptions)
-
-        return super(stageuser_find, self).execute(self, *args, **options)
-
     def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
         assert isinstance(base_dn, DN)
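Review bot: the removed `execute` override also passed `self` twice (`super(stageuser_find, self).execute(self, *args, **options)`), so this hunk silently fixes a latent positional-argument bug in addition to moving the manager handling; worth mentioning in the commit message so the behaviour change for `stageuser-find` is recorded.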
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 9bd7bf7e5242234ead4c39a6346e57865b2e2124..206b380efb6472fb040dde33ac80e3f66c00c138 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -730,10 +730,6 @@ class user_find(baseuser_find):
             return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\
                         getattr(context, 'principal'), base_dn, scope)
-        newoptions = {}
-        self.common_enhance_options(newoptions, **options)
-        options.update(newoptions)
-
         preserved = options.get('preserved', False)
         if preserved is None:
             base_dn = self.api.env.basedn
--
2.4.3
SOURCES/0027-Upgrade-fix-trusts-objectclass-violationi.patch
File was deleted
SOURCES/0027-dcerpc-Add-get_trusted_domain_object_type-method.patch
New file
@@ -0,0 +1,62 @@
From c21bb52f339a38aaf7d5b4285447e5a166fb4fcf Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 22 Jul 2015 14:00:37 +0200
Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/dcerpc.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index c0aa322c5d59e7d17a4ceb90448b397613284e38..c604fa3eae4cf94d719190a5a3e3de15d3841d24 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -107,6 +107,14 @@ dcerpc_error_messages = {
          errors.RequirementError(name=_('At least the domain or IP address should be specified')),
 }
+pysss_type_key_translation_dict = {
+    pysss_nss_idmap.ID_USER: 'user',
+    pysss_nss_idmap.ID_GROUP: 'group',
+    # Used for users with magic private groups
+    pysss_nss_idmap.ID_BOTH: 'both',
+}
+
+
 def assess_dcerpc_exception(num=None,message=None):
     """
     Takes error returned by Samba bindings and converts it into
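Review bot: `pysss_type_key_translation_dict` evaluates `pysss_nss_idmap.ID_USER`, `ID_GROUP` and `ID_BOTH` at module import time; confirm that `pysss_nss_idmap` is imported unconditionally at the top of `dcerpc.py` rather than lazily inside a function, otherwise importing the module fails on hosts where the binding is missing.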
@@ -368,6 +376,27 @@ class DomainValidator(object):
             raise errors.ValidationError(name=_('trusted domain object'),
                error= _('Trusted domain did not return a valid SID for the object'))
+    def get_trusted_domain_object_type(self, name_or_sid):
+        """
+        Return the type of the object corresponding to the given name in
+        the trusted domain, which is either 'user', 'group' or 'both'.
+        The 'both' types is used for users with magic private groups.
+        """
+
+        object_type = None
+
+        if is_sid_valid(name_or_sid):
+            result = pysss_nss_idmap.getnamebysid(name_or_sid)
+        else:
+            result = pysss_nss_idmap.getsidbyname(name_or_sid)
+
+        if name_or_sid in result:
+            object_type = result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
+
+        # Do the translation to hide pysss_nss_idmap constants
+        # from higher-level code
+        return pysss_type_key_translation_dict.get(object_type)
+
     def get_trusted_domain_object_from_sid(self, sid):
         root_logger.debug("Converting SID to object name: %s" % sid)
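Review bot: the docstring should say that None is returned when the SSSD lookup has no entry for `name_or_sid` or when the reported type is not in `pysss_type_key_translation_dict`, since callers compare the result against expected type strings and treat None as a mismatch. The result is also indexed with `name_or_sid` exactly as given; if `getnamebysid`/`getsidbyname` key their result by a normalised form (for example a different case), the `in` test fails and None is returned. Minor: "The 'both' types is used" should read "The 'both' type is used".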
--
2.4.3
SOURCES/0028-Produce-better-error-in-group-add-command.patch
File was deleted
SOURCES/0028-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch
New file
@@ -0,0 +1,98 @@
From 964bce5fd60bbb52be1dcc67e628a6c1ab62e356 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 23 Jul 2015 12:36:53 +0200
Subject: [PATCH] idviews: Restrict anchor to name and name to anchor
 conversions
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to it's SID.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/idviews.py | 50 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 67f52f886f0e19288a829616603c7aef6768f8db..c4f748132642f8702dcd12d38367dc36f4bc4a3c 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -432,6 +432,36 @@ class idview_unapply(baseidview_apply):
 # ID overrides helper methods
+def verify_trusted_domain_object_type(validator, desired_type, name_or_sid):
+
+    object_type = validator.get_trusted_domain_object_type(name_or_sid)
+
+    if object_type == desired_type:
+        # In case SSSD returns the same type as the type being
+        # searched, no problems here.
+        return True
+
+    elif desired_type == 'user' and object_type == 'both':
+        # Type both denotes users with magic private groups.
+        # Overriding attributes for such users is OK.
+        return True
+
+    elif desired_type == 'group' and object_type == 'both':
+        # However, overriding attributes for magic private groups
+        # does not make sense. One should override the GID of
+        # the user itself.
+
+        raise errors.ConversionError(
+            name='identifier',
+            error=_('You are trying to reference a magic private group '
+                    'which is not allowed to be overriden. '
+                    'Try overriding the GID attribute of the '
+                    'corresponding user instead.')
+            )
+
+    return False
+
+
 def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap):
     """
     Resolves the user/group name to the anchor uuid:
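Review bot: when `get_trusted_domain_object_type` returns None (lookup failed or unmapped type) the function returns False without any diagnostic, so a failed override resolution leaves no trace in the log; a debug log stating `desired_type` and the type actually resolved would make such cases diagnosable. Also "overriden" in the user-facing `ConversionError` message should read "overridden".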
@@ -482,9 +512,15 @@ def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap):
                 sid = domain_validator.get_trusted_domain_object_sid(obj,
                         fallback_to_ldap=fallback_to_ldap)
-                # There is no domain prefix since SID contains information
-                # about the domain
-                return SID_ANCHOR_PREFIX + sid
+                # We need to verify that the object type is correct
+                type_correct = verify_trusted_domain_object_type(
+                        domain_validator, obj_type, sid)
+
+                if type_correct:
+                    # There is no domain prefix since SID contains information
+                    # about the domain
+                    return SID_ANCHOR_PREFIX + sid
+
     except errors.ValidationError:
         # Domain validator raises Validation Error if object name does not
         # contain domain part (either NETBIOS\ prefix or @domain.name suffix)
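Review bot: when `verify_trusted_domain_object_type` returns False (the SID resolved to the other object type), control drops out of the branch with no message, so the caller only sees whatever NotFound follows; a debug log at that point naming `obj_type` and `sid` would help. Passing `sid` rather than `obj` to the check is correct here, since `get_trusted_domain_object_type` accepts either form.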
@@ -539,7 +575,13 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
             domain_validator = ipaserver.dcerpc.DomainValidator(api)
             if domain_validator.is_configured():
                 name = domain_validator.get_trusted_domain_object_from_sid(sid)
-                return name
+
+                # We need to verify that the object type is correct
+                type_correct = verify_trusted_domain_object_type(
+                        domain_validator, obj_type, name)
+
+                if type_correct:
+                    return name
     # No acceptable object was found
     raise errors.NotFound(
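Review bot: the type check is fed `name`, which `verify_trusted_domain_object_type` resolves back to a SID via `getsidbyname`, a second round trip to SSSD; `sid` is already in scope on the line above, so `verify_trusted_domain_object_type(domain_validator, obj_type, sid)` gives the same answer from the identifier the function already holds.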
--
2.4.3
SOURCES/0029-Search-using-proper-scope-when-connecting-CA-instanc.patch
File was deleted
SOURCES/0029-idviews-Enforce-objectclass-check-in-idoverride-del.patch
New file
@@ -0,0 +1,52 @@
From 9fedf58eb1282560957edc1f36356602b55a736d Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 23 Jul 2015 14:00:06 +0200
Subject: [PATCH] idviews: Enforce objectclass check in idoverride*-del
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces a objectclass check in idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/idviews.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index c4f748132642f8702dcd12d38367dc36f4bc4a3c..2e6e84510d3caa3636d3f0c08c56403866ff54f9 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -716,6 +716,25 @@ class baseidoverride_del(LDAPDelete):
     takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)
+    def pre_callback(self, ldap, dn, *keys, **options):
+        assert isinstance(dn, DN)
+
+        # Make sure the entry we're deleting has all the objectclasses
+        # this object requires
+        try:
+            entry = ldap.get_entry(dn, ['objectclass'])
+        except errors.NotFound:
+            self.obj.handle_not_found(*keys)
+
+        required_object_classes = set(self.obj.object_class)
+        actual_object_classes = set(entry['objectclass'])
+
+        # If not, treat it as a failed search
+        if not required_object_classes.issubset(actual_object_classes):
+            self.obj.handle_not_found(*keys)
+
+        return dn
+
 class baseidoverride_mod(LDAPUpdate):
     __doc__ = _('Modify an ID override.')
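Review bot: if `self.obj.handle_not_found(*keys)` in the `except errors.NotFound` branch ever returns instead of raising, `entry` is unbound on the following `set(entry['objectclass'])` line and the command fails with an UnboundLocalError rather than a clean NotFound; add a `raise` after the call or initialise `entry = None` and check it. The objectclass subset check itself is the right fix for the cross-type deletion the commit message describes, since the anchor-to-SID type check alone does not cover a raw anchor.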
--
2.4.3
SOURCES/0030-Fix-zonemgr-must-be-unicode-value.patch
File was deleted
SOURCES/0030-idviews-Check-for-the-Default-Trust-View-only-if-app.patch
New file
@@ -0,0 +1,50 @@
From f12e0e81f1cc6af2034c535866c3bfeddce8321d Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Tue, 21 Jul 2015 12:44:37 +0200
Subject: [PATCH] idviews: Check for the Default Trust View only if applying
 the view
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.
https://fedorahosted.org/freeipa/ticket/4969
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipalib/plugins/idviews.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 2e6e84510d3caa3636d3f0c08c56403866ff54f9..ceb277020d1325bfd1607bcd4b05f4069ae9508d 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -256,17 +256,19 @@ class baseidview_apply(LDAPQuery):
         if not options.get('clear_view', False):
             view_dn = self.api.Object['idview'].get_dn_if_exists(view)
             assert isinstance(view_dn, DN)
+
+            # Check that we're not applying the Default Trust View
+            if view.lower() == DEFAULT_TRUST_VIEW_NAME:
+                raise errors.ValidationError(
+                    name=_('ID View'),
+                    error=_('Default Trust View cannot be applied on hosts')
+                )
+
         else:
             # In case we are removing assigned view, we modify the host setting
             # the ipaAssignedIDView to None
             view_dn = None
-        if view.lower() == DEFAULT_TRUST_VIEW_NAME:
-            raise errors.ValidationError(
-                name=_('ID View'),
-                error=_('Default Trust View cannot be applied on hosts')
-            )
-
         completed = 0
         succeeded = {'host': []}
         failed = {
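Review bot: the Default Trust View check now runs after `get_dn_if_exists(view)`, so an LDAP lookup is made before the cheap string comparison that rejects the request; placing the `view.lower() == DEFAULT_TRUST_VIEW_NAME` test above the lookup avoids the round trip. Confining the check to the `if not options.get('clear_view', False):` branch is the correct fix for the `idview-unapply` case.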
--
2.4.3
SOURCES/0031-Fix-warning-message-should-not-contain-CLI-commands.patch
File was deleted
SOURCES/0031-replication-Fix-incorrect-exception-invocation.patch
New file
@@ -0,0 +1,26 @@
From e3925cac13a3daca4880e789a139bad265c21798 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Fri, 24 Jul 2015 11:26:33 +0200
Subject: [PATCH] replication: Fix incorrect exception invocation
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/replication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e9af88dc4356d4fd5495f4fea399ab09c75db953..2b36a5eb9287bf1789009a3198e540e333869e98 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1171,7 +1171,7 @@ class ReplicationManager(object):
         entry = self.get_replication_agreement(hostname)
         if not entry:
             raise errors.NotFound(
-                "Replication agreement for %s not found" % hostname)
+                reason="Replication agreement for %s not found" % hostname)
         objectclass = entry.get("objectclass")
         for o in objectclass:
--
2.4.3
SOURCES/0032-Fix-wrong-expiration-date-on-renewed-IPA-CA-certific.patch
File was deleted
SOURCES/0032-webui-add-Kerberos-configuration-instructions-for-Ch.patch
New file
@@ -0,0 +1,149 @@
From dc0d09f6e6a5681fa4c4146e6df6872dccc40b68 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Fri, 17 Jul 2015 15:57:30 +0200
Subject: [PATCH] webui: add Kerberos configuration instructions for Chrome
* IE section moved at the end
* Chrome section added
* FF and IE icons removed
https://fedorahosted.org/freeipa/ticket/823
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 install/html/ssbrowser.html | 111 +++++++++++++++++++++++++++++++-------------
 1 file changed, 80 insertions(+), 31 deletions(-)
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index d90103228150a60bd49e91ea8c64891d53d75d7b..685800e16e6e77c70adf905acfca2996513d1e1d 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -54,38 +54,8 @@
     <div class="col-sm-12">
     <div class="ssbrowser">
         <h1>Browser Kerberos Setup</h1>
-        <h2><img alt="Internet Explorer" src="../ui/images/ie-icon.png">Internet Explorer Configuration</h2>
-        <p>
-            Once you are able to log into the workstation with your kerberos key you are now able to use that ticket in Internet Explorer.
-        </p>
-        <p>
-            <strong>Login to the Windows machine using an account of your Kerberos realm (administrative domain)</strong>
-        </p>
-        <p>
-            <strong>In Internet Explorer, click Tools, and then click Internet Options.</strong>
-        </p>
-        <div>
-            <ol>
-                <li>Click the Security tab</li>
-                <li>Click Local intranet</li>
-                <li>Click Sites </li>
-                <li>Click Advanced </li>
-                <li>Add your domain to the list</li>
-            </ol>
-            <ol>
-                <li>Click the Security tab</li>
-                <li>Click Local intranet</li>
-                <li>Click Custom Level</li>
-                <li>Select Automatic logon only in Intranet zone</li>
-            </ol>
-
-            <ol>
-                <li> Visit a kerberized web site using IE (You must use the fully-qualified Domain Name in the URL)</li>
-                <li><strong> You are all set.</strong></li>
-            </ol>
-        </div>
-        <h2><img alt="Firefox" src="../ui/images/firefox-icon.png">Firefox Configuration</h2>
+        <h2>Firefox</h2>
         <p>