diff --git a/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch b/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch new file mode 100644 index 0000000..caf5574 --- /dev/null +++ b/SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch @@ -0,0 +1,29 @@ +From 762573b429c4465aabde8d1a7d8b3bdaa1c3b15b Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Tue, 20 Dec 2016 23:29:22 +1000 +Subject: [PATCH] Set up DS TLS on replica in CA-less topology + +Fixes: https://fedorahosted.org/freeipa/ticket/6226 +Reviewed-By: Tomas Krizek +--- + ipaserver/install/dsinstance.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index c93b3b4ff58c4102a9de448247966ad3dd8e4e7c..1249a86d2c4c83eb9426885bfed8910aa3274d21 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -382,7 +382,9 @@ class DsInstance(service.Service): + + if self.promote: + self.step("creating DS keytab", self.__get_ds_keytab) +- if self.ca_is_configured: ++ if self.pkcs12_info: ++ self.step("configuring ssl for ds instance", self.__enable_ssl) ++ else: + self.step("retrieving DS Certificate", self.__get_ds_cert) + self.step("restarting directory server", self.__restart_instance) + +-- +2.9.3 + diff --git a/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch b/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch new file mode 100644 index 0000000..f159361 --- /dev/null +++ b/SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch @@ -0,0 +1,63 @@ +From a9a9d67637c394ca1490e8e7df790c06b3480c56 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Wed, 18 Jan 2017 12:55:13 +0100 +Subject: [PATCH] wait_for_entry: use only DN as parameter + +Using the whole entry is not needed as parameter because only DN is used +and it prevents easier usage of this function + +https://fedorahosted.org/freeipa/ticket/6588 + +Reviewed-By: Stanislav Laznicka +--- + ipaserver/install/dogtaginstance.py | 2 +- + ipaserver/install/replication.py | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index b65628277d9e361a3ab5674dfd2689e258b1887b..2a2ab6fc7f90514013b5a6f368739c2f1706ed9b 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -470,7 +470,7 @@ class DogtagInstance(service.Service): + port=389, + protocol='ldap') + master_conn.do_sasl_gssapi_bind() +- replication.wait_for_entry(master_conn, entry) ++ replication.wait_for_entry(master_conn, entry.dn) + del master_conn + + def __remove_admin_from_group(self, group): +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index 5f03ddeadfc515255509a1f49d3b38687e561b9f..be4de6dd0037a028bcaf1743be74a80855ba3541 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -150,7 +150,7 @@ def wait_for_task(conn, dn): + return exit_code + + +-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): ++def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): + """Wait for entry and/or attr to show up""" + + filter = "(objectclass=*)" +@@ -160,8 +160,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True): + attrlist.append(attr) + timeout += int(time.time()) + +- dn = entry.dn +- + if not quiet: + sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr)) + sys.stdout.flush() +@@ -732,7 +730,7 @@ class ReplicationManager(object): + # that we will have to set the memberof fixup task + self.need_memberof_fixup = True + +- wait_for_entry(a_conn, entry) ++ wait_for_entry(a_conn, entry.dn) + + def needs_memberof_fixup(self): + return self.need_memberof_fixup +-- +2.9.3 + diff --git a/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch b/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch new file mode 100644 index 0000000..7c63b72 --- /dev/null +++ b/SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch @@ -0,0 +1,45 @@ +From ea3848ae6729fda734ec60167129f4cae5253a44 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Wed, 18 Jan 2017 13:56:24 +0100 +Subject: [PATCH] Wait until HTTPS principal entry is replicated to replica + +Without HTTP principal the steps later fails. + +https://fedorahosted.org/freeipa/ticket/6588 + +Reviewed-By: Stanislav Laznicka +--- + ipaserver/install/server/replicainstall.py | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index f54ff7da06c57b9c8251429cbdacc5c300805f84..2a1c290351d8ce1dade5eea2f67539659555af2e 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -36,7 +36,7 @@ from ipaserver.install import ( + from ipaserver.install.installutils import ( + create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured) + from ipaserver.install.replication import ( +- ReplicationManager, replica_conn_check) ++ ReplicationManager, replica_conn_check, wait_for_entry) + import SSSDConfig + from subprocess import CalledProcessError + from binascii import hexlify +@@ -86,6 +86,14 @@ def install_http_certs(config, fstore, remote_api): + config.master_host_name, + paths.IPA_KEYTAB, + force_service_add=True) ++ dn = DN( ++ ('krbprincipalname', principal), ++ api.env.container_service, api.env.basedn ++ ) ++ conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True) ++ conn.do_external_bind() ++ wait_for_entry(conn, dn) ++ conn.unbind() + + # Obtain certificate for the HTTP service + nssdir = certs.NSS_DIR +-- +2.9.3 + diff --git a/SOURCES/0156-Use-proper-logging-for-error-messages.patch b/SOURCES/0156-Use-proper-logging-for-error-messages.patch new file mode 100644 index 0000000..624d1ea --- /dev/null +++ b/SOURCES/0156-Use-proper-logging-for-error-messages.patch @@ -0,0 +1,45 @@ +From 999042579802d0443307ed18e8bb0b993c102c95 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Wed, 18 Jan 2017 17:08:19 +0100 +Subject: [PATCH] Use proper logging for error messages + +https://fedorahosted.org/freeipa/ticket/6588r + +Reviewed-By: Stanislav Laznicka +--- + ipaserver/install/replication.py | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index be4de6dd0037a028bcaf1743be74a80855ba3541..1f437dad4ed850ebfd59fe9f72a5127df8f56f3e 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -171,7 +171,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): + except errors.NotFound: + pass # no entry yet + except Exception as e: # badness +- print("\nError reading entry", dn, e) ++ root_logger.error("Error reading entry %s: %s", dn, e) + break + if not entry: + if not quiet: +@@ -180,11 +180,13 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True): + time.sleep(1) + + if not entry and int(time.time()) > timeout: +- print("\nwait_for_entry timeout for %s for %s" % (connection, dn)) ++ root_logger.error( ++ "wait_for_entry timeout for %s for %s", connection, dn) + elif entry and not quiet: +- print("\nThe waited for entry is:", entry) ++ root_logger.error("The waited for entry is: %s", entry) + elif not entry: +- print("\nError: could not read entry %s from %s" % (dn, connection)) ++ root_logger.error( ++ "Error: could not read entry %s from %s", dn, connection) + + + class ReplicationManager(object): +-- +2.9.3 + diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch index 949554b..e7d7586 100644 --- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch +++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch @@ -1,4 +1,4 @@ -From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001 +From 0ae346b514a1bd093c8ae6166f206138a5035efa Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:24:27 +0200 Subject: [PATCH] Hide pkinit functionality from production version @@ -174,10 +174,10 @@ index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59 subject = Knob(BaseServerCA.subject) ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644 +index 2a1c290351d8ce1dade5eea2f67539659555af2e..aaa56c4691ae47d764d86b627df913c5e320c411 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -1587,7 +1587,6 @@ class Replica(BaseServer): +@@ -1595,7 +1595,6 @@ class Replica(BaseServer): mkhomedir = Knob(BaseServer.mkhomedir) no_host_dns = Knob(BaseServer.no_host_dns) no_ntp = Knob(BaseServer.no_ntp) diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch index e06d7ff..899cd0b 100644 --- a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From d9499d8d1a40b96e40c956dca25464fc129a9dec Mon Sep 17 00:00:00 2001 +From 9095fee099069989d93bcb62a4bf6f8e259e4099 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:46:59 +0200 Subject: [PATCH] Change branding to IPA and Identity Management @@ -736,10 +736,10 @@ index c292c4d24bfde1484769698ee2a7ef59a6fcc52c..101af640d2a990d4f4f99ad2c0bb0826 print("This includes:") if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 7695adf0d537237b24660e8871011f04f242e744..582df08094335554edffaed21bcaf4ab5a74e899 100644 +index aaa56c4691ae47d764d86b627df913c5e320c411..ad7164c5e2774e448742e6416e40fe9af2dcac83 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -673,7 +673,7 @@ def install_check(installer): +@@ -681,7 +681,7 @@ def install_check(installer): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: diff --git a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch new file mode 100644 index 0000000..aed3a5a --- /dev/null +++ b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch @@ -0,0 +1,42 @@ +From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 13 Jan 2017 20:33:45 +1000 +Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable + +CAs consist of a FreeIPA and a corresponding Dogtag object. When +executing ca-del, ca-enable and ca-disable, changes are made to the +Dogtag object. In the case of ca-del, the corresponding FreeIPA +object is deleted after the Dogtag CA is deleted. + +These operations were not correctly authorised; the FreeIPA +permissions are not checked before the Dogtag operations are +executed. This allows any user to delete, enable or disable a +lightweight CA (except the main IPA CA, for which there are +additional check to prevent deletion or disablement). + +Add the proper authorisation checks to the ca-del, ca-enable and +ca-disable commands. +--- + ipaserver/plugins/ca.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py +index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644 +--- a/ipaserver/plugins/ca.py ++++ b/ipaserver/plugins/ca.py +@@ -192,6 +192,12 @@ class ca_del(LDAPDelete): + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + ++ # ensure operator has permission to delete CA ++ # before contacting Dogtag ++ if not ldap.can_delete(dn): ++ raise errors.ACIError(info=_( ++ "Insufficient privilege to delete a CA.")) ++ + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), +-- +2.9.3 + diff --git a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch new file mode 100644 index 0000000..1838e70 --- /dev/null +++ b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch @@ -0,0 +1,63 @@ +From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 12 Jan 2017 18:17:15 +0100 +Subject: [PATCH] Do not configure PKI ajp redirection to use "::1" + +When ipa-server-install configures PKI, it provides a configuration file +with the parameter pki_ajp_host set to ::1. This parameter is used to configure +Tomcat redirection in /etc/pki/pki-tomcat/server.xml: + +ie all requests to port 8009 are redirected to port 8443 on address ::1. + +If the /etc/hosts config file does not define ::1 for localhost, then AJP +redirection fails and replica install is not able to request a certificate +for the replica. + +Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP +redirection with "localhost", FreeIPA does not need any more to override +this setting. + +https://fedorahosted.org/freeipa/ticket/6575 + +Reviewed-By: Tomas Krizek +--- + freeipa.spec.in | 4 ++-- + ipaserver/install/cainstance.py | 4 ---- + 2 files changed, 2 insertions(+), 6 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -159,8 +159,8 @@ Requires(post): systemd-units + Requires: selinux-policy >= %{selinux_policy_version} + Requires(post): selinux-policy-base >= %{selinux_policy_version} + Requires: slapi-nis >= %{slapi_nis_version} +-Requires: pki-ca >= 10.3.4 +-Requires: pki-kra >= 10.3.4 ++Requires: pki-ca >= 10.3.5-11 ++Requires: pki-kra >= 10.3.5-11 + Requires(preun): python systemd-units + Requires(postun): python systemd-units + Requires: zip +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance): + config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) + config.set("CA", "pki_external_step_two", "True") + +- # PKI IPv6 Configuration +- config.add_section("Tomcat") +- config.set("Tomcat", "pki_ajp_host", "::1") +- + # Generate configuration file + with open(cfg_file, "wb") as f: + config.write(f) +-- +2.9.3 + diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index be4fd8b..ad0a7d6 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -43,7 +43,7 @@ Name: ipa Version: 4.4.0 -Release: 14%{?dist}.4 +Release: 14%{?dist}.6 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -51,10 +51,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -211,6 +211,10 @@ Patch0149: 0149-Check-for-conflict-entries-before-raising-domain-lev.patch Patch0150: 0150-certprofile-mod-correctly-authorise-config-update.patch Patch0151: 0151-password-policy-Add-explicit-default-password-policy.patch Patch0152: 0152-ipa-kdb-search-for-password-policies-globally.patch +Patch0153: 0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch +Patch0154: 0154-wait_for_entry-use-only-DN-as-parameter.patch +Patch0155: 0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch +Patch0156: 0156-Use-proper-logging-for-error-messages.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -222,7 +226,8 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch -Patch1011: ipa-centos-branding.patch +Patch1011: 1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch +Patch1012: 1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -342,8 +347,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.3-7 -Requires: pki-kra >= 10.3.3-7 +Requires: pki-ca >= 10.3.3-17 +Requires: pki-kra >= 10.3.3-17 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip @@ -802,10 +807,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END @@ -1541,8 +1546,21 @@ fi %changelog -* Tue Jan 17 2017 CentOS Sources - 4.4.0-14.el7.centos.4 -- Roll in CentOS Branding +* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.6 +- Resolves: #1416488 replication race condition prevents IPA to install + - wait_for_entry: use only DN as parameter + - Wait until HTTPS principal entry is replicated to replica + - Use proper logging for error messages + +* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.5 +- Resolves: #1410760 ipa-ca-install fails on replica when IPA Master is + installed without CA + - Set up DS TLS on replica in CA-less topology +- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for + ca-del, ca-disable and ca-enable commands + - ca: correctly authorise ca-del, ca-enable and ca-disable +- Resolves: #1416481 IPA replica install fails with dirsrv errors. + - Do not configure PKI ajp redirection to use "::1" * Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.4 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services