The Identity, Policy and Audit system
CentOS Sources
2015-03-05 e3ffaba991846b3d30db421b233d97e0de702b6f
import ipa-4.1.0-18.el7
118 files added
72 files deleted
9 files modified
1 files renamed
34530 ■■■■ changed files
.gitignore 7 ●●●● patch | view | raw | blame | history
.ipa.metadata 7 ●●●● patch | view | raw | blame | history
SOURCES/0001-Do-not-check-if-port-8443-is-available-in-step-2-of-.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0002-Add-ipaSshPubkey-and-gidNumber-to-the-ACI-to-read-ID.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch 120 ●●●●● patch | view | raw | blame | history
SOURCES/0003-Fix-dns-zonemgr-validation-regression.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0004-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch 181 ●●●●● patch | view | raw | blame | history
SOURCES/0005-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch 170 ●●●●● patch | view | raw | blame | history
SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0006-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch 101 ●●●●● patch | view | raw | blame | history
SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0007-Fix-possible-NULL-dereference-in-ipa-kdb.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0007-Remove-mod_ssl-port-workaround.patch 98 ●●●●● patch | view | raw | blame | history
SOURCES/0008-Fix-memory-leaks-in-ipa-extdom-extop.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch 147 ●●●●● patch | view | raw | blame | history
SOURCES/0009-Fix-various-bugs-in-ipa-opt-counter-and-ipa-otp-last.patch 102 ●●●●● patch | view | raw | blame | history
SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0010-Fix-memory-leak-in-ipa-pwd-extop.patch 60 ●●●●● patch | view | raw | blame | history
SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch 277 ●●●●● patch | view | raw | blame | history
SOURCES/0011-Fix-memory-leaks-in-ipa-join.patch 107 ●●●●● patch | view | raw | blame | history
SOURCES/0011-test_integration-Support-external-names-for-hosts.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0012-Fix-various-bugs-in-ipap11helper.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0013-Deadlock-in-schema-compat-plugin-between-automember_.patch 83 ●●●●● patch | view | raw | blame | history
SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0014-Stop-dirsrv-last-in-ipactl-stop.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0015-Fix-upgrade-do-not-use-invalid-ldap-connection.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0016-Ensure-that-a-password-exists-after-OTP-validation.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch 198 ●●●●● patch | view | raw | blame | history
SOURCES/0017-ipa-restore-Don-t-crash-if-AD-trust-is-not-installed.patch 53 ●●●●● patch | view | raw | blame | history
SOURCES/0018-hbactest-does-not-work-for-external-users.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0018-ranges-prohibit-setting-rid-base-with-ipa-trust-ad-p.patch 159 ●●●●● patch | view | raw | blame | history
SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0019-ldapupdater-set-baserid-to-0-for-ipa-ad-trust-posix-.patch 102 ●●●●● patch | view | raw | blame | history
SOURCES/0020-idrange-include-raw-range-type-in-output.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0020-sudoOrder-missing-in-sudoers.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0021-Add-missing-example-to-sudorule.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0021-webui-prohibit-setting-rid-base-with-ipa-trust-ad-po.patch 153 ●●●●● patch | view | raw | blame | history
SOURCES/0022-Fix-CA-certificate-backup-and-restore.patch 208 ●●●●● patch | view | raw | blame | history
SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/0023-Fix-DNS-installer-adds-invalid-zonemgr-email.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch 346 ●●●●● patch | view | raw | blame | history
SOURCES/0024-ipaplatform-Use-the-dirsrv-service-not-target.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0025-CLDAP-do-not-prepend.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0025-Fix-DNS-policy-upgrade-raises-asertion-error.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0026-Fix-upgrade-referint-plugin.patch 153 ●●●●● patch | view | raw | blame | history
SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0027-Upgrade-fix-trusts-objectclass-violationi.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch 180 ●●●●● patch | view | raw | blame | history
SOURCES/0028-Produce-better-error-in-group-add-command.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0029-Search-using-proper-scope-when-connecting-CA-instanc.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch 409 ●●●●● patch | view | raw | blame | history
SOURCES/0030-Fix-zonemgr-must-be-unicode-value.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0030-Increase-service-startup-timeout-default.patch 26 ●●●●● patch | view | raw | blame | history
SOURCES/0031-Fix-warning-message-should-not-contain-CLI-commands.patch 73 ●●●●● patch | view | raw | blame | history
SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0032-Fix-wrong-expiration-date-on-renewed-IPA-CA-certific.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0033-Do-not-restore-SELinux-settings-that-were-not-backed.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch 87 ●●●●● patch | view | raw | blame | history
SOURCES/0034-Improve-otptoken-help-messages.patch 121 ●●●●● patch | view | raw | blame | history
SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch 56 ●●●●● patch | view | raw | blame | history
SOURCES/0035-Ensure-users-exist-when-assigning-tokens-to-them.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0036-Enable-QR-code-display-by-default-in-otptoken-add.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0036-Hide-trust-resolve-command.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0037-Show-warning-instead-of-error-if-CA-did-not-start.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0037-Trust-domains-Web-UI.patch 188 ●●●●● patch | view | raw | blame | history
SOURCES/0038-ipasam-delete-trusted-child-domains-before-removing-.patch 87 ●●●●● patch | view | raw | blame | history
SOURCES/0038-webui-fix-potential-XSS-vulnerabilities.patch 131 ●●●●● patch | view | raw | blame | history
SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch 104 ●●●●● patch | view | raw | blame | history
SOURCES/0039-Raise-right-exception-if-domain-name-is-not-valid.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0040-Restore-file-extended-attributes-and-SELinux-context.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0041-Migration-does-not-add-users-to-default-group.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/0041-restore-clear-httpd-ccache-after-restore.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0042-Fix-user-group-ignore-attribute-in-migration-plugin.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/0043-Fix-filtering-of-enctypes-in-server-code.patch 98 ●●●●● patch | view | raw | blame | history
SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0044-Add-asn1c-generated-code-for-keytab-controls.patch 13109 ●●●●● patch | view | raw | blame | history
SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0045-DNS-classless-support-for-reverse-domains.patch 229 ●●●●● patch | view | raw | blame | history
SOURCES/0045-Use-asn1c-helpers-to-encode-decode-the-getkeytab-con.patch 813 ●●●●● patch | view | raw | blame | history
SOURCES/0046-Fix-read_ip_addresses-should-return-ipaddr-object.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0046-Move-ipa-otpd-socket-directory.patch 84 ●●●●● patch | view | raw | blame | history
SOURCES/0047-Use-correct-service-name-in-cainstance.backup_config.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0048-ipa-restore-Check-if-directory-is-provided-better-er.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0049-Stop-tracking-certificates-before-restoring-them-in-.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/0050-Fix-detection-of-encoding-in-zonemgr-option.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0051-Too-big-font-in-input-fields.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/0051-webui-use-domain-name-instead-of-domain-SID-in-idran.patch 149 ●●●●● patch | view | raw | blame | history
SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch 75 ●●●●● patch | view | raw | blame | history
SOURCES/0052-webui-normalize-idview-tab-labels.patch 48 ●●●●● patch | view | raw | blame | history
SOURCES/0053-copy_schema_to_ca-Fallback-to-old-import-location-fo.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0054-Remove-redefinition-of-LOG-from-ipa-otp-lasttoken.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch 100 ●●●●● patch | view | raw | blame | history
SOURCES/0055-Unload-P11_Helper-object-s-library-when-it-is-finali.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0056-Fix-Kerberos-error-handling-in-ipa-sam.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch 220 ●●●●● patch | view | raw | blame | history
SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0057-Fix-unchecked-return-value-in-ipa-kdb.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0058-Fix-unchecked-return-values-in-ipa-winsync.patch 108 ●●●●● patch | view | raw | blame | history
SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch 303 ●●●●● patch | view | raw | blame | history
SOURCES/0059-Fix-unchecked-return-value-in-ipa-join.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0060-Fix-unchecked-return-value-in-krb5-common-utils.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0061-Fix-memory-leak-in-GetKeytabControl-asn1-code.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch 101 ●●●●● patch | view | raw | blame | history
SOURCES/0062-AD-trust-improve-trust-validation.patch 75 ●●●●● patch | view | raw | blame | history
SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0063-Add-TLS-1.2-to-the-protocol-list-in-mod_nss-config.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch 58 ●●●●● patch | view | raw | blame | history
SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0064-webui-add-radius-fields-to-user-page.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0065-Fix-zonemgr-option-encoding-detection.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0066-Catch-USBError-during-YubiKey-location.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch 86 ●●●●● patch | view | raw | blame | history
SOURCES/0067-Use-NSS-protocol-range-API-to-set-available-TLS-prot.patch 149 ●●●●● patch | view | raw | blame | history
SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0068-Throw-zonemgr-error-message-before-installation-proc.patch 136 ●●●●● patch | view | raw | blame | history
SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/0069-certs-Fix-incorrect-flag-handling-in-load_cacert.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0070-Preliminary-refactoring-of-libotp-files.patch 2309 ●●●●● patch | view | raw | blame | history
SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/0071-Move-authentication-configuration-cache-into-libotp.patch 1207 ●●●●● patch | view | raw | blame | history
SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/0072-Enable-last-token-deletion-when-password-auth-type-i.patch 327 ●●●●● patch | view | raw | blame | history
SOURCES/0073-add-hosts-and-hostgroup-options-to-allow-retrieve-ke.patch 878 ●●●●● patch | view | raw | blame | history
SOURCES/0074-hosts-Display-assigned-ID-view-by-default-in-host-fi.patch 152 ●●●●● patch | view | raw | blame | history
SOURCES/0075-Prefer-TCP-connections-to-UDP-in-krb5-clients.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0076-webui-fix-service-unprovisioning.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0077-webui-increase-duration-of-notification-messages.patch 30 ●●●●● patch | view | raw | blame | history
SOURCES/0078-Fix-automatic-CA-cert-renewal-endless-loop-in-dogtag.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0079-Do-not-renew-the-IPA-CA-cert-by-serial-number-in-dog.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0080-Improve-validation-of-instance-and-backend-options-i.patch 169 ●●●●● patch | view | raw | blame | history
SOURCES/0081-revert-removal-of-cn-attribute-from-idnsRecord.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0082-Check-subject-name-encoding-in-ipa-cacert-manage-ren.patch 51 ●●●●● patch | view | raw | blame | history
SOURCES/0083-Refer-the-user-to-freeipa.org-when-something-goes-wr.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/0084-Show-SSHFP-record-containing-space-in-fingerprint.patch 37 ●●●●● patch | view | raw | blame | history
SOURCES/0085-Always-add-etc-hosts-record-when-DNS-is-being-config.patch 31 ●●●●● patch | view | raw | blame | history
SOURCES/0086-Avoid-calling-ldap-functions-without-a-context.patch 61 ●●●●● patch | view | raw | blame | history
SOURCES/0087-Remove-the-removal-of-the-ccache.patch 38 ●●●●● patch | view | raw | blame | history
SOURCES/0088-Fix-Upgrade-forwardzones-zones-after-adding-newer-re.patch 145 ●●●●● patch | view | raw | blame | history
SOURCES/0089-Fix-zone-find-during-forwardzone-upgrade.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0090-migrate-ds-fix-compat-plugin-check.patch 44 ●●●●● patch | view | raw | blame | history
SOURCES/0091-rpcclient-use-json_encode_binary-for-verbose-output.patch 52 ●●●●● patch | view | raw | blame | history
SOURCES/0092-Remove-ipanttrustauthincoming-ipanttrustauthoutgoing.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0093-Abort-backup-restoration-on-not-matching-host.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0094-Fix-ipa-restore-on-systems-without-IPA-installed.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0095-Remove-RUV-from-LDIF-files-before-using-them-in-ipa-.patch 76 ●●●●● patch | view | raw | blame | history
SOURCES/0096-Fix-CA-certificate-renewal-syslog-alert.patch 28 ●●●●● patch | view | raw | blame | history
SOURCES/0097-Do-not-crash-on-unknown-services-in-installutils.sto.patch 46 ●●●●● patch | view | raw | blame | history
SOURCES/0098-Restart-dogtag-when-its-server-certificate-is-renewe.patch 65 ●●●●● patch | view | raw | blame | history
SOURCES/0099-Make-certificate-renewal-process-synchronized.patch 581 ●●●●● patch | view | raw | blame | history
SOURCES/0100-Fix-validation-of-ipa-restore-options.patch 313 ●●●●● patch | view | raw | blame | history
SOURCES/0101-Allow-PassSync-user-to-locate-and-update-NT-users.patch 284 ●●●●● patch | view | raw | blame | history
SOURCES/0102-Allow-Replication-Administrators-manipulate-Winsync-.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/0103-Do-not-assume-certmonger-is-running-in-httpinstance.patch 81 ●●●●● patch | view | raw | blame | history
SOURCES/0104-Replication-Administrators-cannot-remove-replication.patch 41 ●●●●● patch | view | raw | blame | history
SOURCES/0105-Put-LDIF-files-to-their-original-location-in-ipa-res.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/0106-Add-anonymous-read-ACI-for-DUA-profile.patch 62 ●●●●● patch | view | raw | blame | history
SOURCES/0107-Revert-Make-all-ipatokenTOTP-attributes-mandatory.patch 34 ●●●●● patch | view | raw | blame | history
SOURCES/0108-Create-correct-log-directories-during-full-restore-i.patch 57 ●●●●● patch | view | raw | blame | history
SOURCES/0109-Do-not-crash-when-replica-is-unreachable-in-ipa-rest.patch 35 ●●●●● patch | view | raw | blame | history
SOURCES/0110-idviews-Allow-setting-ssh-public-key-on-ipauseroverr.patch 36 ●●●●● patch | view | raw | blame | history
SOURCES/0111-Fix-ipa-pwd-extop-global-configuration-caching.patch 39 ●●●●● patch | view | raw | blame | history
SOURCES/0112-group-detach-does-not-add-correct-objectclasses.patch 25 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch 136 ●●●●● patch | view | raw | blame | history
SOURCES/1002-Remove-pkinit-plugin.patch 32 ●●●●● patch | view | raw | blame | history
SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch 96 ●●●●● patch | view | raw | blame | history
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch 290 ●●●●● patch | view | raw | blame | history
SOURCES/1005-Remove-pylint-from-build-process.patch 16 ●●●● patch | view | raw | blame | history
SOURCES/1006-Remove-i18test-from-build-process.patch 10 ●●●● patch | view | raw | blame | history
SOURCES/1007-Do-not-build-tests.patch 16 ●●●● patch | view | raw | blame | history
SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch 40 ●●●●● patch | view | raw | blame | history
SOURCES/1008-RCUE.patch 196 ●●●●● patch | view | raw | blame | history
SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/1010-Disable-DNSSEC-support.patch 512 ●●●●● patch | view | raw | blame | history
SOURCES/1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch 59 ●●●●● patch | view | raw | blame | history
SOURCES/1012-Expand-the-token-auth-sync-windows.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/1013-ipa-kdb-reject-principals-from-disabled-domains-as-a.patch 27 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 12 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 700 ●●●● patch | view | raw | blame | history
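--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
-SOURCES/freeipa-3.3.3.tar.gz
-SOURCES/rh-ipabanner.png
+SOURCES/freeipa-4.1.0.tar.gz
+SOURCES/header-logo.png
+SOURCES/login-screen-background.jpg
+SOURCES/login-screen-logo.png
+SOURCES/product-name.png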
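--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1,2 +1,5 @@
-32702b534b3f82c141107820283833d54d8287f2 SOURCES/freeipa-3.3.3.tar.gz
-7460c1ae34b05ea659275fe169c19f94a28db2f7 SOURCES/rh-ipabanner.png
+40a07c0e64a696dccb5d377c635db136cbc7c2a5 SOURCES/freeipa-4.1.0.tar.gz
+77c318cf1f4fc25cf847de0692a77859a767c0e3 SOURCES/header-logo.png
+8727245558422bf966d60677568925f081b8e299 SOURCES/login-screen-background.jpg
+24a29d79efbd0906777be4639957abda111fca4b SOURCES/login-screen-logo.png
+af82b7b7d327bd683c7d062a6f15713ea91ebedf SOURCES/product-name.png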
SOURCES/0001-Do-not-check-if-port-8443-is-available-in-step-2-of-.patch
New file
@@ -0,0 +1,54 @@
From e22cf5bafc4c862a16bd8ac0b950c7547b048ae9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Oct 2014 11:18:35 +0200
Subject: [PATCH] Do not check if port 8443 is available in step 2 of external
 CA install
The port is never available in step 2 of external CA install, as Dogtag is
already running.
https://fedorahosted.org/freeipa/ticket/4660
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/tools/ipa-ca-install     | 3 ++-
 install/tools/ipa-server-install | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index cb072e6789401f7041cafe926d7f88b2bb7f479d..1bda22dd66729999176c301af2f9b05843eff75c 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -301,7 +301,8 @@ def install_master(safe_options, options):
     domain_name = api.env.domain
     host_name = api.env.host
-    check_ca()
+    if external != 2:
+        check_ca()
     dirname = dsinstance.config_dirname(
         dsinstance.realm_to_serverid(realm_name))
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 0394314ee99817f221536136ae1432cc8e92220a..67dd21f302db0eba94d048cb064caf8a1f054b83 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -869,10 +869,11 @@ def main():
         # Make sure the 389-ds ports are available
         check_dirsrv(options.unattended)
-    if setup_ca:
-        if not cainstance.check_port():
-            print "IPA requires port 8443 for PKI but it is currently in use."
-            sys.exit("Aborting installation")
+        if setup_ca:
+            if not cainstance.check_port():
+                print ("IPA requires port 8443 for PKI but it is currently in "
+                       "use.")
+                sys.exit("Aborting installation")
     if options.conf_ntp:
         try:
--
1.9.3
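Review bot: In the ipa-server-install hunk the port-8443 check is re-indented under the block that already holds `check_dirsrv(options.unattended)`, so whether it runs now depends on an enclosing condition that lies outside the hunk, and the reason (Dogtag already occupies 8443 in step 2 of an external-CA install, per the commit message) is stated nowhere at the new site. A one-line comment above the moved `if setup_ca:`, such as `# Port 8443 is held by Dogtag in step 2 of an external CA install; only check it here`, would keep the behaviour traceable, and the same note fits the new `if external != 2:` guard in ipa-ca-install. main() in ipa-server-install and install_master() in ipa-ca-install both continue outside their hunks, so the enclosing condition could not be checked here.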
SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
File was deleted
SOURCES/0002-Add-ipaSshPubkey-and-gidNumber-to-the-ACI-to-read-ID.patch
New file
@@ -0,0 +1,42 @@
From 8e4181b467d4135dccb23400f8afad6141f44b3a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Oct 2014 15:01:27 +0300
Subject: [PATCH] Add ipaSshPubkey and gidNumber to the ACI to read ID user
 overrides
https://fedorahosted.org/freeipa/ticket/4664
Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 ACI.txt                   | 2 +-
 ipalib/plugins/idviews.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ACI.txt b/ACI.txt
index 27a5d2f3458ab313437060a9daea470a8f4e5203..6680f658ee1aa0f961b2681f700557ce6b9238f8 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -131,7 +131,7 @@ aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:S
 dn: cn=views,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || description || entryusn || gecos || homedirectory || ipaanchoruuid || ipaoriginaluid || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index bfa8675fb84a1d1e13f44b31e9384c9c783f4c4e..9c8721018325f56e681f168b55c31055bfd07345 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -659,6 +659,7 @@ class idoverrideuser(baseidoverride):
             'ipapermdefaultattr': {
                 'objectClass', 'ipaAnchorUUID', 'uidNumber', 'description',
                 'homeDirectory', 'uid', 'ipaOriginalUid', 'loginShell', 'gecos',
+                'gidNumber', 'ipaSshPubkey',
             },
         },
     }
--
2.1.0
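Review bot: The `ipapermdefaultattr` set in idviews.py now includes `gidNumber` and `ipaSshPubkey`, and the matching ACI line in ACI.txt grants this permission to `userdn = "ldap:///all"`, so both attributes become readable by any bind, anonymous ones included. Public-key material and a gid carry no secret, but the permission definition gives no hint that anonymous readability is deliberate; a short comment on the entry, e.g. `# Readable by ldap:///all: override consumers need the key and gid without binding`, would record that decision (the consumer-side need is inferred, not shown on the page). ACI.txt appears to mirror this definition, so the two must keep moving together; the `idoverrideuser` class continues outside the hunk.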
SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch
File was deleted
SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
File was deleted
SOURCES/0003-Fix-dns-zonemgr-validation-regression.patch
New file
@@ -0,0 +1,27 @@
From 142a1ee40666a08006ac084eb182908d8def94af Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 24 Oct 2014 12:15:17 +0200
Subject: [PATCH] Fix dns zonemgr validation regression
https://fedorahosted.org/freeipa/ticket/4663
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipalib/util.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ipalib/util.py b/ipalib/util.py
index fcb2bab96bcf5669de444846d8dea572eefce793..7a283106d70ba6a3e25cc7129d57b44b80876882 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -277,6 +277,7 @@ def validate_zonemgr(zonemgr):
 def validate_zonemgr_str(zonemgr):
     zonemgr = normalize_zonemgr(zonemgr)
+    zonemgr = DNSName(zonemgr)
     return validate_zonemgr(zonemgr)
 def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False):
--
2.1.0
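Review bot: The added `zonemgr = DNSName(zonemgr)` converts the normalized string before validation, but nothing in the hunk shows how DNSName reacts to a malformed value; if its constructor raises its own exception type rather than the validation error that callers of validate_zonemgr_str handle, a bad zonemgr value would surface as an unexpected traceback instead of a validation message. Worth confirming against DNSName and, if needed, wrapping the call, `try: zonemgr = DNSName(zonemgr)` / `except Exception as e: raise ValueError(str(e))` — hedged, since the exception type is not visible here. validate_zonemgr_str is fully shown, but normalize_zonemgr and validate_zonemgr lie outside the hunk.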
SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
File was deleted
SOURCES/0004-Handle-profile-changes-in-dogtag-ipa-ca-renew-agent.patch
New file
@@ -0,0 +1,181 @@
From b82f0b1bc483fe265f3e2d2089b65185cafffd74 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Oct 2014 10:30:07 +0200
Subject: [PATCH] Handle profile changes in dogtag-ipa-ca-renew-agent
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.
When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.
Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.
https://fedorahosted.org/freeipa/ticket/4627
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 87 ++++++++++++++++++++--
 1 file changed, 80 insertions(+), 7 deletions(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 4f0b78accac6840471f8b2e9f17288b3b4e82105..ca4380c331cc417c0a89eca17e987920118337d7 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -31,6 +31,7 @@ import tempfile
 import shutil
 import base64
 import contextlib
+import json
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -64,6 +65,78 @@ def ldap_connect():
         if conn is not None and conn.isconnected():
             conn.disconnect()
+def call_handler(_handler, *args, **kwargs):
+    """
+    Request handler call wrapper
+
+    Before calling the handler, get the original profile name and cookie from
+    the provided cookie, if there is one. If the profile name does not match
+    the requested profile name, drop the cookie and restart the request.
+
+    After calling the handler, put the requested profile name and cookie
+    returned by the handler in a new cookie and return it.
+    """
+    operation = os.environ['CERTMONGER_OPERATION']
+    if operation == 'POLL':
+        cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
+        if cookie is not None:
+            try:
+                context = json.loads(cookie)
+                if not isinstance(context, dict):
+                    raise TypeError
+            except (TypeError, ValueError):
+                return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+        else:
+            return (UNCONFIGURED, "Cookie not provided")
+
+        if 'profile' in context:
+            profile = context.pop('profile')
+            try:
+                if profile is not None:
+                    if not isinstance(profile, unicode):
+                        raise TypeError
+                    profile = profile.encode('raw_unicode_escape')
+            except (TypeError, UnicodeEncodeError):
+                return (UNCONFIGURED,
+                        "Invalid 'profile' in cookie: %r" % profile)
+        else:
+            return (UNCONFIGURED, "No 'profile' in cookie")
+
+        # If profile has changed between SUBMIT and POLL, restart request
+        if os.environ.get('CERTMONGER_CA_PROFILE') != profile:
+            os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
+            context = {}
+
+        if 'cookie' in context:
+            cookie = context.pop('cookie')
+            try:
+                if not isinstance(cookie, unicode):
+                    raise TypeError
+                cookie = cookie.encode('raw_unicode_escape')
+            except (TypeError, UnicodeEncodeError):
+                return (UNCONFIGURED,
+                        "Invalid 'cookie' in cookie: %r" % cookie)
+            os.environ['CERTMONGER_CA_COOKIE'] = cookie
+    else:
+        context = {}
+
+    result = _handler(*args, **kwargs)
+
+    if result[0] in (WAIT, WAIT_WITH_DELAY):
+        context['cookie'] = result[-1].decode('raw_unicode_escape')
+
+    profile = os.environ.get('CERTMONGER_CA_PROFILE')
+    if profile is not None:
+        profile = profile.decode('raw_unicode_escape')
+    context['profile'] = profile
+
+    cookie = json.dumps(context)
+    os.environ['CERTMONGER_CA_COOKIE'] = cookie
+    if result[0] in (WAIT, WAIT_WITH_DELAY):
+        result = result[:-1] + (cookie,)
+
+    return result
+
 def request_cert():
     """
     Request certificate from IPA CA.
@@ -144,7 +217,7 @@ def store_cert():
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Updating renewal certificate failed: %s. Sleeping 30s" % e)
-            return (WAIT_WITH_DELAY, 30, attempts)
+            return (WAIT_WITH_DELAY, 30, str(attempts))
         else:
             syslog.syslog(
                 syslog.LOG_ERR,
@@ -179,7 +252,7 @@ def request_and_store_cert():
         else:
             os.environ['CERTMONGER_CA_COOKIE'] = cookie
-        result = request_cert()
+        result = call_handler(request_cert)
         if result[0] == WAIT:
             return (result[0], 'request:%s' % result[1])
         elif result[0] == WAIT_WITH_DELAY:
@@ -198,7 +271,7 @@ def request_and_store_cert():
         os.environ['CERTMONGER_CA_COOKIE'] = cookie
     os.environ['CERTMONGER_CERTIFICATE'] = cert
-    result = store_cert()
+    result = call_handler(store_cert)
     if result[0] == WAIT:
         return (result[0], 'store:%s:%s' % (cert, result[1]))
     elif result[0] == WAIT_WITH_DELAY:
@@ -258,7 +331,7 @@ def retrieve_cert():
                     syslog.LOG_INFO,
                     "Updated certificate for %s not available" % nickname)
                 # No cert available yet, tell certmonger to wait another 8 hours
-                return (WAIT_WITH_DELAY, 8 * 60 * 60, attempts)
+                return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
         cert = base64.b64encode(cert)
         cert = x509.make_pem(cert)
@@ -323,14 +396,14 @@ def renew_ca_cert():
         return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
     if state == 'retrieve':
-        result = retrieve_cert()
+        result = call_handler(retrieve_cert)
         if result[0] == WAIT_WITH_DELAY and not is_self_signed:
             syslog.syslog(syslog.LOG_ALERT,
                           "IPA CA certificate is about to expire, "
                           "use ipa-cacert-manage to renew it")
     elif state == 'request':
         os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
-        result = request_and_store_cert()
+        result = call_handler(request_and_store_cert)
     if result[0] == WAIT:
         return (result[0], '%s:%s' % (state, result[1]))
@@ -369,7 +442,7 @@ def main():
             else:
                 handler = retrieve_cert
-        res = handler()
+        res = call_handler(handler)
         for item in res[1:]:
             print item
         return res[0]
--
2.1.0
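Review bot: The byte/unicode round-trip in call_handler deserves a comment, because the reason for `raw_unicode_escape` and for the `str(attempts)` changes in store_cert and retrieve_cert is not visible from the code. A suggested comment above the `context['cookie'] = ...` line: `# Handler cookies and CERTMONGER_CA_PROFILE are byte strings; raw_unicode_escape maps them to unicode losslessly so arbitrary bytes survive the JSON round-trip, which is why handlers must return the cookie as str, not int`. The `result[-1].decode(...)` call still raises AttributeError for any handler that returns a non-string cookie, so a defensive `str(result[-1])` (or an explicit UNCONFIGURED return) would turn a traceback into a reported error. It is also worth a one-line comment that after the profile-change restart the popped CERTMONGER_CA_COOKIE is deliberately left unset so the handler sees a fresh SUBMIT.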
SOURCES/0005-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch
New file
@@ -0,0 +1,170 @@
From 5fa2b9d411c7c35266fa1c9726d91243ba2b02d6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Oct 2014 11:12:55 +0200
Subject: [PATCH] Do not wait for new CA certificate to appear in LDAP in
 ipa-certupdate
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.
https://fedorahosted.org/freeipa/ticket/4628
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 87 ++++++++++++----------
 ipa-client/ipaclient/ipa_certupdate.py             |  6 +-
 2 files changed, 53 insertions(+), 40 deletions(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index ca4380c331cc417c0a89eca17e987920118337d7..9a01eb3a08900a5c8d04953b41f4493f30c2b56f 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -279,25 +279,11 @@ def request_and_store_cert():
     else:
         return result
-def retrieve_cert():
+def retrieve_or_reuse_cert():
     """
-    Retrieve new certificate from LDAP.
+    Retrieve certificate from LDAP. If the certificate is not available, reuse
+    the old certificate.
     """
-    operation = os.environ.get('CERTMONGER_OPERATION')
-    if operation == 'SUBMIT':
-        attempts = 0
-    elif operation == 'POLL':
-        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
-        if not cookie:
-            return (UNCONFIGURED, "Cookie not provided")
-
-        try:
-            attempts = int(cookie)
-        except ValueError:
-            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
-    else:
-        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
     csr = os.environ.get('CERTMONGER_CSR')
     if not csr:
         return (UNCONFIGURED, "Certificate request not provided")
@@ -306,12 +292,9 @@ def retrieve_cert():
     if not nickname:
         return (REJECTED, "No friendly name in the certificate request")
-    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
-    if not old_cert:
+    cert = os.environ.get('CERTMONGER_CERTIFICATE')
+    if not cert:
         return (REJECTED, "New certificate requests not supported")
-    old_cert = x509.normalize_certificate(old_cert)
-
-    syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
     with ldap_connect() as conn:
         try:
@@ -320,23 +303,50 @@ def retrieve_cert():
                    ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
                 ['usercertificate'])
         except errors.NotFound:
-            cert = old_cert
+            pass
         else:
             cert = entry.single_value['usercertificate']
+            cert = base64.b64encode(cert)
+            cert = x509.make_pem(cert)
+
+    return (ISSUED, cert)
+
+def retrieve_cert():
+    """
+    Retrieve new certificate from LDAP.
+    """
+    operation = os.environ.get('CERTMONGER_OPERATION')
+    if operation == 'SUBMIT':
+        attempts = 0
+    elif operation == 'POLL':
+        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
+        if not cookie:
+            return (UNCONFIGURED, "Cookie not provided")
+
+        try:
+            attempts = int(cookie)
+        except ValueError:
+            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
+    else:
+        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-        if cert == old_cert:
-            attempts += 1
-            if attempts < 4:
-                syslog.syslog(
-                    syslog.LOG_INFO,
-                    "Updated certificate for %s not available" % nickname)
-                # No cert available yet, tell certmonger to wait another 8 hours
-                return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
+    if old_cert:
+        old_cert = x509.normalize_certificate(old_cert)
-        cert = base64.b64encode(cert)
-        cert = x509.make_pem(cert)
+    result = call_handler(retrieve_or_reuse_cert)
+    if result[0] != ISSUED:
+        return result
-    return (ISSUED, cert)
+    new_cert = x509.normalize_certificate(result[1])
+    if new_cert == old_cert:
+        attempts += 1
+        if attempts < 4:
+            syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+            # No cert available yet, tell certmonger to wait another 8 hours
+            return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+
+    return result
 def export_csr():
     """
@@ -414,10 +424,11 @@ def renew_ca_cert():
 def main():
     handlers = {
-        'ipaStorage':       store_cert,
-        'ipaRetrieval':     retrieve_cert,
-        'ipaCSRExport':     export_csr,
-        'ipaCACertRenewal': renew_ca_cert,
+        'ipaStorage':           store_cert,
+        'ipaRetrievalOrReuse':  retrieve_or_reuse_cert,
+        'ipaRetrieval':         retrieve_cert,
+        'ipaCSRExport':         export_csr,
+        'ipaCACertRenewal':     renew_ca_cert,
     }
     api.bootstrap(context='renew')
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
index 7ef11d058eeeb47dc47d46aa7cbe73578c42d131..031a34c3a54a02d43978eedcb794678a1550702b 100644
--- a/ipa-client/ipaclient/ipa_certupdate.py
+++ b/ipa-client/ipaclient/ipa_certupdate.py
@@ -143,14 +143,16 @@ class CertUpdate(admintool.AdminTool):
             timeout = api.env.startup_timeout + 60
             self.log.debug("resubmitting certmonger request '%s'", request_id)
-            certmonger.resubmit_request(request_id, profile='ipaRetrieval')
+            certmonger.resubmit_request(
+                request_id, profile='ipaRetrievalOrReuse')
             try:
                 state = certmonger.wait_for_request(request_id, timeout)
             except RuntimeError:
                 raise admintool.ScriptError(
                     "Resubmitting certmonger request '%s' timed out, "
                     "please check the request manually" % request_id)
-            if state != 'MONITORING':
+            ca_error = certmonger.get_request_value(request_id, 'ca-error')
+            if state != 'MONITORING' or ca_error:
                 raise admintool.ScriptError(
                     "Error resubmitting certmonger request '%s', "
                     "please check the request manually" % request_id)
--
2.1.0
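Review bot: When retrieve_or_reuse_cert falls back to the old certificate in the `except errors.NotFound:` branch it now does so silently, and the earlier `syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)` is removed, so an operator has no record that the helper reused a possibly soon-to-expire certificate. Replacing the bare `pass` with `syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available, reusing old one" % nickname)` keeps the audit trail that the silent fallback otherwise loses. In that branch `cert` is the raw CERTMONGER_CERTIFICATE value while the LDAP branch returns PEM via x509.make_pem; confirm the two forms agree for consumers of ISSUED, since only the normalized comparison in retrieve_cert is visible here. The enclosing `with ldap_connect()` block starts outside the hunk.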
SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
File was deleted
SOURCES/0006-Fail-if-certmonger-can-t-see-new-CA-certificate-in-L.patch
New file
@@ -0,0 +1,101 @@
From ccaacaaf054e9d597159e14714ab41069173da10 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Oct 2014 11:26:15 +0200
Subject: [PATCH] Fail if certmonger can't see new CA certificate in LDAP in
 ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 40 +++++++++-------------
 ipaserver/install/ipa_cacert_manage.py             |  3 +-
 2 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 9a01eb3a08900a5c8d04953b41f4493f30c2b56f..e5ad9639b03b95e6e265214067a985f6c3ca0b2a 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -311,25 +311,11 @@ def retrieve_or_reuse_cert():
     return (ISSUED, cert)
-def retrieve_cert():
+def retrieve_cert_continuous():
     """
-    Retrieve new certificate from LDAP.
+    Retrieve new certificate from LDAP. Repeat every eight hours until the
+    certificate is available.
     """
-    operation = os.environ.get('CERTMONGER_OPERATION')
-    if operation == 'SUBMIT':
-        attempts = 0
-    elif operation == 'POLL':
-        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
-        if not cookie:
-            return (UNCONFIGURED, "Cookie not provided")
-
-        try:
-            attempts = int(cookie)
-        except ValueError:
-            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
-    else:
-        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
-
     old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
     if old_cert:
         old_cert = x509.normalize_certificate(old_cert)
@@ -340,11 +326,19 @@ def retrieve_cert():
     new_cert = x509.normalize_certificate(result[1])
     if new_cert == old_cert:
-        attempts += 1
-        if attempts < 4:
-            syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
-            # No cert available yet, tell certmonger to wait another 8 hours
-            return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
+        syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
+        # No cert available yet, tell certmonger to wait another 8 hours
+        return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
+
+    return result
+
+def retrieve_cert():
+    """
+    Retrieve new certificate from LDAP.
+    """
+    result = call_handler(retrieve_cert_continuous)
+    if result[0] == WAIT_WITH_DELAY:
+        return (REJECTED, "Updated certificate not available")
     return result
@@ -451,7 +445,7 @@ def main():
             if ca.is_renewal_master():
                 handler = request_and_store_cert
             else:
-                handler = retrieve_cert
+                handler = retrieve_cert_continuous
         res = call_handler(handler)
         for item in res[1:]:
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index a521e3965321d3345075d7fc4a55fb9c6904a652..2a8d95fdbebecf543a05afd47275c32684cad970 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -297,7 +297,8 @@ class CACertManage(admintool.AdminTool):
             raise admintool.ScriptError(
                 "Resubmitting certmonger request '%s' timed out, "
                 "please check the request manually" % self.request_id)
-        if state != 'MONITORING':
+        ca_error = certmonger.get_request_value(self.request_id, 'ca-error')
+        if state != 'MONITORING' or ca_error:
             raise admintool.ScriptError(
                 "Error resubmitting certmonger request '%s', "
                 "please check the request manually" % self.request_id)
--
2.1.0
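Review bot: In ipa_cacert_manage.py the new check reads `ca_error` but then discards it, raising the same generic "please check the request manually" message; including it gives the operator the actual failure, for example the "Updated certificate not available" REJECTED reason the helper now emits. A suggested change: `"Error resubmitting certmonger request '%s': %s, please check the request manually" % (self.request_id, ca_error or state)`. The same applies to the identical hunk in ipa_certupdate.py in the 0005 patch above. In retrieve_cert the nested `call_handler(retrieve_cert_continuous)` produces a JSON cookie that the outer call_handler invocation from main wraps again; a one-line comment stating that nesting is intended would help the next reader.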
SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
File was deleted
SOURCES/0007-Fix-possible-NULL-dereference-in-ipa-kdb.patch
New file
@@ -0,0 +1,34 @@
From 73aa4b8a8b7352679a9c1e5ef900824be7b8f37c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:44:05 +0000
Subject: [PATCH] Fix possible NULL dereference in ipa-kdb
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 084b689d459f27e72d679d37e24650149973df61..c8f6c76fb5b3bc7d47ec8a1551579d53d226027e 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1888,9 +1888,11 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
         }
         ipactx = ipadb_get_context(context);
-        gcfg = ipadb_get_global_config(ipactx);
-        if (gcfg != NULL)
-            tmp = gcfg->authz_data;
+        if (ipactx != NULL) {
+            gcfg = ipadb_get_global_config(ipactx);
+            if (gcfg != NULL)
+                tmp = gcfg->authz_data;
+        }
         if (ipactx == NULL || tmp == NULL) {
             krb5_klog_syslog(LOG_ERR, "No default authorization data types " \
                                       "available, no authorization data will " \
--
2.1.0
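Review bot: The guard on `ipactx` is correct, but the following `if (ipactx == NULL || tmp == NULL)` only works if `tmp` is initialised to NULL before this point; its declaration is outside the hunk, so please confirm it is not left indeterminate when `ipadb_get_context` returns NULL. The inner `if (gcfg != NULL)` is the only unbraced single-statement body in the new block; bracing it, `if (gcfg != NULL) { tmp = gcfg->authz_data; }`, matches the surrounding style and avoids the dangling-statement class of bug. get_authz_data_types starts and ends outside the hunk.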
SOURCES/0007-Remove-mod_ssl-port-workaround.patch
File was deleted
SOURCES/0008-Fix-memory-leaks-in-ipa-extdom-extop.patch
New file
@@ -0,0 +1,57 @@
From 57ce6c99123854da69ce07fb8305d102b8e9d271 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:46:19 +0000
Subject: [PATCH] Fix memory leaks in ipa-extdom-extop
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 .../ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c   | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index df04347e3d36b33ca0a4ea2391f60d97b75a97bf..20fdd62b20f28f5384cf83b8be5819f721c6c3db 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -340,7 +340,8 @@ static int pack_ber_user(enum response_types response_type,
     ber = ber_alloc_t( LBER_USE_DER );
     if (ber == NULL) {
-        return LDAP_OPERATIONS_ERROR;
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
     }
     ret = ber_printf(ber,"{e{ssii", response_type, domain_name, short_user_name,
@@ -449,14 +450,15 @@ static int pack_ber_group(enum response_types response_type,
     ber = ber_alloc_t( LBER_USE_DER );
     if (ber == NULL) {
-        return LDAP_OPERATIONS_ERROR;
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
     }
     ret = ber_printf(ber,"{e{ssi", response_type, domain_name, short_group_name,
                                    gid);
     if (ret == -1) {
-        ber_free(ber, 1);
-        return LDAP_OPERATIONS_ERROR;
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
     }
     if (response_type == RESP_GROUP_MEMBERS) {
@@ -716,7 +718,7 @@ static int handle_sid_request(enum request_types request_type, const char *sid,
     ret = get_buffer(&buf_len, &buf);
     if (ret != LDAP_SUCCESS) {
-        return ret;
+        goto done;
     }
     switch(id_type) {
--
2.1.0
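Review bot: The three early returns now jump to `done:` with `ret` set, but the `done:` labels in pack_ber_user, pack_ber_group and handle_sid_request are outside the hunks, so please confirm each one frees `ber`/`buf` and returns `ret`; in pack_ber_group the explicit `ber_free(ber, 1)` on the ber_printf failure path is removed, so the cleanup at `done:` must now perform it. For the `ber == NULL` jumps the cleanup will call the free routine with a NULL handle; OpenLDAP's `ber_free` tolerates NULL in current releases, but a one-line comment at the label, `/* ber may be NULL here: ber_alloc_t failed */`, would make that dependency explicit. The same pattern in handle_sid_request relies on `buf` being NULL after a failed get_buffer, which is not visible here.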
SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch
File was deleted
SOURCES/0009-Fix-various-bugs-in-ipa-opt-counter-and-ipa-otp-last.patch
New file
@@ -0,0 +1,102 @@
From f4574e1764e56a3a281bfc0e5aba886c46cadf95 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:50:26 +0000
Subject: [PATCH] Fix various bugs in ipa-opt-counter and ipa-otp-lasttoken
Fixes a wrong sizeof argument and unchecked return values.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c         |  2 +-
 .../ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c    | 14 +++++++++++---
 .../ipa-otp-lasttoken/ipa_otp_lasttoken.c                  |  6 +++++-
 3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c b/daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c
index 884e1a21004c5440f3bbad9da57d43bba8649d5f..a2fe592f07746423b12d9a531d7860615b729afa 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/berval.c
@@ -48,7 +48,7 @@ berval_new_longlong(long long value)
 {
     struct berval *bv;
-    bv = (struct berval*) slapi_ch_malloc(sizeof(struct berval*));
+    bv = (struct berval*) slapi_ch_malloc(sizeof(struct berval));
     bv->bv_val = slapi_ch_smprintf("%lld", value);
     bv->bv_len = strlen(bv->bv_val);
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
index 24ef9e2401d62d7d63b55afb9aa3ba2f41642839..da047d7dc58e27b37ad29c39bde44e33602ab4c5 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c
@@ -50,6 +50,7 @@
 #include "berval.h"
 #include "ldapmod.h"
+#include "util.h"
 #include <limits.h>
@@ -140,6 +141,7 @@ normalize_input(LDAPMod ***mods, const char *attr, long long ctr)
         case LDAP_MOD_REPLACE:
         case LDAP_MOD_INCREMENT:
             e++;
+            /* fall through */
         default:
             c++;
         }
@@ -284,8 +286,12 @@ preop_mod(Slapi_PBlock *pb)
     cpre = get_counter(epre, attr);
     if (repl == 0) {
-        if (normalize_input(&mods, attr, cpre) != 0)
-            slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods);
+        if (normalize_input(&mods, attr, cpre) != 0) {
+            if (slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods)) {
+                LOG_FATAL("slapi_pblock_set failed!\n");
+                goto error;
+            }
+        }
     }
     if (!simulate(mods, attr, cpre, &cpost) && repl == 0) {
@@ -316,7 +322,9 @@ preop_mod(Slapi_PBlock *pb)
 error:
     rc = LDAP_UNWILLING_TO_PERFORM;
     slapi_send_ldap_result(pb, rc, NULL, msg, 0, NULL);
-    slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
+    if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
+        LOG_FATAL("slapi_pblock_set failed!\n");
+    }
     slapi_ch_free_string(&msg);
     return rc;
diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index 94d24ae0f0383c090e1207c6f4552ea29601f26e..d20fca1e705f7406362a3ba2def9ba102bd1622d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -44,6 +44,8 @@
 #include <libotp.h>
 #include <time.h>
+#include "util.h"
+
 #define PLUGIN_NAME               "ipa-otp-lasttoken"
 #define LOG(sev, ...) \
     slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
@@ -100,7 +102,9 @@ static inline int
 send_error(Slapi_PBlock *pb, int rc, char *errstr)
 {
     slapi_send_ldap_result(pb, rc, NULL, errstr, 0, NULL);
-    slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
+    if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
+        LOG_FATAL("slapi_pblock_set failed!\n");
+    }
     return rc;
 }
--
2.1.0
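Review bot: The `sizeof(struct berval)` fix in berval_new_longlong is right, but the bug it corrects is exactly what the `sizeof *bv` idiom prevents; writing `bv = slapi_ch_malloc(sizeof *bv);` (the cast is unnecessary in C) ties the size to the variable's type so a later change to the declaration cannot reintroduce an undersized allocation. In preop_mod the new `goto error` after a failed slapi_pblock_set lands in a path that passes `msg` to slapi_send_ldap_result; `msg` is assigned outside the hunk, so confirm it is initialised (NULL at least) on this new path. The `/* fall through */` marker in normalize_input is a good addition; the function bodies start outside the hunks.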
SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch
File was deleted
SOURCES/0010-Fix-memory-leak-in-ipa-pwd-extop.patch
New file
@@ -0,0 +1,60 @@
From 8ab479e0fdaa509775255005400b214736c3308c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:53:41 +0000
Subject: [PATCH] Fix memory leak in ipa-pwd-extop
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 3 +--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c       | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index ca021cac71da690a498fe3003fae1babb30456c1..f0346a343188930dfc90e19d2e5d38cb30741b90 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1393,6 +1393,7 @@ done:
     if (rc != LDAP_SUCCESS) {
         free(password);
         free(svcname);
+        free(enctypes);
         *_err_msg = err_msg;
     } else {
         *_password = password;
@@ -1639,7 +1640,6 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
     krb5_context krbctx = NULL;
     krb5_error_code krberr;
     struct berval *extop_value = NULL;
-    BerElement *ber = NULL;
     char *service_name = NULL;
     char *svcname;
     Slapi_Entry *target_entry = NULL;
@@ -1827,7 +1827,6 @@ free_and_return:
         }
         free(svals);
     }
-    if (ber) ber_free(ber, 1);
     if (bvp) ber_bvfree(bvp);
     return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
index 2bfcf10a271a497741f08bb519020cd159eb4aeb..cbb4536e7d119f4550e4b523eb02e34d058ae7a1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c
@@ -86,7 +86,7 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,
         }
         /* Decode the optional token DN. */
-        ber_scanf(ber, "a", &token_dn);
+        (void)ber_scanf(ber, "a", &token_dn);
         /* Process the synchronization. */
         success = false;
--
2.1.0
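Review bot: The `(void)ber_scanf(ber, "a", &token_dn)` cast in sync_request_handle silences the analyzer without making the decode safe: if `token_dn` is not initialised to NULL before this call (its declaration is outside the hunk), a failed decode of the optional DN leaves it indeterminate for whatever later uses or frees it. Handling the result explicitly, `if (ber_scanf(ber, "a", &token_dn) == LBER_ERROR) token_dn = NULL;`, documents the "optional" intent and removes the dependency on the earlier initialisation. In ipa_pwd_extop.c the added `free(enctypes)` at `done:` likewise assumes `enctypes` is NULL on every error path that reaches the label before it is allocated; please confirm, since the allocation is not visible here.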
SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch
File was deleted
SOURCES/0011-Fix-memory-leaks-in-ipa-join.patch
New file
@@ -0,0 +1,107 @@
From 211bc475034488f20bfe74fe158bb8b7720fd534 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:59:08 +0000
Subject: [PATCH] Fix memory leaks in ipa-join
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipa-client/ipa-getkeytab.c |  2 +-
 ipa-client/ipa-join.c      | 18 ++++++++----------
 2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 7861e4e508ce956a92d80d2e91294215854a2a32..bb43c333dca6560807a120103a1cb535fa87b76a 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -794,7 +794,7 @@ int main(int argc, const char *argv[])
     char *password = NULL;
     krb5_context krbctx;
     krb5_ccache ccache;
-    krb5_principal uprinc;
+    krb5_principal uprinc = NULL;
     krb5_principal sprinc;
     krb5_error_code krberr;
     struct keys_container keys = { 0 };
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index df33d3b08cf69a37ae9de76266a071825a95871f..46f64572dcaeb3be61dadf87a07520ad21fb4f47 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -463,14 +463,12 @@ static int
 join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
 {
     LDAP *ld;
-    char *filter = NULL;
     int rval = 0;
     char *oidresult = NULL;
     struct berval valrequest;
     struct berval *valresult = NULL;
     int rc, ret;
     char *ldap_base = NULL;
-    char *search_base = NULL;
     *binddn = NULL;
     *princ = NULL;
@@ -542,16 +540,12 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
     *princ = strdup(valresult->bv_val);
 ldap_done:
-
-    free(filter);
-    free(search_base);
-    free(ldap_base);
-
     if (ld != NULL) {
         ldap_unbind_ext(ld, NULL, NULL);
     }
 done:
+    free(ldap_base);
     if (valresult) ber_bvfree(valresult);
     if (oidresult) free(oidresult);
     return rval;
@@ -815,7 +809,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
         if (!quiet)
             fprintf(stderr, _("Error parsing \"%1$s\": %2$s.\n"),
                             principal, error_message(krberr));
-        return krberr;
+        rval = 4;
+        goto cleanup;
     }
     strcpy(tgs, KRB5_TGS_NAME);
     snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "/%.*s",
@@ -833,7 +828,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
         if (!quiet)
             fprintf(stderr, _("Error obtaining initial credentials: %s.\n"),
                     error_message(krberr));
-        return krberr;
+        rval = 19;
+        goto cleanup;
     }
     krberr = krb5_cc_resolve(krbctx, "MEMORY:ipa-join", &ccache);
@@ -852,7 +848,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
             fprintf(stderr,
                     _("Error storing creds in credential cache: %s.\n"),
                     error_message(krberr));
-        return krberr;
+        rval = 19;
+        goto cleanup;
     }
     krb5_cc_close(krbctx, ccache);
     ccache = NULL;
@@ -914,6 +911,7 @@ cleanup:
     free(user_agent);
     if (keytab) krb5_kt_close(krbctx, keytab);
+    free(host);
     free((char *)principal);
     free((char *)ipaserver);
     if (princ) krb5_free_principal(krbctx, princ);
--
2.1.0
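Review bot: The three replaced `return krberr;` statements in unenroll_host now set `rval` to the bare literals 4 and 19, whose meaning is not visible in the hunk; naming them (an enum of ipa-join exit codes, if the file does not already have one) would make the new error paths readable and consistent with the other exit codes the function returns. Because these paths now `goto cleanup` much earlier, every object released at `cleanup:` (`keytab`, `host`, `principal`, `ipaserver`, `princ`, `user_agent`) must already be initialised to NULL at those points; the declarations are outside the hunk, so please confirm. The move of `free(ldap_base)` from `ldap_done:` to `done:` in join_ldap correctly covers the `goto done` paths that previously leaked it.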
SOURCES/0011-test_integration-Support-external-names-for-hosts.patch
File was deleted
SOURCES/0012-Fix-various-bugs-in-ipap11helper.patch
New file
@@ -0,0 +1,108 @@
From 39b02dae37106eba8e3204048ca5dc3c9040c11f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 5 Nov 2014 08:59:57 +0000
Subject: [PATCH] Fix various bugs in ipap11helper
Fixes a memory leak, a library handle leak and a double free.
Also remove some redundant NULL checks before free to prevent false positives
in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipapython/ipap11helper/p11helper.c | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index df5302a7f867a38596d8fbb3001a8796659fb706..038c26c4520cc8f71edbee15b0ccd9bf292d7588 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -334,8 +334,7 @@ int _find_key(P11_Helper* self, CK_ATTRIBUTE_PTR template,
             if (tmp_objects_ptr == NULL) {
                 *objects_count = 0;
                 PyErr_SetString(ipap11helperError, "_find_key realloc failed");
-                if (result_objects != NULL)
-                    free(result_objects);
+                free(result_objects);
                 return 0;
             } else {
                 result_objects = tmp_objects_ptr;
@@ -346,16 +345,14 @@ int _find_key(P11_Helper* self, CK_ATTRIBUTE_PTR template,
         rv = self->p11->C_FindObjects(self->session, &result_object, 1,
                 &objectCount);
         if (!check_return_value(rv, "Check for duplicated key")) {
-            if (result_objects != NULL)
-                free(result_objects);
+            free(result_objects);
             return 0;
         }
     }
     rv = self->p11->C_FindObjectsFinal(self->session);
     if (!check_return_value(rv, "Find objects final")) {
-        if (result_objects != NULL)
-            free(result_objects);
+        free(result_objects);
         return 0;
     }
@@ -499,6 +496,8 @@ static int P11_Helper_init(P11_Helper *self, PyObject *args, PyObject *kwds) {
     CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
             &module_handle);
     if (!pGetFunctionList) {
+        if (module_handle != NULL)
+            unloadLibrary(module_handle);
         PyErr_SetString(ipap11helperError, "Could not load the library.");
         return -1;
     }
@@ -933,9 +932,7 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
     if (result_list == NULL) {
         PyErr_SetString(ipap11helperError,
                 "Unable to create list with results");
-        if (objects != NULL) {
-            free(objects);
-        }
+        free(objects);
         return NULL;
     }
     Py_INCREF(result_list);
@@ -944,13 +941,12 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
                 == -1) {
             PyErr_SetString(ipap11helperError,
                     "Unable to add to value to result list");
-            if (objects != NULL) {
-                free(objects);
-            }
+            free(objects);
             return NULL;
         }
     }
+    free(objects);
     return result_list;
 }
@@ -1193,7 +1189,6 @@ P11_Helper_import_RSA_public_key(P11_Helper* self, CK_UTF8CHAR *label,
     if (rsa == NULL) {
         PyErr_SetString(ipap11helperError,
                 "import_RSA_public_key: EVP_PKEY_get1_RSA error");
-        free(pkey);
         return NULL;
     }
@@ -1379,8 +1374,8 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
     wrapped_key = malloc(wrapped_key_len);
     if (wrapped_key == NULL) {
         rv = CKR_HOST_MEMORY;
-        check_return_value(rv, "key wrapping: buffer allocation");
-        return 0;
+        if (!check_return_value(rv, "key wrapping: buffer allocation"))
+            return 0;
     }
     rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
             object_wrapping_key, object_key, wrapped_key, &wrapped_key_len);
--
2.1.0
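Review bot: The `Py_INCREF(result_list);` kept as context in the P11_Helper_find_keys hunk, together with the error path added right after it, still leaks the result list: if result_list comes from PyList_New (the "Unable to create list with results" message suggests so, but the call is outside the hunk) it is already a new reference, so the INCREF leaves a count that nobody releases, and the new `free(objects); return NULL;` on the append failure returns without a `Py_DECREF(result_list);`. Dropping the INCREF and adding `Py_DECREF(result_list);` before that `return NULL;` would make the function release the list on both paths. In the P11_Helper_export_wrapped_key hunk the failure path now returns only when check_return_value reports the CKR_HOST_MEMORY status as a failure; if that helper ever returned true for a non-OK status, execution would continue into C_WrapKey with `wrapped_key == NULL`, so an unconditional `return NULL;` after the call is the safer form. The enclosing functions start and end outside the hunks.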
SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch
File was deleted
SOURCES/0013-Deadlock-in-schema-compat-plugin-between-automember_.patch
New file
@@ -0,0 +1,83 @@
From f91b6dd2ac7ee2d3444929e0d8649c9f355bdcd2 Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbordaz@redhat.com>
Date: Wed, 29 Oct 2014 16:23:03 +0100
Subject: [PATCH] Deadlock in schema compat plugin (between
 automember_update_membership task and dse update)
    Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
    default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
    Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
    This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees
    that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/updates/10-schema_compat.update | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 7b75ba532612bbdaf9c85f8c88b0c8b8454e5969..b8c79012d121116f9cf53908fbe4eeeebe9d3d82 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -18,15 +18,19 @@ add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCatego
 add: schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixAccount)\",\"uid\")")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%{ipaSudoRunAsExtGroup}")'
 add: schema-compat-entry-attribute: 'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 replace: schema-compat-entry-attribute:'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})::nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",\"\",\"-\")"),%{nisDomainName:-})'
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
 default:objectClass: top
@@ -41,19 +45,25 @@ default:schema-compat-entry-attribute: objectclass=device
 default:schema-compat-entry-attribute: objectclass=ieee802Device
 default:schema-compat-entry-attribute: cn=%{fqdn}
 default:schema-compat-entry-attribute: macAddress=%{macAddress}
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
 dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-add: schema-compat-ignore-subtree: cn=changelog
-add: schema-compat-ignore-subtree: o=ipaca
+remove: schema-compat-ignore-subtree: cn=changelog
+remove: schema-compat-ignore-subtree: o=ipaca
+add: schema-compat-restrict-subtree: '$SUFFIX'
+add: schema-compat-restrict-subtree: 'cn=Schema Compatibility,cn=plugins,cn=config'
 dn: cn=Schema Compatibility,cn=plugins,cn=config
 # We need to run schema-compat pre-bind callback before
--
2.1.0
SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
File was deleted
SOURCES/0014-Stop-dirsrv-last-in-ipactl-stop.patch
New file
@@ -0,0 +1,47 @@
From 788b0ac5d9ae805f46321d50531ed5baf80eee1e Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Tue, 4 Nov 2014 03:22:59 -0500
Subject: [PATCH] Stop dirsrv last in ipactl stop.
Other services may depend on directory server.
https://fedorahosted.org/freeipa/ticket/4632
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 install/tools/ipactl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 7a1e41b01a80eeea85c417399dcf4666f70d4b26..b1b0b6e26fa97cdc953c86eee22e160782b57379 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -291,12 +291,6 @@ def ipa_stop(options):
             finally:
                 raise IpactlError()
-    try:
-        print "Stopping Directory Service"
-        dirsrv.stop(capture_output=False)
-    except:
-        raise IpactlError("Failed to stop Directory Service")
-
     for svc in reversed(svc_list):
         svchandle = services.service(svc)
         try:
@@ -305,6 +299,12 @@ def ipa_stop(options):
         except:
             emit_err("Failed to stop %s Service" % svc)
+    try:
+        print "Stopping Directory Service"
+        dirsrv.stop(capture_output=False)
+    except:
+        raise IpactlError("Failed to stop Directory Service")
+
     # remove file with list of started services
     try:
         os.unlink(paths.SVC_LIST_FILE)
--
2.1.0
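Review bot: The block moved to the end of ipa_stop keeps a bare `except:` around `dirsrv.stop(capture_output=False)`, which also swallows KeyboardInterrupt and SystemExit and discards the original exception before raising IpactlError, so a failed stop gives the operator no reason. `except Exception as e:` with the cause appended to the IpactlError message would keep the reordering and make the failure diagnosable. The new position also deserves a one-line comment, e.g. `# Stop the directory server last: the services above depend on it`. ipa_stop starts outside the hunk.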
SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
File was deleted
SOURCES/0015-Fix-upgrade-do-not-use-invalid-ldap-connection.patch
New file
@@ -0,0 +1,43 @@
From 925904b8724c50b6336c0cd17f5dbb2eb85be8a4 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 4 Nov 2014 15:59:50 +0100
Subject: [PATCH] Fix upgrade: do not use invalid ldap connection
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ldapupdate.py           | 6 ++++++
 ipaserver/install/plugins/updateclient.py | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 6bed046d2661f48218b66c11e6f6a43c6dc0f6bf..47f0399b928b3b0da3954592d56750450454aac7 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -889,3 +889,9 @@ class LDAPUpdate:
         self._run_updates(updates)
         return self.modified
+
+    def close_connection(self):
+        """Close ldap connection"""
+        if self.conn:
+            self.conn.unbind()
+            self.conn = None
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
index 7566b6cd807dafc3af5e7b51a1dfa68847ca91c2..8f5c5b5fdbc2b7bfec8be342ee267425c93b47cf 100644
--- a/ipaserver/install/plugins/updateclient.py
+++ b/ipaserver/install/plugins/updateclient.py
@@ -122,6 +122,9 @@ class updateclient(backend.Executioner):
         for update in self.order(updatetype):
             (restart, apply_now, res) = self.run(update.name, **kw)
             if restart:
+                # connection has to be closed before restart, otherwise
+                # ld instance will try to reuse old non-valid connection
+                ld.close_connection()
                 self.restart(dm_password, live_run)
             if apply_now:
--
2.1.0
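Review bot: `close_connection` in the ldapupdate.py hunk leaves `self.conn` pointing at a half-closed connection if `unbind()` raises, which is exactly the stale-handle situation the updateclient.py hunk is trying to avoid before a restart. Clearing the attribute in a `finally` guarantees the next user reconnects instead of reusing the dead handle. The `ld` object used in updateclient.py is created outside the hunk, so whether it is always an LDAPUpdate with this method is not visible here.
```python
    def close_connection(self):
        """Close ldap connection"""
        if self.conn:
            try:
                self.conn.unbind()
            finally:
                self.conn = None
```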
SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch
File was deleted
SOURCES/0016-Ensure-that-a-password-exists-after-OTP-validation.patch
New file
@@ -0,0 +1,73 @@
From a4505caea4e4905e1756f31779c315de979f8f2c Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed, 5 Nov 2014 13:50:41 -0500
Subject: [PATCH] Ensure that a password exists after OTP validation
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 26 ++++++++++++-----------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 60ceaaa7ab0cd282efb45f1a89de9dbd240a452c..1f595d01d986ca2950672d796d62f5f78b05c212 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1446,12 +1446,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     /* Try to do OTP first. */
     syncreq = sync_request_present(pb);
-    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials))
+        goto invalid_creds;
+
+    /* Ensure that there is a password. */
+    if (credentials->bv_len == 0)
+        goto invalid_creds;
     /* Authenticate the user. */
     ret = ipapwd_authenticate(dn, entry, credentials);
@@ -1461,18 +1461,20 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
     }
     /* Attempt to handle a token synchronization request. */
-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn)) {
-        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, NULL, 0, NULL);
-        return 1;
-    }
+    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))
+        goto invalid_creds;
     /* Attempt to write out kerberos keys for the user. */
     ipapwd_write_krb_keys(pb, dn, entry, credentials);
     slapi_entry_free(entry);
     return 0;
+
+invalid_creds:
+    slapi_entry_free(entry);
+    slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+                           NULL, NULL, 0, NULL);
+    return 1;
 }
 /* Init pre ops */
--
2.1.0
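Review bot: The new `credentials->bv_len == 0` check in ipapwd_pre_bind is placed after the OTP step, and the commit message implies that is deliberate — presumably ipapwd_pre_bind_otp strips the token from credentials, so an OTP-only bind only becomes an empty password at that point — but nothing in the code says so, and a later refactor hoisting the check above the OTP call would silently reintroduce the CVE-2014-7828 condition. Replacing the one-line comment with `/* Ensure that there is a password. Must stay after the OTP step, which strips the token from credentials; an OTP-only bind is empty only here. */` would pin the ordering. The function starts before the first hunk, and the `ret = ipapwd_authenticate(...)` result handling is outside the visible lines.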
SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch
File was deleted
SOURCES/0017-ipa-restore-Don-t-crash-if-AD-trust-is-not-installed.patch
New file
@@ -0,0 +1,53 @@
From d693ffd819a2016c6cc871107d5f66353c999888 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 10 Nov 2014 13:29:58 +0100
Subject: [PATCH] ipa-restore: Don't crash if AD trust is not installed
https://fedorahosted.org/freeipa/ticket/4668
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ipa_restore.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 239de99c462639854e8e25c6b9278cb94b6fc6b8..352a1ca2bf283c0beb8c95925c6eb9c9984b3338 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -37,7 +37,6 @@ from ipaserver.install.replication import (wait_for_task, ReplicationManager,
                                            get_cs_replication_manager)
 from ipaserver.install import installutils
 from ipaserver.install import httpinstance
-from ipaserver.install import adtrustinstance
 from ipapython import ipaldap
 import ipapython.errors
 from ipaplatform.tasks import tasks
@@ -45,6 +44,11 @@ from ipaserver.install.ipa_backup import BACKUP_DIR
 from ipaplatform import services
 from ipaplatform.paths import paths
+try:
+    from ipaserver.install import adtrustinstance
+except ImportError:
+    adtrustinstance = None
+
 def recursive_chown(path, uid, gid):
     '''
@@ -646,7 +650,12 @@ class Restore(admintool.AdminTool):
     def restore_selinux_booleans(self):
         bools = dict(httpinstance.SELINUX_BOOLEAN_SETTINGS)
         if 'ADTRUST' in self.backup_services:
-            bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+            if adtrustinstance:
+                bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+            else:
+                self.log.error(
+                    'The AD trust package was not found, '
+                    'not setting SELinux booleans.')
         try:
             tasks.set_selinux_booleans(bools)
         except ipapython.errors.SetseboolError as e:
--
2.1.0
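Review bot: The `except ImportError` around `from ipaserver.install import adtrustinstance` catches any ImportError raised while importing that module, not only the absence of the trust package, so a broken dependency inside adtrustinstance would be reported by restore_selinux_booleans as "The AD trust package was not found" and the restore would proceed with the trust booleans unset for a misleading reason. Logging the caught ImportError in the except branch (or keeping it in a module-level variable and including it in the error message) would make the two cases distinguishable. Also `if adtrustinstance:` tests a module's truthiness; `if adtrustinstance is not None:` says what is meant.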
SOURCES/0018-hbactest-does-not-work-for-external-users.patch
File was deleted
SOURCES/0018-ranges-prohibit-setting-rid-base-with-ipa-trust-ad-p.patch
New file
@@ -0,0 +1,159 @@
From 77af6877a855c6dd738d03376464197ac3a938f8 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 13 Oct 2014 14:57:45 +0200
Subject: [PATCH] ranges: prohibit setting --rid-base with ipa-trust-ad-posix
 type
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/idrange.py | 61 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 47 insertions(+), 14 deletions(-)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 9e0481e94048c465f9a86112378a47390de0d494..6c3be6e69595127e346969e41703dc98e783282e 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -248,6 +248,12 @@ class idrange(LDAPObject):
             if not options.get('all', False) or options.get('pkey_only', False):
                 entry_attrs.pop('objectclass', None)
+    def handle_ipabaserid(self, entry_attrs, options):
+        if any((options.get('pkey_only', False), options.get('raw', False))):
+            return
+        if entry_attrs['iparangetype'][0] == u'ipa-ad-trust-posix':
+            entry_attrs.pop('ipabaserid', None)
+
     def check_ids_in_modified_range(self, old_base, old_size, new_base,
                                     new_size):
         if new_base is None and new_size is None:
@@ -414,6 +420,7 @@ class idrange_add(LDAPCreate):
         rid_base = kw.get('ipabaserid', None)
         secondary_rid_base = kw.get('ipasecondarybaserid', None)
+        range_type = kw.get('iparangetype', None)
         def set_from_prompt(param):
             value = self.prompt_param(self.params[param])
@@ -424,7 +431,7 @@ class idrange_add(LDAPCreate):
             # This is a trusted range
             # Prompt for RID base if domain SID / name was given
-            if rid_base is None:
+            if rid_base is None and range_type != u'ipa-ad-trust-posix':
                 set_from_prompt('ipabaserid')
         else:
@@ -486,23 +493,33 @@ class idrange_add(LDAPCreate):
             if not is_set('iparangetype'):
                 entry_attrs['iparangetype'] = u'ipa-ad-trust'
-            if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
-                                                   u'ipa-ad-trust-posix'):
+            if entry_attrs['iparangetype'] == u'ipa-ad-trust':
+                if not is_set('ipabaserid'):
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Options dom-sid/dom-name and rid-base must '
+                                'be used together')
+                    )
+            elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix':
+                if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0:
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Option rid-base must not be used when IPA '
+                                'range type is ipa-ad-trust-posix')
+                    )
+                else:
+                    entry_attrs['ipabaserid'] = 0
+            else:
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('IPA Range type must be one of ipa-ad-trust '
                             'or ipa-ad-trust-posix when SID of the trusted '
-                            'domain is specified.'))
+                            'domain is specified'))
             if is_set('ipasecondarybaserid'):
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('Options dom-sid/dom-name and secondary-rid-base '
                             'cannot be used together'))
-            if not is_set('ipabaserid'):
-                raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom-sid/dom-name and rid-base must '
-                            'be used together'))
-
             # Validate SID as the one of trusted domains
             self.obj.validate_trusted_domain_sid(
                                         entry_attrs['ipanttrusteddomainsid'])
@@ -557,6 +574,7 @@ class idrange_add(LDAPCreate):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
+        self.obj.handle_ipabaserid(entry_attrs, options)
         self.obj.handle_iparangetype(entry_attrs, options,
                                      keep_objectclass=True)
         return dn
@@ -628,6 +646,7 @@ class idrange_find(LDAPSearch):
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
+            self.obj.handle_ipabaserid(entry, options)
             self.obj.handle_iparangetype(entry, options)
         return truncated
@@ -643,6 +662,7 @@ class idrange_show(LDAPRetrieve):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
+        self.obj.handle_ipabaserid(entry_attrs, options)
         self.obj.handle_iparangetype(entry_attrs, options)
         return dn
@@ -699,11 +719,23 @@ class idrange_mod(LDAPUpdate):
                 raise errors.ValidationError(name='ID Range setup',
                     error=_('Options dom-sid and secondary-rid-base cannot '
                             'be used together'))
-
-            if not in_updated_attrs('ipabaserid'):
-                raise errors.ValidationError(name='ID Range setup',
-                    error=_('Options dom-sid and rid-base must '
-                            'be used together'))
+            range_type = old_attrs['iparangetype'][0]
+            if range_type == u'ipa-ad-trust':
+                if not in_updated_attrs('ipabaserid'):
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Options dom-sid and rid-base must '
+                                'be used together'))
+            elif (range_type == u'ipa-ad-trust-posix' and
+                  'ipabaserid' in entry_attrs):
+                if entry_attrs['ipabaserid'] is None:
+                    entry_attrs['ipabaserid'] = 0
+                elif entry_attrs['ipabaserid'] != 0:
+                    raise errors.ValidationError(
+                        name='ID Range setup',
+                        error=_('Option rid-base must not be used when IPA '
+                                'range type is ipa-ad-trust-posix')
+                    )
             if is_set('ipanttrusteddomainsid'):
                 # Validate SID as the one of trusted domains
@@ -766,6 +798,7 @@ class idrange_mod(LDAPUpdate):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
+        self.obj.handle_ipabaserid(entry_attrs, options)
         self.obj.handle_iparangetype(entry_attrs, options)
         return dn
--
2.1.0
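Review bot: In the idrange_mod hunk the new ipa-ad-trust-posix check sits inside a conditional that starts outside the hunk, next to the dom-sid/secondary-rid-base validation; if that enclosing condition only holds when a domain SID is part of the update, an `ipa idrange-mod --rid-base=N` on an existing ipa-ad-trust-posix range that does not touch the SID would bypass the new rule, while idrange_add rejects the same combination. Worth confirming that the condition means "the range has a SID (old or new)" rather than "a SID is being set", or moving the posix check out of that branch. The check also uses `'ipabaserid' in entry_attrs` whereas the ipa-ad-trust branch just above uses `in_updated_attrs('ipabaserid')`; if those differ (in_updated_attrs is defined outside the hunk), a short comment on why the raw lookup is wanted here would help. `handle_ipabaserid` indexes `entry_attrs['iparangetype'][0]` unguarded, same as the existing handle_iparangetype, so all four post_callbacks must keep guaranteeing that attribute is present.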
SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch
File was deleted
SOURCES/0019-ldapupdater-set-baserid-to-0-for-ipa-ad-trust-posix-.patch
New file
@@ -0,0 +1,102 @@
From aa5a5fa8349444c2817feb21dd8c6f8ba6b38fd0 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 13 Oct 2014 14:59:24 +0200
Subject: [PATCH] ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/plugins/update_idranges.py | 69 +++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/update_idranges.py b/ipaserver/install/plugins/update_idranges.py
index 9e97c9f74570484a8bae82e99a7561350163a1b1..1aa5fa7631fd35a7aaf4a23a5eee44e4e0a2e904 100644
--- a/ipaserver/install/plugins/update_idranges.py
+++ b/ipaserver/install/plugins/update_idranges.py
@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins import MIDDLE, LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
 from ipalib import api, errors
 from ipapython.dn import DN
@@ -111,4 +111,71 @@ class update_idrange_type(PostUpdate):
         return (False, False, [])
+
+class update_idrange_baserid(PostUpdate):
+    """
+    Update ipa-ad-trust-posix ranges' base RID to 0. This applies to AD trust
+    posix ranges prior to IPA 4.1.
+    """
+
+    order = LAST
+
+    def execute(self, **options):
+        ldap = self.obj.backend
+
+        base_dn = DN(api.env.container_ranges, api.env.basedn)
+        search_filter = ("(&(objectClass=ipaTrustedADDomainRange)"
+                         "(ipaRangeType=ipa-ad-trust-posix)"
+                         "(!(ipaBaseRID=0)))")
+        root_logger.debug(
+            "update_idrange_baserid: search for ipa-ad-trust-posix ID ranges "
+            "with ipaBaseRID != 0"
+        )
+
+        try:
+            (entries, truncated) = ldap.find_entries(
+                search_filter, ['ipabaserid'], base_dn,
+                paged_search=True, time_limit=0, size_limit=0)
+
+        except errors.NotFound:
+            root_logger.debug("update_idrange_baserid: no AD domain "
+                              "range with posix attributes found")
+            return (False, False, [])
+
+        except errors.ExecutionError, e:
+            root_logger.error("update_idrange_baserid: cannot retrieve "
+                              "list of affected ranges: %s", e)
+            return (False, False, [])
+
+        root_logger.debug("update_idrange_baserid: found %d "
+                          "idranges possible to update",
+                          len(entries))
+
+        error = False
+
+        # Set the range type
+        for entry in entries:
+            entry['ipabaserid'] = 0
+            try:
+                root_logger.info("Updating existing idrange: %s" % (entry.dn))
+                ldap.update_entry(entry)
+                root_logger.info("Done")
+            except (errors.EmptyModlist, errors.NotFound):
+                pass
+            except errors.ExecutionError, e:
+                root_logger.debug("update_idrange_type: cannot "
+                                  "update idrange: %s", e)
+                error = True
+
+        if error:
+            root_logger.error("update_idrange_baserid: error(s) "
+                              "detected during idrange baserid update")
+        else:
+            # All affected entries updated, exit the loop
+            root_logger.debug("update_idrange_baserid: all affected "
+                              "idranges updated")
+
+        return (False, False, [])
+
 api.register(update_idrange_type)
+api.register(update_idrange_baserid)
--
2.1.0
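Review bot: The error log in the update loop of `update_idrange_baserid.execute` is tagged `update_idrange_type: cannot update idrange: %s`, a copy-paste from the sibling plugin that will send anyone reading an upgrade log to the wrong plugin; it should read `"update_idrange_baserid: cannot update idrange: %s"`. The two comments carried over with it are also stale: `# Set the range type` should be `# Set the base RID to 0`, and `# All affected entries updated, exit the loop` describes a loop that has already finished. Minor: `root_logger.info("Updating existing idrange: %s" % (entry.dn))` formats eagerly, unlike the other calls in the method that pass arguments to the logger; `root_logger.info("Updating existing idrange: %s", entry.dn)` matches them. root_logger is not imported in the visible part of the file, so it is presumably already in scope for update_idrange_type.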
SOURCES/0020-idrange-include-raw-range-type-in-output.patch
New file
@@ -0,0 +1,29 @@
From 83e12a6e7266ab1324f259eaed809f8db1118d7a Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Wed, 15 Oct 2014 13:42:30 +0200
Subject: [PATCH] idrange: include raw range type in output
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers
Solved by new iparangetyperaw output attribute which contains iparangetype's raw value
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipalib/plugins/idrange.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 6c3be6e69595127e346969e41703dc98e783282e..fb198d79d4c14ffd5f7dc633c9f01a1465ff01d7 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -241,6 +241,7 @@ class idrange(LDAPObject):
         if not any((options.get('pkey_only', False),
                     options.get('raw', False))):
             range_type = entry_attrs['iparangetype'][0]
+            entry_attrs['iparangetyperaw'] = [range_type]
             entry_attrs['iparangetype'] = [self.range_types.get(range_type, None)]
         # Remove the objectclass
--
2.1.0
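Review bot: The one-line hunk emits `iparangetyperaw` in entry_attrs, but the diffstat shows no corresponding parameter declaration, so unless the idrange object already declares it (not visible here) the attribute reaches CLI and Web UI consumers as an undeclared value, which may be printed without a label and gives API consumers no documented type for it. Adding a `Str('iparangetyperaw?', ...)` output parameter with a label, as the sibling attributes have, would make the new field part of the documented API. The surrounding handle_iparangetype method starts outside the hunk.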
SOURCES/0020-sudoOrder-missing-in-sudoers.patch
File was deleted
SOURCES/0021-Add-missing-example-to-sudorule.patch
File was deleted
SOURCES/0021-webui-prohibit-setting-rid-base-with-ipa-trust-ad-po.patch
New file
@@ -0,0 +1,153 @@
From da57475f30f086b2420652b1aeab9e2902fb8664 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Wed, 3 Sep 2014 17:23:33 +0200
Subject: [PATCH] webui: prohibit setting rid base with ipa-trust-ad-posix type
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/ui/src/freeipa/idrange.js | 77 ++++++++++++++++++++++++++++++---------
 1 file changed, 60 insertions(+), 17 deletions(-)
diff --git a/install/ui/src/freeipa/idrange.js b/install/ui/src/freeipa/idrange.js
index 12c0b288b766c059db6b844f445fb88b5821a1db..4e5dbfa00dcf80495d8a96f7fc961b9c6676691f 100644
--- a/install/ui/src/freeipa/idrange.js
+++ b/install/ui/src/freeipa/idrange.js
@@ -54,6 +54,11 @@ return {
                         'cn',
                         'iparangetype',
                         {
+                            name: 'iparangetyperaw',
+                            read_only: true,
+                            visible: false
+                        },
+                        {
                             name: 'ipabaseid',
                             label: '@i18n:objects.idrange.ipabaseid',
                             title: '@mo-param:idrange:ipabaseid:label'
@@ -80,6 +85,9 @@ return {
                         }
                     ]
                 }
+            ],
+            policies: [
+                exp.idrange_policy
             ]
         }
     ],
@@ -89,21 +97,6 @@ return {
                 name: 'cn'
             },
             {
-                name: 'ipabaseid',
-                label: '@i18n:objects.idrange.ipabaseid',
-                title: '@mo-param:idrange:ipabaseid:label'
-            },
-            {
-                name: 'ipaidrangesize',
-                label: '@i18n:objects.idrange.ipaidrangesize',
-                title: '@mo-param:idrange:ipaidrangesize:label'
-            },
-            {
-                name: 'ipabaserid',
-                label: '@i18n:objects.idrange.ipabaserid',
-                title: '@mo-param:idrange:ipabaserid:label'
-            },
-            {
                 name: 'iparangetype',
                 $type: 'radio',
                 label: '@i18n:objects.idrange.type',
@@ -125,6 +118,21 @@ return {
                 ]
             },
             {
+                name: 'ipabaseid',
+                label: '@i18n:objects.idrange.ipabaseid',
+                title: '@mo-param:idrange:ipabaseid:label'
+            },
+            {
+                name: 'ipaidrangesize',
+                label: '@i18n:objects.idrange.ipaidrangesize',
+                title: '@mo-param:idrange:ipaidrangesize:label'
+            },
+            {
+                name: 'ipabaserid',
+                label: '@i18n:objects.idrange.ipabaserid',
+                title: '@mo-param:idrange:ipabaserid:label'
+            },
+            {
                 name: 'ipasecondarybaserid',
                 label: '@i18n:objects.idrange.ipasecondarybaserid',
                 title: '@mo-param:idrange:ipasecondarybaserid:label'
@@ -147,7 +155,9 @@ IPA.idrange_adder_policy = function(spec) {
     The logic for enabling/requiring ipabaserid, ipasecondarybaserid and
     ipanttrusteddomainsid is as follows:
         1) for AD ranges (range type is ipa-ad-trust or ipa-ad-trust-posix):
-           * ipabaserid and ipanttrusteddomainsid are requred
+           * ipanttrusteddomainsid is required
+           * ipabaserid is required for ipa-ad-trust but disabled for
+             ipa-ad-trust-posix
            * ipasecondarybaserid is disabled
         2) for local ranges
            *  ipanttrusteddomainsid is disabled
@@ -206,7 +216,11 @@ IPA.idrange_adder_policy = function(spec) {
         var is_ad_range = (type_v === 'ipa-ad-trust' || type_v === 'ipa-ad-trust-posix');
         if (is_ad_range) {
-            require(baserid_f);
+            if (type_v === 'ipa-ad-trust') {
+                require(baserid_f);
+            } else {
+                disable(baserid_f);
+            }
             require(trusteddomainsid_f);
             disable(secondarybaserid_f);
         } else {
@@ -230,6 +244,35 @@ IPA.idrange_adder_policy = function(spec) {
     return that;
 };
+exp.idrange_policy = function(spec) {
+
+    spec = spec || {};
+    var that = IPA.facet_policy(spec);
+
+    that.post_load = function() {
+        var type_f = that.container.fields.get_field('iparangetyperaw');
+        var widgets = that.container.widgets;
+        var type_v = type_f.get_value()[0];
+
+        var baserid = true;
+        var secrid = true;
+        var sid = true;
+
+        if (type_v === 'ipa-local') {
+            sid = false;
+        } else if (type_v === 'ipa-ad-trust-posix') {
+            baserid = secrid = false;
+        } else if (type_v === 'ipa-ad-trust') {
+            secrid = false;
+        }
+
+        widgets.get_widget('details.ipabaserid').set_visible(baserid);
+        widgets.get_widget('details.ipasecondarybaserid').set_visible(secrid);
+        widgets.get_widget('details.ipanttrusteddomainsid').set_visible(sid);
+    };
+    return that;
+};
+
 exp.entity_spec = make_spec();
 exp.register = function() {
     var e = reg.entity;
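Review bot: `var type_v = type_f.get_value()[0];` yields `undefined` when the `iparangetyperaw` field holds no value, and because all three flags default to `true` the policy then shows every widget, including ones that make no sense for the range; that fallback is reasonable but undocumented, so I would add `// empty/unknown type: show everything rather than hide an attribute the entry may carry` above the `if` chain. The three `widgets.get_widget('details.…')` calls presumably throw if a widget path is missing; if `get_widget` returns `undefined` for unknown names, a guard would keep `post_load` from aborting the whole facet load. Note also that `set_visible(false)` is presentation only; the server-side range validation remains the authoritative check on which attributes a given range type may carry.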
--
2.1.0
SOURCES/0022-Fix-CA-certificate-backup-and-restore.patch
New file
@@ -0,0 +1,208 @@
From 9037c4d84bcf9cde48beb83d69f05c3733106c2d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 10 Nov 2014 16:24:22 +0000
Subject: [PATCH] Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
---
 ipaplatform/base/paths.py        |  2 +-
 ipaplatform/base/tasks.py        |  9 +++++++++
 ipaplatform/redhat/tasks.py      | 43 ++++++++++++++++++++--------------------
 ipaserver/install/ipa_backup.py  |  2 ++
 ipaserver/install/ipa_restore.py | 35 +++++++++++++++++++++++++++++++-
 5 files changed, 67 insertions(+), 24 deletions(-)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af502628e493ad7b4d8d30ed1acb98bba8cb39e4..e28147ab4aa1faa3859c38665a83f57fb67e96b2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -92,7 +92,7 @@ class BasePathNamespace(object):
     PAM_LDAP_CONF = "/etc/pam_ldap.conf"
     PASSWD = "/etc/passwd"
     ETC_PKI_CA_DIR = "/etc/pki-ca"
-    SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
+    SYSTEMWIDE_IPA_CA_CRT = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
     IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
     NSS_DB_DIR = "/etc/pki/nssdb"
     PKI_TOMCAT = "/etc/pki/pki-tomcat"
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 408447e43cd36d0cdf11a1877b3bc9880c4785de..a6684d7653d6de8202a489edb1f7a38f4b344bbc 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -49,6 +49,15 @@ class BaseTaskNamespace(object):
         return
+    def reload_systemwide_ca_store(self):
+        """
+        Reloads the systemwide CA store.
+
+        Returns True if the operation succeeded, False otherwise.
+        """
+
+        return True
+
     def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
         """
         Adds CA certificates from 'ca_certs' to the systemwide CA store
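Review bot: The base `reload_systemwide_ca_store` returns `True` without doing anything, so a platform that does not override it reports a successful reload even though its systemwide store is never refreshed; the docstring should say so, e.g. `Base implementation is a no-op that reports success; platforms that maintain a systemwide CA store must override it.`. Callers that treat `True` as "trust store is now current" cannot distinguish the two cases, which matters after a restore that replaced the CA files.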
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 555516d90a6d1a7d3d9aced5de82a5c1efe6b8c2..4977e1c7c496e36d56110bcdf040ab5c932d31a2 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         auth_config.add_option("nostart")
         auth_config.execute()
+    def reload_systemwide_ca_store(self):
+        try:
+            ipautil.run([paths.UPDATE_CA_TRUST])
+        except CalledProcessError, e:
+            root_logger.error(
+                "Could not update systemwide CA trust database: %s", e)
+            return False
+        else:
+            root_logger.info("Systemwide CA database updated.")
+            return True
+
     def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-        new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+        new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
         if os.path.exists(new_cacert_path):
             try:
@@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         f.close()
         # Add the CA to the systemwide CA trust database
-        try:
-            ipautil.run([paths.UPDATE_CA_TRUST])
-        except CalledProcessError, e:
-            root_logger.info("Failed to add CA to the systemwide "
-                             "CA trust database: %s" % str(e))
-        else:
-            root_logger.info('Added the CA to the systemwide CA trust '
-                             'database.')
-            return True
+        if not self.reload_systemwide_ca_store():
+            return False
-        return False
+        return True
     def remove_ca_certs_from_systemwide_ca_store(self):
-        ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+        result = True
         update = False
         # Remove CA cert from systemwide store
-        for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+        for new_cacert_path in (paths.IPA_P11_KIT,
+                                paths.SYSTEMWIDE_IPA_CA_CRT):
             if not os.path.exists(new_cacert_path):
                 continue
             try:
@@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
             except OSError, e:
                 root_logger.error(
                     "Could not remove %s: %s", new_cacert_path, e)
+                result = False
             else:
                 update = True
         if update:
-            try:
-                ipautil.run([paths.UPDATE_CA_TRUST])
-            except CalledProcessError, e:
-                root_logger.error(
-                    "Could not update systemwide CA trust database: %s", e)
+            if not self.reload_systemwide_ca_store():
                 return False
-            else:
-                root_logger.info("Systemwide CA database updated.")
-                return True
-        return False
+        return result
     def backup_and_replace_hostname(self, fstore, statestore, hostname):
         old_hostname = socket.gethostname()
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 75ee243d1c8deb6f8452744df4c040fd0794250c..5d583f7e9186f20ebe8187ba70db28de0c255ae7 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -138,6 +138,8 @@ class Backup(admintool.AdminTool):
         paths.SYSCONFIG_ODS,
         paths.ETC_SYSCONFIG_AUTHCONFIG,
         paths.IPA_NSSDB_PWDFILE_TXT,
+        paths.IPA_P11_KIT,
+        paths.SYSTEMWIDE_IPA_CA_CRT,
         paths.NSSWITCH_CONF,
         paths.KRB5_KEYTAB,
         paths.SSSD_CONF,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 352a1ca2bf283c0beb8c95925c6eb9c9984b3338..8b1e80f5ed5e140ccb17ea0b63d92b6049507b74 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -26,7 +26,7 @@ import pwd
 from ConfigParser import SafeConfigParser
 from ipalib import api, errors
-from ipapython import version
+from ipapython import version, ipautil, certdb
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
@@ -278,7 +278,9 @@ class Restore(admintool.AdminTool):
                     create_ca_user()
                 if options.online:
                     raise admintool.ScriptError('File restoration cannot be done online.')
+                self.cert_restore_prepare()
                 self.file_restore(options.no_logs)
+                self.cert_restore()
                 if 'CA' in self.backup_services:
                     self.__create_dogtag_log_dirs()
@@ -660,3 +662,34 @@ class Restore(admintool.AdminTool):
             tasks.set_selinux_booleans(bools)
         except ipapython.errors.SetseboolError as e:
             self.log.error('%s', e)
+
+    def cert_restore_prepare(self):
+        for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
+            filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
+            try:
+                ipautil.backup_file(filename)
+            except OSError as e:
+                self.log.error("Failed to backup %s: %s" % (filename, e))
+
+        tasks.remove_ca_certs_from_systemwide_ca_store()
+
+    def cert_restore(self):
+        if not os.path.exists(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db')):
+            certdb.create_ipa_nssdb()
+            ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+            sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+            for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+                                          ('External CA cert', 'C,,')):
+                try:
+                    cert = sys_db.get_cert(nickname)
+                except RuntimeError:
+                    pass
+                else:
+                    try:
+                        ipa_db.add_cert(cert, nickname, trust_flags)
+                    except ipautil.CalledProcessError as e:
+                        self.log.error(
+                            "Failed to add %s to %s: %s" %
+                            (nickname, paths.IPA_NSSDB_DIR, e))
+
+        tasks.reload_systemwide_ca_store()
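Review bot: Both `tasks.remove_ca_certs_from_systemwide_ca_store()` in `cert_restore_prepare` and `tasks.reload_systemwide_ca_store()` at the end of `cert_restore` return a boolean that is dropped, so when `update-ca-trust` fails (or an old anchor cannot be unlinked) the restore still finishes without any indication that the host's systemwide trust store may still contain the pre-restore anchors; I would at least log it, `if not tasks.reload_systemwide_ca_store(): self.log.error("Failed to reload the systemwide CA store; run update-ca-trust manually")`, and likewise for the prepare step. The `except RuntimeError: pass` around `sys_db.get_cert(nickname)` is fine for an absent `External CA cert`, but a `self.log.debug("%s not found in %s", nickname, paths.NSS_DB_DIR)` would make a missing `IPA CA` diagnosable. The `'CT,C,C'` / `'C,,'` trust flags are hard-coded rather than copied from the system database; presumably that matches how the IPA NSS DB is created elsewhere — worth confirming.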
--
2.1.0
SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch
File was deleted
SOURCES/0023-Fix-DNS-installer-adds-invalid-zonemgr-email.patch
New file
@@ -0,0 +1,43 @@
From cb9593d1571ed8704ebe33084463b2462a30cab9 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 7 Nov 2014 12:45:43 +0100
Subject: [PATCH] Fix: DNS installer adds invalid zonemgr email
The installer adds the zonemgr as a relative (and therefore invalid) address.
This fix forces the installer to use an absolute email address.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/share/bind.zone.db.template | 2 +-
 ipaserver/install/bindinstance.py   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template
index 6795bb01a7d8003a26dcc8a1cbc337550b3c296c..ec175c60825869ea9b86f7d1351a96189028b5d4 100644
--- a/install/share/bind.zone.db.template
+++ b/install/share/bind.zone.db.template
@@ -1,6 +1,6 @@
 $$ORIGIN $DOMAIN.
 $$TTL    86400
-@            IN SOA    $DOMAIN. $ZONEMGR. (
+@            IN SOA    $DOMAIN. $ZONEMGR (
                 01        ; serial
                 3H        ; refresh
                 15M        ; retry
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 6cf018e9cda3734a99a8ac5ac1df134e9e4c2293..16894de0a009aacb123cf76072f2556aebc5722f 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -563,7 +563,7 @@ class BindInstance(service.Service):
         self.no_dnssec_validation=no_dnssec_validation
         if not zonemgr:
-            self.zonemgr = 'hostmaster.%s' % self.domain
+            self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
         else:
             self.zonemgr = normalize_zonemgr(zonemgr)
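Review bot: The default branch now produces an absolute name via `normalize_zone(self.domain)`, but the companion template change drops the trailing `.` after `$ZONEMGR`, so correctness of the user-supplied branch now rests entirely on `normalize_zonemgr` (outside this hunk) always returning an absolute value; if it ever returns a relative name BIND will append the zone origin and the SOA RNAME becomes wrong again. I would record that invariant next to the assignment, `# bind.zone.db.template no longer appends '.', so zonemgr must already be absolute`, or assert it with `assert self.zonemgr.endswith('.')`. The enclosing `__init__`/setup method starts outside the hunk.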
--
2.1.0
SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
File was deleted
SOURCES/0024-ipaplatform-Use-the-dirsrv-service-not-target.patch
New file
@@ -0,0 +1,37 @@
From f16e7b3a95d48afc0e798055e8ff4ac9efd9ce28 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 11 Nov 2014 16:07:37 +0100
Subject: [PATCH] ipaplatform: Use the dirsrv service, not target
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.
https://fedorahosted.org/freeipa/ticket/4709
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaplatform/base/services.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 961c368e6b4d81d337cf0a8601075f052352ecbf..370b628c78a65591dec09db25f9f7545f920d795 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -187,8 +187,7 @@ class SystemdService(PlatformService):
         elements = self.systemd_name.split("@")
         # Make sure the correct DS instance is returned
-        if (elements[0] == 'dirsrv' and not instance_name and
-            operation == 'is-active'):
+        if elements[0] == 'dirsrv' and not instance_name:
             return ('dirsrv@%s.service'
                     % str(self.api.env.realm.replace('.', '-')))
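Review bot: Dropping the `operation == 'is-active'` condition means every operation on an instance-less `dirsrv` — including `enable`/`disable`, not just start/stop — is now redirected to `dirsrv@<REALM>.service`, and `dirsrv.target` is never touched by this code again; if an earlier release enabled the target at boot, nothing here disables it, so uninstall/upgrade paths that relied on the target name should be checked. The comment `# Make sure the correct DS instance is returned` should say why the realm is used: `# IPA runs exactly one DS instance, named after the realm with dots replaced by dashes`. The enclosing method starts outside the hunk.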
--
2.1.0
SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch
File was deleted
SOURCES/0025-CLDAP-do-not-prepend.patch
File was deleted
SOURCES/0025-Fix-DNS-policy-upgrade-raises-asertion-error.patch
New file
@@ -0,0 +1,29 @@
From a7fdb85235909e8498f0b8b257bbab5825c3c338 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 7 Nov 2014 15:09:29 +0100
Subject: [PATCH] Fix: DNS policy upgrade raises asertion error
Ticket: https://fedorahosted.org/freeipa/ticket/4708
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/plugins/dns.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 1aef837f63176cd307868c726460485fd4a004ed..62cf588d27155acb03026f69ea09ff15582d26dc 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -86,7 +86,9 @@ class update_dnszones(PostUpdate):
                         api.env.realm)
             if update:
-                api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
+                # FIXME: https://fedorahosted.org/freeipa/ticket/4722
+                api.Command.dnszone_mod(zone[u'idnsname'][0].make_absolute(),
+                                        **update)
         return (False, False, [])
--
2.1.0
SOURCES/0026-Fix-upgrade-referint-plugin.patch
New file
@@ -0,0 +1,153 @@
From 822910bb85c4dedff39faff142e645c5f2922984 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 7 Nov 2014 13:28:01 +0100
Subject: [PATCH] Fix upgrade referint plugin
Mixing 'old' and 'new' attribute styles for the referential integrity plugin causes errors.
The old settings are now migrated to the new-style settings before the upgrade.
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/updates/25-referint.update           | 13 +---
 ipaserver/install/plugins/Makefile.am        |  1 +
 ipaserver/install/plugins/update_referint.py | 90 ++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 12 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_referint.py
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index a43d21ad5152358cb939c3545f0eef9d251e7fe0..609eaba74f0fcde6ce875093587315681fbd4584 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -1,19 +1,8 @@
 # Expand attributes checked by Referential Integrity plugin
 # pres and eq indexes defined in 20-indices.update must be set for all these
 # attributes
+# NOTE: migration to new style is done in update_referint.py
 dn: cn=referential integrity postoperation,cn=plugins,cn=config
-remove: nsslapd-pluginArg7: manager
-remove: nsslapd-pluginArg8: secretary
-remove: nsslapd-pluginArg9: memberuser
-remove: nsslapd-pluginArg10: memberhost
-remove: nsslapd-pluginArg11: sourcehost
-remove: nsslapd-pluginArg12: memberservice
-remove: nsslapd-pluginArg13: managedby
-remove: nsslapd-pluginArg14: memberallowcmd
-remove: nsslapd-pluginArg15: memberdenycmd
-remove: nsslapd-pluginArg16: ipasudorunas
-remove: nsslapd-pluginArg17: ipasudorunasgroup
-remove: nsslapd-pluginArg18: ipatokenradiusconfiglink
 add: referint-membership-attr: manager
 add: referint-membership-attr: secretary
 add: referint-membership-attr: memberuser
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 635877d8c2160a91208276498cdb4cd9bc82d56b..d651297ac141b0f05831e7fabbb9b561cdd239c7 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -11,6 +11,7 @@ app_PYTHON =             \
     update_services.py    \
     update_anonymous_aci.py    \
     update_pacs.py        \
+    update_referint.py    \
     ca_renewal_master.py    \
     update_uniqueness.py    \
     $(NULL)
diff --git a/ipaserver/install/plugins/update_referint.py b/ipaserver/install/plugins/update_referint.py
new file mode 100644
index 0000000000000000000000000000000000000000..1b7411035b27ebba04246a7ee6f220d470b46688
--- /dev/null
+++ b/ipaserver/install/plugins/update_referint.py
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PreUpdate
+from ipalib import api, errors
+from ipapython.dn import DN
+from ipapython.ipa_log_manager import root_logger
+
+class update_referint(PreUpdate):
+    """
+    Update referential integrity configuration to new style
+    http://directory.fedoraproject.org/docs/389ds/design/ri-plugin-configuration.html
+
+    old attr              -> new attr
+    nsslapd-pluginArg0    -> referint-update-delay
+    nsslapd-pluginArg1    -> referint-logfile
+    nsslapd-pluginArg2    -> referint-logchanges
+    nsslapd-pluginArg3..N -> referint-membership-attr [3..N]
+
+    Old and new style cannot be mixed, all nslapd-pluginArg* attrs have to be removed
+    """
+
+    order = MIDDLE
+
+    referint_dn = DN(('cn', 'referential integrity postoperation'),
+                           ('cn', 'plugins'), ('cn', 'config'))
+
+    def execute(self, **options):
+
+        root_logger.debug("Upgrading referential integrity plugin configuration")
+        ldap = self.obj.backend
+        try:
+            entry = ldap.get_entry(self.referint_dn)
+        except errors.NotFound:
+            root_logger.error("Referential integrity configuration not found")
+            return False, False, []
+
+        referint_membership_attrs = []
+
+        root_logger.debug("Initial value: %s", repr(entry))
+
+        # nsslapd-pluginArg0    -> referint-update-delay
+        update_delay = entry.get('nsslapd-pluginArg0')
+        if update_delay:
+            root_logger.debug("add: referint-update-delay: %s", update_delay)
+            entry['referint-update-delay'] = update_delay
+            entry['nsslapd-pluginArg0'] = None
+        else:
+            root_logger.info("Plugin already uses new style, skipping")
+            return False, False, []
+
+        # nsslapd-pluginArg1    -> referint-logfile
+        logfile = entry.get('nsslapd-pluginArg1')
+        if logfile:
+            root_logger.debug("add: referint-logfile: %s", logfile)
+            entry['referint-logfile'] = logfile
+            entry['nsslapd-pluginArg1'] = None
+
+        # nsslapd-pluginArg2    -> referint-logchanges
+        logchanges = entry.get('nsslapd-pluginArg2')
+        if logchanges:
+            root_logger.debug("add: referint-logchanges: %s", logchanges)
+            entry['referint-logchanges'] = logchanges
+            entry['nsslapd-pluginArg2'] = None
+
+        # nsslapd-pluginArg3..N -> referint-membership-attr [3..N]
+        for key in entry.keys():
+            if key.lower().startswith('nsslapd-pluginarg'):
+                arg_val = entry.single_value[key]
+                if arg_val:
+                    referint_membership_attrs.append(arg_val)
+                entry[key] = None
+
+        if referint_membership_attrs:
+            # entry['referint-membership-attr'] is None, plugin doesn't allow
+            # mixing old and new style
+            entry['referint-membership-attr'] = referint_membership_attrs
+
+        root_logger.debug("Final value: %s", repr(entry))
+        try:
+            ldap.update_entry(entry)
+        except errors.EmptyModlist:
+            root_logger.debug("No modifications required")
+            return False, False, []
+
+        return False, True, []
+
+api.register(update_referint)
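Review bot: The "already new style" decision at `update_delay = entry.get('nsslapd-pluginArg0')` looks only at Arg0, so a configuration where Arg0 is already gone but `nsslapd-pluginArg3..N` survive (the exact mixed state the docstring says the plugin rejects) is skipped untouched; a more robust test is `if not any(k.lower().startswith('nsslapd-pluginarg') for k in entry.keys()): return False, False, []`. The loop `for key in entry.keys(): … entry[key] = None` mutates the entry while iterating its keys; that is safe only if `keys()` returns a fresh list for this entry type — presumably it does, but `list(entry.keys())` would remove the doubt. The same loop revisits Arg0–2 after they were set to `None`, relying on `entry.single_value[key]` tolerating a cleared attribute; worth confirming against `LDAPEntry`.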
--
2.1.0
SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch
File was deleted
SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
File was deleted
SOURCES/0027-Upgrade-fix-trusts-objectclass-violationi.patch
New file
@@ -0,0 +1,63 @@
From faa47e835213aaeff8ad4fa73b2bc20735615b37 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Mon, 10 Nov 2014 14:13:07 +0100
Subject: [PATCH] Upgrade: fix trusts objectclass violationi
Execute the updates in the proper order.
Currently the ldap-updater implementation does not allow a better fix.
Ticket: https://fedorahosted.org/freeipa/ticket/4680
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 install/updates/59-trusts-sysacount.update | 8 ++++++++
 install/updates/60-trusts.update           | 6 ------
 install/updates/Makefile.am                | 1 +
 3 files changed, 9 insertions(+), 6 deletions(-)
 create mode 100644 install/updates/59-trusts-sysacount.update
diff --git a/install/updates/59-trusts-sysacount.update b/install/updates/59-trusts-sysacount.update
new file mode 100644
index 0000000000000000000000000000000000000000..b90de80d27b36c9a7bfd3b358338a0a79d969813
--- /dev/null
+++ b/install/updates/59-trusts-sysacount.update
@@ -0,0 +1,8 @@
+# this update must be applied before 60-trusts.update, because current
+# implementation of ipa-ldap-updater doesn't keep the order of updates in
+# filesets
+dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
+add: objectClass: nestedgroup
+default: objectClass: GroupOfNames
+default: objectClass: top
+default: cn: adtrust agents
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 9dabc806e2f747c47ab809cd2ed2150b2a13c2a6..79caa837a55eae0e05e1a94f3eabdda7b2b9cc38 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -10,12 +10,6 @@ default: member: uid=admin,cn=users,cn=accounts,$SUFFIX
 default: nsAccountLock: FALSE
 default: ipaUniqueID: autogenerate
-dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
-add: objectClass: nestedgroup
-default: objectClass: GroupOfNames
-default: objectClass: top
-default: cn: adtrust agents
-
 dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
 default: objectClass: top
 default: objectClass: groupofnames
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index e62a64cea925aaeae9d013ab01a89371c727a6fd..255586c6de1cab52a526c1ca82b4720adf998eee 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -41,6 +41,7 @@ app_DATA =                \
     50-nis.update            \
     50-ipaconfig.update        \
     55-pbacmemberof.update        \
+    59-trusts-sysacount.update    \
     60-trusts.update        \
     61-trusts-s4u2proxy.update    \
     62-ranges.update        \
--
2.1.0
SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch
File was deleted
SOURCES/0028-Produce-better-error-in-group-add-command.patch
New file
@@ -0,0 +1,28 @@
From 2ed0fd652cce1cef6035856ff16bf090c844646e Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 5 Nov 2014 02:40:10 -0500
Subject: [PATCH] Produce better error in group-add command.
https://fedorahosted.org/freeipa/ticket/4611
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/group.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 03e6893e3c7604268b503b28ea39ed3f610aec47..d25ed9a1958119a5872db85e958323fdb8205366 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -287,7 +287,7 @@ class group_add(LDAPCreate):
         if options['external']:
             entry_attrs['objectclass'].append('ipaexternalgroup')
             if 'gidnumber' in options:
-                raise errors.RequirementError(name='gid')
+                raise errors.MutuallyExclusiveError(reason=_('gid cannot be set for external group'))
         elif not options['nonposix']:
             entry_attrs['objectclass'].append('posixgroup')
             if not 'gidnumber' in options:
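Review bot: Swapping `errors.RequirementError` for `errors.MutuallyExclusiveError` changes the error class and code that clients receive over the API for `group-add --external --gid`, so anything (including ipatests) that matched on the old error will break; no test update is included in this patch, so presumably one is needed. The new line also exceeds the file's line length; wrap it as `raise errors.MutuallyExclusiveError(` / `reason=_('gid cannot be set for external group'))`.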
--
2.1.0
SOURCES/0029-Search-using-proper-scope-when-connecting-CA-instanc.patch
New file
@@ -0,0 +1,32 @@
From 6aa3004870321dc5f34b2a6a9e6d6cdf2459d7ee Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 6 Nov 2014 16:10:01 -0500
Subject: [PATCH] Search using proper scope when connecting CA instances
The wrong search scope was being used when trying to determine if
a given master had a CA installed when trying to create a new
connection.
https://fedorahosted.org/freeipa/ticket/4704
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
 install/tools/ipa-csreplica-manage | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index c534446d7b0daf0ce0709edf952a8795ba85e937..6f6c6c75a122274eeb221f6e0eb15959dec56786 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -303,7 +303,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
         dn = DN(('cn', 'CA'), ('cn', replica2), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                 ipautil.realm_to_suffix(realm))
-        conn.get_entries(dn, conn.SCOPE_ONELEVEL)
+        conn.get_entries(dn, conn.SCOPE_BASE)
         conn.unbind()
     except errors.NotFound:
         sys.exit('%s does not have a CA configured.' % replica2)
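Review bot: `conn.unbind()` on the line after the `get_entries` call is inside the `try`, so when the lookup raises `errors.NotFound` the connection is never unbound before `sys.exit`; moving it to a `finally:` clause, `finally: conn.unbind()`, keeps the LDAP session from leaking. The scope fix itself is right: the entry `cn=CA,cn=<replica>,cn=masters,…` is the object being tested for existence, which is a `SCOPE_BASE` search. The enclosing `add_link` starts outside the hunk.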
--
2.1.0
SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch
File was deleted
SOURCES/0030-Fix-zonemgr-must-be-unicode-value.patch
New file
@@ -0,0 +1,30 @@
From 969021984125c94b1058bf94681f295071849a22 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 13 Nov 2014 18:22:22 +0100
Subject: [PATCH] Fix: zonemgr must be unicode value
To support IDNA, the --zonemgr option value must be unicode, not ascii.
https://fedorahosted.org/freeipa/ticket/4724
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 ipaserver/install/bindinstance.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 16894de0a009aacb123cf76072f2556aebc5722f..5bf784e62aec7c323a84fc5130e53c3deb86e6fd 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -403,6 +403,8 @@ def zonemgr_callback(option, opt_str, value, parser):
     """
     # validate the value first
     try:
+        # IDNA support requires unicode
+        value = value.decode(sys.stdin.encoding)
         validate_zonemgr_str(value)
     except ValueError, e:
         parser.error("invalid zonemgr: " + unicode(e))
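Review bot: `value.decode(sys.stdin.encoding)` raises `TypeError` when stdin is not a terminal (piped or redirected input, as in automated installs), because `sys.stdin.encoding` is `None` there; `TypeError` is not a `ValueError`, so it escapes the `except` and the installer tracebacks instead of reporting an invalid zonemgr. Use a fallback, `value = value.decode(sys.stdin.encoding or 'utf-8')`, or `locale.getpreferredencoding()`. `UnicodeDecodeError` is a `ValueError` subclass, so undecodable input is handled correctly by the existing clause. The enclosing `zonemgr_callback` starts outside the hunk.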
--
2.1.0
SOURCES/0030-Increase-service-startup-timeout-default.patch
File was deleted
SOURCES/0031-Fix-warning-message-should-not-contain-CLI-commands.patch
New file
@@ -0,0 +1,73 @@
From 22f830576d7d9f6585842818ea33379fd1674091 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 13 Nov 2014 14:02:02 +0100
Subject: [PATCH] Fix warning message should not contain CLI commands
Message is now universal for both CLI and WebUI
Ticket: https://fedorahosted.org/freeipa/ticket/4647
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipalib/messages.py                      | 4 ++--
 ipalib/plugins/dns.py                   | 9 ++++-----
 ipatests/test_xmlrpc/test_dns_plugin.py | 9 ++++++---
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 5eeab3c54caf3a7318d89a4aeaee1357fceb787f..102e35275dbe37328c84ecb3cd5b2a8d8578056f 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -175,8 +175,8 @@ class OptionSemanticChangedWarning(PublicMessage):
     errno = 13005
     type = "warning"
-    format = _(u"semantic of '%(option)s' option was changed: "
-               u"%(current_behavior)s.\n%(hint)s")
+    format = _(u"Semantic of %(label)s was changed. %(current_behavior)s\n"
+               u"%(hint)s")
 class DNSServerNotRespondingWarning(PublicMessage):
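Review bot: Renaming the format key from `%(option)s` to `%(label)s` makes the message a different keyword contract: any other `OptionSemanticChangedWarning(option=…)` call site will now raise `KeyError` at format time, and only the `dnszone` caller is updated in this patch, so other callers (if any) should be grepped for. The behaviour change is also API-visible text to clients; a one-line comment above `format`, `# keyword args: label, current_behavior, hint`, would document the expected keys.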
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index dd1e640f4062a32921bf1edf316e122b81a6d485..c5d96a8c4fcdf101254ecefb60cb83d63bee6310 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2369,11 +2369,10 @@ class dnszone(DNSZoneBase):
             messages.add_message(
                 options['version'],
                 result, messages.OptionSemanticChangedWarning(
-                    option=u"--name-server",
-                    current_behavior=_(u"the option is used only for "
-                                       u"setting up the SOA MNAME attribute"),
-                    hint=_(u"To edit NS record(s) in zone apex, use command "
-                           u"'dnsrecord-mod [zone] @ --ns-rec=nameserver'.")
+                    label=_(u"setting Authoritative nameserver"),
+                    current_behavior=_(u"It is used only for setting the "
+                                       u"SOA MNAME attribute."),
+                    hint=_(u"NS record(s) can be edited in zone apex - '@'. ")
                 )
             )
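Review bot: The hint string `hint=_(u"NS record(s) can be edited in zone apex - '@'. ")` carries a trailing space that ends up in the user-visible message and in the translation catalog; drop it, `hint=_(u"NS record(s) can be edited in zone apex - '@'.")`, and adjust the expected message in the test update below accordingly. The enclosing method starts outside the hunk.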
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index a34d11a3278c67a3d00ca8f59bb8d8d19cf8a46e..fb53853147ecf663cf7015867131445f32364cfb 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -497,9 +497,12 @@ class test_dns(Declarative):
                     'objectclass': objectclasses.dnszone,
                 },
                 'messages': (
-                    {'message': u"semantic of '--name-server' option was changed: the option is used only for setting up"
-                                u" the SOA MNAME attribute.\nTo edit NS record(s) in zone apex, use command "
-                                u"'dnsrecord-mod [zone] @ --ns-rec=nameserver'.",
+                    {'message': u"Semantic of setting Authoritative nameserver "
+                                u"was changed. "
+                                u"It is used only for setting the SOA MNAME "
+                                u"attribute.\n"
+                                u"NS record(s) can be edited in zone "
+                                u"apex - '@'. ",
                      'code': 13005,
                      'type': u'warning',
                      'name': u'OptionSemanticChangedWarning'},
--
2.1.0
SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch
File was deleted
SOURCES/0032-Fix-wrong-expiration-date-on-renewed-IPA-CA-certific.patch
New file
@@ -0,0 +1,54 @@
From 6c7f71caf333363f8b4c18b3229de1533c1ad6fc Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 18 Nov 2014 14:01:59 +0000
Subject: [PATCH] Fix wrong expiration date on renewed IPA CA certificates
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
---
 freeipa.spec.in                                     | 4 ++--
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index be13e69255e7612f84aeca22105645b544cc50b5..e29f77de0db89035d15008c6be2da0ae7e96158a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -140,7 +140,7 @@ Requires: python-dns >= 1.11.1
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
-Requires(pre): certmonger >= 0.75.13
+Requires(pre): certmonger >= 0.76.8
 Requires(pre): 389-ds-base >= 1.3.3.5
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
@@ -221,7 +221,7 @@ Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.12.2
-Requires: certmonger >= 0.75.6
+Requires: certmonger >= 0.76.8
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index e5ad9639b03b95e6e265214067a985f6c3ca0b2a..0a2cff148810e4800c02121afc68911c221d34d7 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -146,6 +146,8 @@ def request_cert():
     path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
     args = [path] + sys.argv[1:]
+    if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
+        args += ['-O', 'bypassCAnotafter=true']
     stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
     sys.stderr.write(stderr)
     sys.stderr.flush()
--
2.1.0
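Review bot: The new profile check in request_cert() is silent when CERTMONGER_CA_PROFILE is absent from the environment, so if certmonger does not export that variable the renewal quietly falls back to the old behaviour (the notAfter of the original certificate) with nothing in the log. The spec bump to certmonger >= 0.76.8 in the same patch presumably brings that variable, but the dependency is only visible in the spec; a comment above the check, `# CERTMONGER_CA_PROFILE is exported by certmonger >= 0.76.8; without it the renewed CA cert keeps the old notAfter`, would record it next to the code, and a debug line in the else case would make the fallback observable. request_cert() continues outside the hunk.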
SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch
File was deleted
SOURCES/0033-Do-not-restore-SELinux-settings-that-were-not-backed.patch
New file
@@ -0,0 +1,43 @@
From 449e333dbf4c803bb179e7d27f08666fd6e333af Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 18 Nov 2014 10:40:31 +0100
Subject: [PATCH] Do not restore SELinux settings that were not backed up
https://fedorahosted.org/freeipa/ticket/4678
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipaplatform/base/tasks.py   | 3 ++-
 ipaplatform/redhat/tasks.py | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index a6684d7653d6de8202a489edb1f7a38f4b344bbc..ab2c50332bce9f6eb95e2cb76aa6f7904b542765 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -146,7 +146,8 @@ class BaseTaskNamespace(object):
         :param required_settings: A dictionary mapping the boolean names
                                   to desired_values.
-                                  The desired value can be 'on' or 'off'.
+                                  The desired value can be 'on' or 'off',
+                                  or None to leave the setting unchanged.
         :param backup_func: A function called for each boolean with two
                             arguments: the name and the previous value
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 4977e1c7c496e36d56110bcdf040ab5c932d31a2..c01d8cf8b65b3d93ba204b3453f5c65d556723cf 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -366,6 +366,8 @@ class RedHatTaskNamespace(BaseTaskNamespace):
         updated_vars = {}
         failed_vars = {}
         for setting, state in required_settings.iteritems():
+            if state is None:
+                continue
             try:
                 (stdout, stderr, rc) = ipautil.run([paths.GETSEBOOL, setting])
                 original_state = stdout.split()[2]
--
2.1.0
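Review bot: The `None` contract added to the base docstring is enforced only by the `continue` at the top of the Red Hat loop, and nothing at that call site explains it. A one-line comment next to the new `if state is None:`, `# None means the value was never backed up: leave the boolean as it is`, would tie the two halves of the patch together. Any other platform implementation of this method would need the same guard, since the docstring now promises it for all of them; the loop body continues outside the hunk.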
SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch
File was deleted
SOURCES/0034-Improve-otptoken-help-messages.patch
New file
@@ -0,0 +1,121 @@
From 0d1c2e1039758c1c11fb60299f571013f3572842 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 6 Nov 2014 15:19:01 -0500
Subject: [PATCH] Improve otptoken help messages
https://fedorahosted.org/freeipa/ticket/4689
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipalib/plugins/otptoken.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 2b5f1c5fb83341d392e165a3507f5076820f1d3a..77366bafe7a102f5d2c048ac3d5f7d9948ed7fe4 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -153,6 +153,7 @@ class otptoken(LDAPObject):
         ),
         StrEnum('type?',
             label=_('Type'),
+            doc=_('Type of the token'),
             default=u'totp',
             autofill=True,
             values=tuple(TOKEN_TYPES.keys() + [x.upper() for x in TOKEN_TYPES]),
@@ -161,42 +162,52 @@ class otptoken(LDAPObject):
         Str('description?',
             cli_name='desc',
             label=_('Description'),
+            doc=_('Token description (informational only)'),
         ),
         Str('ipatokenowner?',
             cli_name='owner',
             label=_('Owner'),
+            doc=_('Assigned user of the token (default: self)'),
         ),
         Str('managedby_user?',
             label=_('Manager'),
+            doc=_('Assigned manager of the token (default: self)'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
         Bool('ipatokendisabled?',
             cli_name='disabled',
-            label=_('Disabled state')
+            label=_('Disabled'),
+            doc=_('Mark the token as disabled (default: false)')
         ),
         DateTime('ipatokennotbefore?',
             cli_name='not_before',
             label=_('Validity start'),
+            doc=_('First date/time the token can be used'),
         ),
         DateTime('ipatokennotafter?',
             cli_name='not_after',
             label=_('Validity end'),
+            doc=_('Last date/time the token can be used'),
         ),
         Str('ipatokenvendor?',
             cli_name='vendor',
             label=_('Vendor'),
+            doc=_('Token vendor name (informational only)'),
         ),
         Str('ipatokenmodel?',
             cli_name='model',
             label=_('Model'),
+            doc=_('Token model (informational only)'),
         ),
         Str('ipatokenserial?',
             cli_name='serial',
             label=_('Serial'),
+            doc=_('Token serial (informational only)'),
         ),
         OTPTokenKey('ipatokenotpkey?',
             cli_name='key',
             label=_('Key'),
+            doc=_('Token secret (Base32; default: random)'),
             default_from=lambda: os.urandom(KEY_LENGTH),
             autofill=True,
             flags=('no_display', 'no_update', 'no_search'),
@@ -204,6 +215,7 @@ class otptoken(LDAPObject):
         StrEnum('ipatokenotpalgorithm?',
             cli_name='algo',
             label=_('Algorithm'),
+            doc=_('Token hash algorithm'),
             default=u'sha1',
             autofill=True,
             flags=('no_update'),
@@ -212,6 +224,7 @@ class otptoken(LDAPObject):
         IntEnum('ipatokenotpdigits?',
             cli_name='digits',
             label=_('Digits'),
+            doc=_('Number of digits each token code will have'),
             values=(6, 8),
             default=6,
             autofill=True,
@@ -220,6 +233,7 @@ class otptoken(LDAPObject):
         Int('ipatokentotpclockoffset?',
             cli_name='offset',
             label=_('Clock offset'),
+            doc=_('TOTP token / FreeIPA server time difference'),
             default=0,
             autofill=True,
             flags=('no_update'),
@@ -227,6 +241,7 @@ class otptoken(LDAPObject):
         Int('ipatokentotptimestep?',
             cli_name='interval',
             label=_('Clock interval'),
+            doc=_('Length of TOTP token code validity'),
             default=30,
             autofill=True,
             minvalue=5,
@@ -235,6 +250,7 @@ class otptoken(LDAPObject):
         Int('ipatokenhotpcounter?',
             cli_name='counter',
             label=_('Counter'),
+            doc=_('Initial counter for the HOTP token'),
             default=0,
             autofill=True,
             minvalue=0,
--
2.1.0
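Review bot: The new doc strings for `ipatokentotpclockoffset` and `ipatokentotptimestep` do not say what unit the value is in, which is the one thing a user typing `--offset` or `--interval` needs; the default of 30 with `minvalue=5` suggests seconds, as TOTP time steps are. If so, `doc=_('TOTP token / FreeIPA server time difference (seconds)')` and `doc=_('Length of TOTP token code validity (seconds)')` would close the gap. The `ipatokenotpkey` doc, `Token secret (Base32; default: random)`, is the model to follow because it states both the format and the default.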
SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch
File was deleted
SOURCES/0035-Ensure-users-exist-when-assigning-tokens-to-them.patch
New file
@@ -0,0 +1,34 @@
From 6e7474a1db6d49a4b07cd01663ec7f55df5225c4 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 24 Oct 2014 16:16:50 -0400
Subject: [PATCH] Ensure users exist when assigning tokens to them
https://fedorahosted.org/freeipa/ticket/4642
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/otptoken.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 77366bafe7a102f5d2c048ac3d5f7d9948ed7fe4..f48feeee0502992f1b5fed4f342cace1c404624b 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -100,8 +100,11 @@ def _convert_owner(userobj, entry_attrs, options):
 def _normalize_owner(userobj, entry_attrs):
     owner = entry_attrs.get('ipatokenowner', None)
-    if owner is not None:
-        entry_attrs['ipatokenowner'] = userobj.get_dn(owner)
+    if owner:
+        try:
+            entry_attrs['ipatokenowner'] = userobj._normalize_manager(owner)[0]
+        except NotFound:
+            userobj.handle_not_found(owner)
 def _check_interval(not_before, not_after):
     if not_before and not_after:
--
2.1.0
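Review bot: `_normalize_owner` now calls `userobj._normalize_manager(owner)[0]`, a leading-underscore helper of the user plugin, so otptoken depends on a private method whose return shape (`[0]` of a sequence) is not part of any documented contract; a comment such as `# _normalize_manager resolves the login to a DN and raises NotFound when the user does not exist` would at least record the assumption. The `except NotFound` branch assumes `userobj.handle_not_found(owner)` raises; if it ever returned, the raw login would be written to `ipatokenowner` unnormalized. `NotFound` must be in scope in otptoken.py, which this hunk cannot show. Switching the guard from `is not None` to a truthiness test also means an empty owner string is now passed through as-is rather than resolved.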
SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
File was deleted
SOURCES/0036-Enable-QR-code-display-by-default-in-otptoken-add.patch
New file
@@ -0,0 +1,104 @@
From 9adf96c47f37ee027cef03dc5bed49c2567ae75d Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 6 Nov 2014 15:30:13 -0500
Subject: [PATCH] Enable QR code display by default in otptoken-add
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 API.txt                                  | 3 ++-
 VERSION                                  | 4 ++--
 ipalib/plugins/otptoken.py               | 5 +++--
 ipalib/plugins/otptoken_yubikey.py       | 1 +
 ipaserver/install/ipa_otptoken_import.py | 2 +-
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/API.txt b/API.txt
index 0000491d7a76fd1d2d50208d314d1600839ce295..2a63f1e2349f0df69433fa7cb742e269cd42d79f 100644
--- a/API.txt
+++ b/API.txt
@@ -2592,7 +2592,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: otptoken_add
-args: 1,22,3
+args: 1,23,3
 arg: Str('ipatokenuniqueid', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=False)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -2611,6 +2611,7 @@ option: Int('ipatokentotpclockoffset', attribute=True, autofill=True, cli_name='
 option: Int('ipatokentotptimestep', attribute=True, autofill=True, cli_name='interval', default=30, minvalue=5, multivalue=False, required=False)
 option: Str('ipatokenvendor', attribute=True, cli_name='vendor', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('no_qrcode', autofill=True, default=False)
 option: Flag('qrcode?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
diff --git a/VERSION b/VERSION
index 138648545c3cbe395303fa3cfa9dc99623b7e6c2..750b5058867ca5f073a083009c4aadeeb0240c35 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=108
-# Last change: pvoborni - manage authorization of keytab operations
+IPA_API_VERSION_MINOR=109
+# Last change: npmccallum - display qrcode by default
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index f48feeee0502992f1b5fed4f342cace1c404624b..f0850854f98e84e44acdcef311225220ac0129a3 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -268,7 +268,8 @@ class otptoken_add(LDAPCreate):
     msg_summary = _('Added OTP token "%(value)s"')
     takes_options = LDAPCreate.takes_options + (
-        Flag('qrcode?', label=_('Display QR code')),
+        Flag('qrcode?', label=_('(deprecated)'), flags=('no_option')),
+        Flag('no_qrcode', label=_('Do not display QR code'), default=False),
     )
     has_output_params = LDAPCreate.has_output_params + (
@@ -348,7 +349,7 @@ class otptoken_add(LDAPCreate):
         rv = super(otptoken_add, self).output_for_cli(textui, output, *args, **options)
         # Print QR code to terminal if specified
-        if uri and options.get('qrcode', False):
+        if uri and not options.get('no_qrcode', False):
             print "\n"
             qr = qrcode.QRCode()
             qr.add_data(uri)
diff --git a/ipalib/plugins/otptoken_yubikey.py b/ipalib/plugins/otptoken_yubikey.py
index e70ddb6e42b5ea34d7ebecb252d6bbd73ac64d03..7095887ac7cdf5d4b7d0d30edc6cab0222246664 100644
--- a/ipalib/plugins/otptoken_yubikey.py
+++ b/ipalib/plugins/otptoken_yubikey.py
@@ -124,6 +124,7 @@ class otptoken_add_yubikey(Command):
                                                 ipatokenotpalgorithm=u'sha1',
                                                 ipatokenhotpcounter=0,
                                                 ipatokenotpkey=key,
+                                                no_qrcode=True,
                                                 **options)
         # Suppress values we don't want to return.
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 31a6902014b8e3b2aafb3ba98a4190dc2059a3e7..b78aba93a2edc987450d921c87ea4f61b014b419 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -517,7 +517,7 @@ class OTPTokenImport(admintool.AdminTool):
             # Parse tokens
             for keypkg in self.doc.getKeyPackages():
                 try:
-                    api.Command.otptoken_add(keypkg.id, **keypkg.options)
+                    api.Command.otptoken_add(keypkg.id, no_qrcode=True, **keypkg.options)
                 except Exception as e:
                     self.log.warn("Error adding token: %s", e)
                 else:
--
2.1.0
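Review bot: `flags=('no_option')` in the new `qrcode?` Flag is a parenthesised string, not a one-element tuple; the same spelling appears in the file's existing `flags=('no_update')` lines, so the parameter machinery apparently accepts a bare string, but `flags=('no_option',)` says what is meant and does not depend on that. The deprecated `qrcode` option is now ignored entirely in `output_for_cli`, so a comment on the Flag, `# kept for API compatibility; the QR code is shown unless --no-qrcode is given`, would spare the next reader a search. API.txt still lists `qrcode?` as an ordinary option; whether the new flag is meant to be reflected there is not visible in the hunk.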
SOURCES/0036-Hide-trust-resolve-command.patch
File was deleted
SOURCES/0037-Show-warning-instead-of-error-if-CA-did-not-start.patch
New file
@@ -0,0 +1,32 @@
From 2e974ebf99737504f01feb2cbb85d3acbc2a15d6 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 18 Nov 2014 18:30:59 +0100
Subject: [PATCH] Show warning instead of error if CA did not start
This is just workaround, checking if CA is working raises false positive
exception during upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 install/tools/ipa-upgradeconfig | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f313d3a9efeb32d4cba97cb82796459652..3484f8e8768fe05dddb08e9a40e58d8ad9c2e1e7 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1457,6 +1457,10 @@ def main():
             ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
         except ipautil.CalledProcessError, e:
             root_logger.error("Failed to restart %s: %s", ca.service_name, e)
+        # FIXME https://fedorahosted.org/freeipa/ticket/4676
+        # workaround
+        except RuntimeError as e:
+            root_logger.warning(str(e))
     set_sssd_domain_option('ipa_server_mode', 'True')
--
2.1.0
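Review bot: The new `except RuntimeError` handler drops the context that the sibling `CalledProcessError` branch keeps: it logs only `str(e)` without naming the service, and `RuntimeError` is broad enough to cover failures other than the CA not coming up. `root_logger.warning("Failed to restart %s: %s", ca.service_name, e)` would keep the two branches parallel and make the warning searchable next to the error. The block also mixes the old `except X, e:` spelling on the line just above with the new `except X as e:` inside one try statement. main() continues outside the hunk.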
SOURCES/0037-Trust-domains-Web-UI.patch
File was deleted
SOURCES/0038-ipasam-delete-trusted-child-domains-before-removing-.patch
File was deleted
SOURCES/0038-webui-fix-potential-XSS-vulnerabilities.patch
New file
@@ -0,0 +1,131 @@
From a1d4f412181423cb3883650e033b9fb5b415bd83 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 10 Nov 2014 16:24:15 +0100
Subject: [PATCH] webui: fix potential XSS vulnerabilities
Escape user defined text to prevent XSS attacks. Extra precaution was taken
to escape also parts which are unlikely to contain user-defined text.
fixes CVE-2014-7850
https://fedorahosted.org/freeipa/ticket/4742
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 install/ui/src/freeipa/Application_controller.js |  4 ++--
 install/ui/src/freeipa/facet.js                  | 12 +++++++-----
 install/ui/src/freeipa/ipa.js                    |  1 +
 install/ui/src/freeipa/rule.js                   |  2 +-
 install/ui/src/freeipa/widget.js                 |  4 ++--
 5 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 094bd3da7c4806a316ebe2589b98a523410f4a5f..4bf76f8f56a8e34e330c35956b8922cc3c8f79e3 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -252,12 +252,12 @@ define([
             var error_container = $('<div/>', {
                 'class': 'container facet-content facet-error'
             }).appendTo($('.app-container .content').empty());
-            error_container.append('<h1>'+name+'</h1>');
+            error_container.append($('<h1/>', { text: name }));
             var details = $('<div/>', {
                 'class': 'error-details'
             }).appendTo(error_container);
-            details.append('<p> Web UI got in unrecoverable state during "'+error.phase+'" phase.</p>');
+            details.append($('<p/>', { text: 'Web UI got in unrecoverable state during "' + error.phase + '" phase' }));
             if (error.name) window.console.error(error.name);
             if (error.results) {
                 var msg = error.results.message;
diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js
index 43627d9d531ed700ff780a0773451eaf17b1cbdd..b0121c75fd584988883a3b5f7d1665a985a321fd 100644
--- a/install/ui/src/freeipa/facet.js
+++ b/install/ui/src/freeipa/facet.js
@@ -895,12 +895,12 @@ exp.facet = IPA.facet = function(spec, no_init) {
         title = title.replace('${error}', error_thrown.name);
         that.error_container.empty();
-        that.error_container.append('<h1>'+title+'</h1>');
+        that.error_container.append($('<h1/>', { text: title }));
         var details = $('<div/>', {
             'class': 'error-details'
         }).appendTo(that.error_container);
-        details.append('<p>'+error_thrown.message+'</p>');
+        details.append($('<p/>', { text: error_thrown.message }));
         $('<div/>', {
             text: text.get('@i18n:error_report.options')
@@ -932,7 +932,9 @@ exp.facet = IPA.facet = function(spec, no_init) {
             }
         );
-        that.error_container.append('<p>'+text.get('@i18n:error_report.problem_persists')+'</p>');
+        that.error_container.append($('<p/>', {
+            text: text.get('@i18n:error_report.problem_persists')
+        }));
         that.show_error();
     };
@@ -1214,7 +1216,7 @@ exp.facet_header = IPA.facet_header = function(spec) {
                 click: item.handler
             }).appendTo(bc_item);
         } else {
-            bc_item.append(item.text);
+            bc_item.text(item.text);
         }
         return bc_item;
     };
@@ -1823,7 +1825,7 @@ exp.table_facet = IPA.table_facet = function(spec, no_init) {
             function(xhr, text_status, error_thrown) {
                 that.load_records([]);
                 var summary = that.table.summary.empty();
-                summary.append(error_thrown.name+': '+error_thrown.message);
+                summary.text(error_thrown.name+': '+error_thrown.message);
             }
         );
     };
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 6d3aeaaaaca11dfdaf20935e5c9084c9ed106e6c..137f11e832ff8d0b6dd1b50060f8537c7b117616 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -1133,6 +1133,7 @@ IPA.notify = function(message, type, timeout) {
     if (typeof message === 'string') {
         message = text.get(message);
+        message = document.createTextNode(message);
     }
     var notification_area = $('#notification .notification-area');
diff --git a/install/ui/src/freeipa/rule.js b/install/ui/src/freeipa/rule.js
index 8a2b01963b74e1892ac15127ae0050b35fe6ac27..706827190261efda136f6d1489bdb13543c00f7a 100644
--- a/install/ui/src/freeipa/rule.js
+++ b/install/ui/src/freeipa/rule.js
@@ -91,7 +91,7 @@ IPA.rule_radio_widget = function(spec) {
         var param_info = IPA.get_entity_param(that.entity.name, that.name);
         var title = param_info ? param_info.doc : that.name;
-        container.append(title + ': ');
+        container.append(document.createTextNode(title + ': '));
         that.widget_create(container);
         that.owb_create(container);
         if (that.undo) {
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 9240df8ef5402310ec9ceafd0b766def10c8cb48..1ef1a2bf22b735edcfcca44cfc1e69bc8d36a740 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -4166,8 +4166,8 @@ IPA.link_widget = function(spec) {
         that.values = util.normalize_value(values);
         that.value = that.values.slice(-1)[0] || '';
-        that.link.html(that.value);
-        that.nonlink.html(that.value);
+        that.link.text(that.value);
+        that.nonlink.text(that.value);
         that.update_link();
         that.check_entity_link();
         that.on_value_changed(values);
--
2.1.0
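Review bot: In `IPA.notify` the text-node conversion is applied only when `message` is a string, so a non-string `message` (an element or jQuery object built by the caller) still reaches the notification area as the caller made it; the rest of the function is outside the hunk, so whether that path exists is inferred. A comment on the new line, `// strings are inserted as text nodes; callers that pass elements are responsible for escaping`, would make the contract explicit. The other hunks in this section follow the same pattern (`text:` in constructors, `.text()` instead of `.html()` or string concatenation), which is the right fix; in `Application_controller.js` the `error.phase` value is still concatenated into a string, which is safe only because the result goes through the `text` property.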
SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch
File was deleted
SOURCES/0039-Raise-right-exception-if-domain-name-is-not-valid.patch
New file
@@ -0,0 +1,46 @@
From e2f285e7c63a8ff9f2c049ee3a058b6e281352a8 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 19 Nov 2014 14:51:20 +0100
Subject: [PATCH] Raise right exception if domain name is not valid
Because of dnspython implementation, in some cases UnicodeError is
raised instead of DNS SyntaxError
Ticket: https://fedorahosted.org/freeipa/ticket/4734
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipapython/dnsutil.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index d7841fe2548dd100d51e60ea11bc6e468f3475cf..f08cddad959658a11623a31cb591655f1a5fdabf 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -26,15 +26,16 @@ class DNSName(dns.name.Name):
     labels = None  # make pylint happy
     def __init__(self, labels, origin=None):
-        if isinstance(labels, str):
-            #pylint: disable=E1101
-            labels = dns.name.from_text(labels, origin).labels
-        elif isinstance(labels, unicode):
-            #pylint: disable=E1101
-            labels = dns.name.from_unicode(labels, origin).labels
-        elif isinstance(labels, dns.name.Name):
-            labels = labels.labels
         try:
+            if isinstance(labels, str):
+                #pylint: disable=E1101
+                labels = dns.name.from_text(labels, origin).labels
+            elif isinstance(labels, unicode):
+                #pylint: disable=E1101
+                labels = dns.name.from_unicode(labels, origin).labels
+            elif isinstance(labels, dns.name.Name):
+                labels = labels.labels
+
             super(DNSName, self).__init__(labels)
         except UnicodeError, e:
             # dnspython bug, an invalid domain name returns the UnicodeError
--
2.1.0
SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
File was deleted
SOURCES/0040-Restore-file-extended-attributes-and-SELinux-context.patch
New file
@@ -0,0 +1,38 @@
From 387a4fb2430639f3d87ee1d310997576ddfd9246 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 20 Nov 2014 12:45:40 +0000
Subject: [PATCH] Restore file extended attributes and SELinux context in
 ipa-restore
https://fedorahosted.org/freeipa/ticket/4712
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
---
 ipaserver/install/ipa_restore.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 8b1e80f5ed5e140ccb17ea0b63d92b6049507b74..7b92ab5d490a7a254b1ea307d5031da002b9f653 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -523,6 +523,8 @@ class Restore(admintool.AdminTool):
         cwd = os.getcwd()
         os.chdir('/')
         args = ['tar',
+                '--xattrs',
+                '--selinux',
                 '-xzf',
                 os.path.join(self.dir, 'files.tar')
                ]
@@ -581,6 +583,8 @@ class Restore(admintool.AdminTool):
         os.chdir(self.dir)
         args = ['tar',
+                '--xattrs',
+                '--selinux',
                 '-xzf',
                 filename,
                 '.'
--
2.1.0
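Review bot: The `--xattrs`/`--selinux` options added to both tar invocations (the second hunk at the `filename` extraction repeats the same pair) only have an effect if the archive was written with the same options by the backup side, which this patch does not show; a comment, `# the backup is created with --xattrs/--selinux; restore them so labels and attributes survive the round trip`, would state that pairing. Restoring extended attributes also means that attributes stored in `files.tar`, such as file capabilities and SELinux labels, are applied as-is while extracting as root from `/`, so the integrity of the backup archive now determines more than file contents. Both options are GNU tar extensions, which is worth noting next to the argument list.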
SOURCES/0041-Migration-does-not-add-users-to-default-group.patch
File was deleted
SOURCES/0041-restore-clear-httpd-ccache-after-restore.patch
New file
@@ -0,0 +1,32 @@
From 8fb9a4a82c6ab1026e3d414d39b86d0467735a37 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Thu, 20 Nov 2014 15:11:02 +0100
Subject: [PATCH] restore: clear httpd ccache after restore
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
 Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Decrypt integrity check failed)
https://fedorahosted.org/freeipa/ticket/4726
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
---
 ipaserver/install/ipa_restore.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 7b92ab5d490a7a254b1ea307d5031da002b9f653..93f176d302a49319940555a0be3037620143e1f3 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -315,6 +315,8 @@ class Restore(admintool.AdminTool):
                 self.log.info('Restarting SSSD')
                 sssd = services.service('sssd')
                 sssd.restart()
+                http = httpinstance.HTTPInstance()
+                http.remove_httpd_ccache()
         finally:
             try:
                 os.chdir(cwd)
--
2.1.0
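Review bot: The two new lines construct a full `HTTPInstance` only to call `remove_httpd_ccache()`, and nothing at the call site says why; the reason lives only in the commit message. A comment such as `# drop the httpd ccache so credentials from before the restore do not break GSSAPI auth` would carry it into the code. `httpinstance` has to be imported in ipa_restore.py, which the hunk cannot confirm, and the call sits inside a `try`/`finally` whose `try` begins outside the hunk.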
SOURCES/0042-Fix-user-group-ignore-attribute-in-migration-plugin.patch
New file
@@ -0,0 +1,45 @@
From 7f2021b3fc501d3ee70976f4dba06629c71ae417 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Wed, 19 Nov 2014 09:57:59 -0500
Subject: [PATCH] Fix --{user,group}-ignore-attribute in migration plugin.
Ignore case in attribute names.
https://fedorahosted.org/freeipa/ticket/4620
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipalib/plugins/migration.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 6b630a464f0be163e82de95afe3a74b22889574b..fa3d512bf1434c7d349713f78c292b481021303a 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -196,9 +196,8 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
         entry_attrs.setdefault('loginshell', default_shell)
     # do not migrate all attributes
-    for attr in entry_attrs.keys():
-        if attr in attr_blacklist:
-            del entry_attrs[attr]
+    for attr in attr_blacklist:
+        entry_attrs.pop(attr, None)
     # do not migrate all object classes
     if 'objectclass' in entry_attrs:
@@ -393,9 +392,8 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg
         raise ValueError('Schema %s not supported' % schema)
     # do not migrate all attributes
-    for attr in entry_attrs.keys():
-        if attr in attr_blacklist:
-            del entry_attrs[attr]
+    for attr in attr_blacklist:
+        entry_attrs.pop(attr, None)
     # do not migrate all object classes
     if 'objectclass' in entry_attrs:
--
2.1.0
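Review bot: The commit says attribute names are now matched ignoring case, but nothing in the new loop does that itself: `entry_attrs.pop(attr, None)` is case-insensitive only if `entry_attrs` is a case-insensitive mapping (an LDAP entry object), which the hunk cannot show. A comment, `# entry_attrs is case-insensitive, so the blacklist need not match the server's spelling`, would record the assumption in both `_pre_migrate_user` and `_pre_migrate_group` (the second hunk makes the same change). Iterating the short blacklist rather than every entry attribute is also the simpler shape for this loop.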
SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
File was deleted
SOURCES/0043-Fix-filtering-of-enctypes-in-server-code.patch
New file
@@ -0,0 +1,98 @@
From 6a6389fefdc055b5a920e6e4412ff0b7e37ef33a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 17 Nov 2014 21:05:56 -0500
Subject: [PATCH] Fix filtering of enctypes in server code.
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
 .../ipa-pwd-extop/ipa_pwd_extop.c                  | 60 ++++++++++++++++------
 1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f0346a343188930dfc90e19d2e5d38cb30741b90..b87ae0dc7a180008228f31293b49212df80584e8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -125,6 +125,48 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
     }
 }
+static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
+                            krb5_key_salt_tuple *kenctypes,
+                            int *num_kenctypes)
+{
+    /* first filter for duplicates */
+    for (int i = 0; i + 1 < *num_kenctypes; i++) {
+        for (int j = i + 1; j < *num_kenctypes; j++) {
+            if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
+                /* duplicate, filter out */
+                for (int k = j; k + 1 < *num_kenctypes; k++) {
+                    kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+                    kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+                }
+                (*num_kenctypes)--;
+                j--;
+            }
+        }
+    }
+
+    /* then filter for supported */
+    for (int i = 0; i < *num_kenctypes; i++) {
+        int j;
+
+        /* Check if supported */
+        for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
+            if (kenctypes[i].ks_enctype ==
+                                    krbcfg->supp_encsalts[j].ks_enctype) {
+                break;
+            }
+        }
+        if (j == krbcfg->num_supp_encsalts) {
+            /* Unsupported, filter out */
+            for (int k = i; k + 1 < *num_kenctypes; k++) {
+                kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+                kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+            }
+            (*num_kenctypes)--;
+            i--;
+        }
+    }
+}
+
 static int ipapwd_to_ldap_pwpolicy_error(int ipapwderr)
 {
     switch (ipapwderr) {
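Review bot: filter_enctypes can leave `*num_kenctypes` at 0 when none of the requested enctypes appears in `krbcfg->supp_encsalts` (or when `num_supp_encsalts` is 0), and nothing in this hunk signals that to the caller; the call site in ipapwd_getkeytab is outside this hunk, so it is worth confirming there that an empty list is rejected rather than handed on to key generation. The two element-removal loops (after the duplicate test and after the unsupported test) are the same four-line shift written twice; each can be replaced by `memmove(&kenctypes[k0], &kenctypes[k0 + 1], (size_t)(*num_kenctypes - k0 - 1) * sizeof *kenctypes);` with k0 = j and k0 = i respectively, which also moves the whole tuple instead of the two named fields. A header comment would make the contract explicit, e.g. `/* Remove duplicate and unsupported enctypes from kenctypes in place; *num_kenctypes is updated and may end up 0. Duplicates are matched on ks_enctype only, so the first salttype seen for an enctype is kept. */`.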
@@ -1740,23 +1782,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
             goto free_and_return;
         }
-        for (int i = 0; i < num_kenctypes; i++) {
-
-            /* Check if supported */
-            for (int j = 0; j < krbcfg->num_supp_encsalts; j++) {
-                if (kenctypes[i].ks_enctype ==
-                                        krbcfg->supp_encsalts[j].ks_enctype) {
-                    continue;
-                }
-            }
-            /* Unsupported, filter out */
-            for (int j = i; j + 1 < num_kenctypes; j++) {
-                kenctypes[j].ks_enctype = kenctypes[j + 1].ks_enctype;