rpms / ipa

Clone
Source Code
GIT

Blame SPECS/ipa.spec

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   c303b26d489c8e733340ed53cea9481a094e7d1f
  2.   SPECS
  3.   ipa.spec
Blob History Raw
ac7d03 
# Define ONLY_CLIENT to only make the ipa-client and ipa-python
e3ffab 
# subpackages
99b6f7 
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
ac7d03 
%if %{ONLY_CLIENT}
ac7d03 
    %global enable_server_option --disable-server
ac7d03 
%else
ac7d03 
    %global enable_server_option --enable-server
ac7d03 
%endif
ac7d03
ac7d03 
# Build with ipatests
ac7d03 
%global with_ipatests 0
ac7d03 
%if 0%{?with_ipatests}
ac7d03 
    %global with_ipatests_option --with-ipatests
ac7d03 
%else
ac7d03 
    %global with_ipatests_option --without-ipatests
ac7d03 
%endif
99b6f7
403b09 
%if 0%{?rhel}
403b09 
%global with_python3 0
403b09 
%else
403b09 
%global with_python3 1
403b09 
%endif
403b09
ac7d03 
# lint is not executed during rpmbuild
ac7d03 
# %%global with_lint 1
ac7d03 
%if 0%{?with_lint}
ac7d03 
    %global linter_options --enable-pylint --with-jslint
99b6f7 
%else
ac7d03 
    %global linter_options --disable-pylint --without-jslint
99b6f7 
%endif
ac7d03
ac7d03 
# Python wheel support and PyPI packages
ac7d03 
%global with_wheels 0
e3ffab
e3ffab 
%global alt_name freeipa
e3ffab 
%if 0%{?rhel}
ac7d03 
# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
ac7d03 
%global krb5_version 1.15.1-4
ac7d03 
# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
ac7d03 
%global samba_version 4.6.0-4
403b09 
%global selinux_policy_version 3.13.1-70
403b09 
%global slapi_nis_version 0.56.0-4
e3ffab 
%else
ac7d03 
# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
ac7d03 
%global krb5_version 1.15.1-7
ac7d03 
# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
ac7d03 
%global samba_version 2:4.6.0-4
403b09 
%global selinux_policy_version 3.13.1-158.4
403b09 
%global slapi_nis_version 0.56.1
e3ffab 
%endif
99b6f7
590d18 
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
590d18
99b6f7 
%global plugin_dir %{_libdir}/dirsrv/plugins
590d18 
%global etc_systemd_dir %{_sysconfdir}/systemd/system
99b6f7 
%global gettext_domain ipa
99b6f7
9991ea 
%define _hardened_build 1
9991ea
ac7d03 
# Work-around fact that RPM SPEC parser does not accept
ac7d03 
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
ac7d03 
%define IPA_VERSION 4.5.0
ac7d03 
%define AT_SIGN @
ac7d03 
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
ac7d03 
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
ac7d03 
	%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
ac7d03 
%endif
ac7d03
99b6f7 
Name:           ipa
ac7d03 
Version:        %{IPA_VERSION}
3f8296 
Release:        22%{?dist}
99b6f7 
Summary:        The Identity, Policy and Audit system
99b6f7
99b6f7 
Group:          System Environment/Base
99b6f7 
License:        GPLv3+
99b6f7 
URL:            http://www.freeipa.org/
ac7d03 
Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
ac7d03 
# RHEL spec file only: START: Change branding to IPA and Identity Management
e0b2c4 
#Source1:        header-logo.png
e0b2c4 
#Source2:        login-screen-background.jpg
e0b2c4 
#Source3:        login-screen-logo.png
e0b2c4 
#Source4:        product-name.png
ac7d03 
# RHEL spec file only: END: Change branding to IPA and Identity Management
99b6f7 
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
99b6f7
e3ffab 
# RHEL spec file only: START
ac7d03 
Patch0001:      0001-Add-options-to-allow-ticket-caching.patch
ac7d03 
Patch0002:      0002-Use-connection-keep-alive.patch
ac7d03 
Patch0003:      0003-Add-debug-logging-for-keep-alive.patch
ac7d03 
Patch0004:      0004-Increase-Apache-HTTPD-s-default-keep-alive-timeout.patch
ac7d03 
Patch0005:      0005-ipapython.ipautil.nolog_replace-Do-not-replace-empty.patch
ac7d03 
Patch0006:      0006-tasks-run-systemctl-daemon-reload-after-httpd.servic.patch
ac7d03 
Patch0007:      0007-man-ipa-cacert-manage-install-needs-clarification.patch
ac7d03 
Patch0008:      0008-certs-do-not-implicitly-create-DS-pin.txt.patch
ac7d03 
Patch0009:      0009-httpinstance-clean-up-etc-httpd-alias-on-uninstall.patch
ac7d03 
Patch0010:      0010-Fixing-replica-install-fix-ldap-connection-in-domlvl.patch
ac7d03 
Patch0011:      0011-replica-prepare-fix-wrong-IPA-CA-nickname-in-replica.patch
ac7d03 
Patch0012:      0012-ldap2-use-LDAP-whoami-operation-to-retrieve-bind-DN-.patch
ac7d03 
Patch0013:      0013-Backup-ipa-specific-httpd-unit-file.patch
ac7d03 
Patch0014:      0014-WebUI-check-principals-in-lowercase.patch
ac7d03 
Patch0015:      0015-WebUI-add-method-for-disabling-item-in-user-dropdown.patch
ac7d03 
Patch0016:      0016-WebUI-Add-support-for-login-for-AD-users.patch
ac7d03 
Patch0017:      0017-cert-do-not-limit-internal-searches-in-cert-find.patch
ac7d03 
Patch0018:      0018-ipa-kdb-add-ipadb_fetch_principals_with_extra_filter.patch
ac7d03 
Patch0019:      0019-IPA-certauth-plugin.patch
ac7d03 
Patch0020:      0020-configure-fix-disable-server-with-certauth-plugin.patch
ac7d03 
Patch0021:      0021-ipa-kdb-do-not-depend-on-certauth_plugin.h.patch
ac7d03 
Patch0022:      0022-WebUI-Add-support-for-suppressing-warnings.patch
ac7d03 
Patch0023:      0023-WebUI-suppress-truncation-warning-in-select-widget.patch
ac7d03 
Patch0024:      0024-WebUI-Fix-showing-vault-in-selfservice-view.patch
ac7d03 
Patch0025:      0025-Set-KDC-Disable-Last-Success-by-default.patch
ac7d03 
Patch0026:      0026-WebUI-Allow-to-add-certs-to-certmapping-with-CERT-LI.patch
ac7d03 
Patch0027:      0027-Bump-samba-version-for-FIPS-and-priv.-separation.patch
ac7d03 
Patch0028:      0028-Reworked-the-renaming-mechanism.patch
ac7d03 
Patch0029:      0029-Allow-renaming-of-the-HBAC-rule-objects.patch
ac7d03 
Patch0030:      0030-Allow-renaming-of-the-sudorule-objects.patch
ac7d03 
Patch0031:      0031-Create-temporaty-directories-at-the-begining-of-unin.patch
ac7d03 
Patch0032:      0032-dogtag-ipa-ca-renew-agent-submit-fix-the-is_replicat.patch
ac7d03 
Patch0033:      0033-Simplify-KRA-transport-cert-cache.patch
ac7d03 
Patch0034:      0034-rpcserver.login_x509-Actually-return-reply-from-__ca.patch
ac7d03 
Patch0035:      0035-Backup-CA-cert-from-kerberos-folder.patch
ac7d03 
Patch0036:      0036-spec-file-Bump-requires-to-make-Certificate-Login-in.patch
ac7d03 
Patch0037:      0037-Use-Custodia-0.3.1-features.patch
ac7d03 
Patch0038:      0038-spec-file-bump-krb5-devel-BuildRequires-for-certauth.patch
ac7d03 
Patch0039:      0039-Avoid-growing-FILE-ccaches-unnecessarily.patch
ac7d03 
Patch0040:      0040-Handle-failed-authentication-via-cookie.patch
ac7d03 
Patch0041:      0041-Work-around-issues-fetching-session-data.patch
ac7d03 
Patch0042:      0042-Prevent-churn-on-ccaches.patch
ac7d03 
Patch0043:      0043-Generate-PIN-for-PKI-to-help-Dogtag-in-FIPS.patch
ac7d03 
Patch0044:      0044-httpinstance.disable_system_trust-Don-t-fail-if-modu.patch
ac7d03 
Patch0045:      0045-extdom-do-reverse-search-for-domain-separator.patch
ac7d03 
Patch0046:      0046-extdom-improve-cert-request.patch
ac7d03 
Patch0047:      0047-spec-file-bump-libsss_nss_idmap-devel-BuildRequires.patch
ac7d03 
Patch0048:      0048-server-make-sure-we-test-for-sss_nss_getlistbycert.patch
ac7d03 
Patch0049:      0049-Upgrade-configure-PKINIT-after-adding-anonymous-prin.patch
ac7d03 
Patch0050:      0050-Remove-unused-variable-from-failed-anonymous-PKINIT-.patch
ac7d03 
Patch0051:      0051-Split-out-anonymous-PKINIT-test-to-a-separate-method.patch
ac7d03 
Patch0052:      0052-Ensure-KDC-is-propery-configured-after-upgrade.patch
ac7d03 
Patch0053:      0053-adtrust-make-sure-that-runtime-hostname-result-is-co.patch
ac7d03 
Patch0054:      0054-Allow-erasing-ipaDomainResolutionOrder-attribute.patch
ac7d03 
Patch0055:      0055-Always-check-and-create-anonymous-principal-during-K.patch
ac7d03 
Patch0056:      0056-Remove-duplicate-functionality-in-upgrade.patch
ac7d03 
Patch0057:      0057-Fix-the-order-of-cert-files-check.patch
ac7d03 
Patch0058:      0058-Don-t-allow-setting-pkinit-related-options-on-DL0.patch
ac7d03 
Patch0059:      0059-replica-prepare-man-remove-pkinit-option-refs.patch
ac7d03 
Patch0060:      0060-Remove-redundant-option-check-for-cert-files.patch
ac7d03 
Patch0061:      0061-Hide-request_type-doc-string-in-cert-request-help.patch
ac7d03 
Patch0062:      0062-Get-correct-CA-cert-nickname-in-CA-less.patch
ac7d03 
Patch0063:      0063-Remove-publish_ca_cert-method-from-NSSDatabase.patch
ac7d03 
Patch0064:      0064-httpinstance-make-sure-NSS-database-is-backed-up.patch
ac7d03 
Patch0065:      0065-IPA-KDB-use-relative-path-in-ipa-certmap-config-snip.patch
ac7d03 
Patch0066:      0066-Add-pki_pin-only-when-needed.patch
ac7d03 
Patch0067:      0067-idrange-add-properly-handle-empty-dom-name-option.patch
ac7d03 
Patch0068:      0068-ipa-sam-create-the-gidNumber-attribute-in-the-truste.patch
ac7d03 
Patch0069:      0069-Upgrade-add-gidnumber-to-trusted-domain-entry.patch
ac7d03 
Patch0070:      0070-dsinstance-reconnect-ldap2-after-DS-is-restarted-by-.patch
ac7d03 
Patch0071:      0071-httpinstance-avoid-httpd-restart-during-certificate-.patch
ac7d03 
Patch0072:      0072-dsinstance-httpinstance-consolidate-certificate-requ.patch
ac7d03 
Patch0073:      0073-install-request-service-certs-after-host-keytab-is-s.patch
ac7d03 
Patch0074:      0074-renew-agent-revert-to-host-keytab-authentication.patch
ac7d03 
Patch0075:      0075-renew-agent-restart-scripts-connect-to-LDAP-after-ki.patch
ac7d03 
Patch0076:      0076-ipaserver-dcerpc-unify-error-processing.patch
ac7d03 
Patch0077:      0077-trust-always-use-oddjobd-helper-for-fetching-trust-i.patch
ac7d03 
Patch0078:      0078-WebUI-cert-login-Configure-name-of-parameter-used-to.patch
ac7d03 
Patch0079:      0079-Create-system-users-for-FreeIPA-services-during-pack.patch
ac7d03 
Patch0080:      0080-Fix-s4u2self-with-adtrust.patch
ac7d03 
Patch0081:      0081-Add-debug-log-in-case-cookie-retrieval-went-wrong.patch
ac7d03 
Patch0082:      0082-server-install-remove-broken-no-pkinit-check.patch
ac7d03 
Patch0083:      0083-Add-the-force-join-option-to-replica-install.patch
ac7d03 
Patch0084:      0084-replicainstall-better-client-install-exception-handl.patch
ac7d03 
Patch0085:      0085-Fix-CA-less-to-CA-full-upgrade.patch
ac7d03 
Patch0086:      0086-cert-defer-cert-find-result-post-processing.patch
ac7d03 
Patch0087:      0087-server-install-No-double-Kerberos-install.patch
ac7d03 
Patch0088:      0088-ext.-CA-correctly-write-the-cert-chain.patch
ac7d03 
Patch0089:      0089-Fix-RA-cert-import-during-DL0-replication.patch
ac7d03 
Patch0090:      0090-configure-fix-AC_CHECK_LIB-usage.patch
ac7d03 
Patch0091:      0091-Fix-CAInstance.import_ra_cert-for-empty-passwords.patch
ac7d03 
Patch0092:      0092-upgrade-adtrust-update_tdo_gidnumber-plugin-must-che.patch
ac7d03 
Patch0093:      0093-compat-manage-behave-the-same-for-all-users.patch
ac7d03 
Patch0094:      0094-Move-the-compat-plugin-setup-at-the-end-of-install.patch
ac7d03 
Patch0095:      0095-compat-ignore-cn-topology-cn-ipa-cn-etc-subtree.patch
ac7d03 
Patch0096:      0096-spec-file-bump-krb5-Requires-for-certauth-fixes.patch
ac7d03 
Patch0097:      0097-Hide-PKI-Client-database-password-in-log-file.patch
ac7d03 
Patch0098:      0098-Vault-Explicitly-default-to-3DES-CBC.patch
ac7d03 
Patch0099:      0099-separate-function-to-set-ipaConfigString-values-on-s.patch
ac7d03 
Patch0100:      0100-Allow-for-configuration-of-all-three-PKINIT-variants.patch
ac7d03 
Patch0101:      0101-API-for-retrieval-of-master-s-PKINIT-status-and-publ.patch
ac7d03 
Patch0102:      0102-Use-only-anonymous-PKINIT-to-fetch-armor-ccache.patch
ac7d03 
Patch0103:      0103-Stop-requesting-anonymous-keytab-and-purge-all-refer.patch
ac7d03 
Patch0104:      0104-Use-local-anchor-when-armoring-password-requests.patch
ac7d03 
Patch0105:      0105-Upgrade-configure-local-full-PKINIT-depending-on-the.patch
ac7d03 
Patch0106:      0106-Do-not-test-anonymous-PKINIT-after-install-upgrade.patch
ac7d03 
Patch0107:      0107-vault-piped-input-for-ipa-vault-add-fails.patch
ac7d03 
Patch0108:      0108-automount-install-fix-checking-of-SSSD-functionality.patch
ac7d03 
Patch0109:      0109-Fix-CA-server-cert-validation-in-FIPS.patch
ac7d03 
Patch0110:      0110-restore-restart-reload-gssproxy-after-restore.patch
ac7d03 
Patch0111:      0111-kerberos-session-use-CA-cert-with-full-cert-chain-fo.patch
ac7d03 
Patch0112:      0112-ipa-client-install-remove-extra-space-in-pkinit_anch.patch
ac7d03 
Patch0113:      0113-Refresh-Dogtag-RestClient.ca_host-property.patch
ac7d03 
Patch0114:      0114-Remove-the-cachedproperty-class.patch
ac7d03 
Patch0115:      0115-ipa-server-install-with-external-CA-fix-pkinit-cert-.patch
ac7d03 
Patch0116:      0116-kra-install-update-installation-failure-message.patch
ac7d03 
Patch0117:      0117-Make-sure-remote-hosts-have-our-keys.patch
ac7d03 
Patch0118:      0118-Use-proper-SELinux-context-with-http.keytab.patch
ac7d03 
Patch0119:      0119-ipa-kra-install-fix-check_host_keys.patch
ac7d03 
Patch0120:      0120-python2-ipalib-add-missing-python-dependency.patch
ac7d03 
Patch0121:      0121-installer-service-fix-typo-in-service-entry.patch
ac7d03 
Patch0122:      0122-upgrade-add-missing-suffix-to-http-instance.patch
ac7d03 
Patch0123:      0123-Turn-on-NSSOCSP-check-in-mod_nss-conf.patch
ac7d03 
Patch0124:      0124-cert-show-writable-files-does-not-mean-dirs.patch
ac7d03 
Patch0125:      0125-Bump-version-of-ipa.conf-file.patch
ac7d03 
Patch0126:      0126-ipa-kra-install-manpage-document-domain-level-1.patch
ac7d03 
Patch0127:      0127-renew-agent-respect-CA-renewal-master-setting.patch
ac7d03 
Patch0128:      0128-server-upgrade-always-fix-certmonger-tracking-reques.patch
ac7d03 
Patch0129:      0129-cainstance-use-correct-profile-for-lightweight-CA-ce.patch
ac7d03 
Patch0130:      0130-renew-agent-allow-reusing-existing-certs.patch
ac7d03 
Patch0131:      0131-renew-agent-always-export-CSR-on-IPA-CA-certificate-.patch
ac7d03 
Patch0132:      0132-renew-agent-get-rid-of-virtual-profiles.patch
ac7d03 
Patch0133:      0133-ipa-cacert-manage-add-external-ca-type.patch
ac7d03 
Patch0134:      0134-Fixing-adding-authenticator-indicators-to-host.patch
ac7d03 
Patch0135:      0135-Added-plugins-directory-to-ipaclient-subpackages.patch
ac7d03 
Patch0136:      0136-ipaclient-fix-missing-RPM-ownership.patch
ac7d03 
Patch0137:      0137-otptoken-add-yubikey-When-digits-not-provided-use-de.patch
ac7d03 
Patch0138:      0138-ipa-server-install-fix-uninstall.patch
ac7d03 
Patch0139:      0139-ca-install-merge-duplicated-code-for-DM-password.patch
ac7d03 
Patch0140:      0140-installutils-add-DM-password-validator.patch
ac7d03 
Patch0141:      0141-ca-kra-install-validate-DM-password.patch
ac7d03 
Patch0142:      0142-ipa-kra-install-fix-pkispawn-setting-for-pki_securit.patch
ac7d03 
Patch0143:      0143-certdb-add-named-trust-flag-constants.patch
ac7d03 
Patch0144:      0144-certdb-certs-make-trust-flags-argument-mandatory.patch
ac7d03 
Patch0145:      0145-certdb-use-custom-object-for-trust-flags.patch
ac7d03 
Patch0146:      0146-install-trust-IPA-CA-for-PKINIT.patch
ac7d03 
Patch0147:      0147-client-install-fix-client-PKINIT-configuration.patch
ac7d03 
Patch0148:      0148-install-introduce-generic-Kerberos-Augeas-lens.patch
ac7d03 
Patch0149:      0149-server-install-fix-KDC-PKINIT-configuration.patch
ac7d03 
Patch0150:      0150-ipapython.ipautil.run-Add-option-to-set-umask-before.patch
ac7d03 
Patch0151:      0151-certs-do-not-export-keys-world-readable-in-install_k.patch
ac7d03 
Patch0152:      0152-certs-do-not-export-CA-certs-in-install_pem_from_p12.patch
ac7d03 
Patch0153:      0153-server-install-fix-KDC-certificate-validation-in-CA-.patch
ac7d03 
Patch0154:      0154-replica-install-respect-pkinit-cert-file.patch
ac7d03 
Patch0155:      0155-cacert-manage-support-PKINIT.patch
ac7d03 
Patch0156:      0156-server-certinstall-support-PKINIT.patch
ac7d03 
Patch0157:      0157-ipa-ca-install-append-CA-cert-chain-into-etc-ipa-ca..patch
ac7d03 
Patch0158:      0158-ca-cert-show-check-certificate_out-in-options.patch
ac7d03 
Patch0159:      0159-Fix-rare-race-condition-with-missing-ccache-file.patch
ac7d03 
Patch0160:      0160-Remove-pkinit-anonymous-command.patch
ac7d03 
Patch0161:      0161-krb5-make-sure-KDC-certificate-is-readable.patch
ac7d03 
Patch0162:      0162-Change-python-cryptography-to-python2-cryptography.patch
ac7d03 
Patch0163:      0163-Allow-for-multivalued-server-attributes.patch
ac7d03 
Patch0164:      0164-Refactor-the-role-attribute-member-reporting-code.patch
ac7d03 
Patch0165:      0165-Add-an-attribute-reporting-client-PKINIT-capable-ser.patch
ac7d03 
Patch0166:      0166-Add-the-list-of-PKINIT-servers-as-a-virtual-attribut.patch
ac7d03 
Patch0167:      0167-Add-pkinit-status-command.patch
ac7d03 
Patch0168:      0168-test_serverroles-Get-rid-of-MockLDAP-and-use-ldap2-i.patch
ac7d03 
Patch0169:      0169-only-stop-disable-simple-service-if-it-is-installed.patch
ac7d03 
Patch0170:      0170-Fix-index-definition-for-ipaAnchorUUID.patch
ac7d03 
Patch0171:      0171-httpinstance-wait-until-the-service-entry-is-replica.patch
ac7d03 
Patch0172:      0172-kdc.key-should-not-be-visible-to-all.patch
ac7d03 
Patch0173:      0173-ipa-kdb-reload-certificate-mapping-rules-periodicall.patch
ac7d03 
Patch0174:      0174-Avoid-possible-endless-recursion-in-RPC-call.patch
ac7d03 
Patch0175:      0175-rpc-preparations-for-recursion-fix.patch
ac7d03 
Patch0176:      0176-rpc-avoid-possible-recursion-in-create_connection.patch
ac7d03 
Patch0177:      0177-Changing-cert-find-to-do-not-use-only-primary-key-to.patch
ac7d03 
Patch0178:      0178-ipa-kdb-add-pkinit-authentication-indicator-in-case-.patch
ac7d03 
Patch0179:      0179-fix-incorrect-suffix-handling-in-topology-checks.patch
ac7d03 
Patch0180:      0180-server-certinstall-update-KDC-master-entry.patch
ac7d03 
Patch0181:      0181-pkinit-manage-introduce-ipa-pkinit-manage.patch
ac7d03 
Patch0182:      0182-server-upgrade-do-not-enable-PKINIT-by-default.patch
ac7d03 
Patch0183:      0183-Turn-off-OCSP-check.patch
ac7d03 
Patch0184:      0184-Only-warn-when-specified-server-IP-addresses-don-t-m.patch
ac7d03 
Patch0185:      0185-ipa-kdb-use-canonical-principal-in-certauth-plugin.patch
ac7d03 
Patch0186:      0186-Bump-version-of-python-gssapi.patch
ac7d03 
Patch0187:      0187-Add-code-to-be-able-to-set-default-kinit-lifetime.patch
ac7d03 
Patch0188:      0188-Revert-setting-sessionMaxAge-for-old-clients.patch
ac7d03 
Patch0189:      0189-Extend-the-advice-printing-code-by-some-useful-abstr.patch
ac7d03 
Patch0190:      0190-Prepare-advise-plugin-for-smart-card-auth-configurat.patch
ac7d03 
Patch0191:      0191-trust-mod-allow-modifying-list-of-UPNs-of-a-trusted-.patch
ac7d03 
Patch0192:      0192-WebUI-add-support-for-changing-trust-UPN-suffixes.patch
ac7d03 
Patch0193:      0193-kra-promote-Get-ticket-before-calling-custodia.patch
ac7d03 
Patch0194:      0194-Fix-local-IP-address-validation.patch
ac7d03 
Patch0195:      0195-ipa-dns-install-remove-check-for-local-ip-address.patch
ac7d03 
Patch0196:      0196-refactor-CheckedIPAddress-class.patch
ac7d03 
Patch0197:      0197-CheckedIPAddress-remove-match_local-param.patch
ac7d03 
Patch0198:      0198-Remove-ip_netmask-from-option-parser.patch
ac7d03 
Patch0199:      0199-replica-install-add-missing-check-for-non-local-IP-a.patch
ac7d03 
Patch0200:      0200-Remove-network-and-broadcast-address-warnings.patch
ac7d03 
Patch0201:      0201-ipa-sam-replace-encode_nt_key-with-E_md4hash.patch
ac7d03 
Patch0202:      0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch
ac7d03 
Patch0203:      0203-Make-sure-we-check-ccaches-in-all-rpcserver-paths.patch
8ec14d 
Patch0204:      0204-replica-install-drop-in-IPA-specific-config-to-tmpfi.patch
b38368 
Patch0205:      0205-Add-CommonNameToSANDefault-to-default-cert-profile.patch
b38368 
Patch0206:      0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch
b38368 
Patch0207:      0207-smart-card-advises-add-steps-to-store-smart-card-sig.patch
b38368 
Patch0208:      0208-Allow-to-pass-in-multiple-CA-cert-paths-to-the-smart.patch
b38368 
Patch0209:      0209-add-a-class-that-tracks-the-indentation-in-the-gener.patch
b38368 
Patch0210:      0210-delegate-the-indentation-handling-in-advises-to-dedi.patch
b38368 
Patch0211:      0211-advise-add-an-infrastructure-for-formatting-Bash-com.patch
b38368 
Patch0212:      0212-delegate-formatting-of-compound-Bash-statements-to-d.patch
b38368 
Patch0213:      0213-Fix-indentation-of-statements-in-Smart-card-advises.patch
b38368 
Patch0214:      0214-Use-the-compound-statement-formatting-API-for-config.patch
b38368 
Patch0215:      0215-smart-card-advises-use-a-wrapper-around-Bash-for-loo.patch
b38368 
Patch0216:      0216-smart-card-advise-use-password-when-changing-trust-f.patch
b38368 
Patch0217:      0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch
b38368 
Patch0218:      0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch
b38368 
Patch0219:      0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch
460745 
Patch0220:      0220-ipa-otptoken-import-Make-PBKDF2-refer-to-the-pkcs5-n.patch
460745 
Patch0221:      0221-Adds-whoami-DS-plugin-in-case-that-plugin-is-missing.patch
460745 
Patch0222:      0222-Fix-ipa-config-mod-ca-renewal-master.patch
460745 
Patch0223:      0223-Backport-PR-988-to-ipa-4-5-Fix-Certificate-renewal-w.patch
460745 
Patch0224:      0224-Backport-PR-1008-to-ipa-4-5-Fix-ipa-server-upgrade-T.patch
460745 
Patch0225:      0225-Fixing-how-sssd.conf-is-updated-when-promoting-a-cli.patch
460745 
Patch0226:      0226-Backport-4-5-Fix-ipa-server-upgrade-with-server-cert.patch
460745 
Patch0227:      0227-Always-check-peer-has-keys-before-connecting.patch
460745 
Patch0228:      0228-Make-sure-upgrade-also-checks-for-IPv6-stack.patch
460745 
Patch0229:      0229-control-logging-of-host_port_open-from-caller.patch
460745 
Patch0230:      0230-log-progress-of-wait_for_open_ports.patch
460745 
Patch0231:      0231-Store-help-in-Schema-before-writing-to-disk.patch
460745 
Patch0232:      0232-Disable-pylint-in-get_help-function-because-of-type-.patch
3f8296 
Patch0233:      0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
3f8296 
Patch0234:      0234-server.py-Removes-dns-server-configuration-from-ldap.patch
3f8296 
Patch0235:      0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
3f8296 
Patch0236:      0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
ac7d03
ac7d03 
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
ac7d03 
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
ac7d03 
Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
ac7d03 
Patch1004:      1004-Remove-csrgen.patch
e3ffab 
# RHEL spec file only: END
99b6f7
99b6f7 
BuildRequires:  openldap-devel
ac7d03 
# For KDB DAL version, make explicit dependency so that increase of version
ac7d03 
# will cause the build to fail due to unsatisfied dependencies.
ac7d03 
# DAL version change may cause code crash or memory leaks, it is better to fail early.
ac7d03 
%if 0%{?fedora} > 25
ac7d03 
BuildRequires: krb5-kdb-version = 6.1
ac7d03 
%endif
ac7d03 
BuildRequires:  krb5-devel >= %{krb5_version}
ac7d03 
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
99b6f7 
BuildRequires:  xmlrpc-c-devel >= 1.27.4
99b6f7 
BuildRequires:  popt-devel
99b6f7 
BuildRequires:  autoconf
99b6f7 
BuildRequires:  automake
99b6f7 
BuildRequires:  libtool
99b6f7 
BuildRequires:  gettext
ac7d03 
BuildRequires:  gettext-devel
99b6f7 
BuildRequires:  python-devel
99b6f7 
BuildRequires:  python-setuptools
ac7d03 
%if 0%{?with_python3}
ac7d03 
BuildRequires:  python3-devel
ac7d03 
BuildRequires:  python3-setuptools
ac7d03 
%endif # with_python3
ac7d03 
# %{_unitdir}, %{_tmpfilesdir}
99b6f7 
BuildRequires:  systemd
ac7d03 
# systemd-tmpfiles which is executed from make install requires apache user
ac7d03 
BuildRequires:  httpd
ac7d03 
BuildRequires:  nspr-devel
ac7d03 
BuildRequires:  nss-devel
ac7d03 
BuildRequires:  openssl-devel
ac7d03 
BuildRequires:  libini_config-devel
ac7d03 
BuildRequires:  cyrus-sasl-devel
e3ffab 
# RHEL spec file only: START
99b6f7 
BuildRequires:  diffstat
e3ffab 
# RHEL spec file only: END
ac7d03 
%if ! %{ONLY_CLIENT}
ac7d03 
# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
ac7d03 
BuildRequires:  389-ds-base-devel >= 1.3.3.9
ac7d03 
BuildRequires:  svrcore-devel
ac7d03 
%if 0%{?rhel}
ac7d03 
BuildRequires:  samba-devel >= 4.0.0
ac7d03 
%else
ac7d03 
BuildRequires:  samba-devel >= 2:4.0.0
ac7d03 
%endif
ac7d03 
BuildRequires:  libtalloc-devel
ac7d03 
BuildRequires:  libtevent-devel
ac7d03 
BuildRequires:  libuuid-devel
ac7d03 
BuildRequires:  libsss_idmap-devel
ac7d03 
BuildRequires:  libsss_certmap-devel
ac7d03 
# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050)
ac7d03 
BuildRequires:  libsss_nss_idmap-devel >= 1.15.2-2
ac7d03 
BuildRequires:  rhino
ac7d03 
BuildRequires:  libverto-devel
ac7d03 
BuildRequires:  libunistring-devel
e3ffab 
BuildRequires:  python-lesscpy
ac7d03 
%endif # ONLY_CLIENT
ac7d03
ac7d03 
#
ac7d03 
# Build dependencies for makeapi/makeaci
ac7d03 
# makeapi/makeaci is using Python 2 only for now
ac7d03 
#
ac7d03 
BuildRequires:  python-ldap
ac7d03 
BuildRequires:  python-nss
ac7d03 
BuildRequires:  python-netaddr
ac7d03 
BuildRequires:  python-pyasn1
ac7d03 
BuildRequires:  python-pyasn1-modules
ac7d03 
BuildRequires:  python-dns
403b09 
BuildRequires:  python-six
ac7d03 
BuildRequires:  python-libsss_nss_idmap
ac7d03 
BuildRequires:  python-cffi
ac7d03
ac7d03 
#
ac7d03 
# Build dependencies for wheel packaging and PyPI upload
ac7d03 
#
ac7d03 
%if 0%{with_wheels}
ac7d03 
BuildRequires:  python2-twine
ac7d03 
BuildRequires:  python2-wheel
ac7d03 
%if 0%{?with_python3}
ac7d03 
BuildRequires:  python3-twine
ac7d03 
BuildRequires:  python3-wheel
ac7d03 
%endif
ac7d03 
%endif # with_wheels
ac7d03
ac7d03 
#
ac7d03 
# Build dependencies for lint
ac7d03 
#
ac7d03 
%if 0%{?with_lint}
ac7d03 
BuildRequires:  samba-python
ac7d03 
# 1.4: the version where Certificate.serial changed to .serial_number
ac7d03 
BuildRequires:  python2-cryptography >= 1.4
ac7d03 
# Bump because of #1457942 certauth: use canonical principal for lookups
ac7d03 
BuildRequires:  python-gssapi >= 1.2.0-3
ac7d03 
BuildRequires:  pylint >= 1.6
ac7d03 
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
ac7d03 
BuildRequires:  python2-polib
ac7d03 
BuildRequires:  python-libipa_hbac
ac7d03 
BuildRequires:  python-lxml
ac7d03 
# 5.0.0: QRCode.print_ascii
ac7d03 
BuildRequires:  python-qrcode-core >= 5.0.0
ac7d03 
# 1.15: python-dns changed return type in to_text() method in PY3
ac7d03 
BuildRequires:  python-dns >= 1.12.0-3
ac7d03 
BuildRequires:  jsl
ac7d03 
BuildRequires:  python-yubico
ac7d03 
# pki Python package
ac7d03 
BuildRequires:  pki-base-python2
ac7d03 
BuildRequires:  python-pytest-multihost
ac7d03 
BuildRequires:  python-pytest-sourceorder
403b09 
BuildRequires:  python-jwcrypto
ac7d03 
# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
ac7d03 
BuildRequires:  python-custodia >= 0.3.0-4
403b09 
BuildRequires:  dbus-python
ac7d03 
BuildRequires:  python-dateutil
ac7d03 
BuildRequires:  python-enum34
ac7d03 
BuildRequires:  python-netifaces
ac7d03 
BuildRequires:  python-sss
ac7d03 
BuildRequires:  python-sss-murmur
ac7d03 
BuildRequires:  python-sssdconfig
ac7d03 
BuildRequires:  python-nose
ac7d03 
BuildRequires:  python-paste
ac7d03 
BuildRequires:  systemd-python
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
ac7d03 
# python-augeas >= 0.5 supports replace method
ac7d03 
BuildRequires:  python-augeas >= 0.5
403b09
ac7d03 
%if 0%{?with_python3}
ac7d03 
# FIXME: this depedency is missing - server will not work
ac7d03 
#BuildRequires:  python3-samba
ac7d03 
# 1.4: the version where Certificate.serial changed to .serial_number
ac7d03 
BuildRequires:  python3-cryptography >= 1.4
ac7d03 
BuildRequires:  python3-gssapi >= 1.2.0
ac7d03 
BuildRequires:  python3-pylint >= 1.6
ac7d03 
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
ac7d03 
BuildRequires:  python3-polib
ac7d03 
BuildRequires:  python3-libipa_hbac
ac7d03 
BuildRequires:  python3-memcached
ac7d03 
BuildRequires:  python3-lxml
ac7d03 
# 5.0.0: QRCode.print_ascii
ac7d03 
BuildRequires:  python3-qrcode-core >= 5.0.0
ac7d03 
# 1.15: python-dns changed return type in to_text() method in PY3
ac7d03 
BuildRequires:  python3-dns >= 1.12.0-3
ac7d03 
BuildRequires:  python3-yubico
ac7d03 
# pki Python package
ac7d03 
BuildRequires:  pki-base-python3
ac7d03 
BuildRequires:  python3-pytest-multihost
ac7d03 
BuildRequires:  python3-pytest-sourceorder
ac7d03 
BuildRequires:  python3-jwcrypto
ac7d03 
# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
ac7d03 
BuildRequires:  python3-custodia >= 0.3.0-4
ac7d03 
BuildRequires:  python3-dbus
ac7d03 
BuildRequires:  python3-dateutil
ac7d03 
BuildRequires:  python3-enum34
ac7d03 
BuildRequires:  python3-netifaces
ac7d03 
BuildRequires:  python3-sss
ac7d03 
BuildRequires:  python3-sss-murmur
ac7d03 
BuildRequires:  python3-sssdconfig
ac7d03 
BuildRequires:  python3-libsss_nss_idmap
ac7d03 
BuildRequires:  python3-nose
ac7d03 
BuildRequires:  python3-paste
ac7d03 
BuildRequires:  python3-systemd
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
ac7d03 
# python-augeas >= 0.5 supports replace method
ac7d03 
BuildRequires:  python3-augeas >= 0.5
ac7d03 
%endif # with_python3
ac7d03 
%endif # with_lint
ac7d03
ac7d03 
#
403b09 
# Build dependencies for unit tests
ac7d03 
#
ac7d03 
%if ! %{ONLY_CLIENT}
403b09 
BuildRequires:  libcmocka-devel
403b09 
BuildRequires:  nss_wrapper
403b09 
# Required by ipa_kdb_tests
403b09 
BuildRequires:  %{_libdir}/krb5/plugins/kdb/db2.so
ac7d03 
%endif # ONLY_CLIENT
99b6f7
99b6f7 
%description
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09
99b6f7
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
99b6f7 
%package server
99b6f7 
Summary: The IPA authentication server
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-server-common = %{version}-%{release}
99b6f7 
Requires: %{name}-client = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaserver = %{version}-%{release}
ac7d03 
Requires: 389-ds-base >= 1.3.5.14
99b6f7 
Requires: openldap-clients > 2.4.35-4
99b6f7 
Requires: nss >= 3.14.3-12.0
99b6f7 
Requires: nss-tools >= 3.14.3-12.0
ac7d03 
Requires(post): krb5-server >= %{krb5_version}
590d18 
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
ac7d03 
Requires: krb5-pkinit-openssl >= %{krb5_version}
99b6f7 
Requires: cyrus-sasl-gssapi%{?_isa}
99b6f7 
Requires: ntp
403b09 
Requires: httpd >= 2.4.6-31
99b6f7 
Requires: mod_wsgi
ac7d03 
Requires: mod_auth_gssapi >= 1.5.0
ac7d03 
# 1.0.14-2: https://bugzilla.redhat.com/show_bug.cgi?id=1347298
ac7d03 
Requires: mod_nss >= 1.0.14-2
ac7d03 
Requires: mod_session
ac7d03 
# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
ac7d03 
Requires: mod_lookup_identity >= 0.9.9
e3ffab 
Requires: python-ldap >= 2.4.15
ac7d03 
# Bump because of #1457942 certauth: use canonical principal for lookups
ac7d03 
Requires: python-gssapi >= 1.2.0-3
99b6f7 
Requires: acl
99b6f7 
Requires: systemd-units >= 38
590d18 
Requires(pre): shadow-utils
99b6f7 
Requires(pre): systemd-units
99b6f7 
Requires(post): systemd-units
e3ffab 
Requires: selinux-policy >= %{selinux_policy_version}
590d18 
Requires(post): selinux-policy-base >= %{selinux_policy_version}
403b09 
Requires: slapi-nis >= %{slapi_nis_version}
b38368 
# Required because of: https://bugzilla.redhat.com/show_bug.cgi?id=1475238
b38368 
# related pki-core update: https://bugzilla.redhat.com/show_bug.cgi?id=1305993
b38368 
Requires: pki-ca >= 10.4.0-1
b38368 
Requires: pki-kra >= 10.4.0-1
99b6f7 
Requires(preun): python systemd-units
99b6f7 
Requires(postun): python systemd-units
e3ffab 
Requires: policycoreutils >= 2.1.14-37
99b6f7 
Requires: tar
590d18 
Requires(pre): certmonger >= 0.78
ac7d03 
Requires(pre): 389-ds-base >= 1.3.5.14
e3ffab 
Requires: fontawesome-fonts
e3ffab 
Requires: open-sans-fonts
e0ab38 
Requires: openssl >= 1:1.0.1e-42
590d18 
Requires: softhsm >= 2.0.0rc1-1
590d18 
Requires: p11-kit
590d18 
Requires: systemd-python
590d18 
Requires: %{etc_systemd_dir}
590d18 
Requires: gzip
403b09 
Requires: oddjob
ac7d03 
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
ac7d03 
Requires: gssproxy >= 0.7.0-2
ac7d03 
# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
ac7d03 
Requires: sssd-dbus >= 1.15.2
e3ffab
403b09 
Provides: %{alt_name}-server = %{version}
e3ffab 
Conflicts: %{alt_name}-server
e3ffab 
Obsoletes: %{alt_name}-server < %{version}
e3ffab
e3ffab 
# RHEL spec file only: DELETED
99b6f7
590d18 
# upgrade path from monolithic -server to -server + -server-dns
590d18 
Obsoletes: %{name}-server <= 4.2.0-2
99b6f7
99b6f7 
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
99b6f7 
# member.
99b6f7 
Conflicts: nss-pam-ldapd < 0.8.4
99b6f7
e3ffab 
# RHEL spec file only: START: Do not build tests
9991ea 
# ipa-tests subpackage was moved to separate srpm
9991ea 
Conflicts: ipa-tests < 3.3.3-9
e3ffab 
# RHEL spec file only: END: Do not build tests
9991ea
403b09 
# RHEL spec file only: START
403b09 
# https://bugzilla.redhat.com/show_bug.cgi?id=1296140
403b09 
Obsoletes: redhat-access-plugin-ipa
403b09 
Conflicts: redhat-access-plugin-ipa
403b09 
# RHEL spec file only: END
403b09
99b6f7 
%description server
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
403b09
403b09
403b09 
%package -n python2-ipaserver
403b09 
Summary: Python libraries used by IPA server
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python2-ipaserver}
ac7d03 
%{!?python_provide:Provides: python-ipaserver = %{version}-%{release}}
403b09 
Requires: %{name}-server-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaclient = %{version}-%{release}
ac7d03 
Requires: python-custodia >= 0.3.0-4
403b09 
Requires: python-ldap >= 2.4.15
ac7d03 
Requires: python-lxml
ac7d03 
# Bump because of #1457942 certauth: use canonical principal for lookups
ac7d03 
Requires: python-gssapi >= 1.2.0-3
403b09 
Requires: python-sssdconfig
403b09 
Requires: python-pyasn1
403b09 
Requires: dbus-python
ac7d03 
Requires: python-dns >= 1.12.0-3
403b09 
Requires: python-kdcproxy >= 0.3
403b09 
Requires: rpm-libs
ac7d03 
Requires: pki-base-python2
ac7d03 
# python-augeas >= 0.5 supports replace method
ac7d03 
Requires: python-augeas >= 0.5
403b09
403b09 
%description -n python2-ipaserver
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
403b09
403b09
ac7d03 
%if 0%{?with_python3}
ac7d03
ac7d03 
%package -n python3-ipaserver
ac7d03 
Summary: Python libraries used by IPA server
ac7d03 
Group: System Environment/Libraries
ac7d03 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python3-ipaserver}
ac7d03 
Requires: %{name}-server-common = %{version}-%{release}
ac7d03 
Requires: %{name}-common = %{version}-%{release}
ac7d03 
Requires: python3-ipaclient = %{version}-%{release}
ac7d03 
Requires: python3-custodia >= 0.3.0-4
ac7d03 
Requires: python3-pyldap >= 2.4.15
ac7d03 
Requires: python3-lxml
ac7d03 
Requires: python3-gssapi >= 1.2.0
ac7d03 
Requires: python3-sssdconfig
ac7d03 
Requires: python3-pyasn1
ac7d03 
Requires: python3-dbus
ac7d03 
Requires: python3-dns >= 1.12.0-3
ac7d03 
Requires: python3-kdcproxy >= 0.3
ac7d03 
# python3-augeas >= 0.5 supports replace method
ac7d03 
Requires: python3-augeas >= 0.5
ac7d03 
Requires: rpm-libs
ac7d03 
Requires: pki-base-python3
ac7d03
ac7d03 
%description -n python3-ipaserver
ac7d03 
IPA is an integrated solution to provide centrally managed Identity (users,
ac7d03 
hosts, services), Authentication (SSO, 2FA), and Authorization
ac7d03 
(host access control, SELinux user roles, services). The solution provides
ac7d03 
features for further integration with Linux based clients (SUDO, automount)
ac7d03 
and integration with Active Directory based infrastructures (Trusts).
ac7d03 
If you are installing an IPA server, you need to install this package.
ac7d03
ac7d03 
%endif  # with_python3
ac7d03
ac7d03
403b09 
%package server-common
403b09 
Summary: Common files used by IPA server
403b09 
Group: System Environment/Base
403b09 
BuildArch: noarch
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: httpd >= 2.4.6-31
403b09 
Requires: systemd-units >= 38
ac7d03 
Requires: custodia >= 0.3.0-4
403b09
403b09 
Provides: %{alt_name}-server-common = %{version}
403b09 
Conflicts: %{alt_name}-server-common
403b09 
Obsoletes: %{alt_name}-server-common < %{version}
403b09
403b09 
%description server-common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
99b6f7
99b6f7
590d18 
%package server-dns
590d18 
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
590d18 
Group: System Environment/Base
403b09 
BuildArch: noarch
590d18 
Requires: %{name}-server = %{version}-%{release}
8ec14d 
# bumped because of https://bugzilla.redhat.com/show_bug.cgi?id=1469480
8ec14d 
Requires: bind-dyndb-ldap >= 11.1-4
8ec14d 
Requires: bind >= 9.9.4-51
8ec14d 
Requires: bind-utils >= 9.9.4-51
8ec14d 
Requires: bind-pkcs11 >= 9.9.4-51
8ec14d 
Requires: bind-pkcs11-utils >= 9.9.4-51
590d18 
Requires: opendnssec >= 1.4.6-4
590d18
403b09 
Provides: %{alt_name}-server-dns = %{version}
590d18 
Conflicts: %{alt_name}-server-dns
590d18 
Obsoletes: %{alt_name}-server-dns < %{version}
590d18
590d18 
# upgrade path from monolithic -server to -server + -server-dns
590d18 
Obsoletes: %{name}-server <= 4.2.0-2
590d18
590d18 
%description server-dns
590d18 
IPA integrated DNS server with support for automatic DNSSEC signing.
590d18 
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
590d18
590d18
99b6f7 
%package server-trust-ad
99b6f7 
Summary: Virtual package to install packages required for Active Directory trusts
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-server = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
99b6f7 
Requires: samba-python
e3ffab 
Requires: samba >= %{samba_version}
99b6f7 
Requires: samba-winbind
99b6f7 
Requires: libsss_idmap
590d18 
Requires: python-libsss_nss_idmap
590d18 
Requires: python-sss
99b6f7 
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
99b6f7 
# on the installes where server-trust-ad subpackage is installed because
99b6f7 
# IPA AD trusts cannot be used at the same time with the locator plugin
99b6f7 
# since Winbindd will be configured in a different mode
99b6f7 
Requires(post): %{_sbindir}/update-alternatives
99b6f7 
Requires(post): python
99b6f7 
Requires(postun): %{_sbindir}/update-alternatives
99b6f7 
Requires(preun): %{_sbindir}/update-alternatives
99b6f7
403b09 
Provides: %{alt_name}-server-trust-ad = %{version}
e3ffab 
Conflicts: %{alt_name}-server-trust-ad
e3ffab 
Obsoletes: %{alt_name}-server-trust-ad < %{version}
e3ffab
99b6f7 
%description server-trust-ad
99b6f7 
Cross-realm trusts with Active Directory in IPA require working Samba 4
99b6f7 
installation. This package is provided for convenience to install all required
99b6f7 
dependencies at once.
99b6f7
99b6f7 
%endif # ONLY_CLIENT
99b6f7
99b6f7
99b6f7 
%package client
99b6f7 
Summary: IPA authentication for use on clients
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaclient = %{version}-%{release}
99b6f7 
Requires: python-ldap
99b6f7 
Requires: cyrus-sasl-gssapi%{?_isa}
99b6f7 
Requires: ntp
ac7d03 
Requires: krb5-workstation >= %{krb5_version}
99b6f7 
Requires: authconfig
403b09 
Requires: curl
403b09 
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
403b09 
Requires: initscripts
99b6f7 
Requires: libcurl >= 7.21.7-2
99b6f7 
Requires: xmlrpc-c >= 1.27.4
403b09 
Requires: sssd >= 1.14.0
590d18 
Requires: python-sssdconfig
590d18 
Requires: certmonger >= 0.78
99b6f7 
Requires: nss-tools
99b6f7 
Requires: bind-utils
99b6f7 
Requires: oddjob-mkhomedir
ac7d03 
# Bump because of #1457942 certauth: use canonical principal for lookups
ac7d03 
Requires: python-gssapi >= 1.2.0-3
99b6f7 
Requires: libsss_autofs
99b6f7 
Requires: autofs
99b6f7 
Requires: libnfsidmap
99b6f7 
Requires: nfs-utils
99b6f7 
Requires(post): policycoreutils
99b6f7
403b09 
Provides: %{alt_name}-client = %{version}
e3ffab 
Conflicts: %{alt_name}-client
e3ffab 
Obsoletes: %{alt_name}-client < %{version}
e3ffab
ac7d03 
Provides: %{alt_name}-admintools = %{version}
ac7d03 
Conflicts: %{alt_name}-admintools
ac7d03 
Obsoletes: %{alt_name}-admintools < 4.4.1
ac7d03
ac7d03 
Obsoletes: %{name}-admintools < 4.4.1
ac7d03 
Provides: %{name}-admintools = %{version}-%{release}
ac7d03
99b6f7 
%description client
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
ac7d03 
This package provides command-line tools for IPA administrators.
403b09
403b09
403b09 
%package -n python2-ipaclient
403b09 
Summary: Python libraries used by IPA client
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python2-ipaclient}
ac7d03 
%{!?python_provide:Provides: python-ipaclient = %{version}-%{release}}
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipalib = %{version}-%{release}
ac7d03 
Requires: python-dns >= 1.12.0-3
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
403b09
403b09 
%description -n python2-ipaclient
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%package -n python3-ipaclient
403b09 
Summary: Python libraries used by IPA client
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python3-ipaclient}
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python3-ipalib = %{version}-%{release}
ac7d03 
Requires: python3-dns >= 1.12.0-3
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
403b09
403b09 
%description -n python3-ipaclient
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
403b09
403b09 
%endif  # with_python3
403b09
403b09
403b09 
%package client-common
403b09 
Summary: Common files used by IPA client
403b09 
Group: System Environment/Base
403b09 
BuildArch: noarch
403b09
403b09 
Provides: %{alt_name}-client-common = %{version}
403b09 
Conflicts: %{alt_name}-client-common
403b09 
Obsoletes: %{alt_name}-client-common < %{version}
403b09
403b09 
%description client-common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
99b6f7
99b6f7
403b09 
%package python-compat
403b09 
Summary: Compatiblity package for Python libraries used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Obsoletes: %{name}-python < 4.2.91
403b09 
Provides: %{name}-python = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipalib = %{version}-%{release}
403b09
403b09 
Provides: %{alt_name}-python-compat = %{version}
403b09 
Conflicts: %{alt_name}-python-compat
403b09 
Obsoletes: %{alt_name}-python-compat < %{version}
403b09
403b09 
Obsoletes: %{alt_name}-python < 4.2.91
403b09 
Provides: %{alt_name}-python = %{version}
403b09
403b09 
%description python-compat
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
This is a compatibility package to accommodate %{name}-python split into
403b09 
python2-ipalib and %{name}-common. Packages still depending on
403b09 
%{name}-python should be fixed to depend on python2-ipaclient or
403b09 
%{name}-common instead.
403b09
403b09
403b09 
%package -n python2-ipalib
99b6f7 
Summary: Python libraries used by IPA
99b6f7 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Conflicts: %{name}-python < 4.2.91
ac7d03 
%{?python_provide:%python_provide python2-ipalib}
ac7d03 
%{!?python_provide:Provides: python-ipalib = %{version}-%{release}}
403b09 
Provides: python2-ipapython = %{version}-%{release}
ac7d03 
%{?python_provide:%python_provide python2-ipapython}
ac7d03 
%{!?python_provide:Provides: python-ipapython = %{version}-%{release}}
403b09 
Provides: python2-ipaplatform = %{version}-%{release}
ac7d03 
%{?python_provide:%python_provide python2-ipaplatform}
ac7d03 
%{!?python_provide:Provides: python-ipaplatform = %{version}-%{release}}
403b09 
Requires: %{name}-common = %{version}-%{release}
ac7d03 
# Bump because of #1457942 certauth: use canonical principal for lookups
ac7d03 
Requires: python-gssapi >= 1.2.0-3
99b6f7 
Requires: gnupg
99b6f7 
Requires: keyutils
99b6f7 
Requires: pyOpenSSL
ac7d03 
Requires: python >= 2.7.5-24
e3ffab 
Requires: python-nss >= 0.16
ac7d03 
Requires: python2-cryptography >= 1.4
99b6f7 
Requires: python-netaddr
590d18 
Requires: python-libipa_hbac
e3ffab 
Requires: python-qrcode-core >= 5.0.0
e3ffab 
Requires: python-pyasn1
ac7d03 
Requires: python-pyasn1-modules
e3ffab 
Requires: python-dateutil
590d18 
Requires: python-yubico >= 1.2.3
590d18 
Requires: python-sss-murmur
590d18 
Requires: dbus-python
590d18 
Requires: python-setuptools
403b09 
Requires: python-six
403b09 
Requires: python-jwcrypto
403b09 
Requires: python-cffi
403b09 
Requires: python-ldap >= 2.4.15
403b09 
Requires: python-requests
ac7d03 
Requires: python-dns >= 1.12.0-3
ac7d03 
Requires: python-enum34
403b09 
Requires: python-netifaces >= 0.10.4
403b09 
Requires: pyusb
403b09
403b09 
Conflicts: %{alt_name}-python < %{version}
403b09
403b09 
%description -n python2-ipalib
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA, you need to install this package.
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%package -n python3-ipalib
403b09 
Summary: Python3 libraries used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python3-ipalib}
403b09 
Provides: python3-ipapython = %{version}-%{release}
ac7d03 
%{?python_provide:%python_provide python3-ipapython}
403b09 
Provides: python3-ipaplatform = %{version}-%{release}
ac7d03 
%{?python_provide:%python_provide python3-ipaplatform}
403b09 
Requires: %{name}-common = %{version}-%{release}
ac7d03 
Requires: python3-gssapi >= 1.2.0
403b09 
Requires: gnupg
403b09 
Requires: keyutils
403b09 
Requires: python3-pyOpenSSL
403b09 
Requires: python3-nss >= 0.16
ac7d03 
Requires: python3-cryptography >= 1.4
403b09 
Requires: python3-netaddr
403b09 
Requires: python3-libipa_hbac
403b09 
Requires: python3-qrcode-core >= 5.0.0
403b09 
Requires: python3-pyasn1
ac7d03 
Requires: python3-pyasn1-modules
403b09 
Requires: python3-dateutil
403b09 
Requires: python3-yubico >= 1.2.3
403b09 
Requires: python3-sss-murmur
403b09 
Requires: python3-dbus
403b09 
Requires: python3-setuptools
403b09 
Requires: python3-six
403b09 
Requires: python3-jwcrypto
403b09 
Requires: python3-cffi
403b09 
Requires: python3-pyldap >= 2.4.15
403b09 
Requires: python3-requests
ac7d03 
Requires: python3-dns >= 1.12.0-3
403b09 
Requires: python3-netifaces >= 0.10.4
403b09 
Requires: python3-pyusb
403b09
403b09 
%description -n python3-ipalib
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA with Python 3, you need to install this package.
403b09
403b09 
%endif # with_python3
403b09
403b09
403b09 
%package common
403b09 
Summary: Common files used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Conflicts: %{name}-python < 4.2.91
403b09
403b09 
Provides: %{alt_name}-common = %{version}
403b09 
Conflicts: %{alt_name}-common
403b09 
Obsoletes: %{alt_name}-common < %{version}
403b09
403b09 
Conflicts: %{alt_name}-python < %{version}
e3ffab
403b09 
%description common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA, you need to install this package.
99b6f7
99b6f7
ac7d03 
%if 0%{?with_ipatests}
ac7d03
ac7d03 
%package -n python2-ipatests
ac7d03 
Summary: IPA tests and test tools
ac7d03 
BuildArch: noarch
ac7d03 
Obsoletes: %{name}-tests < 4.2.91
ac7d03 
Provides: %{name}-tests = %{version}-%{release}
ac7d03 
%{?python_provide:%python_provide python2-ipatests}
ac7d03 
%{!?python_provide:Provides: python-ipatests = %{version}-%{release}}
ac7d03 
Requires: python2-ipaclient = %{version}-%{release}
ac7d03 
Requires: python2-ipaserver = %{version}-%{release}
ac7d03 
Requires: tar
ac7d03 
Requires: xz
ac7d03 
Requires: python-nose
ac7d03 
Requires: pytest >= 2.6
ac7d03 
Requires: python-paste
ac7d03 
Requires: python-coverage
ac7d03 
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
ac7d03 
Requires: python2-polib
ac7d03 
Requires: python-pytest-multihost >= 0.5
ac7d03 
Requires: python-pytest-sourceorder
ac7d03 
Requires: ldns-utils
ac7d03 
Requires: python-sssdconfig
ac7d03 
Requires: python2-cryptography >= 1.4
ac7d03
ac7d03 
Provides: %{alt_name}-tests = %{version}
ac7d03 
Conflicts: %{alt_name}-tests
ac7d03 
Obsoletes: %{alt_name}-tests < %{version}
ac7d03
ac7d03 
%description -n python2-ipatests
ac7d03 
IPA is an integrated solution to provide centrally managed Identity (users,
ac7d03 
hosts, services), Authentication (SSO, 2FA), and Authorization
ac7d03 
(host access control, SELinux user roles, services). The solution provides
ac7d03 
features for further integration with Linux based clients (SUDO, automount)
ac7d03 
and integration with Active Directory based infrastructures (Trusts).
ac7d03 
This package contains tests that verify IPA functionality.
ac7d03
ac7d03
ac7d03 
%if 0%{?with_python3}
ac7d03
ac7d03 
%package -n python3-ipatests
ac7d03 
Summary: IPA tests and test tools
ac7d03 
BuildArch: noarch
ac7d03 
%{?python_provide:%python_provide python3-ipatests}
ac7d03 
Requires: python3-ipaclient = %{version}-%{release}
ac7d03 
# FIXME: uncomment once there's python3-ipaserver
ac7d03 
#Requires: python3-ipaserver = %{version}-%{release}
ac7d03 
Requires: tar
ac7d03 
Requires: xz
ac7d03 
Requires: python3-nose
ac7d03 
Requires: python3-pytest >= 2.6
ac7d03 
Requires: python3-coverage
ac7d03 
Requires: python3-polib
ac7d03 
Requires: python3-pytest-multihost >= 0.5
ac7d03 
Requires: python3-pytest-sourceorder
ac7d03 
Requires: ldns-utils
ac7d03 
Requires: python3-sssdconfig
ac7d03 
Requires: python3-cryptography >= 1.4
ac7d03
ac7d03 
%description -n python3-ipatests
ac7d03 
IPA is an integrated solution to provide centrally managed Identity (users,
ac7d03 
hosts, services), Authentication (SSO, 2FA), and Authorization
ac7d03 
(host access control, SELinux user roles, services). The solution provides
ac7d03 
features for further integration with Linux based clients (SUDO, automount)
ac7d03 
and integration with Active Directory based infrastructures (Trusts).
ac7d03 
This package contains tests that verify IPA functionality under Python 3.
ac7d03
ac7d03 
%endif # with_python3
ac7d03
ac7d03 
%endif # with_ipatests
e3ffab
e3ffab
99b6f7 
%prep
ac7d03 
%setup -n freeipa-%{version} -q
ac7d03
99b6f7 
# RHEL spec file only: START
99b6f7 
# Update timestamps on the files touched by a patch, to avoid non-equal
99b6f7 
# .pyc/.pyo files across the multilib peers within a build, where "Level"
99b6f7 
# is the patch prefix option (e.g. -p1)
99b6f7 
# Taken from specfile for sssd and python-simplejson
99b6f7 
UpdateTimestamps() {
99b6f7 
  Level=$1
99b6f7 
  PatchFile=$2
99b6f7
99b6f7 
  # Locate the affected files:
99b6f7 
  for f in $(diffstat $Level -l $PatchFile); do
99b6f7 
    # Set the files to have the same timestamp as that of the patch:
ac7d03 
    touch -c -r $PatchFile $f
99b6f7 
  done
99b6f7 
}
99b6f7 
for p in %patches ; do
99b6f7 
    %__patch -p1 -i $p
99b6f7 
    UpdateTimestamps -p1 $p
99b6f7 
done
99b6f7 
# RHEL spec file only: END
99b6f7
ac7d03 
%if 0%{?with_python3}
ac7d03 
# Workaround: We want to build Python things twice. To be sure we do not mess
ac7d03 
# up something, do two separate builds in separate directories.
ac7d03 
cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
ac7d03 
%endif # with_python3
ac7d03
ac7d03 
# RHEL spec file only: START: Change branding to IPA and Identity Management
e0b2c4 
#cp %SOURCE1 install/ui/images/header-logo.png
e0b2c4 
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
e0b2c4 
#cp %SOURCE3 install/ui/images/login-screen-logo.png
e0b2c4 
#cp %SOURCE4 install/ui/images/product-name.png
ac7d03 
# RHEL spec file only: END: Change branding to IPA and Identity Management
ac7d03
403b09
99b6f7 
%build
ac7d03 
# RHEL spec file only: START
ac7d03 
autoreconf -i -f
ac7d03 
# RHEL spec file only: END
e3ffab 
# UI compilation segfaulted on some arches when the stack was lower (#1040576)
e3ffab 
export JAVA_STACK_SIZE="8m"
ac7d03 
# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
ac7d03 
export PATH=/usr/bin:/usr/sbin:$PATH
ac7d03 
export PYTHON=%{__python2}
ac7d03 
# Workaround: make sure all shebangs are pointing to Python 2
ac7d03 
# This should be solved properly using setuptools
ac7d03 
# and this hack should be removed.
ac7d03 
find \
ac7d03 
	! -name '*.pyc' -a \
ac7d03 
	! -name '*.pyo' -a \
ac7d03 
	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
ac7d03 
	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
ac7d03 
%configure --with-vendor-suffix=-%{release} \
ac7d03 
           %{enable_server_option} \
ac7d03 
           %{with_ipatests_option} \
c303b2 
           %{linter_options} \
c303b2 
           --with-ipaplatform=rhel
ac7d03
ac7d03 
%make_build
e3ffab
ac7d03 
%if 0%{?with_python3}
ac7d03 
pushd %{_builddir}/freeipa-%{version}-python3
ac7d03 
export PYTHON=%{__python3}
ac7d03 
# Workaround: make sure all shebangs are pointing to Python 3
ac7d03 
# This should be solved properly using setuptools
ac7d03 
# and this hack should be removed.
ac7d03 
find \
ac7d03 
	! -name '*.pyc' -a \
ac7d03 
	! -name '*.pyo' -a \
ac7d03 
	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
ac7d03 
	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
ac7d03 
%configure --with-vendor-suffix=-%{release} \
ac7d03 
           %{enable_server_option} \
ac7d03 
           %{with_ipatests_option} \
ac7d03 
           %{linter_options}
ac7d03 
popd
ac7d03 
%endif # with_python3
403b09
403b09 
%check
ac7d03 
make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
403b09
403b09
99b6f7 
%install
ac7d03 
# Please put as much logic as possible into make install. It allows:
ac7d03 
# - easier porting to other distributions
ac7d03 
# - rapid devel & install cycle using make install
ac7d03 
#   (instead of full RPM build and installation each time)
ac7d03 
#
ac7d03 
# All files and directories created by spec install should be marked as ghost.
ac7d03 
# (These are typically configuration files created by IPA installer.)
ac7d03 
# All other artifacts should be created by make install.
ac7d03 
#
ac7d03 
# Exception to this rule are test programs which where want to install
ac7d03 
# Python2/3 versions at the same time so we need to rename them. Yuck.
403b09
ac7d03 
%if 0%{?with_python3}
ac7d03 
# Python 3 installation needs to be done first. Subsequent Python 2 install
ac7d03 
# will overwrite /usr/bin/ipa and other scripts with variants using
ac7d03 
# python2 shebang.
ac7d03 
pushd %{_builddir}/freeipa-%{version}-python3
ac7d03 
(cd ipaclient && %make_install)
ac7d03 
(cd ipalib && %make_install)
ac7d03 
(cd ipaplatform && %make_install)
ac7d03 
(cd ipapython && %make_install)
ac7d03 
%if ! %{ONLY_CLIENT}
ac7d03 
(cd ipaserver && %make_install)
99b6f7 
%endif # ONLY_CLIENT
ac7d03 
%if 0%{?with_ipatests}
ac7d03 
(cd ipatests && %make_install)
ac7d03 
%endif # with_ipatests
ac7d03 
popd
ac7d03
ac7d03 
%if 0%{?with_ipatests}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
ac7d03 
ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
ac7d03 
ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
ac7d03 
ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
ac7d03 
%endif # with_ipatests
99b6f7
403b09 
%endif # with_python3
403b09
ac7d03 
# Python 2 installation
ac7d03 
%make_install
ac7d03
ac7d03 
%if 0%{?with_ipatests}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python2_version}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python2_version}
ac7d03 
mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python2_version}
ac7d03 
ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2
ac7d03 
ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2
ac7d03 
ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2
ac7d03 
# test framework defaults to Python 2
ac7d03 
ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests
ac7d03 
ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config
ac7d03 
ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task
ac7d03 
%endif # with_ipatests
ac7d03
ac7d03 
# remove files which are useful only for make uninstall
ac7d03 
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
403b09
403b09 
%find_lang %{gettext_domain}
99b6f7
99b6f7 
%if ! %{ONLY_CLIENT}
99b6f7 
# Remove .la files from libtool - we don't want to package
99b6f7 
# these files
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_dns.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
e3ffab 
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
e3ffab 
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
590d18 
rm %{buildroot}/%{plugin_dir}/libtopology.la
99b6f7 
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
99b6f7 
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
99b6f7
99b6f7 
# So we can own our Apache configuration
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
590d18 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
99b6f7
99b6f7 
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
99b6f7 
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
99b6f7
ac7d03 
# RHEL spec file only: START: Package copy-schema-to-ca.py
ac7d03 
cp contrib/copy-schema-to-ca-RHEL6.py %{buildroot}%{_usr}/share/ipa/copy-schema-to-ca.py
ac7d03 
# RHEL spec file only: END: Package copy-schema-to-ca.py
ac7d03
99b6f7 
%endif # ONLY_CLIENT
99b6f7
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
e3ffab
e3ffab 
%if ! %{ONLY_CLIENT}
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%clean
99b6f7 
rm -rf %{buildroot}
99b6f7
403b09
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
99b6f7 
%post server
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl --system daemon-reload 2>&1 || :
99b6f7 
# END
99b6f7 
if [ $1 -gt 1 ] ; then
99b6f7 
    /bin/systemctl condrestart certmonger.service 2>&1 || :
99b6f7 
fi
403b09 
/bin/systemctl reload-or-try-restart dbus
403b09 
/bin/systemctl reload-or-try-restart oddjobd
99b6f7
99b6f7
403b09 
%posttrans server
403b09 
# don't execute upgrade and restart of IPA when server is not installed
e3ffab 
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
403b09
99b6f7 
if [  $? -eq 0 ]; then
403b09 
    # This must be run in posttrans so that updates from previous
403b09 
    # execution that may no longer be shipped are not applied.
403b09 
    /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
403b09
403b09 
    # Restart IPA processes. This must be also run in postrans so that plugins
403b09 
    # and software is in consistent state
403b09 
    # NOTE: systemd specific section
403b09
e3ffab 
    /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
e3ffab 
    if [  $? -eq 0 ]; then
e3ffab 
        /bin/systemctl restart ipa.service >/dev/null 2>&1 || :
e3ffab 
    fi
99b6f7 
fi
99b6f7 
# END
99b6f7
403b09
99b6f7 
%preun server
99b6f7 
if [ $1 = 0 ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl --quiet stop ipa.service || :
99b6f7 
    /bin/systemctl --quiet disable ipa.service || :
403b09 
    /bin/systemctl reload-or-try-restart dbus
403b09 
    /bin/systemctl reload-or-try-restart oddjobd
99b6f7 
# END
99b6f7 
fi
99b6f7
403b09
99b6f7 
%pre server
99b6f7 
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
99b6f7 
# zombie process when we're done.
99b6f7 
if [ -e /usr/sbin/ipa_kpasswd ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
99b6f7 
# END
99b6f7 
fi
99b6f7
ac7d03 
# create users and groups
ac7d03 
# create kdcproxy group and user
ac7d03 
getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
ac7d03 
getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
ac7d03 
# create ipaapi group and user
ac7d03 
getent group ipaapi >/dev/null || groupadd -f -r ipaapi
ac7d03 
getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
ac7d03 
# add apache to ipaaapi group
ac7d03 
id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
403b09
99b6f7 
%postun server-trust-ad
99b6f7 
if [ "$1" -ge "1" ]; then
99b6f7 
    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
99b6f7 
        %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
99b6f7 
    fi
99b6f7 
fi
99b6f7
403b09
99b6f7 
%post server-trust-ad
99b6f7 
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
99b6f7 
        winbind_krb5_locator.so /dev/null 90
590d18 
/bin/systemctl reload-or-try-restart dbus
590d18 
/bin/systemctl reload-or-try-restart oddjobd
99b6f7
403b09
99b6f7 
%posttrans server-trust-ad
e3ffab 
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
99b6f7 
if [  $? -eq 0 ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
99b6f7 
# END
99b6f7 
fi
99b6f7
403b09
99b6f7 
%preun server-trust-ad
99b6f7 
if [ $1 -eq 0 ]; then
99b6f7 
    %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
590d18 
    /bin/systemctl reload-or-try-restart dbus
590d18 
    /bin/systemctl reload-or-try-restart oddjobd
99b6f7 
fi
e3ffab
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%post client
99b6f7 
if [ $1 -gt 1 ] ; then
99b6f7 
    # Has the client been configured?
99b6f7 
    restore=0
99b6f7 
    test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
99b6f7
99b6f7 
    if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
99b6f7 
        if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
99b6f7 
            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
99b6f7 
            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
590d18 
            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
99b6f7 
        fi
99b6f7 
    fi
e3ffab
ac7d03 
    if [ $restore -ge 2 ]; then
ac7d03 
        if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
ac7d03 
            sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
ac7d03 
            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
ac7d03 
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
ac7d03 
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
ac7d03 
        fi
ac7d03 
    fi
ac7d03
e3ffab 
    if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
e3ffab 
        if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
e3ffab 
            sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
590d18 
            mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
e3ffab
e3ffab 
            /bin/systemctl condrestart ntpd.service 2>&1 || :
e3ffab 
        fi
e3ffab 
    fi
e3ffab
403b09 
    if [ $restore -ge 2 ]; then
ac7d03 
        python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
e3ffab 
    fi
99b6f7 
fi
99b6f7
403b09
403b09 
%triggerin client -- openssh-server
99b6f7 
# Has the client been configured?
99b6f7 
restore=0
99b6f7 
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
99b6f7
99b6f7 
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
99b6f7 
    if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
99b6f7 
        sed -r '
99b6f7 
            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
99b6f7 
        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
99b6f7
ac7d03 
        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
99b6f7 
            sed -ri '
99b6f7 
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
99b6f7 
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
ac7d03 
        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
99b6f7 
            sed -ri '
99b6f7 
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
99b6f7 
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
ac7d03 
        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
99b6f7 
            sed -ri '
99b6f7 
                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
99b6f7 
                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
99b6f7 
        fi
99b6f7
590d18 
        mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
99b6f7 
        chmod 600 /etc/ssh/sshd_config
99b6f7
99b6f7 
        /bin/systemctl condrestart sshd.service 2>&1 || :
99b6f7 
    fi
99b6f7 
fi
99b6f7
403b09
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
403b09 
%files server
99b6f7 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
e3ffab 
%{_sbindir}/ipa-backup
e3ffab 
%{_sbindir}/ipa-restore
99b6f7 
%{_sbindir}/ipa-ca-install
590d18 
%{_sbindir}/ipa-kra-install
99b6f7 
%{_sbindir}/ipa-server-install
99b6f7 
%{_sbindir}/ipa-replica-conncheck
99b6f7 
%{_sbindir}/ipa-replica-install
99b6f7 
%{_sbindir}/ipa-replica-prepare
99b6f7 
%{_sbindir}/ipa-replica-manage
99b6f7 
%{_sbindir}/ipa-csreplica-manage
99b6f7 
%{_sbindir}/ipa-server-certinstall
590d18 
%{_sbindir}/ipa-server-upgrade
99b6f7 
%{_sbindir}/ipa-ldap-updater
e3ffab 
%{_sbindir}/ipa-otptoken-import
99b6f7 
%{_sbindir}/ipa-compat-manage
99b6f7 
%{_sbindir}/ipa-nis-manage
99b6f7 
%{_sbindir}/ipa-managed-entries
99b6f7 
%{_sbindir}/ipactl
99b6f7 
%{_sbindir}/ipa-advise
e3ffab 
%{_sbindir}/ipa-cacert-manage
590d18 
%{_sbindir}/ipa-winsync-migrate
ac7d03 
%{_sbindir}/ipa-pkinit-manage
e3ffab 
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
e3ffab 
%{_libexecdir}/certmonger/ipa-server-guard
e3ffab 
%dir %{_libexecdir}/ipa
ac7d03 
%{_libexecdir}/ipa/ipa-custodia
590d18 
%{_libexecdir}/ipa/ipa-dnskeysyncd
590d18 
%{_libexecdir}/ipa/ipa-dnskeysync-replica
590d18 
%{_libexecdir}/ipa/ipa-ods-exporter
590d18 
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
403b09 
%{_libexecdir}/ipa/ipa-pki-retrieve-key
ac7d03 
%{_libexecdir}/ipa/ipa-otpd
403b09 
%dir %{_libexecdir}/ipa/oddjob
403b09 
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
403b09 
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
403b09 
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
ac7d03 
%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
403b09 
%dir %{_libexecdir}/ipa/certmonger
403b09 
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
99b6f7 
# NOTE: systemd specific section
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa.service
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
590d18 
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
590d18 
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
590d18 
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
e3ffab 
# END
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
403b09 
%attr(755,root,root) %{plugin_dir}/libtopology.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
403b09 
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
ac7d03 
%{_mandir}/man1/ipa-replica-conncheck.1*
ac7d03 
%{_mandir}/man1/ipa-replica-install.1*
ac7d03 
%{_mandir}/man1/ipa-replica-manage.1*
ac7d03 
%{_mandir}/man1/ipa-csreplica-manage.1*
ac7d03 
%{_mandir}/man1/ipa-replica-prepare.1*
ac7d03 
%{_mandir}/man1/ipa-server-certinstall.1*
ac7d03 
%{_mandir}/man1/ipa-server-install.1*
ac7d03 
%{_mandir}/man1/ipa-server-upgrade.1*
ac7d03 
%{_mandir}/man1/ipa-ca-install.1*
ac7d03 
%{_mandir}/man1/ipa-kra-install.1*
ac7d03 
%{_mandir}/man1/ipa-compat-manage.1*
ac7d03 
%{_mandir}/man1/ipa-nis-manage.1*
ac7d03 
%{_mandir}/man1/ipa-managed-entries.1*
ac7d03 
%{_mandir}/man1/ipa-ldap-updater.1*
ac7d03 
%{_mandir}/man8/ipactl.8*
ac7d03 
%{_mandir}/man1/ipa-backup.1*
ac7d03 
%{_mandir}/man1/ipa-restore.1*
ac7d03 
%{_mandir}/man1/ipa-advise.1*
ac7d03 
%{_mandir}/man1/ipa-otptoken-import.1*
ac7d03 
%{_mandir}/man1/ipa-cacert-manage.1*
ac7d03 
%{_mandir}/man1/ipa-winsync-migrate.1*
ac7d03 
%{_mandir}/man1/ipa-pkinit-manage.1*
ac7d03
ac7d03 
%files -n python2-ipaserver
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
ac7d03 
%{python2_sitelib}/ipaserver
ac7d03 
%{python2_sitelib}/ipaserver-*.egg-info
ac7d03
ac7d03
ac7d03 
%if 0%{?with_python3}
ac7d03
ac7d03 
%files -n python3-ipaserver
ac7d03 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
ac7d03 
%license COPYING
ac7d03 
%{python3_sitelib}/ipaserver
ac7d03 
%{python3_sitelib}/ipaserver-*.egg-info
ac7d03
ac7d03 
%endif # with_python3
403b09
403b09
403b09 
%files server-common
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
403b09 
%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
403b09 
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
403b09 
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
403b09 
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
403b09 
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
403b09 
%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
403b09 
# END
99b6f7 
%dir %{_usr}/share/ipa
99b6f7 
%{_usr}/share/ipa/wsgi.py*
ac7d03 
# RHEL spec file only: START: Package copy-schema-to-ca.py
99b6f7 
%{_usr}/share/ipa/copy-schema-to-ca.py*
ac7d03 
# RHEL spec file only: END: Package copy-schema-to-ca.py
99b6f7 
%{_usr}/share/ipa/*.ldif
99b6f7 
%{_usr}/share/ipa/*.uldif
99b6f7 
%{_usr}/share/ipa/*.template
ac7d03 
%{_usr}/share/ipa/ipa.conf.tmpfiles
99b6f7 
%dir %{_usr}/share/ipa/advise
99b6f7 
%dir %{_usr}/share/ipa/advise/legacy
99b6f7 
%{_usr}/share/ipa/advise/legacy/*.template
590d18 
%dir %{_usr}/share/ipa/profiles
590d18 
%{_usr}/share/ipa/profiles/*.cfg
99b6f7 
%dir %{_usr}/share/ipa/html
99b6f7 
%{_usr}/share/ipa/html/ffconfig.js
99b6f7 
%{_usr}/share/ipa/html/ffconfig_page.js
99b6f7 
%{_usr}/share/ipa/html/ssbrowser.html
99b6f7 
%{_usr}/share/ipa/html/browserconfig.html
99b6f7 
%{_usr}/share/ipa/html/unauthorized.html
99b6f7 
%dir %{_usr}/share/ipa/migration
99b6f7 
%{_usr}/share/ipa/migration/error.html
99b6f7 
%{_usr}/share/ipa/migration/index.html
99b6f7 
%{_usr}/share/ipa/migration/invalid.html
99b6f7 
%{_usr}/share/ipa/migration/migration.py*
99b6f7 
%dir %{_usr}/share/ipa/ui
99b6f7 
%{_usr}/share/ipa/ui/index.html
99b6f7 
%{_usr}/share/ipa/ui/reset_password.html
e3ffab 
%{_usr}/share/ipa/ui/sync_otp.html
99b6f7 
%{_usr}/share/ipa/ui/*.ico
99b6f7 
%{_usr}/share/ipa/ui/*.css
99b6f7 
%{_usr}/share/ipa/ui/*.js
e3ffab 
%dir %{_usr}/share/ipa/ui/css
e3ffab 
%{_usr}/share/ipa/ui/css/*.css
9991ea 
%dir %{_usr}/share/ipa/ui/js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/dojo
99b6f7 
%{_usr}/share/ipa/ui/js/dojo/dojo.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/libs
99b6f7 
%{_usr}/share/ipa/ui/js/libs/*.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/freeipa
99b6f7 
%{_usr}/share/ipa/ui/js/freeipa/app.js
e3ffab 
%{_usr}/share/ipa/ui/js/freeipa/core.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/plugins
99b6f7 
%dir %{_usr}/share/ipa/ui/images
e3ffab 
%{_usr}/share/ipa/ui/images/*.jpg
99b6f7 
%{_usr}/share/ipa/ui/images/*.png
99b6f7 
%dir %{_usr}/share/ipa/wsgi
99b6f7 
%{_usr}/share/ipa/wsgi/plugins.py*
99b6f7 
%dir %{_sysconfdir}/ipa
99b6f7 
%dir %{_sysconfdir}/ipa/html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
590d18 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
590d18 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
99b6f7 
%{_usr}/share/ipa/ipa.conf
99b6f7 
%{_usr}/share/ipa/ipa-rewrite.conf
99b6f7 
%{_usr}/share/ipa/ipa-pki-proxy.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
99b6f7 
%dir %{_usr}/share/ipa/updates/
99b6f7 
%{_usr}/share/ipa/updates/*
99b6f7 
%dir %{_localstatedir}/lib/ipa
e3ffab 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
ac7d03 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
99b6f7 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
99b6f7 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
99b6f7 
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
99b6f7 
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
e3ffab 
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
403b09 
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
ac7d03 
%dir %{_usr}/share/ipa/schema.d
ac7d03 
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
ac7d03 
%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login
ac7d03 
%{_usr}/share/ipa/ipakrb5.aug
590d18
590d18 
%files server-dns
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
590d18 
%{_sbindir}/ipa-dns-install
ac7d03 
%{_mandir}/man1/ipa-dns-install.1*
99b6f7
403b09
99b6f7 
%files server-trust-ad
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
99b6f7 
%{_sbindir}/ipa-adtrust-install
99b6f7 
%{_usr}/share/ipa/smb.conf.empty
99b6f7 
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
ac7d03 
%{_mandir}/man1/ipa-adtrust-install.1*
99b6f7 
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
590d18 
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
590d18 
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
403b09 
%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
99b6f7
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%files client
99b6f7 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
99b6f7 
%{_sbindir}/ipa-client-install
99b6f7 
%{_sbindir}/ipa-client-automount
e3ffab 
%{_sbindir}/ipa-certupdate
99b6f7 
%{_sbindir}/ipa-getkeytab
99b6f7 
%{_sbindir}/ipa-rmkeytab
99b6f7 
%{_sbindir}/ipa-join
ac7d03 
%{_bindir}/ipa
ac7d03 
%config %{_sysconfdir}/bash_completion.d
ac7d03 
%{_mandir}/man1/ipa.1*
ac7d03 
%{_mandir}/man1/ipa-getkeytab.1*
ac7d03 
%{_mandir}/man1/ipa-rmkeytab.1*
ac7d03 
%{_mandir}/man1/ipa-client-install.1*
ac7d03 
%{_mandir}/man1/ipa-client-automount.1*
ac7d03 
%{_mandir}/man1/ipa-certupdate.1*
ac7d03 
%{_mandir}/man1/ipa-join.1*
403b09
403b09
403b09 
%files -n python2-ipaclient
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
403b09 
%dir %{python_sitelib}/ipaclient
403b09 
%{python_sitelib}/ipaclient/*.py*
ac7d03 
%dir %{python_sitelib}/ipaclient/install
ac7d03 
%{python_sitelib}/ipaclient/install/*.py*
ac7d03 
%dir %{python_sitelib}/ipaclient/plugins
403b09 
%{python_sitelib}/ipaclient/plugins/*.py*
ac7d03 
%dir %{python_sitelib}/ipaclient/remote_plugins
403b09 
%{python_sitelib}/ipaclient/remote_plugins/*.py*
403b09 
%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
403b09 
%{python_sitelib}/ipaclient-*.egg-info
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%files -n python3-ipaclient
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
403b09 
%dir %{python3_sitelib}/ipaclient
403b09 
%{python3_sitelib}/ipaclient/*.py
403b09 
%{python3_sitelib}/ipaclient/__pycache__/*.py*
ac7d03 
%dir %{python3_sitelib}/ipaclient/install
ac7d03 
%{python3_sitelib}/ipaclient/install/*.py
ac7d03 
%{python3_sitelib}/ipaclient/install/__pycache__/*.py*
ac7d03 
%dir %{python3_sitelib}/ipaclient/plugins
403b09 
%{python3_sitelib}/ipaclient/plugins/*.py
403b09 
%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
ac7d03 
%dir %{python3_sitelib}/ipaclient/remote_plugins
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/*.py
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
ac7d03 
# RHEL spec file only: DELETED: Remove csrgen
403b09 
%{python3_sitelib}/ipaclient-*.egg-info
403b09
403b09 
%endif # with_python3
403b09
403b09
403b09 
%files client-common
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
403b09 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
403b09 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
403b09 
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
403b09 
%dir %{_localstatedir}/lib/ipa-client
ac7d03 
%dir %{_localstatedir}/lib/ipa-client/pki
403b09 
%dir %{_localstatedir}/lib/ipa-client/sysrestore
ac7d03 
%{_mandir}/man5/default.conf.5*
99b6f7
403b09
403b09 
%files python-compat
99b6f7 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
403b09
403b09
403b09 
%files -n python2-ipalib
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
99b6f7 
%dir %{python_sitelib}/ipapython
99b6f7 
%{python_sitelib}/ipapython/*.py*
590d18 
%dir %{python_sitelib}/ipapython/install
590d18 
%{python_sitelib}/ipapython/install/*.py*
99b6f7 
%dir %{python_sitelib}/ipalib
ac7d03 
%{python_sitelib}/ipalib/*.py*
ac7d03 
%dir %{python_sitelib}/ipalib/install
ac7d03 
%{python_sitelib}/ipalib/install/*.py*
e3ffab 
%dir %{python_sitelib}/ipaplatform
e3ffab 
%{python_sitelib}/ipaplatform/*
99b6f7 
%{python_sitelib}/ipapython-*.egg-info
403b09 
%{python_sitelib}/ipalib-*.egg-info
e3ffab 
%{python_sitelib}/ipaplatform-*.egg-info
db5969
a809a6
403b09 
%files common -f %{gettext_domain}.lang
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
d3dad6
0843e2
403b09 
%if 0%{?with_python3}
aa60fb
403b09 
%files -n python3-ipalib
403b09 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
403b09 
%license COPYING
aa60fb
403b09 
%{python3_sitelib}/ipapython/
403b09 
%{python3_sitelib}/ipalib/
403b09 
%{python3_sitelib}/ipaplatform/
403b09 
%{python3_sitelib}/ipapython-*.egg-info
403b09 
%{python3_sitelib}/ipalib-*.egg-info
403b09 
%{python3_sitelib}/ipaplatform-*.egg-info
aa60fb
403b09 
%endif # with_python3
aa60fb
aa60fb
ac7d03 
%if 0%{?with_ipatests}
ac7d03
ac7d03 
%files -n python2-ipatests
ac7d03 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
ac7d03 
%license COPYING
ac7d03 
%{python_sitelib}/ipatests
ac7d03 
%{python_sitelib}/ipatests-*.egg-info
ac7d03 
%{_bindir}/ipa-run-tests
ac7d03 
%{_bindir}/ipa-test-config
ac7d03 
%{_bindir}/ipa-test-task
ac7d03 
%{_bindir}/ipa-run-tests-2
ac7d03 
%{_bindir}/ipa-test-config-2
ac7d03 
%{_bindir}/ipa-test-task-2
ac7d03 
%{_bindir}/ipa-run-tests-%{python2_version}
ac7d03 
%{_bindir}/ipa-test-config-%{python2_version}
ac7d03 
%{_bindir}/ipa-test-task-%{python2_version}
ac7d03 
%{_mandir}/man1/ipa-run-tests.1*
ac7d03 
%{_mandir}/man1/ipa-test-config.1*
ac7d03 
%{_mandir}/man1/ipa-test-task.1*
ac7d03
ac7d03 
%if 0%{?with_python3}
ac7d03
ac7d03 
%files -n python3-ipatests
ac7d03 
%defattr(-,root,root,-)
ac7d03 
%doc README.md Contributors.txt
ac7d03 
%license COPYING
ac7d03 
%{python3_sitelib}/ipatests
ac7d03 
%{python3_sitelib}/ipatests-*.egg-info
ac7d03 
%{_bindir}/ipa-run-tests-3
ac7d03 
%{_bindir}/ipa-test-config-3
ac7d03 
%{_bindir}/ipa-test-task-3
ac7d03 
%{_bindir}/ipa-run-tests-%{python3_version}
ac7d03 
%{_bindir}/ipa-test-config-%{python3_version}
ac7d03 
%{_bindir}/ipa-test-task-%{python3_version}
ac7d03
ac7d03 
%endif # with_python3
ac7d03
ac7d03 
%endif # with_ipatests
aa60fb
e0ab38
403b09 
%changelog
c303b2 
* Thu Nov 30 2017 Johnny Hughes <johnny@centos.org> - 4.5.0-22.el7.centos
c303b2 
- set ipaplatform to rhel for compatibilty for updates
c303b2
e0b2c4 
* Thu Nov 30 2017 CentOS Sources <bugs@centos.org> - 4.5.0-22.el7.centos
e0b2c4 
- Roll in CentOS Branding
e0b2c4
3f8296 
* Fri Oct 27 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-22.el7
3f8296 
- Resolves: #1506528 In case full PKINIT configuration is failing during
3f8296 
  server/replica install the error message should be more meaningful.
3f8296 
    - Less confusing message for PKINIT configuration during install
3f8296 
- Resolves: #1506526 Use X509v3 Basic Constraints "CA:TRUE" instead of
3f8296 
  "CA:FALSE" IPA CA CSR
3f8296 
    - Include the CA basic constraint in CSRs when renewing a CA
3f8296 
- Resolves: #1506913 ipa-replica-install might fail because of an already
3f8296 
  existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
3f8296 
    - Checks if replica-s4u2proxy.ldif should be applied
3f8296 
- Resolves: #1506525 server-del doesn't remove dns-server configuration
3f8296 
  from ldap
3f8296 
    - server.py: Removes dns-server configuration from ldap
8ae601
460745 
* Wed Sep 20 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2.2
460745 
- Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports
460745 
  expecting IPA services listening on IPv6 ports
460745 
    - Make sure upgrade also checks for IPv6 stack
460745 
    - control logging of host_port_open from caller
460745 
    - log progress of wait_for_open_ports
460745 
- Resolves: #1493411 ipa help command returns traceback when no cache
460745 
  is present
460745 
    - Store help in Schema before writing to disk
460745 
    - Disable pylint in get_help function because of type confusion.
460745
460745 
* Tue Sep 19 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2
460745 
- Resolves: #1486794 - [ipa-replica-install] - 406 Client Error: Failed to
460745 
  validate message: Incorrect number of results (0) searching forpublic
460745 
  key for host
460745 
    - Always check peer has keys before connecting
460745 
- Resolves: #1489300 - Unable to set ca renewal master on replica
460745 
    - Fix ipa config-mod --ca-renewal-master
460745 
- Resolves: #1489815 - TypeError in renew_ca_cert prevents from swiching
460745 
  back to self-signed CA
460745 
    - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
460745 
- Resolves: #1489817 - ipa-server-upgrade failes with "This entry already exists"
460745 
    - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists
460745 
- Resolves: #1490331 - FreeIPA/IdM installations which were upgraded from
460745 
  versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and
460745 
  thus startup of Web UI fails
460745 
    - Adds whoami DS plugin in case that plugin is missing
460745 
- Resolves: #1491545 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5
460745 
    - Fixing how sssd.conf is updated when promoting a client to replica
460745 
- Resolves: #1492616 - ipa-otptoken-import - XML file is missing PBKDF2
460745 
  parameters!
460745 
    - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
460745 
- Resolves: #1493153 - Updating from RHEL 7.3 fails with Server-Cert not found
460745 
  (ipa-server-upgrade)
460745 
    - Backport 4-5: Fix ipa-server-upgrade with server cert tracking
3169c7
b38368 
* Wed Aug 16 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.2
b38368 
- Fixing issues reported by Errata tool
b38368
b38368 
* Tue Aug 15 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1.1
b38368 
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
b38368 
  (new installs only)
b38368 
  - Restore old version of caIPAserviceCert for upgrade only
b38368
b38368 
* Tue Aug 1 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1
b38368 
- Resolves: #1473272 Provide a tooling automating the configuration
b38368 
  of Smart Card authentication on a FreeIPA master
b38368 
  - smart-card advises: configure systemwide NSS DB also on master
b38368 
  - smart-card advises: add steps to store smart card signing CA cert
b38368 
  - Allow to pass in multiple CA cert paths to the smart card advises
b38368 
  - add a class that tracks the indentation in the generated advises
b38368 
  - delegate the indentation handling in advises to dedicated class
b38368 
  - advise: add an infrastructure for formatting Bash compound statements
b38368 
  - delegate formatting of compound Bash statements to dedicated classes
b38368 
  - Fix indentation of statements in Smart card advises
b38368 
  - Use the compound statement formatting API for configuring PKINIT
b38368 
  - smart card advises: use a wrapper around Bash `for` loops
b38368 
  - smart card advise: use password when changing trust flags on HTTP cert
b38368 
  - smart-card-advises: ensure that krb5-pkinit is installed on client
b38368 
- Resolves: #1477046 Use CommonNameToSANDefault in default profile
b38368 
  (new installs only)
b38368 
  - Add CommonNameToSANDefault to default cert profile
b38368 
- Resolves: #1475664 NULL LDAP context in call to ldap_search_ext_s
b38368 
  during search in cn=ad,cn=trusts,dc=example,dc=com
b38368 
  - NULL LDAP context in call to ldap_search_ext_s during search
080ee6
8ec14d 
* Wed Jul 12 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7
8ec14d 
- Resolves: #1470125 Replica install fails to configure IPA-specific
8ec14d 
  temporary files/directories
8ec14d 
  - replica install: drop-in IPA specific config to tmpfiles.d
8ec14d 
- Resolves: #1469978 bind package is not automatically updated during
8ec14d 
  ipa-server upgrade process
8ec14d 
  - Bumped Required version of bind-dyndb-ldap and bind package
0c092f
ac7d03 
* Tue Jun 27 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-20.el7
ac7d03 
- Resolves: #1452216 Replica installation grants HTTP principal
ac7d03 
  access in WebUI
ac7d03 
  - Make sure we check ccaches in all rpcserver paths
ac7d03
ac7d03 
* Wed Jun 21 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-19.el7
ac7d03 
- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
ac7d03 
  internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
ac7d03 
  - ipa-sam: replace encode_nt_key() with E_md4hash()
ac7d03 
  - ipa_pwd_extop: do not generate NT hashes in FIPS mode
ac7d03 
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
ac7d03 
  IP address is not found on local interfaces
ac7d03 
  - Fix local IP address validation
ac7d03 
  - ipa-dns-install: remove check for local ip address
ac7d03 
  - refactor CheckedIPAddress class
ac7d03 
  - CheckedIPAddress: remove match_local param
ac7d03 
  - Remove ip_netmask from option parser
ac7d03 
  - replica install: add missing check for non-local IP address
ac7d03 
  - Remove network and broadcast address warnings
ac7d03
ac7d03 
* Thu Jun 15 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-18.el7
ac7d03 
- Resolves: #1449189 ipa-kra-install timeouts on replica
ac7d03 
  - kra: promote: Get ticket before calling custodia
ac7d03
ac7d03 
* Wed Jun 14 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-17.el7
ac7d03 
- Resolve: #1455946 Provide a tooling automating the configuration
ac7d03 
  of Smart Card authentication on a FreeIPA master
ac7d03 
  - server certinstall: update KDC master entry
ac7d03 
  - pkinit manage: introduce ipa-pkinit-manage
ac7d03 
  - server upgrade: do not enable PKINIT by default
ac7d03 
  - Extend the advice printing code by some useful abstractions
ac7d03 
  - Prepare advise plugin for smart card auth configuration
ac7d03 
- Resolve: #1461053 allow to modify list of UPNs of a trusted forest
ac7d03 
  - trust-mod: allow modifying list of UPNs of a trusted forest
ac7d03 
  - WebUI: add support for changing trust UPN suffixes
ac7d03
ac7d03 
* Wed Jun 7 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-16.el7
ac7d03 
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
ac7d03 
  IP address is not found on local interfaces
ac7d03 
  - Only warn when specified server IP addresses don't match intf
ac7d03 
- Resolves: #1438016 gssapi errors after IPA server upgrade
ac7d03 
  - Bump version of python-gssapi
ac7d03 
- Resolves: #1457942 certauth: use canonical principal for lookups
ac7d03 
  - ipa-kdb: use canonical principal in certauth plugin
ac7d03 
- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid
ac7d03 
  breaking older clients
ac7d03 
  - Add code to be able to set default kinit lifetime
ac7d03 
  - Revert setting sessionMaxAge for old clients
ac7d03
ac7d03 
* Wed Jun 7 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-15.el7
ac7d03 
- Resolves: #1442233 IPA client commands fail when pointing to replica
ac7d03 
  - httpinstance: wait until the service entry is replicated
ac7d03 
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then
ac7d03 
  not indexed
ac7d03 
  - Fix index definition for ipaAnchorUUID
ac7d03 
- Resolves: #1438016 gssapi errors after IPA server upgrade
ac7d03 
  - Avoid possible endless recursion in RPC call
ac7d03 
  - rpc: preparations for recursion fix
ac7d03 
  - rpc: avoid possible recursion in create_connection
ac7d03 
- Resolves: #1446087 services entries missing krbCanonicalName attribute.
ac7d03 
  - Changing cert-find to do not use only primary key to search in LDAP.
ac7d03 
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
ac7d03 
  - ipa-kdb: reload certificate mapping rules periodically
ac7d03 
- Resolves: #1455541 after upgrade login from web ui breaks
ac7d03 
  - kdc.key should not be visible to all
ac7d03 
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
ac7d03 
  - ipa-kdb: add pkinit authentication indicator in case of a successful
ac7d03 
    certauth
ac7d03 
- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate
ac7d03 
  issuance when ipa-ca records are not resolvable
ac7d03 
  - Turn off OCSP check
ac7d03 
- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 -
ac7d03 
  server_del - TypeError: 'NoneType' object is not iterable
ac7d03 
  - fix incorrect suffix handling in topology checks
ac7d03
ac7d03 
* Wed May 24 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-14.el7
ac7d03 
- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
ac7d03 
  handle PKINIT certificates/anchors
ac7d03 
  - certdb: add named trust flag constants
ac7d03 
  - certdb, certs: make trust flags argument mandatory
ac7d03 
  - certdb: use custom object for trust flags
ac7d03 
  - install: trust IPA CA for PKINIT
ac7d03 
  - client install: fix client PKINIT configuration
ac7d03 
  - install: introduce generic Kerberos Augeas lens
ac7d03 
  - server install: fix KDC PKINIT configuration
ac7d03 
  - ipapython.ipautil.run: Add option to set umask before executing command
ac7d03 
  - certs: do not export keys world-readable in install_key_from_p12
ac7d03 
  - certs: do not export CA certs in install_pem_from_p12
ac7d03 
  - server install: fix KDC certificate validation in CA-less
ac7d03 
  - replica install: respect --pkinit-cert-file
ac7d03 
  - cacert manage: support PKINIT
ac7d03 
  - server certinstall: support PKINIT
ac7d03 
- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file
ac7d03 
  option
ac7d03 
  - certs: do not export CA certs in install_pem_from_p12
ac7d03 
  - server install: fix KDC certificate validation in CA-less
ac7d03 
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been
ac7d03 
  decommissioned
ac7d03 
  - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
ac7d03 
- Resolves: #1451712 KRA installation fails on server that was originally
ac7d03 
  installed as CA-less
ac7d03 
  - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
ac7d03 
- Resolves: #1441499 ipa cert-show does not raise error if no file name
ac7d03 
  specified
ac7d03 
  - ca/cert-show: check certificate_out in options
ac7d03 
- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+
ac7d03 
  - Remove pkinit-anonymous command
ac7d03 
- Resolves: #1449523 Provide an API command to retrieve PKINIT status
ac7d03 
  in the FreeIPA topology
ac7d03 
  - Allow for multivalued server attributes
ac7d03 
  - Refactor the role/attribute member reporting code
ac7d03 
  - Add an attribute reporting client PKINIT-capable servers
ac7d03 
  - Add the list of PKINIT servers as a virtual attribute to global config
ac7d03 
  - Add `pkinit-status` command
ac7d03 
  - test_serverroles: Get rid of MockLDAP and use ldap2 instead
ac7d03 
- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI
ac7d03 
  - Fix rare race condition with missing ccache file
ac7d03 
- Resolves: #1455045 Simple service uninstallers must be able to handle
ac7d03 
  missing service files gracefully
ac7d03 
  - only stop/disable simple service if it is installed
ac7d03 
- Resolves: #1455541 after upgrade login from web ui breaks
ac7d03 
  - krb5: make sure KDC certificate is readable
ac7d03 
- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing
ac7d03 
  command "ipa cert-request --add" after upgrade
ac7d03 
  - Change python-cryptography to python2-cryptography
ac7d03
ac7d03 
* Thu May 18 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-13.el7
ac7d03 
- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'"
ac7d03 
  error observed during ipa upgrade with latest package.
ac7d03 
  - ipa-server-install: fix uninstall
ac7d03 
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break
ac7d03 
  replica
ac7d03 
  - ca install: merge duplicated code for DM password
ac7d03 
  - installutils: add DM password validator
ac7d03 
  - ca, kra install: validate DM password
ac7d03
ac7d03 
* Tue May 16 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-12.el7
ac7d03 
- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy
ac7d03 
  - python2-ipalib: add missing python dependency
ac7d03 
  - installer service: fix typo in service entry
ac7d03 
  - upgrade: add missing suffix to http instance
ac7d03 
- Resolves: #1444791 Update man page of ipa-kra-install
ac7d03 
  - ipa-kra-install manpage: document domain-level 1
ac7d03 
- Resolves: #1441493 ipa cert-show raises stack traces when
ac7d03 
  --certificate-out=/tmp
ac7d03 
  - cert-show: writable files does not mean dirs
ac7d03 
- Resolves: #1441192 Add the name of URL parameter which will be check for
ac7d03 
  username during cert login
ac7d03 
  - Bump version of ipa.conf file
ac7d03 
- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login
ac7d03 
  - Turn on NSSOCSP check in mod_nss conf
ac7d03 
- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting
ac7d03 
  template on
ac7d03 
  - renew agent: respect CA renewal master setting
ac7d03 
  - server upgrade: always fix certmonger tracking request
ac7d03 
  - cainstance: use correct profile for lightweight CA certificates
ac7d03 
  - renew agent: allow reusing existing certs
ac7d03 
  - renew agent: always export CSR on IPA CA certificate renewal
ac7d03 
  - renew agent: get rid of virtual profiles
ac7d03 
  - ipa-cacert-manage: add --external-ca-type
ac7d03 
- Resolves: #1441593 error adding authenticator indicators to host
ac7d03 
  - Fixing adding authenticator indicators to host
ac7d03 
- Resolves: #1449525 Set directory ownership in spec file
ac7d03 
  - Added plugins directory to ipaclient subpackages
ac7d03 
  - ipaclient: fix missing RPM ownership
ac7d03 
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'
ac7d03 
  - otptoken-add-yubikey: When --digits not provided use default value
ac7d03
ac7d03 
* Wed May 10 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-11.el7
ac7d03 
- Resolves: #1449189 ipa-kra-install timeouts on replica
ac7d03 
  - ipa-kra-install: fix check_host_keys
ac7d03
ac7d03 
* Wed May  3 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-10.el7
ac7d03 
- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to
ac7d03 
  validate message: Incorrect number of results (0) searching forpublic key for
ac7d03 
  host
ac7d03 
  - Make sure remote hosts have our keys
ac7d03 
- Resolves: #1442815 Replica install fails during migration from older IPA
ac7d03 
  master
ac7d03 
  - Refresh Dogtag RestClient.ca_host property
ac7d03 
  - Remove the cachedproperty class
ac7d03 
- Resolves: #1444787 Update warning message when KRA installation fails
ac7d03 
  - kra install: update installation failure message
ac7d03 
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
ac7d03 
  - ipa-server-install with external CA: fix pkinit cert issuance
ac7d03 
- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition()
ac7d03 
  must use FreeIPA CA
ac7d03 
  - kerberos session: use CA cert with full cert chain for obtaining cookie
ac7d03 
- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors
ac7d03 
  definition
ac7d03 
  - ipa-client-install: remove extra space in pkinit_anchors definition
ac7d03 
- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade
ac7d03 
  - Use proper SELinux context with http.keytab
ac7d03
ac7d03 
* Fri Apr 28 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-9.el7
ac7d03 
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
ac7d03 
  certificates on smart cards (pkinit)
ac7d03 
  - spec file: bump krb5 Requires for certauth fixes
ac7d03 
- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option
ac7d03 
  is used
ac7d03 
  - separate function to set ipaConfigString values on service entry
ac7d03 
  - Allow for configuration of all three PKINIT variants when deploying KDC
ac7d03 
  - API for retrieval of master's PKINIT status and publishing it in LDAP
ac7d03 
  - Use only anonymous PKINIT to fetch armor ccache
ac7d03 
  - Stop requesting anonymous keytab and purge all references of it
ac7d03 
  - Use local anchor when armoring password requests
ac7d03 
  - Upgrade: configure local/full PKINIT depending on the master status
ac7d03 
  - Do not test anonymous PKINIT after install/upgrade
ac7d03 
- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust.
ac7d03 
  update_tdo_gidnumber: ERROR Default SMB Group not found
ac7d03 
  - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is
ac7d03 
    installed
ac7d03 
- Resolves: #1442932 ipa restore fails to restore IPA user
ac7d03 
  - restore: restart/reload gssproxy after restore
ac7d03 
- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode
ac7d03 
  - Fix CA/server cert validation in FIPS
ac7d03 
- Resolves: #1444947 Deadlock between topology and schema-compat plugins
ac7d03 
  - compat-manage: behave the same for all users
ac7d03 
  - Move the compat plugin setup at the end of install
ac7d03 
  - compat: ignore cn=topology,cn=ipa,cn=etc subtree
ac7d03 
- Resolves: #1445358 ipa vault-add raises TypeError
ac7d03 
  - vault: piped input for ipa vault-add fails
ac7d03 
- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault
ac7d03 
  - Vault: Explicitly default to 3DES CBC
ac7d03 
- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning
ac7d03 
  - automount install: fix checking of SSSD functionality on uninstall
ac7d03 
- Resolves: #1446137 pki_client_database_password is shown in
ac7d03 
  ipaserver-install.log
ac7d03 
  - Hide PKI Client database password in log file
ac7d03
ac7d03 
* Thu Apr 20 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-8.el7
ac7d03 
- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade
ac7d03 
  - Fix CAInstance.import_ra_cert for empty passwords
ac7d03
ac7d03 
* Wed Apr 19 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-7.el7
ac7d03 
- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA
ac7d03 
  WebUI is slow to display user details page
ac7d03 
  - cert: defer cert-find result post-processing
ac7d03 
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
ac7d03 
  helper when installing replica
ac7d03 
  - server-install: No double Kerberos install
ac7d03 
- Resolves: #1437502 ipa-replica-install fails with requirement to
ac7d03 
  use --force-join that is a client install option.
ac7d03 
  - Add the force-join option to replica install
ac7d03 
  - replicainstall: better client install exception handling
ac7d03 
- Resolves: #1437953 Server CA-less impossible option check
ac7d03 
  - server-install: remove broken no-pkinit check
ac7d03 
- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies
ac7d03 
  - Add debug log in case cookie retrieval went wrong
ac7d03 
- Resolves: #1441548 ipa server install fails with --external-ca option
ac7d03 
  - ext. CA: correctly write the cert chain
ac7d03 
- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance
ac7d03 
  spawn
ac7d03 
  - Fix CA-less to CA-full upgrade
ac7d03 
- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and
ac7d03 
  libsss_nss_idmap to every binary in IPA
ac7d03 
  - configure: fix AC_CHECK_LIB usage
ac7d03 
- Resolves: #1442815 Replica install fails during migration from older IPA
ac7d03 
  master
ac7d03 
  - Fix RA cert import during DL0 replication
ac7d03 
- Related: #1442004 Building IdM/FreeIPA internally on all architectures -
ac7d03 
  filtering unsupported packages
ac7d03 
  - Build all subpackages on all architectures
ac7d03
ac7d03 
* Wed Apr 12 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-6.el7
ac7d03 
- Resolves: #1382053 Need to have validation for idrange names
ac7d03 
  - idrange-add: properly handle empty --dom-name option
ac7d03 
- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit
ac7d03 
  helper when installing replica
ac7d03 
  - dsinstance: reconnect ldap2 after DS is restarted by certmonger
ac7d03 
  - httpinstance: avoid httpd restart during certificate request
ac7d03 
  - dsinstance, httpinstance: consolidate certificate request code
ac7d03 
  - install: request service certs after host keytab is set up
ac7d03 
  - renew agent: revert to host keytab authentication
ac7d03 
  - renew agent, restart scripts: connect to LDAP after kinit
ac7d03 
- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted
ac7d03 
  domain entry
ac7d03 
  - ipa-sam: create the gidNumber attribute in the trusted domain entry
ac7d03 
  - Upgrade: add gidnumber to trusted domain entry
ac7d03 
- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException:
ac7d03 
  Incorrect client security database password
ac7d03 
  - Add pki_pin only when needed
ac7d03 
- Resolves: #1438348 Console output message while adding trust should be
ac7d03 
  mapped with texts changed in Samba.
ac7d03 
  - ipaserver/dcerpc: unify error processing
ac7d03 
- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid
ac7d03 
  'Credentials': Missing credentials for cross-forest communication
ac7d03 
  - trust: always use oddjobd helper for fetching trust information
ac7d03 
- Resolves: #1441192 Add the name of URL parameter which will be check for
ac7d03 
  username during cert login
ac7d03 
  - WebUI: cert login: Configure name of parameter used to pass username
ac7d03 
- Resolves: #1437879 [copr] Replica install failing
ac7d03 
  - Create system users for FreeIPA services during package installation
ac7d03 
- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install
ac7d03 
  - Fix s4u2self with adtrust
ac7d03
ac7d03 
* Wed Apr  5 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-5.el7
ac7d03 
- Resolves: #1318186 Misleading error message during external-ca IPA master
ac7d03 
  install
ac7d03 
  - httpinstance: make sure NSS database is backed up
ac7d03 
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR
ac7d03 
  CA certificate chain in ... incomplete"
ac7d03 
  - httpinstance: make sure NSS database is backed up
ac7d03 
- Resolves: #1393726 Enumerate all available request type options in ipa
ac7d03 
  cert-request help
ac7d03 
  - Hide request_type doc string in cert-request help
ac7d03 
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
ac7d03 
  - spec file: bump libsss_nss_idmap-devel BuildRequires
ac7d03 
  - server: make sure we test for sss_nss_getlistbycert
ac7d03 
- Resolves: #1437378 ipa-adtrust-install produced an error and failed on
ac7d03 
  starting smb when hostname is not FQDN
ac7d03 
  - adtrust: make sure that runtime hostname result is consistent with the
ac7d03 
    configuration
ac7d03 
- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous
ac7d03 
  keytab
ac7d03 
  - Always check and create anonymous principal during KDC install
ac7d03 
  - Remove duplicate functionality in upgrade
ac7d03 
- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous
ac7d03 
  principal for PKINIT
ac7d03 
  - Upgrade: configure PKINIT after adding anonymous principal
ac7d03 
  - Remove unused variable from failed anonymous PKINIT handling
ac7d03 
  - Split out anonymous PKINIT test to a separate method
ac7d03 
  - Ensure KDC is propery configured after upgrade
ac7d03 
- Resolves: #1437951 Remove pkinit-related options from server/replica-install
ac7d03 
  on DL0
ac7d03 
  - Fix the order of cert-files check
ac7d03 
  - Don't allow setting pkinit-related options on DL0
ac7d03 
  - replica-prepare man: remove pkinit option refs
ac7d03 
  - Remove redundant option check for cert files
ac7d03 
- Resolves: #1438490 CA-less installation fails on publishing CA certificate
ac7d03 
  - Get correct CA cert nickname in CA-less
ac7d03 
  - Remove publish_ca_cert() method from NSSDatabase
ac7d03 
- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap
ac7d03 
  - IPA-KDB: use relative path in ipa-certmap config snippet
ac7d03 
- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute
ac7d03 
  - Allow erasing ipaDomainResolutionOrder attribute
ac7d03
ac7d03 
* Wed Mar 29 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-4.el7
ac7d03 
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
ac7d03 
  - Require correct custodia version
ac7d03
ac7d03 
* Tue Mar 28 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-3.el7
ac7d03 
- Resolves: #800545 [RFE] Support SUDO command rename
ac7d03 
  - Reworked the renaming mechanism
ac7d03 
  - Allow renaming of the sudorule objects
ac7d03 
- Resolves: #872671 IPA WebUI login for AD Trusted User fails
ac7d03 
  - WebUI: check principals in lowercase
ac7d03 
  - WebUI: add method for disabling item in user dropdown menu
ac7d03 
  - WebUI: Add support for login for AD users
ac7d03 
- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with
ac7d03 
  certificates on smart cards (pkinit)
ac7d03 
  - ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
ac7d03 
  - IPA certauth plugin
ac7d03 
  - ipa-kdb: do not depend on certauth_plugin.h
ac7d03 
  - spec file: bump krb5-devel BuildRequires for certauth
ac7d03 
- Resolves: #1264370 RFE: disable last successful authentication by default in
ac7d03 
  ipa.
ac7d03 
  - Set "KDC:Disable Last Success" by default
ac7d03 
- Resolves: #1318186 Misleading error message during external-ca IPA master
ac7d03 
  install
ac7d03 
  - certs: do not implicitly create DS pin.txt
ac7d03 
  - httpinstance: clean up /etc/httpd/alias on uninstall
ac7d03 
- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR
ac7d03 
  CA certificate chain in ... incomplete"
ac7d03 
  - certs: do not implicitly create DS pin.txt
ac7d03 
  - httpinstance: clean up /etc/httpd/alias on uninstall
ac7d03 
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
ac7d03 
  - configure: fix --disable-server with certauth plugin
ac7d03 
  - rpcserver.login_x509: Actually return reply from __call__ method
ac7d03 
  - spec file: Bump requires to make Certificate Login in WebUI work
ac7d03 
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
ac7d03 
  - extdom: do reverse search for domain separator
ac7d03 
  - extdom: improve cert request
ac7d03 
- Resolves: #1430363 [RFE] HBAC rule names command rename
ac7d03 
  - Reworked the renaming mechanism
ac7d03 
  - Allow renaming of the HBAC rule objects
ac7d03 
- Resolves: #1433082 systemctl daemon-reload needs to be called after
ac7d03 
  httpd.service.d/ipa.conf is manipulated
ac7d03 
  - tasks: run `systemctl daemon-reload` after httpd.service.d updates
ac7d03 
- Resolves: #1434032 Run ipa-custodia with custom SELinux context
ac7d03 
  - Use Custodia 0.3.1 features
ac7d03 
- Resolves: #1434384 RPC client should use HTTP persistent connection
ac7d03 
  - Use connection keep-alive
ac7d03 
  - Add debug logging for keep-alive
ac7d03 
  - Increase Apache HTTPD's default keep alive timeout
ac7d03 
- Resolves: #1434729 man ipa-cacert-manage install needs clarification
ac7d03 
  - man ipa-cacert-manage install needs clarification
ac7d03 
- Resolves: #1434910 replica install against IPA v3 master fails with ACIError
ac7d03 
  - Fixing replica install: fix ldap connection in domlvl 0
ac7d03 
- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is
ac7d03 
  used during typing Directory Manager password
ac7d03 
  - ipapython.ipautil.nolog_replace: Do not replace empty value
ac7d03 
- Resolves: #1435397 ipa-replica-install can't install replica file produced by
ac7d03 
  ipa-replica-prepare on 4.5
ac7d03 
  - replica prepare: fix wrong IPA CA nickname in replica file
ac7d03 
- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if
ac7d03 
  KRA is not installed
ac7d03 
  - WebUI: Fix showing vault in selfservice view
ac7d03 
- Resolves: #1435718 As a ID user I cannot call a command with --rights option
ac7d03 
  - ldap2: use LDAP whoami operation to retrieve bind DN for current connection
ac7d03 
- Resolves: #1436319 "Truncated search results" pop-up appears in user details
ac7d03 
  in WebUI
ac7d03 
  - WebUI: Add support for suppressing warnings
ac7d03 
  - WebUI: suppress truncation warning in select widget
ac7d03 
- Resolves: #1436333 Uninstall fails with No such file or directory:
ac7d03 
  '/var/run/ipa/services.list'
ac7d03 
  - Create temporaty directories at the begining of uninstall
ac7d03 
- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate
ac7d03 
  fails
ac7d03 
  - WebUI: Allow to add certs to certmapping with CERT LINES around
ac7d03 
- Resolves: #1436338 CLI doesn't work after ipa-restore
ac7d03 
  - Backup ipa-specific httpd unit-file
ac7d03 
  - Backup CA cert from kerberos folder
ac7d03 
- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege
ac7d03 
  separation
ac7d03 
  - Bump samba version for FIPS and priv. separation
ac7d03 
- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with
ac7d03 
  ipa vault commands
ac7d03 
  - Avoid growing FILE ccaches unnecessarily
ac7d03 
  - Handle failed authentication via cookie
ac7d03 
  - Work around issues fetching session data
ac7d03 
  - Prevent churn on ccaches
ac7d03 
- Resolves: #1436657 Add workaround for pki_pin for FIPS
ac7d03 
  - Generate PIN for PKI to help Dogtag in FIPS
ac7d03 
- Resolves: #1436714 [vault] cache KRA transport cert
ac7d03 
  - Simplify KRA transport cert cache
ac7d03 
- Resolves: #1436723 cert-find does not find all certificates without
ac7d03 
  sizelimit=0
ac7d03 
  - cert: do not limit internal searches in cert-find
ac7d03 
- Resolves: #1436724 Renewal of IPA RA fails on replica
ac7d03 
  - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
ac7d03 
- Resolves: #1436753 Master tree fails to install
ac7d03 
  - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not
ac7d03 
    available
ac7d03
ac7d03 
* Tue Mar 21 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-2.el7
ac7d03 
- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient
ac7d03 
  - Remove csrgen
ac7d03 
- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets
ac7d03 
  - Add options to allow ticket caching
ac7d03
ac7d03 
* Wed Mar 15 2017 Jan Cholasta <jcholast@redhat.com> - 4.5.0-1.el7
ac7d03 
- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install
ac7d03 
- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in
ac7d03 
  hostname
ac7d03 
- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember'
ac7d03 
  attribute
ac7d03 
- Resolves: #1321652 ipa-server-install fails when using external certificates
ac7d03 
  that encapsulate RDN components in double quotes
ac7d03 
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
ac7d03 
  revocation reasons
ac7d03 
- Resolves: #1340880 ipa-server-install: improve prompt on interactive
ac7d03 
  installation
ac7d03 
- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf
ac7d03 
  incomplete entries
ac7d03 
- Resolves: #1356104 cert-show command does not display Subject Alternative
ac7d03 
  Names
ac7d03 
- Resolves: #1357511 Traceback message seen when ipa is provided with invalid
ac7d03 
  configuration file name
ac7d03 
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
ac7d03 
  converted from CA-less to CA-full
ac7d03 
- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication
ac7d03 
- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa
ac7d03 
  config-mod --enable-migration=TRUE
ac7d03 
- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain
ac7d03 
- Resolves: #1371927 Implement ca-enable/disable commands.
ac7d03 
- Resolves: #1372202 Add Users into User Group editors fails to show Full names
ac7d03 
- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra
ac7d03 
  check box in the UI
ac7d03 
- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error
ac7d03 
  message
ac7d03 
- Resolves: #1375905 "Normal" group type in the UI is confusing
ac7d03 
- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback
ac7d03 
- Resolves: #1376630 IDM admin password gets written to
ac7d03 
  /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
ac7d03 
- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should
ac7d03 
  match other options
ac7d03 
- Resolves: #1378461 IPA Allows Password Reuse with History value defined when
ac7d03 
  admin resets the password.
ac7d03 
- Resolves: #1379029 conncheck failing intermittently during single step
ac7d03 
  replica installs
ac7d03 
- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck
ac7d03 
- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace
ac7d03 
- Resolves: #1392778 Update man page for ipa-adtrust-install by
ac7d03 
  removing --no-msdcs option
ac7d03 
- Resolves: #1392858 Rebase to FreeIPA 4.5+
ac7d03 
  - Rebase to 4.5.0
ac7d03 
- Resolves: #1399133 Delete option shouldn't be available for hosts applied to
ac7d03 
  view.
ac7d03 
- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA
ac7d03 
  should contain full trust chain
ac7d03 
- Resolves: #1400416 RFE: Provide option to take backup of IPA server before
ac7d03 
  uninstalling IPA server
ac7d03 
- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases
ac7d03 
- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but
ac7d03 
  not on details page
ac7d03 
- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping
ac7d03 
- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when
ac7d03 
  non-FQDN name of IPA server is first in /etc/hosts
ac7d03 
- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using
ac7d03 
  nsupdate
ac7d03 
- Resolves: #1413742 Backport request for bug/issue Change IP address
ac7d03 
  validation errors to warnings
ac7d03 
- Resolves: #1415652 IPA replica install log shows password in plain text
ac7d03 
- Resolves: #1427897 different behavior regarding system wide certs in master
ac7d03 
  and replica.
ac7d03 
- Resolves: #1430314 The ipa-managed-entries command failed, exception:
ac7d03 
  AttributeError: ldap2
5239bb
76b7d5 
* Tue Mar 14 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.7
ac7d03 
- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica
76b7d5 
  with cert errors (untrusted)
76b7d5 
  - added ssl verification using IPA trust anchor
ac7d03 
- Resolves: #1428472 batch param compatibility is incorrect
76b7d5 
  - compat: fix `Any` params in `batch` and `dnsrecord`
76b7d5 
- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream
b2aa39
ff14fa 
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
ac7d03 
- Resolves: #1416454 replication race condition prevents IPA to install
ff14fa 
  - wait_for_entry: use only DN as parameter
ff14fa 
  - Wait until HTTPS principal entry is replicated to replica
ff14fa 
  - Use proper logging for error messages
ff14fa
ff14fa 
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.5
ac7d03 
- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is
ff14fa 
  installed without CA
ff14fa 
  - Set up DS TLS on replica in CA-less topology
ac7d03 
- Resolves: #1398600 IPA replica install fails with dirsrv errors.
ac7d03 
  - Do not configure PKI ajp redirection to use "::1"
ff14fa 
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for
ff14fa 
  ca-del, ca-disable and ca-enable commands
ff14fa 
  - ca: correctly authorise ca-del, ca-enable and ca-disable
8ffc8b
34b659 
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
53a374 
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
53a374 
  by abusing password policy
53a374 
  - ipa-kdb: search for password policies globally
34b659 
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream
34b659
34b659 
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.3
ac7d03 
- Resolves: #1398670 Check IdM Topology for broken record caused by replication
34b659 
  conflict before upgrading it
34b659 
  - Check for conflict entries before raising domain level
34b659
34b659 
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.2
ac7d03 
- Resolves: #1382812 Creation of replica for disconnected environment is
ac7d03 
  failing with CA issuance errors; Need good steps.
ac7d03 
  - gracefully handle setting replica bind dn group on old masters
ac7d03 
- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a
34b659 
  temporary CA admin
34b659 
  - replication: ensure bind DN group check interval is set on replica config
34b659 
  - add missing attribute to ipaca replica during CA topology update
ac7d03 
- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of
34b659 
  named-pkcs11
34b659 
  - bindinstance: use data in named.conf to determine configuration status
53a374
53a374 
* Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
53a374 
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
53a374 
  by abusing password policy
53a374 
  - password policy: Add explicit default password policy for hosts and
53a374 
    services
53a374 
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
53a374 
  certprofile-mod
53a374 
  - certprofile-mod: correctly authorise config update
a46197
fef02c 
* Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
fef02c 
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
fef02c 
  replication process
fef02c 
  - spec file: bump minimal required version of 389-ds-base
fef02c 
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
fef02c 
  - Fix missing file that fails DL1 replica installation
fef02c 
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
fef02c 
  - WebUI: services without canonical name are shown correctly
fef02c 
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
fef02c 
  - trustdomain-del: fix the way how subdomain is searched
fef02c
fef02c 
* Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
fef02c 
- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
fef02c 
  - Keep NSS trust flags of existing certificates
fef02c 
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
fef02c 
  stores and doesn't set proper trust permissions
fef02c 
  - Add cert checks in ipa-server-certinstall
fef02c 
- Resolves: #1371479 cert-find --all does not show information about revocation
fef02c 
  - cert: add revocation reason back to cert-find output
fef02c 
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
fef02c 
  can have their password set
fef02c 
  - ipa passwd: use correct normalizer for user principals
fef02c 
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
fef02c 
  - Properly handle LDAP socket closures in ipa-otpd
fef02c 
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
fef02c 
  - Make httpd publish its CA certificate on DL1
21794d
403b09 
* Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
403b09 
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
403b09 
- Resolves: #1375269 ipa trust-fetch-domains throws internal error
403b09
403b09 
* Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
403b09 
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
403b09 
  - Fix regression introduced in ipa-certupdate
403b09
403b09 
* Wed Sep  7 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
403b09 
- Resolves: #1355753 adding two way non transitive(external) trust displays
403b09 
  internal error on the console
403b09 
  - Always fetch forest info from root DCs when establishing two-way trust
403b09 
  - factor out `populate_remote_domain` method into module-level function
403b09 
  - Always fetch forest info from root DCs when establishing one-way trust
403b09 
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
403b09 
  after `ipa-replica-install`
403b09 
  - Track lightweight CAs on replica installation
403b09 
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
403b09 
  lower versioned server
403b09 
  - compat: Save server's API version in for pre-schema servers
403b09 
  - compat: Fix ping command call
403b09 
  - schema cache: Store and check info for pre-schema servers
403b09 
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
403b09 
  - Fix man page ipa-replica-manage: remove duplicate -c option
403b09 
    from --no-lookup
403b09 
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
403b09 
  when revoking certificate
403b09 
  - cert: include CA name in cert command output
403b09 
  - WebUI add support for sub-CAs while revoking certificates
403b09 
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
403b09 
  - Add support for additional options taken from table facet
403b09 
  - WebUI: Fix showing certificates issued by sub-CA
403b09 
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
403b09 
  internactively
403b09 
  - dns: normalize record type read interactively in dnsrecord_add
403b09 
  - dns: prompt for missing record parts in CLI
403b09 
  - dns: fix crash in interactive mode against old servers
403b09 
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
403b09 
  aware of Sub CAs
403b09 
  - cert: fix cert-find --certificate when the cert is not in LDAP
403b09 
  - Make host/service cert revocation aware of lightweight CAs
403b09 
- Resolves: #1371901 Use OAEP padding with custodia
403b09 
  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
403b09 
- Resolves: #1371915 When establishing external two-way trust, forest root
403b09 
  Administrator account is used to fetch domain info
403b09 
  - do not use trusted forest name to construct domain admin principal
403b09 
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
403b09 
  certificate request
403b09 
  - Fix CA ACL Check on SubjectAltNames
403b09 
- Resolves: #1373272 CLI always sends default command version
403b09 
  - cli: use full name when executing a command
403b09 
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
403b09 
  - Fix ipa-certupdate for CA-less installation
403b09 
- Resolves: #1373540 client-install with IPv6 address fails on link-local
403b09 
  address (always)
403b09 
  - Fix parse errors with link-local addresses
403b09
403b09 
* Fri Sep  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9
403b09 
- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
403b09 
  - Fix ipa-server-install in pure IPv6 environment
403b09 
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
403b09 
  reachable via the forest root
403b09 
  - trust: make sure ID range is created for the child domain even if it exists
403b09 
  - ipa-kdb: simplify trusted domain parent search
403b09 
- Resolves: #1335567 Update Warning in IdM Web UI API browser
403b09 
  - WebUI: add API browser is tech preview warning
403b09 
- Resolves: #1348560 Mulitple domain Active Directory Trust conflict
403b09 
  - ipaserver/dcerpc: reformat to make the code closer to pep8
403b09 
  - trust: automatically resolve DNS trust conflicts for triangle trusts
403b09 
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
403b09 
  certificate revocation
403b09 
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
403b09 
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
403b09 
  - Remove Custodia server keys from LDAP
403b09 
  - Secure permissions of Custodia server.keys
403b09 
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
403b09 
  converted from CA-less to CA-full
403b09 
  - custodia: include known CA certs in the PKCS#12 file for Dogtag
403b09 
  - custodia: force reconnect before retrieving CA certs from LDAP
403b09 
- Resolves: #1362333 ipa vault container owner cannot add vault
403b09 
  - Fix: container owner should be able to add vault
403b09 
- Resolves: #1365546 External trust with root domain is transitive
403b09 
  - trust: make sure external trust topology is correctly rendered
403b09 
- Resolves: #1365572 IPA server broken after upgrade
403b09 
  - Require pki-core-10.3.3-7
403b09 
- Resolves: #1367864 Server assumes latest version of command instead of
403b09 
  version 1 for old / 3rd party clients
403b09 
  - rpcserver: assume version 1 for unversioned command calls
403b09 
  - rpcserver: fix crash in XML-RPC system commands
403b09 
- Resolves: #1367773 thin client ignores locale change
403b09 
  - schema cache: Fallback to 'en_us' when locale is not available
403b09 
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
403b09 
  - Fail on topology disconnect/last role removal
403b09 
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
403b09 
  - otptoken, permission: Convert custom type parameters on server
403b09 
- Resolves: #1369414 ipa server-del fails with Python stack trace
403b09 
  - Handled empty hostname in server-del command
403b09 
- Resolves: #1369761 ipa-server must depend on a version of httpd that support
403b09 
  mod_proxy with UDS
403b09 
  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
403b09 
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
403b09 
  stageuser_tests
403b09 
  - Raise DuplicatedEnrty error when user exists in delete_container
403b09 
- Resolves: #1371479 cert-find --all does not show information about revocation
403b09 
  - cert: add missing param values to cert-find output
403b09 
- Renamed patch 1011 to 0100, as it was merged upstream
403b09
403b09 
* Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8
403b09 
- Resolves: #1298288 [RFE] Improve performance in large environments.
403b09 
  - cert: speed up cert-find
403b09 
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
403b09 
  authentication
403b09 
  - service: add flag to allow S4U2Self
403b09 
  - Add 'trusted to auth as user' checkbox
403b09 
  - Added new authentication method
403b09 
- Resolves: #1353881 ipa-replica-install suggests about
403b09 
  non-existent --force-ntpd option
403b09 
  - Don't show --force-ntpd option in replica install
403b09 
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
403b09 
  sub-domain to already-broken domain
403b09 
  - DNS: allow to add forward zone to already broken sub-domain
403b09 
- Resolves: #1356146 performance regression in CLI help
403b09 
  - schema: Speed up schema cache
403b09 
  - frontend: Change doc, summary, topic and NO_CLI to class properties
403b09 
  - schema: Introduce schema cache format
403b09 
  - schema: Generate bits for help load them on request
403b09 
  - help: Do not create instances to get information about commands and topics
403b09 
  - schema cache: Do not reset ServerInfo dirty flag
403b09 
  - schema cache: Do not read fingerprint and format from cache
403b09 
  - Access data for help separately
403b09 
  - frontent: Add summary class property to CommandOverride
403b09 
  - schema cache: Read server info only once
403b09 
  - schema cache: Store API schema cache in memory
403b09 
  - client: Do not create instance just to check isinstance
403b09 
  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
403b09 
- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file
403b09 
  - server install: do not prompt for cert file PIN repeatedly
403b09 
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
403b09 
  cache directory: [Errno 13] Permission denied: '/home/test_user'
403b09 
  - schema: Speed up schema cache
403b09 
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
403b09 
  - cert: do not crash on invalid data in cert-find
403b09 
- Resolves: #1366612 Middle replica uninstallation in line topology works
403b09 
  without '--ignore-topology-disconnect'
403b09 
  - Fail on topology disconnect/last role removal
403b09 
- Resolves: #1366626 caacl-add-service: incorrect error message when service
403b09 
  does not exists
403b09 
  - Fix ipa-caalc-add-service error message
403b09 
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
403b09 
  does not happen to run during dnf upgrade
403b09 
  - DNS server upgrade: do not fail when DNS server did not respond
403b09 
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
403b09 
  with CA
403b09 
  - Add warning about only one existing CA server
403b09 
  - Set servers list as default facet in topology facet group
403b09 
- Resolves: #1367773 thin client ignores locale change
403b09 
  - schema check: Check current client language against cached one
403b09
403b09 
* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-7
403b09 
- Resolves: #1361119 UPN-based search for AD users does not match an entry in
403b09 
  slapi-nis map cache
403b09 
  - support multiple uid values in schema compatibility tree
403b09
403b09 
* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-6
403b09 
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
403b09 
  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
403b09 
- Resolves: #1341249 Subsequent external CA installation fails
403b09 
  - install: fix external CA cert validation
403b09 
- Resolves: #1353831 ipa-server-install fails in container because of
403b09 
  hostnamectl set-hostname
403b09 
  - server-install: Fix --hostname option to always override api.env values
403b09 
  - install: Call hostnamectl set-hostname only if --hostname option is used
403b09 
- Resolves: #1356091 ipa-cacert-manage --help and man differ
403b09 
  - Improvements for the ipa-cacert-manage man and help
403b09 
- Resolves: #1360631 ipa-backup is not keeping the
403b09 
  /etc/tmpfiles.d/dirsrv-<instance>.conf
403b09 
  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
403b09 
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica
403b09 
  file is needed
403b09 
  - Update ipa-replica-install documentation
403b09 
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does
403b09 
  not rpm-require it
403b09 
  - client: RPM require initscripts to get *-domainname.service
403b09 
- Resolves: #1364197 caacl: error when instantiating rules with service
403b09 
  principals
403b09 
  - caacl: fix regression in rule instantiation
403b09 
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
403b09 
  - parameters: move the `confirm` kwarg to Param
403b09 
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks
403b09 
  instead of plus icon
403b09 
  - Fix unicode characters in ca and domain adders
403b09 
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
403b09 
  - client: add missing output params to client-side commands
403b09 
- Resolves: #1365526 build fails during "make check"
403b09 
  - ipa-kdb: Fix unit test after packaging changes in krb5
403b09
403b09 
* Fri Aug  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-5
403b09 
- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
403b09 
  - Do not initialize API in ipa-client-automount uninstall
403b09 
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
403b09 
  client changes
403b09 
  - idrange: fix unassigned global variable
403b09 
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
403b09 
  - re-set canonical principal name on migrated users
403b09 
- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str'
403b09 
  and 'bool' objects
403b09 
  - Fix ipa hbactest output
403b09 
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
403b09 
  - vault: add missing salt option to vault_mod
403b09 
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong
403b09 
  public key
403b09 
  - vault: Catch correct exception in decrypt
403b09 
- Resolves: #1362537 ipa-server-install fails to create symlink from
403b09 
  /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
403b09 
  - Correct path to HTTPD's systemd service directory
403b09 
- Resolves: #1363756 Increase length of passwords generated by installer
403b09 
  - Increase default length of auto generated passwords
403b09
403b09 
* Fri Jul 29 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-4
403b09 
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
403b09 
  aliases)
403b09 
  - harden the check for trust namespace overlap in new principals
403b09 
- Resolves: #1351142 CLI is not using session cookies for communication with
403b09 
  IPA API
403b09 
  - Fix session cookies
403b09 
- Resolves: #1353888 Fix the help for ipa otp and other topics
403b09 
  - help: Add dnsserver commands to help topic 'dns'
403b09 
- Resolves: #1354406 host-del updatedns options complains about missing ptr
403b09 
  record for host
403b09 
  - Host-del: fix behavior of --updatedns and PTR records
403b09 
- Resolves: #1355718 ipa-replica-manage man page example output differs actual
403b09 
  command output
403b09 
  - Minor fix in ipa-replica-manage MAN page
403b09 
- Resolves: #1358229 Traceback message should be fixed, seen while editing
403b09 
  winsync migrated user information in Default trust view.
403b09 
  - baseldap: Fix MidairCollision instantiation during entry modification
403b09 
- Resolves: #1358849 CA replica install logs to wrong log file
403b09 
  - unite log file name of ipa-ca-install
403b09 
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
403b09 
  - DNS Locations: fix update-system-records unpacking error
403b09 
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
403b09 
  - Use copy when replacing files to keep SELinux context
403b09 
- Resolves: #1359692 ipa-client-install join fail with traceback against
403b09 
  RHEL-6.8 ipa-server
403b09 
  - compat: fix ping call
403b09 
- Resolves: #1359738 ipa-replica-install --domain=<IPA primary domain> option
403b09 
  does not work
403b09 
  - replica-install: Fix --domain
403b09 
- Resolves: #1360778 Vault commands are available in CLI even when the server
403b09 
  does not support them
403b09 
  - Revert "Enable vault-* commands on client"
403b09 
  - client: fix hiding of commands which lack server support
403b09 
- Related: #1281704 Rebase to softhsm 2.1.0
403b09 
  - Remove the workaround for softhsm bug #1293340
403b09 
- Related: #1298288 [RFE] Improve performance in large environments.
403b09 
  - Create indexes for krbCanonicalName attribute
403b09
403b09 
* Fri Jul 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-3
403b09 
- Resolves: #1296140 Remove redhat-access-plugin-ipa support
403b09 
  - Obsolete and conflict redhat-access-plugin-ipa
403b09 
- Resolves: #1351119 Multiple issues while uninstalling ipa-server
403b09 
  - server uninstall fails to remove krb principals
403b09 
- Resolves: #1351758 ipa commands not showing expected error messages
403b09 
  - frontend: copy command arguments to output params on client
403b09 
  - Show full error message for selinuxusermap-add-hostgroup
403b09 
- Resolves: #1352883 Traceback on adding default automember group and hostgroup
403b09 
  set
403b09 
  - allow 'value' output param in commands without primary key
403b09 
- Resolves: #1353888 Fix the help for ipa otp and other topics
403b09 
  - schema: Fix subtopic -> topic mapping
403b09 
- Resolves: #1354348 ipa trustconfig-show throws internal error.
403b09 
  - allow 'value' output param in commands without primary key
403b09 
- Resolves: #1354381 ipa trust-add with raw option gives internal error.
403b09 
  - trust-add: handle `--all/--raw` options properly
403b09 
- Resolves: #1354493 Replica install fails with old IPA master
403b09 
  - DNS install: Ensure that DNS servers container exists
403b09 
- Resolves: #1354628 ipa hostgroup-add-member does not return error message
403b09 
  when adding itself as member
403b09 
  - frontend: copy command arguments to output params on client
403b09 
- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
403b09 
  - messages: specify message type for ResultFormattingError
403b09 
- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter
403b09 
  secret key
403b09 
  - expose `--secret` option in radiusproxy-* commands
403b09 
  - prevent search for RADIUS proxy servers by secret
403b09 
- Resolves: #1356099 Bug in the ipapwd plugin
403b09 
  - Heap corruption in ipapwd plugin
403b09 
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
403b09 
  client changes
403b09 
  - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
403b09 
- Resolves: #1356964 Renaming a user removes all of his principal aliases
403b09 
  - Preserve user principal aliases during rename operation
403b09
403b09 
* Fri Jul 15 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2.1
403b09 
- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
403b09 
- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD
403b09 
- Related: #1356134 'kinit -E' does not work for IPA user
403b09
403b09 
* Thu Jul 14 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2
403b09 
- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA
403b09 
  with certmonger
403b09 
  - uninstall: untrack lightweight CA certs
403b09 
- Resolves: #1351807 ipa-nis-manage config.get_dn missing
403b09 
  - ipa-nis-manage: Use server API to retrieve plugin status
403b09 
- Resolves: #1353452 ipa-compat-manage command failed,
403b09 
  exception: NotImplementedError: config.get_dn()
403b09 
  - ipa-compat-manage: use server API to retrieve plugin status
403b09 
- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
403b09 
  - ipa-advise: correct handling of plugin namespace iteration
403b09 
- Resolves: #1356134 'kinit -E' does not work for IPA user
403b09 
  - kdb: check for local realm in enterprise principals
403b09 
- Resolves: #1353072 ipa unknown command vault-add
403b09 
  - Enable vault-* commands on client
403b09 
  - vault-add: set the default vault type on the client side if none was given
403b09 
- Resolves: #1353995 Default CA can be used without a CA ACL
403b09 
  - caacl: expand plugin documentation
403b09 
- Resolves: #1356144 host-find should not print SSH keys by default, only
403b09 
  SSH fingerprints
403b09 
  - host-find: do not show SSH key by default
403b09 
- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
403b09 
  - Removed unused method parameter from migrate-ds
403b09
403b09 
* Fri Jul  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-1
403b09 
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
403b09 
- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0)
403b09 
  in the default global_policy in IPA sets user's password expiration
403b09 
  (krbPasswordExpiration) to be 90 days
403b09 
- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
403b09 
- Resolves: #1084018 [RFE] Add IdM user password change support for legacy
403b09 
  client compat tree
403b09 
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
403b09 
  aliases)
403b09 
  - Fix incorrect check for principal type when evaluating CA ACLs
403b09 
- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI
403b09 
- Resolves: #1238190 ipasam unable to lookup group in directory yet manual
403b09 
  search works
403b09 
- Resolves: #1250110 search by users which don't have read rights for all attrs
403b09 
  in search_attributes fails
403b09 
- Resolves: #1263764 Show Certificate displays in useless format
403b09 
- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all
403b09 
  the options after adding new certificate
403b09 
- Resolves: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.4.0
403b09 
- Resolves: #1294503 IPA fails to issue 3rd party certs
403b09 
- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
403b09 
- Resolves: #1298848 [RFE] Centralized topology management
403b09 
- Resolves: #1298966 [RFE] Extend Smart Card support
403b09 
- Resolves: #1315146 Multiple clients cannot join domain simultaneously:
403b09 
  /var/run/httpd/ipa/clientcaches race condition?
403b09 
- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
403b09 
- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper
403b09 
  console output
403b09 
- Resolves: #1324055 IPA always qualify requests for admin
403b09 
- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names
403b09 
- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate
403b09 
  hold
403b09 
- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
403b09 
- Resolves: #1349281 Fix `Conflicts` with ipa-python
403b09 
- Resolves: #1350695 execution of copy-schema script fails
403b09 
- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
403b09 
- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test
403b09 
  execution to 7.3
403b09 
- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to
403b09 
  create ipa-ca entry
403b09 
- Related: #1343422 [RFE] Add GssapiImpersonate option
403b09
403b09 
* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.2.alpha1
403b09 
- Resolves: #1348948 IPA server install fails with build
403b09 
  ipa-server-4.4.0-0.el7.1.alpha1
403b09 
  - Revert "Increased mod_wsgi socket-timeout"
403b09
403b09 
* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.1.alpha1
403b09 
- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while
403b09 
  setting password for default sudo binddn.
403b09 
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
403b09 
- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name
403b09 
- Resolves: #825391 [RFE] Replica installation should provide a means for
403b09 
  inheriting nssldap security access settings
403b09 
- Resolves: #921497 Incorrect *.py[co] files placement
403b09 
- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support
403b09 
- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
403b09 
- Resolves: #1196958 IPA replica installation failing with high number of users
403b09 
  (160000).
403b09 
- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to
403b09 
  uninstall a replica
403b09 
- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on
403b09 
  Authentication Indicator
403b09 
- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos
403b09 
  principal expiration"
403b09 
- Resolves: #1234223 [WebUI] General invalid password error message appearing
403b09 
  for "Locked user"
403b09 
- Resolves: #1254267 ipa-server-install failure applying ldap updates with
403b09 
  limits exceeded
403b09 
- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when
403b09 
  doamin already is in forwardzone.
403b09 
- Resolves: #1259020 ipa-server-adtrust-install doesn't allow
403b09 
  NetBIOS-name=EXAMPLE-TEST.COM (dash character)
403b09 
- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error
403b09 
  message when DNSSEC master not installed
403b09 
- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
403b09 
- Resolves: #1265900 Fail installation immediately after dirsrv fails to
403b09 
  install using ipa-server-install
403b09 
- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not
403b09 
  resolvable anymore
403b09 
- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace -
403b09 
  LimitsExceeded: limits exceeded for this query
403b09 
- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit
403b09 
- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
403b09 
- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
403b09 
- Resolves: #1271579 Automember rule expressions disappear from tables on
403b09 
  single expression delete
403b09 
- Resolves: #1275816 Incomplete ports for IPA ad-trust
403b09 
- Resolves: #1276351 [RFE] Remove
403b09 
  /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
403b09 
- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in
403b09 
  the IPA UI
403b09 
- Resolves: #1278426 Better error message needed for invalid ca-signing-algo
403b09 
  option
403b09 
- Resolves: #1279932 ipa-client-install --request-cert needs workaround in
403b09 
  anaconda chroot
403b09 
- Resolves: #1282521 Creating a user w/o private group fails when doing so in
403b09 
  WebUI
403b09 
- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced
403b09 
  by "IPA is not configured on this system"
403b09 
- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert
403b09 
  file
403b09 
- Resolves: #1287194 [RFE] Support of UPN for trusted domains
403b09 
- Resolves: #1288967 Normalize Manager entry in ipa user-add
403b09 
- Resolves: #1289487 Priority field missing in Password Policy detail tab
403b09 
- Resolves: #1291140 ipa client should configure kpasswd_server directive in
403b09 
  krb5.conf
403b09 
- Resolves: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.4.0.alpha1
403b09 
- Resolves: #1298848 [RFE] Centralized topology management
403b09 
- Resolves: #1300576 Browser setup page includes instructions for Internet
403b09 
  Explorer
403b09 
- Resolves: #1301586 ipa host-del --updatedns should remove related dns
403b09 
  entries.
403b09 
- Resolves: #1304618 Residual Files After IPA Server Uninstall
403b09 
- Resolves: #1305144 ipa-python does not require its dependencies
403b09 
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
403b09 
- Resolves: #1313798 Console output post ipa-winsync-migrate command should be
403b09 
  corrected.
403b09 
- Resolves: #1314786 [RFE] External Trust with Active Directory domain
403b09 
- Resolves: #1319023 Include description for 'status' option in man page for
403b09 
  ipactl command.
403b09 
- Resolves: #1319912 ipa-server-install does not completely change hostname and
403b09 
  named-pkcs11 fails
403b09 
- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord':
403b09 
  Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
403b09 
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
403b09 
  revocation reasons
403b09 
- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when
403b09 
  it is executed on server already installed with KRA.
403b09 
- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap'
403b09 
  to 'rpcbind'
403b09 
- Resolves: #1329275 ipa-nis-manage command should include status option
403b09 
- Resolves: #1330843 'man ipa' should be updated with latest commands
403b09 
- Resolves: #1333755 ipa cert-request causes internal server error while
403b09 
  requesting certificate
403b09 
- Resolves: #1337484 EOF is not handled for ipa-client-install command
403b09 
- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the
403b09 
  members of the role which has "User Administrators" privilege.
403b09 
- Resolves: #1343142 IPA DNS should do better verification of DNS zones
403b09 
- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in
403b09 
  browser
403b09
403b09 
* Wed May 25 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3.1
403b09 
- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
403b09 
  - Fix incorrect rebase of patch 1001
403b09
403b09 
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3
403b09 
- Resolves: #1339233 CA installed on replica is always marked as renewal master
403b09 
- Related: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.3.1.201605241723GIT1b427d3
403b09
403b09 
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37.1
403b09 
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
403b09 
  because of missing dependencies
403b09 
  - Rebuild with krb5-1.14.1
403b09
403b09 
* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37
403b09 
- Resolves: #837369 [RFE] Switch to client promotion to replica model
403b09 
- Resolves: #1199516 [RFE] Move replication topology to the shared tree
403b09 
- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
403b09 
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
403b09 
- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also
403b09 
  list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
403b09 
- Resolves: #1267206 ipa-server-install uninstall should warn if no
403b09 
  installation found
403b09 
- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when
403b09 
  ipa-client-automount is executed.
403b09 
- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly
403b09 
  displayed when certificate generated using IPA on RHEL 7.2up2.
403b09 
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
403b09 
  because of missing dependencies
403b09 
- Related: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.3.1.201605191449GITf8edf37
e0ab38
403b09 
* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-16
403b09 
- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid
403b09 
  Credential"
403b09 
  - cert renewal: make renewal of ipaCert atomic
403b09 
- Resolves: #1278330 installer options are not validated at the beginning of
403b09 
  installation
403b09 
  - install: fix command line option validation
403b09 
- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd
403b09 
  from starting up
403b09 
  - client install: do not corrupt OpenSSH config with Match sections
403b09 
- Resolves: #1282935 ipa upgrade causes vault internal error
403b09 
  - install: export KRA agent PEM file in ipa-kra-install
403b09 
- Resolves: #1283429 Default CA ACL rule is not created during
403b09 
  ipa-replica-install
403b09 
  - TLS and Dogtag HTTPS request logging improvements
403b09 
  - Avoid race condition caused by profile delete and recreate
403b09 
  - Do not erroneously reinit NSS in Dogtag interface
403b09 
  - Add profiles and default CA ACL on migration
403b09 
  - disconnect ldap2 backend after adding default CA ACL profiles
403b09 
  - do not disconnect when using existing connection to check default CA ACLs
403b09 
- Resolves: #1283430 ipa-kra-install: fails to apply updates
403b09 
  - suppress errors arising from adding existing LDAP entries during KRA
403b09 
    install
403b09 
- Resolves: #1283748 Caching of ipaconfig does not work in framework
403b09 
  - fix caching in get_ipa_config
403b09 
- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after
403b09 
  upgrade from RHEL 7.0 to RHEL 7.2
403b09 
  - upgrade: fix migration of old dns forward zones
403b09 
  - Fix upgrade of forwardzones when zone is in realmdomains
403b09 
- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap
403b09 
  connection
403b09 
  - ipa-cacert-renew: Fix connection to ldap.
403b09 
- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection
403b09 
  - ipa-otptoken-import: Fix connection to ldap.
403b09 
- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using
e0ab38 
  "yum update ipa* sssd"
e0ab38 
  - Set minimal required version for openssl
403b09 
- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
e0ab38 
  - Upgrade: Fix upgrade of NIS Server configuration
403b09 
- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory
e0ab38 
  permissions on /var/lib/ipa/dnssec
e0ab38 
  - DNS: fix file permissions
e0ab38 
  - Explicitly call chmod on newly created directories
e0ab38 
  - Fix: replace mkdir with chmod
403b09 
- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
e0ab38 
  - Fix version comparison
e0ab38 
  - use FFI call to rpmvercmp function for version comparison
403b09 
- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix
403b09 
  groups are missing
403b09 
  - ipa-kdb: map_groups() consider all results
403b09 
- Resolves: #1293870 User should be notified for wrong password in password
403b09 
  reset page
403b09 
  - Fixed login error message box in LoginScreen page
403b09 
- Resolves: #1296196 Sysrestore did not restore state if a key is specified in
e0ab38 
  mixed case
e0ab38 
  - Allow to used mixed case for sysrestore
403b09 
- Resolves: #1296214 DNSSEC key purging is not handled properly
e0ab38 
  - DNSSEC: Improve error reporting from ipa-ods-exporter
e0ab38 
  - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in
e0ab38 
    LDAP
e0ab38 
  - DNSSEC: Make sure that current key state in LDAP matches key state in BIND
e0ab38 
  - DNSSEC: remove obsolete TODO note
e0ab38 
  - DNSSEC: add debug mode to ldapkeydb.py
e0ab38 
  - DNSSEC: logging improvements in ipa-ods-exporter
e0ab38 
  - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
e0ab38 
  - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
e0ab38 
  - DNSSEC: ipa-ods-exporter: add ldap-cleanup command
e0ab38 
  - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
e0ab38 
  - DNSSEC: Log debug messages at log level DEBUG
403b09 
- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
e0ab38 
  - prevent crash of CA-less server upgrade due to absent certmonger
403b09 
  - always start certmonger during IPA server configuration upgrade
403b09 
- Resolves: #1297811 The ipa -e skip_version_check=1 still issues
e0ab38 
  incompatibility error when called against RHEL 6 server
e0ab38 
  - ipalib: assume version 2.0 when skip_version_check is enabled
403b09 
- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
403b09 
  - Do not decode HTTP reason phrase from Dogtag
403b09 
- Resolves: #1300252 shared certificateProfiles container is missing on a
403b09 
  freshly installed RHEL7.2 system
403b09 
  - upgrade: unconditional import of certificate profiles into LDAP
403b09 
- Resolves: #1301674 --setup-dns and other options is forgotten for using an
403b09 
  external PKI
403b09 
  - installer: Propagate option values from components instead of copying them.
403b09 
  - installer: Fix logic of reading option values from cache.
403b09 
- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA
403b09 
  IPA setup
403b09 
  - ipa-ca-install: print more specific errors when CA is already installed
403b09 
  - cert renewal: import all external CA certs on IPA CA cert renewal
403b09 
  - CA install: explicitly set dogtag_version to 10
403b09 
  - fix standalone installation of externally signed CA on IPA master
403b09 
  - replica install: validate DS and HTTP server certificates
403b09 
  - replica install: improvements in the handling of CA-related IPA config
403b09 
    entries
403b09 
- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
403b09 
  - slapi-nis: update configuration to allow external members of IPA groups
403b09 
- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find
403b09 
  returns "0 trusts matched"
403b09 
  - upgrade: fix config of sidgen and extdom plugins
403b09 
  - trusts: use ipaNTTrustPartner attribute to detect trust entries
403b09 
  - Warn user if trust is broken
403b09 
  - fix upgrade: wait for proper DS socket after DS restart
403b09 
  - Insure the admin_conn is disconnected on stop
403b09 
  - Fix connections to DS during installation
403b09 
  - Fix broken trust warnings
403b09 
- Resolves: #1321092 Installers fail when there are multiple versions of the
403b09 
  same certificate
403b09 
  - certdb: never use the -r option of certutil
403b09 
- Related: #1317381 Crash during IPA upgrade due to slapd
403b09 
  - spec file: update minimum required version of slapi-nis
403b09 
- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
403b09 
  CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws
403b09 
  [rhel-7.3]
403b09 
  - Rebuild against newer Samba version
8eb28c
590d18 
* Tue Oct 13 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15
590d18 
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
590d18 
  - vault: fix private service vault creation
590d18
590d18 
* Mon Oct 12 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-14
590d18 
- Resolves: #1262996 ipa vault internal error on replica without KRA
590d18 
  - upgrade: make sure ldap2 is connected in export_kra_agent_pem
590d18 
- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by
590d18 
  external CA
590d18 
  - schema: do not derive ipaVaultPublicKey from ipaPublicKey
590d18
590d18 
* Thu Oct  8 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-13
590d18 
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
590d18 
  - Fix an integer underflow bug in libotp
590d18 
- Resolves: #1262996 ipa vault internal error on replica without KRA
590d18 
  - install: always export KRA agent PEM file
590d18 
  - vault: select a server with KRA for vault operations
590d18 
- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files
590d18 
  - do not overwrite files with local users/groups when restoring authconfig
590d18 
- Renamed patch 1011 to 0138, as it was merged upstream
590d18
590d18 
* Wed Sep 23 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-12
590d18 
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to
590d18 
  Trusts
590d18 
  - winsync-migrate: Convert entity names to posix friendly strings
590d18 
  - winsync-migrate: Properly handle collisions in the names of external groups
590d18 
- Resolves: #1261074 Adjust Firefox configuration to new extension signing
590d18 
  policy
590d18 
  - webui: use manual Firefox configuration for Firefox >= 40
590d18 
- Resolves: #1263337 IPA Restore failed with installed KRA
590d18 
  - ipa-backup: Add mechanism to store empty directory structure
590d18 
- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate
590d18 
  and private key in world readable file [rhel-7.2]
590d18 
  - install: fix KRA agent PEM file permissions
590d18 
- Resolves: #1265086 Mark IdM API Browser as experimental
590d18 
  - WebUI: add API browser is experimental warning
590d18 
- Resolves: #1265277 Fix kdcproxy user creation
590d18 
  - install: create kdcproxy user during server install
590d18 
  - platform: add option to create home directory when adding user
590d18 
  - install: fix kdcproxy user home directory
590d18 
- Resolves: #1265559 GSS failure after ipa-restore
590d18 
  - destroy httpd ccache after stopping the service
590d18
590d18 
* Thu Sep 17 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-11
590d18 
- Resolves: #1258965 ipa vault: set owner of vault container
590d18 
  - baseldap: make subtree deletion optional in LDAPDelete
590d18 
  - vault: add vault container commands
590d18 
  - vault: set owner to current user on container creation
590d18 
  - vault: update access control
590d18 
  - vault: add permissions and administrator privilege
590d18 
  - install: support KRA update
590d18 
- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses
590d18 
  - config: allow user/host attributes with tagging options
590d18 
- Resolves: #1262315 Unable to establish winsync replication
590d18 
  - winsync: Add inetUser objectclass to the passsync sysaccount
590d18
590d18 
* Wed Sep 16 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-10
590d18 
- Resolves: #1260663 crash of ipa-dnskeysync-replica component during
590d18 
  ipa-restore
590d18 
  - IPA Restore: allows to specify files that should be removed
590d18 
- Resolves: #1261806 Installing ipa-server package breaks httpd
590d18 
  - Handle timeout error in ipa-httpd-kdcproxy
590d18 
- Resolves: #1262322 Failed to backup CS.cfg message in upgrade.
590d18 
  - Server Upgrade: backup CS.cfg when dogtag is turned off
590d18
590d18 
* Wed Sep  9 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-9
590d18 
- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not
590d18 
  tracked
590d18 
  - cert renewal: Include KRA users in Dogtag LDAP update
590d18 
  - cert renewal: Automatically update KRA agent PEM file
590d18 
- Resolves: #1257163 renaming certificatte profile with --rename option leads
590d18 
  to integrity issues
590d18 
  - certprofile: remove 'rename' option
590d18 
- Resolves: #1257968 kinit stop working after ipa-restore
590d18 
  - Backup: back up the hosts file
590d18 
- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings
590d18 
  - DNSSEC: remove "DNSSEC is experimental" warnings
590d18 
- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts
590d18 
  - Installer: do not modify /etc/hosts before user agreement
590d18 
- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1
590d18 
  zone
590d18 
  - DNSSEC: backup and restore opendnssec zone list file
590d18 
  - DNSSEC: remove ccache and keytab of ipa-ods-exporter
590d18 
  - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
590d18 
  - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
590d18 
  - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC
590d18 
    key master
590d18 
  - DNSSEC: Fix key metadata export
590d18 
  - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
590d18 
- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install
590d18 
  - Using LDAPI to setup CA and KRA agents.
590d18 
- Resolves: #1259848 server closes connection and refuses commands after
590d18 
  deleting user that is still logged in
590d18 
  - ldap: Make ldap2 connection management thread-safe again
590d18 
- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute
590d18 
  'ra_certprofile' while ipa-ca-install
590d18 
  - load RA backend plugins during standalone CA install on CA-less IPA master
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-8
590d18 
- Resolves: #1254689 Storing big file as a secret in vault raises traceback
590d18 
  - vault: Limit size of data stored in vault
590d18 
- Resolves: #1255880 ipactl status should distinguish between different
590d18 
  pki-tomcat services
590d18 
  - ipactl: Do not start/stop/restart single service multiple times
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-7
590d18 
- Resolves: #1256840 [webui] majority of required fields is no longer marked as
590d18 
  required
590d18 
  - fix missing information in object metadata
590d18 
- Resolves: #1256842 [webui] no option to choose trust type when creating a
590d18 
  trust
590d18 
  - webui: add option to establish bidirectional trust
590d18 
- Resolves: #1256853 Clear text passwords in KRA install log
590d18 
  - Removed clear text passwords from KRA install log.
590d18 
- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be
590d18 
  discouraged
590d18 
  - vault: change default vault type to symmetric
590d18 
- Resolves: #1257163 renaming certificatte profile with --rename option leads
590d18 
  to integrity issues
590d18 
  - certprofile: prevent rename (modrdn)
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-6
590d18 
- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone
590d18 
  - DNSSEC: fix forward zone forwarders checks
590d18 
- Resolves: #1250190 idrange is not added for sub domain
590d18 
  - trusts: format Kerberos principal properly when fetching trust topology
590d18 
- Resolves: #1252334 User life cycle: missing ability to provision a stage user
590d18 
  from a preserved user
590d18 
  - Add user-stage command
590d18 
- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to
590d18 
  start.
590d18 
  - spec file: Add Requires(post) on selinux-policy
590d18 
- Resolves: #1254304 Changing vault encryption attributes
590d18 
  - Change internal rsa_(public|private)_key variable names
590d18 
  - Added support for changing vault encryption.
590d18 
- Resolves: #1256715 Executing user-del --preserve twice removes the user
590d18 
  pernamently
590d18 
  - improve the usability of `ipa user-del --preserve` command
590d18
590d18 
* Wed Aug 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-5
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - user-undel: Fix error messages.
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - Prohibit deletion of predefined profiles
590d18 
- Resolves: #1232819 testing ipa-restore on fresh system install fails
590d18 
  - Backup/resore authentication control configuration
590d18 
- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0
590d18 
  server
590d18 
  - Require Dogtag PKI >= 10.2.6
590d18 
- Resolves: #1245225 Asymmetric vault drops traceback when the key is not
590d18 
  proper
590d18 
  - Asymmetric vault: validate public key in client
590d18 
- Resolves: #1248399 Missing DNSSEC related files in backup
590d18 
  - fix typo in BasePathNamespace member pointing to ods exporter config
590d18 
  - ipa-backup: archive DNSSEC zone file and kasp.db
590d18 
- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is
590d18 
  finished
590d18 
  - winsync-migrate: Add warning about passsync
590d18 
  - winsync-migrate: Expand the man page
590d18 
- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME"
590d18 
  - adjust search so that it works for non-admin users
590d18 
- Resolves: #1250093 ipa certprofile-import accepts invalid config
590d18 
  - Require Dogtag PKI >= 10.2.6
590d18 
- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust
590d18 
  agents
590d18 
  - trusts: Detect missing Samba instance
590d18 
- Resolves: #1250111 User lifecycle - preserved users can be assigned
590d18 
  membership
590d18 
  - ULC: Prevent preserved users from being assigned membership
590d18 
- Resolves: #1250145 Add permission for user to bypass caacl enforcement
590d18 
  - Add permission for bypassing CA ACL enforcement
590d18 
- Resolves: #1250190 idrange is not added for sub domain
590d18 
  - idranges: raise an error when local IPA ID range is being modified
590d18 
  - trusts: harden trust-fetch-domains oddjobd-based script
590d18 
- Resolves: #1250928 Man page for ipa-server-install is out of sync
590d18 
  - install: Fix server and replica install options
590d18 
- Resolves: #1251225 IPA default CAACL does not allow cert-request for services
590d18 
  after upgrade
590d18 
  - Fix default CA ACL added during upgrade
590d18 
- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey
590d18 
  - validate mutually exclusive options in vault-add
590d18 
- Resolves: #1251579 ipa vault-add --user should set container owner equal to
590d18 
  user on first run
590d18 
  - Fixed vault container ownership.
590d18 
- Resolves: #1252517 cert-request rejects request with correct
590d18 
  krb5PrincipalName SAN
590d18 
  - Fix KRB5PrincipalName / UPN SAN comparison
590d18 
- Resolves: #1252555 ipa vault-find doesn't work for services
590d18 
  - vault: Add container information to vault command results
590d18 
  - Add flag to list all service and user vaults
590d18 
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
590d18 
  - Added CLI param and ACL for vault service operations.
590d18 
- Resolves: #1252557 certprofile: improve profile format documentation
590d18 
  - certprofile-import: improve profile format documentation
590d18 
  - certprofile: add profile format explanation
590d18 
- Resolves: #1253443 ipa vault-add creates vault with invalid type
590d18 
  - vault: validate vault type
590d18 
- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing
590d18 
  owner
590d18 
  - baseldap: Allow overriding member param label in LDAPModMember
590d18 
  - vault: Fix param labels in output of vault owner commands
590d18 
- Resolves: #1253511 ipa vault-find does not use criteria
590d18 
  - vault: Fix vault-find with criteria
590d18 
- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10
590d18 
  - install: Fix replica install with custom certificates
590d18 
- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc
590d18 
  - improve the handling of krb5-related errors in dnssec daemons
590d18 
- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with
590d18 
  starting CA and named-pkcs11.service
590d18 
  - Server Upgrade: Start DS before CA is started.
590d18 
- Resolves: #1254637 Add ACI and permission for managing user userCertificate
590d18 
  attribute
590d18 
  - add permission: System: Manage User Certificates
590d18 
- Resolves: #1254641 Remove CSR allowed-extensions restriction
590d18 
  - cert-request: remove allowed extensions check
590d18 
- Resolves: #1254693 vault --service does not normalize service principal
590d18 
  - vault: normalize service principal in service vault operations
590d18 
- Resolves: #1254785 ipa-client-install does not properly handle dual stacked
590d18 
  hosts
590d18 
  - client: Add support for multiple IP addresses during installation.
590d18 
  - Add dependency to SSSD 1.13.1
590d18 
  - client: Add description of --ip-address and --all-ip-addresses to man page
590d18
590d18 
* Tue Aug 11 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-4
590d18 
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to
590d18 
  users in IdM
590d18 
  - store certificates issued for user entries as
590d18 
  - user-show: add --out option to save certificates to file
590d18 
- Resolves: #1145748 [RFE] IPA running with One Way Trust
590d18 
  - Fix upgrade of sidgen and extdom plugins
590d18 
- Resolves: #1195339 ipa-client-install changes the label on various files
590d18 
  which causes SELinux denials
590d18 
  - Use 'mv -Z' in specfile to restore SELinux context
590d18 
- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior
590d18 
  for combinations of "User authentication types"
590d18 
  - webui: add LDAP vs Kerberos behavior description to user auth
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - ULC: Fix stageused-add --from-delete command
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - certprofile-import: do not require profileId in profile data
590d18 
  - Give more info on virtual command access denial
590d18 
  - Allow SAN extension for cert-request self-service
590d18 
  - Add profile for DNP3 / IEC 62351-8 certificates
590d18 
  - Work around python-nss bug on unrecognised OIDs
590d18 
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
590d18 
  - Validate vault's file parameters
590d18 
  - Fixed missing KRA agent cert on replica.
590d18 
- Resolves: #1225866 display browser config options that apply to the browser.
590d18 
  - webui: add Kerberos configuration instructions for Chrome
590d18 
  - Remove ico files from Makefile
590d18 
- Resolves: #1246342 Unapply idview raises internal error
590d18 
  - idviews: Check for the Default Trust View only if applying the view
590d18 
- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages
590d18 
  - webui: fix regressions failed auth messages
590d18 
- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc
590d18 
  - dcerpc: Fix UnboundLocalError for ccache_name
590d18 
- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not
590d18 
  allow access to \\pipe\lsarpc
590d18 
  - Fix selector of protocol for LSA RPC binding string
590d18 
  - dcerpc: Simplify generation of LSA-RPC binding strings
590d18 
- Resolves: #1250192 Error in ipa trust-fecth-domains
590d18 
  - Fix incorrect type comparison in trust-fetch-domains
590d18 
- Resolves: #1251553 Winsync setup fails with unexpected error
590d18 
  - replication: Fix incorrect exception invocation
590d18 
- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly.
590d18 
  - ACI plugin: correctly parse bind rules enclosed in
590d18 
- Resolves: #1252414 Trust agent install does not detect available replicas to
590d18 
  add to master
590d18 
  - adtrust-install: Correctly determine 4.2 FreeIPA servers
590d18
590d18 
* Fri Jul 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-3
590d18 
- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains
590d18 
  that conflicts with AD DC
590d18 
  - trusts: Check for AD root domain among our trusted domains
590d18 
- Resolves: #1195339 ipa-client-install changes the label on various files
590d18 
  which causes SELinux denials
590d18 
  - sysrestore: copy files instead of moving them to avoind SELinux issues
590d18 
- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned
590d18 
  commands / ntpd -qgc $tmpfile hangs
590d18 
  - enable debugging of ntpd during client installation
590d18 
- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled
590d18 
  - migration: Use api.env variables.
590d18 
- Resolves: #1212719 abort-clean-ruv subcommand should allow
590d18 
  replica-certifyall: no
590d18 
  - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
590d18 
- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has
590d18 
  occurred
590d18 
  - dcerpc: Expand explanation for WERR_ACCESS_DENIED
590d18 
  - dcerpc: Fix UnboundLocalError for ccache_name
590d18 
- Resolves: #1222778 idoverride group-del can delete user and user-del can
590d18 
  delete group
590d18 
  - dcerpc: Add get_trusted_domain_object_type method
590d18 
  - idviews: Restrict anchor to name and name to anchor conversions
590d18 
  - idviews: Enforce objectclass check in idoverride*-del
590d18 
- Resolves: #1234919 Be able to request certificates without certmonger service
590d18 
  running
590d18 
  - cermonger: Use private unix socket when DBus SystemBus is not available.
590d18 
  - ipa-client-install: Do not (re)start certmonger and DBus daemons.
590d18 
- Resolves: #1240939 Please add dependency on bind-pkcs11
590d18 
  - Create server-dns sub-package.
590d18 
  - ipaplatform: Add constants submodule
590d18 
  - DNS: check if DNS package is installed
590d18 
- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow
590d18 
  calling out oddjobd-activated services
590d18 
  - selinux: enable httpd_run_ipa to allow communicating with oddjobd services
590d18 
- Resolves: #1243261 non-admin users cannot search hbac rules
590d18 
  - fix hbac rule search for non-admin users
590d18 
  - fix selinuxusermap search for non-admin users
590d18 
- Resolves: #1243652 Client has missing dependency on memcache
590d18 
  - do not import memcache on client
590d18 
- Resolves: #1243835 [webui] user change password dialog does not work
590d18 
  - webui: fix user reset password dialog
590d18 
- Resolves: #1244802 spec: selinux denial during kdcproxy user creation
590d18 
  - Fix selinux denial during kdcproxy user creation
590d18 
- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user
590d18 
  - oddjob: avoid chown keytab to sssd if sssd user does not exist
590d18 
- Resolves: #1246136 Adding a privilege to a permission avoids validation
590d18 
  - Validate adding privilege to a permission
590d18 
- Resolves: #1246141 DNS Administrators cannot search in zones
590d18 
  - DNS: Consolidate DNS RR types in API and schema
590d18 
- Resolves: #1246143 User plugin - user-find doesn't work properly with manager
590d18 
  option
590d18 
  - fix broken search for users by their manager
590d18
590d18 
* Wed Jul 15 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-2
590d18 
- Resolves: #1131907 [ipa-client-install] cannot write certificate file
590d18 
  '/etc/ipa/ca.crt.new': must be string or buffer, not None
590d18 
- Resolves: #1195775 unsaved changes dialog internally inconsistent
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - Stageusedr-activate: show username instead of DN
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - Prevent to rename certprofile profile id
590d18 
- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error
590d18 
- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files
590d18 
  - copy-schema-to-ca: allow to overwrite schema files
590d18 
- Resolves: #1241941 kdc component installation of IPA failed
590d18 
  - spec file: Update minimum required version of krb5
590d18 
- Resolves: #1242036 Replica install fails to update DNS records
590d18 
  - Fix DNS records installation for replicas
590d18 
- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy
590d18 
  - Start dirsrv for kdcproxy upgrade
590d18
590d18 
* Thu Jul  9 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-1
590d18 
- Resolves: #846033  [RFE] Documentation for JSONRPC IPA API
590d18 
- Resolves: #989091  Ability to manage IdM/IPA directly from a standard LDAP
590d18 
  client
590d18 
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to
590d18 
  users in IdM
590d18 
- Resolves: #1115294 [RFE] Add support for DNSSEC
590d18 
- Resolves: #1145748 [RFE] IPA running with One Way Trust
590d18 
- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
- Resolves: #1200728 [RFE] Replicate PKI Profile information
590d18 
- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts
590d18 
- Resolves: #1204054 SSSD database is not cleared between installs and
590d18 
  uninstalls of ipa
590d18 
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to
590d18 
  Trusts
590d18 
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
590d18 
- Resolves: #1204504 [RFE] Add access control so hosts can create their own
590d18 
  services
590d18 
- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default
590d18 
- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default
590d18 
- Resolves: #1209476 package ipa-client does not require package dbus-python
590d18 
- Resolves: #1211589 [RFE] Add option to skip the verify_client_version
590d18 
- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597)
590d18 
- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone
590d18 
- Resolves: #1217010 OTP Manager field is not exposed in the UI
590d18 
- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp
590d18 
  00007fffd68b2340 error 6 in libc-2.17.so
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Update to upstream 4.2.0
590d18 
  - Move /etc/ipa/kdcproxy to the server subpackage
590d18
590d18 
* Tue Jun 23 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-0.2.alpha1
590d18 
- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Fix minimum version of slapi-nis
590d18 
  - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)
590d18
590d18 
* Mon Jun 22 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-0.1.alpha1
590d18 
- Resolves: #805188  [RFE] "ipa migrate-ds" ldapsearches with scope=1
590d18 
- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently
590d18 
  throws Internal server error
590d18 
- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local
590d18 
- Resolves: #1045153 ipa-managed-entries --list -p <badpassword> still requires
590d18 
  DM password
590d18 
- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389
590d18 
  from ldap_port_t
590d18 
- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI
590d18 
- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not
590d18 
  matching uidgid
590d18 
- Resolves: #1176036 IDM client registration failure in a high load environment
590d18 
- Resolves: #1183116 Remove Requires: subscription-manager
590d18 
- Resolves: #1186054 permission-add does not prompt to enter --right option in
590d18 
  interactive mode
590d18 
- Resolves: #1187524 Replication agreement with replica not disabled when
590d18 
  ipa-restore done without IPA installed
590d18 
- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as
590d18 
  normal user.
590d18 
- Resolves: #1189034 "an internal error has occurred" during ipa host-del
590d18 
  --updatedns
590d18 
- Resolves: #1193554 ipa-client-automount: failing with error LDAP server
590d18 
  returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.
590d18 
- Resolves: #1193759 IPA extdom plugin fails when encountering large groups
590d18 
- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode
590d18 
  certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
590d18 
- Resolves: #1194633 Default trust view can be deleted in lower case
590d18 
- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate
590d18 
  server instance - confusing CA staus message on TLS error
590d18 
- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis
590d18 
- Resolves: #1199527 [RFE] Use datepicker component for datetime fields
590d18 
- Resolves: #1200867 [RFE] Make OTP validation window configurable
590d18 
- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi
590d18 
- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using
590d18 
  get_user_grouplist() [rhel-7.2]
590d18 
- Resolves: #1204637 slow group operations
590d18 
- Resolves: #1204642 migrate-ds: slow add o users to default group
590d18 
- Resolves: #1208461 IPA CA master server update stuck on checking getStatus
590d18 
  via https
590d18 
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
590d18 
- Resolves: #1211708 ipa-client-install gets stuck during NTP sync
590d18 
- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time
590d18 
  sync
590d18 
- Resolves: #1215200 ipa-client-install configures IPA server as NTP source
590d18 
  even if IPA server has not ntpd configured
590d18 
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Update to upstream 4.2.0.alpha1
ba521e
0201d8 
* Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
0201d8 
- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
0201d8 
  (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)
0201d8
0201d8 
* Wed Mar 18 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.0-18.2
0201d8 
- IPA extdom plugin fails when encountering large groups (#1193759)
0201d8 
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
590d18 
  (#1202998)
0201d8
0201d8 
* Thu Mar  5 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.1
0201d8 
- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
0201d8 
- Renamed patch 1013 to 0114, as it was merged upstream
0201d8 
- Fax number not displayed for user-show when kinit'ed as normal user.
0201d8 
  (#1198430)
0201d8 
- Replication agreement with replica not disabled when ipa-restore done without
0201d8 
  IPA installed (#1199060)
0201d8 
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)
0201d8
0201d8 
* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> - 4.1.0-18
e3ffab 
- Fix ipa-pwd-extop global configuration caching (#1187342)
e3ffab 
- group-detach does not add correct objectclasses (#1187540)
e3ffab
e3ffab 
* Tue Jan 27 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-17
e3ffab 
- Wrong directories created on full restore (#1186398)
e3ffab 
- ipa-restore crashes if replica is unreachable (#1186396)
e3ffab 
- idoverrideuser-add option --sshpubkey does not work (#1185410)
e3ffab
e3ffab 
* Wed Jan 21 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-16
e3ffab 
- PassSync does not sync passwords due to missing ACIs (#1181093)
e3ffab 
- ipa-replica-manage list does not list synced domain (#1181010)
e3ffab 
- Do not assume certmonger is running in httpinstance (#1181767)
e3ffab 
- ipa-replica-manage disconnect fails without password (#1183279)
e3ffab 
- Put LDIF files to their original location in ipa-restore (#1175277)
e3ffab 
- DUA profile not available anonymously (#1184149)
e3ffab 
- IPA replica missing data after master upgraded (#1176995)
e3ffab
e3ffab 
* Wed Jan 14 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-15
e3ffab 
- Re-add accidentally removed patches for #1170695 and #1164896
e3ffab
e3ffab 
* Wed Jan 14 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-14
e3ffab 
- IPA Replicate creation fails with error "Update failed! Status: [10 Total
e3ffab 
  update abortedLDAP error: Referral]" (#1166265)
e3ffab 
- running ipa-server-install --setup-dns results in a crash (#1072502)
e3ffab 
- DNS zones are not migrated into forward zones if 4.0+ replica is added
e3ffab 
  (#1175384)
e3ffab 
- gid is overridden by uid in default trust view (#1168904)
e3ffab 
- When migrating warn user if compat is enabled (#1177133)
e3ffab 
- Clean up debug log for trust-add (#1168376)
e3ffab 
- No error message thrown on restore(full kind) on replica from full backup
e3ffab 
  taken on master (#1175287)
e3ffab 
- ipa-restore proceed even IPA not configured (#1175326)
e3ffab 
- Data replication not working as expected after data restore from full backup
e3ffab 
  (#1175277)
e3ffab 
- IPA externally signed CA cert expiration warning missing from log (#1178128)
e3ffab 
- ipa-upgradeconfig fails in CA-less installs (#1181767)
e3ffab 
- IPA certs fail to autorenew simultaneouly (#1173207)
e3ffab 
- More validation required on ipa-restore's options (#1176034)
e3ffab
e3ffab 
* Wed Dec 17 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-13
e3ffab 
- Expand the token auth/sync windows (#919228)
e3ffab 
- Access is not rejected for disabled domain (#1172598)
e3ffab 
- krb5kdc crash in ldap_pvt_search (#1170695)
e3ffab 
- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)
e3ffab
e3ffab 
* Wed Dec 10 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-12
e3ffab 
- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
e3ffab 
  (#1169591)
e3ffab 
- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression)
e3ffab 
  (#1172578)
e3ffab
e3ffab 
* Tue Dec  9 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-11
e3ffab 
- Throw zonemgr error message before installation proceeds (#1163849)
e3ffab 
- Winsync: Setup is broken due to incorrect import of certificate (#1169867)
e3ffab 
- Enable last token deletion when password auth type is configured (#919228)
e3ffab 
- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641)
e3ffab 
- add --hosts and --hostgroup options to allow/retrieve keytab methods
e3ffab 
  (#1007367)
e3ffab 
- Extend host-show to add the view attribute in set of default attributes
e3ffab 
  (#1168916)
e3ffab 
- Prefer TCP connections to UDP in krb5 clients (#919228)
e3ffab 
- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214)
e3ffab 
- webui: increase notification duration (#1171089)
e3ffab 
- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931)
e3ffab 
- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
e3ffab 
  (#1170003)
e3ffab 
- Improve validation of --instance and --backend options in ipa-restore
e3ffab 
  (#951581)
e3ffab 
- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964)
e3ffab 
- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)
e3ffab
e3ffab 
* Wed Nov 26 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-10
e3ffab 
- Use NSS protocol range API to set available TLS protocols (#1156466)
e3ffab
e3ffab 
* Tue Nov 25 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-9
e3ffab 
- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1
e3ffab 
  build fails (#1167196)
e3ffab 
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
e3ffab 
- "ipa trust-add ... " cmd says : (Trust status: Established and verified)
e3ffab 
  while in the logs we see "WERR_ACCESS_DENIED" during verification step.
e3ffab 
  (#1144121)
e3ffab 
- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
e3ffab 
  (#1156466)
e3ffab 
- Add support/hooks for a one-time password system like SecureID in IPA
e3ffab 
  (#919228)
e3ffab 
- Tracebacks with latest build for --zonemgr cli option (#1167270)
e3ffab 
- ID Views: Support migration from the sync solution to the trust solution
e3ffab 
  (#891984)
e3ffab
e3ffab 
* Mon Nov 24 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-8
e3ffab 
- Improve otptoken help messages (#919228)
e3ffab 
- Ensure users exist when assigning tokens to them (#919228)
e3ffab 
- Enable QR code display by default in otptoken-add (#919228)
e3ffab 
- Show warning instead of error if CA did not start (#1158410)
e3ffab 
- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774)
e3ffab 
- Traceback when adding zone with long name (#1164859)
e3ffab 
- Backup & Restore mechanism (#951581)
e3ffab 
- ignoring user attributes in migrate-ds does not work if uppercase characters
e3ffab 
  are returned by ldap (#1159816)
e3ffab 
- Allow ipa-getkeytab to optionally fetch existing keys (#1007367)
e3ffab 
- Failure when installing on dual stacked system with external ca (#1128380)
e3ffab 
- ipa-server should keep backup of CS.cfg (#1059135)
e3ffab 
- Tracebacks with latest build for --zonemgr cli option (#1167270)
e3ffab 
- webui: use domain name instead of domain SID in idrange adder dialog
e3ffab 
  (#891984)
e3ffab 
- webui: normalize idview tab labels (#891984)
e3ffab
e3ffab 
* Wed Nov 19 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-7
e3ffab 
- ipa-csreplica-manage connect fails (#1157735)
e3ffab 
- error message which is not understandable when IDNA2003 characters are
e3ffab 
  present in --zonemgr (#1163849)
e3ffab 
- Fix warning message should not contain CLI commands (#1114013)
e3ffab 
- Renewing the CA signing certificate does not extend its validity period end
e3ffab 
  (#1163498)
e3ffab 
- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for
e3ffab 
  httpd (#1159330)
e3ffab
e3ffab 
* Thu Nov 13 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-6
e3ffab 
- Fix: DNS installer adds invalid zonemgr email (#1056202)
e3ffab 
- ipaplatform: Use the dirsrv service, not target (#951581)
e3ffab 
- Fix: DNS policy upgrade raises asertion error (#1161128)
e3ffab 
- Fix upgrade referint plugin (#1161128)
e3ffab 
- Upgrade: fix trusts objectclass violationi (#1161128)
e3ffab 
- group-add doesn't accept gid parameter (#1149124)
e3ffab
e3ffab 
* Tue Nov 11 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-5
e3ffab 
- Update slapi-nis dependency to pull 0.54-2 (#891984)
e3ffab 
- ipa-restore: Don't crash if AD trust is not installed (#951581)
e3ffab 
- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791)
e3ffab 
- Trust setting not restored for CA cert with ipa-restore command (#1159011)
e3ffab 
- ipa-server-install fails when restarting named (#1162340)
e3ffab
e3ffab 
* Thu Nov 06 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-4
e3ffab 
- Update Requires on pki-ca to 10.1.2-4 (#1129558)
e3ffab 
- build: increase java stack size for all arches
e3ffab 
- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984)
e3ffab 
- Fix dns zonemgr validation regression (#1056202)
e3ffab 
- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645)
e3ffab 
- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
e3ffab 
  (#886645)
e3ffab 
- Add bind-dyndb-ldap working dir to IPA specfile
e3ffab 
- Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
e3ffab 
  (#886645)
e3ffab 
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
e3ffab 
- Deadlock in schema compat plugin (#1161131)
e3ffab 
- ipactl stop should stop dirsrv last (#1161129)
e3ffab 
- Upgrade 3.3.5 to 4.1 failed (#1161128)
e3ffab 
- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)
e3ffab
e3ffab 
* Wed Oct 22 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-3
e3ffab 
- Do not check if port 8443 is available in step 2 of external CA install
e3ffab 
  (#1129481)
e3ffab
e3ffab 
* Wed Oct 22 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-2
e3ffab 
- Update Requires on selinux-policy to 3.13.1-4
e3ffab
e3ffab 
* Tue Oct 21 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-1
e3ffab 
- Update to upstream 4.1.0 (#1109726)
e3ffab
e3ffab 
* Mon Sep 29 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-0.1.alpha1
e3ffab 
- Update to upstream 4.1.0 Alpha 1 (#1109726)
e3ffab
e3ffab 
* Fri Sep 26 2014 Petr Vobornik <pvoborni@redhat.com> - 4.0.3-3
e3ffab 
- Add redhat-access-plugin-ipa dependency
e3ffab
e3ffab 
* Thu Sep 25 2014 Jan Cholasta <jcholast@redhat.com> - 4.0.3-2
e3ffab 
- Re-enable otptoken_yubikey plugin
e3ffab
e3ffab 
* Mon Sep 15 2014 Jan Cholasta <jcholast@redhat.com> - 4.0.3-1
e3ffab 
- Update to upstream 4.0.3 (#1109726)
e3ffab
e3ffab 
* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-29
031d60 
- Server installation fails using external signed certificates with
e3ffab 
  "IndexError: list index out of range" (#1111320)
031d60 
- Add rhino to BuildRequires to fix Web UI build error
10ca37
9991ea 
* Tue Apr  1 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28
9991ea 
- ipa-client-automount fails with incompatibility error when installed against
9991ea 
  older IPA server (#1083108)
9991ea
9991ea 
* Wed Mar 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-27
9991ea 
- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future
9991ea 
  PKI versions (#1080865)
9991ea
9991ea 
* Tue Mar 25 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-26
9991ea 
- When IdM server trusts multiple AD forests, IPA client returns invalid group
9991ea 
  membership info (#1079498)
9991ea
9991ea 
* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-25
9991ea 
- Deletion of active subdomain range should not be allowed (#1075615)
9991ea
9991ea 
* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-24
9991ea 
- PKI database is ugraded during replica installation (#1075118)
9991ea
9991ea 
* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-23
9991ea 
- Unable to add trust successfully with --trust-secret (#1075704)
9991ea
9991ea 
* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-22
9991ea 
- ipa-replica-install never checks for 7389 port (#1075165)
9991ea 
- Non-terminated string may be passed to LDAP search (#1075091)
9991ea 
- ipa-sam may fail to translate group SID into GID (#1073829)
9991ea 
- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)
9991ea
9991ea 
* Thu Mar  6 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-21
9991ea 
- Do not fetch a principal two times, remove potential memory leak (#1070924)
9991ea
9991ea 
* Wed Mar  5 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-20
9991ea 
- trustdomain-find with pkey-only fails (#1068611)
9991ea 
- Invalid credential cache in trust-add (#1069182)
9991ea 
- ipa-replica-install prints unexpected error (#1069722)
9991ea 
- Too big font in input fields in details facet in Firefox (#1069720)
9991ea 
- trust-add for POSIX AD does not fetch trustdomains (#1070925)
9991ea 
- Misleading trust-add error message in some cases (#1070926)
9991ea 
- Access is not rejected for disabled domain (#1070924)
9991ea
9991ea 
* Wed Feb 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-19
9991ea 
- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
9991ea
9991ea 
* Wed Feb 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-18
9991ea 
- Display server name in ipa command's verbose mode (#1061703)
9991ea 
- Remove sourcehostcategory from default HBAC rule (#1061187)
9991ea 
- dnszone-add cannot add classless PTR zones (#1058688)
9991ea 
- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)
9991ea
9991ea 
* Tue Feb  4 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-17
9991ea 
- Lockout plugin crashed during ipa-server-install (#912725)
9991ea
9991ea 
* Fri Jan 31 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-16
9991ea 
- Fallback to global policy in ipa lockout plugin (#912725)
9991ea 
- Migration does not add users to default group (#903232)
9991ea
9991ea 
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.3.3-15
9991ea 
- Mass rebuild 2014-01-24
9991ea
9991ea 
* Thu Jan 23 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-14
9991ea 
- Fix NetBIOS name generation in CLDAP plugin (#1030517)
9991ea
9991ea 
* Mon Jan 20 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-13
9991ea 
- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)
9991ea 
- Increase default timeout for IPA services (#1033273)
9991ea 
- Error while running trustdomain-find (#1054376)
9991ea 
- group-show lists SID instead of name for external groups (#1054391)
9991ea 
- Fix IPA server NetBIOS name in samba configuration (#1030517)
9991ea 
- dnsrecord-mod produces missing API version warning (#1054869)
9991ea 
- Hide trust-resolve command as internal (#1052860)
9991ea 
- Add Trust domain Web UI (#1054870)
9991ea 
- ipasam cannot delete multiple child trusted domains (#1056120)
9991ea
9991ea 
* Wed Jan 15 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-12
9991ea 
- Missing objectclasses when empty password passed to host-add (#1052979)
9991ea 
- sudoOrder missing in sudoers (#1052983)
9991ea 
- Missing examples in sudorule help (#1049464)
9991ea 
- Client automount does not uninstall when fstore is empty (#910899)
9991ea 
- Error not clear for invalid realm given to trust-fetch-domains (#1052981)
9991ea 
- trust-fetch-domains does not add idrange for subdomains found (#1049926)
9991ea 
- Add option to show if an AD subdomain is enabled/disabled (#1052973)
9991ea 
- ipa-adtrust-install still failed with long NetBIOS names (#1030517)
9991ea 
- Error not clear for invalid relam given to trustdomain-find (#1049455)
9991ea 
- renewed client cert not recognized during IPA CA renewal (#1033273)
9991ea
9991ea 
* Fri Jan 10 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-11
9991ea 
- hbactest does not work for external users (#848531)
9991ea
9991ea 
* Wed Jan 08 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-10
9991ea 
- PKI service restart after CA renewal failed (#1040018)
9991ea
9991ea 
* Mon Jan 06 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-9
9991ea 
- Move ipa-tests package to separate srpm (#1032668)
9991ea
9991ea 
* Fri Jan  3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-8
9991ea 
- Fix status trust-add command status message (#910453)
9991ea 
- NetBIOS was not trimmed at 15 characters (#1030517)
9991ea 
- Harden CA subsystem certificate renewal on CA clones (#1040018)
9991ea
9991ea 
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.3.3-7
9991ea 
- Mass rebuild 2013-12-27
9991ea
9991ea 
* Mon Dec  2 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-6
9991ea 
- Remove "Listen 443 http" hack from deployed nss.conf (#1029046)
9991ea 
- Re-adding existing trust fails (#1033216)
9991ea 
- IPA uninstall exits with a samba error (#1033075)
9991ea 
- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)
9991ea 
- Fixed ownership of /usr/share/ipa/ui/js (#1026260)
9991ea 
- ipa-tests: support external names for hosts (#1032668)
9991ea 
- ipa-client-install fail due fail to obtain host TGT (#1029354)
9991ea
99b6f7 
* Fri Nov 22 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
99b6f7 
- Trust add tries to add same value of --base-id for sub domain,
99b6f7 
  causing an error (#1033068)
99b6f7 
- Improved error reporting for adding trust case (#1029856)
99b6f7
99b6f7 
* Wed Nov 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-4
99b6f7 
- Winsync agreement cannot be created (#1023085)
99b6f7
99b6f7 
* Wed Nov  6 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-3
99b6f7 
- Installer did not detect different server and IPA domain (#1026845)
99b6f7 
- Allow kernel keyring CCACHE when supported (#1026861)
99b6f7
99b6f7 
* Tue Nov  5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-2
99b6f7 
- ipa-server-install crashes when AD subpackage is not installed (#1026434)
99b6f7
99b6f7 
* Fri Nov  1 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-1
99b6f7 
- Update to upstream 3.3.3 (#991064)
99b6f7
99b6f7 
* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-5
99b6f7 
- Temporarily move ipa-backup and ipa-restore functionality
99b6f7 
  back to make them available in public Beta (#1003933)
99b6f7
99b6f7 
* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-4
99b6f7 
- Server install failure during client enrollment shouldn't
99b6f7 
  roll back (#1023086)
99b6f7 
- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
99b6f7 
- ipa-server conflicts with mod_ssl (#1018172)
99b6f7
99b6f7 
* Wed Oct 16 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-3
99b6f7 
- Reinstalling ipa server hangs when configuring certificate
99b6f7 
  server (#1018804)
99b6f7
99b6f7 
* Fri Oct 11 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-2
99b6f7 
- Deprecate --serial-autoincrement option (#1016645)
99b6f7 
- CA installation always failed on replica (#1005446)
99b6f7 
- Re-initializing a winsync connection exited with error (#994980)
99b6f7
99b6f7 
* Fri Oct  4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
99b6f7 
- Update to upstream 3.3.2 (#991064)
99b6f7 
- Add delegation info to MS-PAC (#915799)
99b6f7 
- Warn about incompatibility with AD when IPA realm and domain
99b6f7 
  differs (#1009044)
99b6f7 
- Allow PKCS#12 files with empty password in install tools (#1002639)
99b6f7 
- Privilege "SELinux User Map Administrators" did not list
99b6f7 
  permissions (#997085)
99b6f7 
- SSH key upload broken when client joins an older server (#1009024)
99b6f7
99b6f7 
* Mon Sep 23 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-5
99b6f7 
- Remove dependency on python-paramiko (#1002884)
99b6f7 
- Broken redirection when deleting last entry of DNS resource
99b6f7 
  record (#1006360)
99b6f7
99b6f7 
* Tue Sep 10 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-4
99b6f7 
- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
99b6f7
99b6f7 
* Mon Sep  9 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-3
99b6f7 
- Replica installation fails for RHEL 6.4 master (#1004680)
99b6f7 
- Server uninstallation crashes if DS is not available (#998069)
99b6f7
99b6f7 
* Thu Sep  5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-2
99b6f7 
- Unable to remove replica by ipa-replica-manage (#1001662)
99b6f7 
- Before uninstalling a server, warn about active replicas (#998069)
99b6f7
99b6f7 
* Thu Aug 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.1-1
99b6f7 
- Update to upstream 3.3.1 (#991064)
99b6f7 
- Update minimum version of bind-dyndb-ldap to 3.5
99b6f7
99b6f7 
* Tue Aug 20 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.0-7
99b6f7 
- Fix replica installation failing on certificate subject (#983075)
99b6f7
99b6f7 
* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-6
99b6f7 
- Allow ipa-tests to work with older version (1.7.7) of python-paramiko
99b6f7
99b6f7 
* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-5
99b6f7 
- Prevent multilib failures in *.pyo and *.pyc files
99b6f7
99b6f7 
* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-4
99b6f7 
- ipa-server-install fails if --subject parameter is other than default
99b6f7 
  realm (#983075)
99b6f7 
- do not allow configuring bind-dyndb-ldap without persistent search (#967876)
99b6f7
99b6f7 
* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-3
99b6f7 
- diffstat was missing as a build dependency causing multilib problems
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-2
99b6f7 
- Remove ipa-server-selinux obsoletes as upgrades from version prior to
99b6f7 
  3.3.0 are not allowed
99b6f7 
- Wrap server-trust-ad subpackage description better
9991ea 
- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf
99b6f7 
- Change permissions on default_encoding_utf8.so to fix ipa-python Provides
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1
99b6f7 
- Update to upstream 3.3.0 (#991064)
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.2.beta2
99b6f7 
- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release
99b6f7
99b6f7 
* Wed Aug  7 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.1.beta2
99b6f7 
- Update to upstream 3.3.0 Beta 2 (#991064)
99b6f7
99b6f7 
* Thu Jul 18 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
99b6f7 
- Update to upstream 3.2.2
99b6f7 
- Drop ipa-server-selinux subpackage
99b6f7 
- Drop redundant directory /var/cache/ipa/sessions
99b6f7 
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
99b6f7 
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
99b6f7 
  issues when there are still old parts of software (like entitlements plugin)
99b6f7
99b6f7 
* Fri Jun 14 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
99b6f7 
- Update to upstream 3.2.1
99b6f7 
- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0
99b6f7
99b6f7 
* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
99b6f7 
- Add OTP patches
99b6f7 
- Add patch to set KRB5CCNAME for 389-ds-base
99b6f7
99b6f7 
* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
99b6f7 
- Update to upstream 3.2.0 GA
99b6f7 
- ipa-client-install fails if /etc/ipa does not exist (#961483)
99b6f7 
- Certificate status is not visible in Service and Host page (#956718)
99b6f7 
- ipa-client-install removes needed options from ldap.conf (#953991)
99b6f7 
- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
99b6f7 
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
99b6f7 
- Require nss 3.14.3-12.0 to address certutil certificate import
99b6f7 
  errors (#953485)
99b6f7 
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
99b6f7 
  environments. (#953464)
99b6f7 
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
99b6f7 
- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
99b6f7 
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
99b6f7 
  socket based connections (#960222)
99b6f7 
- Require libsss_nss_idmap-python
99b6f7 
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
99b6f7 
  member is now done automatically and having it in the config file raises
99b6f7 
  an error.
99b6f7 
- Add backup and restore tools, directory.
99b6f7 
- require at least systemd 38 which provides the journal (we no longer
99b6f7 
  need to require syslog.target)
99b6f7 
- Update Requires on policycoreutils to 2.1.14-37
99b6f7 
- Update Requires on selinux-policy to 3.12.1-42
99b6f7 
- Update Requires on 389-ds-base to 1.3.1.0
99b6f7 
- Remove a Requires for java-atk-wrapper
99b6f7
99b6f7 
* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
99b6f7 
- Remove release from krb5-server in strict sub-package to allow for rebuilds.
99b6f7
99b6f7 
* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
99b6f7 
- Add a Requires for java-atk-wrapper until we can determine which package
99b6f7 
  should be pulling it in, dogtag or tomcat.
99b6f7
99b6f7 
* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
99b6f7 
- Update to upstream 3.2.0 Beta 1
99b6f7
99b6f7 
* Tue Apr  2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
99b6f7 
- Update to upstream 3.2.0 Prerelease 1
99b6f7 
- Use upstream reference spec file as a base for Fedora spec file
99b6f7
99b6f7 
* Sat Mar 30 2013 Kevin Fenzi <kevin@scrye.com> 3.1.2-4
99b6f7 
- Rebuild for broken deps
99b6f7 
- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1
99b6f7
99b6f7 
* Sat Feb 23 2013 Kevin Fenzi <kevin@scrye.com> - 3.1.2-3
99b6f7 
- Rebuild for broken deps in rawhide
99b6f7 
- Fix 389-ds-base strict dep to be 1.3.0.3
99b6f7
99b6f7 
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.2-2
99b6f7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
99b6f7
99b6f7 
* Wed Jan 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.2-1
99b6f7 
- Update to upstream 3.1.2
99b6f7 
- CVE-2012-4546: Incorrect CRLs publishing
99b6f7 
- CVE-2012-5484: MITM Attack during Join process
99b6f7 
- CVE-2013-0199: Cross-Realm Trust key leak
99b6f7 
- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
99b6f7 
  pki-ca = 10.0.1
99b6f7
99b6f7 
* Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.1.0-2
99b6f7 
- Remove redundat Requires versions that are already in Fedora 17
99b6f7 
- Replace python-crypto Requires with m2crypto
99b6f7 
- Add missing Requires(post) for client and server-trust-ad subpackages
99b6f7 
- Restart httpd service when server-trust-ad subpackage is installed
99b6f7 
- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes
99b6f7
99b6f7 
* Mon Dec 10 2012 Rob Crittenden <rcritten@redhat.com> - 3.1.0-1
99b6f7 
- Updated to upstream 3.1.0 GA
99b6f7 
- Set minimum for sssd to 1.9.2
99b6f7 
- Set minimum for pki-ca to 10.0.0-1
99b6f7 
- Set minimum for 389-ds-base to 1.3.0
99b6f7 
- Set minimum for selinux-policy to 3.11.1-60
99b6f7 
- Remove unneeded dogtag package requires
99b6f7
99b6f7 
* Tue Oct 23 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
99b6f7 
- Update Requires on krb5-server to 1.11
99b6f7
99b6f7 
* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2
99b6f7 
- Configure CA replication to use TLS instead of SSL
99b6f7
99b6f7 
* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
99b6f7 
- Updated to upstream 3.0.0 GA
99b6f7 
- Set minimum for samba to 4.0.0-153.
99b6f7 
- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
99b6f7 
  plugin to /dev/null since they cannot be used when trusts are configured
99b6f7 
- Restrict krb5-server to 1.10.
99b6f7 
- Update BR for 389-ds-base to 1.3.0
99b6f7 
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
99b6f7 
- Add Requires on zip for generating FF browser extension
99b6f7
99b6f7 
* Fri Oct  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
99b6f7 
- Updated to upstream 3.0.0 rc 2
99b6f7 
- Include new FF configuration extension
99b6f7 
- Set minimum Requires of selinux-policy to 3.11.1-33
99b6f7 
- Set minimum Requires dogtag to 10.0.0-0.43.b1
99b6f7 
- Add new optional strict sub-package to allow users to limit other
99b6f7 
  package upgrades.
99b6f7
99b6f7 
* Tue Oct  2 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.9
99b6f7 
- Require samba packages instead of obsoleted samba4 packages
99b6f7
99b6f7 
* Fri Sep 21 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.8
99b6f7 
- Updated to upstream 3.0.0 rc 1
99b6f7 
- Update BR for 389-ds-base to 1.2.11.14
99b6f7 
- Update BR for krb5 to 1.10
99b6f7 
- Update BR for samba4-devel to 4.0.0-139 (rc1)
99b6f7 
- Add BR for python-polib
99b6f7 
- Update BR and Requires on sssd to 1.9.0
99b6f7 
- Update Requires on policycoreutils to 2.1.12-5
99b6f7 
- Update Requires on 389-ds-base to 1.2.11.14
99b6f7 
- Update Requires on selinux-policy to 3.11.1-21
99b6f7 
- Update Requires on dogtag to 10.0.0-0.33.a1
99b6f7 
- Update Requires on certmonger to 0.60
99b6f7 
- Update Requires on tomcat to 7.0.29
99b6f7 
- Update minimum version of bind to 9.9.1-10.P3
99b6f7 
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
99b6f7 
- Remove Requires on authconfig from python sub-package
99b6f7
99b6f7 
* Wed Sep  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.7
99b6f7 
- Rebuild against samba4 beta8
99b6f7
99b6f7 
* Fri Aug 31 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.6
99b6f7 
- Rebuild against samba4 beta7
99b6f7
99b6f7 
* Wed Aug 22 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-0.5
99b6f7 
- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
99b6f7 
- Add dependency to samba4-winbind
99b6f7
99b6f7 
* Fri Aug 17 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.4
99b6f7 
- Updated to upstream 3.0.0 beta 2
99b6f7
99b6f7 
* Mon Aug  6 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.3
99b6f7 
- Updated to current upstream state of 3.0.0 beta 2 development
99b6f7
99b6f7 
* Mon Jul 23 2012 Alexander Bokovoy <abokovy@redhat.com> - 3.0.0-0.2
99b6f7 
- Rebuild against samba4 beta4
99b6f7
99b6f7 
* Mon Jul  2 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.1
99b6f7 
- Updated to upstream 3.0.0 beta 1
99b6f7
99b6f7 
* Thu May  3 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1
99b6f7 
- Updated to upstream 2.2.0 GA
99b6f7 
- Update minimum n-v-r of certmonger to 0.53
99b6f7 
- Update minimum n-v-r of slapi-nis to 0.40
99b6f7 
- Add Requires in client to oddjob-mkhomedir and python-krbV
99b6f7 
- Update minimum selinux-policy to 3.10.0-110
99b6f7
99b6f7 
* Mon Mar 19 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.2
99b6f7 
- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
99b6f7 
- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
99b6f7 
- Add Conflicts on mod_ssl
99b6f7 
- Update minimum n-v-r of 389-ds-base to 1.2.10.4
99b6f7 
- Update minimum n-v-r of sssd to 1.8.0
99b6f7 
- Update minimum n-v-r of slapi-nis to 0.38
99b6f7 
- Update minimum n-v-r of pki-* to 9.0.18
99b6f7 
- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
99b6f7 
- Update conflicts on bind to < 9.9.0-1
99b6f7 
- Drop requires on krb5-server-ldap
99b6f7 
- Add patch to remove escaping arguments to pkisilent
99b6f7
99b6f7 
* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
99b6f7 
- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
99b6f7
99b6f7 
* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
99b6f7 
- Force to use 389-ds 1.2.10-0.8.a7 or above
99b6f7 
- Improve upgrade script to handle systemd 389-ds change
99b6f7 
- Fix freeipa to work with python-ldap 2.4.6
99b6f7
99b6f7 
* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
99b6f7 
- Fix ipa-replica-install crashes
99b6f7 
- Fix ipa-server-install and ipa-dns-install logging
99b6f7 
- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
99b6f7 
  caused by FEDORA-2011-17400 update (#771357)
99b6f7
99b6f7 
* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
99b6f7 
- Allow Web-based migration to work with tightened SE Linux policy (#769440)
99b6f7 
- Rebuild slapi plugins against re-enterant version of libldap
99b6f7
99b6f7 
* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
99b6f7 
- Allow longer dirsrv startup with systemd:
99b6f7 
  - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
99b6f7 
  - Helps with restarts during upgrade for ipa-ldap-updater
99b6f7 
- Fix pylint warnings from F16 and Rawhide
99b6f7
99b6f7 
* Tue Dec  6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
99b6f7 
- Update to upstream 2.1.4 (CVE-2011-3636)
99b6f7
99b6f7 
* Mon Dec  5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
99b6f7 
- Update SELinux policy to allow ipa_kpasswd to connect ldap and
99b6f7 
  read /dev/urandom. (#759679)
99b6f7
99b6f7 
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
99b6f7 
- Fix wrong path in packaging freeipa-systemd-upgrade
99b6f7
99b6f7 
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-6
99b6f7 
- Introduce upgrade script to recover existing configuration after systemd migration
99b6f7 
  as user has no means to recover FreeIPA from systemd migration
99b6f7 
- Upgrade script:
99b6f7 
  - recovers symlinks in Dogtag instance install
99b6f7 
  - recovers systemd configuration for FreeIPA's directory server instances
99b6f7 
  - recovers freeipa.service
99b6f7 
  - migrates directory server and KDC configs to use proper keytabs for systemd services
99b6f7
99b6f7 
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
99b6f7 
- Rebuilt for glibc bug#747377
99b6f7
99b6f7 
* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
e3ffab 
- clean up spec
99b6f7 
- Depend on sssd >= 1.6.2 for better user experience
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
99b6f7 
- Fix Fedora package changelog after merging systemd changes
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
99b6f7 
- Fix postin scriplet for F-15/F-16
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
99b6f7 
- 2.1.3
99b6f7
99b6f7 
* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
99b6f7 
- Default to systemd for Fedora 16 and onwards
99b6f7
99b6f7 
* Tue Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
99b6f7 
- Update to upstream 2.1.0
99b6f7
99b6f7 
* Fri May  6 2011 Simo Sorce <ssorce@redhat.com> - 2.0.1-2
99b6f7 
- Fix bug #702633
99b6f7
99b6f7 
* Mon May  2 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.1-1
99b6f7 
- Update minimum selinux-policy to 3.9.16-18
99b6f7 
- Update minimum pki-ca and pki-selinux to 9.0.7
99b6f7 
- Update minimum 389-ds-base to 1.2.8.0-1
99b6f7 
- Update to upstream 2.0.1
99b6f7
99b6f7 
* Thu Mar 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
99b6f7 
- Update to upstream GA release
99b6f7 
- Automatically apply updates when the package is upgraded
99b6f7
99b6f7 
* Fri Feb 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.4.rc2
99b6f7 
- Update to upstream freeipa-2.0.0.rc2
99b6f7 
- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
99b6f7 
- Set minimum version of sssd to 1.5.1
99b6f7 
- Patch to include SuiteSpotGroup when setting up 389-ds instances
99b6f7 
- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled
99b6f7
99b6f7 
* Tue Feb 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.3.rc1
99b6f7 
- Set the N-V-R so rc1 is an update to beta2.
99b6f7
99b6f7 
* Mon Feb 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.rc1
99b6f7 
- Set minimum version of sssd to 1.5.1
99b6f7 
- Update to upstream freeipa-2.0.0.rc1
99b6f7 
- Move server-only binaries from admintools subpackage to server
99b6f7
99b6f7 
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0-0.2.beta2
99b6f7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
99b6f7
99b6f7 
* Thu Feb  3 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta2
99b6f7 
- Set min version of 389-ds-base to 1.2.8
99b6f7 
- Set min version of mod_nss 1.0.8-10
99b6f7 
- Set min version of selinux-policy to 3.9.7-27
99b6f7 
- Add dogtag themes to Requires
99b6f7 
- Update to upstream freeipa-2.0.0.pre2
99b6f7
99b6f7 
* Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.2.beta.git80e87e7
99b6f7 
- Remove unnecessary moving of v1 CA serial number file in post script
99b6f7 
- Add Obsoletes for server-selinxu subpackage
99b6f7 
- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da
99b6f7
99b6f7 
* Wed Jan 26 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta.git80e87e7
99b6f7 
- Prepare spec file for release
99b6f7 
- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503
99b6f7
99b6f7 
* Tue Jan 25 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-41
99b6f7 
- Re-arrange doc and defattr to clean up rpmlint warnings
99b6f7 
- Remove conditionals on older releases
99b6f7 
- Move some man pages into admintools subpackage
99b6f7 
- Remove some explicit Requires in client that aren't needed
99b6f7 
- Consistent use of buildroot vs RPM_BUILD_ROOT
99b6f7
99b6f7 
* Wed Jan 19 2011 Adam Young <ayoung@redhat.com> - 1.99-40
99b6f7 
- Moved directory install/static to install/ui
99b6f7
99b6f7 
* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-39
99b6f7 
- Remove dependency on nss_ldap/nss-pam-ldapd
99b6f7 
- The official client is sssd and that's what we use by default.
99b6f7
99b6f7 
* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
99b6f7 
- Remove radius subpackages
99b6f7
99b6f7 
* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
99b6f7 
- Set minimum pki-ca and pki-silent versions to 9.0.0
99b6f7
99b6f7 
* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
99b6f7 
- Drop BuildRequires on mozldap-devel
99b6f7
99b6f7 
* Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
99b6f7 
- Add Requires on krb5-pkinit-openssl
99b6f7
99b6f7 
* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
99b6f7 
- Add ipa-host-net-manage script
99b6f7
99b6f7 
* Tue Dec  7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
99b6f7 
- Add ipa init script
99b6f7
99b6f7 
* Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
99b6f7 
- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin
99b6f7
99b6f7 
* Wed Nov  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
99b6f7 
- remove ipa-fix-CVE-2008-3274
99b6f7
99b6f7 
* Wed Oct  6 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
99b6f7 
- Remove duplicate %%files entries on share/ipa/static
99b6f7 
- Add python default encoding shared library
99b6f7
99b6f7 
* Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
99b6f7 
- Drop requires on python-configobj (not used any more)
99b6f7 
- Drop ipa-ldap-updater message, upgrades are done differently now
99b6f7
99b6f7 
* Wed Sep  8 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
99b6f7 
- Drop conflicts on mod_nss
99b6f7 
- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
99b6f7 
- Drop a slew of conditionals on older Fedora releases (< 12)
99b6f7 
- Add a few conditionals against RHEL 6
99b6f7 
- Add Requires of nss-tools on ipa-client
99b6f7
99b6f7 
* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
99b6f7 
- Set minimum version of certmonger to 0.26 (to pck up #621670)
99b6f7 
- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
99b6f7 
- Set minimum version of pki-ca to 1.3.6
99b6f7 
- Set minimum version of sssd to 1.2.1
99b6f7
99b6f7 
* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
99b6f7 
- Add BuildRequires for authconfig
99b6f7
99b6f7 
* Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
99b6f7 
- Bump up minimum version of python-nss to pick up nss_is_initialize() API
99b6f7
99b6f7 
* Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
99b6f7 
- Removed python-asset based webui
99b6f7
99b6f7 
* Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
99b6f7 
- Change Requires from fedora-ds-base to 389-ds-base
99b6f7 
- Set minimum level of 389-ds-base to 1.2.6 for the replication
99b6f7 
  version plugin.
99b6f7
99b6f7 
* Tue Jun  1 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
99b6f7 
- Drop Requires of python-krbV on ipa-client
99b6f7
99b6f7 
* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
99b6f7 
- Load ipa_dogtag.pp in post install
99b6f7
99b6f7 
* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
99b6f7 
- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
99b6f7
99b6f7 
* Thu Mar  4 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
99b6f7 
- No need to create /var/log/ipa_error.log since we aren't using
99b6f7 
  TurboGears any more.
99b6f7
99b6f7 
* Mon Mar 1 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
99b6f7 
- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included
99b6f7
99b6f7 
* Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
99b6f7 
- Added Require mod_wsgi, added share/ipa/wsgi.py
99b6f7
99b6f7 
* Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
99b6f7 
- Require python-wehjit >= 0.2.2
99b6f7
99b6f7 
* Wed Feb  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
99b6f7 
- Add sssd and certmonger as a Requires on ipa-client
99b6f7
99b6f7 
* Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
99b6f7 
- Require python-wehjit >= 0.2.0
99b6f7
99b6f7 
* Fri Dec  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
99b6f7 
- Add ipa-rmkeytab tool
99b6f7
99b6f7 
* Tue Dec  1 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
99b6f7 
- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
99b6f7 
  Any type
99b6f7
99b6f7 
* Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
99b6f7 
- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf
99b6f7
99b6f7 
* Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
99b6f7 
- Add bash completion script and own /etc/bash_completion.d in case it
99b6f7 
  doesn't already exist
99b6f7
99b6f7 
* Tue Nov  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
99b6f7 
- Remove ipa_webgui, its functions rolled into ipa_httpd
99b6f7
99b6f7 
* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
99b6f7 
- Removed python-cherrypy from BuildRequires and Requires
99b6f7 
- Added Requires python-assets, python-wehjit
99b6f7
99b6f7 
* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
99b6f7 
- Added httpd SELinux policy so CRLs can be read
99b6f7
99b6f7 
* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
99b6f7 
- Move ipalib to ipa-python subpackage
99b6f7 
- Bump minimum version of slapi-nis to 0.15
99b6f7
99b6f7 
* Wed May  6 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
99b6f7 
- Set 0.14 as minimum version for slapi-nis
99b6f7
99b6f7 
* Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
99b6f7 
- Add Requires: python-nss to ipa-python sub-package
99b6f7
99b6f7 
* Thu Mar  5 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
99b6f7 
- Remove the IPA DNA plugin, use the DS one
99b6f7
99b6f7 
* Wed Mar  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
99b6f7 
- Build radius separately
99b6f7 
- Fix a few minor issues
99b6f7
99b6f7 
* Tue Feb  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
99b6f7 
- Replace TurboGears requirement with python-cherrypy
99b6f7
99b6f7 
* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
99b6f7 
- rebuild with new openssl
99b6f7
99b6f7 
* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
99b6f7 
- Fix SELinux code
99b6f7
99b6f7 
* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
99b6f7 
- Fix breakage caused by python-kerberos update to 1.1
99b6f7
99b6f7 
* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
99b6f7 
- New upstream release 1.2.1
99b6f7
99b6f7 
* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
99b6f7 
- Rebuild for Python 2.6
99b6f7
99b6f7 
* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
99b6f7 
- Respin after the tarball has been re-released upstream
99b6f7 
  New hash is 506c9c92dcaf9f227cba5030e999f177
99b6f7
99b6f7 
* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
99b6f7 
- Conditionally restart also dirsrv and httpd when upgrading
99b6f7
99b6f7 
* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
99b6f7 
- Update to upstream version 1.2.0
99b6f7 
- Set fedora-ds-base minimum version to 1.1.3 for winsync header
99b6f7 
- Set the minimum version for SELinux policy
99b6f7 
- Remove references to Fedora 7
99b6f7
99b6f7 
* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
99b6f7 
- Fix for CVE-2008-3274
99b6f7 
- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
99b6f7 
- Add fix for bug #453185
99b6f7 
- Rebuild against openldap libraries, mozldap ones do not work properly
99b6f7 
- TurboGears is currently broken in rawhide. Added patch to not build
99b6f7 
  the UI locales and removed them from the ipa-server files section.
99b6f7
99b6f7 
* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
99b6f7 
- Add call to /usr/sbin/upgradeconfig to post install
99b6f7
99b6f7 
* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
99b6f7 
- Update to upstream version 1.1.0
99b6f7 
- Patch for indexing memberof attribute
99b6f7 
- Patch for indexing uidnumber and gidnumber
99b6f7 
- Patch to change DNA default values for replicas
99b6f7 
- Patch to fix uninitialized variable in ipa-getkeytab
99b6f7
99b6f7 
* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
99b6f7 
- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
99b6f7 
  version to 1.0.7-4 so we pick up the NSS fixes.
99b6f7 
- Add selinux-policy-base(post) to Requires (446496)
99b6f7
99b6f7 
* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
99b6f7 
- Add missing entry for /var/cache/ipa/kpasswd (444624)
99b6f7 
- Added patch to fix permissions problems with the Apache NSS database.
99b6f7 
- Added patch to fix problem with DNS querying where the query could be
99b6f7 
  returned as the answer.
99b6f7 
- Fix spec error where patch1 was in the wrong section
99b6f7
99b6f7 
* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
99b6f7 
- Added patch to fix problem reported by ldapmodify
99b6f7
99b6f7 
* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
99b6f7 
- Fix Requires for krb5-server that was missing for Fedora versions > 9
99b6f7 
- Remove quotes around test for fedora version to package egg-info
99b6f7
99b6f7 
* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
99b6f7 
- Update to upstream version 1.0.0
99b6f7
99b6f7 
* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
99b6f7 
- Pull upstream changelog 722
99b6f7 
- Add Conflicts mod_ssl (435360)
99b6f7
99b6f7 
* Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
99b6f7 
- Pull upstream changelog 698
99b6f7 
- Fix ownership of /var/log/ipa_error.log during install (435119)
99b6f7 
- Add pwpolicy command and man page
99b6f7
99b6f7 
* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
99b6f7 
- Pull upstream changelog 678
99b6f7 
- Add new subpackage, ipa-server-selinux
99b6f7 
- Add Requires: authconfig to ipa-python (bz #433747)
99b6f7 
- Package i18n files
99b6f7
99b6f7 
* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
99b6f7 
- Pull upstream changelog 641
99b6f7 
- Require minimum version of krb5-server on F-7 and F-8
99b6f7 
- Package some new files
99b6f7
99b6f7 
* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
99b6f7 
- Marked with wrong license. IPA is GPLv2.
99b6f7
99b6f7 
* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
99b6f7 
- Ensure that /etc/ipa exists before moving user-modifiable html files there
99b6f7 
- Put html files into /etc/ipa/html instead of /etc/ipa
99b6f7
99b6f7 
* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
99b6f7 
- Pull upstream changelog 608 which renamed several files
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
99b6f7 
- package the sessions dir /var/cache/ipa/sessions
99b6f7 
- Pull upstream changelog 597
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
99b6f7 
- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
99b6f7 
  UI to not start.
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
99b6f7 
- Included LICENSE and README in all packages for documentation
99b6f7 
- Move user-modifiable content to /etc/ipa and linked back to
99b6f7 
  /usr/share/ipa/html
99b6f7 
- Changed some references to /usr to the {_usr} macro and /etc
99b6f7 
  to {_sysconfdir}
99b6f7 
- Added popt-devel to BuildRequires for Fedora 8 and higher and
99b6f7 
  popt for Fedora 7
99b6f7 
- Package the egg-info for Fedora 9 and higher for ipa-python
99b6f7
99b6f7 
* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
99b6f7 
- Added auto* BuildRequires
99b6f7
99b6f7 
* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
99b6f7 
- Unified spec file
99b6f7
99b6f7 
* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
99b6f7 
- Fixed License in specfile
99b6f7 
- Include files from /usr/lib/python*/site-packages/ipaserver
99b6f7
99b6f7 
* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
99b6f7 
- Version bump for release
99b6f7
99b6f7 
* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
99b6f7 
- Preverse mode on ipa-keytab-util
99b6f7 
- Version bump for relase and rpm name change
99b6f7
99b6f7 
* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
99b6f7 
- Broke invididual Requires and BuildRequires onto separate lines and
99b6f7 
  reordered them
99b6f7 
- Added python-tgexpandingformwidget as a dependency
99b6f7 
- Require at least fedora-ds-base 1.1
99b6f7
99b6f7 
* Thu Nov  1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
99b6f7 
- Version bump for release
99b6f7
99b6f7 
* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
99b6f7 
- Add dep for freeipa-admintools and acl
99b6f7
99b6f7 
* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
99b6f7 
- Add dependency for python-krbV
99b6f7
99b6f7 
* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
99b6f7 
- Require mod_nss-1.0.7-2 for mod_proxy fixes
99b6f7
99b6f7 
* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
99b6f7 
- Convert to autotools-based build
99b6f7
99b6f7 
* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
99b6f7
99b6f7 
* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
99b6f7 
- Added support for libipa-dna-plugin
99b6f7
99b6f7 
* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
99b6f7 
- Added support for ipa_kpasswd and ipa_pwd_extop
99b6f7
99b6f7 
* Sun Aug  5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
99b6f7 
- Abstracted client class to work directly or over RPC
99b6f7
99b6f7 
* Wed Aug  1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
99b6f7 
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
99b6f7 
- Remove references to admin server in ipa-server-setupssl
99b6f7 
- Generate a client certificate for the XML-RPC server to connect to LDAP with
99b6f7 
- Create a keytab for Apache
99b6f7 
- Create an ldif with a test user
99b6f7 
- Provide a certmap.conf for doing SSL client authentication
99b6f7
99b6f7 
* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
99b6f7 
- Initial rpm version

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation