The Identity, Policy and Audit system
bc720f31aaf83a07b43ab005cf8763fbdb61b323..bedac4b191e52e86d0892b03b4f89c0ebf0df307
2019-01-29 CentOS Sources
debrand ipa-4.6.4-10.el7_6.2
bedac4
2019-01-29 CentOS Sources
import ipa-4.6.4-10.el7_6.2
21de49
11 files added
6 files modified
1067 changed lines
SOURCES/0046-Find-orphan-automember-rules.patch (214 changed lines)
SOURCES/0047-Add-a-shared-vault-retrieve-test.patch (113 changed lines)
SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch (35 changed lines)
SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch (48 changed lines)
SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch (86 changed lines)
SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch (51 changed lines)
SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch (76 changed lines)
SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch (32 changed lines)
SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch (145 changed lines)
SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch (78 changed lines)
SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch (87 changed lines)
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch (26 changed lines)
SOURCES/1002-Package-copy-schema-to-ca.py.patch (8 changed lines)
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch (4 changed lines)
SOURCES/1004-Remove-csrgen.patch (26 changed lines)
SOURCES/1005-Removing-filesystem-encoding-check.patch (4 changed lines)
SPECS/ipa.spec (34 changed lines)
SOURCES/0046-Find-orphan-automember-rules.patch
New file
@@ -0,0 +1,214 @@
From b78abe934c6c0038f74dd9e52309f61854d86469 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 1 Oct 2018 11:58:26 +0100
Subject: [PATCH] Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.
A new command has been added to the ipa tool:
  ipa automember-find-orphans --type={hostgroup,group} [--remove]
This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.
The IPA API version has been increased and a test case has been added.
Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>
See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 API.txt                                       | 15 +++++
 VERSION.m4                                    |  4 +-
 ipaserver/plugins/automember.py               | 60 +++++++++++++++++++
 .../test_xmlrpc/test_automember_plugin.py     | 48 +++++++++++++++
 4 files changed, 125 insertions(+), 2 deletions(-)
diff --git a/API.txt b/API.txt
index 0e09e58a6ecaa4f724fb0c92b4faaf64df9fab5a..b9dc35fb5752ce04f58aa8c4c3e89c7299f34cd7 100644
--- a/API.txt
+++ b/API.txt
@@ -186,6 +186,20 @@ output: Output('count', type=[<type 'int'>])
 output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
+command: automember_find_orphans/1
+args: 1,7,4
+arg: Str('criteria?')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('description?', autofill=False, cli_name='desc')
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Flag('remove?', autofill=True, default=False)
+option: StrEnum('type', values=[u'group', u'hostgroup'])
+option: Str('version?')
+output: Output('count', type=[<type 'int'>])
+output: ListOfEntries('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: Output('truncated', type=[<type 'bool'>])
 command: automember_mod/1
 args: 1,9,3
 arg: Str('cn', cli_name='automember_rule')
@@ -6498,6 +6512,7 @@ default: automember_default_group_set/1
 default: automember_default_group_show/1
 default: automember_del/1
 default: automember_find/1
+default: automember_find_orphans/1
 default: automember_mod/1
 default: automember_rebuild/1
 default: automember_remove_condition/1
diff --git a/VERSION.m4 b/VERSION.m4
index 81e671ed60f2ada0766b06db879c706cf7c4c77a..7ebf3410c8a688577f1fabc37d65b128e47418a6 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -82,8 +82,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 229)
-# Last change: Added the Certificate parameter
+define(IPA_API_VERSION_MINOR, 230)
+# Last change: Added `automember-find-orphans' command
 ########################################################
diff --git a/ipaserver/plugins/automember.py b/ipaserver/plugins/automember.py
index 1e29f365784695c2cf1947f62351d99d7da0515d..3f48769f588f8db03caf65e7bc1206047796f63e 100644
--- a/ipaserver/plugins/automember.py
+++ b/ipaserver/plugins/automember.py
@@ -116,6 +116,11 @@ EXAMPLES:
 """) + _("""
  Find all of the automember rules:
     ipa automember-find
+""") + _("""
+ Find all of the orphan automember rules:
+    ipa automember-find-orphans --type=hostgroup
+ Find all of the orphan automember rules and remove them:
+    ipa automember-find-orphans --type=hostgroup --remove
 """) + _("""
  Display a automember rule:
     ipa automember-show --type=hostgroup webservers
@@ -820,3 +825,58 @@ class automember_rebuild(Method):
             result=result,
             summary=unicode(summary),
             value=pkey_to_value(None, options))
+
+
+@register()
+class automember_find_orphans(LDAPSearch):
+    __doc__ = _("""
+    Search for orphan automember rules. The command might need to be run as
+    a privileged user user to get all orphan rules.
+    """)
+    takes_options = group_type + (
+        Flag(
+            'remove?',
+            doc=_("Remove orphan automember rules"),
+        ),
+    )
+
+    msg_summary = ngettext(
+        '%(count)d rules matched', '%(count)d rules matched', 0
+    )
+
+    def execute(self, *keys, **options):
+        results = super(automember_find_orphans, self).execute(*keys,
+                                                               **options)
+
+        remove_option = options.get('remove')
+        pkey_only = options.get('pkey_only', False)
+        ldap = self.obj.backend
+        orphans = []
+        for entry in results["result"]:
+            am_dn_entry = entry['automembertargetgroup'][0]
+            # Make DN for --raw option
+            if not isinstance(am_dn_entry, DN):
+                am_dn_entry = DN(am_dn_entry)
+            try:
+                ldap.get_entry(am_dn_entry)
+            except errors.NotFound:
+                if pkey_only:
+                    # For pkey_only remove automembertargetgroup
+                    del(entry['automembertargetgroup'])
+                orphans.append(entry)
+                if remove_option:
+                    ldap.delete_entry(entry['dn'])
+
+        results["result"][:] = orphans
+        results["count"] = len(orphans)
+        return results
+
+    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args,
+                     **options):
+        assert isinstance(base_dn, DN)
+        scope = ldap.SCOPE_SUBTREE
+        ndn = DN(('cn', options['type']), base_dn)
+        if options.get('pkey_only', False):
+            # For pkey_only add automembertargetgroup
+            attrs_list.append('automembertargetgroup')
+        return filters, ndn, scope
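Review bot: in `execute`, a failing `ldap.get_entry(am_dn_entry)` is taken as proof that the target group no longer exists, but `errors.NotFound` is also what a caller sees for an entry that exists and is simply not readable to them, so a caller who can delete automember rules but cannot read the target groups would, with `--remove`, delete rules whose groups are still there. The docstring alludes to this ("might need to be run as a privileged user user", which also repeats "user"), but `--remove` deserves an explicit warning in its doc string or a check that the target container is readable before anything is deleted. Smaller points: `results["truncated"]` is left as the underlying search reported it while `count` is recomputed from `orphans`, so a truncated search can silently miss orphans; `ngettext('%(count)d rules matched', '%(count)d rules matched', 0)` uses the same string for singular and plural; and `del(entry['automembertargetgroup'])` is a statement, so the parentheses should go.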
diff --git a/ipatests/test_xmlrpc/test_automember_plugin.py b/ipatests/test_xmlrpc/test_automember_plugin.py
index ffbc91104ab504a98099babb024f9edab114ac5b..c83e11ac9410ce07a431f818bda79a34fcc3b180 100644
--- a/ipatests/test_xmlrpc/test_automember_plugin.py
+++ b/ipatests/test_xmlrpc/test_automember_plugin.py
@@ -715,3 +715,51 @@ class TestMultipleAutomemberConditions(XMLRPC_test):
         defaultgroup1.ensure_missing()
         defaulthostgroup1.ensure_missing()
+
+
+@pytest.mark.tier1
+class TestAutomemberFindOrphans(XMLRPC_test):
+    def test_create_deps_for_find_orphans(self, hostgroup1, host1,
+                                          automember_hostgroup):
+        """ Create host, hostgroup, and automember tracker for this class
+        of tests. """
+
+        # Create hostgroup1 and automember rule with condition
+        hostgroup1.ensure_exists()
+        host1.ensure_exists()
+
+        # Manually create automember rule and condition, racker will try to
+        # remove the automember rule in the end, which is failing as the rule
+        # is already removed
+        api.Command['automember_add'](hostgroup1.cn, type=u'hostgroup')
+        api.Command['automember_add_condition'](
+            hostgroup1.cn,
+            key=u'fqdn', type=u'hostgroup',
+            automemberinclusiveregex=[hostgroup_include_regex]
+        )
+
+        hostgroup1.retrieve()
+
+    def test_find_orphan_automember_rules(self, hostgroup1):
+        """ Remove hostgroup1, find and remove obsolete automember rules. """
+        # Remove hostgroup1
+
+        hostgroup1.ensure_missing()
+
+        # Find obsolete automember rules
+        result = api.Command['automember_find_orphans'](type=u'hostgroup')
+        assert result['count'] == 1
+
+        # Find and remove obsolete automember rules
+        result = api.Command['automember_find_orphans'](type=u'hostgroup',
+                                                        remove=True)
+        assert result['count'] == 1
+
+        # Find obsolete automember rules
+        result = api.Command['automember_find_orphans'](type=u'hostgroup')
+        assert result['count'] == 0
+
+        # Final cleanup of automember rule if it still exists
+        with raises_exact(errors.NotFound(
+                reason=u'%s: Automember rule not found' % hostgroup1.cn)):
+            api.Command['automember_del'](hostgroup1.cn, type=u'hostgroup')
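Review bot: `test_find_orphan_automember_rules` only works if `test_create_deps_for_find_orphans` ran first in the same class, and that dependency is carried by method order alone; a class-scoped fixture that creates the rule and condition would make the ordering explicit and would also remove the need for the final `raises_exact(errors.NotFound(...))` cleanup. Two small things: "racker will try to remove" should read "tracker", and `hostgroup_include_regex` is used but not defined in this hunk, so it is assumed to exist elsewhere in the module.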
--
2.17.2
SOURCES/0047-Add-a-shared-vault-retrieve-test.patch
New file
@@ -0,0 +1,113 @@
From 107e20a158c867a52eadb0d65982ce2f7f3ce699 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Nov 2018 17:05:30 +0100
Subject: [PATCH] Add a shared-vault-retrieve test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>

Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipatests/test_integration/test_vault.py | 65 ++++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
index 496ccb1bbdd06407e9b356ac210f639436312a22..c3465799ff933ae175684ade83b4bf276b921a96 100644
--- a/ipatests/test_integration/test_vault.py
+++ b/ipatests/test_integration/test_vault.py
@@ -20,14 +20,17 @@ class TestInstallKRA(IntegrationTest):
     vault_password = "password"
     vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
+    vault_user = "vault_user"
+    vault_user_password = "vault_user_password"
     vault_name_master = "ci_test_vault_master"
     vault_name_master2 = "ci_test_vault_master2"
     vault_name_master3 = "ci_test_vault_master3"
     vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
+    shared_vault_name_replica_without_KRA = ("ci_test_shared"
+                                             "_vault_replica_without_kra")
     vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
     vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
-
     @classmethod
     def install(cls, mh):
         tasks.install_master(cls.master, setup_kra=True)
@@ -89,6 +92,66 @@ class TestInstallKRA(IntegrationTest):
         self._retrieve_secret([self.vault_name_replica_without_KRA])
+    def test_create_and_retrieve_shared_vault_replica_without_kra(self):
+        # create vault
+        self.replicas[0].run_command([
+            "ipa", "vault-add",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--type", "standard",
+        ])
+
+        # archive secret
+        self.replicas[0].run_command([
+            "ipa", "vault-archive",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--data", self.vault_data,
+        ])
+        time.sleep(WAIT_AFTER_ARCHIVE)
+
+        # add non-admin user
+        self.replicas[0].run_command([
+            'ipa', 'user-add', self.vault_user,
+            '--first', self.vault_user,
+            '--last', self.vault_user,
+            '--password'],
+            stdin_text=self.vault_user_password)
+
+        # add it to vault
+        self.replicas[0].run_command([
+            "ipa", "vault-add-member",
+            self.shared_vault_name_replica_without_KRA,
+            "--shared",
+            "--users", self.vault_user,
+        ])
+
+        self.replicas[0].run_command([
+            'kdestroy', '-A'])
+
+        user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
+                                       self.vault_user_password,
+                                       self.vault_user_password)
+
+        self.replicas[0].run_command([
+            'kinit', self.vault_user],
+            stdin_text=user_kinit)
+
+        # TODO: possibly refactor with:
+        # self._retrieve_secret([self.vault_name_replica_without_KRA])
+
+        self.replicas[0].run_command([
+            "ipa", "vault-retrieve",
+            "--shared",
+            self.shared_vault_name_replica_without_KRA,
+            "--out=test.txt"])
+
+        self.replicas[0].run_command([
+            'kdestroy', '-A'])
+
+        tasks.kinit_admin(self.replicas[0])
+
+
     def test_create_and_retrieve_vault_replica_with_kra(self):
         # install KRA on replica
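Review bot: the new test never checks what was retrieved: `vault-retrieve --out=test.txt` runs, but `test.txt` is neither read back and compared with `self.vault_data` nor removed, so a retrieval that returns empty or wrong data still passes; the `_retrieve_secret` helper named in the TODO comment looks like the right place for that comparison and should be reused or mirrored here. The test also creates `self.vault_user` and never deletes it, and the `kinit` stdin that supplies the password three times (to get through the forced password change on first login) deserves a comment because the repetition is not self-explanatory. Finally, the two blank lines before `test_create_and_retrieve_vault_replica_with_kra` should be one inside a class body.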
--
2.17.2
SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch
New file
@@ -0,0 +1,35 @@
From 93b58fdbcf1da0a952386e6c8f4e20c344db903c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 21 Nov 2018 00:01:02 +0100
Subject: [PATCH] Add a "Find enabled services" ACI in 20-aci.update so that
 all users can find IPA servers and services. ACI suggested by Christian
 Heimes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 install/updates/20-aci.update | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 184749d78106c30fdf542c1fe1c52cb11b53a83e..7650cb48101d866b3a094ec9ab11378de4f68232 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
+# Allow users to discover enabled services
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
+
 # Allow hosts to read masters service configuration
 dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
 add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
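Review bot: the new ACI is written with `targetattrs = "ipaConfigString"` while every neighbouring ACI in this hunk uses the keyword `targetattr`; unless the directory server accepts the plural spelling, the ACI is rejected or does not grant what the commit message describes, so this should be verified against the server before merging and the spelling made consistent with the surrounding rules. On the scope of the grant: `userdn = "ldap:///all"` is every authenticated bind, and the attribute clause covers every `ipaConfigString` value on an entry matching `(ipaConfigString=enabledService)`, not only the `enabledService` value itself, so any other configuration flags carried on those service entries become readable to all users too; if that is intended, the comment above the rule should say so.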
--
2.17.2
SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
New file
@@ -0,0 +1,48 @@
From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 22 Nov 2018 18:31:38 +0100
Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for
 IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).
Fixes https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipapython/ipaldap.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse
 # pylint: enable=import-error
 from cryptography import x509 as crypto_x509
+from cryptography.hazmat.primitives import serialization
 import ldap
 import ldap.sasl
@@ -1276,6 +1277,8 @@ class LDAPClient(object):
             ]
             return cls.combine_filters(flts, rules)
         elif value is not None:
+            if isinstance(value, crypto_x509.Certificate):
+                value = value.public_bytes(serialization.Encoding.DER)
             if isinstance(value, bytes):
                 value = binascii.hexlify(value).decode('ascii')
                 # value[-2:0] is empty string for the initial '\\'
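Review bot: the new branch tests for `crypto_x509.Certificate` although the commit message is about `IPACertificate`; this is only correct because `IPACertificate` is a subclass of the cryptography certificate type, and a one-line comment saying so would stop the next reader from "fixing" the check. After the conversion the DER bytes fall into the existing `bytes` branch (hexlify plus escaping), which gives an exact-match filter on the encoded certificate, so the behaviour the commit message reports (the object's repr ending up in the filter) can no longer occur for certificate objects. A unit test that calls the filter-building method directly with a certificate object would pin this down more tightly than the xmlrpc tests.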
--
2.17.2
SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch
New file
@@ -0,0 +1,86 @@
From 489ac5a5da034394c09043d6c26700e4ae049b78 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 23 Nov 2018 10:23:40 +0100
Subject: [PATCH] ipatests: add xmlrpc test for user|host-find --certificate
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipatests/test_xmlrpc/test_host_plugin.py |  5 ++++
 ipatests/test_xmlrpc/test_user_plugin.py | 31 ++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 8255296d1794bfa19c1f4642bb4bfb9212567b1e..1bcc90b0c48c811356ec93813834d6aa6805a921 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -251,6 +251,11 @@ class TestCRUD(XMLRPC_test):
                         valid_not_after=fuzzy_date,
                     ))
         host.retrieve()
+        # test host-find with --certificate
+        command = host.make_find_command(
+            fqdn=host.fqdn, usercertificate=host_cert)
+        res = command()['result']
+        assert len(res) == 1
     def test_try_rename(self, host):
         host.ensure_exists()
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index af825f79daf21720e164dd8cd01576167fb440c4..8e54d04bd79888c447368250c3a2e182029a3b44 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/user.py` module.
 """
 import pytest
+import base64
 import datetime
 import ldap
 import re
@@ -220,6 +221,36 @@ class TestUser(XMLRPC_test):
         user.check_update(result)
         user.delete()
+    def test_find_cert(self, user):
+        """ Add a usercertificate and perform a user-find --certificate """
+        user_cert = (
+            u"MIICszCCAZugAwIBAgICM24wDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjUyOVoXDTE3M\r\n"
+            "DQxOTEwMjUyOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTEwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQCq03FRQQBvq4HwYMKP8USLZuOkKzuIs2V\r\n"
+            "Pt8k/+nO1dADrzMogKDiUDjCwYoG2UM/sj6P+PJUUCNDLh5eRRI+aR5VE5y2a\r\n"
+            "K95iCsj1ByDWrugAUXgr8GUUr+UbaGc0XxHCMnQBkYhzbXY3u91KYRRh5l3lx\r\n"
+            "RSICcVeJFJ/tiMS14Vsor1DWykHGz1wm0Zjwg1XDV3oea+uwrSz5Pa6RNPlgC\r\n"
+            "+GGW6B7+8qC2XdSSEwvY7y1SAGgqyOxN/FLwvqqMDNU0uX7fww587uZ57IfYz\r\n"
+            "b8Xn5DAprRFNk40FDc46rMlkPBT+Tij1I0jedD8h2e6WEa7JRU6SGToYDbRm4\r\n"
+            "RL9xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHqm1jXzYer9oSjYs9qh1jWpM\r\n"
+            "vTcN+0/z1uuX++Wezh3lG7IzYtypbZNxlXDECyrkUh+9oxzMJqdlZ562ko2br\r\n"
+            "uK6X5csbbM9uVsUva8NCsPPfZXDhrYaMKFvQGFY4pO3uhFGhccob037VN5Ifm\r\n"
+            "aKGM8aJ40cw2PQh38QPDdemizyVCThQ9Pcr+WgWKiG+t2Gd9NldJRLEhky0bW\r\n"
+            "2fc4zWZVbGq5nFXy1k+d/bgkHbVzf255eFZOKKy0NgZwig+uSlhVWPJjS4Z1w\r\n"
+            "LbpBKxTZp/xD0yEARs0u1ZcCELO/BkgQM50EDKmahIM4mdCs/7j1B/DdWs2i3\r\n"
+            "5lnbjxYYiUiyA=")
+        user.ensure_exists()
+        user.update(dict(usercertificate=user_cert),
+                    expected_updates=dict(
+                        usercertificate=[base64.b64decode(user_cert)])
+                    )
+        command = user.make_find_command(uid=user.name,
+                                         usercertificate=user_cert)
+        res = command()['result']
+        assert len(res) == 1
+        user.delete()
+
 @pytest.mark.tier1
 class TestFind(XMLRPC_test):
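Review bot: the certificate is embedded with `\r\n` inside the base64 text, and both the expected update and the find rely on `base64.b64decode` discarding those characters by default (it only rejects them with `validate=True`); either strip the line endings from the literal or note the reliance in a comment so a later tightening of the decode does not break the test. `assert len(res) == 1` shows that something matched but not that it is the right entry; asserting on the returned `uid` against `user.name` (the value used in the `uid=` filter) says what the test means. Only the first string fragment carries the `u` prefix, which is harmless under implicit concatenation but inconsistent.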
--
2.17.2
SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch
New file
@@ -0,0 +1,51 @@
From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 26 Nov 2018 14:15:12 +0100
Subject: [PATCH] ipa upgrade: handle double-encoded certificates
Issue is linked to the ticket
 #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.
With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.
Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
                 entry.single_value['cACertificate;binary'] = ca_cert
                 ldap.add_entry(entry)
             else:
-                if b'' in entry['cACertificate;binary']:
+                force_write = False
+                try:
+                    _cert_bin = entry['cACertificate;binary']
+                except ValueError:
+                    # BZ 1644874
+                    # sometimes the cert is badly stored, twice encoded
+                    # force write to fix the value
+                    logger.debug('Fixing the value of cACertificate;binary '
+                                 'in entry %s', entry.dn)
+                    force_write = True
+
+                if force_write or b'' in entry['cACertificate;binary']:
                     entry.single_value['cACertificate;binary'] = ca_cert
                     ldap.update_entry(entry)
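Review bot: the repair path replaces whatever is stored in `cACertificate;binary` with `ca_cert` read from the local file, so if the undecodable LDAP value were anything other than a double-encoded copy of that same certificate, the difference is lost with only a `logger.debug` trace; rewriting the trusted CA entry during upgrade is an event worth at least `logger.info`, and the message should state that the stored value could not be decoded rather than only that it is being fixed. The `_cert_bin` assignment exists purely to trigger the decode that raises `ValueError`; a comment saying that the read is the detection step would make the intent clearer than the unused name.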
--
2.17.2
SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
New file
@@ -0,0 +1,76 @@
From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 29 Nov 2018 15:41:33 +0100
Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -6,6 +6,9 @@
 Module provides tests to verify that the upgrade script works.
 """
+import base64
+from cryptography.hazmat.primitives import serialization
+from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
         cmd = self.master.run_command(['ipa-server-upgrade'],
                                       raiseonerr=False)
         assert cmd.returncode == 0
+
+    def test_double_encoded_cacert(self):
+        """Test for BZ 1644874
+
+        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
+        could contain a double-encoded cert, which leads to ipa-server-upgrade
+        failure.
+        Force a double-encoded value then call upgrade to check the fix.
+        """
+        # Read the current entry from LDAP
+        ldap = self.master.ldap_connect()
+        basedn = self.master.domain.basedn  # pylint: disable=no-member
+        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        # Extract the certificate as DER then double-encode
+        cacert = entry['cacertificate;binary'][0]
+        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
+        cacert_b64 = base64.b64encode(cacert_der)
+        # overwrite the value with double-encoded cert
+        entry.single_value['cACertificate;binary'] = cacert_b64
+        ldap.update_entry(entry)  # pylint: disable=no-member
+
+        # try the upgrade
+        self.master.run_command(['ipa-server-upgrade'])
+
+        # read the value after upgrade, should be fixed
+        entry = ldap.get_entry(dn)  # pylint: disable=no-member
+        try:
+            _cacert = entry['cacertificate;binary']
+        except ValueError:
+            raise AssertionError('%s contains a double-encoded cert'
+                                 % entry.dn)
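Review bot: after the upgrade the test only checks that `entry['cacertificate;binary']` decodes; it should also assert that the repaired value equals the certificate read before the entry was corrupted, for example by comparing `public_bytes(serialization.Encoding.DER)` of the first value with `cacert_der`, otherwise an upgrade that wrote any valid certificate would pass. Separately, `ldap` is obtained before `ipa-server-upgrade`, which restarts the directory server, so the `get_entry` afterwards runs on a connection that may be closed; reconnect after the upgrade before reading the entry back.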
--
2.17.2
SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
New file
@@ -0,0 +1,32 @@
From 840f9cfe17737c9ef1899b9923682a5df53ff4b6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 4 Dec 2018 16:44:54 +0100
Subject: [PATCH] ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
---
 ipatests/test_integration/test_upgrade.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 7dbe52d57052d3c640df644705fc3e22fab14334..b03109f7c3bb0f037c8fd6554e3e5420bc557684 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -47,6 +47,8 @@ class TestUpgrade(IntegrationTest):
         # try the upgrade
         self.master.run_command(['ipa-server-upgrade'])
+        # reconnect to the master (upgrade stops 389-ds)
+        ldap = self.master.ldap_connect()
         # read the value after upgrade, should be fixed
         entry = ldap.get_entry(dn)  # pylint: disable=no-member
         try:
--
2.17.2
SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
New file
@@ -0,0 +1,145 @@
From 3e0e8c309c70a0d379b985189c23f1bacd62a96e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 30 Nov 2018 15:46:25 +0100
Subject: [PATCH] ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 .../test_integration/test_pkinit_manage.py    | 111 ++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 ipatests/test_integration/test_pkinit_manage.py
diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py
new file mode 100644
index 0000000000000000000000000000000000000000..bc1d9e338cdf4e7a503b3c83ac12792894eecce2
--- /dev/null
+++ b/ipatests/test_integration/test_pkinit_manage.py
@@ -0,0 +1,111 @@
+#
+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
+#
+
+"""
+Module provides tests for the ipa-pkinit-manage command.
+"""
+
+from __future__ import absolute_import
+
+from ipalib import x509
+from ipaplatform.paths import paths
+from ipapython.dn import DN
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+
+
+SELFSIGNED_CA_HELPER = 'SelfSign'
+IPA_CA_HELPER = 'IPA'
+PKINIT_STATUS_ENABLED = 'enabled'
+PKINIT_STATUS_DISABLED = 'disabled'
+
+
+def check_pkinit_status(host, status):
+    """Ensures that ipa-pkinit-manage status returns the expected state"""
+    result = host.run_command(['ipa-pkinit-manage', 'status'],
+                              raiseonerr=False)
+    assert result.returncode == 0
+    assert 'PKINIT is {}'.format(status) in result.stdout_text
+
+
+def check_pkinit_tracking(host, ca_helper):
+    """Ensures that the PKINIT cert is tracked by the expected helper"""
+    result = host.run_command(['getcert', 'list', '-f', paths.KDC_CERT],
+                              raiseonerr=False)
+    assert result.returncode == 0
+    # Make sure that only one request exists
+    assert result.stdout_text.count('Request ID') == 1
+    # Make sure that the right CA helper is used to track the cert
+    assert 'CA: {}'.format(ca_helper) in result.stdout_text
+
+
+def check_pkinit_cert_issuer(host, issuer):
+    """Ensures that the PKINIT cert is signed by the expected issuer"""
+    data = host.get_file_contents(paths.KDC_CERT)
+    pkinit_cert = x509.load_pem_x509_certificate(data)
+    # Make sure that the issuer is the expected one
+    assert DN(pkinit_cert.issuer) == DN(issuer)
+
+
+def check_pkinit(host, enabled=True):
+    """Checks that PKINIT is configured as expected
+
+    If enabled:
+    ipa-pkinit-manage status must return 'PKINIT is enabled'
+    the certificate must be tracked by IPA CA helper
+    the certificate must be signed by IPA CA
+    If disabled:
+    ipa-pkinit-manage status must return 'PKINIT is disabled'
+    the certificate must be tracked by SelfSign CA helper
+    the certificate must be self-signed
+    """
+    if enabled:
+        # When pkinit is enabled:
+        # cert is tracked by IPA CA helper
+        # cert is signed by IPA CA
+        check_pkinit_status(host, PKINIT_STATUS_ENABLED)
+        check_pkinit_tracking(host, IPA_CA_HELPER)
+        check_pkinit_cert_issuer(
+            host,
+            'CN=Certificate Authority,O={}'.format(host.domain.realm))
+    else:
+        # When pkinit is disabled
+        # cert is tracked by 'SelfSign' CA helper
+        # cert is self-signed
+        check_pkinit_status(host, PKINIT_STATUS_DISABLED)
+        check_pkinit_tracking(host, SELFSIGNED_CA_HELPER)
+        check_pkinit_cert_issuer(
+            host,
+            'CN={},O={}'.format(host.hostname, host.domain.realm))
+
+
+class TestPkinitManage(IntegrationTest):
+    """Tests the ipa-pkinit-manage command.
+
+    ipa-pkinit-manage can be used to enable, disable or check
+    the status of PKINIT.
+    When pkinit is enabled, the kerberos server is using a certificate
+    signed either externally or by IPA CA. In the latter case, certmonger
+    is tracking the cert with IPA helper.
+    When pkinit is disabled, the kerberos server is using a self-signed
+    certificate that is tracked by certmonger with the SelfSigned helper.
+    """
+
+    @classmethod
+    def install(cls, mh):
+        # Install the master with PKINIT disabled
+        tasks.install_master(cls.master, extra_args=['--no-pkinit'])
+        check_pkinit(cls.master, enabled=False)
+
+    def test_pkinit_enable(self):
+        self.master.run_command(['ipa-pkinit-manage', 'enable'])
+        check_pkinit(self.master, enabled=True)
+
+    def test_pkinit_disable(self):
+        self.master.run_command(['ipa-pkinit-manage', 'disable'])
+        check_pkinit(self.master, enabled=False)
+
+    def test_pkinit_reenable(self):
+        self.master.run_command(['ipa-pkinit-manage', 'enable'])
+        check_pkinit(self.master, enabled=True)
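Review bot: check_pkinit_status() and check_pkinit_tracking() pass raiseonerr=False and then assert result.returncode == 0, which drops the command's stderr from the failure report; either remove raiseonerr=False so run_command raises with the output attached, or put the output in the assertion message, e.g. `assert result.returncode == 0, result.stderr_text`. Two smaller points in the same hunk: the class docstring says the self-signed certificate is tracked "with the SelfSigned helper" while SELFSIGNED_CA_HELPER and the getcert output use the name 'SelfSign', so the docstring should use the same name; and test_pkinit_enable, test_pkinit_disable and test_pkinit_reenable only make sense in definition order, since each relies on the state left by the previous one, which is worth stating in the class docstring.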
--
2.17.2
SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
New file
@@ -0,0 +1,78 @@
From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 30 Nov 2018 15:49:20 +0100
Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.
The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.
There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.
Fixes https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/ipa_pkinit_manage.py | 2 ++
 ipaserver/install/krbinstance.py       | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
--- a/ipaserver/install/ipa_pkinit_manage.py
+++ b/ipaserver/install/ipa_pkinit_manage.py
@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
                 if ca_enabled:
                     logger.warning(
                         "Failed to stop tracking certificates: %s", e)
+            # remove the cert and key
+            krb.delete_pkinit_cert()
             krb.enable_ssl()
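Review bot: the comment `# remove the cert and key` should say why the removal is needed, namely that certmonger leaves an existing certificate file in place instead of issuing a new request (the reason given in the commit message); without that, a later reader may take the deletion for a cleanup step and drop it. It is also worth confirming that krb.enable_ssl() fails loudly when the new request is not fulfilled: after this change the old certificate and key are removed before the new one is requested, so a failed request leaves the KDC with no PKINIT certificate at all, whereas before the old one was kept.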
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -77,7 +77,7 @@ def is_pkinit_enabled():
     if os.path.exists(paths.KDC_CERT):
         pkinit_request_ca = get_pkinit_request_ca()
-        if pkinit_request_ca != "SelfSign":
+        if pkinit_request_ca and pkinit_request_ca != "SelfSign":
             return True
     return False
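Review bot: with `pkinit_request_ca and pkinit_request_ca != "SelfSign"`, a KDC certificate that exists but has no certmonger tracking request is now reported as PKINIT disabled. The TestPkinitManage docstring in patch 0054 states that the KDC certificate may be "signed either externally or by IPA CA" and that certmonger tracks it in the latter case, so an externally signed, untracked certificate would make this function return False. If that deployment is supported, the function should tell "no tracking request" apart from "tracked by SelfSign", for instance by also checking the certificate's issuer, rather than treating both as disabled.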
@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
     def stop_tracking_certs(self):
         certmonger.stop_tracking(certfile=paths.KDC_CERT)
+    def delete_pkinit_cert(self):
+        installutils.remove_file(paths.KDC_CERT)
+        installutils.remove_file(paths.KDC_KEY)
+
     def uninstall(self):
         if self.is_configured():
             self.print_msg("Unconfiguring %s" % self.service_name)
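Review bot: delete_pkinit_cert() is now called from the enable/disable path in ipa_pkinit_manage.py as well as from uninstall(), and on that path a certificate or key file may legitimately be absent (for example after an earlier run that failed part way), so either confirm that installutils.remove_file() tolerates a missing file or guard each call with os.path.exists(). A one-line docstring saying that both the certificate and the private key are removed would also help, since the callers in ipa_pkinit_manage.py only see the method name.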
@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
         # stop tracking and remove certificates
         self.stop_tracking_certs()
         installutils.remove_file(paths.CACERT_PEM)
-        installutils.remove_file(paths.KDC_CERT)
-        installutils.remove_file(paths.KDC_KEY)
+        self.delete_pkinit_cert()
         if running:
             self.restart()
--
2.17.2
SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch
New file
@@ -0,0 +1,87 @@
From e879ca9b693a10f456f03d3c471afa49321516f9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 13 Dec 2018 14:54:07 +0100
Subject: [PATCH] replication: check remote ds version before editing
 attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.
Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).
Fixes https://pagure.io/freeipa/issue/7796
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipaserver/install/replication.py | 33 ++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 92a99cd9482f86d6820230479bf94c871669572e..70629b4528f033908c584bfaf0793cfa4ce259d4 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -215,6 +215,22 @@ def wait_for_entry(connection, dn, timeout, attr=None, attrvalue='*',
             time.sleep(1)
+def get_ds_version(conn):
+    """Returns the DS version
+
+    Retrieves the DS version from the vendorVersion attribute stored in LDAP.
+    :param conn: LDAP connection established and authenticated to the server
+                 for which we need the version
+    :return: a tuple containing the DS version
+    """
+    # Find which 389-ds is installed
+    rootdse = conn.get_entry(DN(''), ['vendorVersion'])
+    version = rootdse.single_value.get('vendorVersion')
+    mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
+    vendor_version = tuple(int(v) for v in mo.groups())
+    return vendor_version
+
+
 class ReplicationManager(object):
     """Manage replication agreements
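Review bot: get_ds_version() does not handle a missing or unparseable vendorVersion: rootdse.single_value.get('vendorVersion') returns None when the attribute is absent, and re.search() returns None when the value contains no dotted version, so the function fails with a TypeError or AttributeError in the middle of replica setup instead of a clear message. Suggest checking both before calling mo.groups(), e.g. `if version is None or mo is None:` followed by `raise RuntimeError("Unable to determine 389-ds version of remote server")`. The docstring should also say that the tuple is (major, minor, micro), so that callers comparing against (1, 3, 0) know what they are comparing.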
@@ -527,8 +543,16 @@ class ReplicationManager(object):
             # Add the new replication manager
             binddns.append(replica_binddn)
-        for key, value in REPLICA_CREATION_SETTINGS.items():
-            entry[key] = value
+        # If the remote server has 389-ds < 1.3, it does not
+        # support the attributes we are trying to set.
+        # Find which 389-ds is installed
+        vendor_version = get_ds_version(conn)
+        if vendor_version >= (1, 3, 0):
+            for key, value in REPLICA_CREATION_SETTINGS.items():
+                entry[key] = value
+        else:
+            logger.debug("replication attributes not supported "
+                         "on remote master, skipping update.")
         try:
             conn.update_entry(entry)
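Review bot: the minimum version (1, 3, 0) is written as a literal here and again in the second caller of get_ds_version() in the hunk below; lifting it into a module-level constant next to REPLICA_CREATION_SETTINGS keeps the two checks from drifting apart. The three-line comment "If the remote server has 389-ds < 1.3, it does not support the attributes we are trying to set" is likewise duplicated verbatim at both sites and could live on that constant instead.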
@@ -604,10 +628,7 @@ class ReplicationManager(object):
         # If the remote server has 389-ds < 1.3, it does not
         # support the attributes we are trying to set.
         # Find which 389-ds is installed
-        rootdse = r_conn.get_entry(DN(''), ['vendorVersion'])
-        version = rootdse.single_value.get('vendorVersion')
-        mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
-        vendor_version = tuple(int(v) for v in mo.groups())
+        vendor_version = get_ds_version(r_conn)
         if vendor_version >= (1, 3, 0):
             # 389-ds understands the replication attributes,
             # we can safely modify them
--
2.17.2
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
From e94346d8c3d588056f04af1c1916617c962be4bc Mon Sep 17 00:00:00 2001
From e443dc9390ead872bfa0c7ae35323023f21cebc9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -46,12 +46,12 @@
 install/tools/man/ipactl.8                 |   2 +-
 install/ui/css/patternfly.css              |   2 +-
 install/ui/index.html                      |   2 +-
 install/ui/less/brand.less                 | 103 ++++++++++++++---------------
 install/ui/less/patternfly.less            |  48 ++++++++++++++
 install/ui/less/brand.less                 | 103 ++++++++++-----------
 install/ui/less/patternfly.less            |  48 ++++++++++
 install/ui/reset_password.html             |   2 +-
 install/ui/src/freeipa/widgets/App.js      |   2 +-
 install/ui/sync_otp.html                   |   2 +-
 ipaserver/advise/plugins/legacy_clients.py |   8 +--
 ipaserver/advise/plugins/legacy_clients.py |   8 +-
 ipaserver/install/dns.py                   |   2 +-
 ipaserver/install/ipa_kra_install.py       |   4 +-
 ipaserver/install/server/install.py        |   2 +-
@@ -280,7 +280,7 @@
 You may place your schema files in a subdirectory too, the code that loads
 schema files processes recursively all subdirectories of schema.d.
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index d4e5d4c09cf6b7c1521bcecb79bb6fd7235fc799..e6618ef2e78e26f0cb74fadff214f564d000677c 100755
index a870d136e242affe6627cd4c44a173a80a9ab1c6..f0e72b3adaa5ef27a11c11feb787019b6db71e62 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -141,11 +141,11 @@ def main():
@@ -344,7 +344,7 @@
\ No newline at end of file
+1 if an error occurred
diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1
index ff9759ec77d54f32532c4ececfa5081daab9ec15..476f9b534d514b03200369212807fc6d001c70b8 100644
index 9e2900f770880d3a554df5cd5d0430716e3bf70e..747fc12f71c12be9ddcd69bdb86354a3e0237944 100644
--- a/install/tools/man/ipa-backup.1
+++ b/install/tools/man/ipa-backup.1
@@ -16,7 +16,7 @@
@@ -940,10 +940,10 @@
                    'are all Red Hat based platforms.')
 
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index e14b353e9cb655a6e7ef228d47dfc7a1badd7286..1cd851625f225538856b9b627b3d8190ccfa47dc 100644
index e4f73ac025dfe8aa19ef99c8d0ab9379caa32610..897c40a6c02899bfe60228dd73e5c71c0b59c3be 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -149,7 +149,7 @@ def install_check(standalone, api, replica, options, hostname):
@@ -150,7 +150,7 @@ def install_check(standalone, api, replica, options, hostname):
 
     if standalone:
         print("==============================================================================")
@@ -953,7 +953,7 @@
         print("This includes:")
         print("  * Configure DNS (bind)")
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 07e11ea69ded8832015dd69ea43ff338c5f9df95..76492c1dd9bf02d3e80ec5876214441d697e9765 100644
index b536685f5f1f3fccab07fd37aa001958e2d38420..1a0b96b000a4c4166054dee9d63b6f239741b40f 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -90,7 +90,7 @@ class KRAInstall(admintool.AdminTool):
@@ -975,7 +975,7 @@
     '''
 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index e96ae97c74ee1598683d1ef3f2570e8de93c9943..b5290817e4b0f849ef77353d33bc6753a7c8b42d 100644
index a341408f78f24055d807ae49c8a0cda81bfb3ec4..eeeb2977a98790585b8b8d4467ee4ad0e6c2f217 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -377,7 +377,7 @@ def install_check(installer):
@@ -988,10 +988,10 @@
     print("This includes:")
     if setup_ca:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 33f3ae9e616b34a3ab0ff8e4257552855e817e7c..356d17cf9a2d507e98952ae0477e473562a356e2 100644
index eb354f81ba6e4cbc3848f9c24338fb85cc7639ae..7e9a1ce5d8c2b8a6fe445148afd66e61553b0e07 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -616,7 +616,7 @@ def check_domain_level_is_supported(current):
@@ -621,7 +621,7 @@ def check_domain_level_is_supported(current):
     above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
 
     if under_lower_bound or above_upper_bound:
@@ -1023,5 +1023,5 @@
 """) + _("""
 To enable the binddn run the following command to set the password:
-- 
2.14.4
2.17.2
SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
From 5b587502716f71c9c71cd63e32d6b837613bc8dc Mon Sep 17 00:00:00 2001
From ddd951ba70e11fb6332f57e94a3b1a22ded08a39 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -22,10 +22,10 @@
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..cf6247a4b12e3fecc7c784c9d803670442c56fd5 100644
index d6e467097808594756d947fa721b8cf10fe7d043..a52336fd71ffb44e3f7dfcc95656bd82065f41cd 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1384,9 +1384,11 @@ def replica_ca_install_check(config, promote):
@@ -1416,9 +1416,11 @@ def replica_ca_install_check(config, promote):
     else:
         logger.critical(
             'The master CA directory server does not have necessary schema. '
@@ -40,5 +40,5 @@
 
 
-- 
2.14.4
2.17.2
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
From fa0db6fe2c7343d2ba86fadd55e9f4db78ec9f8a Mon Sep 17 00:00:00 2001
From 6f6d25da7a5e93de9f8c80e7fe3419d4b0c60a72 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
-- 
2.14.4
2.17.2
SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
From b7082747c2b6bbe2e857bd4fa20af443073dbd02 Mon Sep 17 00:00:00 2001
From bbe70ea811007cf8426ac14565e7da47b3ae1ced Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -19,17 +19,17 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1432630
---
 freeipa.spec.in                                    | 18 -----
 ipaclient/csrgen/profiles/caIPAserviceCert.json    | 15 ----
 ipaclient/csrgen/profiles/userCert.json            | 15 ----
 ipaclient/csrgen/templates/openssl_macros.tmpl     | 29 --------
 ipaclient/plugins/cert.py                          | 82 +---------------------
 ipaclient/setup.py                                 |  7 --
 ipalib/errors.py                                   | 28 --------
 ipatests/setup.py                                  |  2 -
 ipatests/test_ipaclient/__init__.py                |  7 --
 .../data/test_csrgen/profiles/profile.json         |  8 ---
 .../data/test_csrgen/templates/identity_base.tmpl  |  1 -
 freeipa.spec.in                               | 18 ----
 .../csrgen/profiles/caIPAserviceCert.json     | 15 ----
 ipaclient/csrgen/profiles/userCert.json       | 15 ----
 .../csrgen/templates/openssl_macros.tmpl      | 29 -------
 ipaclient/plugins/cert.py                     | 82 +------------------
 ipaclient/setup.py                            |  7 --
 ipalib/errors.py                              | 28 -------
 ipatests/setup.py                             |  2 -
 ipatests/test_ipaclient/__init__.py           |  7 --
 .../data/test_csrgen/profiles/profile.json    |  8 --
 .../test_csrgen/templates/identity_base.tmpl  |  1 -
 11 files changed, 1 insertion(+), 211 deletions(-)
 delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json
 delete mode 100644 ipaclient/csrgen/profiles/userCert.json
@@ -403,5 +403,5 @@
@@ -1 +0,0 @@
-{{ options|join(";") }}
-- 
2.14.4
2.17.2
SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
From 5f659d56bea124335d1813ae32c809cbc8582fb6 Mon Sep 17 00:00:00 2001
From eaa2dd2de04147dbca127673d3c2473955b9289c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Fri, 10 Aug 2018 13:16:38 +0200
Subject: [PATCH] Removing filesystem encoding check
@@ -123,5 +123,5 @@
-    assert p.returncode > 0, (out, err)
-    assert b'System encoding must be UTF-8' in err, (out, err)
-- 
2.17.1
2.17.2
SPECS/ipa.spec
@@ -93,7 +93,7 @@
Name:           ipa
Version:        %{IPA_VERSION}
Release:        10%{?dist}
Release:        10%{?dist}.2
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -154,6 +154,17 @@
Patch0043:    0043-Always-make-ipa.p11-kit-world-readable.patch
Patch0044:    0044-Make-etc-httpd-alias-world-readable-executable.patch
Patch0045:    0045-Fix-permission-of-public-files-in-upgrader.patch
Patch0046:    0046-Find-orphan-automember-rules.patch
Patch0047:    0047-Add-a-shared-vault-retrieve-test.patch
Patch0048:    0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch
Patch0049:    0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
Patch0050:    0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch
Patch0051:    0051-ipa-upgrade-handle-double-encoded-certificates.patch
Patch0052:    0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
Patch0053:    0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
Patch0054:    0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
Patch0055:    0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
Patch0056:    0056-replication-check-remote-ds-version-before-editing-a.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1729,9 +1740,28 @@
%changelog
* Tue Oct 30 2018 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos
* Tue Jan 29 2019 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos.2
- Roll in CentOS Branding
* Tue Dec 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.2
- Resolves: 1659492 searching for ipa users by certificate fails
  - ipaldap.py: fix method creating a ldap filter for IPACertificate
  - ipatests: add xmlrpc test for user|host-find --certificate
- Resolves: 1659509 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'"
  - ipa upgrade: handle double-encoded certificates
  - ipatests: add upgrade test for double-encoded cacert
  - ipatests: fix TestUpgrade::test_double_encoded_cacert
- Resolves: 1659500 'ipa vault-retrieve' is failing with "ipa: ERROR: an internal error has occurred"
  - Add a shared-vault-retrieve test
  - Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
- Resolves: 1659511 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
  - ipatest: add test for ipa-pkinit-manage enable|disable
  - PKINIT: fix ipa-pkinit-manage enable|disable
- Resolves: 1659499 automember-rebuild crashes
  - Find orphan automember rules
- Resolves: 1660389 ipa-replica-install fails migrating RHEL 6 to 7
  - replication: check remote ds version before editing attributes
* Tue Sep 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7
- Resolves: 1630361 PKINIT fails in FIPS mode
  - Ensure that public cert and CA bundle are readable