diff --git a/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch b/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
new file mode 100644
index 0000000..b2d6909
--- /dev/null
+++ b/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
@@ -0,0 +1,52 @@
+From 8750c84bbfef36ceeaac8e7c8e3b788c31f68317 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 13 Sep 2016 15:40:04 +0200
+Subject: [PATCH] ipa passwd: use correct normalizer for user principals
+
+Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the
+handling of user principals supplied to the`ipa passwd` command. This patch
+restores the original behavior which lowercases the username portion of the
+principal.
+
+https://fedorahosted.org/freeipa/ticket/6329
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/passwd.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
+index 1576c4ca85cb761d2a124a932a26b371b9e87107..ebc41d90009d7145ada75f3cabe3c01c6d25f6ea 100644
+--- a/ipaserver/plugins/passwd.py
++++ b/ipaserver/plugins/passwd.py
+@@ -29,7 +29,8 @@ from ipalib.plugable import Registry
+ from ipalib.request import context
+ from ipapython import kerberos
+ from ipapython.dn import DN
+-from ipaserver.plugins.service import validate_realm, normalize_principal
++from ipaserver.plugins.baseuser import normalize_user_principal
++from ipaserver.plugins.service import validate_realm
+ 
+ if six.PY3:
+     unicode = str
+@@ -66,7 +67,7 @@ def get_current_password(principal):
+     be ignored later.
+     """
+     current_principal = krb_utils.get_principal()
+-    if current_principal == unicode(normalize_principal(principal)):
++    if current_principal == unicode(normalize_user_principal(principal)):
+         return None
+     else:
+         return MAGIC_VALUE
+@@ -84,7 +85,7 @@ class passwd(Command):
+             primary_key=True,
+             autofill=True,
+             default_from=lambda: kerberos.Principal(krb_utils.get_principal()),
+-            normalizer=lambda value: normalize_principal(value),
++            normalizer=lambda value: normalize_user_principal(value),
+         ),
+         Password('password',
+                  label=_('New Password'),
+-- 
+2.10.2
+
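Review bot: The comparison in `get_current_password` has no comment explaining why the user-specific normalizer is needed, even though that equality test alone selects between returning `None` and `MAGIC_VALUE`. A one-line comment above it would stop the two call sites drifting apart again, for example `# must use the same normalizer as the 'principal' param below (lowercases the user part)`. The embedded patch also adds no regression test for a mixed-case principal, which is the case the commit message says regressed. The lambda wrapper could simply be `normalizer=normalize_user_principal`. The body of `get_current_password` starts outside the inner hunk.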
diff --git a/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch b/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch
new file mode 100644
index 0000000..b71c7b7
--- /dev/null
+++ b/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch
@@ -0,0 +1,47 @@
+From 08d3dcb1834fc227dcd9d2071fda58e6dc639394 Mon Sep 17 00:00:00 2001
+From: Tomas Krizek <tkrizek@redhat.com>
+Date: Tue, 13 Sep 2016 10:14:47 +0200
+Subject: [PATCH] Keep NSS trust flags of existing certificates
+
+Backup and restore trust flags of existing certificates during CA
+installation. This prevents marking a previously trusted certificate
+as untrusted, as was the case when CA-less was converted to CA-full
+with external CA when using the same certificate.
+
+https://fedorahosted.org/freeipa/ticket/5791
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/cainstance.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 3551887cd8ff8baa5e17f8969c84fb92d7552ef3..6c57aadfcdc2864f8cdc84c16556dce7163737fc 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -832,6 +832,10 @@ class CAInstance(DogtagInstance):
+             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
+ 
+     def __import_ca_chain(self):
++        # Backup NSS trust flags of all already existing certificates
++        certdb = certs.CertDB(self.realm)
++        cert_backup_list = certdb.list_certs()
++
+         chain = self.__get_ca_chain()
+ 
+         # If this chain contains multiple certs then certutil will only import
+@@ -882,6 +886,10 @@ class CAInstance(DogtagInstance):
+                     os.remove(chain_name)
+                     subid += 1
+ 
++        # Restore NSS trust flags of all previously existing certificates
++        for nick, trust_flags in cert_backup_list:
++            certdb.trust_root_cert(nick, trust_flags)
++
+     def __request_ra_certificate(self):
+         # Create a noise file for generating our private key
+         noise = array.array('B', os.urandom(128))
+-- 
+2.10.2
+
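Review bot: The restore loop at the end of `__import_ca_chain` is skipped whenever the import code between the backup and the restore raises, so a failed chain import can leave existing certificates with whatever flags the partial import produced. Wrapping the import section in `try:` / `finally:` and moving the `certdb.trust_root_cert(nick, trust_flags)` loop into the `finally` would make the backup effective on the error path too. The loop also reapplies the saved flags to every listed nickname unconditionally, so any flag change the import makes on a nickname that already existed is overwritten. If that is intended, a comment should say so. The middle of the function lies outside the inner hunks, so the possible failure points are inferred rather than visible.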
diff --git a/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch b/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
new file mode 100644
index 0000000..6a44a36
--- /dev/null
+++ b/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
@@ -0,0 +1,81 @@
+From 31007eff1b8d858dfc51f730b47a7aaefc8e33e8 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Tue, 27 Sep 2016 14:34:05 -0400
+Subject: [PATCH] Properly handle LDAP socket closures in ipa-otpd
+
+In at least one case, when an LDAP socket closes, a read event is fired
+rather than an error event. Without this patch, ipa-otpd silently
+ignores this event and enters a state where all bind auths fail.
+
+To remedy this problem, we pass error events along the same path as read
+events. Should the actual read fail, we exit.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1377858
+https://fedorahosted.org/freeipa/ticket/6368
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-otpd/bind.c  | 10 ++++------
+ daemons/ipa-otpd/query.c | 13 ++++++-------
+ 2 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
+index 022525b786705b4f58f861bc3b0a745ab8693755..a98312f906a785bfa9c98603a3577561552bfc0a 100644
+--- a/daemons/ipa-otpd/bind.c
++++ b/daemons/ipa-otpd/bind.c
+@@ -85,6 +85,9 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
+         if (rslt <= 0)
+             results = NULL;
+         ldap_msgfree(results);
++        otpd_log_err(EIO, "IO error received on bind socket");
++        verto_break(ctx.vctx);
++        ctx.exitstatus = 1;
+         return;
+     }
+ 
+@@ -137,11 +140,6 @@ void otpd_on_bind_io(verto_ctx *vctx, verto_ev *ev)
+     flags = verto_get_fd_state(ev);
+     if (flags & VERTO_EV_FLAG_IO_WRITE)
+         on_bind_writable(vctx, ev);
+-    if (flags & VERTO_EV_FLAG_IO_READ)
++    if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR))
+         on_bind_readable(vctx, ev);
+-    if (flags & VERTO_EV_FLAG_IO_ERROR) {
+-        otpd_log_err(EIO, "IO error received on bind socket");
+-        verto_break(ctx.vctx);
+-        ctx.exitstatus = 1;
+-    }
+ }
+diff --git a/daemons/ipa-otpd/query.c b/daemons/ipa-otpd/query.c
+index 67e2d751d8d1511d077a93d7673439be11812e6f..50e15603322c550a0eb14e1e3c502e1a229d1ebe 100644
+--- a/daemons/ipa-otpd/query.c
++++ b/daemons/ipa-otpd/query.c
+@@ -133,7 +133,11 @@ static void on_query_readable(verto_ctx *vctx, verto_ev *ev)
+     if (i != LDAP_RES_SEARCH_ENTRY && i != LDAP_RES_SEARCH_RESULT) {
+         if (i <= 0)
+             results = NULL;
+-        goto egress;
++        ldap_msgfree(results);
++        otpd_log_err(EIO, "IO error received on query socket");
++        verto_break(ctx.vctx);
++        ctx.exitstatus = 1;
++        return;
+     }
+ 
+     item = otpd_queue_pop_msgid(&ctx.query.responses, ldap_msgid(results));
+@@ -243,11 +247,6 @@ void otpd_on_query_io(verto_ctx *vctx, verto_ev *ev)
+     flags = verto_get_fd_state(ev);
+     if (flags & VERTO_EV_FLAG_IO_WRITE)
+         on_query_writable(vctx, ev);
+-    if (flags & VERTO_EV_FLAG_IO_READ)
++    if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR))
+         on_query_readable(vctx, ev);
+-    if (flags & VERTO_EV_FLAG_IO_ERROR) {
+-        otpd_log_err(EIO, "IO error received on query socket");
+-        verto_break(ctx.vctx);
+-        ctx.exitstatus = 1;
+-    }
+ }
+-- 
+2.10.2
+
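Review bot: In `on_query_readable` (query.c) and `on_bind_readable` (bind.c) the new teardown runs for every result that is not the expected message type, including a return of 0, which the `i <= 0` / `rslt <= 0` lines show is an anticipated value. If the `ldap_result()` call above each hunk uses a zero timeout (not visible here), 0 only means that no complete message has arrived yet, and the daemon would then exit with status 1 on a partial read. Consider making only a negative return fatal and keeping the previous non-fatal path for 0, e.g. `if (i == 0) return;` ahead of the teardown, and likewise for `rslt`. The fixed `EIO` and "IO error received on ... socket" text also hide the case of an unexpected but well-formed message type, so logging the returned value would let an operator tell the two apart. Both function bodies begin outside the hunks.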
diff --git a/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch b/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch
new file mode 100644
index 0000000..44a9376
--- /dev/null
+++ b/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch
@@ -0,0 +1,54 @@
+From c3ceffccc56dea782a3dfac5bc3a14d1d022d33a Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Wed, 12 Oct 2016 12:58:46 +0200
+Subject: [PATCH] cert: add revocation reason back to cert-find output
+
+In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were
+accidentally removed from cert-find output.
+
+In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and
+`revoked` were added back.
+
+Add back `revocation_reason` as well. Also, do not include `revoked` with
+--raw, as it's a virtual attribute.
+
+https://fedorahosted.org/freeipa/ticket/6269
+
+Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
+---
+ ipaserver/plugins/cert.py | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 00bae4560d601e28e0b983786bff9144bcc1b065..68516391a54aead8e92f3cdeb33463d8fa624bbd 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -1098,16 +1098,17 @@ class cert_find(Search, CertMethod):
+                 obj = {'serial_number': serial_number}
+             else:
+                 obj = ra_obj
+-                obj['issuer'] = issuer
+-                obj['subject'] = DN(ra_obj['subject'])
+-                obj['revoked'] = (
+-                    ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
+-
+                 if all:
+-                    ra_obj = ra.get_certificate(str(serial_number))
+-                    if not raw:
++                    obj.update(ra.get_certificate(str(serial_number)))
++
++                if not raw:
++                    obj['issuer'] = issuer
++                    obj['subject'] = DN(ra_obj['subject'])
++                    obj['revoked'] = (
++                        ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
++                    if all:
+                         obj['certificate'] = (
+-                            ra_obj['certificate'].replace('\r\n', ''))
++                            obj['certificate'].replace('\r\n', ''))
+                         self.obj._parse(obj)
+ 
+             obj['cacn'] = ca_obj['cn'][0]
+-- 
+2.10.2
+
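Review bot: After `obj = ra_obj`, the call `obj.update(ra.get_certificate(str(serial_number)))` mutates `ra_obj` as well, so the later reads of `ra_obj['subject']` and `ra_obj['status']` see whatever `get_certificate` returned for those keys rather than the search result. If `get_certificate` reports `status` in a vocabulary other than `REVOKED` / `REVOKED_EXPIRED` (not visible here), `revoked` would be computed as False for a revoked certificate whenever `all` is set. Either copy first with `obj = dict(ra_obj)`, or read through `obj[...]` consistently and add a comment that the merged values are the intended source. The enclosing loop of `cert_find` starts outside the hunk.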
diff --git a/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch b/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
new file mode 100644
index 0000000..d6ad038
--- /dev/null
+++ b/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
@@ -0,0 +1,34 @@
+From 3ea5984f2806958dee1b94fe993d20b09f64b107 Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka <slaznick@redhat.com>
+Date: Tue, 11 Oct 2016 15:48:47 +0200
+Subject: [PATCH] Make httpd publish its CA certificate on DL1
+
+httpd did not publish its certificate on DL1 which could
+cause issues during client installation in a rare corner
+case where there would be no way of getting the certificate
+but from a HTTP instance.
+
+https://fedorahosted.org/freeipa/ticket/6393
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/httpinstance.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 00f890175ae583f485797da6f913a7f83b302df3..431671eaf55d4ac63dc01190e254931dac096dec 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -175,8 +175,7 @@ class HTTPInstance(service.Service):
+         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
+         if autoconfig:
+             self.step("setting up browser autoconfig", self.__setup_autoconfig)
+-        if not self.promote:
+-            self.step("publish CA cert", self.__publish_ca_cert)
++        self.step("publish CA cert", self.__publish_ca_cert)
+         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+         if not self.is_kdcproxy_configured():
+-- 
+2.10.2
+
diff --git a/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch b/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch
new file mode 100644
index 0000000..be7d0f1
--- /dev/null
+++ b/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch
@@ -0,0 +1,88 @@
+From b3512bae94edc33448466cae6f2716a5527f9eed Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 1 Sep 2016 13:56:24 +0200
+Subject: [PATCH] Add cert checks in ipa-server-certinstall
+
+When ipa-server-certinstall is called to install a new server certificate,
+the prerequisite is that the certificate issuer must be already known by IPA.
+This fix adds new checks to make sure that the tool exits before
+modifying the target NSS database if it is not the case.
+The fix consists in creating a temp NSS database with the CA certs from the
+target NSS database + the new server cert and checking the new server cert
+validity.
+
+https://fedorahosted.org/freeipa/ticket/6263
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/ipa_server_certinstall.py | 40 +++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
+index 0a8fb214a232e60a89b6c06940b928f97c007b93..7bc39e356ef3082ab229fa66eaeebba85eaa2802 100644
+--- a/ipaserver/install/ipa_server_certinstall.py
++++ b/ipaserver/install/ipa_server_certinstall.py
+@@ -25,8 +25,8 @@ import optparse
+ 
+ from ipaplatform.constants import constants
+ from ipaplatform.paths import paths
+-from ipapython import admintool
+-from ipapython.certdb import get_ca_nickname
++from ipapython import admintool, ipautil
++from ipapython.certdb import get_ca_nickname, NSSDatabase
+ from ipapython.dn import DN
+ from ipalib import api, errors
+ from ipalib.constants import CACERT
+@@ -157,6 +157,38 @@ class ServerCertInstall(admintool.AdminTool):
+         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
+         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+ 
++    def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
++        # create a temp nssdb
++        with NSSDatabase() as tempnssdb:
++            db_password = ipautil.ipa_generate_password()
++            db_pwdfile = ipautil.write_tmp_file(db_password)
++            tempnssdb.create_db(db_pwdfile.name)
++
++            # import the PKCS12 file, then delete all CA certificates
++            # this leaves only the server certs in the temp db
++            tempnssdb.import_pkcs12(
++                pkcs12_filename, db_pwdfile.name, pkcs12_pin)
++            for nickname, flags in tempnssdb.list_certs():
++                if 'u' not in flags:
++                    while tempnssdb.has_nickname(nickname):
++                        tempnssdb.delete_cert(nickname)
++
++            # import all the CA certs from nssdb into the temp db
++            for nickname, flags in nssdb.list_certs():
++                if 'u' not in flags:
++                    cert = nssdb.get_cert_from_db(nickname)
++                    tempnssdb.add_cert(cert, nickname, flags)
++
++            # now get the server certs from tempnssdb and check their validity
++            try:
++                for nick, flags in tempnssdb.find_server_certs():
++                    tempnssdb.verify_server_cert_validity(nick, api.env.host)
++            except ValueError as e:
++                raise admintool.ScriptError(
++                    "Peer's certificate issuer is not trusted (%s). "
++                    "Please run ipa-cacert-manage install and ipa-certupdate "
++                    "to install the CA certificate." % str(e))
++
+     def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
+         pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
+             cert_files=self.args,
+@@ -167,6 +199,10 @@ class ServerCertInstall(admintool.AdminTool):
+ 
+         dirname = os.path.normpath(dirname)
+         cdb = certs.CertDB(api.env.realm, nssdir=dirname)
++
++        # Check that the ca_cert is known and trusted
++        self.check_chain(pkcs12_file.name, pin, cdb)
++
+         try:
+             ca_enabled = api.Command.ca_is_enabled()['result']
+             if ca_enabled:
+-- 
+2.10.2
+
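Review bot: `check_chain` passes vacuously when `tempnssdb.find_server_certs()` returns nothing, because the `for` loop inside the `try` then verifies no certificate and `import_cert` goes on to modify the target database. Unless `installutils.load_pkcs12` already guarantees a server certificate (not visible here), add a guard before the loop: `server_certs = tempnssdb.find_server_certs()` followed by `if not server_certs: raise admintool.ScriptError("No server certificate found in the PKCS#12 file")`. The `except ValueError` branch also reports every failure as an untrusted issuer. If `verify_server_cert_validity(nick, api.env.host)` can raise `ValueError` for other reasons such as expiry or a host name mismatch, the advice to run ipa-cacert-manage is misleading and the message should say only that validation failed, followed by `e`. A docstring should state that the two filtering loops treat any certificate without the `u` flag as a CA certificate.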
diff --git a/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch b/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch
new file mode 100644
index 0000000..079bde0
--- /dev/null
+++ b/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch
@@ -0,0 +1,152 @@
+From 014aab243a4e7185ad5ebdc0a71e7de81553e501 Mon Sep 17 00:00:00 2001
+From: Pavel Vomacka <pvomacka@redhat.com>
+Date: Mon, 17 Oct 2016 14:33:07 +0200
+Subject: [PATCH] WebUI: services without canonical name are shown correctly
+
+There is a change introduced in 4.4 that new services have canonical name. The old ones
+didn't have it, therefore these services were not correctly displayed in WebUI.
+
+This patch adds support for this type of services. Service name is taken from
+'krbprincipalname' attribute in case that 'krbcanonicalname' attribute is not present
+in server response.
+
+https://fedorahosted.org/freeipa/ticket/6397
+
+Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
+---
+ install/ui/src/freeipa/field.js   | 41 ++++++++++++++++++++++++++++++
+ install/ui/src/freeipa/service.js | 52 ++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 92 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
+index d8b957f5ab28b5ee4bc4ebce2ae6f454083bc4fd..efa2fb6ef4d4b5384661e9023ace511730954153 100644
+--- a/install/ui/src/freeipa/field.js
++++ b/install/ui/src/freeipa/field.js
+@@ -1306,6 +1306,46 @@ field.ObjectAdapter = declare([field.Adapter], {
+ 
+ 
+ /**
++ * Custom adapter for fields which handles situations when there is no value
++ * for attribute (name) of the field and we want to use alternative attribute
++ * from response. We can set the alternative attribute name to the 'alt_attr'
++ * attribute of the adapter.
++ * This adapter is used i.e. in table in search facet for services. Handles
++ * situations where older services don't have canonical name.
++ *
++ * @class
++ * @extends field.Adapter
++ */
++field.AlternateAttrFieldAdapter = declare([field.Adapter], {
++    /**
++     * In case that the value is not get using field name then use alternative
++     * name.
++     * @param {Object} data Object which contains the record or the record
++     * @param {string} [attribute] attribute name - overrides `context.param`
++     * @param {Mixed} [def_val] default value - overrides `context.default_value`
++     * @returns {Array} attribute value
++     */
++    load: function(data, attribute, def_val) {
++        var record = this.get_record(data);
++        var value = null;
++        var attr = attribute || this.context.param;
++        var def = def_val || this.context.default_value;
++        if (record) {
++            value = this.get_value(record, attr);
++            if (util.is_empty(value) && this.context.adapter.alt_attr) {
++                value = this.get_value(record, this.context.adapter.alt_attr);
++            }
++        }
++        if (util.is_empty(value) && !util.is_empty(def)) {
++            value = util.normalize_value(def);
++        }
++        value = rpc.extract_objects(value);
++        return value;
++    }
++});
++
++
++/**
+  * Field for enabling/disabling entity
+  *
+  * - expects radio widget
+@@ -1577,6 +1617,7 @@ field.register = function() {
+ 
+     l.register('adapter', field.Adapter);
+     l.register('object_adapter', field.ObjectAdapter);
++    l.register('alternate_attr_field_adapter', field.AlternateAttrFieldAdapter);
+ };
+ phases.on('registration', field.register);
+ 
+diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
+index 30e336c35b8eece2e5e3ef55629d0c98f097fbf5..a6607d22e83047fb2d0dcc7775891445df4910b7 100644
+--- a/install/ui/src/freeipa/service.js
++++ b/install/ui/src/freeipa/service.js
+@@ -58,7 +58,16 @@ return {
+     facets: [
+         {
+             $type: 'search',
+-            columns: [ 'krbcanonicalname' ]
++            $factory: IPA.service.search_facet,
++            columns: [
++                {
++                    name: 'krbcanonicalname',
++                    adapter: {
++                        $type: 'alternate_attr_field_adapter',
++                        alt_attr: 'krbprincipalname'
++                    }
++                }
++            ]
+         },
+         {
+             $type: 'details',
+@@ -403,6 +412,47 @@ return {
+     }
+ };};
+ 
++
++/**
++ * Custom search facet for services. It has alternative primary key, in case
++ * that the service doesn't have canonical name.
++ */
++IPA.service.search_facet = function(spec) {
++    spec = spec || {};
++
++    spec.alternative_pkey = spec.alternative_pkey || 'krbprincipalname';
++
++    var that = IPA.search_facet(spec);
++
++    that.alternative_pkey = spec.alternative_pkey;
++
++    that.get_records_map = function(data) {
++
++        var records_map = $.ordered_map();
++
++        var result = data.result.result;
++        var pkey_name = that.managed_entity.metadata.primary_key ||
++                                                        that.primary_key_name;
++        var adapter = builder.build('adapter', 'adapter', {context: that});
++
++        for (var i=0; i<result.length; i++) {
++            var record = result[i];
++            var pkey = adapter.load(record, pkey_name)[0];
++            if (pkey === undefined && that.alternative_pkey) {
++                pkey = adapter.load(record, that.alternative_pkey)[0];
++            }
++            if (that.filter_records(records_map, pkey, record)) {
++                records_map.put(pkey, record);
++            }
++        }
++
++        return records_map;
++    };
++
++    return that;
++};
++
++
+ IPA.service.details_facet = function(spec, no_init) {
+ 
+     var that = IPA.details_facet(spec, true);
+-- 
+2.7.4
+
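Review bot: In `get_records_map` of `IPA.service.search_facet`, a record that has neither `krbcanonicalname` nor `krbprincipalname` still reaches `records_map.put(pkey, record)` with `pkey` undefined, so all such rows collapse onto one key. What `filter_records` does with an undefined key is not visible here. Handling that case explicitly after the fallback, e.g. `if (pkey === undefined) continue;` or a logged warning, keeps the map keyed only by real principal names. In `field.AlternateAttrFieldAdapter.load`, `this.context.adapter.alt_attr` throws when the adapter is attached to a context that has no `adapter` spec. Since the type is registered globally, `var alt = this.context.adapter && this.context.adapter.alt_attr;` would be the safer read.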
diff --git a/SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch b/SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
new file mode 100644
index 0000000..8d34501
--- /dev/null
+++ b/SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
@@ -0,0 +1,55 @@
+From eb844fe9e56a30be9462508f1e5330aaa73342b3 Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka <slaznick@redhat.com>
+Date: Mon, 31 Oct 2016 16:51:49 +0100
+Subject: [PATCH] Fix missing file that fails DL1 replica installation
+
+Replica installation on DL1 would fail to create a httpd instance
+due to missing '/etc/httpd/alias/cacert.asc'. Create this file
+in the setup_ssl step to avoid the error.
+
+https://fedorahosted.org/freeipa/ticket/6393
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/httpinstance.py | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 431671eaf55d4ac63dc01190e254931dac096dec..aeae10902e6597ca1e494240a625caed9f7b7192 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -343,14 +343,23 @@ class HTTPInstance(service.Service):
+             self.__set_mod_nss_nickname(nickname)
+             self.add_cert_to_service()
+ 
+-        elif not self.promote:
+-            db.create_password_conf()
+-            self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
+-                                                 ca_db)
+-            db.track_server_cert(self.cert_nickname, self.principal,
+-                                 db.passwd_fname, 'restart_httpd')
+-            db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
+-            self.add_cert_to_service()
++        else:
++            if not self.promote:
++                db.create_password_conf()
++                self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
++                                                     ca_db)
++                db.track_server_cert(self.cert_nickname, self.principal,
++                                     db.passwd_fname, 'restart_httpd')
++                db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
++                self.add_cert_to_service()
++
++            server_certs = db.find_server_certs()
++            if not server_certs:
++                raise RuntimeError("Could not find a suitable server cert.")
++
++            # We only handle one server cert
++            nickname = server_certs[0][0]
++            db.export_ca_cert(nickname)
+ 
+         # Fix the database permissions
+         os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
+-- 
+2.7.4
+
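Review bot: The CA certificate exported by `db.export_ca_cert(nickname)` is chosen from `server_certs[0][0]`, whichever server certificate `db.find_server_certs()` lists first, which is not necessarily the one httpd is configured to serve. In the `not self.promote` branch the certificate was just created under `self.cert_nickname`, so preferring that nickname when it is present and falling back to the first entry otherwise would make the choice deterministic. The comment `# We only handle one server cert` should say what happens when several exist, because the description of patch 0139 indicates clients may have to obtain the CA certificate from the HTTP instance. The start of this method is outside the hunk.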
diff --git a/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch b/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
new file mode 100644
index 0000000..035a451
--- /dev/null
+++ b/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
@@ -0,0 +1,46 @@
+From 99c93ce55d740fd8c6901dc3cfa3ecbf71edbff8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 31 Oct 2016 18:17:35 +0200
+Subject: [PATCH] trustdomain-del: fix the way how subdomain is searched
+
+With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
+Update 'ipa trustdomain-del' command to properly calculate DN to the
+actual child domain and handle the case when it is missing correctly.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6445
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipaserver/plugins/trust.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
+index 720a45a4d12d59f00e3e63f2b4f62edd45646065..723dba6a26311752ecde8589d22e2911b72e8044 100644
+--- a/ipaserver/plugins/trust.py
++++ b/ipaserver/plugins/trust.py
+@@ -1614,13 +1614,16 @@ class trustdomain_del(LDAPDelete):
+         # to always receive empty keys. We need to catch the case when root domain is being deleted
+ 
+         for domain in keys[1]:
+-            # Fetch the trust to verify that the entered domain is trusted
+-            self.api.Command.trust_show(domain)
++            try:
++                self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')
++            except errors.NotFound:
++                if keys[0].lower() == domain:
++                    raise errors.ValidationError(
++                        name='domain',
++                        error=_("cannot delete root domain of the trust, "
++                                "use trust-del to delete the trust itself"))
++                self.obj.handle_not_found(keys[0], domain)
+ 
+-            if keys[0].lower() == domain:
+-                raise errors.ValidationError(name='domain',
+-                    error=_("cannot delete root domain of the trust, "
+-                            "use trust-del to delete the trust itself"))
+             try:
+                 res = self.api.Command.trustdomain_enable(keys[0], domain)
+             except errors.AlreadyActive:
+-- 
+2.7.4
+
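Review bot: The root-domain guard `keys[0].lower() == domain` lowercases only the trust name, so a `domain` argument given in mixed case does not match and is reported through `handle_not_found` instead of the intended validation error. Unless `domain` is already normalised before this loop (not visible in the hunk), compare both sides case-insensitively: `if keys[0].lower() == domain.lower():`. The guard is now also reachable only from the `except errors.NotFound` branch, which relies on `get_dn_if_exists(keys[0], domain, trust_type=u'ad')` never finding an entry for the root domain itself. A short comment stating that assumption would help the next reader. The method body starts and ends outside the hunk.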
diff --git a/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch b/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
new file mode 100644
index 0000000..953b80e
--- /dev/null
+++ b/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
@@ -0,0 +1,40 @@
+From df19f8d314894b747181c5bb360a79e519065798 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 1 Nov 2016 11:36:30 +0100
+Subject: [PATCH] spec file: bump minimal required version of 389-ds-base
+
+Require 389-ds-base >= 1.3.5.14 for:
+https://fedorahosted.org/389/ticket/48992
+
+https://fedorahosted.org/freeipa/ticket/6369
+
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ freeipa.spec.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 7456a9ea77ec289312eb11c05709018b3d6d0c90..dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -135,7 +135,7 @@ Requires: %{name}-client = %{version}-%{release}
+ Requires: %{name}-admintools = %{version}-%{release}
+ Requires: %{name}-common = %{version}-%{release}
+ Requires: python2-ipaserver = %{version}-%{release}
+-Requires: 389-ds-base >= 1.3.5.6
++Requires: 389-ds-base >= 1.3.5.14
+ Requires: openldap-clients > 2.4.35-4
+ Requires: nss >= 3.14.3-12.0
+ Requires: nss-tools >= 3.14.3-12.0
+@@ -167,7 +167,7 @@ Requires: zip
+ Requires: policycoreutils >= 2.1.12-5
+ Requires: tar
+ Requires(pre): certmonger >= 0.78
+-Requires(pre): 389-ds-base >= 1.3.5.6
++Requires(pre): 389-ds-base >= 1.3.5.14
+ Requires: fontawesome-fonts
+ Requires: open-sans-fonts
+ Requires: openssl
+-- 
+2.7.4
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 6264d38..deb823c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
 
 Name:           ipa
 Version:        4.4.0
-Release:        12%{?dist}
+Release:        14%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -51,10 +51,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -193,6 +193,16 @@ Patch0131:      0131-Fix-regression-introduced-in-ipa-certupdate.patch
 Patch0132:      0132-Start-named-during-configuration-upgrade.patch
 Patch0133:      0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch
 Patch0134:      0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch
+Patch0135:      0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
+Patch0136:      0136-Keep-NSS-trust-flags-of-existing-certificates.patch
+Patch0137:      0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
+Patch0138:      0138-cert-add-revocation-reason-back-to-cert-find-output.patch
+Patch0139:      0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
+Patch0140:      0140-Add-cert-checks-in-ipa-server-certinstall.patch
+Patch0141:      0141-WebUI-services-without-canonical-name-are-shown-corr.patch
+Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
+Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
+Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -204,7 +214,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -300,7 +309,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.5.6
+Requires: 389-ds-base >= 1.3.5.10-12
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
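Review bot: The raised 389-ds-base floor is written out twice, in the `Requires:` line of this hunk and again in the `Requires(pre):` line of the next hunk (`@@ -332,7 +341,7 @@`), so a later bump can update one and miss the other. Defining it once, e.g. `%global ds_version 1.3.5.10-12`, and writing `Requires: 389-ds-base >= %{ds_version}` and `Requires(pre): 389-ds-base >= %{ds_version}` would keep the two in step. Both lines look like they belong to the same server subpackage, but the `%package` header is outside the hunks, so that should be confirmed. A one-line comment beside the floor giving the reason (the changelog ties it to #1378353, replica install failing during replication) would tell the next packager why it must not be lowered.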
@@ -332,7 +341,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.14-37
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.5.6
+Requires(pre): 389-ds-base >= 1.3.5.10-12
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl >= 1:1.0.1e-42
@@ -784,10 +793,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 
@@ -1523,8 +1532,32 @@ fi
 
 
 %changelog
-* Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 4.4.0-12.el7.centos
-- Roll in CentOS Branding
+* Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
+- Resolves: #1378353 Replica install fails with old IPA master sometimes during
+  replication process
+  - spec file: bump minimal required version of 389-ds-base
+- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
+  - Fix missing file that fails DL1 replica installation
+- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
+  - WebUI: services without canonical name are shown correctly
+- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
+  - trustdomain-del: fix the way how subdomain is searched
+
+* Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
+- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
+  - Keep NSS trust flags of existing certificates
+- Resolves: #1360813 ipa-server-certinstall does not update all certificate
+  stores and doesn't set proper trust permissions
+  - Add cert checks in ipa-server-certinstall
+- Resolves: #1371479 cert-find --all does not show information about revocation
+  - cert: add revocation reason back to cert-find output
+- Resolves: #1375133 WinSync users who have First.Last casing creates users who
+  can have their password set
+  - ipa passwd: use correct normalizer for user principals
+- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
+  - Properly handle LDAP socket closures in ipa-otpd
+- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
+  - Make httpd publish its CA certificate on DL1
 
 * Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
 - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.