The Identity, Policy and Audit system
CentOS Sources
2016-05-12 aa60fb364aa859659fdb242b66651eeb82dd656d
import ipa-4.2.0-15.el7_2.15
21 files added
1 files deleted
3 files modified
2042 ■■■■■ changed files
SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch 145 ●●●●● patch | view | raw | blame | history
SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0183-installer-Propagate-option-values-from-components-in.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch 78 ●●●●● patch | view | raw | blame | history
SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch 294 ●●●●● patch | view | raw | blame | history
SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch 279 ●●●●● patch | view | raw | blame | history
SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/0194-Warn-user-if-trust-is-broken.patch 115 ●●●●● patch | view | raw | blame | history
SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0198-Fix-connections-to-DS-during-installation.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0199-Fix-broken-trust-warnings.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch 20 ●●●● patch | view | raw | blame | history
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch 14 ●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 113 ●●●● patch | view | raw | blame | history
SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch
New file
@@ -0,0 +1,145 @@
From d9d27cae99fe6f71daf250bfff71ee406fa3d23c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Dec 2015 12:38:16 +0100
Subject: [PATCH] ipa-kdb: map_groups() consider all results
Resolves https://fedorahosted.org/freeipa/ticket/5573
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 108 +++++++++++++++++++++-------------------
 1 file changed, 56 insertions(+), 52 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 3c0dca839314273ae309b3b65ec7cf103e9c6da7..de40a145210c36ea0d35e0cc491fe9d3d76efea0 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1082,68 +1082,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext,
             continue;
         }
-        ldap_derefresponse_free(deref_results);
-        ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
-        switch (ret) {
-            case ENOENT:
-                /* No entry found, try next SID */
-                break;
-            case 0:
-                if (deref_results == NULL) {
-                    krb5_klog_syslog(LOG_ERR, "No results.");
+        do {
+            ldap_derefresponse_free(deref_results);
+            ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
+            switch (ret) {
+                case ENOENT:
+                    /* No entry found, try next SID */
                     break;
-                }
+                case 0:
+                    if (deref_results == NULL) {
+                        krb5_klog_syslog(LOG_ERR, "No results.");
+                        break;
+                    }
-                for (dres = deref_results; dres; dres = dres->next) {
-                    count++;
-                }
+                    for (dres = deref_results; dres; dres = dres->next) {
+                        count++;
+                    }
-                sids = talloc_realloc(memctx, sids, struct dom_sid, count);
-                if (sids == NULL) {
-                    krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
-                    kerr = ENOMEM;
-                    goto done;
-                }
+                    sids = talloc_realloc(memctx, sids, struct dom_sid, count);
+                    if (sids == NULL) {
+                        krb5_klog_syslog(LOG_ERR, "talloc_realloc failed.");
+                        kerr = ENOMEM;
+                        goto done;
+                    }
-                for (dres = deref_results; dres; dres = dres->next) {
-                    gid = 0;
-                    memset(&sid, '\0', sizeof(struct dom_sid));
-                    for (dval = dres->attrVals; dval; dval = dval->next) {
-                        if (strcasecmp(dval->type, "gidNumber") == 0) {
-                            errno = 0;
-                            gid = strtoul((char *)dval->vals[0].bv_val,
-                                          &endptr,10);
-                            if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
-                                *endptr != '\0') {
-                                continue;
+                    for (dres = deref_results; dres; dres = dres->next) {
+                        gid = 0;
+                        memset(&sid, '\0', sizeof(struct dom_sid));
+                        for (dval = dres->attrVals; dval; dval = dval->next) {
+                            if (strcasecmp(dval->type, "gidNumber") == 0) {
+                                errno = 0;
+                                gid = strtoul((char *)dval->vals[0].bv_val,
+                                              &endptr,10);
+                                if (gid == 0 || gid >= UINT32_MAX || errno != 0 ||
+                                    *endptr != '\0') {
+                                    continue;
+                                }
                             }
-                        }
-                        if (strcasecmp(dval->type,
-                                       "ipaNTSecurityIdentifier") == 0) {
-                            kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
-                            if (kerr != 0) {
-                                continue;
+                            if (strcasecmp(dval->type,
+                                           "ipaNTSecurityIdentifier") == 0) {
+                                kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
+                                if (kerr != 0) {
+                                    continue;
+                                }
                             }
                         }
-                    }
-                    if (gid != 0 && sid.sid_rev_num != 0) {
-                    /* TODO: check if gid maps to sid */
-                        if (sid_index >= count) {
-                            krb5_klog_syslog(LOG_ERR, "Index larger than "
-                                                      "array, this shoould "
-                                                      "never happen.");
-                            kerr = EFAULT;
-                            goto done;
+                        if (gid != 0 && sid.sid_rev_num != 0) {
+                        /* TODO: check if gid maps to sid */
+                            if (sid_index >= count) {
+                                krb5_klog_syslog(LOG_ERR, "Index larger than "
+                                                          "array, this shoould "
+                                                          "never happen.");
+                                kerr = EFAULT;
+                                goto done;
+                            }
+                            memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
+                            sid_index++;
                         }
-                        memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid));
-                        sid_index++;
                     }
-                }
-                break;
-            default:
-                goto done;
-        }
+                    break;
+                default:
+                    goto done;
+            }
+
+            lentry = ldap_next_entry(ipactx->lcontext, lentry);
+        } while (lentry != NULL);
     }
     *_ipa_group_sids_count = sid_index;
--
2.7.1
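Review bot: The new `do { ... } while (lentry != NULL);` loop dereferences `lentry` once before the condition is ever tested, so its first iteration depends on the guard above the hunk (the `continue;` at the top of the view is presumably the NULL check) — if that guard is ever loosened, `ipadb_ldap_deref_results` is called with a NULL entry; a `while (lentry != NULL) { ... lentry = ldap_next_entry(...); }` form makes the precondition local and is equivalent whenever the guard holds. `count` is cumulative across all entries of the SID, which is what keeps the `sid_index >= count` bounds check before the `memcpy` valid — a one-line comment such as `/* count accumulates over every entry, sids is grown to match */` would make that intent explicit. The carried-over log text `"this shoould never happen."` still has the typo. map_groups() starts and ends outside the hunk, so whether the last `deref_results` is released at `done` cannot be confirmed here.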
SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
New file
@@ -0,0 +1,44 @@
From 3d13e08deee3586635e583c1d5ac8c722530ac2f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 15 Jul 2015 14:15:49 +0200
Subject: [PATCH] ipa-ca-install: print more specific errors when CA is already
 installed
This patch implements a more thorough checking for already installed CAs
during standalone CA installation using ipa-ca-install. The installer now
differentiates between CA that is already installed locally and CA installed
on one or more masters in topology and prints an appropriate error message.
https://fedorahosted.org/freeipa/ticket/4492
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/ca.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 0de992cb0c15f8161aae4937699baae2a94d305a..84cbf423246534259cd6b7a8cca25caa16e5594f 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -45,8 +45,16 @@ def install_check(standalone, replica_config, options):
         return
-    if standalone and api.Command.ca_is_enabled()['result']:
-        sys.exit("CA is already installed.\n")
+    if standalone:
+        if cainstance.is_ca_installed_locally():
+            sys.exit("CA is already installed on this host.")
+        elif api.Command.ca_is_enabled()['result']:
+            sys.exit(
+                "One or more CA masters are already present in IPA realm "
+                "'%s'.\nIf you wish to replicate CA to this host, please "
+                "re-run 'ipa-ca-install'\nwith a replica file generated on "
+                "an existing CA master as argument." % realm_name
+            )
     if options.external_cert_files:
         if not cainstance.is_step_one_done():
--
2.5.0
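Review bot: `realm_name` used in the new `sys.exit(... % realm_name)` message is not bound anywhere in the hunk and is not a parameter of `install_check(standalone, replica_config, options)`; if it is not assigned earlier in the function (outside the view) this error path raises NameError instead of the intended message, and the normal install path would never exercise it. If it is meant to come from the options, `options.realm_name` would be self-contained; otherwise a short comment above the branch noting where `realm_name` is set would help. install_check starts and ends outside the hunk.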
SOURCES/0183-installer-Propagate-option-values-from-components-in.patch
New file
@@ -0,0 +1,132 @@
From 95447911535974731a931b1d758f6cfd985c1e59 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 16 Dec 2015 12:43:13 +0000
Subject: [PATCH] installer: Propagate option values from components instead of
 copying them.
https://fedorahosted.org/freeipa/ticket/5556
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipapython/install/core.py                  | 21 ++++++++++++++++++---
 ipaserver/install/server/install.py        | 25 -------------------------
 ipaserver/install/server/replicainstall.py | 12 +-----------
 3 files changed, 19 insertions(+), 39 deletions(-)
diff --git a/ipapython/install/core.py b/ipapython/install/core.py
index 91ae854cdb2a8846e2a2673a5bfe54b4f75f3823..3bb13267326b8cf1f22bb34dcf1e03402479446e 100644
--- a/ipapython/install/core.py
+++ b/ipapython/install/core.py
@@ -484,6 +484,21 @@ class Composite(Configurable):
         for comp_cls in result:
             yield comp_cls.__outer_class__, comp_cls.__outer_name__
+    def __getattr__(self, name):
+        for owner_cls, knob_name in self.knobs():
+            if knob_name == name:
+                break
+        else:
+            raise AttributeError(name)
+
+        for component in self.__components:
+            if isinstance(component, owner_cls):
+                break
+        else:
+            raise AttributeError(name)
+
+        return getattr(component, name)
+
     def _reset(self):
         self.__components = list(self._get_components())
@@ -501,8 +516,7 @@ class Composite(Configurable):
                 try:
                     validator.next()
                 except StopIteration:
-                    if child.done():
-                        self.__components.remove(child)
+                    pass
                 else:
                     new_validate.append((child, validator))
             if not new_validate:
@@ -516,7 +530,8 @@ class Composite(Configurable):
         yield from_(super(Composite, self)._configure())
-        execute = [(c, c._executor()) for c in self.__components]
+        execute = [(c, c._executor()) for c in self.__components
+            if not c.done()]
         while True:
             new_execute = []
             for child, executor in execute:
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 9d7036a7786a35e6aa2429254d62c8afb30970db..71992db0d39e1969649587486031a8fb1a03419d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1592,35 +1592,10 @@ class Server(common.Installable, common.Interactive, core.Composite):
         self.setup_ca = False
         self.setup_kra = False
-        self.external_ca = self.ca.external_ca
-        self.external_ca_type = self.ca.external_ca_type
-        self.external_cert_files = self.ca.external_cert_files
-        self.no_pkinit = self.ca.no_pkinit
-        self.dirsrv_cert_files = self.ca.dirsrv_cert_files
-        self.http_cert_files = self.ca.http_cert_files
-        self.pkinit_cert_files = self.ca.pkinit_cert_files
-        self.dirsrv_pin = self.ca.dirsrv_pin
-        self.http_pin = self.ca.http_pin
-        self.pkinit_pin = self.ca.pkinit_pin
-        self.dirsrv_cert_name = self.ca.dirsrv_cert_name
-        self.http_cert_name = self.ca.http_cert_name
-        self.pkinit_cert_name = self.ca.pkinit_cert_name
-        self.ca_cert_files = self.ca.ca_cert_files
-        self.subject = self.ca.subject
-        self.ca_signing_algorithm = self.ca.ca_signing_algorithm
-        self.setup_dns = self.dns.setup_dns
-        self.forwarders = self.dns.forwarders
-        self.no_forwarders = self.dns.no_forwarders
-        self.reverse_zones = self.dns.reverse_zones
-        self.no_reverse = self.dns.no_reverse
-        self.no_dnssec_validation = self.dns.no_dnssec_validation
         self.dnssec_master = False
         self.disable_dnssec_master = False
         self.kasp_db_file = None
         self.force = False
-        self.zonemgr = self.dns.zonemgr
-        self.no_host_dns = self.dns.no_host_dns
-        self.no_dns_sshfp = self.dns.no_dns_sshfp
         self.unattended = not self.interactive
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..a5d4a77f3daa8110ad0be064085b12b20da853cf 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -847,22 +847,12 @@ class Replica(common.Installable, common.Interactive, core.Composite):
         self.external_ca = False
         self.external_cert_files = None
-        self.no_pkinit = self.ca.no_pkinit
-        self.skip_schema_check = self.ca.skip_schema_check
-
-        self.setup_dns = self.dns.setup_dns
-        self.forwarders = self.dns.forwarders
-        self.no_forwarders = self.dns.no_forwarders
-        self.reverse_zones = self.dns.reverse_zones
-        self.no_reverse = self.dns.no_reverse
-        self.no_dnssec_validation = self.dns.no_dnssec_validation
+
         self.dnssec_master = False
         self.disable_dnssec_master = False
         self.kasp_db_file = None
         self.force = False
         self.zonemgr = None
-        self.no_host_dns = self.dns.no_host_dns
-        self.no_dns_sshfp = self.dns.no_dns_sshfp
         self.unattended = not self.interactive
--
2.5.0
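Review bot: `Composite.__getattr__` in ipapython/install/core.py has no docstring, and its contract is not obvious: it resolves a knob name to the first component instance whose class owns that knob, and raises AttributeError both when no knob has that name and when no matching component exists. A docstring along the lines of "Delegate unknown attribute reads to the component that owns the knob of that name; the first matching component wins" would spare the next reader the double for/else search. The `pass` that replaced the `self.__components.remove(child)` call also deserves a comment, since on its own it reads like dead code — it looks like finished components are now kept so their knob values stay reachable through `__getattr__`, with `_configure` skipping them via `if not c.done()` instead; please confirm and state that, e.g. `# finished components stay registered: their knobs are still read via __getattr__`. The install.py and replicainstall.py sections are pure removals of the copied attributes and need no change.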
SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
New file
@@ -0,0 +1,44 @@
From 71809fb6071a86156f881e20d4845cbd47606862 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 16 Dec 2015 12:45:24 +0000
Subject: [PATCH] installer: Fix logic of reading option values from cache.
Only options explicitly set must be stored before installer exits first step
of external CA setup. When installer continues all stored option values must
be restored.
https://fedorahosted.org/freeipa/ticket/5556
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/server/install.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 71992db0d39e1969649587486031a8fb1a03419d..01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -343,9 +343,7 @@ def install_check(installer):
             sys.exit("Directory Manager password required")
         try:
             cache_vars = read_cache(dm_password)
-            for name, value in cache_vars.iteritems():
-                if name not in options.__dict__:
-                    options.__dict__[name] = value
+            options.__dict__.update(cache_vars)
             if cache_vars.get('external_ca', False):
                 options.external_ca = False
                 options.interactive = False
@@ -767,7 +765,8 @@ def install(installer):
             options.host_name = host_name
             options.forwarders = dns.dns_forwarders
             options.reverse_zones = dns.reverse_zones
-            cache_vars = {n: getattr(options, n) for o, n in installer.knobs()}
+            cache_vars = {n: options.__dict__[n] for o, n in installer.knobs()
+                          if n in options.__dict__}
             write_cache(cache_vars)
         ca.install_step_0(False, None, options)
--
2.5.0
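Review bot: The new `options.__dict__.update(cache_vars)` in install_check copies every key found in the cache into the options object, whereas the writer side in install() now filters by `installer.knobs()`; the read side does not apply the same filter, so any non-knob key present in the cache file (from an older writer, or a tampered file, depending on what read_cache guarantees) is injected as an option attribute. Mirroring the writer keeps the two symmetric: `knob_names = set(n for o, n in installer.knobs())` followed by `options.__dict__.update((n, v) for n, v in cache_vars.iteritems() if n in knob_names)`. A one-line comment that cached values deliberately override values given on the command line in the second step would also document the behaviour change the commit message describes.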
SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
New file
@@ -0,0 +1,47 @@
From 303e3aea45c310e8a2508ac540264520d5d3eda4 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Mon, 28 Dec 2015 12:33:11 +0530
Subject: [PATCH] Fixed login error message box in LoginScreen page
Fix added for showing error message returned from server to client
browser. User is now notified with proper error messages returned by
server.
https://bugzilla.redhat.com/show_bug.cgi?id=1293870
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/widgets/LoginScreen.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index eb95b9161f05eeac1ec9aed286c9730dada85d59..2c778b50cfb10bfa8eef25c5456c6ce913e02695 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -272,12 +272,12 @@ define(['dojo/_base/declare',
                 }
                 this.set('view', 'login');
             } else {
+                otp_f.set_value('');
+                new_f.set_value('');
+                ver_f.set_value('');
                 val_summary.add_error('login', result.message);
             }
-            otp_f.set_value('');
-            new_f.set_value('');
-            ver_f.set_value('');
         },
         refresh: function() {
@@ -426,4 +426,4 @@ define(['dojo/_base/declare',
     ];
     return LoginScreen;
-});
\ No newline at end of file
+});
--
2.5.0
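Review bot: Moving the three `set_value('')` calls into the else branch means the success path no longer clears `otp_f`, `new_f` and `ver_f` before `this.set('view', 'login')`, so the OTP and the freshly typed new password remain in the widgets after the view switches; the previous code cleared them on both paths. If the view switch does not reset those fields itself, clearing them in the success branch as well (the same three `otp_f.set_value('');` `new_f.set_value('');` `ver_f.set_value('');` lines placed before `this.set('view', 'login');`) keeps the earlier behaviour while still fixing the error-message display. If the ordering matters because `set_value` resets the validation summary, a short comment saying so would explain why the calls must precede `add_error`. The enclosing callback starts outside the hunk.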
SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
New file
@@ -0,0 +1,79 @@
From 8d651ef5a00c418138c355aa95259246090705b7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 21 Jan 2016 08:58:56 +0100
Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert
 renewal
Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.
https://fedorahosted.org/freeipa/ticket/5595
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/restart_scripts/renew_ca_cert | 28 +++++++++-------------------
 1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 86f5765b7d8bbeafd5379831020a952a7aa6db41..92dc0e6685f61f34bd6df941ef63ac138ad7965b 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -28,7 +28,6 @@ import shutil
 import traceback
 from ipapython import dogtag, ipautil
-from ipapython.dn import DN
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
@@ -158,11 +157,9 @@ def _main():
                             "Updating CA certificate failed: %s" % e)
                 # Add external CA certificates
-                ca_issuer = str(x509.get_issuer(cert, x509.DER))
                 try:
-                    ca_certs = certstore.get_ca_certs(
-                        conn, api.env.basedn, api.env.realm, False,
-                        filter_subject=ca_issuer)
+                    ca_certs = certstore.get_ca_certs_nss(
+                        conn, api.env.basedn, api.env.realm, False)
                 except Exception, e:
                     syslog.syslog(
                         syslog.LOG_ERR,
@@ -170,25 +167,18 @@ def _main():
                         "%s" % e)
                     ca_certs = []
-                for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs:
-                    ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER)))
-                    nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject)
-                    nick = nick_base
-                    i = 1
-                    while db.has_nickname(nick):
-                        nick = '%s [%s]' % (nick_base, i)
-                        i += 1
-                    if ca_trusted is False:
-                        flags = 'p,p,p'
-                    else:
-                        flags = 'CT,c,'
-
+                for ca_cert, ca_nick, ca_flags in ca_certs:
                     try:
-                        db.add_cert(ca_cert, nick, flags)
+                        db.add_cert(ca_cert, ca_nick, ca_flags)
                     except ipautil.CalledProcessError, e:
                         syslog.syslog(
                             syslog.LOG_ERR,
                             "Failed to add certificate %s" % ca_nick)
+
+                # Pass Dogtag's self-tests
+                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
+                    ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick]
+                    db.trust_root_cert(ca_nick, 'C' + ca_flags)
             finally:
                 if conn is not None and conn.isconnected():
                     conn.disconnect()
--
2.5.0
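Review bot: In the new "Pass Dogtag's self-tests" loop, `dict(cc[1:] for cc in ca_certs)[ca_nick]` raises KeyError whenever the root nickname returned by `db.find_root_cert(nickname)` is not among `ca_certs` — in particular when the preceding `except` set `ca_certs = []` after `get_ca_certs_nss` failed — and the exception escapes into the `finally`, so the renewal script dies instead of logging. The dict is also rebuilt on every iteration. Building it once and skipping unknown nicknames with a log line keeps the best-effort character of the surrounding code; whether `'C' + ca_flags` is always a valid certutil trust string when `ca_flags` already starts with `C` is not visible here and worth confirming. _main() continues outside the hunk.
```python
                # Pass Dogtag's self-tests
                flags_by_nick = dict(cc[1:] for cc in ca_certs)
                for ca_nick in db.find_root_cert(nickname)[-2:-1]:
                    ca_flags = flags_by_nick.get(ca_nick)
                    if ca_flags is None:
                        syslog.syslog(
                            syslog.LOG_ERR,
                            "No trust flags known for root CA %s" % ca_nick)
                        continue
                    db.trust_root_cert(ca_nick, 'C' + ca_flags)
                # … unchanged: finally/disconnect …
```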
SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch
New file
@@ -0,0 +1,78 @@
From c7f76e4f6c0f288b184152f5f6f45d11287914b3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 25 Jan 2016 08:48:42 +0100
Subject: [PATCH] CA install: explicitly set dogtag_version to 10
When installing new CA master, explicitly set the dogtag_version option to
10 in api.bootstrap() to prevent failures in code which expects the value
to be 10 rather than the default value of 9.
https://fedorahosted.org/freeipa/ticket/5611
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/tools/ipa-ca-install        | 2 +-
 ipaserver/install/cainstance.py     | 6 +++---
 ipaserver/install/server/upgrade.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..e8ccaef5b90807f452f77c2b62641df3952180d6 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -162,7 +162,7 @@ def install_master(safe_options, options):
     # override ra_plugin setting read from default.conf so that we have
     # functional dogtag backend plugins during CA install
-    api.bootstrap(in_server=True, ra_plugin='dogtag')
+    api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)
     api.finalize()
     dm_password = options.password
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d9bf4f31af5a922dd6f977a5011f50ce7cea8896..369902ad04b197c9e9516503c1f81c4de1ef153b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -478,7 +478,7 @@ class CAInstance(DogtagInstance):
                       self.http_proxy)
             self.step("restarting certificate server", self.restart_instance)
             self.step("migrating certificate profiles to LDAP",
-                      migrate_profiles_to_ldap)
+                      lambda: migrate_profiles_to_ldap(self.dogtag_constants))
             self.step("importing IPA certificate profiles",
                       import_included_profiles)
             self.step("adding default CA ACL", ensure_default_caacl)
@@ -1768,7 +1768,7 @@ def import_included_profiles():
     conn.disconnect()
-def migrate_profiles_to_ldap():
+def migrate_profiles_to_ldap(dogtag_constants):
     """Migrate profiles from filesystem to LDAP.
     This must be run *after* switching to the LDAPProfileSubsystem
@@ -1783,7 +1783,7 @@ def migrate_profiles_to_ldap():
     api.Backend.ra_certprofile._read_password()
     api.Backend.ra_certprofile.override_port = 8443
-    with open(dogtag.configured_constants().CS_CFG_PATH) as f:
+    with open(dogtag_constants.CS_CFG_PATH) as f:
         cs_cfg = f.read()
     match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE)
     profile_ids = match.group(1).split(',')
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 1f1cfeb672809c0298c69c121ac38d6c7a482d11..0a46635979497f8028465c2295b22485fd9c0279 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -336,7 +336,7 @@ def ca_enable_ldap_profile_subsystem(ca):
             separator='=')
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
-        cainstance.migrate_profiles_to_ldap()
+        cainstance.migrate_profiles_to_ldap(caconfig)
     return needs_update
--
2.5.0
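Review bot: `cainstance.migrate_profiles_to_ldap(caconfig)` in upgrade.py passes a name that is not bound anywhere in the hunk; the callee now reads `dogtag_constants.CS_CFG_PATH` from it, so `caconfig` must be a constants object with that attribute rather than a parsed config — presumably it is, but it is defined above the hunk and cannot be confirmed here. The line just above it, `ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)`, still derives its constants from `dogtag.configured_constants()`, so the two calls can disagree if `caconfig` describes a different Dogtag version; passing the same object to both would remove that ambiguity. A one-line docstring addition on `migrate_profiles_to_ldap` stating what `dogtag_constants` must provide (`CS_CFG_PATH`) would help callers.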
SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch
New file
@@ -0,0 +1,30 @@
From 06c2e339f28ab697c830dc1f9d6ef89b833b2d1a Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 26 Jan 2016 13:02:44 +0100
Subject: [PATCH] fix standalone installation of externally signed CA on IPA
 master
https://fedorahosted.org/freeipa/ticket/5636
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/ca.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 84cbf423246534259cd6b7a8cca25caa16e5594f..d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -46,7 +46,8 @@ def install_check(standalone, replica_config, options):
         return
     if standalone:
-        if cainstance.is_ca_installed_locally():
+        if (not options.external_cert_files and
+                cainstance.is_ca_installed_locally()):
             sys.exit("CA is already installed on this host.")
         elif api.Command.ca_is_enabled()['result']:
             sys.exit(
--
2.5.0
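Review bot: The new condition `not options.external_cert_files and cainstance.is_ca_installed_locally()` silently encodes the two-step external-CA flow: when the signed certificate files are supplied, a partially configured local CA is expected and must not be reported as "already installed". That reasoning is not visible in the code and the next reader will be tempted to "fix" it back; a comment such as `# step 2 of an externally signed CA install: a half-configured local CA is expected here` above the `if` would preserve it. Whether the following `elif api.Command.ca_is_enabled()['result']` can also fire for that half-configured local CA is not determinable from the hunk and is worth checking.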
SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch
New file
@@ -0,0 +1,74 @@
From 8ee71c8aab262ba0041ee9ac84fb862a5fda32cf Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 21 Jan 2016 15:48:30 +0100
Subject: [PATCH] replica install: validate DS and HTTP server certificates
Validate the DS and HTTP certificates from the replica info file early in
ipa-replica-install to prevent crashes later.
https://fedorahosted.org/freeipa/ticket/5598
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 31 +++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index a5d4a77f3daa8110ad0be064085b12b20da853cf..317eda92dd4322542f035c2df4dba919a5898cc7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -356,6 +356,8 @@ def install_check(installer):
     config.setup_ca = options.setup_ca
     config.setup_kra = options.setup_kra
+    ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
+
     # Create the management framework config file
     # Note: We must do this before bootstraping and finalizing ipalib.api
     old_umask = os.umask(022)   # must be readable for httpd
@@ -371,7 +373,7 @@ def install_check(installer):
                  ipautil.format_netloc(config.host_name))
         fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" %
                  installutils.realm_to_serverid(config.realm_name))
-        if ipautil.file_exists(config.dir + "/cacert.p12"):
+        if ca_enabled:
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=%s\n" %
@@ -395,6 +397,33 @@ def install_check(installer):
         raise RuntimeError("CA cert file is not available. Please run "
                            "ipa-replica-prepare to create a new replica file.")
+    for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'),
+                                  ('httpcert.p12', 'http_pin.txt')):
+        pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name)
+        tmp_db_dir = tempfile.mkdtemp('ipa')
+        try:
+            tmp_db = certs.CertDB(config.realm_name,
+                                  nssdir=tmp_db_dir,
+                                  subject_base=config.subject_base)
+            if ca_enabled:
+                trust_flags = 'CT,C,C'
+            else:
+                trust_flags = None
+            tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
+                                      ca_file=cafile,
+                                      trust_flags=trust_flags)
+            if not tmp_db.find_server_certs():
+                raise RuntimeError(
+                    "Could not find a suitable server cert in import in %s" %
+                    pkcs12_info[0])
+        except Exception as e:
+            root_logger.error('%s', e)
+            raise RuntimeError(
+                "Server cert is not valid. Please run ipa-replica-prepare to "
+                "create a new replica file.")
+        finally:
+            shutil.rmtree(tmp_db_dir)
+
     ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
     remote_api = create_api(mode=None)
     remote_api.bootstrap(in_server=True, context='installer',
--
2.5.0
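Review bot: In the new certificate validation loop, the `RuntimeError("Could not find a suitable server cert in import in %s" ...)` raised inside the `try` is caught by the broad `except Exception as e` two lines below and replaced by the generic "Server cert is not valid" message, so the user only sees the specific cause if they look at the log. Including the cause in the re-raised error keeps it on the console: `raise RuntimeError("Server cert is not valid (%s). Please run ipa-replica-prepare to create a new replica file." % e)`. The temporary NSS database is created with `tempfile.mkdtemp('ipa')` (that argument is the suffix, not the prefix) and removed in `finally`, which is the right shape for holding PKCS#12 material briefly. install_check starts and ends outside the hunk.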
SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
New file
@@ -0,0 +1,294 @@
From ca08d7d3a7562588b09b78b7079b2c15e572a484 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 6 Jan 2016 14:50:42 +1100
Subject: [PATCH] Do not decode HTTP reason phrase from Dogtag
The HTTP reason phrase sent by Dogtag is assumed to be encoded in
UTF-8, but the encoding used by Tomcat is dependent on system
locale, causing decode errors in some locales.
The reason phrase is optional and will not be sent in a future
version of Tomcat[1], so do not bother decoding and returning it.
[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
Fixes: https://fedorahosted.org/freeipa/ticket/5578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipapython/dogtag.py         | 23 +++++++++++------------
 ipaserver/install/certs.py  |  7 +++----
 ipaserver/plugins/dogtag.py | 44 ++++++++++++++++++++++----------------------
 3 files changed, 36 insertions(+), 38 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8996902ba92f0fdd6106e2650c2decde375c593b..652bc3d13f2b47b35f6da30579f2df5f083dbff2 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -230,14 +230,14 @@ def ca_status(ca_host=None, use_proxy=True):
         ca_port = 443
     else:
         ca_port = 8443
-    status, reason, headers, body = unauthenticated_https_request(
+    status, headers, body = unauthenticated_https_request(
         ca_host, ca_port, '/ca/admin/ca/getStatus')
     if status == 503:
         # Service temporarily unavailable
-        return reason
+        return status
     elif status != 200:
         raise errors.RemoteRetrieveError(
-            reason=_("Retrieving CA status failed: %s") % reason)
+            reason=_("Retrieving CA status failed with status %d") % status)
     return _parse_ca_status(body)
@@ -248,8 +248,8 @@ def https_request(host, port, url, secdir, password, nickname,
     :param url: The path (not complete URL!) to post to.
     :param body: The request body (encodes kw if None)
     :param kw:  Keyword arguments to encode into POST body.
-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
-               as (integer, unicode, dict, str)
+    :return:   (http_status, http_headers, http_body)
+               as (integer, dict, str)
     Perform a client authenticated HTTPS request
     """
@@ -277,8 +277,8 @@ def http_request(host, port, url, **kw):
     """
     :param url: The path (not complete URL!) to post to.
     :param kw: Keyword arguments to encode into POST body.
-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
-                as (integer, unicode, dict, str)
+    :return:   (http_status, http_headers, http_body)
+                as (integer, dict, str)
     Perform an HTTP request.
     """
@@ -291,8 +291,8 @@ def unauthenticated_https_request(host, port, url, **kw):
     """
     :param url: The path (not complete URL!) to post to.
     :param kw: Keyword arguments to encode into POST body.
-    :return:   (http_status, http_reason_phrase, http_headers, http_body)
-                as (integer, unicode, dict, str)
+    :return:   (http_status, http_headers, http_body)
+                as (integer, dict, str)
     Perform an unauthenticated HTTPS request.
     """
@@ -331,15 +331,14 @@ def _httplib_request(
         res = conn.getresponse()
         http_status = res.status
-        http_reason_phrase = unicode(res.reason, 'utf-8')
         http_headers = res.msg.dict
         http_body = res.read()
         conn.close()
     except Exception, e:
         raise NetworkError(uri=uri, error=str(e))
-    root_logger.debug('response status %d %s', http_status, http_reason_phrase)
+    root_logger.debug('response status %d',    http_status)
     root_logger.debug('response headers %s',   http_headers)
     root_logger.debug('response body %r',      http_body)
-    return http_status, http_reason_phrase, http_headers, http_body
+    return http_status, http_headers, http_body
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 564332e6fde0698a23884922c5018fab59da7e4d..f8a9c9ecfd2fa1accb792c4748bc69f30701af6a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -402,12 +402,11 @@ class CertDB(object):
                 dogtag.configured_constants().EE_SECURE_PORT,
             "/ca/ee/ca/profileSubmitSSLClient",
             self.secdir, password, "ipaCert", **params)
-        http_status, http_reason_phrase, http_headers, http_body = result
+        http_status, http_headers, http_body = result
         if http_status != 200:
             raise CertificateOperationError(
-                error=_('Unable to communicate with CMS (%s)') %
-                    http_reason_phrase)
+                error=_('Unable to communicate with CMS (status %d)') % http_status)
         # The result is an XML blob. Pull the certificate out of that
         doc = xml.dom.minidom.parseString(http_body)
@@ -459,7 +458,7 @@ class CertDB(object):
                 dogtag.configured_constants().EE_SECURE_PORT,
             "/ca/ee/ca/profileSubmitSSLClient",
             self.secdir, password, "ipaCert", **params)
-        http_status, http_reason_phrase, http_headers, http_body = result
+        http_status, http_headers, http_body = result
         if http_status != 200:
             raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index f5f8eb67067c87f07c06e556fb9fc73792fbbc64..3029a9144d80a9b081853b95259fcd37e35d8c2b 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1350,8 +1350,8 @@ class ra(rabase.rabase):
         """
         :param url: The URL to post to.
         :param kw: Keyword arguments to encode into POST body.
-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
-                   as (integer, unicode, dict, str)
+        :return:   (http_status, http_headers, http_body)
+                   as (integer, dict, str)
         Perform an HTTP request.
         """
@@ -1361,8 +1361,8 @@ class ra(rabase.rabase):
         """
         :param url: The URL to post to.
         :param kw:  Keyword arguments to encode into POST body.
-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
-                   as (integer, unicode, dict, str)
+        :return:   (http_status, http_headers, http_body)
+                   as (integer, dict, str)
         Perform an HTTPS request
         """
@@ -1422,7 +1422,7 @@ class ra(rabase.rabase):
         self.debug('%s.check_request_status()', self.fullname)
         # Call CMS
-        http_status, http_reason_phrase, http_headers, http_body = \
+        http_status, http_headers, http_body = \
             self._request('/ca/ee/ca/checkRequest',
                           self.env.ca_port,
                           requestId=request_id,
@@ -1431,7 +1431,7 @@ class ra(rabase.rabase):
         # Parse and handle errors
         if http_status != 200:
             self.raise_certificate_operation_error('check_request_status',
-                                                   detail=http_reason_phrase)
+                                                   detail=http_status)
         parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml)
         request_status = parse_result['request_status']
@@ -1507,7 +1507,7 @@ class ra(rabase.rabase):
         serial_number = int(serial_number, 0)
         # Call CMS
-        http_status, http_reason_phrase, http_headers, http_body = \
+        http_status, http_headers, http_body = \
             self._sslget('/ca/agent/ca/displayBySerial',
                          self.env.ca_agent_port,
                          serialNumber=str(serial_number),
@@ -1517,7 +1517,7 @@ class ra(rabase.rabase):
         # Parse and handle errors
         if http_status != 200:
             self.raise_certificate_operation_error('get_certificate',
-                                                   detail=http_reason_phrase)
+                                                   detail=http_status)
         parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml)
         request_status = parse_result['request_status']
@@ -1575,7 +1575,7 @@ class ra(rabase.rabase):
         self.debug('%s.request_certificate()', self.fullname)
         # Call CMS
-        http_status, http_reason_phrase, http_headers, http_body = \
+        http_status, http_headers, http_body = \
             self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
                          self.env.ca_ee_port,
                          profileId=profile_id,
@@ -1585,7 +1585,7 @@ class ra(rabase.rabase):
         # Parse and handle errors
         if http_status != 200:
             self.raise_certificate_operation_error('request_certificate',
-                                                   detail=http_reason_phrase)
+                                                   detail=http_status)
         parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
         # Note different status return, it's not request_status, it's error_code
@@ -1654,7 +1654,7 @@ class ra(rabase.rabase):
         serial_number = int(serial_number, 0)
         # Call CMS
-        http_status, http_reason_phrase, http_headers, http_body = \
+        http_status, http_headers, http_body = \
             self._sslget('/ca/agent/ca/doRevoke',
                          self.env.ca_agent_port,
                          op='revoke',
@@ -1666,7 +1666,7 @@ class ra(rabase.rabase):
         # Parse and handle errors
         if http_status != 200:
             self.raise_certificate_operation_error('revoke_certificate',
-                                                   detail=http_reason_phrase)
+                                                   detail=http_status)
         parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
         request_status = parse_result['request_status']
@@ -1717,7 +1717,7 @@ class ra(rabase.rabase):
         serial_number = int(serial_number, 0)
         # Call CMS
-        http_status, http_reason_phrase, http_headers, http_body = \
+        http_status, http_headers, http_body = \
             self._sslget('/ca/agent/ca/doUnrevoke',
                          self.env.ca_agent_port,
                          serialNumber=str(serial_number),
@@ -1726,7 +1726,7 @@ class ra(rabase.rabase):
         # Parse and handle errors
         if http_status != 200:
             self.raise_certificate_operation_error('take_certificate_off_hold',
-                                                   detail=http_reason_phrase)
+                                                   detail=http_status)
         parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml)
@@ -2027,7 +2027,7 @@ class RestClient(Backend):
         """Log into the REST API"""
         if self.cookie is not None:
             return
-        status, status_text, resp_headers, resp_body = dogtag.https_request(
+        status, resp_headers, resp_body = dogtag.https_request(
             self.ca_host, self.override_port or self.env.ca_agent_port,
             '/ca/rest/account/login',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
@@ -2053,8 +2053,8 @@ class RestClient(Backend):
         """
         :param url: The URL to post to.
         :param kw:  Keyword arguments to encode into POST body.
-        :return:   (http_status, http_reason_phrase, http_headers, http_body)
-                   as (integer, unicode, dict, str)
+        :return:   (http_status, http_headers, http_body)
+                   as (integer, dict, str)
         Perform an HTTPS request
         """
@@ -2068,7 +2068,7 @@ class RestClient(Backend):
         resource = os.path.join('/ca/rest', self.path, path)
         # perform main request
-        status, status_text, resp_headers, resp_body = dogtag.https_request(
+        status, resp_headers, resp_body = dogtag.https_request(
             self.ca_host, self.override_port or self.env.ca_agent_port,
             resource,
             self.sec_dir, self.password, self.ipa_certificate_nickname,
@@ -2077,10 +2077,10 @@ class RestClient(Backend):
         if status < 200 or status >= 300:
             explanation = self._parse_dogtag_error(resp_body) or ''
             raise errors.RemoteRetrieveError(
-                reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s')
-                % {'status': status, 'status_text': status_text, 'explanation': explanation}
+                reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s')
+                % {'status': status, 'explanation': explanation}
             )
-        return (status, status_text, resp_headers, resp_body)
+        return (status, resp_headers, resp_body)
 class ra_certprofile(RestClient):
@@ -2105,7 +2105,7 @@ class ra_certprofile(RestClient):
         """
         Read the profile configuration from Dogtag
         """
-        status, status_text, resp_headers, resp_body = self._ssldo(
+        status, resp_headers, resp_body = self._ssldo(
             'GET', profile_id + '/raw')
         return resp_body
--
2.5.0
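Review bot: The 503 branch of ca_status (`return status`) now returns an int where every other path returns the string produced by _parse_ca_status(body), so the function's return type is mixed and a caller that compares the result to a status string will silently treat 503 as "not running". That may well be the intended effect, but nothing in the hunk says so; a comment on that line such as `# CA not up yet: return the int status, which callers will not mistake for a parsed status string` or a docstring line stating the two return forms would make it explicit. ca_status's definition starts outside the hunk. The ra plugin hunks likewise pass `detail=http_status` (an int) where a unicode phrase was passed before; that is fine only if raise_certificate_operation_error formats detail with %s, which cannot be confirmed from here.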
SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch
New file
@@ -0,0 +1,66 @@
From 52e2e879fa4decf67a19d6c79f4ec409b6a0dce7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 22 Feb 2016 13:35:41 +0100
Subject: [PATCH] upgrade: unconditional import of certificate profiles into
 LDAP
During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.
https://fedorahosted.org/freeipa/ticket/5682
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py     | 8 ++++++--
 ipaserver/install/server/upgrade.py | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants):
             continue
         class_id = match.group(1)
-        root_logger.info("Migrating profile '%s' to LDAP", profile_id)
         with open(filename) as f:
             profile_data = f.read()
             if profile_data[-1] != '\n':
@@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data):
         # import the profile
         try:
             profile_api.create_profile(profile_data)
-        except errors.RemoteRetrieveError:
+            root_logger.info("Profile '%s' successfully migrated to LDAP",
+                             profile_id)
+        except errors.RemoteRetrieveError as e:
+            root_logger.debug("Error migrating '{}': {}".format(
+                profile_id, e))
+
             # conflicting profile; replace it if we are
             # installing IPA, but keep it for upgrades
             if api.env.context == 'installer':
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca):
             separator='=')
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
-        cainstance.migrate_profiles_to_ldap(caconfig)
+
+    root_logger.info('[Migrating certificate profiles to LDAP]')
+    cainstance.migrate_profiles_to_ldap(caconfig)
     return needs_update
--
2.5.0
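Review bot: The new debug line in _create_dogtag_profile, `root_logger.debug("Error migrating '{}': {}".format(profile_id, e))`, formats eagerly and departs from the logger-argument style used on the lines around it (`root_logger.info("Profile '%s' successfully migrated to LDAP", profile_id)`); `root_logger.debug("Error migrating '%s': %s", profile_id, e)` keeps the file consistent and defers formatting. Since the upgrade.py hunk now runs migrate_profiles_to_ldap on every upgrade, the RemoteRetrieveError on an already-present profile is presumably the expected case and debug level is appropriate, but a short comment saying that the conflict is expected on re-runs would stop a later reader from promoting it to an error. _create_dogtag_profile's definition starts outside the hunk.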
SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
New file
@@ -0,0 +1,279 @@
From c7df4a1856e740e88ac3633344815d5a0ff0d1f2 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 18 Feb 2016 19:59:50 +0100
Subject: [PATCH] upgrade: fix config of sidgen and extdom plugins
During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).
All trusts added when plugins configuration was broken must be re-added.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/updates/90-post_upgrade_plugins.update |   2 +
 ipaserver/install/dsinstance.py                |  12 +-
 ipaserver/install/plugins/adtrust.py           | 153 ++++++++++++++++++++++++-
 ipaserver/install/server/upgrade.py            |   4 +-
 4 files changed, 162 insertions(+), 9 deletions(-)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 3df3a4574705dbd8df8f25149c13877898afb66b..f0d77138520f41376d71478d3633ea4c19f66195 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -4,6 +4,8 @@
 # middle
 plugin: update_dnszones
 plugin: update_dns_limits
+plugin: update_sigden_extdom_broken_config
+plugin: update_sids
 plugin: update_default_range
 plugin: update_default_trust_view
 plugin: update_ca_renewal_master
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index d78158532c4c88d9aa9acf3c65d278f5151458d8..7044782bac8068f7470b62bd7489b5319269b119 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -925,9 +925,9 @@ class DsInstance(service.Service):
         """
         Add sidgen directory server plugin configuration if it does not already exist.
         """
-        self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict)
+        self.add_sidgen_plugin(self.sub_dict['SUFFIX'])
-    def add_sidgen_plugin(self):
+    def add_sidgen_plugin(self, suffix):
         """
         Add sidgen plugin configuration only if it does not already exist.
         """
@@ -935,7 +935,7 @@ class DsInstance(service.Service):
         try:
             self.admin_conn.get_entry(dn)
         except errors.NotFound:
-            self._add_sidgen_plugin()
+            self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix))
         else:
             root_logger.debug("sidgen plugin is already configured")
@@ -943,9 +943,9 @@ class DsInstance(service.Service):
         """
         Add directory server configuration for the extdom extended operation.
         """
-        self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict)
+        self.add_extdom_plugin(self.sub_dict['SUFFIX'])
-    def add_extdom_plugin(self):
+    def add_extdom_plugin(self, suffix):
         """
         Add extdom configuration if it does not already exist.
         """
@@ -953,7 +953,7 @@ class DsInstance(service.Service):
         try:
             self.admin_conn.get_entry(dn)
         except errors.NotFound:
-            self._add_extdom_plugin()
+            self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix))
         else:
             root_logger.debug("extdom plugin is already configured")
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 45bcc5f2fe532446342300ff0c5e1e7149cf023b..4990a34f8972a0ffba098642c1ead09f976852e6 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -24,6 +24,7 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 from ipapython import sysrestore
 from ipaserver.install import installutils
+from ipaserver.install import sysupgrade
 DEFAULT_ID_RANGE_SIZE = 200000
@@ -164,7 +165,6 @@ class update_default_trust_view(Updater):
         return False, [update]
-
 class update_oddjobd_for_adtrust(Updater):
     """
     Enables and starts oddjobd daemon if ipa-adtrust-install has been run
@@ -184,6 +184,157 @@ class update_oddjobd_for_adtrust(Updater):
         return False, []
+
+class update_sigden_extdom_broken_config(Updater):
+    """Fix configuration of sidgen and extdom plugins
+
+    Upgrade to IPA 4.2+ cause that sidgen and extdom plugins have improperly
+    configured basedn.
+
+    All trusts which have been added when config was broken must to be
+    re-added manually.
+
+    https://fedorahosted.org/freeipa/ticket/5665
+    """
+
+    sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config")
+    extdom_config_dn = DN("cn=ipa_extdom_extop,cn=plugins,cn=config")
+
+    def _fix_config(self):
+        """Due upgrade error configuration of sidgen and extdom plugins may
+        contain literally "$SUFFIX" value instead of real DN in nsslapd-basedn
+        attribute
+
+        :return: True if config was fixed, False if fix is not needed
+        """
+        ldap = self.api.Backend.ldap2
+        basedn_attr = 'nsslapd-basedn'
+        modified = False
+
+        for dn in (self.sidgen_config_dn, self.extdom_config_dn):
+            try:
+                entry = ldap.get_entry(dn, attrs_list=[basedn_attr])
+            except errors.NotFound:
+                self.log.debug("configuration for %s not found, skipping", dn)
+            else:
+                configured_suffix = entry.single_value.get(basedn_attr)
+                if configured_suffix is None:
+                    raise RuntimeError(
+                        "Missing attribute {attr} in {dn}".format(
+                            attr=basedn_attr, dn=dn
+                        )
+                    )
+                elif configured_suffix == "$SUFFIX":
+                    # configured value is wrong, fix it
+                    entry.single_value[basedn_attr] = str(self.api.env.basedn)
+                    self.log.debug("updating attribute %s of %s to correct "
+                                   "value %s", basedn_attr, dn,
+                                   self.api.env.basedn)
+                    ldap.update_entry(entry)
+                    modified = True
+                else:
+                    self.log.debug("configured basedn for %s is okay", dn)
+
+        return modified
+
+    def execute(self, **options):
+        if sysupgrade.get_upgrade_state('sidgen', 'config_basedn_updated'):
+            self.log.debug("Already done, skipping")
+            return False, ()
+
+        restart = False
+        if self._fix_config():
+            sysupgrade.set_upgrade_state('sidgen', 'update_sids', True)
+            restart = True  # DS has to be restarted to apply changes
+
+        sysupgrade.set_upgrade_state('sidgen', 'config_basedn_updated', True)
+        return restart, ()
+
+
+class update_sids(Updater):
+    """SIDs may be not created properly if bug with wrong configuration for
+    sidgen and extdom plugins is effective
+
+    This must be run after "update_sigden_extdom_broken_config"
+    https://fedorahosted.org/freeipa/ticket/5665
+    """
+    sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config")
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True:
+            self.log.debug("SIDs do not need to be generated")
+            return False, ()
+
+        # check if IPA domain for AD trust has been created, and if we need to
+        # regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier'
+        domain_IPA_AD_dn = DN(
+            ('cn', self.api.env.domain),
+            self.api.env.container_cifsdomains,
+            self.api.env.basedn)
+        attr_name = 'ipaNTSecurityIdentifier'
+
+        try:
+            entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name])
+        except errors.NotFound:
+            self.log.debug("IPA domain object %s is not configured",
+                           domain_IPA_AD_dn)
+            sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
+            return False, ()
+        else:
+            if not entry.single_value.get(attr_name):
+                # we need to run sidgen task
+                sidgen_task_dn = DN(
+                    "cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks,"
+                    "cn=config")
+                sidgen_tasks_attr = {
+                    "objectclass": ["top", "extensibleObject"],
+                    "cn": ["sidgen"],
+                    "delay": [0],
+                    "nsslapd-basedn": [self.api.env.basedn],
+                }
+
+                task_entry = ldap.make_entry(sidgen_task_dn,
+                                             **sidgen_tasks_attr)
+                try:
+                    ldap.add_entry(task_entry)
+                except errors.DuplicateEntry:
+                    self.log.debug("sidgen task already created")
+                else:
+                    self.log.debug("sidgen task has been created")
+
+        # we have to check all trusts domains which may been affected by the
+        # bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute
+
+        base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn)
+        try:
+            trust_domain_entries, truncated = ldap.find_entries(
+                base_dn=base_dn,
+                scope=ldap.SCOPE_ONELEVEL,
+                attrs_list=["cn"],
+                # more types of trusts can be stored under cn=trusts, we need
+                # the type with ipaNTTrustPartner attribute
+                filter="(!(%s=*))" % attr_name
+            )
+        except errors.NotFound:
+            pass
+        else:
+            if truncated:
+                self.log.warning("update_sids: Search results were truncated")
+
+            for entry in trust_domain_entries:
+                domain = entry.single_value["cn"]
+                self.log.error(
+                    "Your trust to %s is broken. Please re-create it by "
+                    "running 'ipa trust-add' again.", domain)
+
+        sysupgrade.set_upgrade_state('sidgen', 'update_sids', False)
+        return False, ()
+
+
 api.register(update_default_range)
 api.register(update_default_trust_view)
 api.register(update_oddjobd_for_adtrust)
+api.register(update_sids)
+api.register(update_sigden_extdom_broken_config)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 258d976c83844f89c1a939303b685fd6565b79e5..c53b19a937d559b25da256670a5205ab40e0cadb 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1290,8 +1290,8 @@ def ds_enable_sidgen_extdom_plugins(ds):
         root_logger.debug('sidgen and extdom plugins are enabled already')
         return
-    ds.add_sidgen_plugin()
-    ds.add_extdom_plugin()
+    ds.add_sidgen_plugin(api.env.basedn)
+    ds.add_extdom_plugin(api.env.basedn)
     sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True)
 def ca_upgrade_schema(ca):
--
2.5.0
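Review bot: The plugin class added in adtrust.py is named `update_sigden_extdom_broken_config` ("sigden" for "sidgen"), and that spelling is also what 90-post_upgrade_plugins.update references and what the update_sids docstring cites, so the typo becomes the plugin's stable registered name; renaming to `update_sidgen_extdom_broken_config` in all three places before this ships avoids carrying it forever. Both new classes also define the same `sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config")` literal, which could be a single module-level constant. In update_sids.execute the 'update_sids' upgrade state is set to False after the task entry is added, but adding the entry only schedules the task in DS; if the task fails or never runs, later upgrades will not retry, which cannot be confirmed from the hunk — either a comment stating that one attempt is intentional, or clearing the state only after the task's completion is observed, would settle it.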
SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
New file
@@ -0,0 +1,63 @@
From 6f958201dc32a1043c77632fe98c05307a4ea671 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Mon, 22 Feb 2016 17:36:01 +0100
Subject: [PATCH] trusts: use ipaNTTrustPartner attribute to detect trust
 entries
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.
Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/trust.py              | 7 +++++--
 ipaserver/install/plugins/adtrust.py | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 173463ae7d4134b5bd155cc5fa920bfabd0a6958..ff142591d385e715994f0381c6b23c416763cd03 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -541,7 +541,10 @@ class trust(LDAPObject):
             ldap = self.backend
             filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
                                       rules=ldap.MATCH_ALL)
-            filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL)
+            # more type of objects can be located in subtree (for example
+            # cross-realm principals). we need this attr do detect trust
+            # entries
+            filter = ldap.combine_filters((filter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL)
             result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
                                       ldap.SCOPE_SUBTREE, filter, [''])
             if len(result) > 1:
@@ -996,7 +999,7 @@ class trust_find(LDAPSearch):
     # search needs to be done on a sub-tree scope
     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
         # list only trust, not trust domains
-        trust_filter = '(ipaNTSecurityIdentifier=*)'
+        trust_filter = '(ipaNTTrustPartner=*)'
         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
         return (filter, base_dn, ldap.SCOPE_SUBTREE)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 4990a34f8972a0ffba098642c1ead09f976852e6..ea6de5cefe1dc56fc55cca076643867ecbeb08fe 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -315,7 +315,7 @@ class update_sids(Updater):
                 attrs_list=["cn"],
                 # more types of trusts can be stored under cn=trusts, we need
                 # the type with ipaNTTrustPartner attribute
-                filter="(!(%s=*))" % attr_name
+                filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name
             )
         except errors.NotFound:
             pass
--
2.5.0
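Review bot: The trust_find pre_callback now keys on `(ipaNTTrustPartner=*)` but keeps the comment `# list only trust, not trust domains`, which explained the old SID-presence filter; if trust-domain child entries under a trust also carry ipaNTTrustPartner, the SCOPE_SUBTREE search would now return them as trusts, so the attributes of trustdomain entries should be checked before merging and the comment updated to describe the new criterion. The comment added in trust.get_dn reads `# more type of objects can be located in subtree ... we need this attr do detect trust entries`; suggest `# Other object types (e.g. cross-realm principals) live in this subtree; ipaNTTrustPartner identifies the trust entries.` The adtrust.py filter change to `(&(ipaNTTrustPartner=*)(!(%s=*)))` matches the intent and needs no change.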
SOURCES/0194-Warn-user-if-trust-is-broken.patch
New file
@@ -0,0 +1,115 @@
From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 19 Feb 2016 14:55:34 +0100
Subject: [PATCH] Warn user if trust is broken
Detect missing ipaNTSecurityIdentifier and print message for a user,
that the trust is broken as result of trust-show and trust-find commands.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/messages.py      | 11 +++++++++++
 ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage):
                u"validation on all IPA servers.")
+class BrokenTrust(PublicMessage):
+    """
+    **13018** Trust for a specified domain is broken
+    """
+
+    errno = 13018
+    type = "warning"
+    format = _("Your trust to %(domain)s is broken. Please re-create it by "
+               "running 'ipa trust-add' again.")
+
+
 def iter_messages(variables, base):
     """Return a tuple with all subclasses
     """
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -18,6 +18,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+from ipalib.messages import (
+    add_message,
+    BrokenTrust)
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.dns import dns_container_exists
@@ -554,6 +557,30 @@ class trust(LDAPObject):
         dn=make_trust_dn(self.env, trust_type, DN(*sdn))
         return dn
+    def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+        """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+        AD trust domain without generated SID, warn user about it.
+        """
+        ldap = self.api.Backend.ldap2
+
+        try:
+            entries, truncated = ldap.find_entries(
+                base_dn=DN(self.container_dn, self.api.env.basedn),
+                attrs_list=['cn'],
+                filter='(&(ipaNTTrustPartner=*)'
+                       '(!(ipaNTSecurityIdentifier=*)))',
+            )
+        except errors.NotFound:
+            pass
+        else:
+            for entry in entries:
+                 add_message(
+                    options['version'],
+                    result,
+                    BrokenTrust(domain=entry.single_value['cn'])
+                 )
+
+
 @register()
 class trust_add(LDAPCreate):
     __doc__ = _('''
@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch):
         filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
         return (filter, base_dn, ldap.SCOPE_SUBTREE)
+    def execute(self, *args, **options):
+        result = super(trust_find, self).execute(*args, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
     def post_callback(self, ldap, entries, truncated, *args, **options):
         if options.get('pkey_only', False):
             return truncated
@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve):
     has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
                         (Str('ipanttrusttype'), Str('ipanttrustdirection'))
+    def execute(self, *keys, **options):
+        result = super(trust_show, self).execute(*keys, **options)
+
+        self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+        return result
+
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
--
2.5.0
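Review bot: `warning_if_ad_trust_dom_have_missing_SID` unpacks `entries, truncated` from `find_entries` but never looks at `truncated`, so when the search hits the server's size limit some broken trusts are silently left out and the user sees an incomplete warning list with no hint that it is incomplete; a guard along the lines of `if truncated:` that logs or emits a second message would close that gap (which logging handle the object has is not visible here). Two smaller points in the same hunk: the docstring reads "Due bug" and should say `Due to bug https://fedorahosted.org/freeipa/ticket/5665 there might be an AD trust domain without a generated SID; warn the user about it.`, and the `add_message(` call and its closing parenthesis sit at 17 columns instead of the 16 the `for` body implies, which PEP 8 tooling will flag. The `execute` overrides in `trust_find` and `trust_show` add one extra LDAP search per invocation; that is acceptable for a CLI command, but a one-line comment saying the search deliberately runs after the normal result is built so the warning can be attached to `result` would explain why it lives in `execute` rather than `post_callback`.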
SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
New file
@@ -0,0 +1,39 @@
From 69322c06e8fd9f21867a9c7aa04f990be47536df Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 23 Feb 2016 10:37:47 +0100
Subject: [PATCH] fix upgrade: wait for proper DS socket after DS restart
DS restart executed by upgrade plugin causes that upgrade framework
is waiting for the improper socket. It leads to TimeoutError because
DS is not listening on 389 port during upgrade. This commit fixes the issue.
Required for: https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/ldapupdate.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6f796dfdc8bbac1bb99a8b5a1bd5a6aaa778db16..0e258612d3060188212fdd2625d7e62b5cb14ebf 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -44,7 +44,6 @@ from ipaplatform.paths import paths
 from ipaplatform import services
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
-from ipapython.ipautil import wait_for_open_socket
 UPDATES_DIR=paths.UPDATES_DIR
@@ -932,5 +931,4 @@ class LDAPUpdate:
     def restart_ds(self):
         dirsrv = services.knownservices.dirsrv
         self.log.debug('Restarting directory server to apply updates')
-        dirsrv.restart()
-        wait_for_open_socket(self.socket_name)
+        dirsrv.restart(ldapi=self.ldapi)
--
2.5.0
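Review bot: The reason for `dirsrv.restart(ldapi=self.ldapi)` lives only in the commit message, so a maintainer reading `restart_ds` will not know why the explicit `wait_for_open_socket` call was dropped; a comment such as `# during upgrade DS listens only on the LDAPI socket, not on port 389, so let the service wrapper wait on the right socket` would keep that knowledge in the code. It is also not visible here whether `LDAPUpdate` still carries a `socket_name` attribute that existed only for the removed wait; if so it is now dead state and can go. Whether `self.ldapi` is always initialised before `restart_ds` runs cannot be confirmed from this hunk.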
SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch
New file
@@ -0,0 +1,61 @@
From 01ccf0deee2cfa98f76d79eb435be74efecd4626 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 22 Feb 2016 12:40:03 +0200
Subject: [PATCH] slapi-nis: update configuration to allow external members of
 IPA groups
Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.
slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.
https://fedorahosted.org/freeipa/ticket/4403
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 freeipa.spec.in                           | 2 +-
 install/updates/50-externalmembers.update | 3 +++
 install/updates/Makefile.am               | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/50-externalmembers.update
diff --git a/freeipa.spec.in b/freeipa.spec.in
index cd26d4ce66e320f8b8bf6aaa3e738b4c11f89aa9..17b90fc4653bd7694bf389a19d5847d7df544890 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,7 +139,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.54.2-1
+Requires: slapi-nis >= 0.55-1
 Requires: pki-ca >= 10.2.5
 Requires: pki-kra >= 10.2.5
 Requires(preun): python systemd-units
diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
new file mode 100644
index 0000000000000000000000000000000000000000..6b9c5dd23fac65fd5e9055b255e7c4d41e5cc66b
--- /dev/null
+++ b/install/updates/50-externalmembers.update
@@ -0,0 +1,3 @@
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
+addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..86799838c8713d04d03a69167a00ee4baa6acd6c 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -45,6 +45,7 @@ app_DATA =                \
     50-krbenctypes.update        \
     50-nis.update            \
     50-ipaconfig.update        \
+    50-externalmembers.update    \
     55-pbacmemberof.update        \
     59-trusts-sysacount.update    \
     60-trusts.update        \
--
2.5.0
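Review bot: The upstream patch raises the requirement to `slapi-nis >= 0.55-1` in `freeipa.spec.in`, but the downstream `SPECS/ipa.spec` further down this page still requires `slapi-nis >= 0.54-8`, so the new `ipaexternalmember=%deref_r("member","ipaexternalmember")` map entry in `50-externalmembers.update` is only safe if that 0.54-8 build carries the `%deref_r` support; presumably it does, given the changelog entry referencing #1327197, but a comment next to the downstream `Requires:` line naming the backport would spare the next packager from re-verifying it. Because the update uses `addifexist`, installations with the compat plugin disabled are unaffected; stating that in a leading `#` comment in the update file would stop someone from later turning it into an unconditional `add`.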
SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
New file
@@ -0,0 +1,36 @@
From 431f42703acfb2f22c034a336277dcb2c320928a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 4 Aug 2015 10:15:36 -0400
Subject: [PATCH] Insure the admin_conn is disconnected on stop
If we stop or restart the server insure admin_conn gets reset or other
parts may fail to properly connect/authenticate
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/dsinstance.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 7044782bac8068f7470b62bd7489b5319269b119..cadf9ccbe8ed0a20813af3fd671b18942a918b0b 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -478,7 +478,14 @@ class DsInstance(service.Service):
             # Does not apply with newer DS releases
             pass
+    def stop(self, *args, **kwargs):
+        if self.admin_conn:
+            self.ldap_disconnect()
+        super(DsInstance, self).stop(*args, **kwargs)
+
     def restart(self, instance=''):
+        if self.admin_conn:
+            self.ldap_disconnect()
         try:
             super(DsInstance, self).restart(instance)
             if not is_ds_running(instance):
--
2.5.0
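Review bot: The new `stop` override and the added lines in `restart` drop the cached admin connection without documenting that consequence, so any caller that held `self.admin_conn` across a stop or restart will find it `None` afterwards and must call `ldap_connect()` again. A short docstring on `stop`, e.g. `"""Stop the instance, dropping the cached admin connection first so a stale LDAP handle is never reused."""`, plus a `# the handle is invalid once the server goes down` comment before the disconnect in `restart`, would make that contract explicit. Whether `ldap_disconnect()` can raise when the server is already gone is not visible here; if it can, a failing disconnect would block the stop/restart itself, which seems worth guarding. `restart`'s body continues past the hunk.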
SOURCES/0198-Fix-connections-to-DS-during-installation.patch
New file
@@ -0,0 +1,42 @@
From 520e2ed9c5b2cfe3e3231bd616639bddb16d6995 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 1 Mar 2016 17:36:55 +0100
Subject: [PATCH] Fix connections to DS during installation
Regression caused by commit 9818e463f5d0a91b300801ee7c8f31f25de402b2,
admin_conn should be connected in method if there is no connection.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipaserver/install/dsinstance.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index cadf9ccbe8ed0a20813af3fd671b18942a918b0b..4ad0f9e7def8a10b1eaffce1b3d9cadd9cdcc689 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -938,6 +938,9 @@ class DsInstance(service.Service):
         """
         Add sidgen plugin configuration only if it does not already exist.
         """
+        if not self.admin_conn:
+            self.ldap_connect()
+
         dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config')
         try:
             self.admin_conn.get_entry(dn)
@@ -956,6 +959,9 @@ class DsInstance(service.Service):
         """
         Add extdom configuration if it does not already exist.
         """
+        if not self.admin_conn:
+            self.ldap_connect()
+
         dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config')
         try:
             self.admin_conn.get_entry(dn)
--
2.5.0
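Review bot: The same `if not self.admin_conn: self.ldap_connect()` guard is pasted into both the sidgen and the extdom configuration methods, and since patch 0197 now resets `admin_conn` on every stop and restart, every other `DsInstance` method that touches `self.admin_conn` after a restart needs the same treatment; a small helper such as `def _ensure_admin_conn(self): if not self.admin_conn: self.ldap_connect()` called at the top of each would avoid the copy-paste and the next regression of this kind. It is also not visible who closes a connection opened here; if leaving it open for the rest of the upgrade is intended, a comment saying so would help. Both enclosing methods start and end outside the hunks.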
SOURCES/0199-Fix-broken-trust-warnings.patch
New file
@@ -0,0 +1,32 @@
From 9f131566a8218a082b59ec980e04f9193e9c85f7 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 16 Mar 2016 13:41:51 +0100
Subject: [PATCH] Fix broken trust warnings
Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.
https://fedorahosted.org/freeipa/ticket/5737
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/trust.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index d451325e31e4e1d8d7223f009677bbcb002c65cb..4b3cb7aab665e5cd952704a58e4b58ea55ecab0a 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -565,7 +565,9 @@ class trust(LDAPObject):
         try:
             entries, truncated = ldap.find_entries(
-                base_dn=DN(self.container_dn, self.api.env.basedn),
+                base_dn=DN(self.api.env.container_adtrusts,
+                           self.api.env.basedn),
+                scope=ldap.SCOPE_ONELEVEL,
                 attrs_list=['cn'],
                 filter='(&(ipaNTTrustPartner=*)'
                        '(!(ipaNTSecurityIdentifier=*)))',
--
2.5.0
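Review bot: The `scope=ldap.SCOPE_ONELEVEL` restriction encodes the whole reason for this fix — subdomain entries sit one level below the trust entry and never carry `ipaNTSecurityIdentifier` — but nothing in the code says so, and the method's docstring (outside the hunk) still describes the search only as looking for AD trust domains without a SID. A comment above the call such as `# only top-level trust entries carry ipaNTSecurityIdentifier; subdomain entries one level deeper never do, so search the container's direct children only` would stop a future reader from "fixing" it back to a subtree search. `warning_if_ad_trust_dom_have_missing_SID` starts and ends outside this hunk.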
SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch
New file
@@ -0,0 +1,108 @@
From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related
 IPA config entries
When a CA-less replica is installed, its IPA config file should be updated so
that ca_host points to nearest CA master and all certificate requests are
forwarded to it. A subsequent installation of CA subsystem on the replica
should clear this entry from the config so that all certificate requests are
handled by freshly installed local CA.
https://fedorahosted.org/freeipa/ticket/5506
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/ca.py                    | 16 ----------------
 ipaserver/install/cainstance.py            | 18 ++++++++++++++++++
 ipaserver/install/server/replicainstall.py |  3 +++
 3 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -12,7 +12,6 @@ from ipaplatform.paths import paths
 from ipaserver.install import installutils, certs
 from ipaserver.install.replication import replica_conn_check
 from ipalib import api, certstore, x509
-from ConfigParser import RawConfigParser
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options):
     if standalone:
         ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME)
-        # Update config file
-        try:
-            parser = RawConfigParser()
-            parser.read(paths.IPA_DEFAULT_CONF)
-            parser.set('global', 'enable_ra', 'True')
-            parser.set('global', 'ra_plugin', 'dogtag')
-            parser.set('global', 'dogtag_version',
-                       str(dogtag_constants.DOGTAG_VERSION))
-            with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-                parser.write(f)
-        except IOError, e:
-            print "Failed to update /etc/ipa/default.conf"
-            root_logger.error(str(e))
-            sys.exit(1)
-
         # We need to restart apache as we drop a new config file in there
         services.knownservices.httpd.restart(capture_output=True)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance):
             self.step("importing IPA certificate profiles",
                       import_included_profiles)
             self.step("adding default CA ACL", ensure_default_caacl)
+            self.step("updating IPA configuration",
+                      lambda: update_ipa_conf(self.dogtag_constants))
         self.start_creation(runtime=210)
@@ -1880,6 +1882,22 @@ def ensure_default_caacl():
         api.Backend.ldap2.disconnect()
+def update_ipa_conf(dogtag_constants):
+    """
+    Update IPA configuration file to ensure that RA plugins are enabled and
+    that CA host points to localhost
+    """
+    parser = ConfigParser.RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version',
+               str(dogtag_constants.DOGTAG_VERSION))
+    parser.remove_option('global', 'ca_host')
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -378,6 +378,9 @@ def install_check(installer):
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=%s\n" %
                      dogtag.install_constants.DOGTAG_VERSION)
+
+            if not config.setup_ca:
+                fd.write("ca_host={0}\n".format(config.master_host_name))
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
--
2.5.0
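Review bot: `update_ipa_conf` in `cainstance.py` drops the `IOError` handling that the removed block in `ca.py` had, so a failed read or write of `paths.IPA_DEFAULT_CONF` now surfaces as a bare traceback from the "updating IPA configuration" step instead of the explicit "Failed to update /etc/ipa/default.conf" message; unless `start_creation` wraps step exceptions (not visible here), that error path should be restored inside the new function. The write is also not atomic — `open(paths.IPA_DEFAULT_CONF, 'w')` truncates the file before `parser.write` runs, so an interruption leaves the installer's main config empty; writing to a temporary file in the same directory and renaming it over the original avoids that (sketch below; `os` and `tempfile` must be in scope, and the `0o644` mode assumes default.conf stays world-readable as today — confirm). In `replicainstall.py` the commit message promises that `ca_host` points to the nearest CA master, but the code writes `config.master_host_name`; whether that host is guaranteed to run a CA is not visible here and deserves a comment, since every certificate request from this CA-less replica will be forwarded there.
```python
def update_ipa_conf(dogtag_constants):
    # … unchanged: docstring, parser.read/set/remove_option calls …
    # Write via a temporary file in the same directory and rename it into
    # place, so an interrupted write never leaves default.conf truncated.
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    fd, tmp_path = tempfile.mkstemp(prefix='default.conf.', dir=conf_dir)
    try:
        with os.fdopen(fd, 'w') as f:
            parser.write(f)
        os.chmod(tmp_path, 0o644)
        os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
    except Exception:
        os.unlink(tmp_path)
        raise
```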
SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch
New file
@@ -0,0 +1,49 @@
From c0598b1af6885b1558ef592d6e2a5250f707e878 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 10 Mar 2016 13:16:41 +0100
Subject: [PATCH] certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.
Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipapython/certdb.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5a6e494fb8a5963ae9c68c697234e83575bc89ec..63dc4580b43ec11329d2074fc9a33e55dac9cb03 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -395,15 +395,15 @@ class NSSDatabase(object):
                     "Setting trust on %s failed" % root_nickname)
     def get_cert(self, nickname, pem=False):
-        args = ['-L', '-n', nickname]
-        if pem:
-            args.append('-a')
-        else:
-            args.append('-r')
+        args = ['-L', '-n', nickname, '-a']
         try:
             cert, err, returncode = self.run_certutil(args)
         except ipautil.CalledProcessError:
             raise RuntimeError("Failed to get %s" % nickname)
+        if not pem:
+            (cert, start) = find_cert_from_txt(cert, start=0)
+            cert = x509.strip_header(cert)
+            cert = base64.b64decode(cert)
         return cert
     def has_nickname(self, nickname):
--
2.5.0
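Review bot: With `pem=False`, `get_cert` now returns only the first certificate that `find_cert_from_txt(cert, start=0)` locates in certutil's PEM output, so when several certificates share the nickname — the very case the commit describes — the caller silently gets whichever one certutil lists first, and nothing here guarantees that is the current certificate rather than an expired predecessor; for callers that use the result to verify or publish a CA certificate this deserves at least a comment, e.g. `# several certs may share the nickname; only the first one certutil prints is returned, callers needing a specific one must select by serial or validity themselves`, and ideally a check of how each caller copes. If `find_cert_from_txt` raises when no PEM block is present (not visible here), that error now escapes `get_cert` untranslated, unlike the `RuntimeError` raised for a certutil failure two lines above. The hunk also relies on `base64`, `x509` and `find_cert_from_txt` being in scope in `certdb.py`, which this diff does not show.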
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001
From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
@@ -13,7 +13,7 @@
 3 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933eac965cf 100644
index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool):
@@ -72,10 +72,10 @@
         # If any of the PKCS#12 options are selected, all are required.
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e943548cd9a30 100644
index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1173,6 +1173,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
@@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
 
     no_pkinit = Knob(
         bool, False,
@@ -83,7 +83,7 @@
         description="disables pkinit setup steps",
     )
 
@@ -1196,6 +1197,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
 
     pkinit_cert_files = Knob(
         (list, str), None,
@@ -91,7 +91,7 @@
         description=("File containing the Kerberos KDC SSL certificate and "
                      "private key"),
         cli_name='pkinit-cert-file',
@@ -1221,6 +1223,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
@@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
 
     pkinit_pin = Knob(
         str, None,
@@ -99,7 +99,7 @@
         sensitive=True,
         description="The password to unlock the Kerberos KDC private key",
         cli_aliases=['pkinit_pin'],
@@ -1241,6 +1244,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
@@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
 
     pkinit_cert_name = Knob(
         str, None,
@@ -108,10 +108,10 @@
         cli_metavar='NAME',
     )
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644
index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
@@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
 
     no_pkinit = Knob(
         bool, False,
@@ -120,5 +120,5 @@
     )
 
-- 
2.4.3
2.5.0
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
From b8aa1e36a06ec183709933e51ef105d7b4a96d6d Mon Sep 17 00:00:00 2001
From 5e341cea66938c8dfd99d83c869a1f2ba71479be Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:46:59 +0200
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -54,7 +54,7 @@
 47 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/install/html/browserconfig.html b/install/html/browserconfig.html
index d721a4ad2a3b684a4bf45602584fee78f4613360..b0cd570403b1604449887302844c43b1e89b80e2 100644
index 9c5cf68211281723e12b518f346aac43c1541cdc..14c4ca1f98a60cd8dfe486f8b942fcf9ae9de4c0 100644
--- a/install/html/browserconfig.html
+++ b/install/html/browserconfig.html
@@ -2,7 +2,7 @@
@@ -723,10 +723,10 @@
     '''
 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 95a9b560843cfea9b4f7b2718e4e943548cd9a30..f62874f085ee3ae478fc769465fe375abc4465e6 100644
index a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5..0534be818ecf950d9a9dab8f8a1797209d2dfc7d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -368,7 +368,7 @@ def install_check(installer):
@@ -366,7 +366,7 @@ def install_check(installer):
 
     print("======================================="
           "=======================================")
@@ -736,10 +736,10 @@
     print "This includes:"
     if setup_ca:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 2d34fdd02b57eb962cdffba508e53cfea0c922e1..55c58335c5bbc6993999da4c465e58f4ce3225aa 100644
index b000e8ce84df3cb2a6bc90520cb4713ab416f4da..3c13a3e743074e01ca952e114c2374205bdd68f8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -435,7 +435,7 @@ def install_check(installer):
@@ -467,7 +467,7 @@ def install_check(installer):
         above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
 
         if under_lower_bound or above_upper_bound:
@@ -749,5 +749,5 @@
                        "this domain. The Domain Level needs to be "
                        "raised before installing a replica with "
-- 
2.5.1
2.5.0
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -35,7 +35,7 @@
Name:           ipa
Version:        4.2.0
Release:        15.0.1%{?dist}.6.1
Release:        15%{?dist}.15
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -43,10 +43,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -231,6 +231,27 @@
Patch0178:      0178-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch
Patch0179:      0179-ipalib-assume-version-2.0-when-skip_version_check-is.patch
Patch0180:      0180-always-start-certmonger-during-IPA-server-configurat.patch
Patch0181:      0181-ipa-kdb-map_groups-consider-all-results.patch
Patch0182:      0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
Patch0183:      0183-installer-Propagate-option-values-from-components-in.patch
Patch0184:      0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
Patch0185:      0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
Patch0186:      0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
Patch0187:      0187-CA-install-explicitly-set-dogtag_version-to-10.patch
Patch0188:      0188-fix-standalone-installation-of-externally-signed-CA-.patch
Patch0189:      0189-replica-install-validate-DS-and-HTTP-server-certific.patch
Patch0190:      0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
Patch0191:      0191-upgrade-unconditional-import-of-certificate-profiles.patch
Patch0192:      0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
Patch0193:      0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
Patch0194:      0194-Warn-user-if-trust-is-broken.patch
Patch0195:      0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
Patch0196:      0196-slapi-nis-update-configuration-to-allow-external-mem.patch
Patch0197:      0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
Patch0198:      0198-Fix-connections-to-DS-during-installation.patch
Patch0199:      0199-Fix-broken-trust-warnings.patch
Patch0200:      0200-replica-install-improvements-in-the-handling-of-CA-r.patch
Patch0201:      0201-certdb-never-use-the-r-option-of-certutil.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -242,7 +263,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -353,7 +373,7 @@
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= 0.54-3
Requires: slapi-nis >= 0.54-8
Requires: pki-ca >= 10.2.5-5
Requires: pki-kra >= 10.2.5-5
Requires(preun): python systemd-units
@@ -377,7 +397,7 @@
Requires: %{etc_systemd_dir}
Requires: gzip
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -480,7 +500,7 @@
Requires: wget
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.13.0-6
Requires: sssd >= 1.13.0-40.el7_2.2
Requires: python-sssdconfig
Requires: certmonger >= 0.78
Requires: nss-tools
@@ -586,10 +606,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -1186,14 +1206,73 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Tue Apr 12 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.6.1
- Roll in CentOS Branding
- add .0.1 to release for dist tag change to .el7.centos
* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.15
- Related: #1327197 Crash during IPA upgrade due to slapd
  - spec file: update minimum required version of slapi-nis
* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.0-15.6.1
* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.0-15.14
- Rebuild against newer Samba version
- Related: #1322690
* Tue Apr  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.13
- Resolves: #1324060 Installers fail when there are multiple versions of the
  same certificate
  - certdb: never use the -r option of certutil
* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.12
- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
  IPA setup
  - replica install: improvements in the handling of CA-related IPA config
    entries
* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.11
- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
  returns "0 trusts matched"
  - Fix broken trust warnings
* Wed Mar  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.10
- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
  returns "0 trusts matched"
  - Insure the admin_conn is disconnected on stop
  - Fix connections to DS during installation
- Renamed patch 1011 to 0196, as it was merged upstream
* Wed Feb 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.9
- Resolves: #1311468 shared certificateProfiles container is missing on a
  freshly installed RHEL7.2 system
  - upgrade: unconditional import of certificate profiles into LDAP
- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
  returns "0 trusts matched"
  - upgrade: fix config of sidgen and extdom plugins
  - trusts: use ipaNTTrustPartner attribute to detect trust entries
  - Warn user if trust is broken
  - fix upgrade: wait for proper DS socket after DS restart
- Resolves: #1311502 [RFE] compat tree: show AD members of IPA groups
  - slapi-nis: update configuration to allow external members of IPA groups
* Tue Feb 23 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.8
- Resolves: #1303052 install fails when locale is "fr_FR.UTF-8"
  - Do not decode HTTP reason phrase from Dogtag
- Resolves: #1303059 --setup-dns and other options is forgotten for using an
  external PKI
  - installer: Propagate option values from components instead of copying them.
  - installer: Fix logic of reading option values from cache.
- Resolves: #1309362 User should be notified for wrong password in password
  reset page
  - Fixed login error message box in LoginScreen page
- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
  IPA setup
  - ipa-ca-install: print more specific errors when CA is already installed
  - cert renewal: import all external CA certs on IPA CA cert renewal
  - CA install: explicitly set dogtag_version to 10
  - fix standalone installation of externally signed CA on IPA master
  - replica install: validate DS and HTTP server certificates
* Mon Feb  8 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.7
- Resolves: #1304333 In IPA-AD trust environment some secondary IPA based Posix
  groups are missing
  - ipa-kdb: map_groups() consider all results
* Tue Feb  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.6
- Resolves: #1298103 ipa-server-upgrade fails if certmonger is not running
  - always start certmonger during IPA server configuration upgrade