The Identity, Policy and Audit system
CentOS Sources
2017-08-01 ac7d03c67af81669700da761908f3f0de3d23372
import ipa-4.5.0-20.el7
207 files added
171 files deleted
3 files modified
40006 ■■■■■ changed files
.gitignore 2 ●●● patch | view | raw | blame | history
.ipa.metadata 2 ●●● patch | view | raw | blame | history
SOURCES/0001-Add-options-to-allow-ticket-caching.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0002-Use-connection-keep-alive.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0002-uninstall-untrack-lightweight-CA-certs.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0003-Add-debug-logging-for-keep-alive.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0004-Increase-Apache-HTTPD-s-default-keep-alive-timeout.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0005-ipapython.ipautil.nolog_replace-Do-not-replace-empty.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0006-kdb-check-for-local-realm-in-enterprise-principals.patch 89 ●●●●● patch | view | raw | blame | history
SOURCES/0006-tasks-run-systemctl-daemon-reload-after-httpd.servic.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/0007-Enable-vault-commands-on-client.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/0007-man-ipa-cacert-manage-install-needs-clarification.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0008-certs-do-not-implicitly-create-DS-pin.txt.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0008-vault-add-set-the-default-vault-type-on-the-client-s.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0009-caacl-expand-plugin-documentation.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/0009-httpinstance-clean-up-etc-httpd-alias-on-uninstall.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/0010-Fixing-replica-install-fix-ldap-connection-in-domlvl.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0010-host-find-do-not-show-SSH-key-by-default.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0011-Removed-unused-method-parameter-from-migrate-ds.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0011-replica-prepare-fix-wrong-IPA-CA-nickname-in-replica.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0012-Preserve-user-principal-aliases-during-rename-operat.patch 92 ●●●●● patch | view | raw | blame | history
SOURCES/0012-ldap2-use-LDAP-whoami-operation-to-retrieve-bind-DN-.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0013-Backup-ipa-specific-httpd-unit-file.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0013-messages-specify-message-type-for-ResultFormattingEr.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0014-WebUI-check-principals-in-lowercase.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0014-schema-Fix-subtopic-topic-mapping.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0015-WebUI-add-method-for-disabling-item-in-user-dropdown.patch 105 ●●●●● patch | view | raw | blame | history
SOURCES/0016-Heap-corruption-in-ipapwd-plugin.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0016-WebUI-Add-support-for-login-for-AD-users.patch 341 ●●●●● patch | view | raw | blame | history
SOURCES/0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0017-cert-do-not-limit-internal-searches-in-cert-find.patch 105 ●●●●● patch | view | raw | blame | history
SOURCES/0018-frontend-copy-command-arguments-to-output-params-on-.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0018-ipa-kdb-add-ipadb_fetch_principals_with_extra_filter.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/0019-IPA-certauth-plugin.patch 609 ●●●●● patch | view | raw | blame | history
SOURCES/0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch 152 ●●●●● patch | view | raw | blame | history
SOURCES/0020-allow-value-output-param-in-commands-without-primary.patch 157 ●●●●● patch | view | raw | blame | history
SOURCES/0020-configure-fix-disable-server-with-certauth-plugin.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0021-ipa-kdb-do-not-depend-on-certauth_plugin.h.patch 85 ●●●●● patch | view | raw | blame | history
SOURCES/0021-server-uninstall-fails-to-remove-krb-principals.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0022-WebUI-Add-support-for-suppressing-warnings.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0022-expose-secret-option-in-radiusproxy-commands.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0023-WebUI-suppress-truncation-warning-in-select-widget.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0024-WebUI-Fix-showing-vault-in-selfservice-view.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0024-trust-add-handle-all-raw-options-properly.patch 89 ●●●●● patch | view | raw | blame | history
SOURCES/0025-Set-KDC-Disable-Last-Success-by-default.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0025-unite-log-file-name-of-ipa-ca-install.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch 95 ●●●●● patch | view | raw | blame | history
SOURCES/0026-WebUI-Allow-to-add-certs-to-certmapping-with-CERT-LI.patch 69 ●●●●● patch | view | raw | blame | history
SOURCES/0027-Bump-samba-version-for-FIPS-and-priv.-separation.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0027-help-Add-dnsserver-commands-to-help-topic-dns.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/0028-DNS-Locations-fix-update-system-records-unpacking-er.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0028-Reworked-the-renaming-mechanism.patch 296 ●●●●● patch | view | raw | blame | history
SOURCES/0029-Allow-renaming-of-the-HBAC-rule-objects.patch 103 ●●●●● patch | view | raw | blame | history
SOURCES/0029-Fix-session-cookies.patch 136 ●●●●● patch | view | raw | blame | history
SOURCES/0030-Allow-renaming-of-the-sudorule-objects.patch 100 ●●●●● patch | view | raw | blame | history
SOURCES/0030-Use-copy-when-replacing-files-to-keep-SELinux-contex.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0031-Create-temporaty-directories-at-the-begining-of-unin.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0031-baseldap-Fix-MidairCollision-instantiation-during-en.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0032-Create-indexes-for-krbCanonicalName-attribute.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0032-dogtag-ipa-ca-renew-agent-submit-fix-the-is_replicat.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0033-Simplify-KRA-transport-cert-cache.patch 195 ●●●●● patch | view | raw | blame | history
SOURCES/0033-harden-the-check-for-trust-namespace-overlap-in-new-.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0034-Revert-Enable-vault-commands-on-client.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/0034-rpcserver.login_x509-Actually-return-reply-from-__ca.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0035-Backup-CA-cert-from-kerberos-folder.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0035-client-fix-hiding-of-commands-which-lack-server-supp.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0036-Minor-fix-in-ipa-replica-manage-MAN-page.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0036-spec-file-Bump-requires-to-make-Certificate-Login-in.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0037-Use-Custodia-0.3.1-features.patch 236 ●●●●● patch | view | raw | blame | history
SOURCES/0037-compat-fix-ping-call.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0038-replica-install-Fix-domain.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/0038-spec-file-bump-krb5-devel-BuildRequires-for-certauth.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0039-Avoid-growing-FILE-ccaches-unnecessarily.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0039-idrange-fix-unassigned-global-variable.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0040-Handle-failed-authentication-via-cookie.patch 120 ●●●●● patch | view | raw | blame | history
SOURCES/0040-re-set-canonical-principal-name-on-migrated-users.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/0041-Do-not-initialize-API-in-ipa-client-automount-uninst.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0041-Work-around-issues-fetching-session-data.patch 331 ●●●●● patch | view | raw | blame | history
SOURCES/0042-Correct-path-to-HTTPD-s-systemd-service-directory.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0042-Prevent-churn-on-ccaches.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/0043-Generate-PIN-for-PKI-to-help-Dogtag-in-FIPS.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/0043-vault-Catch-correct-exception-in-decrypt.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0044-Increase-default-length-of-auto-generated-passwords.patch 138 ●●●●● patch | view | raw | blame | history
SOURCES/0044-httpinstance.disable_system_trust-Don-t-fail-if-modu.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0045-extdom-do-reverse-search-for-domain-separator.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/0045-vault-add-missing-salt-option-to-vault_mod.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0046-Fix-ipa-hbactest-output.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0046-extdom-improve-cert-request.patch 243 ●●●●● patch | view | raw | blame | history
SOURCES/0047-install-fix-external-CA-cert-validation.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0047-spec-file-bump-libsss_nss_idmap-devel-BuildRequires.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0048-caacl-fix-regression-in-rule-instantiation.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0048-server-make-sure-we-test-for-sss_nss_getlistbycert.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0049-Update-ipa-replica-install-documentation.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0049-Upgrade-configure-PKINIT-after-adding-anonymous-prin.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0050-Remove-unused-variable-from-failed-anonymous-PKINIT-.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0050-ipa-kdb-Fix-unit-test-after-packaging-changes-in-krb.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0051-Improvements-for-the-ipa-cacert-manage-man-and-help.patch 117 ●●●●● patch | view | raw | blame | history
SOURCES/0051-Split-out-anonymous-PKINIT-test-to-a-separate-method.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0052-Ensure-KDC-is-propery-configured-after-upgrade.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0052-Revert-spec-add-conflict-with-bind-chroot-to-freeipa.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0053-Fix-unicode-characters-in-ca-and-domain-adders.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0053-adtrust-make-sure-that-runtime-hostname-result-is-co.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/0054-Allow-erasing-ipaDomainResolutionOrder-attribute.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0054-ipa-backup-backup-etc-tmpfiles.d-dirsrv-instance-.co.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0055-Always-check-and-create-anonymous-principal-during-K.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/0055-client-RPM-require-initscripts-to-get-domainname.ser.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0056-Remove-duplicate-functionality-in-upgrade.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0056-parameters-move-the-confirm-kwarg-to-Param.patch 89 ●●●●● patch | view | raw | blame | history
SOURCES/0057-Fix-the-order-of-cert-files-check.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0057-client-add-missing-output-params-to-client-side-comm.patch 95 ●●●●● patch | view | raw | blame | history
SOURCES/0058-Don-t-allow-setting-pkinit-related-options-on-DL0.patch 95 ●●●●● patch | view | raw | blame | history
SOURCES/0058-server-install-Fix-hostname-option-to-always-overrid.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0059-install-Call-hostnamectl-set-hostname-only-if-hostna.patch 148 ●●●●● patch | view | raw | blame | history
SOURCES/0059-replica-prepare-man-remove-pkinit-option-refs.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0060-Remove-redundant-option-check-for-cert-files.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0060-schema-Speed-up-schema-cache.patch 415 ●●●●● patch | view | raw | blame | history
SOURCES/0061-Hide-request_type-doc-string-in-cert-request-help.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0061-frontend-Change-doc-summary-topic-and-NO_CLI-to-clas.patch 378 ●●●●● patch | view | raw | blame | history
SOURCES/0062-Get-correct-CA-cert-nickname-in-CA-less.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0062-schema-Introduce-schema-cache-format.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0063-Remove-publish_ca_cert-method-from-NSSDatabase.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/0063-schema-Generate-bits-for-help-load-them-on-request.patch 162 ●●●●● patch | view | raw | blame | history
SOURCES/0064-help-Do-not-create-instances-to-get-information-abou.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/0064-httpinstance-make-sure-NSS-database-is-backed-up.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0065-Fix-ipa-caalc-add-service-error-message.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0065-IPA-KDB-use-relative-path-in-ipa-certmap-config-snip.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0066-Add-pki_pin-only-when-needed.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0066-Don-t-show-force-ntpd-option-in-replica-install.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0067-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0067-idrange-add-properly-handle-empty-dom-name-option.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0068-DNS-allow-to-add-forward-zone-to-already-broken-sub-.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0068-ipa-sam-create-the-gidNumber-attribute-in-the-truste.patch 145 ●●●●● patch | view | raw | blame | history
SOURCES/0069-Upgrade-add-gidnumber-to-trusted-domain-entry.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0069-cert-speed-up-cert-find.patch 479 ●●●●● patch | view | raw | blame | history
SOURCES/0070-cert-do-not-crash-on-invalid-data-in-cert-find.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/0070-dsinstance-reconnect-ldap2-after-DS-is-restarted-by-.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0071-Add-warning-about-only-one-existing-CA-server.patch 151 ●●●●● patch | view | raw | blame | history
SOURCES/0071-httpinstance-avoid-httpd-restart-during-certificate-.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0072-Set-servers-list-as-default-facet-in-topology-facet-.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0072-dsinstance-httpinstance-consolidate-certificate-requ.patch 289 ●●●●● patch | view | raw | blame | history
SOURCES/0073-install-request-service-certs-after-host-keytab-is-s.patch 135 ●●●●● patch | view | raw | blame | history
SOURCES/0073-schema-cache-Do-not-reset-ServerInfo-dirty-flag.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0074-renew-agent-revert-to-host-keytab-authentication.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0074-schema-cache-Do-not-read-fingerprint-and-format-from.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/0075-Access-data-for-help-separately.patch 121 ●●●●● patch | view | raw | blame | history
SOURCES/0075-renew-agent-restart-scripts-connect-to-LDAP-after-ki.patch 117 ●●●●● patch | view | raw | blame | history
SOURCES/0076-frontent-Add-summary-class-property-to-CommandOverri.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0076-ipaserver-dcerpc-unify-error-processing.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0077-schema-cache-Read-server-info-only-once.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/0077-trust-always-use-oddjobd-helper-for-fetching-trust-i.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/0078-WebUI-cert-login-Configure-name-of-parameter-used-to.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0078-schema-cache-Store-API-schema-cache-in-memory.patch 125 ●●●●● patch | view | raw | blame | history
SOURCES/0079-Create-system-users-for-FreeIPA-services-during-pack.patch 414 ●●●●● patch | view | raw | blame | history
SOURCES/0079-client-Do-not-create-instance-just-to-check-isinstan.patch 97 ●●●●● patch | view | raw | blame | history
SOURCES/0080-Fix-s4u2self-with-adtrust.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0080-schema-cache-Read-schema-instead-of-rewriting-it-whe.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0081-Add-debug-log-in-case-cookie-retrieval-went-wrong.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0081-schema-check-Check-current-client-language-against-c.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0082-Fail-on-topology-disconnect-last-role-removal.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0082-server-install-remove-broken-no-pkinit-check.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0083-Add-the-force-join-option-to-replica-install.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0083-server-install-do-not-prompt-for-cert-file-PIN-repea.patch 98 ●●●●● patch | view | raw | blame | history
SOURCES/0084-replicainstall-better-client-install-exception-handl.patch 120 ●●●●● patch | view | raw | blame | history
SOURCES/0084-service-add-flag-to-allow-S4U2Self.patch 122 ●●●●● patch | view | raw | blame | history
SOURCES/0085-Add-trusted-to-auth-as-user-checkbox.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/0085-Fix-CA-less-to-CA-full-upgrade.patch 110 ●●●●● patch | view | raw | blame | history
SOURCES/0086-Added-new-authentication-method.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/0086-cert-defer-cert-find-result-post-processing.patch 221 ●●●●● patch | view | raw | blame | history
SOURCES/0087-schema-cache-Fallback-to-en_us-when-locale-is-not-av.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0087-server-install-No-double-Kerberos-install.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0088-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/0088-ext.-CA-correctly-write-the-cert-chain.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0089-Fix-RA-cert-import-during-DL0-replication.patch 122 ●●●●● patch | view | raw | blame | history
SOURCES/0089-Fix-container-owner-should-be-able-to-add-vault.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0090-configure-fix-AC_CHECK_LIB-usage.patch 64 ●●●●● patch | view | raw | blame | history
SOURCES/0090-ipaserver-dcerpc-reformat-to-make-the-code-closer-to.patch 1005 ●●●●● patch | view | raw | blame | history
SOURCES/0091-Fix-CAInstance.import_ra_cert-for-empty-passwords.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0091-trust-automatically-resolve-DNS-trust-conflicts-for-.patch 382 ●●●●● patch | view | raw | blame | history
SOURCES/0092-trust-make-sure-external-trust-topology-is-correctly.patch 90 ●●●●● patch | view | raw | blame | history
SOURCES/0092-upgrade-adtrust-update_tdo_gidnumber-plugin-must-che.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0093-compat-manage-behave-the-same-for-all-users.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0093-trust-make-sure-ID-range-is-created-for-the-child-do.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/0094-Move-the-compat-plugin-setup-at-the-end-of-install.patch 317 ●●●●● patch | view | raw | blame | history
SOURCES/0094-ipa-kdb-simplify-trusted-domain-parent-search.patch 87 ●●●●● patch | view | raw | blame | history
SOURCES/0095-Remove-Custodia-server-keys-from-LDAP.patch 78 ●●●●● patch | view | raw | blame | history
SOURCES/0095-compat-ignore-cn-topology-cn-ipa-cn-etc-subtree.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0096-Handled-empty-hostname-in-server-del-command.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0096-spec-file-bump-krb5-Requires-for-certauth-fixes.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/0097-Hide-PKI-Client-database-password-in-log-file.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/0097-Secure-permissions-of-Custodia-server.keys.patch 69 ●●●●● patch | view | raw | blame | history
SOURCES/0098-Require-httpd-2.4.6-31-with-mod_proxy-Unix-socket-su.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0098-Vault-Explicitly-default-to-3DES-CBC.patch 50 ●●●●● patch | view | raw | blame | history
SOURCES/0099-Fix-ipa-server-install-in-pure-IPv6-environment.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0099-separate-function-to-set-ipaConfigString-values-on-s.patch 244 ●●●●● patch | view | raw | blame | history
SOURCES/0100-Allow-for-configuration-of-all-three-PKINIT-variants.patch 205 ●●●●● patch | view | raw | blame | history
SOURCES/0100-support-multiple-uid-values-in-schema-compatibility-.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0101-API-for-retrieval-of-master-s-PKINIT-status-and-publ.patch 99 ●●●●● patch | view | raw | blame | history
SOURCES/0101-custodia-include-known-CA-certs-in-the-PKCS-12-file-.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0102-Use-only-anonymous-PKINIT-to-fetch-armor-ccache.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/0102-otptoken-permission-Convert-custom-type-parameters-o.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0103-Raise-DuplicatedEnrty-error-when-user-exists-in-dele.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0103-Stop-requesting-anonymous-keytab-and-purge-all-refer.patch 110 ●●●●● patch | view | raw | blame | history
SOURCES/0104-Use-local-anchor-when-armoring-password-requests.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0104-cert-add-missing-param-values-to-cert-find-output.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0105-Upgrade-configure-local-full-PKINIT-depending-on-the.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0105-rpcserver-assume-version-1-for-unversioned-command-c.patch 130 ●●●●● patch | view | raw | blame | history
SOURCES/0106-Do-not-test-anonymous-PKINIT-after-install-upgrade.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0106-custodia-force-reconnect-before-retrieving-CA-certs-.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0107-rpcserver-fix-crash-in-XML-RPC-system-commands.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/0107-vault-piped-input-for-ipa-vault-add-fails.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0108-automount-install-fix-checking-of-SSSD-functionality.patch 83 ●●●●● patch | view | raw | blame | history
SOURCES/0108-compat-Save-server-s-API-version-in-for-pre-schema-s.patch 346 ●●●●● patch | view | raw | blame | history
SOURCES/0109-Fix-CA-server-cert-validation-in-FIPS.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0109-compat-Fix-ping-command-call.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0110-Fix-man-page-ipa-replica-manage-remove-duplicate-c-o.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0110-restore-restart-reload-gssproxy-after-restore.patch 77 ●●●●● patch | view | raw | blame | history
SOURCES/0111-cert-include-CA-name-in-cert-command-output.patch 112 ●●●●● patch | view | raw | blame | history
SOURCES/0111-kerberos-session-use-CA-cert-with-full-cert-chain-fo.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0112-ipa-client-install-remove-extra-space-in-pkinit_anch.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0113-Refresh-Dogtag-RestClient.ca_host-property.patch 114 ●●●●● patch | view | raw | blame | history
SOURCES/0113-do-not-use-trusted-forest-name-to-construct-domain-a.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0114-Always-fetch-forest-info-from-root-DCs-when-establis.patch 85 ●●●●● patch | view | raw | blame | history
SOURCES/0114-Remove-the-cachedproperty-class.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/0115-factor-out-populate_remote_domain-method-into-module.patch 132 ●●●●● patch | view | raw | blame | history
SOURCES/0115-ipa-server-install-with-external-CA-fix-pkinit-cert-.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/0116-kra-install-update-installation-failure-message.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0117-Make-sure-remote-hosts-have-our-keys.patch 114 ●●●●● patch | view | raw | blame | history
SOURCES/0117-cli-use-full-name-when-executing-a-command.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0118-Use-RSA-OAEP-instead-of-RSA-PKCS-1-v1.5.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0118-Use-proper-SELinux-context-with-http.keytab.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0119-Fix-ipa-certupdate-for-CA-less-installation.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0119-ipa-kra-install-fix-check_host_keys.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0120-Track-lightweight-CAs-on-replica-installation.patch 208 ●●●●● patch | view | raw | blame | history
SOURCES/0120-python2-ipalib-add-missing-python-dependency.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0121-dns-normalize-record-type-read-interactively-in-dnsr.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0121-installer-service-fix-typo-in-service-entry.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0122-dns-prompt-for-missing-record-parts-in-CLI.patch 201 ●●●●● patch | view | raw | blame | history
SOURCES/0122-upgrade-add-missing-suffix-to-http-instance.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0123-Turn-on-NSSOCSP-check-in-mod_nss-conf.patch 227 ●●●●● patch | view | raw | blame | history
SOURCES/0123-dns-fix-crash-in-interactive-mode-against-old-server.patch 106 ●●●●● patch | view | raw | blame | history
SOURCES/0124-cert-show-writable-files-does-not-mean-dirs.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0124-schema-cache-Store-and-check-info-for-pre-schema-ser.patch 393 ●●●●● patch | view | raw | blame | history
SOURCES/0125-Bump-version-of-ipa.conf-file.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0125-Fix-parse-errors-with-link-local-addresses.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0126-Add-support-for-additional-options-taken-from-table-.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0126-ipa-kra-install-manpage-document-domain-level-1.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0127-WebUI-Fix-showing-certificates-issued-by-sub-CA.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0127-renew-agent-respect-CA-renewal-master-setting.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0128-WebUI-add-support-for-sub-CAs-while-revoking-certifi.patch 252 ●●●●● patch | view | raw | blame | history
SOURCES/0128-server-upgrade-always-fix-certmonger-tracking-reques.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0129-cainstance-use-correct-profile-for-lightweight-CA-ce.patch 182 ●●●●● patch | view | raw | blame | history
SOURCES/0129-cert-fix-cert-find-certificate-when-the-cert-is-not-.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0130-Make-host-service-cert-revocation-aware-of-lightweig.patch 184 ●●●●● patch | view | raw | blame | history
SOURCES/0130-renew-agent-allow-reusing-existing-certs.patch 260 ●●●●● patch | view | raw | blame | history
SOURCES/0131-Fix-regression-introduced-in-ipa-certupdate.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0131-renew-agent-always-export-CSR-on-IPA-CA-certificate-.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0132-Start-named-during-configuration-upgrade.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0132-renew-agent-get-rid-of-virtual-profiles.patch 321 ●●●●● patch | view | raw | blame | history
SOURCES/0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0133-ipa-cacert-manage-add-external-ca-type.patch 97 ●●●●● patch | view | raw | blame | history
SOURCES/0134-Fixing-adding-authenticator-indicators-to-host.patch 70 ●●●●● patch | view | raw | blame | history
SOURCES/0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0135-Added-plugins-directory-to-ipaclient-subpackages.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0136-ipaclient-fix-missing-RPM-ownership.patch 71 ●●●●● patch | view | raw | blame | history
SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/0137-otptoken-add-yubikey-When-digits-not-provided-use-de.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0138-ipa-server-install-fix-uninstall.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0139-ca-install-merge-duplicated-code-for-DM-password.patch 85 ●●●●● patch | view | raw | blame | history
SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch 88 ●●●●● patch | view | raw | blame | history
SOURCES/0140-installutils-add-DM-password-validator.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch 152 ●●●●● patch | view | raw | blame | history
SOURCES/0141-ca-kra-install-validate-DM-password.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch 55 ●●●●● patch | view | raw | blame | history
SOURCES/0142-ipa-kra-install-fix-pkispawn-setting-for-pki_securit.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0143-certdb-add-named-trust-flag-constants.patch 344 ●●●●● patch | view | raw | blame | history
SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0144-certdb-certs-make-trust-flags-argument-mandatory.patch 181 ●●●●● patch | view | raw | blame | history
SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0145-certdb-use-custom-object-for-trust-flags.patch 358 ●●●●● patch | view | raw | blame | history
SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0146-install-trust-IPA-CA-for-PKINIT.patch 202 ●●●●● patch | view | raw | blame | history
SOURCES/0147-client-install-fix-client-PKINIT-configuration.patch 254 ●●●●● patch | view | raw | blame | history
SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0148-install-introduce-generic-Kerberos-Augeas-lens.patch 98 ●●●●● patch | view | raw | blame | history
SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch 64 ●●●●● patch | view | raw | blame | history
SOURCES/0149-server-install-fix-KDC-PKINIT-configuration.patch 292 ●●●●● patch | view | raw | blame | history
SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0150-ipapython.ipautil.run-Add-option-to-set-umask-before.patch 85 ●●●●● patch | view | raw | blame | history
SOURCES/0151-certs-do-not-export-keys-world-readable-in-install_k.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch 192 ●●●●● patch | view | raw | blame | history
SOURCES/0152-certs-do-not-export-CA-certs-in-install_pem_from_p12.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0153-server-install-fix-KDC-certificate-validation-in-CA-.patch 203 ●●●●● patch | view | raw | blame | history
SOURCES/0154-replica-install-respect-pkinit-cert-file.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0155-cacert-manage-support-PKINIT.patch 74 ●●●●● patch | view | raw | blame | history
SOURCES/0156-Use-proper-logging-for-error-messages.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0156-server-certinstall-support-PKINIT.patch 163 ●●●●● patch | view | raw | blame | history
SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/0157-ipa-ca-install-append-CA-cert-chain-into-etc-ipa-ca..patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0158-ca-cert-show-check-certificate_out-in-options.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/0159-Fix-rare-race-condition-with-missing-ccache-file.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0160-Remove-pkinit-anonymous-command.patch 176 ●●●●● patch | view | raw | blame | history
SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch 129 ●●●●● patch | view | raw | blame | history
SOURCES/0161-krb5-make-sure-KDC-certificate-is-readable.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0162-Change-python-cryptography-to-python2-cryptography.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0163-Allow-for-multivalued-server-attributes.patch 270 ●●●●● patch | view | raw | blame | history
SOURCES/0164-Refactor-the-role-attribute-member-reporting-code.patch 179 ●●●●● patch | view | raw | blame | history
SOURCES/0165-Add-an-attribute-reporting-client-PKINIT-capable-ser.patch 275 ●●●●● patch | view | raw | blame | history
SOURCES/0166-Add-the-list-of-PKINIT-servers-as-a-virtual-attribut.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0167-Add-pkinit-status-command.patch 201 ●●●●● patch | view | raw | blame | history
SOURCES/0168-test_serverroles-Get-rid-of-MockLDAP-and-use-ldap2-i.patch 238 ●●●●● patch | view | raw | blame | history
SOURCES/0169-only-stop-disable-simple-service-if-it-is-installed.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0170-Fix-index-definition-for-ipaAnchorUUID.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0171-httpinstance-wait-until-the-service-entry-is-replica.patch 126 ●●●●● patch | view | raw | blame | history
SOURCES/0172-kdc.key-should-not-be-visible-to-all.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0173-ipa-kdb-reload-certificate-mapping-rules-periodicall.patch 221 ●●●●● patch | view | raw | blame | history
SOURCES/0174-Avoid-possible-endless-recursion-in-RPC-call.patch 127 ●●●●● patch | view | raw | blame | history
SOURCES/0175-rpc-preparations-for-recursion-fix.patch 103 ●●●●● patch | view | raw | blame | history
SOURCES/0176-rpc-avoid-possible-recursion-in-create_connection.patch 175 ●●●●● patch | view | raw | blame | history
SOURCES/0177-Changing-cert-find-to-do-not-use-only-primary-key-to.patch 102 ●●●●● patch | view | raw | blame | history
SOURCES/0178-ipa-kdb-add-pkinit-authentication-indicator-in-case-.patch 101 ●●●●● patch | view | raw | blame | history
SOURCES/0179-fix-incorrect-suffix-handling-in-topology-checks.patch 49 ●●●●● patch | view | raw | blame | history
SOURCES/0180-server-certinstall-update-KDC-master-entry.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0181-pkinit-manage-introduce-ipa-pkinit-manage.patch 259 ●●●●● patch | view | raw | blame | history
SOURCES/0182-server-upgrade-do-not-enable-PKINIT-by-default.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0183-Turn-off-OCSP-check.patch 196 ●●●●● patch | view | raw | blame | history
SOURCES/0184-Only-warn-when-specified-server-IP-addresses-don-t-m.patch 244 ●●●●● patch | view | raw | blame | history
SOURCES/0185-ipa-kdb-use-canonical-principal-in-certauth-plugin.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0186-Bump-version-of-python-gssapi.patch 66 ●●●●● patch | view | raw | blame | history
SOURCES/0187-Add-code-to-be-able-to-set-default-kinit-lifetime.patch 84 ●●●●● patch | view | raw | blame | history
SOURCES/0188-Revert-setting-sessionMaxAge-for-old-clients.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0189-Extend-the-advice-printing-code-by-some-useful-abstr.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0190-Prepare-advise-plugin-for-smart-card-auth-configurat.patch 293 ●●●●● patch | view | raw | blame | history
SOURCES/0191-trust-mod-allow-modifying-list-of-UPNs-of-a-trusted-.patch 93 ●●●●● patch | view | raw | blame | history
SOURCES/0192-WebUI-add-support-for-changing-trust-UPN-suffixes.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0193-kra-promote-Get-ticket-before-calling-custodia.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/0194-Fix-local-IP-address-validation.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0195-ipa-dns-install-remove-check-for-local-ip-address.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0196-refactor-CheckedIPAddress-class.patch 88 ●●●●● patch | view | raw | blame | history
SOURCES/0197-CheckedIPAddress-remove-match_local-param.patch 141 ●●●●● patch | view | raw | blame | history
SOURCES/0198-Remove-ip_netmask-from-option-parser.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0199-replica-install-add-missing-check-for-non-local-IP-a.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0200-Remove-network-and-broadcast-address-warnings.patch 146 ●●●●● patch | view | raw | blame | history
SOURCES/0201-ipa-sam-replace-encode_nt_key-with-E_md4hash.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch 102 ●●●●● patch | view | raw | blame | history
SOURCES/0203-Make-sure-we-check-ccaches-in-all-rpcserver-paths.patch 126 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch 999 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch 190 ●●●●● patch | view | raw | blame | history
SOURCES/1002-Package-copy-schema-to-ca.py.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/1002-Remove-pkinit-plugin.patch 157 ●●●●● patch | view | raw | blame | history
SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch 138 ●●●●● patch | view | raw | blame | history
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch 753 ●●●●● patch | view | raw | blame | history
SOURCES/1004-Remove-csrgen.patch 1666 ●●●●● patch | view | raw | blame | history
SOURCES/1005-Remove-pylint-from-build-process.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/1006-Remove-i18test-from-build-process.patch 26 ●●●●● patch | view | raw | blame | history
SOURCES/1007-Do-not-build-tests.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/1008-RCUE.patch 200 ●●●●● patch | view | raw | blame | history
SOURCES/1009-Revert-Increased-mod_wsgi-socket-timeout.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/1010-WebUI-add-API-browser-is-tech-preview-warning.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 1939 ●●●● patch | view | raw | blame | history
.gitignore
@@ -1,4 +1,4 @@
SOURCES/freeipa-4.4.0.tar.gz
SOURCES/freeipa-4.5.0.tar.gz
SOURCES/header-logo.png
SOURCES/login-screen-background.jpg
SOURCES/login-screen-logo.png
.ipa.metadata
@@ -1,4 +1,4 @@
441ef8cb2b0ac103723d03b0478da641d697e104 SOURCES/freeipa-4.4.0.tar.gz
686e9b1375659524de83e1b78df66b355715438e SOURCES/freeipa-4.5.0.tar.gz
77c318cf1f4fc25cf847de0692a77859a767c0e3 SOURCES/header-logo.png
8727245558422bf966d60677568925f081b8e299 SOURCES/login-screen-background.jpg
24a29d79efbd0906777be4639957abda111fca4b SOURCES/login-screen-logo.png
SOURCES/0001-Add-options-to-allow-ticket-caching.patch
New file
@@ -0,0 +1,39 @@
From 6c4d53f843575d5e69a0c310cdb2e5026751faa4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).
Ticket: https://pagure.io/freeipa/issue/6771
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a689a430168ea9841d59cb558755371968..9d111009f5a5ba24dd474be336bf0cb27ab59aab 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
--
2.12.0
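Review bot: The template turns on `allow_client_ccache_sync` for both the httpd and ipaapi services without recording the gssproxy version that understands it; the commit message says the option is planned for gssproxy 0.7, so whether an older gssproxy ignores or rejects an unknown key is not visible here and the package Requires (ipa.spec is modified in this import but not shown) should be confirmed to match. Since the option, by its name and the commit message, lets gssproxy write the fetched credentials back into the caller's credential cache, the template should say what now ends up in the httpd-side ccache and why. I would add above each new line: `# Let gssproxy store the fetched LDAP ticket in the caller's ccache (gssproxy >= 0.7) so a new LDAP connection does not go back to the KDC.`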
SOURCES/0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch
File was deleted
SOURCES/0002-Use-connection-keep-alive.patch
New file
@@ -0,0 +1,35 @@
From 1216aaa3c5f5e3dc3a81de81633eaade15df1129 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 20 Mar 2017 08:47:41 +0100
Subject: [PATCH] Use connection keep-alive
Do not forcefully close the connection after every request. This enables
HTTP connection keep-alive, also known as persistent TCP and TLS/SSL
connection. Keep-alive speed up consecutive HTTP requests by 15% (for
local, low-latency network connections to a fast server) to multiple
times (high latency connections or remote peers).
https://pagure.io/freeipa/issue/6641
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 16ffb8b541107e3ce1a84d143db007a1105b49b5..8d587180a65bd06b644c6df23ac9fb26eb7e97dd 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -686,7 +686,7 @@ class KerbTransport(SSLTransport):
                 return self.parse_response(response)
         except gssapi.exceptions.GSSError as e:
             self._handle_exception(e)
-        finally:
+        except BaseException:
             self.close()
     if six.PY3:
--
2.12.1
SOURCES/0002-uninstall-untrack-lightweight-CA-certs.patch
File was deleted
SOURCES/0003-Add-debug-logging-for-keep-alive.patch
New file
@@ -0,0 +1,68 @@
From bdaf584ef5ebcae08e86142ceb80ebe56ac11fa3 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 20 Mar 2017 08:47:51 +0100
Subject: [PATCH] Add debug logging for keep-alive
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipalib/rpc.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d587180a65bd06b644c6df23ac9fb26eb7e97dd..38321d17cf2c9529738aa45cc44bbd38b08b032b 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -79,6 +79,13 @@ except ImportError:
     from xmlrpc.client import (Binary, Fault, DateTime, dumps, loads, ServerProxy,
             Transport, ProtocolError, MININT, MAXINT)
+# pylint: disable=import-error
+if six.PY3:
+    from http.client import RemoteDisconnected
+else:
+    from httplib import BadStatusLine as RemoteDisconnected
+# pylint: enable=import-error
+
 if six.PY3:
     unicode = str
@@ -531,6 +538,7 @@ class SSLTransport(LanguageAwareTransport):
         host, self._extra_headers, _x509 = self.get_host_info(host)
         if self._connection and host == self._connection[0]:
+            root_logger.debug("HTTP connection keep-alive (%s)", host)
             return self._connection[1]
         conn = create_https_connection(
@@ -540,6 +548,7 @@ class SSLTransport(LanguageAwareTransport):
             tls_version_max=api.env.tls_version_max)
         conn.connect()
+        root_logger.debug("New HTTP connection (%s)", host)
         self._connection = host, conn
         return self._connection[1]
@@ -686,8 +695,18 @@ class KerbTransport(SSLTransport):
                 return self.parse_response(response)
         except gssapi.exceptions.GSSError as e:
             self._handle_exception(e)
-        except BaseException:
+        except RemoteDisconnected:
+            # keep-alive connection was terminated by remote peer, close
+            # connection and let transport handle reconnect for us.
+            self.close()
+            root_logger.debug("HTTP server has closed connection (%s)", host)
+            raise
+        except BaseException as e:
+            # Unexpected exception may leave connections in a bad state.
             self.close()
+            root_logger.debug("HTTP connection destroyed (%s)",
+                              host, exc_info=True)
+            raise
     if six.PY3:
         def __send_request(self, connection, host, handler, request_body, debug):
--
2.12.1
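Review bot: `except BaseException as e:` on the generic branch binds `e` and never uses it, since the traceback is already captured through `exc_info=True`; drop the binding and write `except BaseException:`. On Python 2 the alias `BadStatusLine as RemoteDisconnected` is broader than the Python 3 name, so any malformed status line, not only a peer-closed keep-alive connection, takes the "server has closed connection" branch; that is acceptable because both branches close and re-raise, but a comment next to the alias, e.g. `# py2 has no RemoteDisconnected; a closed keep-alive socket surfaces as BadStatusLine`, would save the next reader the detour. The `host` used in the new debug messages is taken from the surrounding method, whose start lies outside the hunk.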
SOURCES/0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch
File was deleted
SOURCES/0004-Increase-Apache-HTTPD-s-default-keep-alive-timeout.patch
New file
@@ -0,0 +1,41 @@
From 2905ebdb1a6c668da1a12d79824c6710e3f0eb94 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 20 Mar 2017 08:47:56 +0100
Subject: [PATCH] Increase Apache HTTPD's default keep alive timeout
Apache has a default keep alive timeout of 5 seconds. That's too low for
interactive commands, e.g. password prompts. 30 seconds sounds like a
good compromise.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 install/conf/ipa.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 164231c729a8b3d64982ea0d9592e949635d7418..e1f1a581b4e8a91b899bcf165ca81f266fa9e516 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 24 - DO NOT REMOVE THIS LINE
+# VERSION 25 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -20,6 +20,11 @@ DirectoryIndex index.html
 # requests, ticket #2767. This should easily support a 64KiB PAC.
 LimitRequestFieldSize 100000
+# Increase connection keep alive time. Default value is 5 seconds, which is too
+# short for interactive ipa commands. 30 seconds is a good compromise.
+KeepAlive On
+KeepAliveTimeout 30
+
 # ipa-rewrite.conf is loaded separately
 # This is required so the auto-configuration works with Firefox 2+
--
2.12.1
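Review bot: Raising `KeepAliveTimeout` to 30 seconds keeps an idle worker bound to each client six times longer than the Apache default, so with the MPM pool limits left as they are a modest number of idle or deliberately slow clients can exhaust request slots sooner than before; the hunk sets no `MaxKeepAliveRequests` or pool sizing to compensate. Whether this matters depends on the MPM settings elsewhere in the httpd configuration, which are not visible here. I would record the trade-off next to the directive: `# Each keep-alive client now holds a worker for up to 30s of idle time; size MaxRequestWorkers accordingly.`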
SOURCES/0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch
File was deleted
SOURCES/0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch
File was deleted
SOURCES/0005-ipapython.ipautil.nolog_replace-Do-not-replace-empty.patch
New file
@@ -0,0 +1,32 @@
From fef78a011c148f63a08014bbe7ed2d63fe3380bd Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 20 Mar 2017 12:48:14 +0100
Subject: [PATCH] ipapython.ipautil.nolog_replace: Do not replace empty value
When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX'
three (once for plain value, once for http quoted value and last time for shell
quoted value) times before every character (including terminating '\0') in the string.
https://pagure.io/freeipa/issue/6738
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
 ipapython/ipautil.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 60b4a37fe247624e826d0f6516cb9a25d30ae75d..cd66328e6c9a0f69e6f83582a9d288ac239c5be3 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -505,7 +505,7 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
 def nolog_replace(string, nolog):
     """Replace occurences of strings given in `nolog` with XXXXXXXX"""
     for value in nolog:
-        if not isinstance(value, six.string_types):
+        if not value or not isinstance(value, six.string_types):
             continue
         quoted = urllib.parse.quote(value)
--
2.12.1
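Review bot: The new guard skips empty values, but it also keeps silently skipping anything that is not a `six.string_types` instance, so on Python 3 a secret passed as `bytes` in `nolog` is never redacted and would reach the log in clear; whether any caller does that is not visible here. The reason for the empty-value skip is non-obvious and deserves a comment on the changed line: `# an empty secret would match between every character and flood the output with XXXXXXXX`. If bytes values are possible, decoding them first (`value = value.decode('utf-8', 'replace')`) would be safer than dropping them from the redaction set.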
SOURCES/0006-kdb-check-for-local-realm-in-enterprise-principals.patch
File was deleted
SOURCES/0006-tasks-run-systemctl-daemon-reload-after-httpd.servic.patch
New file
@@ -0,0 +1,49 @@
From d8a9ed4e2fc164962d76773b57277f97bca84270 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 12:51:29 +0000
Subject: [PATCH] tasks: run `systemctl daemon-reload` after httpd.service.d
 updates
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.
This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.
https://pagure.io/freeipa/issue/6773
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaplatform/redhat/tasks.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index c1b574e06fc52839b684cbe96587365fa107b2eb..d0ef5fbd1ceb8110dd417dda44a74dc63898456a 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -483,6 +483,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
         self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+        ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
+                    raiseonerr=False)
+
     def configure_http_gssproxy_conf(self):
         ipautil.copy_template_file(
             os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
@@ -513,6 +516,10 @@ class RedHatTaskNamespace(BaseTaskNamespace):
                     'Error removing %s: %s',
                     paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
                 )
+            return
+
+        ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
+                    raiseonerr=False)
     def set_hostname(self, hostname):
         ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
--
2.12.1
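Review bot: Both new `daemon-reload` calls pass `raiseonerr=False` and discard the result, so the failure mode the commit message describes (httpd started without `GSS_USE_PROXY=yes`, then "No valid Negotiate header" failures) stays silent if systemctl exits non-zero. Keeping the call non-fatal is reasonable, especially on the uninstall path, but the outcome should be logged: `result = ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"], raiseonerr=False)` followed by `if result.returncode != 0:` and a warning naming the return code through whatever logger tasks.py uses, which is not visible in this hunk. Both enclosing methods start and end outside the hunk.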
SOURCES/0007-Enable-vault-commands-on-client.patch
File was deleted
SOURCES/0007-man-ipa-cacert-manage-install-needs-clarification.patch
New file
@@ -0,0 +1,31 @@
From 9d5e8f44210f661850ec67f92909534dd52c2ee8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 22 Mar 2017 08:49:39 +0100
Subject: [PATCH] man ipa-cacert-manage install needs clarification
The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.
https://pagure.io/freeipa/issue/6795
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 install/tools/man/ipa-cacert-manage.1 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1
index 4515d7c404054139725fd47f366706cb1e222be5..128edd8bd2500a09f406da8dc01a53b269007ab0 100644
--- a/install/tools/man/ipa-cacert-manage.1
+++ b/install/tools/man/ipa-cacert-manage.1
@@ -46,6 +46,8 @@ When the IPA CA is not configured, this command is not available.
 .RS
 This command can be used to install the certificate contained in \fICERTFILE\fR as an additional CA certificate to IPA.
 .sp
+Important: this does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.
+.sp
 Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
 .RE
 .SH "COMMON OPTIONS"
--
2.12.1
SOURCES/0008-certs-do-not-implicitly-create-DS-pin.txt.patch
New file
@@ -0,0 +1,48 @@
From 846b1c9b72f539cbe4b8d6e23de81e03b1afec9e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 09:32:17 +0100
Subject: [PATCH] certs: do not implicitly create DS pin.txt
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/certs.py      | 1 -
 ipaserver/install/dsinstance.py | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 63e7887c4e73a8346d4eb5d865ddc89c07247573..9f340b8678c55cffe2872df97c643c34857cfaa9 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -635,7 +635,6 @@ class CertDB(object):
         self.cacert_name = ca_names[-1]
         self.trust_root_cert(self.cacert_name, trust_flags)
-        self.create_pin_file()
         self.export_ca_cert(nickname, False)
     def publish_ca_cert(self, location):
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 91cc180e62b9532e716c07c493b359567b20c749..79dc90e92cac49a2b64ff6645f75dc3a8cbcc104 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -838,7 +838,8 @@ class DsInstance(service.Service):
                 certmonger.modify_ca_helper('IPA', prev_helper)
             self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
-            dsdb.create_pin_file()
+
+        dsdb.create_pin_file()
         self.cacert_name = dsdb.cacert_name
--
2.12.1
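Review bot: `dsdb.create_pin_file()` now runs unconditionally after the if/else in `__enable_ssl()`, but nothing in the hunk says why the pin file is required on every path, and a reader who sees it removed from `init_from_pkcs12()` may assume it is no longer needed at all. Since pin.txt holds the NSS database password in clear for the directory server to read unattended, I would add above the call: `# DS unlocks its NSS DB from pin.txt at startup, so the file is needed on every path, not only when the cert was issued here.` Other callers of `init_from_pkcs12()` that may have relied on the implicit pin file are not visible here and should be checked; the enclosing method starts and ends outside the hunk.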
SOURCES/0008-vault-add-set-the-default-vault-type-on-the-client-s.patch
File was deleted
SOURCES/0009-caacl-expand-plugin-documentation.patch
File was deleted
SOURCES/0009-httpinstance-clean-up-etc-httpd-alias-on-uninstall.patch
New file
@@ -0,0 +1,74 @@
From 10e74165a827377ed3318d4d2b974fdbf0fab9db Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 8 Mar 2017 14:24:15 +0000
Subject: [PATCH] httpinstance: clean up /etc/httpd/alias on uninstall
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.
Files modified by IPA are kept with .ipasave suffix.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipapython/certdb.py               | 13 +++++++++++++
 ipaserver/install/certs.py        |  3 +++
 ipaserver/install/httpinstance.py |  3 +++
 3 files changed, 19 insertions(+)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 6c89e778068d9ed1e9939077f7114463776e3516..f1410e5ae4290263573e9554ab4e66873d4344a1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -169,6 +169,19 @@ class NSSDatabase(object):
                     new_mode = filemode
                 os.chmod(path, new_mode)
+    def restore(self):
+        for filename in NSS_FILES:
+            path = os.path.join(self.secdir, filename)
+            backup_path = path + '.orig'
+            save_path = path + '.ipasave'
+            try:
+                if os.path.exists(path):
+                    os.rename(path, save_path)
+                if os.path.exists(backup_path):
+                    os.rename(backup_path, path)
+            except OSError as e:
+                root_logger.debug(e)
+
     def list_certs(self):
         """Return nicknames and cert flags for all certs in the database
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f340b8678c55cffe2872df97c643c34857cfaa9..0ca971358030db6a6e7e410e58a984675bcf53ac 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -234,6 +234,9 @@ class CertDB(object):
                              backup=True)
         self.set_perms(self.passwd_fname, write=True)
+    def restore(self):
+        self.nssdb.restore()
+
     def list_certs(self):
         """
         Return a tuple of tuples containing (nickname, trust)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ca3bcc87eec2c93a664db517df3eddecaaf565c2..f6f0b0c4f6acd648aa9f6f5d7400617613245473 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -555,6 +555,9 @@ class HTTPInstance(service.Service):
                 ca_iface.Set('org.fedorahosted.certmonger.ca',
                              'external-helper', helper)
+        db = certs.CertDB(self.realm, paths.HTTPD_ALIAS_DIR)
+        db.restore()
+
         for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
             try:
                 self.fstore.restore_file(f)
--
2.12.1
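Review bot: `NSSDatabase.restore()` leaves the IPA-modified `key3.db` and `pwdfile.txt` on disk as `.ipasave` copies, so the HTTP service private key and the NSS database password survive uninstall; the rename keeps the original file mode, but the method should carry a docstring stating this explicitly, because operators generally expect an uninstall to remove key material. The `except OSError` handler logs only at debug level, so a failed rename leaves the directory in a mixed state with no visible warning; `root_logger.warning('Failed to restore %s: %s', path, e)` is more appropriate. Note also that `os.rename(path, save_path)` silently replaces any `.ipasave` left from an earlier install.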
SOURCES/0010-Fixing-replica-install-fix-ldap-connection-in-domlvl.patch
New file
@@ -0,0 +1,43 @@
From 175c29c7b57a0ab48d1371c199e70f3435a0ead7 Mon Sep 17 00:00:00 2001
From: felipe <fbarreto@localhost.localdomain>
Date: Tue, 21 Mar 2017 09:05:56 -0300
Subject: [PATCH] Fixing replica install: fix ldap connection in domlvl 0
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release,  the old master denies this operations.
https://pagure.io/freeipa/issue/6549
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index b4463fd4066efbc68f22e4f8f3175b59cb20b103..f489e691999fd9d6e82879341922510e56eac47d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1391,7 +1391,16 @@ def install(installer):
     dsinstance.create_ds_user()
     try:
-        conn.connect(ccache=ccache)
+        if promote:
+            conn.connect(ccache=ccache)
+        else:
+            # dmlvl 0 replica install should always use DM credentials
+            # to create remote LDAP connection. Since ACIs permitting hosts
+            # to manage their own services were added in 4.2 release,
+            # the master denies this operations.
+            conn.connect(bind_dn=ipaldap.DIRMAN_DN, cacert=cafile,
+                         bind_pw=config.dirman_password)
+
         # Update and istall updated CA file
         cafile = install_ca_cert(conn, api.env.basedn, api.env.realm, cafile)
--
2.12.1
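Review bot: The new comment inverts the reason for the change: the ACIs that let a host manage its own services exist from 4.2 on, so it is an older master that lacks them and rejects the host-bound connection, as the commit message says; as written, "Since ACIs ... were added in 4.2 release, the master denies this operations" reads as if the ACIs cause the denial. I would replace the three comment lines with `# On domain level 0 the master may predate 4.2 and lack the ACIs that let a host manage its own services, so always bind as Directory Manager.` The Directory Manager password travels over this connection, so it is worth confirming that `conn.connect(..., cacert=cafile)` establishes TLS before the simple bind; how `conn` was built and where `promote` comes from lie outside the hunk.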
SOURCES/0010-host-find-do-not-show-SSH-key-by-default.patch
File was deleted
SOURCES/0011-Removed-unused-method-parameter-from-migrate-ds.patch
File was deleted
SOURCES/0011-replica-prepare-fix-wrong-IPA-CA-nickname-in-replica.patch
New file
@@ -0,0 +1,51 @@
From c34fa1891b774e98de6a1787001f2215ea85c0f3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Fri, 17 Mar 2017 09:34:08 +0000
Subject: [PATCH] replica prepare: fix wrong IPA CA nickname in replica file
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".
This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.
https://pagure.io/freeipa/issue/6777
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/install/ipa_replica_prepare.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f4925a6c46b6714362545ee5e8194b7b02de5091..95c3818a9fc34c937f8b418e91a1bfc28352b02e 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -34,7 +34,7 @@ import dns.resolver
 from six.moves.configparser import SafeConfigParser
 # pylint: enable=import-error
-from ipaserver.install import certs, installutils, bindinstance, dsinstance
+from ipaserver.install import certs, installutils, bindinstance, dsinstance, ca
 from ipaserver.install.replication import enable_replication_version_checking
 from ipaserver.install.server.replicainstall import install_ca_cert
 from ipaserver.install.bindinstance import (
@@ -537,12 +537,13 @@ class ReplicaPrepare(admintool.AdminTool):
         """
         hostname = self.replica_fqdn
         subject_base = self.subject_base
+        ca_subject = ca.lookup_ca_subject(api, subject_base)
         nickname = "Server-Cert"
         try:
             db = certs.CertDB(
-                api.env.realm, nssdir=self.dir, subject_base=subject_base,
-                host_name=api.env.host)
+                api.env.realm, nssdir=self.dir, host_name=api.env.host,
+                subject_base=subject_base, ca_subject=ca_subject)
             db.create_passwd_file()
             db.create_from_cacert()
             db.create_server_cert(nickname, hostname)
--
2.12.1
SOURCES/0012-Preserve-user-principal-aliases-during-rename-operat.patch
File was deleted
SOURCES/0012-ldap2-use-LDAP-whoami-operation-to-retrieve-bind-DN-.patch
New file
@@ -0,0 +1,43 @@
From 1288763da61ba9e0c9bd345487a3e645c58284df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 22 Mar 2017 13:00:22 +0200
Subject: [PATCH] ldap2: use LDAP whoami operation to retrieve bind DN for
 current connection
For external users which are mapped to some DN in LDAP server, we
would not necessarily be able to find Kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.
Fixes https://pagure.io/freeipa/issue/6797
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
 ipaserver/plugins/ldap2.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index def124530cc863e6924c7b6f1f48c236323019a9..3b1e4da57a8e16e3d9b27eea24025de2caa53216 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -286,12 +286,11 @@ class ldap2(CrudBackend, LDAPClient):
         assert isinstance(dn, DN)
-        principal = getattr(context, 'principal')
-        entry = self.find_entry_by_attr("krbprincipalname", principal,
-            "krbPrincipalAux", base_dn=self.api.env.basedn)
+        bind_dn = self.conn.whoami_s()[4:]
+
         sctrl = [
             GetEffectiveRightsControl(
-                True, "dn: {0}".format(entry.dn).encode('utf-8'))
+                True, "dn: {0}".format(bind_dn).encode('utf-8'))
         ]
         self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
         try:
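Review bot: `bind_dn = self.conn.whoami_s()[4:]` assumes the authorization identity returned by the server always begins with a four-character `dn: ` prefix; an anonymous connection yields an empty string and a server may answer with the `u:` form or `dn:` without the space, in which case the slice produces a mangled DN that is then embedded in the GetEffectiveRightsControl. Check the prefix rather than blindly slicing: `authzid = self.conn.whoami_s()` / `if not authzid.startswith('dn:'): raise <the ipalib error this module uses for an unexpected bind identity>` / `bind_dn = authzid[3:].lstrip()`. The enclosing method starts before the hunk and its `try:` body continues after it.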
--
2.12.1
SOURCES/0013-Backup-ipa-specific-httpd-unit-file.patch
New file
@@ -0,0 +1,47 @@
From 7b57dd770bbb4861f46805adaa9597445dff142c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Thu, 16 Mar 2017 10:22:59 +0100
Subject: [PATCH] Backup ipa-specific httpd unit-file
On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.
https://pagure.io/freeipa/issue/6748
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/ipa_backup.py  | 1 +
 ipaserver/install/ipa_restore.py | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 07c50c8364c313b9aeb6d73540b541f55d98a44d..56583c01b1677a48c103d79123e3fbe106222f38 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -166,6 +166,7 @@ class Backup(admintool.AdminTool):
         paths.KDC_CERT,
         paths.KDC_KEY,
         paths.SYSTEMD_IPA_SERVICE,
+        paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
         paths.SYSTEMD_SSSD_SERVICE,
         paths.SYSTEMD_CERTMONGER_SERVICE,
         paths.SYSTEMD_PKI_TOMCAT_SERVICE,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index d798654ea7464f66e461936e41e3747a16acb21d..2552bbdef36f653f1c377ea096ca227d09e5f3e6 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -414,6 +414,8 @@ class Restore(admintool.AdminTool):
                 sssd = services.service('sssd', api)
                 sssd.restart()
                 http.remove_httpd_ccaches()
+                # have the daemons pick up their restored configs
+                run([paths.SYSTEMCTL, "--system", "daemon-reload"])
         finally:
             try:
                 os.chdir(cwd)
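Review bot: The added `run([paths.SYSTEMCTL, "--system", "daemon-reload"])` executes after `sssd.restart()`, yet the backup set in the hunk above includes `paths.SYSTEMD_SSSD_SERVICE`, so sssd is restarted against the unit definition systemd loaded before the files were restored. Move the daemon-reload above the `sssd = services.service('sssd', api)` line so every service restarted here picks up its restored unit; if httpd is restarted earlier in this method (outside the hunk), the same ordering concern applies there. The enclosing `try` block and the Restore method start before the hunk.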
--
2.12.1
SOURCES/0013-messages-specify-message-type-for-ResultFormattingEr.patch
File was deleted
SOURCES/0014-WebUI-check-principals-in-lowercase.patch
New file
@@ -0,0 +1,36 @@
From 4ffc29d45ff1121f76b39ac7acaee824b4d04aaf Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Wed, 22 Mar 2017 16:39:21 +0100
Subject: [PATCH] WebUI: check principals in lowercase
WebUI checks whether principal name of logged user and principal name
in each command is equal. As KDC for our principals is case insensitive
- it does make sense to switch this check also into case insensitive.
So both principals are reformated to lower case and then
compared.
Part of: https://pagure.io/freeipa/issue/3242
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/ui/src/freeipa/rpc.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 7ae1b64291a4530137e0fb8d72ff5a8491cb10b4..1880f8d5732f982c25924b787b273c9e56636b20 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -389,7 +389,8 @@ rpc.command = function(spec) {
             } else if (IPA.version && data.version && IPA.version !== data.version) {
                 window.location.reload();
-            } else if (IPA.principal && data.principal && IPA.principal !== data.principal) {
+            } else if (IPA.principal && data.principal &&
+                IPA.principal.toLowerCase() !== data.principal.toLowerCase()) {
                 window.location.reload();
             } else if (data.error) {
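Review bot: The comparison `IPA.principal.toLowerCase() !== data.principal.toLowerCase()` is the check that reloads the page when the server answers for a different principal than the one the UI logged in as, and the hunk leaves no record of why case is now ignored. A comment such as `// the KDC resolves principals case-insensitively (issue 3242), so compare case-folded` would preserve the rationale. It is worth stating there that the relaxation is only safe as long as the server never issues two distinct principals differing only in case, which this change assumes rather than verifies. The callback continues outside the hunk.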
--
2.12.1
SOURCES/0014-schema-Fix-subtopic-topic-mapping.patch
File was deleted
SOURCES/0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch
File was deleted
SOURCES/0015-WebUI-add-method-for-disabling-item-in-user-dropdown.patch
New file
@@ -0,0 +1,105 @@
From 894fdd8c10552ef0b90363db985bb25e398d99e1 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Wed, 22 Mar 2017 16:48:36 +0100
Subject: [PATCH] WebUI: add method for disabling item in user dropdown menu
AD user can do only several things. One of those which are not
allowed is to reset password to itself. Therefore we need to be
able to turn off an item in the dropdown menu. In our case
'Password reset' item. Function which disable menu item and detach
the listener on click from the item specified by its name was added.
Part of: https://pagure.io/freeipa/issue/3242
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/ui/src/freeipa/Application_controller.js | 42 ++++++++++++++++++++----
 install/ui/src/freeipa/widgets/App.js            |  4 +++
 2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 32add5f8f3d6874c1c555bf28d2b70cd54af5956..d809c1f2662609e390609270ef3ddc42f0727936 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -69,6 +69,16 @@ define([
         facet_changing: false,
         /**
+         * Listeners for user menu items
+         */
+         on_profile_listener: null,
+         on_passwd_reset_listener: null,
+         on_logout_listener: null,
+         on_item_select_listener: null,
+         on_configuration_listerer: null,
+         on_about_listener: null,
+
+        /**
          * Currently displayed facet
          *
          */
@@ -109,12 +119,7 @@ define([
                 }
             };
-            on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this));
-            on(this.app_widget, 'profile-click', this.on_profile.bind(this));
-            on(this.app_widget, 'logout-click', this.on_logout.bind(this));
-            on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this));
-            on(this.app_widget, 'configuration-click', this.on_configuration.bind(this));
-            on(this.app_widget, 'about-click', this.on_about.bind(this));
+            this.register_user_menu_listeners();
             on(this.router, 'facet-show', this.on_facet_show.bind(this));
             on(this.router, 'facet-change', this.on_facet_change.bind(this));
@@ -133,6 +138,31 @@ define([
             IPA.opened_dialogs.start_handling(this);
         },
+        register_user_menu_listeners: function() {
+            this.on_profile_listener = on(this.app_widget, 'profile-click',
+                    this.on_profile.bind(this));
+            this.on_passwd_reset_listener = on(this.app_widget,
+                    'password-reset-click', this.on_password_reset.bind(this));
+            this.on_logout_listener = on(this.app_widget, 'logout-click',
+                    this.on_logout.bind(this));
+            this.on_item_select_listener = on(this.app_widget.menu_widget,
+                    'item-select', this.on_menu_click.bind(this));
+            this.on_configuration_listerer = on(this.app_widget,
+                    'configuration-click', this.on_configuration.bind(this));
+            this.on_about_listener = on(this.app_widget,
+                    'about-click', this.on_about.bind(this));
+        },
+
+        /**
+         * Turns off one item in user dropdown menu and remove its listener.
+         * @param {string} name of the user menu item which should be disabled
+         * @param {Object} listener disable this listener
+         */
+        disable_user_menu_item: function(name, listener) {
+            this.app_widget.disable_user_menu_item(name);
+            listener.remove();
+        },
+
         /**
          * Gets:
          *  * metadata
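Review bot: `disable_user_menu_item` calls `listener.remove()` unconditionally, but every listener field is initialised to `null` in the first hunk and only assigned by `register_user_menu_listeners`, so calling it before registration, or twice for the same item, throws instead of being a no-op. Guard it with `if (listener) { listener.remove(); }` and consider clearing the corresponding field on the controller so a second call is harmless. The field `on_configuration_listerer` is misspelled; `on_configuration_listener` matches its siblings and the `on_*_listener` naming the doc comment announces.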
diff --git a/install/ui/src/freeipa/widgets/App.js b/install/ui/src/freeipa/widgets/App.js
index 68b78c7c4be44f5a1f658fed6b6b75d1beda22c5..95bc9b2cf3bcf40cd3a4cab47e9043e05331e019 100644
--- a/install/ui/src/freeipa/widgets/App.js
+++ b/install/ui/src/freeipa/widgets/App.js
@@ -222,6 +222,10 @@ define(['dojo/_base/declare',
             }
         },
+        disable_user_menu_item: function(name) {
+            this.user_menu.disable_item(name);
+        },
+
         on_menu_item_click: function(item) {
             this.collapse_menu();
         },
--
2.12.1
SOURCES/0016-Heap-corruption-in-ipapwd-plugin.patch
File was deleted
SOURCES/0016-WebUI-Add-support-for-login-for-AD-users.patch
New file
@@ -0,0 +1,341 @@
From 18e9bc2399af788399e66c3f4b28e6a7f0378b78 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Wed, 22 Mar 2017 16:54:33 +0100
Subject: [PATCH] WebUI: Add support for login for AD users
After login, method user-find --whoami was called which cannot be
called for AD users. That method was replaced by ipa whoami command
and sequential command according to result of ipa whoami. AD user
can now be logged in.
AD users have new menu definition which contains only list of IPA
users and profile page of AD user - "User ID Override".
This commit also fixes several places where IPA.whoami object was
used, because its structure was also changed. It now contains two
objects. First one is stored in 'metadata' property and stores
result from ipa whoami (type of object, command which should be
called for showing detailed data about currently logged entity, etc).
The second one is stored in 'data' property which stores result of
_show command for currently logged entity.
https://pagure.io/freeipa/issue/3242
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/ui/src/freeipa/Application_controller.js | 52 +++++++++++++++++++-----
 install/ui/src/freeipa/idviews.js                | 21 +++++++++-
 install/ui/src/freeipa/ipa.js                    | 47 +++++++++++++--------
 install/ui/src/freeipa/navigation/menu_spec.js   | 10 +++++
 install/ui/src/freeipa/otptoken.js               |  2 +-
 install/ui/src/freeipa/user.js                   |  5 ++-
 ipaserver/plugins/internal.py                    |  1 +
 7 files changed, 108 insertions(+), 30 deletions(-)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index d809c1f2662609e390609270ef3ddc42f0727936..5eb4e7a5104b780761b9a5179dbfd1501a8d1478 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -31,6 +31,7 @@ define([
         './widgets/App',
         './widgets/FacetContainer',
         './ipa',
+        './rpc',
         './reg',
         './config',
         './widget',
@@ -41,7 +42,7 @@ define([
         './plugins/load_page'
        ],
        function(declare, array, Deferred, on, topic, query, dom_class, auth,
-            JSON, App_widget, FacetContainer, IPA, reg, config, widget_mod,
+            JSON, App_widget, FacetContainer, IPA, rpc, reg, config, widget_mod,
             Menu, Router, routing, menu_spec) {
     /**
@@ -156,7 +157,7 @@ define([
         /**
          * Turns off one item in user dropdown menu and remove its listener.
          * @param {string} name of the user menu item which should be disabled
-         * @param {Object} listener disable this listener
+         * @param {Object} listener disable di
          */
         disable_user_menu_item: function(name, listener) {
             this.app_widget.disable_user_menu_item(name);
@@ -179,16 +180,22 @@ define([
          */
         choose_profile: function() {
-            // TODO: change IPA.whoami.cn[0] to something readable
-            this.update_logged_in(true, IPA.whoami.cn[0]);
+            this.update_logged_in(true);
             var selfservice = this.is_selfservice();
             this.app_widget.menu_widget.ignore_changes = true;
             if (selfservice) {
-                this.menu.name = menu_spec.self_service.name;
-                this.menu.add_items(menu_spec.self_service.items);
+                if (this.is_aduser_selfservice()) {
+                    this.menu.name = menu_spec.ad_self_service.name;
+                    this.menu.add_items(menu_spec.ad_self_service.items);
+                    this.disable_user_menu_item('password_reset',
+                            this.on_passwd_reset_listener);
+                } else {
+                    this.menu.name = menu_spec.self_service.name;
+                    this.menu.add_items(menu_spec.self_service.items);
+                }
             } else {
                 this.menu.name = menu_spec.admin.name;
                 this.menu.add_items(menu_spec.admin.items);
@@ -232,10 +239,9 @@ define([
         },
         is_selfservice: function() {
-            var whoami = IPA.whoami;
+            var whoami = IPA.whoami.data;
             var self_service = true;
-
             if (whoami.hasOwnProperty('memberof_group') &&
                 whoami.memberof_group.indexOf('admins') !== -1) {
                 self_service = false;
@@ -255,13 +261,39 @@ define([
             return self_service;
         },
-        update_logged_in: function(logged_in, fullname) {
+        is_aduser_selfservice: function() {
+            var selfservice = IPA.whoami.metadata.object === 'idoverrideuser';
+            // quite ugly, needed for users and iduseroverride to hide breadcrumb
+            IPA.is_aduser_selfservice = selfservice;
+
+            return selfservice;
+        },
+
+        update_logged_in: function(logged_in) {
             this.app_widget.set('logged', logged_in);
+
+            var whoami = IPA.whoami;
+            var fullname = '';
+            var entity = whoami.metadata.object;
+
+            if (whoami.data.cn) {
+                fullname = whoami.data.cn[0];
+            } else if (whoami.data.displayname) {
+                fullname = whoami.data.displayname[0];
+            } else if (whoami.data.gecos) {
+                fullname = whoami.data.gecos[0];
+            } else if (whoami.data.krbprincipalname) {
+                fullname = whoami.data.krbprincipalname[0];
+            } else if (whoami.data.ipaoriginaluid) {
+                fullname = whoami.data.ipaoriginaluid[0];
+            }
+
             this.app_widget.set('fullname', fullname);
         },
         on_profile: function() {
-            routing.navigate(['entity', 'user', 'details', [IPA.whoami.uid[0]]]);
+            routing.navigate(['entity', IPA.whoami.metadata.object, 'details',
+                 IPA.whoami.metadata.arguments]);
         },
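Review bot: In `update_logged_in` the local `var entity = whoami.metadata.object;` is assigned and never read within the hunk; drop it or use it. `is_aduser_selfservice` also writes the global `IPA.is_aduser_selfservice` as a side effect of what reads like a pure predicate, which the inline comment admits is ugly; a doc comment on the function such as `// True when the logged-in entity is an idoverrideuser (AD user); also publishes IPA.is_aduser_selfservice, read by the user and idoverrideuser entity specs` would at least make that coupling visible to callers. The `fullname` fallback chain should state that an entity with none of the listed attributes is shown with an empty name, since that is the silent outcome of the chain.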
         on_logout: function(event) {
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index f383ab3be4c4ed997fb209da2da4d04835236d8a..d9133a13c2ed8970e7919bb28d06f818d832170a 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -452,6 +452,21 @@ idviews.id_override_user_details_facet = function(spec) {
     return that;
 };
+
+idviews.aduser_idoverrideuser_pre_op = function(spec, context) {
+    spec = spec || [];
+
+    if (!IPA.is_aduser_selfservice) return spec;
+
+    var facet = spec.facets[0];
+    facet.label = '@i18n:objects.idoverrideuser.profile';
+    facet.actions = [];
+    facet.header_actions = [];
+    facet.disable_breadcrumb = true;
+
+    return spec;
+};
+
 /**
  * @extends IPA.cert.certs_widget
  */
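Review bot: `spec = spec || [];` defaults a missing spec to an array, so the `spec.facets[0]` access a few lines later throws on the fallback value; the default should be an object and the access guarded. Suggest `spec = spec || {};` and `if (!IPA.is_aduser_selfservice || !spec.facets || !spec.facets.length) return spec;`. A one-line doc comment saying that the pre-op turns only the first facet of the idoverrideuser spec into a read-only profile page for AD self-service would also help, because `facet.actions = []` and `facet.header_actions = []` silently drop every action without saying why.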
@@ -948,7 +963,11 @@ idviews.register = function() {
     var w = reg.widget;
     e.register({type: 'idview', spec: idviews.spec});
-    e.register({type: 'idoverrideuser', spec: idviews.idoverrideuser_spec});
+    e.register({
+        type: 'idoverrideuser',
+        spec: idviews.idoverrideuser_spec,
+        pre_ops: [idviews.aduser_idoverrideuser_pre_op]
+    });
     e.register({type: 'idoverridegroup', spec: idviews.idoverridegroup_spec});
     f.copy('attribute', 'idview_appliedtohosts', {
         factory: idviews.appliedtohosts_facet
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 0ddbd0744d699cacddb3970e5ec7cb72b9dbf4f4..2538001c94141b823d634ca63327a66fd148129f 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -86,7 +86,8 @@ var IPA = function () {
     /**
      * User information
      *
-     * - output of ipa user-find --whoami
+     * - output of ipa whoami in that.whoami.metadata and then object_show method
+     * in that.whoami.data
      */
     that.whoami = {};
@@ -263,19 +264,33 @@ var IPA = function () {
      */
     that.get_whoami_command = function(batch) {
         return rpc.command({
-            entity: 'user',
-            method: 'find',
-            options: {
-                whoami: true,
-                all: true
-            },
+            method: 'whoami',
             on_success: function(data, text_status, xhr) {
-                that.whoami = batch ? data.result[0] : data.result.result[0];
-                var cn = that.whoami.krbcanonicalname;
-                if (cn) that.principal = cn[0];
-                if (!that.principal) {
-                    that.principal = that.whoami.krbprincipalname[0];
-                }
+                that.whoami.metadata = data;
+
+                rpc.command({
+                    method: data.details || data.command,
+                    args: data.arguments,
+                    options: function() {
+                        var options = data.options || [];
+                        $.extend(options, {all: true});
+                        return options;
+                    }(),
+                    on_success: function(data, text_status, xhr) {
+                        that.whoami.data = false ? data.result[0] : data.result.result;
+                        var entity = that.whoami.metadata.object;
+
+                        if (entity === 'user') {
+                            var cn = that.whoami.data.krbcanonicalname;
+                            if (cn) that.principal = cn[0];
+                            if (!that.principal) {
+                                that.principal = that.whoami.data.krbprincipalname[0];
+                            }
+                        } else if (entity === 'idoverrideuser') {
+                            that.principal = that.whoami.data.ipaoriginaluid[0];
+                        }
+                    }
+                }).execute();
             }
         });
     };
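Review bot: `that.whoami.data = false ? data.result[0] : data.result.result;` is a dead conditional left over from the old `batch ?` expression, and the `batch` parameter of `get_whoami_command` is no longer used anywhere in the hunk; write `that.whoami.data = data.result.result;` and either drop `batch` or honour it in the nested command. `var options = data.options || [];` followed by `$.extend(options, {all: true})` sets a named property on an array whenever the server returns no options; the default should be `{}`. The outer `on_success` now reads `data.details`/`data.arguments` directly from its argument, while the `password_selfservice` hunk further down hands it `data.result`, so the two call paths appear to pass different shapes; worth confirming against what `rpc.command` gives `on_success` in the non-batch case.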
@@ -616,7 +631,7 @@ IPA.update_password_expiration = function() {
     var now, expires, notify_days, diff, message, container, notify;
-    expires = rpc.extract_objects(IPA.whoami.krbpasswordexpiration);
+    expires = rpc.extract_objects(IPA.whoami.data.krbpasswordexpiration);
     expires = expires ? datetime.parse(expires[0]) : null;
     notify_days = IPA.server_config.ipapwdexpadvnotify;
@@ -650,13 +665,13 @@ IPA.update_password_expiration = function() {
 IPA.password_selfservice = function() {
     var reset_dialog = builder.build('dialog', {
         $type: 'user_password',
-        args: [IPA.whoami.uid[0]]
+        args: [IPA.whoami.data.uid[0]]
     });
     reset_dialog.succeeded.attach(function() {
         var command = IPA.get_whoami_command();
         var orig_on_success = command.on_success;
         command.on_success = function(data, text_status, xhr) {
-            orig_on_success.call(this, data, text_status, xhr);
+            orig_on_success.call(this, data.result, text_status, xhr);
             IPA.update_password_expiration();
         };
         command.execute();
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 4f78e4bf9ba25bf2f7585e38086b1cbc6db34026..9329694c14a47cbe1ec244554327b40743044d7b 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -353,5 +353,15 @@ nav.self_service = {
     ]
 };
+nav.ad_self_service = {
+    name: 'ad_self_service',
+    items: [
+        {
+            entity: 'idoverrideuser',
+            label: 'Profile'
+        }
+    ]
+};
+
 return nav;
 });
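Review bot: The new menu entry uses a bare `label: 'Profile'`, while the idoverrideuser facet in this same patch takes its label from `'@i18n:objects.idoverrideuser.profile'` and `internal.py` adds exactly that message. Use the i18n reference here as well, `label: '@i18n:objects.idoverrideuser.profile'`, so the AD self-service menu is translatable like the rest of the navigation.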
diff --git a/install/ui/src/freeipa/otptoken.js b/install/ui/src/freeipa/otptoken.js
index caa7a85523d6e63db629a3a518e8611d511f7952..1f6f20d801042a5424ecf5894658df9411723bcc 100644
--- a/install/ui/src/freeipa/otptoken.js
+++ b/install/ui/src/freeipa/otptoken.js
@@ -361,7 +361,7 @@ otptoken.adder_dialog = function(spec) {
         var command = that.entity_adder_dialog_create_add_command(record);
         if (that.self_service) {
-            command.set_option('ipatokenowner', IPA.whoami.uid[0]);
+            command.set_option('ipatokenowner', IPA.whoami.data.uid[0]);
         }
         return command;
     };
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 4bb04488b51dd43a437ab3759eb3f530afe62550..6b2bf196c31e7891d3389eb2e2774f56d88ac2ba 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -735,7 +735,7 @@ IPA.user.password_dialog = function(spec) {
     var that = dialogs.command_dialog(spec);
     that.is_self_service = function() {
-        var self_service = that.args[0] === IPA.whoami.uid[0];
+        var self_service = that.args[0] === IPA.whoami.data.uid[0];
         return self_service;
     };
@@ -895,7 +895,8 @@ IPA.user.self_service_other_user_evaluator = function(spec) {
         that.state = [];
         var value = that.adapter.load(data);
-        if (IPA.is_selfservice && IPA.whoami.uid[0] !== value[0]) {
+        if (IPA.is_aduser_selfservice ||
+            (IPA.is_selfservice && IPA.whoami.data.uid[0] !== value[0])) {
             that.state.push('self-service-other');
         }
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 9fa1b6de857cf7e21210f557befabff32da0d4ff..6feefa5941506f38f01b8016a22cad14a831e3fc 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -625,6 +625,7 @@ class i18n_messages(Command):
                 "anchor_label": _("User to override"),
                 "anchor_tooltip": _("Enter trusted or IPA user login. Note: search doesn't list users from trusted domains."),
                 "anchor_tooltip_ad": _("Enter trusted user login."),
+                "profile": _("Profile"),
             },
             "idoverridegroup": {
                 "anchor_label": _("Group to override"),
--
2.12.1
SOURCES/0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch
File was deleted
SOURCES/0017-cert-do-not-limit-internal-searches-in-cert-find.patch
New file
@@ -0,0 +1,105 @@
From ca26e32beb77fbd8fcc66e6eea07c6eeeb9261c9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Mar 2017 06:58:25 +0000
Subject: [PATCH] cert: do not limit internal searches in cert-find
Instead, apply the limits on the combined result.
This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.
https://pagure.io/freeipa/issue/6716
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/plugins/cert.py | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 9f901076075809592ad5ddeec8d71c273d4853c9..1a6d04533cebb2eb00022981dae9ffe5b785ba8b 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1324,7 +1324,7 @@ class cert_find(Search, CertMethod):
         return result, False, True
-    def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
+    def _ca_search(self, all, raw, pkey_only, exactly, **options):
         ra_options = {}
         for name in ('revocation_reason',
                      'issuer',
@@ -1343,10 +1343,6 @@ class cert_find(Search, CertMethod):
             elif isinstance(value, DN):
                 value = unicode(value)
             ra_options[name] = value
-        if sizelimit > 0:
-            # Dogtag doesn't tell that the size limit was exceeded
-            # search for one more entry so that we can tell ourselves
-            ra_options['sizelimit'] = sizelimit + 1
         if exactly:
             ra_options['exactly'] = True
@@ -1369,11 +1365,6 @@ class cert_find(Search, CertMethod):
         ra = self.api.Backend.ra
         for ra_obj in ra.find(ra_options):
-            if sizelimit > 0 and len(result) >= sizelimit:
-                self.add_message(messages.SearchResultTruncated(
-                        reason=errors.SizeLimitExceeded()))
-                break
-
             issuer = DN(ra_obj['issuer'])
             serial_number = ra_obj['serial_number']
@@ -1411,8 +1402,7 @@ class cert_find(Search, CertMethod):
         return result, False, complete
-    def _ldap_search(self, all, raw, pkey_only, no_members, timelimit,
-                     sizelimit, **options):
+    def _ldap_search(self, all, raw, pkey_only, no_members, **options):
         ldap = self.api.Backend.ldap2
         filters = []
@@ -1453,8 +1443,8 @@ class cert_find(Search, CertMethod):
                 base_dn=self.api.env.basedn,
                 filter=filter,
                 attrs_list=['usercertificate'],
-                time_limit=timelimit,
-                size_limit=sizelimit,
+                time_limit=0,
+                size_limit=0,
             )
         except errors.EmptyResult:
             entries = []
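Review bot: `time_limit=0` here, together with dropping `timelimit` from `_ldap_search`'s signature, means the caller's `--timelimit` no longer bounds anything in cert-find: the final hunk re-applies only `sizelimit` to the combined result. Unlike the size limit, a wall-clock bound does not interfere with combining per-source results, so keep `time_limit=timelimit` on this search (and keep passing `timelimit` through), unless it is re-applied somewhere outside the visible hunks. With both limits at 0 a cert-find caller can now drive an unbounded directory search whose only cap is whatever server-side limit the directory enforces for the bound identity; that trade-off deserves a comment at the `size_limit=0,` line. The enclosing method starts before the hunk.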
@@ -1527,13 +1517,9 @@ class cert_find(Search, CertMethod):
                 raw=raw,
                 pkey_only=pkey_only,
                 no_members=no_members,
-                timelimit=timelimit,
-                sizelimit=sizelimit,
                 **options)
             if sub_complete:
-                sizelimit = 0
-
                 for key in tuple(result):
                     if key not in sub_result:
                         del result[key]
@@ -1552,6 +1538,12 @@ class cert_find(Search, CertMethod):
             complete = complete or sub_complete
         result = list(six.itervalues(result))
+        if sizelimit > 0 and len(result) > sizelimit:
+            if not truncated:
+                self.add_message(messages.SearchResultTruncated(
+                        reason=errors.SizeLimitExceeded()))
+            result = result[:sizelimit]
+            truncated = True
         ret = dict(
             result=result
--
2.12.1
SOURCES/0018-frontend-copy-command-arguments-to-output-params-on-.patch
File was deleted
SOURCES/0018-ipa-kdb-add-ipadb_fetch_principals_with_extra_filter.patch
New file
@@ -0,0 +1,132 @@
From 7a115884d370d8e9b2c7b110a0565fe5b78446a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
Additionally make ipadb_find_principal public.
Related to https://pagure.io/freeipa/issue/4905
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb.h            | 11 +++++++
 daemons/ipa-kdb/ipa_kdb_principals.c | 58 ++++++++++++++++++++++++++++--------
 2 files changed, 56 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3c012186fd73b27abef09602b0d0e96e8d..72f2675809a3267cce30bc06c77335697c7287ad 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
                                     char **db_args);
 krb5_error_code ipadb_delete_principal(krb5_context kcontext,
                                        krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+                                         unsigned int flags,
+                                         const char *principal,
+                                         const char *filter,
+                                         LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+                                     unsigned int flags,
+                                     LDAPMessage *res,
+                                     char **principal,
+                                     LDAPMessage **entry);
 #if KRB5_KDB_API_VERSION < 8
 krb5_error_code ipadb_iterate(krb5_context kcontext,
                               char *match_entry,
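Review bot: The newly exported `ipadb_fetch_principals_with_extra_filter` gives no contract for its `filter` argument, yet in the implementation it is pasted into the LDAP search filter as-is next to the escaped principal. A header comment is needed: `/* filter: optional, already escaped and parenthesised LDAP filter component(s), AND-ed with the principal lookup; NULL means no extra filter. */`. `ipadb_find_principal` should likewise say that `principal` and `entry` are out-parameters and who frees them, which the prototype alone does not convey.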
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8c70c61b056a714bc0a8149bd8524beb1d..82c857430b11279b4029fa72a6d430610524ba43 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
                                 "(objectclass=krbprincipal))" \
                               "(krbprincipalname=%s))"
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+                                          "(objectclass=krbprincipal)" \
+                                          "(objectclass=ipakrbprincipal))" \
+                                        "(|(ipakrbprincipalalias=%s)" \
+                                          "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+                                         "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+                                      "(objectclass=krbprincipal))" \
+                                    "(krbprincipalname=%s)" \
+                                    "%s)"
 static char *std_principal_attrs[] = {
     "krbPrincipalName",
     "krbCanonicalName",
@@ -864,10 +875,12 @@ done:
     return kerr;
 }
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
-                                              unsigned int flags,
-                                              char *principal,
-                                              LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+                                         unsigned int flags,
+                                         const char *principal,
+                                         const char *filter,
+                                         LDAPMessage **result)
 {
     krb5_error_code kerr;
     char *src_filter = NULL;
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
         goto done;
     }
-    if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-        ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-                       esc_original_princ, esc_original_princ);
+    if (filter == NULL) {
+        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+                           esc_original_princ, esc_original_princ);
+        } else {
+            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+        }
     } else {
-        ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+            ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+                           esc_original_princ, esc_original_princ, filter);
+        } else {
+            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+                           esc_original_princ, filter);
+        }
     }
     if (ret == -1) {
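Review bot: The caller-supplied `filter` is spliced into the LDAP query verbatim through the trailing `%s` of PRINC_TGS_SEARCH_FILTER_EXTRA / PRINC_SEARCH_FILTER_EXTRA, while the principal goes through `esc_original_princ`; nothing here checks that the extra filter is a complete, parenthesised and already-escaped filter component, so a malformed or attacker-influenced filter would change the search rather than fail it. The only caller visible in this import passes the output of `sss_certmap_get_search_filter`, whose escaping the diff does not show, so the contract should at least be stated on the newly non-static function: `/* filter: optional complete LDAP filter component, ANDed with the principal match; must already be escaped by the caller */`. An empty string is accepted as well and just yields `(&(...)(krbprincipalname=X))`, which is harmless but worth a word in that comment. ipadb_fetch_principals_with_extra_filter begins and ends outside this hunk.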
@@ -913,11 +936,20 @@ done:
     return kerr;
 }
-static krb5_error_code ipadb_find_principal(krb5_context kcontext,
-                                            unsigned int flags,
-                                            LDAPMessage *res,
-                                            char **principal,
-                                            LDAPMessage **entry)
+static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
+                                              unsigned int flags,
+                                              char *principal,
+                                              LDAPMessage **result)
+{
+    return ipadb_fetch_principals_with_extra_filter(ipactx, flags, principal,
+                                                    NULL, result);
+}
+
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+                                     unsigned int flags,
+                                     LDAPMessage *res,
+                                     char **principal,
+                                     LDAPMessage **entry)
 {
     struct ipadb_context *ipactx;
     bool found = false;
--
2.12.1
SOURCES/0019-IPA-certauth-plugin.patch
New file
@@ -0,0 +1,609 @@
From 0956c8149f11921ed427d67b10bb9b6c4b97df48 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 2 Feb 2017 12:32:13 +0100
Subject: [PATCH] IPA certauth plugin
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.
Related to https://pagure.io/freeipa/issue/4905
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 daemons/ipa-kdb/Makefile.am        |  24 ++-
 daemons/ipa-kdb/ipa-certauth.in    |   5 +
 daemons/ipa-kdb/ipa_kdb.c          |   2 +
 daemons/ipa-kdb/ipa_kdb.exports    |   1 +
 daemons/ipa-kdb/ipa_kdb.h          |   5 +
 daemons/ipa-kdb/ipa_kdb_certauth.c | 398 +++++++++++++++++++++++++++++++++++++
 freeipa.spec.in                    |   2 +
 server.m4                          |  13 ++
 8 files changed, 449 insertions(+), 1 deletion(-)
 create mode 100644 daemons/ipa-kdb/ipa-certauth.in
 create mode 100644 daemons/ipa-kdb/ipa_kdb_certauth.c
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 6a2caa0637bf076c796b50efc92412062524f35f..715666e779a4fa64c2c0f71767f09efb19b5f908 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -18,6 +18,7 @@ AM_CPPFLAGS =                        \
     $(WARN_CFLAGS)                    \
     $(NDRPAC_CFLAGS)                \
     $(NSS_CFLAGS)                    \
+    $(SSSCERTMAP_CFLAGS)                \
     $(NULL)
 plugindir = $(libdir)/krb5/plugins/kdb
@@ -39,6 +40,20 @@ ipadb_la_SOURCES =         \
     ipa_kdb_audit_as.c    \
     $(NULL)
+if BUILD_IPA_CERTAUTH_PLUGIN
+ipadb_la_SOURCES += ipa_kdb_certauth.c
+
+
+%: %.in
+    sed \
+        -e 's|@plugindir@|$(plugindir)|g' \
+        '$(srcdir)/$@.in' >$@
+
+krb5confdir = $(sysconfdir)/krb5.conf.d
+krb5conf_DATA = ipa-certauth
+CLEANFILES = $(krb5conf_DATA)
+endif
+
 ipadb_la_LDFLAGS =         \
     -avoid-version         \
     -module            \
@@ -50,6 +65,7 @@ ipadb_la_LIBADD =         \
     $(NDRPAC_LIBS)        \
     $(UNISTRING_LIBS)    \
     $(NSS_LIBS)             \
+    $(SSSCERTMAP_LIBS)    \
     $(top_builddir)/util/libutil.la    \
     $(NULL)
@@ -70,6 +86,11 @@ ipa_kdb_tests_SOURCES =        \
        ipa_kdb_delegation.c    \
        ipa_kdb_audit_as.c      \
        $(NULL)
+
+if BUILD_IPA_CERTAUTH_PLUGIN
+ipa_kdb_tests_SOURCES += ipa_kdb_certauth.c
+endif
+
 ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
 ipa_kdb_tests_LDADD =          \
        $(CMOCKA_LIBS)          \
@@ -78,12 +99,13 @@ ipa_kdb_tests_LDADD =          \
        $(NDRPAC_LIBS)          \
        $(UNISTRING_LIBS)       \
        $(NSS_LIBS)             \
+       $(SSSCERTMAP_LIBS)      \
        $(top_builddir)/util/libutil.la    \
        -lkdb5                  \
        -lsss_idmap             \
        $(NULL)
-dist_noinst_DATA = ipa_kdb.exports
+dist_noinst_DATA = ipa_kdb.exports ipa-certauth.in
 clean-local:
     rm -f tests/.dirstamp
diff --git a/daemons/ipa-kdb/ipa-certauth.in b/daemons/ipa-kdb/ipa-certauth.in
new file mode 100644
index 0000000000000000000000000000000000000000..eda89a26f02fbea449eb754b232b8115904acd21
--- /dev/null
+++ b/daemons/ipa-kdb/ipa-certauth.in
@@ -0,0 +1,5 @@
+[plugins]
+ certauth = {
+  module = ipakdb:@plugindir@/ipadb.so
+  enable_only = ipakdb
+ }
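Review bot: `enable_only = ipakdb` restricts the certauth interface to this module, yet ipa_certauth_authorize in this same patch only maps the certificate to a principal and performs no key-usage or EKU check of its own. If the KDC applies `enable_only` to its built-in pkinit_san and pkinit_eku modules as well (this diff does not show that), the snippet would silently drop the EKU/KU enforcement PKINIT previously relied on, so either confirm the built-ins are unaffected or drop `enable_only` so they stay enabled. A one-line comment in the snippet stating which certificate checks are expected to remain active would help whoever edits it next.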
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c19b7c40e2e88173ab8367a3ef1d7f46245fd174..a961e4e57cf5379eb237551d56e3bc8dc82d952d 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -67,6 +67,8 @@ static void ipadb_context_free(krb5_context kcontext,
         }
         free(cfg->authz_data);
+        ipa_certauth_free_moddata(&((*ctx)->certauth_moddata));
+
         free(*ctx);
         *ctx = NULL;
     }
diff --git a/daemons/ipa-kdb/ipa_kdb.exports b/daemons/ipa-kdb/ipa_kdb.exports
index d2c3f30246cc7ebcba02a9ec5d134e604fa0dbb9..27ce92d2edd741245061a5f4ee9275169440c932 100644
--- a/daemons/ipa-kdb/ipa_kdb.exports
+++ b/daemons/ipa-kdb/ipa_kdb.exports
@@ -3,6 +3,7 @@ EXPORTED {
     # public symbols
     global:
         kdb_function_table;
+        certauth_ipakdb_initvt;
     # everything else is local
     local:
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 72f2675809a3267cce30bc06c77335697c7287ad..632c1979d15e88aec86d5e408ed6c7017d8362b8 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -40,6 +40,7 @@
 #include <arpa/inet.h>
 #include <endian.h>
 #include <unistd.h>
+#include <krb5/certauth_plugin.h>
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
@@ -111,6 +112,7 @@ struct ipadb_context {
     krb5_key_salt_tuple *def_encs;
     int n_def_encs;
     struct ipadb_mspac *mspac;
+    krb5_certauth_moddata certauth_moddata;
     /* Don't access this directly, use ipadb_get_global_config(). */
     struct ipadb_global_config config;
@@ -331,3 +333,6 @@ ipadb_get_global_config(struct ipadb_context *ipactx);
 int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
                              char *attr, krb5_key_salt_tuple **enc_salt_types,
                              int *n_enc_salt_types);
+
+/* CERTAUTH PLUGIN */
+void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
new file mode 100644
index 0000000000000000000000000000000000000000..a53a2ce4e7ceb06ec8de117cdbca2666fdb5a97a
--- /dev/null
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -0,0 +1,398 @@
+/** BEGIN COPYRIGHT BLOCK
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GPLv3 section 7:
+ *
+ * In the following paragraph, "GPL" means the GNU General Public
+ * License, version 3 or any later version, and "Non-GPL Code" means
+ * code that is governed neither by the GPL nor a license
+ * compatible with the GPL.
+ *
+ * You may link the code of this Program with Non-GPL Code and convey
+ * linked combinations including the two, provided that such Non-GPL
+ * Code only links to the code of this Program through those well
+ * defined interfaces identified in the file named EXCEPTION found in
+ * the source code files (the "Approved Interfaces"). The files of
+ * Non-GPL Code may instantiate templates or use macros or inline
+ * functions from the Approved Interfaces without causing the resulting
+ * work to be covered by the GPL. Only the copyright holders of this
+ * Program may make changes or additions to the list of Approved
+ * Interfaces.
+ *
+ * Authors:
+ * Sumit Bose <sbose@redhat.com>
+ *
+ * Copyright (C) 2017 Red Hat, Inc.
+ * All rights reserved.
+ * END COPYRIGHT BLOCK **/
+
+#include <errno.h>
+//#include <krb5/certauth_plugin.h>
+#include <syslog.h>
+#include <sss_certmap.h>
+
+#include "util/ipa_krb5.h"
+#include "ipa_kdb.h"
+
+#define IPA_OC_CERTMAP_RULE "ipaCertMapRule"
+#define IPA_CERTMAP_MAPRULE "ipaCertMapMapRule"
+#define IPA_CERTMAP_MATCHRULE "ipaCertMapMatchRule"
+#define IPA_CERTMAP_PRIORITY "ipaCertMapPriority"
+#define IPA_ENABLED_FLAG "ipaEnabledFlag"
+#define IPA_TRUE_VALUE "TRUE"
+#define IPA_ASSOCIATED_DOMAIN "associatedDomain"
+
+#define OBJECTCLASS "objectClass"
+
+#define CERTMAP_FILTER "(&("OBJECTCLASS"="IPA_OC_CERTMAP_RULE")" \
+                              "("IPA_ENABLED_FLAG"="IPA_TRUE_VALUE"))"
+
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
+
+struct krb5_certauth_moddata_st {
+    char *local_domain;
+    struct sss_certmap_ctx *sss_certmap_ctx;
+    struct ipadb_context *ipactx;
+};
+
+void ipa_certmap_debug(void *private,
+                       const char *file, long line,
+                       const char *function,
+                       const char *format, ...)
+{
+    va_list ap;
+    char str[255] = { 0 };
+
+    va_start(ap, format);
+    vsnprintf(str, sizeof(str)-1, format, ap);
+    va_end(ap);
+    krb5_klog_syslog(LOG_INFO, str);
+}
+
+void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata)
+{
+    if (moddata == NULL || *moddata == NULL) {
+        return;
+    }
+
+    free((*moddata)->local_domain);
+    (*moddata)->local_domain = NULL;
+    sss_certmap_free_ctx((*moddata)->sss_certmap_ctx);
+    (*moddata)->sss_certmap_ctx = NULL;
+
+    free(*moddata);
+
+    return;
+}
+
+static krb5_error_code ipa_get_init_data(krb5_context kcontext,
+                                         krb5_certauth_moddata moddata_out)
+{
+    int ret;
+    struct sss_certmap_ctx *ctx = NULL;
+    struct ipadb_context *ipactx;
+    krb5_error_code kerr;
+    char *basedn = NULL;
+    LDAPMessage *result = NULL;
+    LDAPMessage *le;
+    LDAP *lc;
+    size_t c;
+    uint32_t prio;
+    char *map_rule = NULL;
+    char *match_rule = NULL;
+    char **domains = NULL;
+
+    const char *certmap_attrs[] = { OBJECTCLASS,
+                                    IPA_CERTMAP_PRIORITY,
+                                    IPA_CERTMAP_MATCHRULE,
+                                    IPA_CERTMAP_MAPRULE,
+                                    IPA_ASSOCIATED_DOMAIN,
+                                    IPA_ENABLED_FLAG,
+                                    NULL};
+
+
+    krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
+
+    ipactx = ipadb_get_context(kcontext);
+    if (ipactx == NULL) {
+        return KRB5_KDB_DBNOTINITED;
+    }
+
+    if (ipactx->certauth_moddata == NULL) {
+        ret = asprintf(&basedn, "cn=certmap,%s", ipactx->base);
+        if (ret == -1) {
+            return ENOMEM;
+        }
+
+        kerr = ipadb_simple_search(ipactx,basedn, LDAP_SCOPE_SUBTREE,
+                                   CERTMAP_FILTER, discard_const(certmap_attrs),
+                                   &result);
+        if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) {
+            goto done;
+        }
+
+        ret = sss_certmap_init(NULL, ipa_certmap_debug, NULL, &ctx);
+        if (ret != 0) {
+            return ret;
+        }
+
+        if (kerr == KRB5_KDB_NOENTRY) {
+            ret = sss_certmap_add_rule(ctx, SSS_CERTMAP_MIN_PRIO,
+                                       NULL, NULL, NULL);
+            if (ret != 0) {
+                goto done;
+            }
+        } else {
+            lc = ipactx->lcontext;
+
+            for (le = ldap_first_entry(lc, result); le;
+                                                 le = ldap_next_entry(lc, le)) {
+                prio = SSS_CERTMAP_MIN_PRIO;
+                ret = ipadb_ldap_attr_to_uint32(lc, le, IPA_CERTMAP_PRIORITY,
+                                                &prio);
+                if (ret != 0 && ret != ENOENT) {
+                    goto done;
+                }
+
+                free(map_rule);
+                map_rule = NULL;
+                ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MAPRULE,
+                                             &map_rule);
+                if (ret != 0 && ret != ENOENT) {
+                    goto done;
+                }
+
+                free(match_rule);
+                match_rule = NULL;
+                ret = ipadb_ldap_attr_to_str(lc, le, IPA_CERTMAP_MATCHRULE,
+                                             &match_rule);
+                if (ret != 0 && ret != ENOENT) {
+                    goto done;
+                }
+
+                if (domains != NULL) {
+                    for (c = 0; domains[c] != NULL; c++) {
+                        free(domains[c]);
+                    }
+                    free(domains);
+                    domains = NULL;
+                }
+                ret = ipadb_ldap_attr_to_strlist(lc, le, IPA_ASSOCIATED_DOMAIN,
+                                                 &domains);
+                if (ret != 0 && ret != ENOENT) {
+                    goto done;
+                }
+
+                ret = sss_certmap_add_rule(ctx, prio, match_rule, map_rule,
+                                           (const char **) domains);
+                if (ret != 0) {
+                    goto done;
+                }
+            }
+        }
+
+        ipactx->certauth_moddata = moddata_out;
+
+        if (ipactx->realm != NULL) {
+            ipactx->certauth_moddata->local_domain = strdup(ipactx->realm);
+            if (ipactx->certauth_moddata->local_domain == NULL) {
+                free(ipactx->certauth_moddata);
+                ipactx->certauth_moddata = NULL;
+                ret = ENOMEM;
+                goto done;
+            }
+        }
+
+        ipactx->certauth_moddata->sss_certmap_ctx = ctx;
+        ipactx->certauth_moddata->ipactx = ipactx;
+
+    }
+
+    ret = 0;
+
+done:
+    ldap_msgfree(result);
+    free(basedn);
+    free(map_rule);
+    free(match_rule);
+    if (domains != NULL) {
+        for (c = 0; domains[c] != NULL; c++) {
+            free(domains[c]);
+        }
+        free(domains);
+        domains = NULL;
+    }
+
+    if (ret != 0) {
+        sss_certmap_free_ctx(ctx);
+    }
+
+    return ret;
+}
+
+static krb5_error_code ipa_certauth_authorize(krb5_context context,
+                                              krb5_certauth_moddata moddata,
+                                              const uint8_t *cert,
+                                              size_t cert_len,
+                                              krb5_const_principal princ,
+                                              const void *opts,
+                                              const krb5_db_entry *db_entry,
+                                              char ***authinds_out)
+{
+    char *cert_filter = NULL;
+    char **domains = NULL;
+    int ret;
+    size_t c;
+    char *principal = NULL;
+    LDAPMessage *res = NULL;
+    krb5_error_code kerr;
+    LDAPMessage *lentry;
+
+    if (moddata == NULL) {
+        return KRB5_PLUGIN_NO_HANDLE;
+    }
+
+    if (moddata->sss_certmap_ctx == NULL) {
+        kerr = ipa_get_init_data(context, moddata);
+        if (kerr != 0) {
+            krb5_klog_syslog(LOG_ERR, "Failed to init certmapping data");
+            return KRB5_PLUGIN_NO_HANDLE;
+        }
+    }
+
+    ret = krb5_unparse_name(context, princ, &principal);
+    if (ret != 0) {
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        goto done;
+    }
+    krb5_klog_syslog(LOG_INFO, "Doing certauth authorize for [%s]", principal);
+
+    ret = sss_certmap_get_search_filter(moddata->sss_certmap_ctx,
+                                        cert, cert_len,
+                                        &cert_filter, &domains);
+    if (ret != 0) {
+        if (ret == ENOENT) {
+            ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        }
+        goto done;
+    }
+    krb5_klog_syslog(LOG_INFO, "Got cert filter [%s]", cert_filter);
+
+    /* If there are no domains assigned the rule will apply to the local
+     * domain only. */
+    if (domains != NULL) {
+
+        if (moddata->local_domain == NULL) {
+        /* We don't know our own domain name, in general this should not
+         * happen. But to be fault tolerant we allow matching rule which
+         * do not have a domain assigned. */
+
+            ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+            goto done;
+        }
+
+        for (c = 0; domains[c] != NULL; c++) {
+            if (strcasecmp(domains[c], moddata->local_domain) == 0) {
+                break;
+            }
+        }
+
+        /* Our domain was not in the list */
+        if (domains[c] == NULL) {
+            ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+            goto done;
+        }
+    }
+
+    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
+                                                    KRB5_KDB_FLAG_ALIAS_OK,
+                                                    principal,
+                                                    cert_filter,
+                                                    &res);
+    if (kerr != 0) {
+        krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        goto done;
+    }
+
+    kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
+                                &principal, &lentry);
+    if (kerr == KRB5_KDB_NOENTRY) {
+        krb5_klog_syslog(LOG_INFO, "No matching entry found");
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        goto done;
+    } else if (kerr != 0) {
+        krb5_klog_syslog(LOG_ERR, "ipadb_find_principal failed [%d]", kerr);
+        ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
+        goto done;
+    }
+
+    /* TODO: add more tests ? */
+
+    ret = 0;
+
+done:
+    sss_certmap_free_filter_and_domains(cert_filter, domains);
+    krb5_free_unparsed_name(context, principal);
+    ldap_msgfree(res);
+
+    return ret;
+}
+
+static krb5_error_code ipa_certauth_init(krb5_context kcontext,
+                                         krb5_certauth_moddata *moddata_out)
+{
+    struct krb5_certauth_moddata_st *certauth_moddata;
+
+    certauth_moddata = calloc(1, sizeof(struct krb5_certauth_moddata_st));
+    if (certauth_moddata == NULL) {
+        return ENOMEM;
+    }
+
+    *moddata_out = certauth_moddata;
+
+    return 0;
+}
+
+static void ipa_certauth_fini(krb5_context context,
+                              krb5_certauth_moddata moddata_out)
+{
+    krb5_klog_syslog(LOG_INFO, "IPA certauth plugin un-loaded.");
+    return;
+}
+
+
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
+                                          int maj_ver, int min_ver,
+                                          krb5_plugin_vtable vtable)
+{
+    krb5_certauth_vtable vt;
+
+    if (maj_ver != 1) {
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    }
+
+    vt = (krb5_certauth_vtable) vtable;
+
+    vt->name = "ipakdb";
+    vt->authorize = ipa_certauth_authorize;
+    vt->init = ipa_certauth_init;
+    vt->fini = ipa_certauth_fini;
+    /* currently we do not return authentication indicators */
+    vt->free_ind = NULL;
+    return 0;
+}
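Review bot: ipa_certmap_debug hands the formatted message to `krb5_klog_syslog(LOG_INFO, str)` as the format string, so any `%` sequence in a certmap debug message (which may quote certificate-derived values) is interpreted by the logger; it should be `krb5_klog_syslog(LOG_INFO, "%s", str);`. In ipa_get_init_data the `goto done` taken when ipadb_simple_search fails leaves `ret` holding asprintf's return value (the length of `basedn`), so the function returns an arbitrary non-zero code instead of the search error; set `ret = kerr;` before the jump. At `free(ipactx->certauth_moddata)` on strdup failure the code frees the moddata object that the KDC's certauth framework still holds (it was allocated in ipa_certauth_init and returned through `*moddata_out`), so a later authorize or fini call would touch freed memory; only clear `ipactx->certauth_moddata = NULL;` there and leave the allocation to its owner. The early `return ret;` after a failed sss_certmap_init also leaks `basedn` and `result`; routing it through `done` fixes that.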
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34af88cc8ccd02da0713cb6eaca161c99f5..18291a5793a6b69dcd719f42e80e1652169e5e1d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -120,6 +120,7 @@ BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  libsss_idmap-devel
+BuildRequires:  libsss_certmap-devel
 # 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897)
 BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
 BuildRequires:  rhino
@@ -1164,6 +1165,7 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
 %dir %{_libexecdir}/ipa/certmonger
 %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
diff --git a/server.m4 b/server.m4
index 92b5cdd3a6ff90b70a9002360ff3d3aec5053392..7b2e94df91a4803849e496142788a4ed87ef487d 100644
--- a/server.m4
+++ b/server.m4
@@ -30,6 +30,19 @@ dnl -- sss_idmap is needed by the extdom exop --
 PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap])
 PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.13.90])
+dnl -- sss_certmap and certauth.h are needed by the IPA KDB certauth plugin --
+PKG_CHECK_EXISTS([sss_certmap],
+                 [PKG_CHECK_MODULES([SSSCERTMAP], [sss_certmap])],
+                 [AC_MSG_NOTICE([sss_certmap not found])])
+AC_CHECK_HEADER([krb5/certauth_plugin.h],
+                [have_certauth_plugin=yes],
+                [have_certauth_plugin=no])
+AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN],
+               [test x$have_certauth_plugin = xyes -a x"$SSSCERTMAP_LIBS" != x])
+AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN],
+           [AC_MSG_NOTICE([Build IPA KDB certauth plugin])],
+           [AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
+
 dnl ---------------------------------------------------------------------------
 dnl - Check for KRB5 krad
 dnl ---------------------------------------------------------------------------
--
2.12.1
SOURCES/0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch
File was deleted
SOURCES/0020-allow-value-output-param-in-commands-without-primary.patch
File was deleted
SOURCES/0020-configure-fix-disable-server-with-certauth-plugin.patch
New file
@@ -0,0 +1,55 @@
From 1dca2667b1e43540c377a45b0f653b0e9bc8840d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 27 Mar 2017 12:18:53 +0200
Subject: [PATCH] configure: fix --disable-server with certauth plugin
Resolves https://pagure.io/freeipa/issue/6816
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 configure.ac | 12 ++++++++++++
 server.m4    |  5 -----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2d84426d1039e822fa3ee53410c819274e763e32..8d4b82e4590e9e122f7aa5684fd78834c4b6a204 100644
--- a/configure.ac
+++ b/configure.ac
@@ -225,6 +225,18 @@ AM_COND_IF([ENABLE_SERVER], [
 ])
 dnl ---------------------------------------------------------------------------
+dnl - Check if IPA certauth plugin can be build
+dnl ---------------------------------------------------------------------------
+
+AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN],
+               [test x$have_certauth_plugin = xyes -a x"$SSSCERTMAP_LIBS" != x])
+AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN], [
+    AM_COND_IF([ENABLE_SERVER],
+               [AC_MSG_NOTICE([Build IPA KDB certauth plugin])],
+               [AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
+])
+
+dnl ---------------------------------------------------------------------------
 dnl - Check for program paths
 dnl ---------------------------------------------------------------------------
 AC_PATH_PROG(UNLINK, unlink, [AC_MSG_ERROR([unlink not found])])
diff --git a/server.m4 b/server.m4
index 7b2e94df91a4803849e496142788a4ed87ef487d..a4c99195ae535e586445cf5bbe9fef457d224531 100644
--- a/server.m4
+++ b/server.m4
@@ -37,11 +37,6 @@ PKG_CHECK_EXISTS([sss_certmap],
 AC_CHECK_HEADER([krb5/certauth_plugin.h],
                 [have_certauth_plugin=yes],
                 [have_certauth_plugin=no])
-AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN],
-               [test x$have_certauth_plugin = xyes -a x"$SSSCERTMAP_LIBS" != x])
-AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN],
-           [AC_MSG_NOTICE([Build IPA KDB certauth plugin])],
-           [AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
 dnl ---------------------------------------------------------------------------
 dnl - Check for KRB5 krad
--
2.12.1
SOURCES/0021-ipa-kdb-do-not-depend-on-certauth_plugin.h.patch
New file
@@ -0,0 +1,85 @@
From 1c421b3874488c0021a5e0d344be31c84c2b4bd0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 27 Mar 2017 13:19:57 +0200
Subject: [PATCH] ipa-kdb: do not depend on certauth_plugin.h
Related to https://pagure.io/freeipa/issue/4905
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 configure.ac              | 2 ++
 daemons/ipa-kdb/ipa_kdb.c | 2 ++
 daemons/ipa-kdb/ipa_kdb.h | 8 ++++++++
 3 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index 8d4b82e4590e9e122f7aa5684fd78834c4b6a204..ded1d71fd079a5f6947ef0627fb699783c8cc109 100644
--- a/configure.ac
+++ b/configure.ac
@@ -231,6 +231,8 @@ dnl ---------------------------------------------------------------------------
 AM_CONDITIONAL([BUILD_IPA_CERTAUTH_PLUGIN],
                [test x$have_certauth_plugin = xyes -a x"$SSSCERTMAP_LIBS" != x])
 AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN], [
+    AC_DEFINE([HAVE_KRB5_CERTAUTH_PLUGIN], [1],
+        [MIT Kerberos version supports certauth plugin])
     AM_COND_IF([ENABLE_SERVER],
                [AC_MSG_NOTICE([Build IPA KDB certauth plugin])],
                [AC_MSG_WARN([Cannot build IPA KDB certauth plugin])])
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index a961e4e57cf5379eb237551d56e3bc8dc82d952d..050bfc90cef1bce4c932f54bb6050438c60ca79f 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -67,7 +67,9 @@ static void ipadb_context_free(krb5_context kcontext,
         }
         free(cfg->authz_data);
+#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
         ipa_certauth_free_moddata(&((*ctx)->certauth_moddata));
+#endif
         free(*ctx);
         *ctx = NULL;
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 632c1979d15e88aec86d5e408ed6c7017d8362b8..72573a61adecfae152796d61b88b6c43b3a975a3 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -30,6 +30,8 @@
  * filtering purposes */
 #define SECURID 1
+#include "config.h"
+
 #include <errno.h>
 #include <kdb.h>
 #include <ldap.h>
@@ -40,7 +42,9 @@
 #include <arpa/inet.h>
 #include <endian.h>
 #include <unistd.h>
+#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
 #include <krb5/certauth_plugin.h>
+#endif
 #include "ipa_krb5.h"
 #include "ipa_pwd.h"
@@ -112,7 +116,9 @@ struct ipadb_context {
     krb5_key_salt_tuple *def_encs;
     int n_def_encs;
     struct ipadb_mspac *mspac;
+#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
     krb5_certauth_moddata certauth_moddata;
+#endif
     /* Don't access this directly, use ipadb_get_global_config(). */
     struct ipadb_global_config config;
@@ -334,5 +340,7 @@ int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
                              char *attr, krb5_key_salt_tuple **enc_salt_types,
                              int *n_enc_salt_types);
+#ifdef HAVE_KRB5_CERTAUTH_PLUGIN
 /* CERTAUTH PLUGIN */
 void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
+#endif
--
2.12.1
SOURCES/0021-server-uninstall-fails-to-remove-krb-principals.patch
File was deleted
SOURCES/0022-WebUI-Add-support-for-suppressing-warnings.patch
New file
@@ -0,0 +1,46 @@
From 3d8b42ac1e532168c2dae96ab0de3d83df0268d0 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Fri, 17 Mar 2017 15:10:42 +0100
Subject: [PATCH] WebUI: Add support for suppressing warnings
Each command can have specified an array of warning codes which will
be suppressed and won't be shown.
For specifying this it is necessary to set the command property
'suppress_warnings: [codes_of_warning]'
Part of: https://pagure.io/freeipa/issue/6618
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/rpc.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 1880f8d5732f982c25924b787b273c9e56636b20..84282f78d940ac2d18d00df92a7430ca51bbf389 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -72,6 +72,12 @@ rpc.command = function(spec) {
     that.options = $.extend({}, spec.options || {});
     /**
+     * @property {Array} suppress_warnings array of message codes which
+     * are suppressed
+     */
+    that.suppress_warnings = spec.suppress_warnings || [];
+
+    /**
      * Success handler
      * @property {Function}
      * @param {Object} data
@@ -219,6 +225,7 @@ rpc.command = function(spec) {
         for (var i=0,l=msgs.length; i<l; i++) {
             var msg = lang.clone(msgs[i]);
+            if (that.suppress_warnings.indexOf(msg.code) > -1) continue;
             // escape and reformat message
             msg.message = util.beautify_message(msg.message);
             IPA.notify(msg.message, msg.type);
--
2.12.1
SOURCES/0022-expose-secret-option-in-radiusproxy-commands.patch
File was deleted
SOURCES/0023-WebUI-suppress-truncation-warning-in-select-widget.patch
New file
@@ -0,0 +1,37 @@
From 66ea6269d7ad401e5f89b1ab33f8e827efb25dd8 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Fri, 17 Mar 2017 15:10:49 +0100
Subject: [PATCH] WebUI: suppress truncation warning in select widget
This widget is used on details pages and dialogs. When the size limit
is set to lower number the warning about truncation was shown every time
the details page was open.
Now, with support for suppressing warning messages from server according
to its code, we are able to disable warning with 13017 code (truncation
warning)
https://pagure.io/freeipa/issue/6618
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/widget.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 223b449962fabb47cf72b0443e39c295c783ab7f..b7a6504cf4af942c99ee217a2b47718af9e40f86 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5012,7 +5012,8 @@ IPA.entity_select_widget = function(spec) {
             entity: that.other_entity.name,
             method: 'find',
             args: [filter],
-            options: that.filter_options
+            options: that.filter_options,
+            suppress_warnings: [13017]
         });
         var no_members = metadata.get('@mc-opt:' + cmd.get_command() + ':no_members');
         if (no_members) {
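Review bot: The suppressed code `13017` is a bare literal in the command spec; its meaning lives only in the commit message, so a reader of widget.js cannot tell which server warning is being hidden. Add a comment on that line, `suppress_warnings: [13017] // 13017: search result truncated (size limit)`, or hoist it to a named constant such as `var WARN_SEARCH_RESULT_TRUNCATED = 13017;`. Hiding this warning also means the select widget no longer tells the user that the list is incomplete, which is the trade-off the commit intends but deserves to be stated where it is made.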
--
2.12.1
SOURCES/0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch
File was deleted
SOURCES/0024-WebUI-Fix-showing-vault-in-selfservice-view.patch
New file
@@ -0,0 +1,54 @@
From 5ccffb9ca109d820c5535140713a5b6672aa4f71 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Fri, 24 Mar 2017 10:19:21 +0100
Subject: [PATCH] WebUI: Fix showing vault in selfservice view
Vaults menu item was shown even when the KRA service was not installed.
That was caused by different path to the menu item in admin's view
and in selfservice view.
The path is now set correctly for both situations. 'network_service/vault'
for admin's view and 'vault' for selfservice view.
https://pagure.io/freeipa/issue/6812
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/navigation/menu_spec.js | 1 +
 install/ui/src/freeipa/vault.js                | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 9329694c14a47cbe1ec244554327b40743044d7b..0c30459691d8f652dc35ccf74ed27fae7654020d 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -326,6 +326,7 @@ nav.self_service = {
         { entity: 'user' },
         { entity: 'otptoken' },
         {
+            name: 'vault',
             entity: 'vault',
             facet: 'search',
             children: [
diff --git a/install/ui/src/freeipa/vault.js b/install/ui/src/freeipa/vault.js
index b5cdc810adea9b521df77eb328b55475a707580a..36a4838ee108020cf6ad7a20c59e4ab5403f3528 100644
--- a/install/ui/src/freeipa/vault.js
+++ b/install/ui/src/freeipa/vault.js
@@ -809,9 +809,11 @@ vault.config_sidebar_policy = function(spec) {
 vault.remove_vault_menu_item = function() {
-    if (!IPA.vault_enabled) {
-        menu.remove_item('network_services/vault');
-    }
+    if (IPA.vault_enabled) return;
+
+    var menu_location = IPA.is_selfservice ? 'vault' : 'network_services/vault';
+
+    menu.remove_item(menu_location);
 };
 vault.my_vault_spec = make_my_vault_spec();
--
2.12.1
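Review bot: The menu path for the self-service view is now spelled as the literal `'vault'` in two places, the `name: 'vault'` entry added in menu_spec.js and the `IPA.is_selfservice ? 'vault' : 'network_services/vault'` expression in vault.js, with nothing tying them together. A comment on the menu_spec.js line, `// name must match the path used by vault.remove_vault_menu_item`, would protect the next rename. vault.remove_vault_menu_item itself has no doc comment; a one-liner such as `/** Hide the Vaults menu item when the KRA service is not installed; the item path differs between admin and self-service views. */` would cover it.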
SOURCES/0024-trust-add-handle-all-raw-options-properly.patch
File was deleted
SOURCES/0025-Set-KDC-Disable-Last-Success-by-default.patch
New file
@@ -0,0 +1,35 @@
From ac3c0d46d947c59aa25f4c9268ef17023c87b4b2 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 22 Mar 2017 17:47:04 +0100
Subject: [PATCH] Set "KDC:Disable Last Success" by default
In big deployments enabled recording of the last sucesfull login
this creates a huge changelog on DS side and cause performance
issues even if this is excluded from replication.
Actually this is not used directly by FreeIPA so it is safe to remove
in new installations. User who need this must manually remove
"KDC:Disable Last Success" using `ipa config-mod` command or WebUI.
https://pagure.io/freeipa/issue/5313
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 install/share/bootstrap-template.ldif | 1 +
 1 file changed, 1 insertion(+)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index da12ddf0ca887e8305402048ceed5d5b28816164..ea1e5b222e7af5ed7c5d80bbaf9282735e425e18 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -410,6 +410,7 @@ ipaUserObjectClasses: ipasshuser
 ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
+ipaConfigString: KDC:Disable Last Success
 ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
--
2.12.1
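Review bot: The added `ipaConfigString: KDC:Disable Last Success` line changes a security-relevant default for new installations without any in-file explanation: the last successful login timestamp is no longer recorded, and that timestamp is commonly used to find dormant accounts and to build timelines during an incident. An LDIF comment above the line, `# Do not record the last successful login per authentication (performance); remove with ipa config-mod to re-enable`, would make the trade-off visible to whoever reads the template. The commit message says the setting is only applied to new installations, so the install documentation should state that last-success tracking is off by default and how to turn it back on.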
SOURCES/0025-unite-log-file-name-of-ipa-ca-install.patch
File was deleted
SOURCES/0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch
File was deleted
SOURCES/0026-WebUI-Allow-to-add-certs-to-certmapping-with-CERT-LI.patch
New file
@@ -0,0 +1,69 @@
From be6eedde5a5aaf7ad1b527c0cfb9699ccb98a6b5 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Mon, 27 Mar 2017 14:14:32 +0200
Subject: [PATCH] WebUI: Allow to add certs to certmapping with CERT LINES
 around
The certificate to the certmapping might be inserted as
base64 encoded blob. This patch allows to also insert the certificate
blob with surrounding "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" lines. This behavior is the same in
widget for assigning certificates to users, so the change helps
WebUI to be more consistent.
https://pagure.io/freeipa/issue/6772
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/plugins/certmap.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/install/ui/src/freeipa/plugins/certmap.js b/install/ui/src/freeipa/plugins/certmap.js
index ecbe095b9ead5c3dad70380202836608d564cd58..c613601e989f065a3d6289b02b60563020acf978 100644
--- a/install/ui/src/freeipa/plugins/certmap.js
+++ b/install/ui/src/freeipa/plugins/certmap.js
@@ -8,6 +8,7 @@ define([
         'dojo/_base/declare',
         'dojo/Evented',
         'dojo/on',
+        '../certificate',
         '../navigation',
         '../field',
         '../ipa',
@@ -19,8 +20,8 @@ define([
         // plain imports
         '../search',
         '../entity'],
-            function(lang, declare, Evented, on, navigation, mod_field, IPA,
-                     phases, reg, widget_mod, text, util) {
+            function(lang, declare, Evented, on, certificate, navigation,
+                 mod_field, IPA, phases, reg, widget_mod, text, util) {
 /**
  * Certificate map module
  * @class
@@ -312,6 +313,12 @@ certmap.certmap_multivalued_widget = function (spec) {
         var widget = widgets[0];
         var inner_widgets = widget.widgets.get_widgets();
+        var normalize_certs = function(certs) {
+            for (var k = 0, l = certs.length; k<l; k++) {
+                certs[k] = certificate.get_base64(certs[k]);
+            }
+        };
+
         for (var i = 0, l = inner_widgets.length; i<l; i++) {
             var w = inner_widgets[i];
@@ -321,6 +328,8 @@ certmap.certmap_multivalued_widget = function (spec) {
                 if (field.name === 'issuer' || field.name === 'subject') {
                     value = value[0];
+                } else if (field.name === 'certificate') {
+                    normalize_certs(value);
                 }
                 if (!util.is_empty(value)) options[field.name] = value;
--
2.12.1
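Review bot: The new `normalize_certs` helper in the certmap.js hunk rewrites the caller's `value` array in place, which is a surprising side effect for a function whose name suggests a pure transformation; returning a new array, `value = value.map(certificate.get_base64);`, would read more clearly, assuming get_base64 ignores the extra index and array arguments that map passes. The behavior of `certificate.get_base64` on input that is already a bare base64 blob is not visible here; it is presumably an identity pass-through, and a comment on the helper, `// strip PEM BEGIN/END lines if present; bare base64 is kept as-is`, would record that assumption. The enclosing certmap.certmap_multivalued_widget function starts and ends outside the hunk.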
SOURCES/0027-Bump-samba-version-for-FIPS-and-priv.-separation.patch
New file
@@ -0,0 +1,40 @@
From 9897f81c5182ee11e55d350f48968d608ef79f8b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Fri, 24 Mar 2017 14:47:38 +0100
Subject: [PATCH] Bump samba version for FIPS and priv. separation
With the latest Samba, adding trusts to AD under FIPS should now work
as well as adding trusts as a whole after the privilege separation
rework.
https://pagure.io/freeipa/issue/6671
https://pagure.io/freeipa/issue/6697
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 freeipa.spec.in | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 18291a5793a6b69dcd719f42e80e1652169e5e1d..5419ed10723fc7aa3ecc1b3f66b3ef1c8b38b12f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -36,11 +36,13 @@
 %global alt_name ipa
 %if 0%{?rhel}
-%global samba_version 4.0.5-1
+# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
+%global samba_version 4.6.0-4
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
 %else
-%global samba_version 2:4.0.5-1
+# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
+%global samba_version 2:4.6.0-4
 %global selinux_policy_version 3.13.1-158.4
 %global slapi_nis_version 0.56.1
 %endif
--
2.12.1
SOURCES/0027-help-Add-dnsserver-commands-to-help-topic-dns.patch
File was deleted
SOURCES/0028-DNS-Locations-fix-update-system-records-unpacking-er.patch
File was deleted
SOURCES/0028-Reworked-the-renaming-mechanism.patch
New file
@@ -0,0 +1,296 @@
From bd2a0a8d363af6c8b1491314d5da5f3c146e4ce6 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 27 Mar 2017 08:18:29 +0200
Subject: [PATCH] Reworked the renaming mechanism
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.
An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.
https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/plugins/automount.py         |  2 +-
 ipaserver/plugins/baseldap.py          | 32 ++++++++++++++++++++------------
 ipaserver/plugins/baseuser.py          |  2 +-
 ipaserver/plugins/ca.py                |  2 +-
 ipaserver/plugins/dns.py               |  2 +-
 ipaserver/plugins/group.py             |  2 +-
 ipaserver/plugins/idviews.py           |  6 +++---
 ipaserver/plugins/otptoken.py          |  2 +-
 ipaserver/plugins/permission.py        |  2 +-
 ipaserver/plugins/privilege.py         |  2 +-
 ipaserver/plugins/radiusproxy.py       |  2 +-
 ipaserver/plugins/role.py              |  2 +-
 ipaserver/plugins/servicedelegation.py |  2 +-
 13 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/ipaserver/plugins/automount.py b/ipaserver/plugins/automount.py
index c4cf2d6db876e13c78ecd73fc53bb356bf190e17..03f994c65832e7b6099739e951105c4b5a897391 100644
--- a/ipaserver/plugins/automount.py
+++ b/ipaserver/plugins/automount.py
@@ -456,7 +456,7 @@ class automountkey(LDAPObject):
     default_attributes = [
         'automountkey', 'automountinformation', 'description'
     ]
-    rdn_is_primary_key = True
+    allow_rename = True
     rdn_separator = ' '
     takes_params = (
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 79ba7fc4a14f8105cda481e1599b2acbd8394e45..dbe3cbd28c85ebc3d9254e24e14c5701adc673ab 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -36,7 +36,7 @@ from ipalib.text import _
 from ipalib.util import json_serialize, validate_hostname
 from ipalib.capabilities import client_has_capability
 from ipalib.messages import add_message, SearchResultTruncated
-from ipapython.dn import DN
+from ipapython.dn import DN, RDN
 from ipapython.version import API_VERSION
 if six.PY3:
@@ -549,7 +549,7 @@ class LDAPObject(Object):
     rdn_attribute = ''
     uuid_attribute = ''
     attribute_members = {}
-    rdn_is_primary_key = False # Do we need RDN change to do a rename?
+    allow_rename = False
     password_attributes = []
     # Can bind as this entry (has userPassword or krbPrincipalKey)
     bindable = False
@@ -1384,7 +1384,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
     def get_options(self):
         for option in super(LDAPUpdate, self).get_options():
             yield option
-        if self.obj.rdn_is_primary_key:
+        if self.obj.allow_rename:
             yield self._get_rename_option()
     def execute(self, *keys, **options):
@@ -1419,15 +1419,19 @@ class LDAPUpdate(LDAPQuery, crud.Update):
         _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), list(entry_attrs), allow_only=False)
         rdnupdate = False
-        try:
-            if self.obj.rdn_is_primary_key and 'rename' in options:
-                if not options['rename']:
-                    raise errors.ValidationError(name='rename', error=u'can\'t be empty')
-                entry_attrs[self.obj.primary_key.name] = options['rename']
-
-            if self.obj.rdn_is_primary_key and self.obj.primary_key.name in entry_attrs:
+        if 'rename' in options:
+            if not options['rename']:
+                raise errors.ValidationError(
+                    name='rename', error=u'can\'t be empty')
+            entry_attrs[self.obj.primary_key.name] = options['rename']
+
+        # if setattr was used to change the RDN, the primary_key.name is
+        # already in entry_attrs
+        if self.obj.allow_rename and self.obj.primary_key.name in entry_attrs:
+            # perform RDN change if the primary key is also RDN
+            if (RDN((self.obj.primary_key.name, keys[-1])) ==
+                    entry_attrs.dn[0]):
                 try:
-                    # RDN change
                     new_dn = DN((self.obj.primary_key.name,
                                  entry_attrs[self.obj.primary_key.name]),
                                 *entry_attrs.dn[1:])
@@ -1435,17 +1439,21 @@ class LDAPUpdate(LDAPQuery, crud.Update):
                         entry_attrs.dn,
                         new_dn)
-                    rdnkeys = keys[:-1] + (entry_attrs[self.obj.primary_key.name], )
+                    rdnkeys = (keys[:-1] +
+                               (entry_attrs[self.obj.primary_key.name], ))
                     entry_attrs.dn = self.obj.get_dn(*rdnkeys)
                     options['rdnupdate'] = True
                     rdnupdate = True
                 except errors.EmptyModlist:
                     # Attempt to rename to the current name, ignore
                     pass
+                except errors.NotFound:
+                    self.obj.handle_not_found(*keys)
                 finally:
                     # Delete the primary_key from entry_attrs either way
                     del entry_attrs[self.obj.primary_key.name]
+        try:
             # Exception callbacks will need to test for options['rdnupdate']
             # to decide what to do. An EmptyModlist in this context doesn't
             # mean an error occurred, just that there were no other updates to
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 44adc76ec854dadbe0d8a4e8ca03e71c30df526c..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -164,7 +164,7 @@ class baseuser(LDAPObject):
         'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
         'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
     }
-    rdn_is_primary_key = True
+    allow_rename = True
     bindable = True
     password_attributes = [('userpassword', 'has_password'),
                            ('krbprincipalkey', 'has_keytab')]
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index f774f78bd6d4ad236b37d06b8b267e8dd78f93b7..9bb163dffa645c1cbb10976e62cbd4a714139319 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -68,7 +68,7 @@ class ca(LDAPObject):
         'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn',
     ]
     rdn_attribute = 'cn'
-    rdn_is_primary_key = True
+    allow_rename = True
     label = _('Certificate Authorities')
     label_singular = _('Certificate Authority')
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py