diff --git a/.ipa.metadata b/.ipa.metadata
new file mode 100644
index 0000000..91392e4
--- /dev/null
+++ b/.ipa.metadata
@@ -0,0 +1,2 @@
+7460c1ae34b05ea659275fe169c19f94a28db2f7 SOURCES/rh-ipabanner.png
+32702b534b3f82c141107820283833d54d8287f2 SOURCES/freeipa-3.3.3.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch b/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
new file mode 100644
index 0000000..4202105
--- /dev/null
+++ b/SOURCES/0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
@@ -0,0 +1,41 @@
+From 90ac36c780d6e5d0bcb26f8c7f153d35af1db70f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 4 Nov 2013 17:15:23 +0200
+Subject: [PATCH] Guard import of adtrustinstance for case without trusts
+
+https://fedorahosted.org/freeipa/ticket/4011
+---
+ install/tools/ipa-server-install | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index b3dcf6d93a70e2910a3d7fa62139efbf640d1cbe..458ebba550d0fe7675bd874e23c7d730c53297e6 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -40,7 +40,12 @@ import pwd
+ import textwrap
+ from optparse import OptionGroup, OptionValueError
+
+-from ipaserver.install import adtrustinstance
++try:
++ from ipaserver.install import adtrustinstance
++ _server_trust_ad_installed = True
++except ImportError:
++ _server_trust_ad_installed = False
++
+ from ipaserver.install import dsinstance
+ from ipaserver.install import krbinstance
+ from ipaserver.install import bindinstance
+@@ -493,7 +498,8 @@ def uninstall():
+ httpinstance.HTTPInstance(fstore).uninstall()
+ krbinstance.KrbInstance(fstore).uninstall()
+ dsinstance.DsInstance(fstore=fstore).uninstall()
+- adtrustinstance.ADTRUSTInstance(fstore).uninstall()
++ if _server_trust_ad_installed:
++ adtrustinstance.ADTRUSTInstance(fstore).uninstall()
+ memcacheinstance.MemcacheInstance().uninstall()
+ otpdinstance.OtpdInstance().uninstall()
+ ipaservices.restore_network_configuration(fstore, sstore)
+--
+1.8.3.1
+
diff --git a/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch b/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch
new file mode 100644
index 0000000..9b81558
--- /dev/null
+++ b/SOURCES/0002-Server-does-not-detect-different-server-and-IPA-doma.patch
@@ -0,0 +1,61 @@
+From 8955e9f236ea9ca3ccfd32cb17c6b4baf9d492a2 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 6 Nov 2013 10:14:40 +0100
+Subject: [PATCH] Server does not detect different server and IPA domain
+
+Server installer does not properly recognize a situation when server
+fqdn is not in a subdomain of the IPA domain, but shares the same
+suffix.
+
+For example, if server FQDN is ipa-idm.example.com and domain
+is idm.example.com, server's FQDN is not in the main domain, but
+installer does not recognize that. proper Kerberos realm-domain
+mapping is not created in this case and server does not work
+(httpd reports gssapi errors).
+
+https://fedorahosted.org/freeipa/ticket/4012
+---
+ ipaserver/install/krbinstance.py | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index a16e4d5f0cb3b70c6c69aac3251785ef3e8fa7f2..98687a4002cd7b19faea03acc552759e962d8832 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -24,6 +24,7 @@
+ import os
+ import pwd
+ import socket
++import dns.name
+
+ import service
+ import installutils
+@@ -237,15 +238,18 @@ def __setup_sub_dict(self):
+
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+- dr_map = ''
+- if not self.fqdn.endswith(self.domain):
+- root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
+- % (self.fqdn, self.domain))
+- server_host, dot, server_domain = self.fqdn.partition('.')
+- root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
+- % server_domain)
++ domain = dns.name.from_text(self.domain)
++ fqdn = dns.name.from_text(self.fqdn)
++ if not fqdn.is_subdomain(domain):
++ root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'",
++ fqdn, domain)
++ server_domain = fqdn.parent().to_unicode(omit_final_dot=True)
++ root_logger.debug("Domain '%s' needs additional mapping in krb5.conf",
++ server_domain)
+ dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
+ % dict(domain=server_domain, realm=self.realm)
++ else:
++ dr_map = ""
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
+ def __configure_sasl_mappings(self):
+--
+1.8.3.1
+
diff --git a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
new file mode 100644
index 0000000..ee5a7db
--- /dev/null
+++ b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
@@ -0,0 +1,112 @@
+From a66fc51f69b0d19ecb63a5a78d2a052e810913c9 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 6 Nov 2013 12:48:26 +0100
+Subject: [PATCH] Allow kernel keyring CCACHE when supported
+
+Allow ipa-server-install and ipa-client-install to allow kernel keyring
+ccache when supported.
+
+https://fedorahosted.org/freeipa/ticket/4013
+---
+ install/share/krb5.conf.template | 2 +-
+ ipa-client/ipa-install/ipa-client-install | 11 +++++++++++
+ ipapython/kernel_keyring.py | 6 ++++++
+ ipaserver/install/krbinstance.py | 16 ++++++++++++++++
+ 4 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
+index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
+--- a/install/share/krb5.conf.template
++++ b/install/share/krb5.conf.template
+@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
+ rdns = false
+ ticket_lifetime = 24h
+ forwardable = yes
+-
++$OTHER_LIBDEFAULTS
+ [realms]
+ $REALM = {
+ kdc = $FQDN:88
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a49ba0e087 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -43,6 +43,7 @@ try:
+ run, user_input, CalledProcessError, file_exists, realm_to_suffix)
+ import ipapython.services as ipaservices
+ from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
++ from ipapython import kernel_keyring
+ from ipapython.config import IPAOptionParser
+ from ipalib import api, errors
+ from ipalib import x509
+@@ -926,6 +927,16 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
+ libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
+ libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+
++ # Configure KEYRING CCACHE if supported
++ uid = os.geteuid()
++ try:
++ kernel_keyring.get_persistent_key(str(uid))
++ except ValueError:
++ pass
++ else:
++ libopts.append({'name':'default_ccache_name', 'type':'option',
++ 'value':'KEYRING:persistent:%{uid}'})
++
+ opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
+ opts.append({'name':'empty', 'type':'empty'})
+
+diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
+index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead143f19fc 100644
+--- a/ipapython/kernel_keyring.py
++++ b/ipapython/kernel_keyring.py
+@@ -47,6 +47,12 @@ def get_real_key(key):
+ raise ValueError('key %s not found' % key)
+ return stdout.rstrip()
+
++def get_persistent_key(key):
++ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
++ if rc:
++ raise ValueError('persistent key %s not found' % key)
++ return stdout.rstrip()
++
+ def has_key(key):
+ """
+ Returns True/False whether the key exists in the keyring.
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e52b9c165 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -31,6 +31,7 @@
+ from ipapython import sysrestore
+ from ipapython import ipautil
+ from ipapython import services as ipaservices
++from ipapython import kernel_keyring
+ from ipalib import errors
+ from ipapython.ipa_log_manager import *
+ from ipapython.dn import DN
+@@ -252,6 +253,21 @@ def __setup_sub_dict(self):
+ dr_map = ""
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
++ # Configure KEYRING CCACHE if supported
++ uid = os.geteuid()
++ try:
++ kernel_keyring.get_persistent_key(str(uid))
++ except ValueError:
++ keyring_ccache_supported = False
++ else:
++ keyring_ccache_supported = True
++
++ if keyring_ccache_supported:
++ self.sub_dict['OTHER_LIBDEFAULTS'] = \
++ " default_ccache_name = KEYRING:persistent:%{uid}\n"
++ else:
++ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
++
+ def __configure_sasl_mappings(self):
+ # we need to remove any existing SASL mappings in the directory as otherwise they
+ # they may conflict.
+--
+1.8.3.1
+
diff --git a/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch b/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
new file mode 100644
index 0000000..5839449
--- /dev/null
+++ b/SOURCES/0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
@@ -0,0 +1,31 @@
+From 2f3c2538595664796d673517eb1c91edf5712d80 Mon Sep 17 00:00:00 2001
+From: Ana Krivokapic <akrivoka@redhat.com>
+Date: Tue, 12 Nov 2013 14:50:57 +0100
+Subject: [PATCH] Fix regression which prevents creating a winsync agreement
+
+A regression, which prevented creation of a winsync agreement,
+was introduced in the original fix for ticket #3989.
+
+https://fedorahosted.org/freeipa/ticket/3989
+---
+ ipaserver/install/replication.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 4d8a4687e162155d7855e11ba5048bed2ff13fa5..c4e62fc91b4fb33c37b9f18ce167149ccd3bd54f 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -626,8 +626,9 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
+
+ if iswinsync:
+ self.setup_winsync_agmt(entry, win_subtree)
++ else:
++ entry['nsds5ReplicaStripAttrs'] = [" ".join(STRIP_ATTRS)]
+
+- entry['nsds5ReplicaStripAttrs'] = [" ".join(STRIP_ATTRS)]
+ a_conn.add_entry(entry)
+
+ try:
+--
+1.8.3.1
+
diff --git a/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch b/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
new file mode 100644
index 0000000..29e4c01
--- /dev/null
+++ b/SOURCES/0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
@@ -0,0 +1,40 @@
+From bcf89f59d86f4031f3b2ea39dc1dff9484d81e67 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej@redhat.com>
+Date: Thu, 21 Nov 2013 14:44:42 +0100
+Subject: [PATCH 5/6] trusts: Do not pass base-id to the subdomain ranges
+
+For trusted domains base id is calculated using a murmur3 hash of the
+domain Security Identifier (SID). During trust-add we create ranges for
+forest root domain and other forest domains. Since --base-id explicitly
+overrides generated base id for forest root domain, its value should not
+be passed to other forest domains' ranges -- their base ids must be
+calculated based on their SIDs.
+
+In case base id change for non-root forest domains is required, it can
+be done manually through idrange-mod command after the trust is
+established.
+
+https://fedorahosted.org/freeipa/ticket/4041
+---
+ ipalib/plugins/trust.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 32a93834394273c9f896ff5fd17bfcc753fe7b8e..5ba0905030c700c7f63003eef25891c52330934b 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -375,6 +375,11 @@ def execute(self, *keys, **options):
+ passed_options = options
+ passed_options.update(range_type=created_range_type)
+
++ # Do not pass the base id to the subdomains since it would
++ # clash with the root level domain
++ if 'base_id' in passed_options:
++ del passed_options['base_id']
++
+ # Try to add the range for each subdomain
+ try:
+ self.add_range(range_name, dom_sid, *keys,
+--
+1.8.3.1
+
diff --git a/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch b/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
new file mode 100644
index 0000000..52c1290
--- /dev/null
+++ b/SOURCES/0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
@@ -0,0 +1,32 @@
+From f3292de4abee43c35c25d7ecd8b3638173fb24b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 12 Nov 2013 11:36:22 +0200
+Subject: [PATCH 6/6] Map NT_STATUS_INVALID_PARAMETER to most likely error
+ cause: clock skew
+
+When we get NT_STATUS_INVALID_PARAMETER in response to establish
+DCE RPC pipe with Kerberos, the most likely reason is clock skew.
+Suggest that it is so in the error message.
+
+https://fedorahosted.org/freeipa/ticket/4024
+---
+ ipaserver/dcerpc.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 86bb42884067ec91477d8efb37a5e7729ad50315..0dde3473b12b857ff269a936ad9a07d098405c45 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -82,6 +82,9 @@ def is_sid_valid(sid):
+ -1073741614: access_denied_error,
+ -1073741603:
+ errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')),
++ -1073741811: # NT_STATUS_INVALID_PARAMETER
++ errors.RemoteRetrieveError(
++ reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
+ }
+
+ dcerpc_error_messages = {
+--
+1.8.3.1
+
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
new file mode 100644
index 0000000..53301a0
--- /dev/null
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -0,0 +1,117 @@
+From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 22 May 2013 09:38:50 +0200
+Subject: [PATCH 1001/1006] Hide pkinit functionality from production version
+
+Rebased from original patch from Jan Zeleny and Rob Crittenden.
+
+https://fedorahosted.org/freeipa/ticket/616
+---
+ install/tools/ipa-replica-install | 5 +++--
+ install/tools/ipa-server-install | 10 ++++------
+ ipaserver/install/ipa_replica_prepare.py | 11 +++--------
+ 3 files changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -96,8 +96,6 @@ def parse_options():
+ parser.add_option_group(basic_group)
+
+ cert_group = OptionGroup(parser, "certificate system options")
+- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+- default=True, help="disables pkinit setup steps")
+ cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
+ default=False, help="skip check for updated CA DS schema on the remote master")
+ parser.add_option_group(cert_group)
+@@ -122,6 +120,9 @@ def parse_options():
+ options, args = parser.parse_args()
+ safe_options = parser.get_safe_opts(options)
+
++ # pkinit is disabled in production version
++ options.setup_pkinit = False
++
+ if len(args) != 1:
+ parser.error("you must provide a file generated by ipa-replica-prepare")
+
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -173,20 +173,14 @@ def parse_options():
+ help="PEM file containing a certificate signed by the external CA")
+ cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
+ help="PEM file containing the external CA chain")
+- cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
+- default=True, help="disables pkinit setup steps")
+ cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
+ help="PKCS#12 file containing the Directory Server SSL certificate")
+ cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
+ help="PKCS#12 file containing the Apache Server SSL certificate")
+- cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+- help="PKCS#12 file containing the Kerberos KDC SSL certificate")
+ cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
+ help="The password of the Directory Server PKCS#12 file")
+ cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
+ help="The password of the Apache Server PKCS#12 file")
+- cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
+- help="The password of the Kerberos KDC PKCS#12 file")
+ cert_group.add_option("--root-ca-file", dest="root_ca_file",
+ help="PEM file with root CA certificate(s) to trust")
+ cert_group.add_option("--subject", action="callback", callback=subject_callback,
+@@ -236,6 +230,10 @@ def parse_options():
+ options, args = parser.parse_args()
+ safe_options = parser.get_safe_opts(options)
+
++ # pkinit is disabled in production version
++ options.pkinit_pin = False
++ options.pkinit_pkcs12 = False
++
+ if options.dm_password is not None:
+ try:
+ validate_dm_password(options.dm_password)
+diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
+index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
+--- a/ipaserver/install/ipa_replica_prepare.py
++++ b/ipaserver/install/ipa_replica_prepare.py
+@@ -57,9 +57,6 @@ def add_options(cls, parser):
+ parser.add_option("--no-reverse", dest="no_reverse",
+ action="store_true", default=False,
+ help="do not create reverse DNS zone")
+- parser.add_option("--no-pkinit", dest="setup_pkinit",
+- action="store_false", default=True,
+- help="disables pkinit setup steps")
+ parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
+ metavar="FILE",
+ help="location of CA PKCS#12 file, default /root/cacert.p12")
+@@ -72,15 +69,10 @@ def add_options(cls, parser):
+ group.add_option("--http_pkcs12", dest="http_pkcs12",
+ metavar="FILE",
+ help="install certificate for the http server")
+- group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
+- metavar="FILE",
+- help="install certificate for the KDC")
+ group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
+ help="PIN for the Directory Server PKCS#12 file")
+ group.add_option("--http_pin", dest="http_pin", metavar="PIN",
+ help="PIN for the Apache Server PKCS#12 file")
+- group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
+- help="PIN for the KDC pkinit PKCS#12 file")
+ parser.add_option_group(group)
+
+ def validate_options(self):
+@@ -100,7 +92,10 @@ def validate_options(self):
+ "option together with --no-reverse")
+
+ #Automatically disable pkinit w/ dogtag until that is supported
++ # pkinit is disabled in production version
+ options.setup_pkinit = False
++ options.pkinit_pin = False
++ options.pkinit_pkcs12 = False
+
+ # If any of the PKCS#12 options are selected, all are required.
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+--
+1.8.3.1
+
diff --git a/SOURCES/1002-Remove-pkinit-plugin.patch b/SOURCES/1002-Remove-pkinit-plugin.patch
new file mode 100644
index 0000000..6c53550
--- /dev/null
+++ b/SOURCES/1002-Remove-pkinit-plugin.patch
@@ -0,0 +1,144 @@
+From 62b7d72f65ab8ac90a62486bb170133755764bc7 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 22 May 2013 09:40:39 +0200
+Subject: [PATCH 1002/1006] Remove pkinit plugin
+
+This patch completely removes any signs of pkinit in the IPA package. It
+should be used only as addition to the first patch attached to the
+ticket.
+
+Rebased patch by Jan Zeleny and Rob Crittenden.
+
+https://fedorahosted.org/freeipa/ticket/616
+---
+ API.txt | 5 ---
+ ipalib/plugins/pkinit.py | 101 -----------------------------------------------
+ 2 files changed, 106 deletions(-)
+ delete mode 100644 ipalib/plugins/pkinit.py
+
+diff --git a/API.txt b/API.txt
+index 5418f31dc8d936ee629155aff08c05577cf9c4ee..ec5b3c9f6459e048c516a64dbab2396306fa6a72 100644
+--- a/API.txt
++++ b/API.txt
+@@ -2336,11 +2336,6 @@ command: ping
+ args: 0,1,1
+ option: Str('version?', exclude='webui')
+ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+-command: pkinit_anonymous
+-args: 1,1,1
+-arg: Str('action')
+-option: Str('version?', exclude='webui')
+-output: Output('result', None, None)
+ command: plugins
+ args: 0,3,3
+ option: Flag('all', autofill=True, cli_name='all', default=True, exclude='webui')
+diff --git a/ipalib/plugins/pkinit.py b/ipalib/plugins/pkinit.py
+deleted file mode 100644
+index 981e411df520e175fa88f1de02a4eae36d687ede..0000000000000000000000000000000000000000
+--- a/ipalib/plugins/pkinit.py
++++ /dev/null
+@@ -1,101 +0,0 @@
+-# Authors:
+-# Simo Sorce <ssorce@redhat.com>
+-#
+-# Copyright (C) 2010 Red Hat
+-# see file 'COPYING' for use and warranty information
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation, either version 3 of the License, or
+-# (at your option) any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+-
+-from ipalib import api, errors
+-from ipalib import Int, Str
+-from ipalib import Object, Command
+-from ipalib import _
+-from ipapython.dn import DN
+-
+-__doc__ = _("""
+-Kerberos pkinit options
+-
+-Enable or disable anonymous pkinit using the principal
+-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+-pkinit support.
+-
+-EXAMPLES:
+-
+- Enable anonymous pkinit:
+- ipa pkinit-anonymous enable
+-
+- Disable anonymous pkinit:
+- ipa pkinit-anonymous disable
+-
+-For more information on anonymous pkinit see:
+-
+-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+-""")
+-
+-class pkinit(Object):
+- """
+- PKINIT Options
+- """
+- object_name = _('pkinit')
+-
+- label=_('PKINIT')
+-
+-api.register(pkinit)
+-
+-def valid_arg(ugettext, action):
+- """
+- Accepts only Enable/Disable.
+- """
+- a = action.lower()
+- if a != 'enable' and a != 'disable':
+- raise errors.ValidationError(
+- name='action',
+- error=_('Unknown command %s') % action
+- )
+-
+-class pkinit_anonymous(Command):
+- __doc__ = _('Enable or Disable Anonymous PKINIT.')
+-
+- princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
+- default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+-
+- takes_args = (
+- Str('action', valid_arg),
+- )
+-
+- def execute(self, action, **options):
+- ldap = self.api.Backend.ldap2
+- set_lock = False
+- lock = None
+-
+- (dn, entry_attrs) = ldap.get_entry(self.default_dn, ['nsaccountlock'])
+-
+- if 'nsaccountlock' in entry_attrs:
+- lock = entry_attrs['nsaccountlock'][0].lower()
+-
+- if action.lower() == 'enable':
+- if lock == 'true':
+- set_lock = True
+- lock = None
+- elif action.lower() == 'disable':
+- if lock != 'true':
+- set_lock = True
+- lock = 'TRUE'
+-
+- if set_lock:
+- ldap.update_entry(dn, {'nsaccountlock':lock})
+-
+- return dict(result=True)
+-
+-api.register(pkinit_anonymous)
+--
+1.8.3.1
+
diff --git a/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch b/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch
new file mode 100644
index 0000000..d4a0099
--- /dev/null
+++ b/SOURCES/1003-Remove-pkinit-references-from-tool-man-pages.patch
@@ -0,0 +1,93 @@
+From e7dcef627095e38ce29a5f446c08a55ee88fc893 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 22 May 2013 09:59:12 +0200
+Subject: [PATCH 1003/1006] Remove pkinit references from tool man pages
+
+---
+ install/tools/man/ipa-replica-install.1 | 3 ---
+ install/tools/man/ipa-replica-prepare.1 | 9 ---------
+ install/tools/man/ipa-server-install.1 | 9 ---------
+ 3 files changed, 21 deletions(-)
+
+diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
+index b7a55cb748dfd5536d86e1b2634df34fd43f319b..993606d83c8117b47b73bb13ac1e7431ba03f369 100644
+--- a/install/tools/man/ipa-replica-install.1
++++ b/install/tools/man/ipa-replica-install.1
+@@ -76,9 +76,6 @@ An unattended installation that will never prompt for user input
+
+ .SS "CERTIFICATE SYSTEM OPTIONS"
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-skip\-schema\-check\fR
+ Skip check for updated CA DS schema on the remote master
+
+diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
+index 8e1e60a25628432bf380e7af1d2d2dac9abf8c8a..88c30757b38cfdfec36dce85e995d419dd05c17b 100644
+--- a/install/tools/man/ipa-replica-prepare.1
++++ b/install/tools/man/ipa-replica-prepare.1
+@@ -41,18 +41,12 @@ PKCS#12 file containing the Directory Server SSL Certificate and Private Key
+ \fB\-\-http_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Apache Server SSL Certificate and Private Key
+ .TP
+-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+-PKCS#12 file containing the Kerberos KDC Certificate and Private Key
+-.TP
+ \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+ The password of the Directory Server PKCS#12 file
+ .TP
+ \fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+ The password of the Apache Server PKCS#12 file
+ .TP
+-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
+-The password of the Kerberos KDC PKCS#12 file
+-.TP
+ \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
+ Directory Manager (existing master) password
+ .TP
+@@ -68,9 +62,6 @@ Do not create reverse DNS zone
+ \fB\-\-ca\fR=\fICA_FILE\fR
+ Location of CA PKCS#12 file, default /root/cacert.p12
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-debug\fR
+ Prints info log messages to the output
+ .SH "EXIT STATUS"
+diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
+index 59219c14727c5a3062d06d5ef02eb0eebdc9c4f2..409dcf24beb6c53a9908437738fbbe3c90078367 100644
+--- a/install/tools/man/ipa-server-install.1
++++ b/install/tools/man/ipa-server-install.1
+@@ -93,27 +93,18 @@ PEM file containing a certificate signed by the external CA. Must be given with
+ \fB\-\-external_ca_file\fR=\fIFILE\fR
+ PEM file containing the external CA chain
+ .TP
+-\fB\-\-no\-pkinit\fR
+-Disables pkinit setup steps
+-.TP
+ \fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Directory Server SSL Certificate
+ .TP
+ \fB\-\-http_pkcs12\fR=\fIFILE\fR
+ PKCS#12 file containing the Apache Server SSL Certificate
+ .TP
+-\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
+-PKCS#12 file containing the Kerberos KDC SSL certificate
+-.TP
+ \fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+ The password of the Directory Server PKCS#12 file
+ .TP
+ \fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+ The password of the Apache Server PKCS#12 file
+ .TP
+-\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
+-The password of the Kerberos KDC PKCS#12 file
+-.TP
+ \fB\-\-subject\fR=\fISUBJECT\fR
+ The certificate subject base (default O=REALM.NAME)
+
+--
+1.8.3.1
+
diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
new file mode 100644
index 0000000..3f300c0
--- /dev/null
+++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -0,0 +1,564 @@
+From 8f1aaebb76015f92601d012a4ce1d8da27a1c90c Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 18 Jul 2013 08:48:29 +0200
+Subject: [PATCH 1004/1006] Change branding to IPA and Identity Management
+
+---
+ install/html/browserconfig.html | 2 +-
+ install/html/ssbrowser.html | 2 +-
+ install/html/unauthorized.html | 2 +-
+ install/migration/error.html | 2 +-
+ install/migration/index.html | 2 +-
+ install/migration/invalid.html | 2 +-
+ install/tools/ipa-adtrust-install | 6 +++---
+ install/tools/ipa-dns-install | 2 +-
+ install/tools/ipa-replica-conncheck | 2 +-
+ install/tools/ipa-server-install | 2 +-
+ install/tools/man/ipa-adtrust-install.1 | 2 +-
+ install/tools/man/ipa-advise.1 | 4 ++--
+ install/tools/man/ipa-backup.1 | 2 +-
+ install/tools/man/ipa-ca-install.1 | 2 +-
+ install/tools/man/ipa-compat-manage.1 | 2 +-
+ install/tools/man/ipa-csreplica-manage.1 | 2 +-
+ install/tools/man/ipa-dns-install.1 | 2 +-
+ install/tools/man/ipa-ldap-updater.1 | 2 +-
+ install/tools/man/ipa-managed-entries.1 | 2 +-
+ install/tools/man/ipa-nis-manage.1 | 2 +-
+ install/tools/man/ipa-replica-conncheck.1 | 2 +-
+ install/tools/man/ipa-replica-install.1 | 2 +-
+ install/tools/man/ipa-replica-manage.1 | 2 +-
+ install/tools/man/ipa-replica-prepare.1 | 2 +-
+ install/tools/man/ipa-restore.1 | 2 +-
+ install/tools/man/ipa-server-certinstall.1 | 2 +-
+ install/tools/man/ipa-server-install.1 | 2 +-
+ install/tools/man/ipactl.8 | 2 +-
+ install/ui/index.html | 2 +-
+ install/ui/login.html | 2 +-
+ install/ui/logout.html | 2 +-
+ install/ui/reset_password.html | 2 +-
+ ipa-client/man/default.conf.5 | 2 +-
+ ipa-client/man/ipa-client-automount.1 | 2 +-
+ ipa-client/man/ipa-client-install.1 | 2 +-
+ ipa-client/man/ipa-getkeytab.1 | 2 +-
+ ipa-client/man/ipa-join.1 | 2 +-
+ ipa-client/man/ipa-rmkeytab.1 | 2 +-
+ 38 files changed, 41 insertions(+), 41 deletions(-)
+
+diff --git a/install/html/browserconfig.html b/install/html/browserconfig.html
+index a7784f75b8dabb19a5658b06a008bc3f4660823d..31508e95521b9c196c102cfda0be94bb25e43cf3 100644
+--- a/install/html/browserconfig.html
++++ b/install/html/browserconfig.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
+ <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
+diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
+index 72fd573cf907e7ce3a27a17a2857633480cff9de..9a52a9f4d6920a949c071d58312c3d8177d4a1d6 100644
+--- a/install/html/ssbrowser.html
++++ b/install/html/ssbrowser.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
+ <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
+diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html
+index 0fac88b98bc6eebeaa776af8341dfb5fdad4773d..19c7eb19a04530273893156b3a61141a65f29076 100644
+--- a/install/html/unauthorized.html
++++ b/install/html/unauthorized.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <script type="text/javascript" src="../ui/js/libs/jquery.js"></script>
+
+diff --git a/install/migration/error.html b/install/migration/error.html
+index 9e1e3bd0b27f264534d013e8e526c3cded448c77..333ee1e5030596917a15a5b864719cc2abb374b4 100644
+--- a/install/migration/error.html
++++ b/install/migration/error.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
+ <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
+diff --git a/install/migration/index.html b/install/migration/index.html
+index eb816b35d9f420f8f64ee8a63c443818793e5e59..78c5165f076f77de59f5554bedfe59f4a580a133 100644
+--- a/install/migration/index.html
++++ b/install/migration/index.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
+ <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
+diff --git a/install/migration/invalid.html b/install/migration/invalid.html
+index 4f46934066602b5bc52c62ad7006fe4b85ae2a6d..4f4e87a7d9490cab4ac97ed623d1f364d87be909 100644
+--- a/install/migration/invalid.html
++++ b/install/migration/invalid.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
+ <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
+diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
+index 838f7226bca66f4980c1144d7907bc42fcd31a22..bcf90a621ff052715951ed494d29c4d89742a458 100755
+--- a/install/tools/ipa-adtrust-install
++++ b/install/tools/ipa-adtrust-install
+@@ -225,11 +225,11 @@ def main():
+
+ print "=============================================================================="
+ print "This program will setup components needed to establish trust to AD domains for"
+- print "the FreeIPA Server."
++ print "the IPA Server."
+ print ""
+ print "This includes:"
+ print " * Configure Samba"
+- print " * Add trust related objects to FreeIPA LDAP server"
++ print " * Add trust related objects to IPA LDAP server"
+ #TODO:
+ #print " * Add a SID to all users and Posix groups"
+ print ""
+@@ -398,7 +398,7 @@ You must make sure these network ports are open:
+ \t * 389: (C)LDAP
+ \t * 445: microsoft-ds
+
+-Additionally you have to make sure the FreeIPA LDAP server is not reachable
++Additionally you have to make sure the IPA LDAP server is not reachable
+ by any domain controller in the Active Directory domain by closing down
+ the following ports for these servers:
+ \tTCP Ports:
+diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
+index 275e699ebc824e0eb454ac80089105c5e9ac2146..505f3d5b651c75df4f592f880bf29657c2f6b650 100755
+--- a/install/tools/ipa-dns-install
++++ b/install/tools/ipa-dns-install
+@@ -112,7 +112,7 @@ def main():
+ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+
+ print "=============================================================================="
+- print "This program will setup DNS for the FreeIPA Server."
++ print "This program will setup DNS for the IPA Server."
+ print ""
+ print "This includes:"
+ print " * Configure DNS (bind)"
+diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
+index 583b5d5e75090483ddd9549862de04ea30fe820f..b2d4bc253e334ccce742489b376e29af649bd2e0 100755
+--- a/install/tools/ipa-replica-conncheck
++++ b/install/tools/ipa-replica-conncheck
+@@ -223,7 +223,7 @@ class PortResponder(threading.Thread):
+ ipautil.bind_port_responder(self.port,
+ self.port_type,
+ socket_timeout=self.socket_timeout,
+- responder_data="FreeIPA")
++ responder_data="IPA")
+ except socket.timeout:
+ pass
+ except socket.error, e:
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index 00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62..fa9e4c47fe961c2296c5491ca19c61cc7869af0b 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -730,7 +730,7 @@ def main():
+ external = 0
+
+ print "=============================================================================="
+- print "This program will set up the FreeIPA Server."
++ print "This program will set up the IPA Server."
+ print ""
+ print "This includes:"
+ if setup_ca:
+diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
+index 7f0566e135ce1eec049987ff99e922f76c53177b..3b591a033ee4639b951e15b937249c7890fbf3b6 100644
+--- a/install/tools/man/ipa-adtrust-install.1
++++ b/install/tools/man/ipa-adtrust-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Sumit Bose <sbose@redhat.com>
+ .\"
+-.TH "ipa-adtrust-install" "1" "Aug 23 2011" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-adtrust-install" "1" "Aug 23 2011" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1
+index 4c494aab90fe307bf0a2bf82677efda4b5e67e3e..515bbddbe4de8a38a2797d6aa5e95c1ae76fb718 100644
+--- a/install/tools/man/ipa-advise.1
++++ b/install/tools/man/ipa-advise.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Tomas Babej <tbabej@redhat.com>
+ .\"
+-.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-advise \- Provide configurations advice for various use cases.
+ .SH "SYNOPSIS"
+@@ -41,4 +41,4 @@ Log to the given file
+ .SH "EXIT STATUS"
+ 0 if the command was successful
+
+-1 if an error occurred
+\ No newline at end of file
++1 if an error occurred
+diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1
+index ff9759ec77d54f32532c4ececfa5081daab9ec15..476f9b534d514b03200369212807fc6d001c70b8 100644
+--- a/install/tools/man/ipa-backup.1
++++ b/install/tools/man/ipa-backup.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-backup \- Back up an IPA master
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
+index 13ef43a80aa16afad8b7432ef2bce361e45d1fb8..0a6977dbf9780182f0d86564575433002ab50b71 100644
+--- a/install/tools/man/ipa-ca-install.1
++++ b/install/tools/man/ipa-ca-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-ca-install" "1" "Jun 17 2011" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-ca-install" "1" "Jun 17 2011" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-ca\-install \- Install a CA on a replica
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1
+index f22b1743e31c3b07132acfcfdd8600544f9ace6c..26470331a127af9445c4473525434c237e23dbcf 100644
+--- a/install/tools/man/ipa-compat-manage.1
++++ b/install/tools/man/ipa-compat-manage.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Simo Sorce <ssorce@redhat.com>
+ .\"
+-.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
+index ddb28da414ee12f4a8d09032b8b7346b2d3a06ea..ee1a030ace8dce345e66f42b37d2621d954083d9 100644
+--- a/install/tools/man/ipa-csreplica-manage.1
++++ b/install/tools/man/ipa-csreplica-manage.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-csreplica\-manage \- Manage an IPA CS replica
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
+index b0bdca94f4aea4a17fecc3362a92a9885bbafed0..68789506c11857190273d2ea67ce299517e3d338 100644
+--- a/install/tools/man/ipa-dns-install.1
++++ b/install/tools/man/ipa-dns-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-dns\-install \- Add DNS as a service to an IPA server
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
+index 37e200f520218150af4e1be63fc442131f908e27..23b8dc8177c85e351eae30a27e6001780ad267bb 100644
+--- a/install/tools/man/ipa-ldap-updater.1
++++ b/install/tools/man/ipa-ldap-updater.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-ldap-updater" "1" "Sep 12 2008" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-ldap\-updater \- Update the IPA LDAP configuration
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1
+index 3d5ca22b87846d2b46122c7171016019aa07028e..edaa0a90d1a6b123d32cbbdceb30b68c736fe8cb 100644
+--- a/install/tools/man/ipa-managed-entries.1
++++ b/install/tools/man/ipa-managed-entries.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Jr Aquino <jr.aquino@citrix.com>
+ .\"
+-.TH "ipa-managed-entries" "1" "Feb 06 2012" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-managed-entries" "1" "Feb 06 2012" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
+index fa02cfc76fa6bd076ebddde702036fa0b36f1413..e25f53eddca6cf1da1b631c1bf4ae275efb5a2b1 100644
+--- a/install/tools/man/ipa-nis-manage.1
++++ b/install/tools/man/ipa-nis-manage.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-nis-manage" "1" "May 6 2009" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-nis-manage" "1" "May 6 2009" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-nis\-manage \- Enables or disables the NIS listener plugin
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
+index 566322cf035bbb51d1ba8b14166a1b61375015da..7f220de96cc03a1f883f585740a82bff062f0ce9 100644
+--- a/install/tools/man/ipa-replica-conncheck.1
++++ b/install/tools/man/ipa-replica-conncheck.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Martin Kosek <mkosek@redhat.com>
+ .\"
+-.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
+index 993606d83c8117b47b73bb13ac1e7431ba03f369..4452c807d963a4a501eeb802f1d96e5761e0c0f3 100644
+--- a/install/tools/man/ipa-replica-install.1
++++ b/install/tools/man/ipa-replica-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-replica-install" "1" "May 16 2012" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-replica-install" "1" "May 16 2012" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-replica\-install \- Create an IPA replica
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
+index a981c72f59e23024110e0d9e8331cd50cbb22130..8703caa2baaf83211a5e64e4cd724c42a78a835f 100644
+--- a/install/tools/man/ipa-replica-manage.1
++++ b/install/tools/man/ipa-replica-manage.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-replica-manage" "1" "Mar 1 2013" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-replica-manage" "1" "Mar 1 2013" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-replica\-manage \- Manage an IPA replica
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
+index 88c30757b38cfdfec36dce85e995d419dd05c17b..24b6464d1683f23c1a95c952a27b8a92adfbf385 100644
+--- a/install/tools/man/ipa-replica-prepare.1
++++ b/install/tools/man/ipa-replica-prepare.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-replica-prepare" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-replica-prepare" "1" "Mar 14 2008" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-replica\-prepare \- Create an IPA replica file
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1
+index 31734b259524e4b07312a4009184e725aafc3728..689dc133fc4f526bffac0458b0c5c25ff5a8f674 100644
+--- a/install/tools/man/ipa-restore.1
++++ b/install/tools/man/ipa-restore.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-restore" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-restore \- Restore an IPA master
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
+index ab293cf0fdcb2fb231c39f2a32eaa62842a94a94..023971db661d4c0bee495d14bd226534b50559c2 100644
+--- a/install/tools/man/ipa-server-certinstall.1
++++ b/install/tools/man/ipa-server-certinstall.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-server-certinstall" "1" "Mar 14 2008" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-server\-certinstall \- Install new SSL server certificates
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
+index 409dcf24beb6c53a9908437738fbbe3c90078367..807e1b38201c504b601a21751798a332d257e819 100644
+--- a/install/tools/man/ipa-server-install.1
++++ b/install/tools/man/ipa-server-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-server-install" "1" "Jun 28 2012" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-server-install" "1" "Jun 28 2012" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-server\-install \- Configure an IPA server
+ .SH "SYNOPSIS"
+diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8
+index 05be8e0e29f792ad2a2159ca3f8f38624a42ffa4..b9e4700858c7490298bac58c092fe97d2c6d3a19 100644
+--- a/install/tools/man/ipactl.8
++++ b/install/tools/man/ipactl.8
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipactl" "8" "Mar 14 2008" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipactl \- IPA Server Control Interface
+ .SH "SYNOPSIS"
+diff --git a/install/ui/index.html b/install/ui/index.html
+index 75ff829970a42c6efa0f62a61bf922d07fb779a5..7a71f815496a6651850d7076015f30c6df281fed 100644
+--- a/install/ui/index.html
++++ b/install/ui/index.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+
+ <link rel="stylesheet" type="text/css" href="jquery-ui.css" />
+diff --git a/install/ui/login.html b/install/ui/login.html
+index 5545e8834a38fd24a6f0debf263a56402be42dbc..7b4d13962790e6b9457727424c37b41879a3404a 100644
+--- a/install/ui/login.html
++++ b/install/ui/login.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="ipa.css" />
+
+diff --git a/install/ui/logout.html b/install/ui/logout.html
+index e356d2a5f9b59f0b516825fb039eaa4210dc5d98..80740069c9c3b3fa1b5ccbcf64487b4f1ab4a2cd 100644
+--- a/install/ui/logout.html
++++ b/install/ui/logout.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="ipa.css" />
+
+diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html
+index 4dbbb7aacd52fe4ab787a8db73ca780225a98307..2d9c7aa7e704fa76ad5e1a93672626ad71b78568 100644
+--- a/install/ui/reset_password.html
++++ b/install/ui/reset_password.html
+@@ -2,7 +2,7 @@
+ <html>
+ <head>
+ <meta charset="utf-8">
+- <title>IPA: Identity Policy Audit</title>
++ <title>Identity Management</title>
+
+ <link rel="stylesheet" type="text/css" href="ipa.css" />
+
+diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
+index 9e87bb7c8b0b2767b590e0b920a752f83a2fde51..315f15d75ecb10a30690adb41fa12837ca32a6c6 100644
+--- a/ipa-client/man/default.conf.5
++++ b/ipa-client/man/default.conf.5
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@@redhat.com>
+ .\"
+-.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
++.TH "default.conf" "5" "Feb 21 2011" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ default.conf \- IPA configuration file
+ .SH "SYNOPSIS"
+diff --git a/ipa-client/man/ipa-client-automount.1 b/ipa-client/man/ipa-client-automount.1
+index 5b60503f1304d0a0b03a8862708ba126c50c7eff..2e6f78aa659e90f879f66431c4e52e303a4c9b15 100644
+--- a/ipa-client/man/ipa-client-automount.1
++++ b/ipa-client/man/ipa-client-automount.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-client-automount" "1" "May 25 2012" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-client\-automount \- Configure automount and NFS for IPA
+ .SH "SYNOPSIS"
+diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
+index bb19041b13622e3384fb800fca60b7b6f695e8f0..17b0666232d95e84692a7ecba7cd7b7e6117b2e7 100644
+--- a/ipa-client/man/ipa-client-install.1
++++ b/ipa-client/man/ipa-client-install.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-client-install" "1" "Jan 31 2013" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-client\-install \- Configure an IPA client
+ .SH "SYNOPSIS"
+diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1
+index ce62d9d09df07401a4d067e9247035ca6f957b83..07f0f05b604a6bf50f6149e1d3699d4643013b82 100644
+--- a/ipa-client/man/ipa-getkeytab.1
++++ b/ipa-client/man/ipa-getkeytab.1
+@@ -17,7 +17,7 @@
+ .\" Author: Karl MacMillan <kmacmill@redhat.com>
+ .\" Author: Simo Sorce <ssorce@redhat.com>
+ .\"
+-.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-getkeytab" "1" "Oct 10 2007" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-getkeytab \- Get a keytab for a Kerberos principal
+ .SH "SYNOPSIS"
+diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
+index 5dd4004b36c096bbccf1cd966e3f189fa2e356ca..86272b6409b8966348969e998848fac5039193db 100644
+--- a/ipa-client/man/ipa-join.1
++++ b/ipa-client/man/ipa-join.1
+@@ -16,7 +16,7 @@
+ .\"
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+-.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-join" "1" "Oct 8 2009" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
+ .SH "SYNOPSIS"
+diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1
+index 4f4fcee2665c105c5cdab5f964e3295bea4b7997..84d8abd548b873213d165fe5fb012ec018a8424a 100644
+--- a/ipa-client/man/ipa-rmkeytab.1
++++ b/ipa-client/man/ipa-rmkeytab.1
+@@ -17,7 +17,7 @@
+ .\" Author: Rob Crittenden <rcritten@redhat.com>
+ .\"
+ .\"
+-.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
++.TH "ipa-rmkeytab" "1" "Oct 30 2009" "IPA" "IPA Manual Pages"
+ .SH "NAME"
+ ipa\-rmkeytab \- Remove a kerberos principal from a keytab
+ .SH "SYNOPSIS"
+--
+1.8.3.1
+
diff --git a/SOURCES/1005-Remove-pylint-from-build-process.patch b/SOURCES/1005-Remove-pylint-from-build-process.patch
new file mode 100644
index 0000000..d74e340
--- /dev/null
+++ b/SOURCES/1005-Remove-pylint-from-build-process.patch
@@ -0,0 +1,35 @@
+From d48ef24f108af76f950fc67cd728d5eeee1221c4 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 22 May 2013 10:52:32 +0200
+Subject: [PATCH 1005/1006] Remove pylint from build process
+
+pylint is not present in RHEL-7.0.
+---
+ Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 484144fd6f2dfb905abfc96621fc03b306d2f230..0718367cd78e070e160d50f28006ded580be78cf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -46,9 +46,6 @@ IPA_RPM_RELEASE=$(shell cat RELEASE)
+ LIBDIR ?= /usr/lib
+
+ DEVELOPER_MODE ?= 0
+-ifneq ($(DEVELOPER_MODE),0)
+-LINT_OPTIONS=--no-fail
+-endif
+
+ PYTHON ?= $(shell rpm -E %__python)
+
+@@ -97,7 +94,6 @@ client-dirs:
+ fi
+
+ lint: bootstrap-autogen
+- ./make-lint $(LINT_OPTIONS)
+ $(MAKE) -C install/po validate-src-strings
+
+
+--
+1.8.3.1
+
diff --git a/SOURCES/1006-Remove-i18test-from-build-process.patch b/SOURCES/1006-Remove-i18test-from-build-process.patch
new file mode 100644
index 0000000..aee4946
--- /dev/null
+++ b/SOURCES/1006-Remove-i18test-from-build-process.patch
@@ -0,0 +1,26 @@
+From 87a676e2d02194a37343e32660a2228b92f56ea9 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 22 May 2013 11:55:06 +0200
+Subject: [PATCH 1006/1006] Remove i18test from build process
+
+Required package python-polib is not present in RHEL-7.0.
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0718367cd78e070e160d50f28006ded580be78cf..f53fcd8ff79289e867e17c71dcb3fc7b38e40c63 100644
+--- a/Makefile
++++ b/Makefile
+@@ -94,7 +94,7 @@ client-dirs:
+ fi
+
+ lint: bootstrap-autogen
+- $(MAKE) -C install/po validate-src-strings
++ @echo "lint target skipped in RHEL-7.0 due to missing dependencies"
+
+
+ test:
+--
+1.8.3.1
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
new file mode 100644
index 0000000..806ab5b
--- /dev/null
+++ b/SPECS/ipa.spec
@@ -0,0 +1,1543 @@
+# Define ONLY_CLIENT to only make the ipa-client and ipa-python subpackages
+%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
+
+%ifarch x86_64 %{ix86}
+# Nothing, we want to force just building client on non-Intel
+%else
+%global ONLY_CLIENT 1
+%endif
+
+%global plugin_dir %{_libdir}/dirsrv/plugins
+%global POLICYCOREUTILSVER 2.1.14-37
+%global gettext_domain ipa
+%global VERSION 3.3.3
+
+Name: ipa
+Version: 3.3.3
+Release: 5%{?dist}
+Summary: The Identity, Policy and Audit system
+
+Group: System Environment/Base
+License: GPLv3+
+URL: http://www.freeipa.org/
+Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
+Source1: rh-ipabanner.png
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+Patch0001: 0001-Guard-import-of-adtrustinstance-for-case-without-tru.patch
+Patch0002: 0002-Server-does-not-detect-different-server-and-IPA-doma.patch
+Patch0003: 0003-Allow-kernel-keyring-CCACHE-when-supported.patch
+Patch0004: 0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
+Patch0005: 0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
+Patch0006: 0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
+
+Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
+Patch1002: 1002-Remove-pkinit-plugin.patch
+Patch1003: 1003-Remove-pkinit-references-from-tool-man-pages.patch
+Patch1004: 1004-Change-branding-to-IPA-and-Identity-Management.patch
+Patch1005: 1005-Remove-pylint-from-build-process.patch
+Patch1006: 1006-Remove-i18test-from-build-process.patch
+
+%if ! %{ONLY_CLIENT}
+BuildRequires: 389-ds-base-devel >= 1.3.1
+BuildRequires: svrcore-devel
+BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires: systemd-units
+BuildRequires: samba-devel >= 4.0.5-1
+BuildRequires: samba-python
+BuildRequires: libwbclient-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtevent-devel
+%endif # ONLY_CLIENT
+BuildRequires: nspr-devel
+BuildRequires: nss-devel
+BuildRequires: openssl-devel
+BuildRequires: openldap-devel
+BuildRequires: krb5-devel >= 1.11
+BuildRequires: krb5-workstation
+BuildRequires: libuuid-devel
+BuildRequires: libcurl-devel >= 7.21.7-2
+BuildRequires: xmlrpc-c-devel >= 1.27.4
+BuildRequires: popt-devel
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: m4
+BuildRequires: libtool
+BuildRequires: gettext
+BuildRequires: python-devel
+BuildRequires: python-ldap
+BuildRequires: python-setuptools
+BuildRequires: python-krbV
+BuildRequires: python-nss
+BuildRequires: python-netaddr
+BuildRequires: python-kerberos
+BuildRequires: python-rhsm
+BuildRequires: pyOpenSSL
+BuildRequires: libipa_hbac-python
+BuildRequires: python-memcached
+BuildRequires: sssd >= 1.9.2
+BuildRequires: python-lxml
+BuildRequires: python-pyasn1 >= 0.0.9a
+BuildRequires: python-dns
+BuildRequires: m2crypto
+BuildRequires: check
+BuildRequires: libsss_idmap-devel
+BuildRequires: libsss_nss_idmap-devel
+BuildRequires: java-1.7.0-openjdk
+BuildRequires: libverto-devel
+BuildRequires: systemd
+BuildRequires: libunistring-devel
+BuildRequires: diffstat
+
+# Find out Kerberos middle version to infer ABI changes in DAL driver
+# We cannot load DAL driver into KDC with wrong ABI.
+# This is also needed to support ipa-devel repository where krb5 1.11 is available for F18
+%global krb5_dal_version %{expand:%(echo "#include <kdb.h>"|cpp -dM|grep KRB5_KDB_DAL_MAJOR_VERSION|cut -d' ' -f3)}
+
+%description
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof).
+
+%if ! %{ONLY_CLIENT}
+%package server
+Summary: The IPA authentication server
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-admintools = %{version}-%{release}
+Requires: 389-ds-base >= 1.3.1.3
+Requires: openldap-clients > 2.4.35-4
+Requires: nss >= 3.14.3-12.0
+Requires: nss-tools >= 3.14.3-12.0
+%if 0%{?krb5_dal_version} >= 4
+Requires: krb5-server >= 1.11.2-1
+%else
+%if 0%{krb5_dal_version} == 3
+# krb5 1.11 bumped DAL interface major version, a rebuild is needed
+Requires: krb5-server < 1.11
+Requires: krb5-server >= 1.10
+%else
+Requires: krb5-server >= 1.10
+%endif
+%endif
+Requires: krb5-pkinit-openssl
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: ntp
+Requires: httpd
+Requires: mod_wsgi
+Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_nss >= 1.0.8-24
+Requires: python-ldap
+Requires: python-krbV
+Requires: acl
+Requires: python-pyasn1
+Requires: memcached
+Requires: python-memcached
+Requires: systemd-units >= 38
+Requires(pre): systemd-units
+Requires(post): systemd-units
+Requires: selinux-policy >= 3.12.1-65
+Requires(post): selinux-policy-base
+Requires: slapi-nis >= 0.47.7
+Requires: pki-ca >= 10.0.4
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
+Requires(preun): python systemd-units
+Requires(postun): python systemd-units
+Requires: python-dns
+Requires: zip
+Requires: policycoreutils >= %{POLICYCOREUTILSVER}
+Requires: tar
+Requires(pre): certmonger >= 0.65
+Requires(pre): 389-ds-base >= 1.3.1.3
+
+# We have a soft-requires on bind. It is an optional part of
+# IPA but if it is configured we need a way to require versions
+# that work for us.
+Conflicts: bind-dyndb-ldap < 3.5
+Conflicts: bind < 9.8.2-0.4.rc2
+
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
+%description server
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If you are installing an IPA server you need
+to install this package (in other words, most people should NOT install
+this package).
+
+
+%package server-trust-ad
+Summary: Virtual package to install packages required for Active Directory trusts
+Group: System Environment/Base
+Requires: %{name}-server = %version-%release
+Requires: m2crypto
+Requires: samba-python
+Requires: samba >= 4.0.5-1
+Requires: samba-winbind
+Requires: libsss_idmap
+Requires: libsss_nss_idmap-python
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installes where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(post): python
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
+
+%description server-trust-ad
+Cross-realm trusts with Active Directory in IPA require working Samba 4
+installation. This package is provided for convenience to install all required
+dependencies at once.
+
+%endif # ONLY_CLIENT
+
+
+%package client
+Summary: IPA authentication for use on clients
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: python-ldap
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: ntp
+Requires: krb5-workstation
+Requires: authconfig
+Requires: pam_krb5
+Requires: wget
+Requires: libcurl >= 7.21.7-2
+Requires: xmlrpc-c >= 1.27.4
+Requires: sssd >= 1.11.1
+Requires: certmonger >= 0.65
+Requires: nss-tools
+Requires: bind-utils
+Requires: oddjob-mkhomedir
+Requires: python-krbV
+Requires: python-dns
+Requires: libsss_autofs
+Requires: autofs
+Requires: libnfsidmap
+Requires: nfs-utils
+Requires(post): policycoreutils
+
+%description client
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If your network uses IPA for authentication,
+this package should be installed on every client machine.
+
+
+%if ! %{ONLY_CLIENT}
+%package admintools
+Summary: IPA administrative tools
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-client = %{version}-%{release}
+Requires: python-krbV
+Requires: python-ldap
+
+%description admintools
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). This package provides command-line tools for
+IPA administrators.
+%endif # ONLY_CLIENT
+
+%package python
+Summary: Python libraries used by IPA
+Group: System Environment/Libraries
+Requires: python-kerberos
+Requires: gnupg
+Requires: iproute
+Requires: keyutils
+Requires: pyOpenSSL
+Requires: python-nss
+Requires: python-lxml
+Requires: python-netaddr
+Requires: libipa_hbac-python
+
+%description python
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof). If you are using IPA you need to install this
+package.
+
+%if ! %{ONLY_CLIENT}
+%package tests
+Summary: IPA tests and test tools
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-python = %{version}-%{release}
+Requires: tar
+Requires: xz
+Requires: python-nose
+Requires: python-paste
+Requires: python-coverage
+Requires: openssh-clients
+
+%description tests
+IPA is an integrated solution to provide centrally managed Identity (machine,
+user, virtual machines, groups, authentication credentials), Policy
+(configuration settings, access control information) and Audit (events,
+logs, analysis thereof).
+This package contains tests that verify IPA functionality.
+
+%endif # ONLY_CLIENT
+
+
+%prep
+# RHEL spec file only: START
+# Update timestamps on the files touched by a patch, to avoid non-equal
+# .pyc/.pyo files across the multilib peers within a build, where "Level"
+# is the patch prefix option (e.g. -p1)
+# Taken from specfile for sssd and python-simplejson
+UpdateTimestamps() {
+ Level=$1
+ PatchFile=$2
+
+ # Locate the affected files:
+ for f in $(diffstat $Level -l $PatchFile); do
+ # Set the files to have the same timestamp as that of the patch:
+ touch -r $PatchFile $f
+ done
+}
+
+%setup -n freeipa-%{VERSION} -q
+
+for p in %patches ; do
+ %__patch -p1 -i $p
+ UpdateTimestamps -p1 $p
+done
+# RHEL spec file only: END
+
+%build
+export CFLAGS="$CFLAGS %{optflags}"
+export CPPFLAGS="$CPPFLAGS %{optflags}"
+# use fedora18 platform which is based on fedora16 platform with systemd
+# support + fedora18 changes
+export SUPPORTED_PLATFORM=fedora18
+# Force re-generate of platform support
+rm -f ipapython/services.py
+make version-update
+cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+%if ! %{ONLY_CLIENT}
+cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
+cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+%endif # ONLY_CLIENT
+
+%if ! %{ONLY_CLIENT}
+make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
+%else
+make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
+%endif # ONLY_CLIENT
+
+%install
+rm -rf %{buildroot}
+# use fedora18 platform which is based on fedora16 platform with systemd
+# support + fedora18 changes
+export SUPPORTED_PLATFORM=fedora18
+# Force re-generate of platform support
+rm -f ipapython/services.py
+%if ! %{ONLY_CLIENT}
+make install DESTDIR=%{buildroot}
+# Start RHEL-7.0: Red Hat's Identity Management branding
+cp %SOURCE1 %{buildroot}%{_usr}/share/ipa/ui/images/ipa-banner.png
+# End RHEL-7.0
+%else
+make client-install DESTDIR=%{buildroot}
+%endif # ONLY_CLIENT
+%find_lang %{gettext_domain}
+
+
+%if ! %{ONLY_CLIENT}
+# Remove .la files from libtool - we don't want to package
+# these files
+rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
+rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
+rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
+rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
+rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
+rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
+rm %{buildroot}/%{plugin_dir}/libipa_dns.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
+rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
+rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
+rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
+
+# Some user-modifiable HTML files are provided. Move these to /etc
+# and link back.
+mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
+mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
+mkdir %{buildroot}%{_usr}/share/ipa/html/
+ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
+ %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
+ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig_page.js \
+ %{buildroot}%{_usr}/share/ipa/html/ffconfig_page.js
+ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \
+ %{buildroot}%{_usr}/share/ipa/html/ssbrowser.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
+ %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
+ %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
+ %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
+
+# So we can own our Apache configuration
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+mkdir -p %{buildroot}%{_usr}/share/ipa/html/
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
+mkdir -p %{buildroot}%{_initrddir}
+mkdir %{buildroot}%{_sysconfdir}/sysconfig/
+install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
+
+# Web UI plugin dir
+mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
+# NOTE: systemd specific section
+mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
+install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
+# END
+
+mkdir -p %{buildroot}%{_localstatedir}/run/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+# NOTE: systemd specific section
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
+install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+# END
+
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
+%endif # ONLY_CLIENT
+
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
+
+%if ! %{ONLY_CLIENT}
+mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
+install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d
+
+(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \
+ grep -v dcerpc | grep -v adtrustinstance | \
+ sed -e 's,\.py.*$,.*,g' | sort -u | \
+ sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
+
+(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f | \
+ sed -e 's,\.py.*$,.*,g' | sort -u | \
+ sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list
+%endif # ONLY_CLIENT
+
+%clean
+rm -rf %{buildroot}
+
+%if ! %{ONLY_CLIENT}
+%post server
+# NOTE: systemd specific section
+ /bin/systemctl --system daemon-reload 2>&1 || :
+# END
+if [ $1 -gt 1 ] ; then
+ /bin/systemctl condrestart certmonger.service 2>&1 || :
+fi
+
+%posttrans server
+# This must be run in posttrans so that updates from previous
+# execution that may no longer be shipped are not applied.
+/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
+/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
+
+# Restart IPA processes. This must be also run in postrans so that plugins
+# and software is in consistent state
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+# NOTE: systemd specific section
+if [ $? -eq 0 ]; then
+ /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+fi
+# END
+
+%preun server
+if [ $1 = 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl --quiet stop ipa.service || :
+ /bin/systemctl --quiet disable ipa.service || :
+# END
+fi
+
+%pre server
+# Stop ipa_kpasswd if it exists before upgrading so we don't have a
+# zombie process when we're done.
+if [ -e /usr/sbin/ipa_kpasswd ]; then
+# NOTE: systemd specific section
+ /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
+# END
+fi
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+ %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+ fi
+fi
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+ winbind_krb5_locator.so /dev/null 90
+
+%posttrans server-trust-ad
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
+# END
+fi
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+fi
+%endif # ONLY_CLIENT
+
+%post client
+if [ $1 -gt 1 ] ; then
+ # Has the client been configured?
+ restore=0
+ test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+ if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+ if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
+ echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
+ cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
+ mv /etc/krb5.conf.ipanew /etc/krb5.conf
+ /sbin/restorecon /etc/krb5.conf
+ fi
+ fi
+fi
+
+%triggerin -n ipa-client -- openssh-server
+# Has the client been configured?
+restore=0
+test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
+ if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
+ sed -r '
+ /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
+ ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
+
+ if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+ sed -ri '
+ s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
+ s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+ sed -ri '
+ s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
+ s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
+ ' /etc/ssh/sshd_config.ipanew
+ fi
+
+ mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
+ /sbin/restorecon /etc/ssh/sshd_config
+ chmod 600 /etc/ssh/sshd_config
+
+ /bin/systemctl condrestart sshd.service 2>&1 || :
+ fi
+fi
+
+%if ! %{ONLY_CLIENT}
+%files server -f server-python.list
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_sbindir}/ipa-backup
+%{_sbindir}/ipa-restore
+%{_sbindir}/ipa-ca-install
+%{_sbindir}/ipa-dns-install
+%{_sbindir}/ipa-server-install
+%{_sbindir}/ipa-replica-conncheck
+%{_sbindir}/ipa-replica-install
+%{_sbindir}/ipa-replica-prepare
+%{_sbindir}/ipa-replica-manage
+%{_sbindir}/ipa-csreplica-manage
+%{_sbindir}/ipa-server-certinstall
+%{_sbindir}/ipa-ldap-updater
+%{_sbindir}/ipa-compat-manage
+%{_sbindir}/ipa-nis-manage
+%{_sbindir}/ipa-managed-entries
+%{_sbindir}/ipactl
+%{_sbindir}/ipa-upgradeconfig
+%{_sbindir}/ipa-advise
+%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
+%{_libexecdir}/ipa-otpd
+%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
+%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+# NOTE: systemd specific section
+%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa_memcached.service
+# END
+%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
+%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%dir %{python_sitelib}/ipaserver
+%dir %{python_sitelib}/ipaserver/install
+%dir %{python_sitelib}/ipaserver/install/plugins
+%dir %{python_sitelib}/ipaserver/advise
+%dir %{python_sitelib}/ipaserver/advise/plugins
+%dir %{python_sitelib}/ipaserver/plugins
+%dir %{_libdir}/ipa/certmonger
+%attr(755,root,root) %{_libdir}/ipa/certmonger/*
+%dir %{_usr}/share/ipa
+%{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/copy-schema-to-ca.py*
+%{_usr}/share/ipa/*.ldif
+%{_usr}/share/ipa/*.uldif
+%{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
+%dir %{_usr}/share/ipa/ffextension
+%{_usr}/share/ipa/ffextension/bootstrap.js
+%{_usr}/share/ipa/ffextension/install.rdf
+%{_usr}/share/ipa/ffextension/chrome.manifest
+%dir %{_usr}/share/ipa/ffextension/chrome
+%dir %{_usr}/share/ipa/ffextension/chrome/content
+%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth.js
+%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth_overlay.xul
+%dir %{_usr}/share/ipa/ffextension/locale
+%dir %{_usr}/share/ipa/ffextension/locale/en-US
+%{_usr}/share/ipa/ffextension/locale/en-US/kerberosauth.properties
+%dir %{_usr}/share/ipa/html
+%{_usr}/share/ipa/html/ffconfig.js
+%{_usr}/share/ipa/html/ffconfig_page.js
+%{_usr}/share/ipa/html/ssbrowser.html
+%{_usr}/share/ipa/html/browserconfig.html
+%{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/ipa_error.css
+%dir %{_usr}/share/ipa/migration
+%{_usr}/share/ipa/migration/error.html
+%{_usr}/share/ipa/migration/index.html
+%{_usr}/share/ipa/migration/invalid.html
+%{_usr}/share/ipa/migration/migration.py*
+%dir %{_usr}/share/ipa/ui
+%{_usr}/share/ipa/ui/index.html
+%{_usr}/share/ipa/ui/login.html
+%{_usr}/share/ipa/ui/logout.html
+%{_usr}/share/ipa/ui/reset_password.html
+%{_usr}/share/ipa/ui/*.ico
+%{_usr}/share/ipa/ui/*.css
+%{_usr}/share/ipa/ui/*.js
+%{_usr}/share/ipa/ui/*.eot
+%{_usr}/share/ipa/ui/*.svg
+%{_usr}/share/ipa/ui/*.ttf
+%{_usr}/share/ipa/ui/*.woff
+%dir %{_usr}/share/ipa/ui/js/dojo
+%{_usr}/share/ipa/ui/js/dojo/dojo.js
+%dir %{_usr}/share/ipa/ui/js/libs
+%{_usr}/share/ipa/ui/js/libs/*.js
+%dir %{_usr}/share/ipa/ui/js/freeipa
+%{_usr}/share/ipa/ui/js/freeipa/app.js
+%dir %{_usr}/share/ipa/ui/js/plugins
+%dir %{_usr}/share/ipa/ui/images
+%{_usr}/share/ipa/ui/images/*.png
+%{_usr}/share/ipa/ui/images/*.gif
+%dir %{_usr}/share/ipa/wsgi
+%{_usr}/share/ipa/wsgi/plugins.py*
+%dir %{_sysconfdir}/ipa
+%dir %{_sysconfdir}/ipa/html
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
+%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
+%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
+%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
+%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
+%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+%{_usr}/share/ipa/ca_renewal
+%{_usr}/share/ipa/ipa.conf
+%{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/ipa-pki-proxy.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
+%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
+%dir %{_usr}/share/ipa/updates/
+%{_usr}/share/ipa/updates/*
+%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
+%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
+%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
+%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
+%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%attr(755,root,root) %{plugin_dir}/libipa_dns.so
+%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
+%dir %{_localstatedir}/lib/ipa
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
+%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
+%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
+%{_mandir}/man1/ipa-replica-conncheck.1.gz
+%{_mandir}/man1/ipa-replica-install.1.gz
+%{_mandir}/man1/ipa-replica-manage.1.gz
+%{_mandir}/man1/ipa-csreplica-manage.1.gz
+%{_mandir}/man1/ipa-replica-prepare.1.gz
+%{_mandir}/man1/ipa-server-certinstall.1.gz
+%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man1/ipa-dns-install.1.gz
+%{_mandir}/man1/ipa-ca-install.1.gz
+%{_mandir}/man1/ipa-compat-manage.1.gz
+%{_mandir}/man1/ipa-nis-manage.1.gz
+%{_mandir}/man1/ipa-managed-entries.1.gz
+%{_mandir}/man1/ipa-ldap-updater.1.gz
+%{_mandir}/man8/ipactl.8.gz
+%{_mandir}/man8/ipa-upgradeconfig.8.gz
+%{_mandir}/man1/ipa-backup.1.gz
+%{_mandir}/man1/ipa-restore.1.gz
+%{_mandir}/man1/ipa-advise.1.gz
+
+%files server-trust-ad
+%{_sbindir}/ipa-adtrust-install
+%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
+%{_usr}/share/ipa/smb.conf.empty
+%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
+%{_mandir}/man1/ipa-adtrust-install.1.gz
+%{python_sitelib}/ipaserver/dcerpc*
+%{python_sitelib}/ipaserver/install/adtrustinstance*
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+%endif # ONLY_CLIENT
+
+%files client
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_sbindir}/ipa-client-install
+%{_sbindir}/ipa-client-automount
+%{_sbindir}/ipa-getkeytab
+%{_sbindir}/ipa-rmkeytab
+%{_sbindir}/ipa-join
+%dir %{_usr}/share/ipa
+%dir %{_usr}/share/ipa/ipaclient
+%dir %{_localstatedir}/lib/ipa-client
+%dir %{_localstatedir}/lib/ipa-client/sysrestore
+%{_usr}/share/ipa/ipaclient/ipa.cfg
+%{_usr}/share/ipa/ipaclient/ipa.js
+%dir %{python_sitelib}/ipaclient
+%{python_sitelib}/ipaclient/*.py*
+%{_mandir}/man1/ipa-getkeytab.1.gz
+%{_mandir}/man1/ipa-rmkeytab.1.gz
+%{_mandir}/man1/ipa-client-install.1.gz
+%{_mandir}/man1/ipa-client-automount.1.gz
+%{_mandir}/man1/ipa-join.1.gz
+%{_mandir}/man5/default.conf.5.gz
+
+%if ! %{ONLY_CLIENT}
+%files admintools
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%{_bindir}/ipa
+%config %{_sysconfdir}/bash_completion.d
+%{_mandir}/man1/ipa.1.gz
+%endif # ONLY_CLIENT
+
+%files python -f %{gettext_domain}.lang
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%dir %{python_sitelib}/ipapython
+%dir %{python_sitelib}/ipapython/platform
+%dir %{python_sitelib}/ipapython/platform/base
+%dir %{python_sitelib}/ipapython/platform/fedora16
+%dir %{python_sitelib}/ipapython/platform/fedora18
+%dir %{python_sitelib}/ipapython/platform/redhat
+%{python_sitelib}/ipapython/*.py*
+%{python_sitelib}/ipapython/platform/*.py*
+%{python_sitelib}/ipapython/platform/base/*.py*
+%{python_sitelib}/ipapython/platform/fedora16/*.py*
+%{python_sitelib}/ipapython/platform/fedora18/*.py*
+%{python_sitelib}/ipapython/platform/redhat/*.py*
+%dir %{python_sitelib}/ipalib
+%{python_sitelib}/ipalib/*
+%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
+%{python_sitelib}/ipapython-*.egg-info
+%{python_sitelib}/freeipa-*.egg-info
+%{python_sitearch}/python_default_encoding-*.egg-info
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+
+%if ! %{ONLY_CLIENT}
+%files tests -f tests-python.list
+%defattr(-,root,root,-)
+%doc COPYING README Contributors.txt
+%dir %{python_sitelib}/ipatests
+%dir %{python_sitelib}/ipatests/test_cmdline
+%dir %{python_sitelib}/ipatests/test_install
+%dir %{python_sitelib}/ipatests/test_ipalib
+%dir %{python_sitelib}/ipatests/test_ipapython
+%dir %{python_sitelib}/ipatests/test_ipaserver
+%dir %{python_sitelib}/ipatests/test_ipaserver/install
+%dir %{python_sitelib}/ipatests/test_pkcs10
+%dir %{python_sitelib}/ipatests/test_webui
+%dir %{python_sitelib}/ipatests/test_xmlrpc
+%{_bindir}/ipa-run-tests
+%{_bindir}/ipa-test-config
+%{_bindir}/ipa-test-task
+%{python_sitelib}/ipatests-*.egg-info
+%{_mandir}/man1/ipa-run-tests.1.gz
+%{_mandir}/man1/ipa-test-config.1.gz
+%{_mandir}/man1/ipa-test-task.1.gz
+%endif # ONLY_CLIENT
+
+%changelog
+* Fri Nov 22 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
+- Trust add tries to add same value of --base-id for sub domain,
+ causing an error (#1033068)
+- Improved error reporting for adding trust case (#1029856)
+
+* Wed Nov 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-4
+- Winsync agreement cannot be created (#1023085)
+
+* Wed Nov 6 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-3
+- Installer did not detect different server and IPA domain (#1026845)
+- Allow kernel keyring CCACHE when supported (#1026861)
+
+* Tue Nov 5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-2
+- ipa-server-install crashes when AD subpackage is not installed (#1026434)
+
+* Fri Nov 1 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-1
+- Update to upstream 3.3.3 (#991064)
+
+* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-5
+- Temporarily move ipa-backup and ipa-restore functionality
+ back to make them available in public Beta (#1003933)
+
+* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-4
+- Server install failure during client enrollment shouldn't
+ roll back (#1023086)
+- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
+- ipa-server conflicts with mod_ssl (#1018172)
+
+* Wed Oct 16 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-3
+- Reinstalling ipa server hangs when configuring certificate
+ server (#1018804)
+
+* Fri Oct 11 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-2
+- Deprecate --serial-autoincrement option (#1016645)
+- CA installation always failed on replica (#1005446)
+- Re-initializing a winsync connection exited with error (#994980)
+
+* Fri Oct 4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
+- Update to upstream 3.3.2 (#991064)
+- Add delegation info to MS-PAC (#915799)
+- Warn about incompatibility with AD when IPA realm and domain
+ differs (#1009044)
+- Allow PKCS#12 files with empty password in install tools (#1002639)
+- Privilege "SELinux User Map Administrators" did not list
+ permissions (#997085)
+- SSH key upload broken when client joins an older server (#1009024)
+
+* Mon Sep 23 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-5
+- Remove dependency on python-paramiko (#1002884)
+- Broken redirection when deleting last entry of DNS resource
+ record (#1006360)
+
+* Tue Sep 10 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-4
+- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
+
+* Mon Sep 9 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-3
+- Replica installation fails for RHEL 6.4 master (#1004680)
+- Server uninstallation crashes if DS is not available (#998069)
+
+* Thu Sep 5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-2
+- Unable to remove replica by ipa-replica-manage (#1001662)
+- Before uninstalling a server, warn about active replicas (#998069)
+
+* Thu Aug 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.1-1
+- Update to upstream 3.3.1 (#991064)
+- Update minimum version of bind-dyndb-ldap to 3.5
+
+* Tue Aug 20 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.0-7
+- Fix replica installation failing on certificate subject (#983075)
+
+* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-6
+- Allow ipa-tests to work with older version (1.7.7) of python-paramiko
+
+* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-5
+- Prevent multilib failures in *.pyo and *.pyc files
+
+* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-4
+- ipa-server-install fails if --subject parameter is other than default
+ realm (#983075)
+- do not allow configuring bind-dyndb-ldap without persistent search (#967876)
+
+* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-3
+- diffstat was missing as a build dependency causing multilib problems
+
+* Thu Aug 8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-2
+- Remove ipa-server-selinux obsoletes as upgrades from version prior to
+ 3.3.0 are not allowed
+- Wrap server-trust-ad subpackage description better
+- Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
+- Change permissions on default_encoding_utf8.so to fix ipa-python Provides
+
+* Thu Aug 8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1
+- Update to upstream 3.3.0 (#991064)
+
+* Thu Aug 8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.2.beta2
+- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release
+
+* Wed Aug 7 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.1.beta2
+- Update to upstream 3.3.0 Beta 2 (#991064)
+
+* Thu Jul 18 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
+- Update to upstream 3.2.2
+- Drop ipa-server-selinux subpackage
+- Drop redundant directory /var/cache/ipa/sessions
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
+ issues when there are still old parts of software (like entitlements plugin)
+
+* Fri Jun 14 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
+- Update to upstream 3.2.1
+- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0
+
+* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
+- Add OTP patches
+- Add patch to set KRB5CCNAME for 389-ds-base
+
+* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
+- Update to upstream 3.2.0 GA
+- ipa-client-install fails if /etc/ipa does not exist (#961483)
+- Certificate status is not visible in Service and Host page (#956718)
+- ipa-client-install removes needed options from ldap.conf (#953991)
+- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
+- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
+- Require nss 3.14.3-12.0 to address certutil certificate import
+ errors (#953485)
+- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
+ environments. (#953464)
+- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
+- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
+- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
+ socket based connections (#960222)
+- Require libsss_nss_idmap-python
+- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
+ member is now done automatically and having it in the config file raises
+ an error.
+- Add backup and restore tools, directory.
+- require at least systemd 38 which provides the journal (we no longer
+ need to require syslog.target)
+- Update Requires on policycoreutils to 2.1.14-37
+- Update Requires on selinux-policy to 3.12.1-42
+- Update Requires on 389-ds-base to 1.3.1.0
+- Remove a Requires for java-atk-wrapper
+
+* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
+- Remove release from krb5-server in strict sub-package to allow for rebuilds.
+
+* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
+- Add a Requires for java-atk-wrapper until we can determine which package
+ should be pulling it in, dogtag or tomcat.
+
+* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
+- Update to upstream 3.2.0 Beta 1
+
+* Tue Apr 2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
+- Update to upstream 3.2.0 Prerelease 1
+- Use upstream reference spec file as a base for Fedora spec file
+
+* Sat Mar 30 2013 Kevin Fenzi <kevin@scrye.com> 3.1.2-4
+- Rebuild for broken deps
+- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1
+
+* Sat Feb 23 2013 Kevin Fenzi <kevin@scrye.com> - 3.1.2-3
+- Rebuild for broken deps in rawhide
+- Fix 389-ds-base strict dep to be 1.3.0.3
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.2-1
+- Update to upstream 3.1.2
+- CVE-2012-4546: Incorrect CRLs publishing
+- CVE-2012-5484: MITM Attack during Join process
+- CVE-2013-0199: Cross-Realm Trust key leak
+- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
+ pki-ca = 10.0.1
+
+* Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.1.0-2
+- Remove redundat Requires versions that are already in Fedora 17
+- Replace python-crypto Requires with m2crypto
+- Add missing Requires(post) for client and server-trust-ad subpackages
+- Restart httpd service when server-trust-ad subpackage is installed
+- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes
+
+* Mon Dec 10 2012 Rob Crittenden <rcritten@redhat.com> - 3.1.0-1
+- Updated to upstream 3.1.0 GA
+- Set minimum for sssd to 1.9.2
+- Set minimum for pki-ca to 10.0.0-1
+- Set minimum for 389-ds-base to 1.3.0
+- Set minimum for selinux-policy to 3.11.1-60
+- Remove unneeded dogtag package requires
+
+* Tue Oct 23 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
+- Update Requires on krb5-server to 1.11
+
+* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2
+- Configure CA replication to use TLS instead of SSL
+
+* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
+- Updated to upstream 3.0.0 GA
+- Set minimum for samba to 4.0.0-153.
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
+ plugin to /dev/null since they cannot be used when trusts are configured
+- Restrict krb5-server to 1.10.
+- Update BR for 389-ds-base to 1.3.0
+- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
+- Add Requires on zip for generating FF browser extension
+
+* Fri Oct 5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
+- Updated to upstream 3.0.0 rc 2
+- Include new FF configuration extension
+- Set minimum Requires of selinux-policy to 3.11.1-33
+- Set minimum Requires dogtag to 10.0.0-0.43.b1
+- Add new optional strict sub-package to allow users to limit other
+ package upgrades.
+
+* Tue Oct 2 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.9
+- Require samba packages instead of obsoleted samba4 packages
+
+* Fri Sep 21 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.8
+- Updated to upstream 3.0.0 rc 1
+- Update BR for 389-ds-base to 1.2.11.14
+- Update BR for krb5 to 1.10
+- Update BR for samba4-devel to 4.0.0-139 (rc1)
+- Add BR for python-polib
+- Update BR and Requires on sssd to 1.9.0
+- Update Requires on policycoreutils to 2.1.12-5
+- Update Requires on 389-ds-base to 1.2.11.14
+- Update Requires on selinux-policy to 3.11.1-21
+- Update Requires on dogtag to 10.0.0-0.33.a1
+- Update Requires on certmonger to 0.60
+- Update Requires on tomcat to 7.0.29
+- Update minimum version of bind to 9.9.1-10.P3
+- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
+- Remove Requires on authconfig from python sub-package
+
+* Wed Sep 5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.7
+- Rebuild against samba4 beta8
+
+* Fri Aug 31 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.6
+- Rebuild against samba4 beta7
+
+* Wed Aug 22 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-0.5
+- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
+- Add dependency to samba4-winbind
+
+* Fri Aug 17 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.4
+- Updated to upstream 3.0.0 beta 2
+
+* Mon Aug 6 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.3
+- Updated to current upstream state of 3.0.0 beta 2 development
+
+* Mon Jul 23 2012 Alexander Bokovoy <abokovy@redhat.com> - 3.0.0-0.2
+- Rebuild against samba4 beta4
+
+* Mon Jul 2 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.1
+- Updated to upstream 3.0.0 beta 1
+
+* Thu May 3 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1
+- Updated to upstream 2.2.0 GA
+- Update minimum n-v-r of certmonger to 0.53
+- Update minimum n-v-r of slapi-nis to 0.40
+- Add Requires in client to oddjob-mkhomedir and python-krbV
+- Update minimum selinux-policy to 3.10.0-110
+
+* Mon Mar 19 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.2
+- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
+- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
+- Add Conflicts on mod_ssl
+- Update minimum n-v-r of 389-ds-base to 1.2.10.4
+- Update minimum n-v-r of sssd to 1.8.0
+- Update minimum n-v-r of slapi-nis to 0.38
+- Update minimum n-v-r of pki-* to 9.0.18
+- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
+- Update conflicts on bind to < 9.9.0-1
+- Drop requires on krb5-server-ldap
+- Add patch to remove escaping arguments to pkisilent
+
+* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
+- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
+
+* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
+- Force to use 389-ds 1.2.10-0.8.a7 or above
+- Improve upgrade script to handle systemd 389-ds change
+- Fix freeipa to work with python-ldap 2.4.6
+
+* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
+- Fix ipa-replica-install crashes
+- Fix ipa-server-install and ipa-dns-install logging
+- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
+ caused by FEDORA-2011-17400 update (#771357)
+
+* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
+- Allow Web-based migration to work with tightened SE Linux policy (#769440)
+- Rebuild slapi plugins against re-enterant version of libldap
+
+* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
+- Allow longer dirsrv startup with systemd:
+ - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
+ - Helps with restarts during upgrade for ipa-ldap-updater
+- Fix pylint warnings from F16 and Rawhide
+
+* Tue Dec 6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
+- Update to upstream 2.1.4 (CVE-2011-3636)
+
+* Mon Dec 5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
+- Update SELinux policy to allow ipa_kpasswd to connect ldap and
+ read /dev/urandom. (#759679)
+
+* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
+- Fix wrong path in packaging freeipa-systemd-upgrade
+
+* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-6
+- Introduce upgrade script to recover existing configuration after systemd migration
+ as user has no means to recover FreeIPA from systemd migration
+- Upgrade script:
+ - recovers symlinks in Dogtag instance install
+ - recovers systemd configuration for FreeIPA's directory server instances
+ - recovers freeipa.service
+ - migrates directory server and KDC configs to use proper keytabs for systemd services
+
+* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
+- Rebuilt for glibc bug#747377
+
+* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
+- clean up spec
+- Depend on sssd >= 1.6.2 for better user experience
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
+- Fix Fedora package changelog after merging systemd changes
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
+- Fix postin scriplet for F-15/F-16
+
+* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
+- 2.1.3
+
+* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
+- Default to systemd for Fedora 16 and onwards
+
+* Tue Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
+- Update to upstream 2.1.0
+
+* Fri May 6 2011 Simo Sorce <ssorce@redhat.com> - 2.0.1-2
+- Fix bug #702633
+
+* Mon May 2 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.1-1
+- Update minimum selinux-policy to 3.9.16-18
+- Update minimum pki-ca and pki-selinux to 9.0.7
+- Update minimum 389-ds-base to 1.2.8.0-1
+- Update to upstream 2.0.1
+
+* Thu Mar 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
+- Update to upstream GA release
+- Automatically apply updates when the package is upgraded
+
+* Fri Feb 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.4.rc2
+- Update to upstream freeipa-2.0.0.rc2
+- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
+- Set minimum version of sssd to 1.5.1
+- Patch to include SuiteSpotGroup when setting up 389-ds instances
+- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled
+
+* Tue Feb 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.3.rc1
+- Set the N-V-R so rc1 is an update to beta2.
+
+* Mon Feb 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.rc1
+- Set minimum version of sssd to 1.5.1
+- Update to upstream freeipa-2.0.0.rc1
+- Move server-only binaries from admintools subpackage to server
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0-0.2.beta2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb 3 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta2
+- Set min version of 389-ds-base to 1.2.8
+- Set min version of mod_nss 1.0.8-10
+- Set min version of selinux-policy to 3.9.7-27
+- Add dogtag themes to Requires
+- Update to upstream freeipa-2.0.0.pre2
+
+* Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.2.beta.git80e87e7
+- Remove unnecessary moving of v1 CA serial number file in post script
+- Add Obsoletes for server-selinxu subpackage
+- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da
+
+* Wed Jan 26 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta.git80e87e7
+- Prepare spec file for release
+- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503
+
+* Tue Jan 25 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-41
+- Re-arrange doc and defattr to clean up rpmlint warnings
+- Remove conditionals on older releases
+- Move some man pages into admintools subpackage
+- Remove some explicit Requires in client that aren't needed
+- Consistent use of buildroot vs RPM_BUILD_ROOT
+
+* Wed Jan 19 2011 Adam Young <ayoung@redhat.com> - 1.99-40
+- Moved directory install/static to install/ui
+
+* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-39
+- Remove dependency on nss_ldap/nss-pam-ldapd
+- The official client is sssd and that's what we use by default.
+
+* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
+- Remove radius subpackages
+
+* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
+- Set minimum pki-ca and pki-silent versions to 9.0.0
+
+* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
+- Drop BuildRequires on mozldap-devel
+
+* Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
+- Add Requires on krb5-pkinit-openssl
+
+* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
+- Add ipa-host-net-manage script
+
+* Tue Dec 7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
+- Add ipa init script
+
+* Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
+- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin
+
+* Wed Nov 3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
+- remove ipa-fix-CVE-2008-3274
+
+* Wed Oct 6 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
+- Remove duplicate %%files entries on share/ipa/static
+- Add python default encoding shared library
+
+* Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
+- Drop requires on python-configobj (not used any more)
+- Drop ipa-ldap-updater message, upgrades are done differently now
+
+* Wed Sep 8 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
+- Drop conflicts on mod_nss
+- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
+- Drop a slew of conditionals on older Fedora releases (< 12)
+- Add a few conditionals against RHEL 6
+- Add Requires of nss-tools on ipa-client
+
+* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
+- Set minimum version of certmonger to 0.26 (to pck up #621670)
+- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
+- Set minimum version of pki-ca to 1.3.6
+- Set minimum version of sssd to 1.2.1
+
+* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
+- Add BuildRequires for authconfig
+
+* Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
+- Bump up minimum version of python-nss to pick up nss_is_initialize() API
+
+* Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
+- Removed python-asset based webui
+
+* Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
+- Change Requires from fedora-ds-base to 389-ds-base
+- Set minimum level of 389-ds-base to 1.2.6 for the replication
+ version plugin.
+
+* Tue Jun 1 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
+- Drop Requires of python-krbV on ipa-client
+
+* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
+- Load ipa_dogtag.pp in post install
+
+* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
+- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
+
+* Thu Mar 4 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
+- No need to create /var/log/ipa_error.log since we aren't using
+ TurboGears any more.
+
+* Mon Mar 1 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
+- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included
+
+* Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
+- Added Require mod_wsgi, added share/ipa/wsgi.py
+
+* Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
+- Require python-wehjit >= 0.2.2
+
+* Wed Feb 3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
+- Add sssd and certmonger as a Requires on ipa-client
+
+* Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
+- Require python-wehjit >= 0.2.0
+
+* Fri Dec 4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
+- Add ipa-rmkeytab tool
+
+* Tue Dec 1 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
+- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
+ Any type
+
+* Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
+- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf
+
+* Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
+- Add bash completion script and own /etc/bash_completion.d in case it
+ doesn't already exist
+
+* Tue Nov 3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
+- Remove ipa_webgui, its functions rolled into ipa_httpd
+
+* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
+- Removed python-cherrypy from BuildRequires and Requires
+- Added Requires python-assets, python-wehjit
+
+* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
+- Added httpd SELinux policy so CRLs can be read
+
+* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
+- Move ipalib to ipa-python subpackage
+- Bump minimum version of slapi-nis to 0.15
+
+* Wed May 6 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
+- Set 0.14 as minimum version for slapi-nis
+
+* Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
+- Add Requires: python-nss to ipa-python sub-package
+
+* Thu Mar 5 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
+- Remove the IPA DNA plugin, use the DS one
+
+* Wed Mar 4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
+- Build radius separately
+- Fix a few minor issues
+
+* Tue Feb 3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
+- Replace TurboGears requirement with python-cherrypy
+
+* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
+- rebuild with new openssl
+
+* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
+- Fix SELinux code
+
+* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
+- Fix breakage caused by python-kerberos update to 1.1
+
+* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
+- New upstream release 1.2.1
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
+- Rebuild for Python 2.6
+
+* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
+- Respin after the tarball has been re-released upstream
+ New hash is 506c9c92dcaf9f227cba5030e999f177
+
+* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
+- Conditionally restart also dirsrv and httpd when upgrading
+
+* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
+- Update to upstream version 1.2.0
+- Set fedora-ds-base minimum version to 1.1.3 for winsync header
+- Set the minimum version for SELinux policy
+- Remove references to Fedora 7
+
+* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
+- Fix for CVE-2008-3274
+- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
+- Add fix for bug #453185
+- Rebuild against openldap libraries, mozldap ones do not work properly
+- TurboGears is currently broken in rawhide. Added patch to not build
+ the UI locales and removed them from the ipa-server files section.
+
+* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
+- Add call to /usr/sbin/upgradeconfig to post install
+
+* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
+- Update to upstream version 1.1.0
+- Patch for indexing memberof attribute
+- Patch for indexing uidnumber and gidnumber
+- Patch to change DNA default values for replicas
+- Patch to fix uninitialized variable in ipa-getkeytab
+
+* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
+- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
+ version to 1.0.7-4 so we pick up the NSS fixes.
+- Add selinux-policy-base(post) to Requires (446496)
+
+* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
+- Add missing entry for /var/cache/ipa/kpasswd (444624)
+- Added patch to fix permissions problems with the Apache NSS database.
+- Added patch to fix problem with DNS querying where the query could be
+ returned as the answer.
+- Fix spec error where patch1 was in the wrong section
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
+- Added patch to fix problem reported by ldapmodify
+
+* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
+- Fix Requires for krb5-server that was missing for Fedora versions > 9
+- Remove quotes around test for fedora version to package egg-info
+
+* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
+- Update to upstream version 1.0.0
+
+* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
+- Pull upstream changelog 722
+- Add Conflicts mod_ssl (435360)
+
+* Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
+- Pull upstream changelog 698
+- Fix ownership of /var/log/ipa_error.log during install (435119)
+- Add pwpolicy command and man page
+
+* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
+- Pull upstream changelog 678
+- Add new subpackage, ipa-server-selinux
+- Add Requires: authconfig to ipa-python (bz #433747)
+- Package i18n files
+
+* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
+- Pull upstream changelog 641
+- Require minimum version of krb5-server on F-7 and F-8
+- Package some new files
+
+* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
+- Marked with wrong license. IPA is GPLv2.
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
+- Ensure that /etc/ipa exists before moving user-modifiable html files there
+- Put html files into /etc/ipa/html instead of /etc/ipa
+
+* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
+- Pull upstream changelog 608 which renamed several files
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
+- package the sessions dir /var/cache/ipa/sessions
+- Pull upstream changelog 597
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
+- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
+ UI to not start.
+
+* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
+- Included LICENSE and README in all packages for documentation
+- Move user-modifiable content to /etc/ipa and linked back to
+ /usr/share/ipa/html
+- Changed some references to /usr to the {_usr} macro and /etc
+ to {_sysconfdir}
+- Added popt-devel to BuildRequires for Fedora 8 and higher and
+ popt for Fedora 7
+- Package the egg-info for Fedora 9 and higher for ipa-python
+
+* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
+- Added auto* BuildRequires
+
+* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
+- Unified spec file
+
+* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
+- Fixed License in specfile
+- Include files from /usr/lib/python*/site-packages/ipaserver
+
+* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
+- Version bump for release
+
+* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
+- Preverse mode on ipa-keytab-util
+- Version bump for relase and rpm name change
+
+* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
+- Broke invididual Requires and BuildRequires onto separate lines and
+ reordered them
+- Added python-tgexpandingformwidget as a dependency
+- Require at least fedora-ds-base 1.1
+
+* Thu Nov 1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
+- Version bump for release
+
+* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
+- Add dep for freeipa-admintools and acl
+
+* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
+- Add dependency for python-krbV
+
+* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
+- Require mod_nss-1.0.7-2 for mod_proxy fixes
+
+* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
+- Convert to autotools-based build
+
+* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
+
+* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
+- Added support for libipa-dna-plugin
+
+* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
+- Added support for ipa_kpasswd and ipa_pwd_extop
+
+* Sun Aug 5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
+- Abstracted client class to work directly or over RPC
+
+* Wed Aug 1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
+- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
+- Remove references to admin server in ipa-server-setupssl
+- Generate a client certificate for the XML-RPC server to connect to LDAP with
+- Create a keytab for Apache
+- Create an ldif with a test user
+- Provide a certmap.conf for doing SSL client authentication
+
+* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
+- Initial rpm version