rpms / ipa

Clone
Source Code
GIT

Blame SPECS/ipa.spec

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   ff14fa5fa773ff952717b3f34c10385bc54aab66
  2.   SPECS
  3.   ipa.spec
Blob History Raw
e3ffab 
# Define ONLY_CLIENT to only make the ipa-admintools, ipa-client and ipa-python
e3ffab 
# subpackages
99b6f7 
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
99b6f7
403b09 
%if 0%{?rhel}
403b09 
%global with_python3 0
403b09 
%else
403b09 
%global with_python3 1
403b09 
%endif
403b09
e3ffab 
# RHEL spec file only: START
99b6f7 
%ifarch x86_64 %{ix86}
99b6f7 
# Nothing, we want to force just building client on non-Intel
99b6f7 
%else
99b6f7 
%global ONLY_CLIENT 1
99b6f7 
%endif
403b09 
%global VERSION 4.4.0
e3ffab 
# RHEL spec file only: END
e3ffab
e3ffab 
%global alt_name freeipa
e3ffab 
%if 0%{?rhel}
d73e7d 
%global samba_version 4.2.10-1
403b09 
%global selinux_policy_version 3.13.1-70
403b09 
%global slapi_nis_version 0.56.0-4
e3ffab 
%else
403b09 
%global samba_version 2:4.0.5-1
403b09 
%global selinux_policy_version 3.13.1-158.4
403b09 
%global slapi_nis_version 0.56.1
e3ffab 
%endif
99b6f7
590d18 
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
590d18
99b6f7 
%global plugin_dir %{_libdir}/dirsrv/plugins
590d18 
%global etc_systemd_dir %{_sysconfdir}/systemd/system
99b6f7 
%global gettext_domain ipa
e3ffab 
%if 0%{?rhel}
e3ffab 
%global platform_module rhel
e3ffab 
%else
e3ffab 
%global platform_module fedora
e3ffab 
%endif
99b6f7
9991ea 
%define _hardened_build 1
9991ea
99b6f7 
Name:           ipa
403b09 
Version:        4.4.0
ff14fa 
Release:        14%{?dist}.6
99b6f7 
Summary:        The Identity, Policy and Audit system
99b6f7
99b6f7 
Group:          System Environment/Base
99b6f7 
License:        GPLv3+
99b6f7 
URL:            http://www.freeipa.org/
99b6f7 
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
e3ffab 
# RHEL spec file only: START: Change branding to IPA and Identity-Management
ff14fa 
Source1:        header-logo.png
ff14fa 
Source2:        login-screen-background.jpg
ff14fa 
Source3:        login-screen-logo.png
ff14fa 
Source4:        product-name.png
e3ffab 
# RHEL spec file only: END: Change branding to IPA and Identity-Management
99b6f7 
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
99b6f7
e3ffab 
# RHEL spec file only: START
403b09 
Patch0001:      0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch
403b09 
Patch0002:      0002-uninstall-untrack-lightweight-CA-certs.patch
403b09 
Patch0003:      0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch
403b09 
Patch0004:      0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch
403b09 
Patch0005:      0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch
403b09 
Patch0006:      0006-kdb-check-for-local-realm-in-enterprise-principals.patch
403b09 
Patch0007:      0007-Enable-vault-commands-on-client.patch
403b09 
Patch0008:      0008-vault-add-set-the-default-vault-type-on-the-client-s.patch
403b09 
Patch0009:      0009-caacl-expand-plugin-documentation.patch
403b09 
Patch0010:      0010-host-find-do-not-show-SSH-key-by-default.patch
403b09 
Patch0011:      0011-Removed-unused-method-parameter-from-migrate-ds.patch
403b09 
Patch0012:      0012-Preserve-user-principal-aliases-during-rename-operat.patch
403b09 
Patch0013:      0013-messages-specify-message-type-for-ResultFormattingEr.patch
403b09 
Patch0014:      0014-schema-Fix-subtopic-topic-mapping.patch
403b09 
Patch0015:      0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch
403b09 
Patch0016:      0016-Heap-corruption-in-ipapwd-plugin.patch
403b09 
Patch0017:      0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch
403b09 
Patch0018:      0018-frontend-copy-command-arguments-to-output-params-on-.patch
403b09 
Patch0019:      0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch
403b09 
Patch0020:      0020-allow-value-output-param-in-commands-without-primary.patch
403b09 
Patch0021:      0021-server-uninstall-fails-to-remove-krb-principals.patch
403b09 
Patch0022:      0022-expose-secret-option-in-radiusproxy-commands.patch
403b09 
Patch0023:      0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch
403b09 
Patch0024:      0024-trust-add-handle-all-raw-options-properly.patch
403b09 
Patch0025:      0025-unite-log-file-name-of-ipa-ca-install.patch
403b09 
Patch0026:      0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch
403b09 
Patch0027:      0027-help-Add-dnsserver-commands-to-help-topic-dns.patch
403b09 
Patch0028:      0028-DNS-Locations-fix-update-system-records-unpacking-er.patch
403b09 
Patch0029:      0029-Fix-session-cookies.patch
403b09 
Patch0030:      0030-Use-copy-when-replacing-files-to-keep-SELinux-contex.patch
403b09 
Patch0031:      0031-baseldap-Fix-MidairCollision-instantiation-during-en.patch
403b09 
Patch0032:      0032-Create-indexes-for-krbCanonicalName-attribute.patch
403b09 
Patch0033:      0033-harden-the-check-for-trust-namespace-overlap-in-new-.patch
403b09 
Patch0034:      0034-Revert-Enable-vault-commands-on-client.patch
403b09 
Patch0035:      0035-client-fix-hiding-of-commands-which-lack-server-supp.patch
403b09 
Patch0036:      0036-Minor-fix-in-ipa-replica-manage-MAN-page.patch
403b09 
Patch0037:      0037-compat-fix-ping-call.patch
403b09 
Patch0038:      0038-replica-install-Fix-domain.patch
403b09 
Patch0039:      0039-idrange-fix-unassigned-global-variable.patch
403b09 
Patch0040:      0040-re-set-canonical-principal-name-on-migrated-users.patch
403b09 
Patch0041:      0041-Do-not-initialize-API-in-ipa-client-automount-uninst.patch
403b09 
Patch0042:      0042-Correct-path-to-HTTPD-s-systemd-service-directory.patch
403b09 
Patch0043:      0043-vault-Catch-correct-exception-in-decrypt.patch
403b09 
Patch0044:      0044-Increase-default-length-of-auto-generated-passwords.patch
403b09 
Patch0045:      0045-vault-add-missing-salt-option-to-vault_mod.patch
403b09 
Patch0046:      0046-Fix-ipa-hbactest-output.patch
403b09 
Patch0047:      0047-install-fix-external-CA-cert-validation.patch
403b09 
Patch0048:      0048-caacl-fix-regression-in-rule-instantiation.patch
403b09 
Patch0049:      0049-Update-ipa-replica-install-documentation.patch
403b09 
Patch0050:      0050-ipa-kdb-Fix-unit-test-after-packaging-changes-in-krb.patch
403b09 
Patch0051:      0051-Improvements-for-the-ipa-cacert-manage-man-and-help.patch
403b09 
Patch0052:      0052-Revert-spec-add-conflict-with-bind-chroot-to-freeipa.patch
403b09 
Patch0053:      0053-Fix-unicode-characters-in-ca-and-domain-adders.patch
403b09 
Patch0054:      0054-ipa-backup-backup-etc-tmpfiles.d-dirsrv-instance-.co.patch
403b09 
Patch0055:      0055-client-RPM-require-initscripts-to-get-domainname.ser.patch
403b09 
Patch0056:      0056-parameters-move-the-confirm-kwarg-to-Param.patch
403b09 
Patch0057:      0057-client-add-missing-output-params-to-client-side-comm.patch
403b09 
Patch0058:      0058-server-install-Fix-hostname-option-to-always-overrid.patch
403b09 
Patch0059:      0059-install-Call-hostnamectl-set-hostname-only-if-hostna.patch
403b09 
Patch0060:      0060-schema-Speed-up-schema-cache.patch
403b09 
Patch0061:      0061-frontend-Change-doc-summary-topic-and-NO_CLI-to-clas.patch
403b09 
Patch0062:      0062-schema-Introduce-schema-cache-format.patch
403b09 
Patch0063:      0063-schema-Generate-bits-for-help-load-them-on-request.patch
403b09 
Patch0064:      0064-help-Do-not-create-instances-to-get-information-abou.patch
403b09 
Patch0065:      0065-Fix-ipa-caalc-add-service-error-message.patch
403b09 
Patch0066:      0066-Don-t-show-force-ntpd-option-in-replica-install.patch
403b09 
Patch0067:      0067-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
403b09 
Patch0068:      0068-DNS-allow-to-add-forward-zone-to-already-broken-sub-.patch
403b09 
Patch0069:      0069-cert-speed-up-cert-find.patch
403b09 
Patch0070:      0070-cert-do-not-crash-on-invalid-data-in-cert-find.patch
403b09 
Patch0071:      0071-Add-warning-about-only-one-existing-CA-server.patch
403b09 
Patch0072:      0072-Set-servers-list-as-default-facet-in-topology-facet-.patch
403b09 
Patch0073:      0073-schema-cache-Do-not-reset-ServerInfo-dirty-flag.patch
403b09 
Patch0074:      0074-schema-cache-Do-not-read-fingerprint-and-format-from.patch
403b09 
Patch0075:      0075-Access-data-for-help-separately.patch
403b09 
Patch0076:      0076-frontent-Add-summary-class-property-to-CommandOverri.patch
403b09 
Patch0077:      0077-schema-cache-Read-server-info-only-once.patch
403b09 
Patch0078:      0078-schema-cache-Store-API-schema-cache-in-memory.patch
403b09 
Patch0079:      0079-client-Do-not-create-instance-just-to-check-isinstan.patch
403b09 
Patch0080:      0080-schema-cache-Read-schema-instead-of-rewriting-it-whe.patch
403b09 
Patch0081:      0081-schema-check-Check-current-client-language-against-c.patch
403b09 
Patch0082:      0082-Fail-on-topology-disconnect-last-role-removal.patch
403b09 
Patch0083:      0083-server-install-do-not-prompt-for-cert-file-PIN-repea.patch
403b09 
Patch0084:      0084-service-add-flag-to-allow-S4U2Self.patch
403b09 
Patch0085:      0085-Add-trusted-to-auth-as-user-checkbox.patch
403b09 
Patch0086:      0086-Added-new-authentication-method.patch
403b09 
Patch0087:      0087-schema-cache-Fallback-to-en_us-when-locale-is-not-av.patch
403b09 
Patch0088:      0088-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
403b09 
Patch0089:      0089-Fix-container-owner-should-be-able-to-add-vault.patch
403b09 
Patch0090:      0090-ipaserver-dcerpc-reformat-to-make-the-code-closer-to.patch
403b09 
Patch0091:      0091-trust-automatically-resolve-DNS-trust-conflicts-for-.patch
403b09 
Patch0092:      0092-trust-make-sure-external-trust-topology-is-correctly.patch
403b09 
Patch0093:      0093-trust-make-sure-ID-range-is-created-for-the-child-do.patch
403b09 
Patch0094:      0094-ipa-kdb-simplify-trusted-domain-parent-search.patch
403b09 
Patch0095:      0095-Remove-Custodia-server-keys-from-LDAP.patch
403b09 
Patch0096:      0096-Handled-empty-hostname-in-server-del-command.patch
403b09 
Patch0097:      0097-Secure-permissions-of-Custodia-server.keys.patch
403b09 
Patch0098:      0098-Require-httpd-2.4.6-31-with-mod_proxy-Unix-socket-su.patch
403b09 
Patch0099:      0099-Fix-ipa-server-install-in-pure-IPv6-environment.patch
403b09 
Patch0100:      0100-support-multiple-uid-values-in-schema-compatibility-.patch
403b09 
Patch0101:      0101-custodia-include-known-CA-certs-in-the-PKCS-12-file-.patch
403b09 
Patch0102:      0102-otptoken-permission-Convert-custom-type-parameters-o.patch
403b09 
Patch0103:      0103-Raise-DuplicatedEnrty-error-when-user-exists-in-dele.patch
403b09 
Patch0104:      0104-cert-add-missing-param-values-to-cert-find-output.patch
403b09 
Patch0105:      0105-rpcserver-assume-version-1-for-unversioned-command-c.patch
403b09 
Patch0106:      0106-custodia-force-reconnect-before-retrieving-CA-certs-.patch
403b09 
Patch0107:      0107-rpcserver-fix-crash-in-XML-RPC-system-commands.patch
403b09 
Patch0108:      0108-compat-Save-server-s-API-version-in-for-pre-schema-s.patch
403b09 
Patch0109:      0109-compat-Fix-ping-command-call.patch
403b09 
Patch0110:      0110-Fix-man-page-ipa-replica-manage-remove-duplicate-c-o.patch
403b09 
Patch0111:      0111-cert-include-CA-name-in-cert-command-output.patch
403b09 
Patch0112:      0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch
403b09 
Patch0113:      0113-do-not-use-trusted-forest-name-to-construct-domain-a.patch
403b09 
Patch0114:      0114-Always-fetch-forest-info-from-root-DCs-when-establis.patch
403b09 
Patch0115:      0115-factor-out-populate_remote_domain-method-into-module.patch
403b09 
Patch0116:      0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch
403b09 
Patch0117:      0117-cli-use-full-name-when-executing-a-command.patch
403b09 
Patch0118:      0118-Use-RSA-OAEP-instead-of-RSA-PKCS-1-v1.5.patch
403b09 
Patch0119:      0119-Fix-ipa-certupdate-for-CA-less-installation.patch
403b09 
Patch0120:      0120-Track-lightweight-CAs-on-replica-installation.patch
403b09 
Patch0121:      0121-dns-normalize-record-type-read-interactively-in-dnsr.patch
403b09 
Patch0122:      0122-dns-prompt-for-missing-record-parts-in-CLI.patch
403b09 
Patch0123:      0123-dns-fix-crash-in-interactive-mode-against-old-server.patch
403b09 
Patch0124:      0124-schema-cache-Store-and-check-info-for-pre-schema-ser.patch
403b09 
Patch0125:      0125-Fix-parse-errors-with-link-local-addresses.patch
403b09 
Patch0126:      0126-Add-support-for-additional-options-taken-from-table-.patch
403b09 
Patch0127:      0127-WebUI-Fix-showing-certificates-issued-by-sub-CA.patch
403b09 
Patch0128:      0128-WebUI-add-support-for-sub-CAs-while-revoking-certifi.patch
403b09 
Patch0129:      0129-cert-fix-cert-find-certificate-when-the-cert-is-not-.patch
403b09 
Patch0130:      0130-Make-host-service-cert-revocation-aware-of-lightweig.patch
403b09 
Patch0131:      0131-Fix-regression-introduced-in-ipa-certupdate.patch
403b09 
Patch0132:      0132-Start-named-during-configuration-upgrade.patch
403b09 
Patch0133:      0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch
403b09 
Patch0134:      0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch
fef02c 
Patch0135:      0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
fef02c 
Patch0136:      0136-Keep-NSS-trust-flags-of-existing-certificates.patch
fef02c 
Patch0137:      0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
fef02c 
Patch0138:      0138-cert-add-revocation-reason-back-to-cert-find-output.patch
fef02c 
Patch0139:      0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
fef02c 
Patch0140:      0140-Add-cert-checks-in-ipa-server-certinstall.patch
fef02c 
Patch0141:      0141-WebUI-services-without-canonical-name-are-shown-corr.patch
fef02c 
Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
fef02c 
Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
fef02c 
Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
34b659 
Patch0145:      0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
34b659 
Patch0146:      0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
34b659 
Patch0147:      0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
34b659 
Patch0148:      0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
34b659 
Patch0149:      0149-Check-for-conflict-entries-before-raising-domain-lev.patch
34b659 
Patch0150:      0150-certprofile-mod-correctly-authorise-config-update.patch
34b659 
Patch0151:      0151-password-policy-Add-explicit-default-password-policy.patch
34b659 
Patch0152:      0152-ipa-kdb-search-for-password-policies-globally.patch
ff14fa 
Patch0153:      0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
ff14fa 
Patch0154:      0154-wait_for_entry-use-only-DN-as-parameter.patch
ff14fa 
Patch0155:      0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
ff14fa 
Patch0156:      0156-Use-proper-logging-for-error-messages.patch
99b6f7
99b6f7 
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
99b6f7 
Patch1002:      1002-Remove-pkinit-plugin.patch
99b6f7 
Patch1003:      1003-Remove-pkinit-references-from-tool-man-pages.patch
99b6f7 
Patch1004:      1004-Change-branding-to-IPA-and-Identity-Management.patch
99b6f7 
Patch1005:      1005-Remove-pylint-from-build-process.patch
99b6f7 
Patch1006:      1006-Remove-i18test-from-build-process.patch
e3ffab 
Patch1007:      1007-Do-not-build-tests.patch
e3ffab 
Patch1008:      1008-RCUE.patch
403b09 
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
403b09 
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
ff14fa 
Patch1011:      1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
ff14fa 
Patch1012:      1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
e3ffab 
# RHEL spec file only: END
99b6f7
99b6f7 
%if ! %{ONLY_CLIENT}
403b09 
BuildRequires:  389-ds-base-devel >= 1.3.5.6
99b6f7 
BuildRequires:  svrcore-devel
e3ffab 
BuildRequires:  policycoreutils >= 2.1.14-37
99b6f7 
BuildRequires:  systemd-units
e3ffab 
BuildRequires:  samba-devel >= %{samba_version}
99b6f7 
BuildRequires:  samba-python
99b6f7 
BuildRequires:  libtalloc-devel
99b6f7 
BuildRequires:  libtevent-devel
99b6f7 
%endif # ONLY_CLIENT
99b6f7 
BuildRequires:  nspr-devel
99b6f7 
BuildRequires:  nss-devel
99b6f7 
BuildRequires:  openssl-devel
99b6f7 
BuildRequires:  openldap-devel
590d18 
BuildRequires:  krb5-devel >= 1.13
99b6f7 
BuildRequires:  krb5-workstation
99b6f7 
BuildRequires:  libuuid-devel
99b6f7 
BuildRequires:  libcurl-devel >= 7.21.7-2
99b6f7 
BuildRequires:  xmlrpc-c-devel >= 1.27.4
99b6f7 
BuildRequires:  popt-devel
99b6f7 
BuildRequires:  autoconf
99b6f7 
BuildRequires:  automake
99b6f7 
BuildRequires:  m4
99b6f7 
BuildRequires:  libtool
99b6f7 
BuildRequires:  gettext
99b6f7 
BuildRequires:  python-devel
99b6f7 
BuildRequires:  python-ldap
99b6f7 
BuildRequires:  python-setuptools
99b6f7 
BuildRequires:  python-nss
403b09 
BuildRequires:  python-cryptography >= 0.9
99b6f7 
BuildRequires:  python-netaddr
403b09 
BuildRequires:  python-gssapi >= 1.1.2
99b6f7 
BuildRequires:  python-rhsm
99b6f7 
BuildRequires:  pyOpenSSL
e3ffab 
# RHEL spec file only: DELETED: Remove pylint from build process
e3ffab 
# RHEL spec file only: DELETED: Remove i18test from build process
590d18 
BuildRequires:  python-libipa_hbac
99b6f7 
BuildRequires:  python-memcached
99b6f7 
BuildRequires:  python-lxml
99b6f7 
BuildRequires:  python-pyasn1 >= 0.0.9a
e3ffab 
BuildRequires:  python-qrcode-core >= 5.0.0
e3ffab 
BuildRequires:  python-dns >= 1.11.1-2
99b6f7 
BuildRequires:  libsss_idmap-devel
403b09 
BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
e3ffab 
BuildRequires:  java-headless
031d60 
BuildRequires:  rhino
99b6f7 
BuildRequires:  libverto-devel
99b6f7 
BuildRequires:  systemd
99b6f7 
BuildRequires:  libunistring-devel
e3ffab 
# RHEL spec file only: START
99b6f7 
BuildRequires:  diffstat
e3ffab 
# RHEL spec file only: END
e3ffab 
BuildRequires:  python-lesscpy
590d18 
BuildRequires:  python-yubico >= 1.2.3
590d18 
BuildRequires:  openssl-devel
403b09 
BuildRequires:  pki-base >= 10.3.3-7
590d18 
# RHEL spec file only: DELETED: Do not build tests
590d18 
BuildRequires:  python-kdcproxy >= 0.3
403b09 
BuildRequires:  python-six
403b09 
BuildRequires:  python-jwcrypto
403b09 
BuildRequires:  custodia
403b09 
BuildRequires:  libini_config-devel >= 1.2.0
403b09 
BuildRequires:  dbus-python
403b09 
BuildRequires:  python-netifaces >= 0.10.4
403b09
403b09 
# Build dependencies for unit tests
403b09 
BuildRequires:  libcmocka-devel
403b09 
BuildRequires:  nss_wrapper
403b09 
# Required by ipa_kdb_tests
403b09 
BuildRequires:  %{_libdir}/krb5/plugins/kdb/db2.so
403b09
403b09 
%if 0%{?with_python3}
403b09 
BuildRequires:  python3-devel
403b09 
%endif  # with_python3
99b6f7
99b6f7 
%description
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09
99b6f7
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
99b6f7 
%package server
99b6f7 
Summary: The IPA authentication server
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-server-common = %{version}-%{release}
99b6f7 
Requires: %{name}-client = %{version}-%{release}
99b6f7 
Requires: %{name}-admintools = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaserver = %{version}-%{release}
fef02c 
Requires: 389-ds-base >= 1.3.5.10-12
99b6f7 
Requires: openldap-clients > 2.4.35-4
99b6f7 
Requires: nss >= 3.14.3-12.0
99b6f7 
Requires: nss-tools >= 3.14.3-12.0
590d18 
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
99b6f7 
Requires: krb5-pkinit-openssl
99b6f7 
Requires: cyrus-sasl-gssapi%{?_isa}
99b6f7 
Requires: ntp
403b09 
Requires: httpd >= 2.4.6-31
99b6f7 
Requires: mod_wsgi
403b09 
Requires: mod_auth_gssapi >= 1.4.0
9991ea 
Requires: mod_nss >= 1.0.8-26
e3ffab 
Requires: python-ldap >= 2.4.15
403b09 
Requires: python-gssapi >= 1.1.2
99b6f7 
Requires: acl
99b6f7 
Requires: memcached
99b6f7 
Requires: python-memcached
99b6f7 
Requires: systemd-units >= 38
590d18 
Requires(pre): shadow-utils
99b6f7 
Requires(pre): systemd-units
99b6f7 
Requires(post): systemd-units
e3ffab 
Requires: selinux-policy >= %{selinux_policy_version}
590d18 
Requires(post): selinux-policy-base >= %{selinux_policy_version}
403b09 
Requires: slapi-nis >= %{slapi_nis_version}
ff14fa 
Requires: pki-ca >= 10.3.3-17
ff14fa 
Requires: pki-kra >= 10.3.3-17
99b6f7 
Requires(preun): python systemd-units
99b6f7 
Requires(postun): python systemd-units
99b6f7 
Requires: zip
e3ffab 
Requires: policycoreutils >= 2.1.14-37
99b6f7 
Requires: tar
590d18 
Requires(pre): certmonger >= 0.78
fef02c 
Requires(pre): 389-ds-base >= 1.3.5.10-12
e3ffab 
Requires: fontawesome-fonts
e3ffab 
Requires: open-sans-fonts
e0ab38 
Requires: openssl >= 1:1.0.1e-42
590d18 
Requires: softhsm >= 2.0.0rc1-1
590d18 
Requires: p11-kit
590d18 
Requires: systemd-python
590d18 
Requires: %{etc_systemd_dir}
590d18 
Requires: gzip
403b09 
Requires: oddjob
e3ffab
403b09 
Provides: %{alt_name}-server = %{version}
e3ffab 
Conflicts: %{alt_name}-server
e3ffab 
Obsoletes: %{alt_name}-server < %{version}
e3ffab
e3ffab 
# RHEL spec file only: DELETED
99b6f7
590d18 
# upgrade path from monolithic -server to -server + -server-dns
590d18 
Obsoletes: %{name}-server <= 4.2.0-2
99b6f7
99b6f7 
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
99b6f7 
# member.
99b6f7 
Conflicts: nss-pam-ldapd < 0.8.4
99b6f7
e3ffab 
# RHEL spec file only: START: Do not build tests
9991ea 
# ipa-tests subpackage was moved to separate srpm
9991ea 
Conflicts: ipa-tests < 3.3.3-9
e3ffab 
# RHEL spec file only: END: Do not build tests
9991ea
403b09 
# RHEL spec file only: START
403b09 
# https://bugzilla.redhat.com/show_bug.cgi?id=1296140
403b09 
Obsoletes: redhat-access-plugin-ipa
403b09 
Conflicts: redhat-access-plugin-ipa
403b09 
# RHEL spec file only: END
403b09
99b6f7 
%description server
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
403b09
403b09
403b09 
%package -n python2-ipaserver
403b09 
Summary: Python libraries used by IPA server
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Provides: python-ipaserver = %{version}-%{release}
403b09 
Requires: %{name}-server-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaclient = %{version}-%{release}
403b09 
Requires: python-ldap >= 2.4.15
403b09 
Requires: python-gssapi >= 1.1.2
403b09 
Requires: python-sssdconfig
403b09 
Requires: python-pyasn1
403b09 
Requires: dbus-python
403b09 
Requires: python-dns >= 1.11.1-2
403b09 
Requires: python-kdcproxy >= 0.3
403b09 
Requires: rpm-libs
403b09
403b09 
%description -n python2-ipaserver
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
403b09
403b09
403b09 
%package server-common
403b09 
Summary: Common files used by IPA server
403b09 
Group: System Environment/Base
403b09 
BuildArch: noarch
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: httpd >= 2.4.6-31
403b09 
Requires: systemd-units >= 38
403b09 
Requires: custodia
403b09
403b09 
Provides: %{alt_name}-server-common = %{version}
403b09 
Conflicts: %{alt_name}-server-common
403b09 
Obsoletes: %{alt_name}-server-common < %{version}
403b09
403b09 
%description server-common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are installing an IPA server, you need to install this package.
99b6f7
99b6f7
590d18 
%package server-dns
590d18 
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
590d18 
Group: System Environment/Base
403b09 
BuildArch: noarch
590d18 
Requires: %{name}-server = %{version}-%{release}
403b09 
Requires: bind-dyndb-ldap >= 10.0
590d18 
%if 0%{?fedora} >= 21
590d18 
Requires: bind >= 9.9.6-3
590d18 
Requires: bind-utils >= 9.9.6-3
590d18 
Requires: bind-pkcs11 >= 9.9.6-3
590d18 
Requires: bind-pkcs11-utils >= 9.9.6-3
590d18 
%else
590d18 
Requires: bind >= 9.9.4-21
590d18 
Requires: bind-utils >= 9.9.4-21
590d18 
Requires: bind-pkcs11 >= 9.9.4-21
590d18 
Requires: bind-pkcs11-utils >= 9.9.4-21
590d18 
%endif
590d18 
Requires: opendnssec >= 1.4.6-4
590d18
403b09 
Provides: %{alt_name}-server-dns = %{version}
590d18 
Conflicts: %{alt_name}-server-dns
590d18 
Obsoletes: %{alt_name}-server-dns < %{version}
590d18
590d18 
# upgrade path from monolithic -server to -server + -server-dns
590d18 
Obsoletes: %{name}-server <= 4.2.0-2
590d18
590d18 
%description server-dns
590d18 
IPA integrated DNS server with support for automatic DNSSEC signing.
590d18 
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
590d18
590d18
99b6f7 
%package server-trust-ad
99b6f7 
Summary: Virtual package to install packages required for Active Directory trusts
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-server = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
99b6f7 
Requires: samba-python
e3ffab 
Requires: samba >= %{samba_version}
99b6f7 
Requires: samba-winbind
99b6f7 
Requires: libsss_idmap
590d18 
Requires: python-libsss_nss_idmap
590d18 
Requires: python-sss
99b6f7 
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
99b6f7 
# on the installes where server-trust-ad subpackage is installed because
99b6f7 
# IPA AD trusts cannot be used at the same time with the locator plugin
99b6f7 
# since Winbindd will be configured in a different mode
99b6f7 
Requires(post): %{_sbindir}/update-alternatives
99b6f7 
Requires(post): python
99b6f7 
Requires(postun): %{_sbindir}/update-alternatives
99b6f7 
Requires(preun): %{_sbindir}/update-alternatives
99b6f7
403b09 
Provides: %{alt_name}-server-trust-ad = %{version}
e3ffab 
Conflicts: %{alt_name}-server-trust-ad
e3ffab 
Obsoletes: %{alt_name}-server-trust-ad < %{version}
e3ffab
99b6f7 
%description server-trust-ad
99b6f7 
Cross-realm trusts with Active Directory in IPA require working Samba 4
99b6f7 
installation. This package is provided for convenience to install all required
99b6f7 
dependencies at once.
99b6f7
99b6f7 
%endif # ONLY_CLIENT
99b6f7
99b6f7
99b6f7 
%package client
99b6f7 
Summary: IPA authentication for use on clients
99b6f7 
Group: System Environment/Base
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipaclient = %{version}-%{release}
99b6f7 
Requires: python-ldap
99b6f7 
Requires: cyrus-sasl-gssapi%{?_isa}
99b6f7 
Requires: ntp
99b6f7 
Requires: krb5-workstation
99b6f7 
Requires: authconfig
99b6f7 
Requires: pam_krb5
403b09 
Requires: curl
403b09 
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
403b09 
Requires: initscripts
99b6f7 
Requires: libcurl >= 7.21.7-2
99b6f7 
Requires: xmlrpc-c >= 1.27.4
403b09 
Requires: sssd >= 1.14.0
590d18 
Requires: python-sssdconfig
590d18 
Requires: certmonger >= 0.78
99b6f7 
Requires: nss-tools
99b6f7 
Requires: bind-utils
99b6f7 
Requires: oddjob-mkhomedir
403b09 
Requires: python-gssapi >= 1.1.2
99b6f7 
Requires: libsss_autofs
99b6f7 
Requires: autofs
99b6f7 
Requires: libnfsidmap
99b6f7 
Requires: nfs-utils
99b6f7 
Requires(post): policycoreutils
99b6f7
403b09 
Provides: %{alt_name}-client = %{version}
e3ffab 
Conflicts: %{alt_name}-client
e3ffab 
Obsoletes: %{alt_name}-client < %{version}
e3ffab
99b6f7 
%description client
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
403b09
403b09
403b09 
%package -n python2-ipaclient
403b09 
Summary: Python libraries used by IPA client
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Provides: python-ipaclient = %{version}-%{release}
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipalib = %{version}-%{release}
403b09 
Requires: python-dns >= 1.11.1-2
403b09
403b09 
%description -n python2-ipaclient
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%package -n python3-ipaclient
403b09 
Summary: Python libraries used by IPA client
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Requires: %{name}-client-common = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python3-ipalib = %{version}-%{release}
403b09 
Requires: python3-dns >= 1.11.1
403b09
403b09 
%description -n python3-ipaclient
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
403b09
403b09 
%endif  # with_python3
403b09
403b09
403b09 
%package client-common
403b09 
Summary: Common files used by IPA client
403b09 
Group: System Environment/Base
403b09 
BuildArch: noarch
403b09
403b09 
Provides: %{alt_name}-client-common = %{version}
403b09 
Conflicts: %{alt_name}-client-common
403b09 
Obsoletes: %{alt_name}-client-common < %{version}
403b09
403b09 
%description client-common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If your network uses IPA for authentication, this package should be
403b09 
installed on every client machine.
99b6f7
99b6f7
99b6f7 
%package admintools
99b6f7 
Summary: IPA administrative tools
99b6f7 
Group: System Environment/Base
403b09 
BuildArch: noarch
403b09 
Requires: python2-ipaclient = %{version}-%{release}
99b6f7 
Requires: python-ldap
99b6f7
403b09 
Provides: %{alt_name}-admintools = %{version}
e3ffab 
Conflicts: %{alt_name}-admintools
e3ffab 
Obsoletes: %{alt_name}-admintools < %{version}
e3ffab
99b6f7 
%description admintools
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
This package provides command-line tools for IPA administrators.
99b6f7
403b09
403b09 
%package python-compat
403b09 
Summary: Compatiblity package for Python libraries used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Obsoletes: %{name}-python < 4.2.91
403b09 
Provides: %{name}-python = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python2-ipalib = %{version}-%{release}
403b09
403b09 
Provides: %{alt_name}-python-compat = %{version}
403b09 
Conflicts: %{alt_name}-python-compat
403b09 
Obsoletes: %{alt_name}-python-compat < %{version}
403b09
403b09 
Obsoletes: %{alt_name}-python < 4.2.91
403b09 
Provides: %{alt_name}-python = %{version}
403b09
403b09 
%description python-compat
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
This is a compatibility package to accommodate %{name}-python split into
403b09 
python2-ipalib and %{name}-common. Packages still depending on
403b09 
%{name}-python should be fixed to depend on python2-ipaclient or
403b09 
%{name}-common instead.
403b09
403b09
403b09 
%package -n python2-ipalib
99b6f7 
Summary: Python libraries used by IPA
99b6f7 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Conflicts: %{name}-python < 4.2.91
403b09 
Provides: python-ipalib = %{version}-%{release}
403b09 
Provides: python2-ipapython = %{version}-%{release}
403b09 
Provides: python-ipapython = %{version}-%{release}
403b09 
Provides: python2-ipaplatform = %{version}-%{release}
403b09 
Provides: python-ipaplatform = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python-gssapi >= 1.1.2
99b6f7 
Requires: gnupg
99b6f7 
Requires: keyutils
99b6f7 
Requires: pyOpenSSL
e3ffab 
Requires: python-nss >= 0.16
403b09 
Requires: python-cryptography >= 0.9
99b6f7 
Requires: python-lxml
99b6f7 
Requires: python-netaddr
590d18 
Requires: python-libipa_hbac
e3ffab 
Requires: python-qrcode-core >= 5.0.0
e3ffab 
Requires: python-pyasn1
e3ffab 
Requires: python-dateutil
590d18 
Requires: python-yubico >= 1.2.3
590d18 
Requires: python-sss-murmur
590d18 
Requires: dbus-python
590d18 
Requires: python-setuptools
403b09 
Requires: python-six
403b09 
Requires: python-jwcrypto
403b09 
Requires: python-cffi
403b09 
Requires: python-ldap >= 2.4.15
403b09 
Requires: python-requests
403b09 
Requires: python-custodia
403b09 
Requires: python-dns >= 1.11.1-2
403b09 
Requires: python-netifaces >= 0.10.4
403b09 
Requires: pyusb
403b09
403b09 
Conflicts: %{alt_name}-python < %{version}
403b09
403b09 
%description -n python2-ipalib
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA, you need to install this package.
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%package -n python3-ipalib
403b09 
Summary: Python3 libraries used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Provides: python3-ipapython = %{version}-%{release}
403b09 
Provides: python3-ipaplatform = %{version}-%{release}
403b09 
Requires: %{name}-common = %{version}-%{release}
403b09 
Requires: python3-gssapi >= 1.1.2
403b09 
Requires: gnupg
403b09 
Requires: keyutils
403b09 
Requires: python3-pyOpenSSL
403b09 
Requires: python3-nss >= 0.16
403b09 
Requires: python3-cryptography
403b09 
Requires: python3-lxml
403b09 
Requires: python3-netaddr
403b09 
Requires: python3-libipa_hbac
403b09 
Requires: python3-qrcode-core >= 5.0.0
403b09 
Requires: python3-pyasn1
403b09 
Requires: python3-dateutil
403b09 
Requires: python3-yubico >= 1.2.3
403b09 
Requires: python3-sss-murmur
403b09 
Requires: python3-dbus
403b09 
Requires: python3-setuptools
403b09 
Requires: python3-six
403b09 
Requires: python3-jwcrypto
403b09 
Requires: python3-cffi
403b09 
Requires: python3-pyldap >= 2.4.15
403b09 
Requires: python3-custodia
403b09 
Requires: python3-requests
403b09 
Requires: python3-dns >= 1.11.1
403b09 
Requires: python3-netifaces >= 0.10.4
403b09 
Requires: python3-pyusb
403b09
403b09 
%description -n python3-ipalib
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA with Python 3, you need to install this package.
403b09
403b09 
%endif # with_python3
403b09
403b09
403b09 
%package common
403b09 
Summary: Common files used by IPA
403b09 
Group: System Environment/Libraries
403b09 
BuildArch: noarch
403b09 
Conflicts: %{name}-python < 4.2.91
403b09
403b09 
Provides: %{alt_name}-common = %{version}
403b09 
Conflicts: %{alt_name}-common
403b09 
Obsoletes: %{alt_name}-common < %{version}
403b09
403b09 
Conflicts: %{alt_name}-python < %{version}
e3ffab
403b09 
%description common
403b09 
IPA is an integrated solution to provide centrally managed Identity (users,
403b09 
hosts, services), Authentication (SSO, 2FA), and Authorization
403b09 
(host access control, SELinux user roles, services). The solution provides
403b09 
features for further integration with Linux based clients (SUDO, automount)
403b09 
and integration with Active Directory based infrastructures (Trusts).
403b09 
If you are using IPA, you need to install this package.
99b6f7
99b6f7
e3ffab 
# RHEL spec file only: DELETED: Do not build tests
e3ffab
e3ffab
99b6f7 
%prep
99b6f7 
# RHEL spec file only: START
99b6f7 
# Update timestamps on the files touched by a patch, to avoid non-equal
99b6f7 
# .pyc/.pyo files across the multilib peers within a build, where "Level"
99b6f7 
# is the patch prefix option (e.g. -p1)
99b6f7 
# Taken from specfile for sssd and python-simplejson
99b6f7 
UpdateTimestamps() {
99b6f7 
  Level=$1
99b6f7 
  PatchFile=$2
99b6f7
99b6f7 
  # Locate the affected files:
99b6f7 
  for f in $(diffstat $Level -l $PatchFile); do
99b6f7 
    # Set the files to have the same timestamp as that of the patch:
99b6f7 
    touch -r $PatchFile $f
99b6f7 
  done
99b6f7 
}
99b6f7
99b6f7 
%setup -n freeipa-%{VERSION} -q
99b6f7
99b6f7 
for p in %patches ; do
99b6f7 
    %__patch -p1 -i $p
99b6f7 
    UpdateTimestamps -p1 $p
99b6f7 
done
e3ffab
e3ffab 
# Red Hat's Identity Management branding
ff14fa 
cp %SOURCE1 install/ui/images/header-logo.png
ff14fa 
cp %SOURCE2 install/ui/images/login-screen-background.jpg
ff14fa 
cp %SOURCE3 install/ui/images/login-screen-logo.png
ff14fa 
cp %SOURCE4 install/ui/images/product-name.png
99b6f7 
# RHEL spec file only: END
99b6f7
403b09
99b6f7 
%build
e3ffab 
# UI compilation segfaulted on some arches when the stack was lower (#1040576)
e3ffab 
export JAVA_STACK_SIZE="8m"
e3ffab
9991ea 
export CFLAGS="%{optflags} $CFLAGS"
9991ea 
export LDFLAGS="%{__global_ldflags} $LDFLAGS"
e3ffab 
export SUPPORTED_PLATFORM=%{platform_module}
e3ffab
99b6f7 
# Force re-generate of platform support
e3ffab 
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
e3ffab 
rm -f ipapython/version.py
e3ffab 
rm -f ipaplatform/services.py
e3ffab 
rm -f ipaplatform/tasks.py
e3ffab 
rm -f ipaplatform/paths.py
590d18 
rm -f ipaplatform/constants.py
99b6f7 
make version-update
403b09 
cd client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
99b6f7 
%if ! %{ONLY_CLIENT}
0201d8 
# RHEL SPEC file only: START: Force re-generation of the makefiles
0201d8 
find daemons -name Makefile.in |egrep -v '(libotp|lockout|otp-counter|lasttoken)'|xargs rm -f
0201d8 
# RHEL SPEC file only: END: Force re-generation of the makefiles
99b6f7 
cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
99b6f7 
cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
99b6f7 
%endif # ONLY_CLIENT
99b6f7
99b6f7 
%if ! %{ONLY_CLIENT}
99b6f7 
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
99b6f7 
%else
99b6f7 
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
403b09 
%check
403b09 
%if ! %{ONLY_CLIENT}
403b09 
make %{?_smp_mflags} check VERBOSE=yes
403b09 
%else
403b09 
make %{?_smp_mflags} client-check VERBOSE=yes
403b09 
%endif # ONLY_CLIENT
403b09
403b09
99b6f7 
%install
99b6f7 
rm -rf %{buildroot}
e3ffab 
export SUPPORTED_PLATFORM=%{platform_module}
99b6f7 
# Force re-generate of platform support
e3ffab 
export IPA_VENDOR_VERSION_SUFFIX=-%{release}
e3ffab 
rm -f ipapython/version.py
e3ffab 
rm -f ipaplatform/services.py
e3ffab 
rm -f ipaplatform/tasks.py
e3ffab 
rm -f ipaplatform/paths.py
590d18 
rm -f ipaplatform/constants.py
e3ffab 
make version-update
99b6f7 
%if ! %{ONLY_CLIENT}
99b6f7 
make install DESTDIR=%{buildroot}
403b09
403b09 
# RHEL spec file only: DELETED: Do not build tests
403b09
99b6f7 
%else
99b6f7 
make client-install DESTDIR=%{buildroot}
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09 
%if 0%{?with_python3}
403b09 
(cd ipalib && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
403b09 
(cd ipapython && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
403b09 
(cd ipaplatform && %{__python3} setup.py install --root %{buildroot})
403b09 
(cd ipaclient && %{__python3} setup.py install --root %{buildroot})
403b09 
%endif # with_python3
403b09
403b09 
# Switch shebang of /usr/bin/ipa
403b09 
# XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2
403b09 
# in any case
403b09 
sed -i -e'1s/python\(3\|$\)/python2/' %{buildroot}%{_bindir}/ipa
403b09
403b09 
%find_lang %{gettext_domain}
99b6f7
e3ffab 
mkdir -p %{buildroot}%{_usr}/share/ipa
e3ffab
99b6f7 
%if ! %{ONLY_CLIENT}
99b6f7 
# Remove .la files from libtool - we don't want to package
99b6f7 
# these files
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_dns.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
99b6f7 
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
e3ffab 
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
e3ffab 
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
590d18 
rm %{buildroot}/%{plugin_dir}/libtopology.la
99b6f7 
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
99b6f7 
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
99b6f7
99b6f7 
# Some user-modifiable HTML files are provided. Move these to /etc
99b6f7 
# and link back.
99b6f7 
mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
99b6f7 
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
99b6f7 
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
99b6f7 
mkdir %{buildroot}%{_usr}/share/ipa/html/
99b6f7 
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
99b6f7 
    %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
99b6f7 
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig_page.js \
99b6f7 
    %{buildroot}%{_usr}/share/ipa/html/ffconfig_page.js
99b6f7 
ln -s ../../../..%{_sysconfdir}/ipa/html/ssbrowser.html \
99b6f7 
    %{buildroot}%{_usr}/share/ipa/html/ssbrowser.html
99b6f7 
ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
99b6f7 
    %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
99b6f7 
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
99b6f7 
    %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
99b6f7
99b6f7 
# So we can own our Apache configuration
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
590d18 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
99b6f7 
mkdir -p %{buildroot}%{_usr}/share/ipa/html/
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
99b6f7 
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
99b6f7 
mkdir -p %{buildroot}%{_initrddir}
99b6f7 
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
99b6f7 
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
590d18 
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
590d18 
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
590d18 
install -m 644 daemons/dnssec/ipa-ods-exporter.socket %{buildroot}%{_unitdir}/ipa-ods-exporter.socket
590d18 
install -m 644 daemons/dnssec/ipa-ods-exporter.service %{buildroot}%{_unitdir}/ipa-ods-exporter.service
590d18 
install -m 644 daemons/dnssec/ipa-dnskeysyncd.service %{buildroot}%{_unitdir}/ipa-dnskeysyncd.service
e3ffab
e3ffab 
# dnssec daemons
e3ffab 
mkdir -p %{buildroot}%{_libexecdir}/ipa/
590d18 
install daemons/dnssec/ipa-dnskeysyncd %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysyncd
590d18 
install daemons/dnssec/ipa-dnskeysync-replica %{buildroot}%{_libexecdir}/ipa/ipa-dnskeysync-replica
590d18 
install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-exporter
99b6f7
99b6f7 
# Web UI plugin dir
99b6f7 
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
99b6f7
403b09 
# DNSSEC config
403b09 
mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
403b09
590d18 
# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
590d18 
mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
590d18 
install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
590d18
99b6f7 
# NOTE: systemd specific section
e3ffab 
mkdir -p %{buildroot}%{_tmpfilesdir}
e3ffab 
install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
99b6f7 
# END
99b6f7
99b6f7 
mkdir -p %{buildroot}%{_localstatedir}/run/
99b6f7 
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
99b6f7 
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
590d18 
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
590d18 
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
590d18 
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
99b6f7
99b6f7 
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
99b6f7 
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
99b6f7
99b6f7 
# NOTE: systemd specific section
99b6f7 
mkdir -p %{buildroot}%{_unitdir}
590d18 
mkdir -p %{buildroot}%{etc_systemd_dir}
99b6f7 
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
99b6f7 
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
403b09 
install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
99b6f7 
# END
e3ffab 
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
99b6f7 
%endif # ONLY_CLIENT
99b6f7
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/ipa/
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
99b6f7 
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
e3ffab 
mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb
99b6f7 
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
99b6f7 
install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
e3ffab
e3ffab 
%if ! %{ONLY_CLIENT}
99b6f7 
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
99b6f7
99b6f7 
(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f  | \
99b6f7 
    sed -e 's,\.py.*$,.*,g' | sort -u | \
99b6f7 
    sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
e3ffab
e3ffab 
# RHEL spec file only: DELETED: Do not build tests
403b09
403b09 
mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia
403b09
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%clean
99b6f7 
rm -rf %{buildroot}
99b6f7
403b09
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
99b6f7 
%post server
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl --system daemon-reload 2>&1 || :
99b6f7 
# END
99b6f7 
if [ $1 -gt 1 ] ; then
99b6f7 
    /bin/systemctl condrestart certmonger.service 2>&1 || :
99b6f7 
fi
403b09 
/bin/systemctl reload-or-try-restart dbus
403b09 
/bin/systemctl reload-or-try-restart oddjobd
99b6f7
99b6f7
403b09 
%posttrans server
403b09 
# don't execute upgrade and restart of IPA when server is not installed
e3ffab 
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
403b09
99b6f7 
if [  $? -eq 0 ]; then
403b09 
    # This must be run in posttrans so that updates from previous
403b09 
    # execution that may no longer be shipped are not applied.
403b09 
    /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
403b09
403b09 
    # Restart IPA processes. This must be also run in postrans so that plugins
403b09 
    # and software is in consistent state
403b09 
    # NOTE: systemd specific section
403b09
e3ffab 
    /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
e3ffab 
    if [  $? -eq 0 ]; then
e3ffab 
        /bin/systemctl restart ipa.service >/dev/null 2>&1 || :
e3ffab 
    fi
99b6f7 
fi
99b6f7 
# END
99b6f7
403b09
99b6f7 
%preun server
99b6f7 
if [ $1 = 0 ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl --quiet stop ipa.service || :
99b6f7 
    /bin/systemctl --quiet disable ipa.service || :
403b09 
    /bin/systemctl reload-or-try-restart dbus
403b09 
    /bin/systemctl reload-or-try-restart oddjobd
99b6f7 
# END
99b6f7 
fi
99b6f7
403b09
99b6f7 
%pre server
99b6f7 
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
99b6f7 
# zombie process when we're done.
99b6f7 
if [ -e /usr/sbin/ipa_kpasswd ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
99b6f7 
# END
99b6f7 
fi
99b6f7
403b09
99b6f7 
%postun server-trust-ad
99b6f7 
if [ "$1" -ge "1" ]; then
99b6f7 
    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
99b6f7 
        %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
99b6f7 
    fi
99b6f7 
fi
99b6f7
403b09
99b6f7 
%post server-trust-ad
99b6f7 
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
99b6f7 
        winbind_krb5_locator.so /dev/null 90
590d18 
/bin/systemctl reload-or-try-restart dbus
590d18 
/bin/systemctl reload-or-try-restart oddjobd
99b6f7
403b09
99b6f7 
%posttrans server-trust-ad
e3ffab 
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
99b6f7 
if [  $? -eq 0 ]; then
99b6f7 
# NOTE: systemd specific section
99b6f7 
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
99b6f7 
# END
99b6f7 
fi
99b6f7
403b09
99b6f7 
%preun server-trust-ad
99b6f7 
if [ $1 -eq 0 ]; then
99b6f7 
    %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
590d18 
    /bin/systemctl reload-or-try-restart dbus
590d18 
    /bin/systemctl reload-or-try-restart oddjobd
99b6f7 
fi
e3ffab
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%post client
99b6f7 
if [ $1 -gt 1 ] ; then
99b6f7 
    # Has the client been configured?
99b6f7 
    restore=0
99b6f7 
    test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
99b6f7
99b6f7 
    if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
99b6f7 
        if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
99b6f7 
            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
99b6f7 
            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
590d18 
            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
99b6f7 
        fi
99b6f7 
    fi
e3ffab
e3ffab 
    if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
e3ffab 
        if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
e3ffab 
            sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
590d18 
            mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
e3ffab
e3ffab 
            /bin/systemctl condrestart ntpd.service 2>&1 || :
e3ffab 
        fi
e3ffab 
    fi
e3ffab
403b09 
    if [ $restore -ge 2 ]; then
403b09 
        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
e3ffab 
    fi
99b6f7 
fi
99b6f7
403b09
403b09 
%triggerin client -- openssh-server
99b6f7 
# Has the client been configured?
99b6f7 
restore=0
99b6f7 
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
99b6f7
99b6f7 
if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
99b6f7 
    if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
99b6f7 
        sed -r '
99b6f7 
            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
99b6f7 
        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew
99b6f7
99b6f7 
        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
99b6f7 
            sed -ri '
99b6f7 
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
99b6f7 
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
99b6f7 
        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
99b6f7 
            sed -ri '
99b6f7 
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
99b6f7 
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
99b6f7 
        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
99b6f7 
            sed -ri '
99b6f7 
                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
99b6f7 
                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
99b6f7 
            ' /etc/ssh/sshd_config.ipanew
99b6f7 
        fi
99b6f7
590d18 
        mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
99b6f7 
        chmod 600 /etc/ssh/sshd_config
99b6f7
99b6f7 
        /bin/systemctl condrestart sshd.service 2>&1 || :
99b6f7 
    fi
99b6f7 
fi
99b6f7
403b09
99b6f7 
%if ! %{ONLY_CLIENT}
403b09
403b09 
%files server
99b6f7 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
e3ffab 
%{_sbindir}/ipa-backup
e3ffab 
%{_sbindir}/ipa-restore
99b6f7 
%{_sbindir}/ipa-ca-install
590d18 
%{_sbindir}/ipa-kra-install
99b6f7 
%{_sbindir}/ipa-server-install
99b6f7 
%{_sbindir}/ipa-replica-conncheck
99b6f7 
%{_sbindir}/ipa-replica-install
99b6f7 
%{_sbindir}/ipa-replica-prepare
99b6f7 
%{_sbindir}/ipa-replica-manage
99b6f7 
%{_sbindir}/ipa-csreplica-manage
99b6f7 
%{_sbindir}/ipa-server-certinstall
590d18 
%{_sbindir}/ipa-server-upgrade
99b6f7 
%{_sbindir}/ipa-ldap-updater
e3ffab 
%{_sbindir}/ipa-otptoken-import
99b6f7 
%{_sbindir}/ipa-compat-manage
99b6f7 
%{_sbindir}/ipa-nis-manage
99b6f7 
%{_sbindir}/ipa-managed-entries
99b6f7 
%{_sbindir}/ipactl
99b6f7 
%{_sbindir}/ipa-upgradeconfig
99b6f7 
%{_sbindir}/ipa-advise
e3ffab 
%{_sbindir}/ipa-cacert-manage
590d18 
%{_sbindir}/ipa-winsync-migrate
e3ffab 
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
e3ffab 
%{_libexecdir}/certmonger/ipa-server-guard
99b6f7 
%{_libexecdir}/ipa-otpd
e3ffab 
%dir %{_libexecdir}/ipa
590d18 
%{_libexecdir}/ipa/ipa-dnskeysyncd
590d18 
%{_libexecdir}/ipa/ipa-dnskeysync-replica
590d18 
%{_libexecdir}/ipa/ipa-ods-exporter
590d18 
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
403b09 
%{_libexecdir}/ipa/ipa-pki-retrieve-key
403b09 
%dir %{_libexecdir}/ipa/oddjob
403b09 
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
403b09 
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
403b09 
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
403b09 
%dir %{_libexecdir}/ipa/certmonger
403b09 
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
99b6f7 
# NOTE: systemd specific section
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa.service
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
99b6f7 
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
590d18 
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
590d18 
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
590d18 
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
e3ffab 
# END
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
403b09 
%attr(755,root,root) %{plugin_dir}/libtopology.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
403b09 
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
403b09 
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
403b09 
%{_mandir}/man1/ipa-replica-conncheck.1.gz
403b09 
%{_mandir}/man1/ipa-replica-install.1.gz
403b09 
%{_mandir}/man1/ipa-replica-manage.1.gz
403b09 
%{_mandir}/man1/ipa-csreplica-manage.1.gz
403b09 
%{_mandir}/man1/ipa-replica-prepare.1.gz
403b09 
%{_mandir}/man1/ipa-server-certinstall.1.gz
403b09 
%{_mandir}/man1/ipa-server-install.1.gz
403b09 
%{_mandir}/man1/ipa-server-upgrade.1.gz
403b09 
%{_mandir}/man1/ipa-ca-install.1.gz
403b09 
%{_mandir}/man1/ipa-kra-install.1.gz
403b09 
%{_mandir}/man1/ipa-compat-manage.1.gz
403b09 
%{_mandir}/man1/ipa-nis-manage.1.gz
403b09 
%{_mandir}/man1/ipa-managed-entries.1.gz
403b09 
%{_mandir}/man1/ipa-ldap-updater.1.gz
403b09 
%{_mandir}/man8/ipactl.8.gz
403b09 
%{_mandir}/man8/ipa-upgradeconfig.8.gz
403b09 
%{_mandir}/man1/ipa-backup.1.gz
403b09 
%{_mandir}/man1/ipa-restore.1.gz
403b09 
%{_mandir}/man1/ipa-advise.1.gz
403b09 
%{_mandir}/man1/ipa-otptoken-import.1.gz
403b09 
%{_mandir}/man1/ipa-cacert-manage.1.gz
403b09 
%{_mandir}/man1/ipa-winsync-migrate.1.gz
403b09
403b09
403b09 
%files -n python2-ipaserver -f server-python.list
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09 
%{python_sitelib}/freeipa-*.egg-info
99b6f7 
%dir %{python_sitelib}/ipaserver
99b6f7 
%dir %{python_sitelib}/ipaserver/install
99b6f7 
%dir %{python_sitelib}/ipaserver/install/plugins
590d18 
%dir %{python_sitelib}/ipaserver/install/server
99b6f7 
%dir %{python_sitelib}/ipaserver/advise
99b6f7 
%dir %{python_sitelib}/ipaserver/advise/plugins
99b6f7 
%dir %{python_sitelib}/ipaserver/plugins
403b09
403b09
403b09 
%files server-common
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09 
%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
403b09 
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
403b09 
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
403b09 
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
403b09 
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
403b09 
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
403b09 
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
403b09 
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
403b09 
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
403b09 
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
403b09 
# NOTE: systemd specific section
403b09 
%{_tmpfilesdir}/%{name}.conf
403b09 
%attr(644,root,root) %{_unitdir}/ipa_memcached.service
403b09 
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
403b09 
%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
403b09 
# END
99b6f7 
%dir %{_usr}/share/ipa
99b6f7 
%{_usr}/share/ipa/wsgi.py*
99b6f7 
%{_usr}/share/ipa/copy-schema-to-ca.py*
99b6f7 
%{_usr}/share/ipa/*.ldif
99b6f7 
%{_usr}/share/ipa/*.uldif
99b6f7 
%{_usr}/share/ipa/*.template
99b6f7 
%dir %{_usr}/share/ipa/advise
99b6f7 
%dir %{_usr}/share/ipa/advise/legacy
99b6f7 
%{_usr}/share/ipa/advise/legacy/*.template
590d18 
%dir %{_usr}/share/ipa/profiles
590d18 
%{_usr}/share/ipa/profiles/*.cfg
99b6f7 
%dir %{_usr}/share/ipa/ffextension
99b6f7 
%{_usr}/share/ipa/ffextension/bootstrap.js
99b6f7 
%{_usr}/share/ipa/ffextension/install.rdf
99b6f7 
%{_usr}/share/ipa/ffextension/chrome.manifest
99b6f7 
%dir %{_usr}/share/ipa/ffextension/chrome
99b6f7 
%dir %{_usr}/share/ipa/ffextension/chrome/content
99b6f7 
%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth.js
99b6f7 
%{_usr}/share/ipa/ffextension/chrome/content/kerberosauth_overlay.xul
99b6f7 
%dir %{_usr}/share/ipa/ffextension/locale
99b6f7 
%dir %{_usr}/share/ipa/ffextension/locale/en-US
99b6f7 
%{_usr}/share/ipa/ffextension/locale/en-US/kerberosauth.properties
99b6f7 
%dir %{_usr}/share/ipa/html
99b6f7 
%{_usr}/share/ipa/html/ffconfig.js
99b6f7 
%{_usr}/share/ipa/html/ffconfig_page.js
99b6f7 
%{_usr}/share/ipa/html/ssbrowser.html
99b6f7 
%{_usr}/share/ipa/html/browserconfig.html
99b6f7 
%{_usr}/share/ipa/html/unauthorized.html
99b6f7 
%dir %{_usr}/share/ipa/migration
99b6f7 
%{_usr}/share/ipa/migration/error.html
99b6f7 
%{_usr}/share/ipa/migration/index.html
99b6f7 
%{_usr}/share/ipa/migration/invalid.html
99b6f7 
%{_usr}/share/ipa/migration/migration.py*
99b6f7 
%dir %{_usr}/share/ipa/ui
99b6f7 
%{_usr}/share/ipa/ui/index.html
99b6f7 
%{_usr}/share/ipa/ui/reset_password.html
e3ffab 
%{_usr}/share/ipa/ui/sync_otp.html
99b6f7 
%{_usr}/share/ipa/ui/*.ico
99b6f7 
%{_usr}/share/ipa/ui/*.css
99b6f7 
%{_usr}/share/ipa/ui/*.js
e3ffab 
%dir %{_usr}/share/ipa/ui/css
e3ffab 
%{_usr}/share/ipa/ui/css/*.css
9991ea 
%dir %{_usr}/share/ipa/ui/js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/dojo
99b6f7 
%{_usr}/share/ipa/ui/js/dojo/dojo.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/libs
99b6f7 
%{_usr}/share/ipa/ui/js/libs/*.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/freeipa
99b6f7 
%{_usr}/share/ipa/ui/js/freeipa/app.js
e3ffab 
%{_usr}/share/ipa/ui/js/freeipa/core.js
99b6f7 
%dir %{_usr}/share/ipa/ui/js/plugins
99b6f7 
%dir %{_usr}/share/ipa/ui/images
e3ffab 
%{_usr}/share/ipa/ui/images/*.jpg
99b6f7 
%{_usr}/share/ipa/ui/images/*.png
99b6f7 
%dir %{_usr}/share/ipa/wsgi
99b6f7 
%{_usr}/share/ipa/wsgi/plugins.py*
99b6f7 
%dir %{_sysconfdir}/ipa
99b6f7 
%dir %{_sysconfdir}/ipa/html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
99b6f7 
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
590d18 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
590d18 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
99b6f7 
%{_usr}/share/ipa/ipa.conf
99b6f7 
%{_usr}/share/ipa/ipa-rewrite.conf
99b6f7 
%{_usr}/share/ipa/ipa-pki-proxy.conf
590d18 
%{_usr}/share/ipa/kdcproxy.conf
99b6f7 
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
99b6f7 
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
99b6f7 
%dir %{_usr}/share/ipa/updates/
99b6f7 
%{_usr}/share/ipa/updates/*
99b6f7 
%dir %{_localstatedir}/lib/ipa
e3ffab 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
99b6f7 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
99b6f7 
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
99b6f7 
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
99b6f7 
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
e3ffab 
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
403b09 
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
403b09
590d18
590d18 
%files server-dns
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
590d18 
%{_sbindir}/ipa-dns-install
590d18 
%{_mandir}/man1/ipa-dns-install.1.gz
99b6f7
403b09
99b6f7 
%files server-trust-ad
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
99b6f7 
%{_sbindir}/ipa-adtrust-install
99b6f7 
%{_usr}/share/ipa/smb.conf.empty
99b6f7 
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
99b6f7 
%{_mandir}/man1/ipa-adtrust-install.1.gz
99b6f7 
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
590d18 
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
590d18 
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
403b09 
%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
99b6f7
99b6f7 
%endif # ONLY_CLIENT
99b6f7
403b09
99b6f7 
%files client
99b6f7 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
99b6f7 
%{_sbindir}/ipa-client-install
99b6f7 
%{_sbindir}/ipa-client-automount
e3ffab 
%{_sbindir}/ipa-certupdate
99b6f7 
%{_sbindir}/ipa-getkeytab
99b6f7 
%{_sbindir}/ipa-rmkeytab
99b6f7 
%{_sbindir}/ipa-join
99b6f7 
%{_mandir}/man1/ipa-getkeytab.1.gz
99b6f7 
%{_mandir}/man1/ipa-rmkeytab.1.gz
99b6f7 
%{_mandir}/man1/ipa-client-install.1.gz
99b6f7 
%{_mandir}/man1/ipa-client-automount.1.gz
e3ffab 
%{_mandir}/man1/ipa-certupdate.1.gz
99b6f7 
%{_mandir}/man1/ipa-join.1.gz
403b09
403b09
403b09 
%files -n python2-ipaclient
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09 
%dir %{python_sitelib}/ipaclient
403b09 
%{python_sitelib}/ipaclient/*.py*
403b09 
%{python_sitelib}/ipaclient/plugins/*.py*
403b09 
%{python_sitelib}/ipaclient/remote_plugins/*.py*
403b09 
%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
403b09 
%{python_sitelib}/ipaclient-*.egg-info
403b09
403b09
403b09 
%if 0%{?with_python3}
403b09
403b09 
%files -n python3-ipaclient
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09 
%dir %{python3_sitelib}/ipaclient
403b09 
%{python3_sitelib}/ipaclient/*.py
403b09 
%{python3_sitelib}/ipaclient/__pycache__/*.py*
403b09 
%{python3_sitelib}/ipaclient/plugins/*.py
403b09 
%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/*.py
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
403b09 
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
403b09 
%{python3_sitelib}/ipaclient-*.egg-info
403b09
403b09 
%endif # with_python3
403b09
403b09
403b09 
%files client-common
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
403b09 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
403b09 
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
403b09 
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
403b09 
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
403b09 
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
403b09 
%dir %{_usr}/share/ipa
403b09 
%dir %{_localstatedir}/lib/ipa-client
403b09 
%dir %{_localstatedir}/lib/ipa-client/sysrestore
99b6f7 
%{_mandir}/man5/default.conf.5.gz
99b6f7
403b09
99b6f7 
%files admintools
99b6f7 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
99b6f7 
%{_bindir}/ipa
99b6f7 
%config %{_sysconfdir}/bash_completion.d
99b6f7 
%{_mandir}/man1/ipa.1.gz
99b6f7
403b09
403b09 
%files python-compat
99b6f7 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
403b09
403b09
403b09 
%files -n python2-ipalib
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
99b6f7 
%dir %{python_sitelib}/ipapython
99b6f7 
%{python_sitelib}/ipapython/*.py*
590d18 
%dir %{python_sitelib}/ipapython/dnssec
590d18 
%{python_sitelib}/ipapython/dnssec/*.py*
590d18 
%dir %{python_sitelib}/ipapython/install
590d18 
%{python_sitelib}/ipapython/install/*.py*
403b09 
%dir %{python_sitelib}/ipapython/secrets
403b09 
%{python_sitelib}/ipapython/secrets/*.py*
99b6f7 
%dir %{python_sitelib}/ipalib
99b6f7 
%{python_sitelib}/ipalib/*
e3ffab 
%dir %{python_sitelib}/ipaplatform
e3ffab 
%{python_sitelib}/ipaplatform/*
99b6f7 
%{python_sitelib}/ipapython-*.egg-info
403b09 
%{python_sitelib}/ipalib-*.egg-info
e3ffab 
%{python_sitelib}/ipaplatform-*.egg-info
db5969
a809a6
403b09 
%files common -f %{gettext_domain}.lang
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
d3dad6
0843e2
403b09 
%if 0%{?with_python3}
aa60fb
403b09 
%files -n python3-ipalib
403b09 
%defattr(-,root,root,-)
403b09 
%doc README Contributors.txt
403b09 
%license COPYING
aa60fb
403b09 
%{python3_sitelib}/ipapython/
403b09 
%{python3_sitelib}/ipalib/
403b09 
%{python3_sitelib}/ipaplatform/
403b09 
%{python3_sitelib}/ipapython-*.egg-info
403b09 
%{python3_sitelib}/ipalib-*.egg-info
403b09 
%{python3_sitelib}/ipaplatform-*.egg-info
aa60fb
403b09 
%endif # with_python3
aa60fb
aa60fb
403b09 
# RHEL spec file only: DELETED: Do not build tests
aa60fb
e0ab38
403b09 
%changelog
ff14fa 
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
ff14fa 
- Resolves: #1416488 replication race condition prevents IPA to install
ff14fa 
  - wait_for_entry: use only DN as parameter
ff14fa 
  - Wait until HTTPS principal entry is replicated to replica
ff14fa 
  - Use proper logging for error messages
ff14fa
ff14fa 
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.5
ff14fa 
- Resolves: #1410760 ipa-ca-install fails on replica when IPA Master is
ff14fa 
  installed without CA
ff14fa 
  - Set up DS TLS on replica in CA-less topology
ff14fa 
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for
ff14fa 
  ca-del, ca-disable and ca-enable commands
ff14fa 
  - ca: correctly authorise ca-del, ca-enable and ca-disable
ff14fa 
- Resolves: #1416481 IPA replica install fails with dirsrv errors.
ff14fa 
  - Do not configure PKI ajp redirection to use "::1"
8ffc8b
34b659 
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
53a374 
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
53a374 
  by abusing password policy
53a374 
  - ipa-kdb: search for password policies globally
34b659 
- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream
34b659
34b659 
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.3
34b659 
- Resolves: #1404338 Check IdM Topology for broken record caused by replication
34b659 
  conflict before upgrading it
34b659 
  - Check for conflict entries before raising domain level
34b659
34b659 
* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.2
34b659 
- Resolves: #1401953 ipa-ca-install on promoted replica hangs on creating a
34b659 
  temporary CA admin
34b659 
  - replication: ensure bind DN group check interval is set on replica config
34b659 
  - add missing attribute to ipaca replica during CA topology update
34b659 
- Resolves: #1404169 IPA upgrade of replica without DNS fails during restart of
34b659 
  named-pkcs11
34b659 
  - bindinstance: use data in named.conf to determine configuration status
34b659 
- Resolves: #1404171 Creation of replica for disconnected environment is
34b659 
  failing with CA issuance errors; Need good steps.
34b659 
  - gracefully handle setting replica bind dn group on old masters
53a374
53a374 
* Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
53a374 
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
53a374 
  by abusing password policy
53a374 
  - password policy: Add explicit default password policy for hosts and
53a374 
    services
53a374 
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
53a374 
  certprofile-mod
53a374 
  - certprofile-mod: correctly authorise config update
a46197
fef02c 
* Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
fef02c 
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
fef02c 
  replication process
fef02c 
  - spec file: bump minimal required version of 389-ds-base
fef02c 
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
fef02c 
  - Fix missing file that fails DL1 replica installation
fef02c 
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
fef02c 
  - WebUI: services without canonical name are shown correctly
fef02c 
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
fef02c 
  - trustdomain-del: fix the way how subdomain is searched
fef02c
fef02c 
* Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
fef02c 
- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
fef02c 
  - Keep NSS trust flags of existing certificates
fef02c 
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
fef02c 
  stores and doesn't set proper trust permissions
fef02c 
  - Add cert checks in ipa-server-certinstall
fef02c 
- Resolves: #1371479 cert-find --all does not show information about revocation
fef02c 
  - cert: add revocation reason back to cert-find output
fef02c 
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
fef02c 
  can have their password set
fef02c 
  - ipa passwd: use correct normalizer for user principals
fef02c 
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
fef02c 
  - Properly handle LDAP socket closures in ipa-otpd
fef02c 
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
fef02c 
  - Make httpd publish its CA certificate on DL1
21794d
403b09 
* Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
403b09 
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
403b09 
- Resolves: #1375269 ipa trust-fetch-domains throws internal error
403b09
403b09 
* Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
403b09 
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
403b09 
  - Fix regression introduced in ipa-certupdate
403b09
403b09 
* Wed Sep  7 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
403b09 
- Resolves: #1355753 adding two way non transitive(external) trust displays
403b09 
  internal error on the console
403b09 
  - Always fetch forest info from root DCs when establishing two-way trust
403b09 
  - factor out `populate_remote_domain` method into module-level function
403b09 
  - Always fetch forest info from root DCs when establishing one-way trust
403b09 
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
403b09 
  after `ipa-replica-install`
403b09 
  - Track lightweight CAs on replica installation
403b09 
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
403b09 
  lower versioned server
403b09 
  - compat: Save server's API version in for pre-schema servers
403b09 
  - compat: Fix ping command call
403b09 
  - schema cache: Store and check info for pre-schema servers
403b09 
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
403b09 
  - Fix man page ipa-replica-manage: remove duplicate -c option
403b09 
    from --no-lookup
403b09 
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
403b09 
  when revoking certificate
403b09 
  - cert: include CA name in cert command output
403b09 
  - WebUI add support for sub-CAs while revoking certificates
403b09 
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
403b09 
  - Add support for additional options taken from table facet
403b09 
  - WebUI: Fix showing certificates issued by sub-CA
403b09 
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
403b09 
  internactively
403b09 
  - dns: normalize record type read interactively in dnsrecord_add
403b09 
  - dns: prompt for missing record parts in CLI
403b09 
  - dns: fix crash in interactive mode against old servers
403b09 
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
403b09 
  aware of Sub CAs
403b09 
  - cert: fix cert-find --certificate when the cert is not in LDAP
403b09 
  - Make host/service cert revocation aware of lightweight CAs
403b09 
- Resolves: #1371901 Use OAEP padding with custodia
403b09 
  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
403b09 
- Resolves: #1371915 When establishing external two-way trust, forest root
403b09 
  Administrator account is used to fetch domain info
403b09 
  - do not use trusted forest name to construct domain admin principal
403b09 
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
403b09 
  certificate request
403b09 
  - Fix CA ACL Check on SubjectAltNames
403b09 
- Resolves: #1373272 CLI always sends default command version
403b09 
  - cli: use full name when executing a command
403b09 
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
403b09 
  - Fix ipa-certupdate for CA-less installation
403b09 
- Resolves: #1373540 client-install with IPv6 address fails on link-local
403b09 
  address (always)
403b09 
  - Fix parse errors with link-local addresses
403b09
403b09 
* Fri Sep  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9
403b09 
- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
403b09 
  - Fix ipa-server-install in pure IPv6 environment
403b09 
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
403b09 
  reachable via the forest root
403b09 
  - trust: make sure ID range is created for the child domain even if it exists
403b09 
  - ipa-kdb: simplify trusted domain parent search
403b09 
- Resolves: #1335567 Update Warning in IdM Web UI API browser
403b09 
  - WebUI: add API browser is tech preview warning
403b09 
- Resolves: #1348560 Mulitple domain Active Directory Trust conflict
403b09 
  - ipaserver/dcerpc: reformat to make the code closer to pep8
403b09 
  - trust: automatically resolve DNS trust conflicts for triangle trusts
403b09 
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
403b09 
  certificate revocation
403b09 
  - cert-revoke: fix permission check bypass (CVE-2016-5404)
403b09 
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
403b09 
  - Remove Custodia server keys from LDAP
403b09 
  - Secure permissions of Custodia server.keys
403b09 
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
403b09 
  converted from CA-less to CA-full
403b09 
  - custodia: include known CA certs in the PKCS#12 file for Dogtag
403b09 
  - custodia: force reconnect before retrieving CA certs from LDAP
403b09 
- Resolves: #1362333 ipa vault container owner cannot add vault
403b09 
  - Fix: container owner should be able to add vault
403b09 
- Resolves: #1365546 External trust with root domain is transitive
403b09 
  - trust: make sure external trust topology is correctly rendered
403b09 
- Resolves: #1365572 IPA server broken after upgrade
403b09 
  - Require pki-core-10.3.3-7
403b09 
- Resolves: #1367864 Server assumes latest version of command instead of
403b09 
  version 1 for old / 3rd party clients
403b09 
  - rpcserver: assume version 1 for unversioned command calls
403b09 
  - rpcserver: fix crash in XML-RPC system commands
403b09 
- Resolves: #1367773 thin client ignores locale change
403b09 
  - schema cache: Fallback to 'en_us' when locale is not available
403b09 
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
403b09 
  - Fail on topology disconnect/last role removal
403b09 
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
403b09 
  - otptoken, permission: Convert custom type parameters on server
403b09 
- Resolves: #1369414 ipa server-del fails with Python stack trace
403b09 
  - Handled empty hostname in server-del command
403b09 
- Resolves: #1369761 ipa-server must depend on a version of httpd that support
403b09 
  mod_proxy with UDS
403b09 
  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
403b09 
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
403b09 
  stageuser_tests
403b09 
  - Raise DuplicatedEnrty error when user exists in delete_container
403b09 
- Resolves: #1371479 cert-find --all does not show information about revocation
403b09 
  - cert: add missing param values to cert-find output
403b09 
- Renamed patch 1011 to 0100, as it was merged upstream
403b09
403b09 
* Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8
403b09 
- Resolves: #1298288 [RFE] Improve performance in large environments.
403b09 
  - cert: speed up cert-find
403b09 
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
403b09 
  authentication
403b09 
  - service: add flag to allow S4U2Self
403b09 
  - Add 'trusted to auth as user' checkbox
403b09 
  - Added new authentication method
403b09 
- Resolves: #1353881 ipa-replica-install suggests about
403b09 
  non-existent --force-ntpd option
403b09 
  - Don't show --force-ntpd option in replica install
403b09 
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
403b09 
  sub-domain to already-broken domain
403b09 
  - DNS: allow to add forward zone to already broken sub-domain
403b09 
- Resolves: #1356146 performance regression in CLI help
403b09 
  - schema: Speed up schema cache
403b09 
  - frontend: Change doc, summary, topic and NO_CLI to class properties
403b09 
  - schema: Introduce schema cache format
403b09 
  - schema: Generate bits for help load them on request
403b09 
  - help: Do not create instances to get information about commands and topics
403b09 
  - schema cache: Do not reset ServerInfo dirty flag
403b09 
  - schema cache: Do not read fingerprint and format from cache
403b09 
  - Access data for help separately
403b09 
  - frontent: Add summary class property to CommandOverride
403b09 
  - schema cache: Read server info only once
403b09 
  - schema cache: Store API schema cache in memory
403b09 
  - client: Do not create instance just to check isinstance
403b09 
  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
403b09 
- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file
403b09 
  - server install: do not prompt for cert file PIN repeatedly
403b09 
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
403b09 
  cache directory: [Errno 13] Permission denied: '/home/test_user'
403b09 
  - schema: Speed up schema cache
403b09 
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
403b09 
  - cert: do not crash on invalid data in cert-find
403b09 
- Resolves: #1366612 Middle replica uninstallation in line topology works
403b09 
  without '--ignore-topology-disconnect'
403b09 
  - Fail on topology disconnect/last role removal
403b09 
- Resolves: #1366626 caacl-add-service: incorrect error message when service
403b09 
  does not exists
403b09 
  - Fix ipa-caalc-add-service error message
403b09 
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
403b09 
  does not happen to run during dnf upgrade
403b09 
  - DNS server upgrade: do not fail when DNS server did not respond
403b09 
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
403b09 
  with CA
403b09 
  - Add warning about only one existing CA server
403b09 
  - Set servers list as default facet in topology facet group
403b09 
- Resolves: #1367773 thin client ignores locale change
403b09 
  - schema check: Check current client language against cached one
403b09
403b09 
* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-7
403b09 
- Resolves: #1361119 UPN-based search for AD users does not match an entry in
403b09 
  slapi-nis map cache
403b09 
  - support multiple uid values in schema compatibility tree
403b09
403b09 
* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-6
403b09 
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
403b09 
  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
403b09 
- Resolves: #1341249 Subsequent external CA installation fails
403b09 
  - install: fix external CA cert validation
403b09 
- Resolves: #1353831 ipa-server-install fails in container because of
403b09 
  hostnamectl set-hostname
403b09 
  - server-install: Fix --hostname option to always override api.env values
403b09 
  - install: Call hostnamectl set-hostname only if --hostname option is used
403b09 
- Resolves: #1356091 ipa-cacert-manage --help and man differ
403b09 
  - Improvements for the ipa-cacert-manage man and help
403b09 
- Resolves: #1360631 ipa-backup is not keeping the
403b09 
  /etc/tmpfiles.d/dirsrv-<instance>.conf
403b09 
  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
403b09 
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica
403b09 
  file is needed
403b09 
  - Update ipa-replica-install documentation
403b09 
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does
403b09 
  not rpm-require it
403b09 
  - client: RPM require initscripts to get *-domainname.service
403b09 
- Resolves: #1364197 caacl: error when instantiating rules with service
403b09 
  principals
403b09 
  - caacl: fix regression in rule instantiation
403b09 
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
403b09 
  - parameters: move the `confirm` kwarg to Param
403b09 
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks
403b09 
  instead of plus icon
403b09 
  - Fix unicode characters in ca and domain adders
403b09 
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
403b09 
  - client: add missing output params to client-side commands
403b09 
- Resolves: #1365526 build fails during "make check"
403b09 
  - ipa-kdb: Fix unit test after packaging changes in krb5
403b09
403b09 
* Fri Aug  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-5
403b09 
- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
403b09 
  - Do not initialize API in ipa-client-automount uninstall
403b09 
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
403b09 
  client changes
403b09 
  - idrange: fix unassigned global variable
403b09 
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
403b09 
  - re-set canonical principal name on migrated users
403b09 
- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str'
403b09 
  and 'bool' objects
403b09 
  - Fix ipa hbactest output
403b09 
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
403b09 
  - vault: add missing salt option to vault_mod
403b09 
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong
403b09 
  public key
403b09 
  - vault: Catch correct exception in decrypt
403b09 
- Resolves: #1362537 ipa-server-install fails to create symlink from
403b09 
  /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
403b09 
  - Correct path to HTTPD's systemd service directory
403b09 
- Resolves: #1363756 Increase length of passwords generated by installer
403b09 
  - Increase default length of auto generated passwords
403b09
403b09 
* Fri Jul 29 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-4
403b09 
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
403b09 
  aliases)
403b09 
  - harden the check for trust namespace overlap in new principals
403b09 
- Resolves: #1351142 CLI is not using session cookies for communication with
403b09 
  IPA API
403b09 
  - Fix session cookies
403b09 
- Resolves: #1353888 Fix the help for ipa otp and other topics
403b09 
  - help: Add dnsserver commands to help topic 'dns'
403b09 
- Resolves: #1354406 host-del updatedns options complains about missing ptr
403b09 
  record for host
403b09 
  - Host-del: fix behavior of --updatedns and PTR records
403b09 
- Resolves: #1355718 ipa-replica-manage man page example output differs actual
403b09 
  command output
403b09 
  - Minor fix in ipa-replica-manage MAN page
403b09 
- Resolves: #1358229 Traceback message should be fixed, seen while editing
403b09 
  winsync migrated user information in Default trust view.
403b09 
  - baseldap: Fix MidairCollision instantiation during entry modification
403b09 
- Resolves: #1358849 CA replica install logs to wrong log file
403b09 
  - unite log file name of ipa-ca-install
403b09 
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
403b09 
  - DNS Locations: fix update-system-records unpacking error
403b09 
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
403b09 
  - Use copy when replacing files to keep SELinux context
403b09 
- Resolves: #1359692 ipa-client-install join fail with traceback against
403b09 
  RHEL-6.8 ipa-server
403b09 
  - compat: fix ping call
403b09 
- Resolves: #1359738 ipa-replica-install --domain=<IPA primary domain> option
403b09 
  does not work
403b09 
  - replica-install: Fix --domain
403b09 
- Resolves: #1360778 Vault commands are available in CLI even when the server
403b09 
  does not support them
403b09 
  - Revert "Enable vault-* commands on client"
403b09 
  - client: fix hiding of commands which lack server support
403b09 
- Related: #1281704 Rebase to softhsm 2.1.0
403b09 
  - Remove the workaround for softhsm bug #1293340
403b09 
- Related: #1298288 [RFE] Improve performance in large environments.
403b09 
  - Create indexes for krbCanonicalName attribute
403b09
403b09 
* Fri Jul 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-3
403b09 
- Resolves: #1296140 Remove redhat-access-plugin-ipa support
403b09 
  - Obsolete and conflict redhat-access-plugin-ipa
403b09 
- Resolves: #1351119 Multiple issues while uninstalling ipa-server
403b09 
  - server uninstall fails to remove krb principals
403b09 
- Resolves: #1351758 ipa commands not showing expected error messages
403b09 
  - frontend: copy command arguments to output params on client
403b09 
  - Show full error message for selinuxusermap-add-hostgroup
403b09 
- Resolves: #1352883 Traceback on adding default automember group and hostgroup
403b09 
  set
403b09 
  - allow 'value' output param in commands without primary key
403b09 
- Resolves: #1353888 Fix the help for ipa otp and other topics
403b09 
  - schema: Fix subtopic -> topic mapping
403b09 
- Resolves: #1354348 ipa trustconfig-show throws internal error.
403b09 
  - allow 'value' output param in commands without primary key
403b09 
- Resolves: #1354381 ipa trust-add with raw option gives internal error.
403b09 
  - trust-add: handle `--all/--raw` options properly
403b09 
- Resolves: #1354493 Replica install fails with old IPA master
403b09 
  - DNS install: Ensure that DNS servers container exists
403b09 
- Resolves: #1354628 ipa hostgroup-add-member does not return error message
403b09 
  when adding itself as member
403b09 
  - frontend: copy command arguments to output params on client
403b09 
- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
403b09 
  - messages: specify message type for ResultFormattingError
403b09 
- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter
403b09 
  secret key
403b09 
  - expose `--secret` option in radiusproxy-* commands
403b09 
  - prevent search for RADIUS proxy servers by secret
403b09 
- Resolves: #1356099 Bug in the ipapwd plugin
403b09 
  - Heap corruption in ipapwd plugin
403b09 
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
403b09 
  client changes
403b09 
  - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
403b09 
- Resolves: #1356964 Renaming a user removes all of his principal aliases
403b09 
  - Preserve user principal aliases during rename operation
403b09
403b09 
* Fri Jul 15 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2.1
403b09 
- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
403b09 
- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD
403b09 
- Related: #1356134 'kinit -E' does not work for IPA user
403b09
403b09 
* Thu Jul 14 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2
403b09 
- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA
403b09 
  with certmonger
403b09 
  - uninstall: untrack lightweight CA certs
403b09 
- Resolves: #1351807 ipa-nis-manage config.get_dn missing
403b09 
  - ipa-nis-manage: Use server API to retrieve plugin status
403b09 
- Resolves: #1353452 ipa-compat-manage command failed,
403b09 
  exception: NotImplementedError: config.get_dn()
403b09 
  - ipa-compat-manage: use server API to retrieve plugin status
403b09 
- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
403b09 
  - ipa-advise: correct handling of plugin namespace iteration
403b09 
- Resolves: #1356134 'kinit -E' does not work for IPA user
403b09 
  - kdb: check for local realm in enterprise principals
403b09 
- Resolves: #1353072 ipa unknown command vault-add
403b09 
  - Enable vault-* commands on client
403b09 
  - vault-add: set the default vault type on the client side if none was given
403b09 
- Resolves: #1353995 Default CA can be used without a CA ACL
403b09 
  - caacl: expand plugin documentation
403b09 
- Resolves: #1356144 host-find should not print SSH keys by default, only
403b09 
  SSH fingerprints
403b09 
  - host-find: do not show SSH key by default
403b09 
- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
403b09 
  - Removed unused method parameter from migrate-ds
403b09
403b09 
* Fri Jul  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-1
403b09 
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
403b09 
- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0)
403b09 
  in the default global_policy in IPA sets user's password expiration
403b09 
  (krbPasswordExpiration) to be 90 days
403b09 
- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
403b09 
- Resolves: #1084018 [RFE] Add IdM user password change support for legacy
403b09 
  client compat tree
403b09 
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
403b09 
  aliases)
403b09 
  - Fix incorrect check for principal type when evaluating CA ACLs
403b09 
- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI
403b09 
- Resolves: #1238190 ipasam unable to lookup group in directory yet manual
403b09 
  search works
403b09 
- Resolves: #1250110 search by users which don't have read rights for all attrs
403b09 
  in search_attributes fails
403b09 
- Resolves: #1263764 Show Certificate displays in useless format
403b09 
- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all
403b09 
  the options after adding new certificate
403b09 
- Resolves: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.4.0
403b09 
- Resolves: #1294503 IPA fails to issue 3rd party certs
403b09 
- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
403b09 
- Resolves: #1298848 [RFE] Centralized topology management
403b09 
- Resolves: #1298966 [RFE] Extend Smart Card support
403b09 
- Resolves: #1315146 Multiple clients cannot join domain simultaneously:
403b09 
  /var/run/httpd/ipa/clientcaches race condition?
403b09 
- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
403b09 
- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper
403b09 
  console output
403b09 
- Resolves: #1324055 IPA always qualify requests for admin
403b09 
- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names
403b09 
- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate
403b09 
  hold
403b09 
- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
403b09 
- Resolves: #1349281 Fix `Conflicts` with ipa-python
403b09 
- Resolves: #1350695 execution of copy-schema script fails
403b09 
- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
403b09 
- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test
403b09 
  execution to 7.3
403b09 
- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to
403b09 
  create ipa-ca entry
403b09 
- Related: #1343422 [RFE] Add GssapiImpersonate option
403b09
403b09 
* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.2.alpha1
403b09 
- Resolves: #1348948 IPA server install fails with build
403b09 
  ipa-server-4.4.0-0.el7.1.alpha1
403b09 
  - Revert "Increased mod_wsgi socket-timeout"
403b09
403b09 
* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.1.alpha1
403b09 
- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while
403b09 
  setting password for default sudo binddn.
403b09 
- Resolves: #747612 [RFE] IPA should support and manage DNS sites
403b09 
- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name
403b09 
- Resolves: #825391 [RFE] Replica installation should provide a means for
403b09 
  inheriting nssldap security access settings
403b09 
- Resolves: #921497 Incorrect *.py[co] files placement
403b09 
- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support
403b09 
- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
403b09 
- Resolves: #1196958 IPA replica installation failing with high number of users
403b09 
  (160000).
403b09 
- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to
403b09 
  uninstall a replica
403b09 
- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on
403b09 
  Authentication Indicator
403b09 
- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos
403b09 
  principal expiration"
403b09 
- Resolves: #1234223 [WebUI] General invalid password error message appearing
403b09 
  for "Locked user"
403b09 
- Resolves: #1254267 ipa-server-install failure applying ldap updates with
403b09 
  limits exceeded
403b09 
- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when
403b09 
  doamin already is in forwardzone.
403b09 
- Resolves: #1259020 ipa-server-adtrust-install doesn't allow
403b09 
  NetBIOS-name=EXAMPLE-TEST.COM (dash character)
403b09 
- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error
403b09 
  message when DNSSEC master not installed
403b09 
- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
403b09 
- Resolves: #1265900 Fail installation immediately after dirsrv fails to
403b09 
  install using ipa-server-install
403b09 
- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not
403b09 
  resolvable anymore
403b09 
- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace -
403b09 
  LimitsExceeded: limits exceeded for this query
403b09 
- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit
403b09 
- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
403b09 
- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
403b09 
- Resolves: #1271579 Automember rule expressions disappear from tables on
403b09 
  single expression delete
403b09 
- Resolves: #1275816 Incomplete ports for IPA ad-trust
403b09 
- Resolves: #1276351 [RFE] Remove
403b09 
  /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
403b09 
- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in
403b09 
  the IPA UI
403b09 
- Resolves: #1278426 Better error message needed for invalid ca-signing-algo
403b09 
  option
403b09 
- Resolves: #1279932 ipa-client-install --request-cert needs workaround in
403b09 
  anaconda chroot
403b09 
- Resolves: #1282521 Creating a user w/o private group fails when doing so in
403b09 
  WebUI
403b09 
- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced
403b09 
  by "IPA is not configured on this system"
403b09 
- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert
403b09 
  file
403b09 
- Resolves: #1287194 [RFE] Support of UPN for trusted domains
403b09 
- Resolves: #1288967 Normalize Manager entry in ipa user-add
403b09 
- Resolves: #1289487 Priority field missing in Password Policy detail tab
403b09 
- Resolves: #1291140 ipa client should configure kpasswd_server directive in
403b09 
  krb5.conf
403b09 
- Resolves: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.4.0.alpha1
403b09 
- Resolves: #1298848 [RFE] Centralized topology management
403b09 
- Resolves: #1300576 Browser setup page includes instructions for Internet
403b09 
  Explorer
403b09 
- Resolves: #1301586 ipa host-del --updatedns should remove related dns
403b09 
  entries.
403b09 
- Resolves: #1304618 Residual Files After IPA Server Uninstall
403b09 
- Resolves: #1305144 ipa-python does not require its dependencies
403b09 
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
403b09 
- Resolves: #1313798 Console output post ipa-winsync-migrate command should be
403b09 
  corrected.
403b09 
- Resolves: #1314786 [RFE] External Trust with Active Directory domain
403b09 
- Resolves: #1319023 Include description for 'status' option in man page for
403b09 
  ipactl command.
403b09 
- Resolves: #1319912 ipa-server-install does not completely change hostname and
403b09 
  named-pkcs11 fails
403b09 
- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord':
403b09 
  Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
403b09 
- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
403b09 
  revocation reasons
403b09 
- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when
403b09 
  it is executed on server already installed with KRA.
403b09 
- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap'
403b09 
  to 'rpcbind'
403b09 
- Resolves: #1329275 ipa-nis-manage command should include status option
403b09 
- Resolves: #1330843 'man ipa' should be updated with latest commands
403b09 
- Resolves: #1333755 ipa cert-request causes internal server error while
403b09 
  requesting certificate
403b09 
- Resolves: #1337484 EOF is not handled for ipa-client-install command
403b09 
- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the
403b09 
  members of the role which has "User Administrators" privilege.
403b09 
- Resolves: #1343142 IPA DNS should do better verification of DNS zones
403b09 
- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in
403b09 
  browser
403b09
403b09 
* Wed May 25 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3.1
403b09 
- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
403b09 
  - Fix incorrect rebase of patch 1001
403b09
403b09 
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3
403b09 
- Resolves: #1339233 CA installed on replica is always marked as renewal master
403b09 
- Related: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.3.1.201605241723GIT1b427d3
403b09
403b09 
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37.1
403b09 
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
403b09 
  because of missing dependencies
403b09 
  - Rebuild with krb5-1.14.1
403b09
403b09 
* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37
403b09 
- Resolves: #837369 [RFE] Switch to client promotion to replica model
403b09 
- Resolves: #1199516 [RFE] Move replication topology to the shared tree
403b09 
- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
403b09 
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
403b09 
- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also
403b09 
  list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
403b09 
- Resolves: #1267206 ipa-server-install uninstall should warn if no
403b09 
  installation found
403b09 
- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when
403b09 
  ipa-client-automount is executed.
403b09 
- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly
403b09 
  displayed when certificate generated using IPA on RHEL 7.2up2.
403b09 
- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
403b09 
  because of missing dependencies
403b09 
- Related: #1292141 Rebase to FreeIPA 4.4+
403b09 
  - Rebase to 4.3.1.201605191449GITf8edf37
e0ab38
403b09 
* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-16
403b09 
- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid
403b09 
  Credential"
403b09 
  - cert renewal: make renewal of ipaCert atomic
403b09 
- Resolves: #1278330 installer options are not validated at the beginning of
403b09 
  installation
403b09 
  - install: fix command line option validation
403b09 
- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd
403b09 
  from starting up
403b09 
  - client install: do not corrupt OpenSSH config with Match sections
403b09 
- Resolves: #1282935 ipa upgrade causes vault internal error
403b09 
  - install: export KRA agent PEM file in ipa-kra-install
403b09 
- Resolves: #1283429 Default CA ACL rule is not created during
403b09 
  ipa-replica-install
403b09 
  - TLS and Dogtag HTTPS request logging improvements
403b09 
  - Avoid race condition caused by profile delete and recreate
403b09 
  - Do not erroneously reinit NSS in Dogtag interface
403b09 
  - Add profiles and default CA ACL on migration
403b09 
  - disconnect ldap2 backend after adding default CA ACL profiles
403b09 
  - do not disconnect when using existing connection to check default CA ACLs
403b09 
- Resolves: #1283430 ipa-kra-install: fails to apply updates
403b09 
  - suppress errors arising from adding existing LDAP entries during KRA
403b09 
    install
403b09 
- Resolves: #1283748 Caching of ipaconfig does not work in framework
403b09 
  - fix caching in get_ipa_config
403b09 
- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after
403b09 
  upgrade from RHEL 7.0 to RHEL 7.2
403b09 
  - upgrade: fix migration of old dns forward zones
403b09 
  - Fix upgrade of forwardzones when zone is in realmdomains
403b09 
- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap
403b09 
  connection
403b09 
  - ipa-cacert-renew: Fix connection to ldap.
403b09 
- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection
403b09 
  - ipa-otptoken-import: Fix connection to ldap.
403b09 
- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using
e0ab38 
  "yum update ipa* sssd"
e0ab38 
  - Set minimal required version for openssl
403b09 
- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
e0ab38 
  - Upgrade: Fix upgrade of NIS Server configuration
403b09 
- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory
e0ab38 
  permissions on /var/lib/ipa/dnssec
e0ab38 
  - DNS: fix file permissions
e0ab38 
  - Explicitly call chmod on newly created directories
e0ab38 
  - Fix: replace mkdir with chmod
403b09 
- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
e0ab38 
  - Fix version comparison
e0ab38 
  - use FFI call to rpmvercmp function for version comparison
403b09 
- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix
403b09 
  groups are missing
403b09 
  - ipa-kdb: map_groups() consider all results
403b09 
- Resolves: #1293870 User should be notified for wrong password in password
403b09 
  reset page
403b09 
  - Fixed login error message box in LoginScreen page
403b09 
- Resolves: #1296196 Sysrestore did not restore state if a key is specified in
e0ab38 
  mixed case
e0ab38 
  - Allow to used mixed case for sysrestore
403b09 
- Resolves: #1296214 DNSSEC key purging is not handled properly
e0ab38 
  - DNSSEC: Improve error reporting from ipa-ods-exporter
e0ab38 
  - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in
e0ab38 
    LDAP
e0ab38 
  - DNSSEC: Make sure that current key state in LDAP matches key state in BIND
e0ab38 
  - DNSSEC: remove obsolete TODO note
e0ab38 
  - DNSSEC: add debug mode to ldapkeydb.py
e0ab38 
  - DNSSEC: logging improvements in ipa-ods-exporter
e0ab38 
  - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
e0ab38 
  - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
e0ab38 
  - DNSSEC: ipa-ods-exporter: add ldap-cleanup command
e0ab38 
  - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
e0ab38 
  - DNSSEC: Log debug messages at log level DEBUG
403b09 
- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
e0ab38 
  - prevent crash of CA-less server upgrade due to absent certmonger
403b09 
  - always start certmonger during IPA server configuration upgrade
403b09 
- Resolves: #1297811 The ipa -e skip_version_check=1 still issues
e0ab38 
  incompatibility error when called against RHEL 6 server
e0ab38 
  - ipalib: assume version 2.0 when skip_version_check is enabled
403b09 
- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
403b09 
  - Do not decode HTTP reason phrase from Dogtag
403b09 
- Resolves: #1300252 shared certificateProfiles container is missing on a
403b09 
  freshly installed RHEL7.2 system
403b09 
  - upgrade: unconditional import of certificate profiles into LDAP
403b09 
- Resolves: #1301674 --setup-dns and other options is forgotten for using an
403b09 
  external PKI
403b09 
  - installer: Propagate option values from components instead of copying them.
403b09 
  - installer: Fix logic of reading option values from cache.
403b09 
- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA
403b09 
  IPA setup
403b09 
  - ipa-ca-install: print more specific errors when CA is already installed
403b09 
  - cert renewal: import all external CA certs on IPA CA cert renewal
403b09 
  - CA install: explicitly set dogtag_version to 10
403b09 
  - fix standalone installation of externally signed CA on IPA master
403b09 
  - replica install: validate DS and HTTP server certificates
403b09 
  - replica install: improvements in the handling of CA-related IPA config
403b09 
    entries
403b09 
- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
403b09 
  - slapi-nis: update configuration to allow external members of IPA groups
403b09 
- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find
403b09 
  returns "0 trusts matched"
403b09 
  - upgrade: fix config of sidgen and extdom plugins
403b09 
  - trusts: use ipaNTTrustPartner attribute to detect trust entries
403b09 
  - Warn user if trust is broken
403b09 
  - fix upgrade: wait for proper DS socket after DS restart
403b09 
  - Insure the admin_conn is disconnected on stop
403b09 
  - Fix connections to DS during installation
403b09 
  - Fix broken trust warnings
403b09 
- Resolves: #1321092 Installers fail when there are multiple versions of the
403b09 
  same certificate
403b09 
  - certdb: never use the -r option of certutil
403b09 
- Related: #1317381 Crash during IPA upgrade due to slapd
403b09 
  - spec file: update minimum required version of slapi-nis
403b09 
- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
403b09 
  CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws
403b09 
  [rhel-7.3]
403b09 
  - Rebuild against newer Samba version
8eb28c
590d18 
* Tue Oct 13 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15
590d18 
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
590d18 
  - vault: fix private service vault creation
590d18
590d18 
* Mon Oct 12 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-14
590d18 
- Resolves: #1262996 ipa vault internal error on replica without KRA
590d18 
  - upgrade: make sure ldap2 is connected in export_kra_agent_pem
590d18 
- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by
590d18 
  external CA
590d18 
  - schema: do not derive ipaVaultPublicKey from ipaPublicKey
590d18
590d18 
* Thu Oct  8 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-13
590d18 
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
590d18 
  - Fix an integer underflow bug in libotp
590d18 
- Resolves: #1262996 ipa vault internal error on replica without KRA
590d18 
  - install: always export KRA agent PEM file
590d18 
  - vault: select a server with KRA for vault operations
590d18 
- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files
590d18 
  - do not overwrite files with local users/groups when restoring authconfig
590d18 
- Renamed patch 1011 to 0138, as it was merged upstream
590d18
590d18 
* Wed Sep 23 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-12
590d18 
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to
590d18 
  Trusts
590d18 
  - winsync-migrate: Convert entity names to posix friendly strings
590d18 
  - winsync-migrate: Properly handle collisions in the names of external groups
590d18 
- Resolves: #1261074 Adjust Firefox configuration to new extension signing
590d18 
  policy
590d18 
  - webui: use manual Firefox configuration for Firefox >= 40
590d18 
- Resolves: #1263337 IPA Restore failed with installed KRA
590d18 
  - ipa-backup: Add mechanism to store empty directory structure
590d18 
- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate
590d18 
  and private key in world readable file [rhel-7.2]
590d18 
  - install: fix KRA agent PEM file permissions
590d18 
- Resolves: #1265086 Mark IdM API Browser as experimental
590d18 
  - WebUI: add API browser is experimental warning
590d18 
- Resolves: #1265277 Fix kdcproxy user creation
590d18 
  - install: create kdcproxy user during server install
590d18 
  - platform: add option to create home directory when adding user
590d18 
  - install: fix kdcproxy user home directory
590d18 
- Resolves: #1265559 GSS failure after ipa-restore
590d18 
  - destroy httpd ccache after stopping the service
590d18
590d18 
* Thu Sep 17 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-11
590d18 
- Resolves: #1258965 ipa vault: set owner of vault container
590d18 
  - baseldap: make subtree deletion optional in LDAPDelete
590d18 
  - vault: add vault container commands
590d18 
  - vault: set owner to current user on container creation
590d18 
  - vault: update access control
590d18 
  - vault: add permissions and administrator privilege
590d18 
  - install: support KRA update
590d18 
- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses
590d18 
  - config: allow user/host attributes with tagging options
590d18 
- Resolves: #1262315 Unable to establish winsync replication
590d18 
  - winsync: Add inetUser objectclass to the passsync sysaccount
590d18
590d18 
* Wed Sep 16 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-10
590d18 
- Resolves: #1260663 crash of ipa-dnskeysync-replica component during
590d18 
  ipa-restore
590d18 
  - IPA Restore: allows to specify files that should be removed
590d18 
- Resolves: #1261806 Installing ipa-server package breaks httpd
590d18 
  - Handle timeout error in ipa-httpd-kdcproxy
590d18 
- Resolves: #1262322 Failed to backup CS.cfg message in upgrade.
590d18 
  - Server Upgrade: backup CS.cfg when dogtag is turned off
590d18
590d18 
* Wed Sep  9 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-9
590d18 
- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not
590d18 
  tracked
590d18 
  - cert renewal: Include KRA users in Dogtag LDAP update
590d18 
  - cert renewal: Automatically update KRA agent PEM file
590d18 
- Resolves: #1257163 renaming certificatte profile with --rename option leads
590d18 
  to integrity issues
590d18 
  - certprofile: remove 'rename' option
590d18 
- Resolves: #1257968 kinit stop working after ipa-restore
590d18 
  - Backup: back up the hosts file
590d18 
- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings
590d18 
  - DNSSEC: remove "DNSSEC is experimental" warnings
590d18 
- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts
590d18 
  - Installer: do not modify /etc/hosts before user agreement
590d18 
- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1
590d18 
  zone
590d18 
  - DNSSEC: backup and restore opendnssec zone list file
590d18 
  - DNSSEC: remove ccache and keytab of ipa-ods-exporter
590d18 
  - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
590d18 
  - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
590d18 
  - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC
590d18 
    key master
590d18 
  - DNSSEC: Fix key metadata export
590d18 
  - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
590d18 
- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install
590d18 
  - Using LDAPI to setup CA and KRA agents.
590d18 
- Resolves: #1259848 server closes connection and refuses commands after
590d18 
  deleting user that is still logged in
590d18 
  - ldap: Make ldap2 connection management thread-safe again
590d18 
- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute
590d18 
  'ra_certprofile' while ipa-ca-install
590d18 
  - load RA backend plugins during standalone CA install on CA-less IPA master
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-8
590d18 
- Resolves: #1254689 Storing big file as a secret in vault raises traceback
590d18 
  - vault: Limit size of data stored in vault
590d18 
- Resolves: #1255880 ipactl status should distinguish between different
590d18 
  pki-tomcat services
590d18 
  - ipactl: Do not start/stop/restart single service multiple times
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-7
590d18 
- Resolves: #1256840 [webui] majority of required fields is no longer marked as
590d18 
  required
590d18 
  - fix missing information in object metadata
590d18 
- Resolves: #1256842 [webui] no option to choose trust type when creating a
590d18 
  trust
590d18 
  - webui: add option to establish bidirectional trust
590d18 
- Resolves: #1256853 Clear text passwords in KRA install log
590d18 
  - Removed clear text passwords from KRA install log.
590d18 
- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be
590d18 
  discouraged
590d18 
  - vault: change default vault type to symmetric
590d18 
- Resolves: #1257163 renaming certificatte profile with --rename option leads
590d18 
  to integrity issues
590d18 
  - certprofile: prevent rename (modrdn)
590d18
590d18 
* Wed Aug 26 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-6
590d18 
- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone
590d18 
  - DNSSEC: fix forward zone forwarders checks
590d18 
- Resolves: #1250190 idrange is not added for sub domain
590d18 
  - trusts: format Kerberos principal properly when fetching trust topology
590d18 
- Resolves: #1252334 User life cycle: missing ability to provision a stage user
590d18 
  from a preserved user
590d18 
  - Add user-stage command
590d18 
- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to
590d18 
  start.
590d18 
  - spec file: Add Requires(post) on selinux-policy
590d18 
- Resolves: #1254304 Changing vault encryption attributes
590d18 
  - Change internal rsa_(public|private)_key variable names
590d18 
  - Added support for changing vault encryption.
590d18 
- Resolves: #1256715 Executing user-del --preserve twice removes the user
590d18 
  pernamently
590d18 
  - improve the usability of `ipa user-del --preserve` command
590d18
590d18 
* Wed Aug 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-5
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - user-undel: Fix error messages.
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - Prohibit deletion of predefined profiles
590d18 
- Resolves: #1232819 testing ipa-restore on fresh system install fails
590d18 
  - Backup/resore authentication control configuration
590d18 
- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0
590d18 
  server
590d18 
  - Require Dogtag PKI >= 10.2.6
590d18 
- Resolves: #1245225 Asymmetric vault drops traceback when the key is not
590d18 
  proper
590d18 
  - Asymmetric vault: validate public key in client
590d18 
- Resolves: #1248399 Missing DNSSEC related files in backup
590d18 
  - fix typo in BasePathNamespace member pointing to ods exporter config
590d18 
  - ipa-backup: archive DNSSEC zone file and kasp.db
590d18 
- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is
590d18 
  finished
590d18 
  - winsync-migrate: Add warning about passsync
590d18 
  - winsync-migrate: Expand the man page
590d18 
- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME"
590d18 
  - adjust search so that it works for non-admin users
590d18 
- Resolves: #1250093 ipa certprofile-import accepts invalid config
590d18 
  - Require Dogtag PKI >= 10.2.6
590d18 
- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust
590d18 
  agents
590d18 
  - trusts: Detect missing Samba instance
590d18 
- Resolves: #1250111 User lifecycle - preserved users can be assigned
590d18 
  membership
590d18 
  - ULC: Prevent preserved users from being assigned membership
590d18 
- Resolves: #1250145 Add permission for user to bypass caacl enforcement
590d18 
  - Add permission for bypassing CA ACL enforcement
590d18 
- Resolves: #1250190 idrange is not added for sub domain
590d18 
  - idranges: raise an error when local IPA ID range is being modified
590d18 
  - trusts: harden trust-fetch-domains oddjobd-based script
590d18 
- Resolves: #1250928 Man page for ipa-server-install is out of sync
590d18 
  - install: Fix server and replica install options
590d18 
- Resolves: #1251225 IPA default CAACL does not allow cert-request for services
590d18 
  after upgrade
590d18 
  - Fix default CA ACL added during upgrade
590d18 
- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey
590d18 
  - validate mutually exclusive options in vault-add
590d18 
- Resolves: #1251579 ipa vault-add --user should set container owner equal to
590d18 
  user on first run
590d18 
  - Fixed vault container ownership.
590d18 
- Resolves: #1252517 cert-request rejects request with correct
590d18 
  krb5PrincipalName SAN
590d18 
  - Fix KRB5PrincipalName / UPN SAN comparison
590d18 
- Resolves: #1252555 ipa vault-find doesn't work for services
590d18 
  - vault: Add container information to vault command results
590d18 
  - Add flag to list all service and user vaults
590d18 
- Resolves: #1252556 Missing CLI param and ACL for vault service operations
590d18 
  - Added CLI param and ACL for vault service operations.
590d18 
- Resolves: #1252557 certprofile: improve profile format documentation
590d18 
  - certprofile-import: improve profile format documentation
590d18 
  - certprofile: add profile format explanation
590d18 
- Resolves: #1253443 ipa vault-add creates vault with invalid type
590d18 
  - vault: validate vault type
590d18 
- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing
590d18 
  owner
590d18 
  - baseldap: Allow overriding member param label in LDAPModMember
590d18 
  - vault: Fix param labels in output of vault owner commands
590d18 
- Resolves: #1253511 ipa vault-find does not use criteria
590d18 
  - vault: Fix vault-find with criteria
590d18 
- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10
590d18 
  - install: Fix replica install with custom certificates
590d18 
- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc
590d18 
  - improve the handling of krb5-related errors in dnssec daemons
590d18 
- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with
590d18 
  starting CA and named-pkcs11.service
590d18 
  - Server Upgrade: Start DS before CA is started.
590d18 
- Resolves: #1254637 Add ACI and permission for managing user userCertificate
590d18 
  attribute
590d18 
  - add permission: System: Manage User Certificates
590d18 
- Resolves: #1254641 Remove CSR allowed-extensions restriction
590d18 
  - cert-request: remove allowed extensions check
590d18 
- Resolves: #1254693 vault --service does not normalize service principal
590d18 
  - vault: normalize service principal in service vault operations
590d18 
- Resolves: #1254785 ipa-client-install does not properly handle dual stacked
590d18 
  hosts
590d18 
  - client: Add support for multiple IP addresses during installation.
590d18 
  - Add dependency to SSSD 1.13.1
590d18 
  - client: Add description of --ip-address and --all-ip-addresses to man page
590d18
590d18 
* Tue Aug 11 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-4
590d18 
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to
590d18 
  users in IdM
590d18 
  - store certificates issued for user entries as
590d18 
  - user-show: add --out option to save certificates to file
590d18 
- Resolves: #1145748 [RFE] IPA running with One Way Trust
590d18 
  - Fix upgrade of sidgen and extdom plugins
590d18 
- Resolves: #1195339 ipa-client-install changes the label on various files
590d18 
  which causes SELinux denials
590d18 
  - Use 'mv -Z' in specfile to restore SELinux context
590d18 
- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior
590d18 
  for combinations of "User authentication types"
590d18 
  - webui: add LDAP vs Kerberos behavior description to user auth
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - ULC: Fix stageused-add --from-delete command
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - certprofile-import: do not require profileId in profile data
590d18 
  - Give more info on virtual command access denial
590d18 
  - Allow SAN extension for cert-request self-service
590d18 
  - Add profile for DNP3 / IEC 62351-8 certificates
590d18 
  - Work around python-nss bug on unrecognised OIDs
590d18 
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
590d18 
  - Validate vault's file parameters
590d18 
  - Fixed missing KRA agent cert on replica.
590d18 
- Resolves: #1225866 display browser config options that apply to the browser.
590d18 
  - webui: add Kerberos configuration instructions for Chrome
590d18 
  - Remove ico files from Makefile
590d18 
- Resolves: #1246342 Unapply idview raises internal error
590d18 
  - idviews: Check for the Default Trust View only if applying the view
590d18 
- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages
590d18 
  - webui: fix regressions failed auth messages
590d18 
- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc
590d18 
  - dcerpc: Fix UnboundLocalError for ccache_name
590d18 
- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not
590d18 
  allow access to \\pipe\lsarpc
590d18 
  - Fix selector of protocol for LSA RPC binding string
590d18 
  - dcerpc: Simplify generation of LSA-RPC binding strings
590d18 
- Resolves: #1250192 Error in ipa trust-fecth-domains
590d18 
  - Fix incorrect type comparison in trust-fetch-domains
590d18 
- Resolves: #1251553 Winsync setup fails with unexpected error
590d18 
  - replication: Fix incorrect exception invocation
590d18 
- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly.
590d18 
  - ACI plugin: correctly parse bind rules enclosed in
590d18 
- Resolves: #1252414 Trust agent install does not detect available replicas to
590d18 
  add to master
590d18 
  - adtrust-install: Correctly determine 4.2 FreeIPA servers
590d18
590d18 
* Fri Jul 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-3
590d18 
- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains
590d18 
  that conflicts with AD DC
590d18 
  - trusts: Check for AD root domain among our trusted domains
590d18 
- Resolves: #1195339 ipa-client-install changes the label on various files
590d18 
  which causes SELinux denials
590d18 
  - sysrestore: copy files instead of moving them to avoind SELinux issues
590d18 
- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned
590d18 
  commands / ntpd -qgc $tmpfile hangs
590d18 
  - enable debugging of ntpd during client installation
590d18 
- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled
590d18 
  - migration: Use api.env variables.
590d18 
- Resolves: #1212719 abort-clean-ruv subcommand should allow
590d18 
  replica-certifyall: no
590d18 
  - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
590d18 
- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has
590d18 
  occurred
590d18 
  - dcerpc: Expand explanation for WERR_ACCESS_DENIED
590d18 
  - dcerpc: Fix UnboundLocalError for ccache_name
590d18 
- Resolves: #1222778 idoverride group-del can delete user and user-del can
590d18 
  delete group
590d18 
  - dcerpc: Add get_trusted_domain_object_type method
590d18 
  - idviews: Restrict anchor to name and name to anchor conversions
590d18 
  - idviews: Enforce objectclass check in idoverride*-del
590d18 
- Resolves: #1234919 Be able to request certificates without certmonger service
590d18 
  running
590d18 
  - cermonger: Use private unix socket when DBus SystemBus is not available.
590d18 
  - ipa-client-install: Do not (re)start certmonger and DBus daemons.
590d18 
- Resolves: #1240939 Please add dependency on bind-pkcs11
590d18 
  - Create server-dns sub-package.
590d18 
  - ipaplatform: Add constants submodule
590d18 
  - DNS: check if DNS package is installed
590d18 
- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow
590d18 
  calling out oddjobd-activated services
590d18 
  - selinux: enable httpd_run_ipa to allow communicating with oddjobd services
590d18 
- Resolves: #1243261 non-admin users cannot search hbac rules
590d18 
  - fix hbac rule search for non-admin users
590d18 
  - fix selinuxusermap search for non-admin users
590d18 
- Resolves: #1243652 Client has missing dependency on memcache
590d18 
  - do not import memcache on client
590d18 
- Resolves: #1243835 [webui] user change password dialog does not work
590d18 
  - webui: fix user reset password dialog
590d18 
- Resolves: #1244802 spec: selinux denial during kdcproxy user creation
590d18 
  - Fix selinux denial during kdcproxy user creation
590d18 
- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user
590d18 
  - oddjob: avoid chown keytab to sssd if sssd user does not exist
590d18 
- Resolves: #1246136 Adding a privilege to a permission avoids validation
590d18 
  - Validate adding privilege to a permission
590d18 
- Resolves: #1246141 DNS Administrators cannot search in zones
590d18 
  - DNS: Consolidate DNS RR types in API and schema
590d18 
- Resolves: #1246143 User plugin - user-find doesn't work properly with manager
590d18 
  option
590d18 
  - fix broken search for users by their manager
590d18
590d18 
* Wed Jul 15 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-2
590d18 
- Resolves: #1131907 [ipa-client-install] cannot write certificate file
590d18 
  '/etc/ipa/ca.crt.new': must be string or buffer, not None
590d18 
- Resolves: #1195775 unsaved changes dialog internally inconsistent
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
  - Stageusedr-activate: show username instead of DN
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
  - Prevent to rename certprofile profile id
590d18 
- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error
590d18 
- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files
590d18 
  - copy-schema-to-ca: allow to overwrite schema files
590d18 
- Resolves: #1241941 kdc component installation of IPA failed
590d18 
  - spec file: Update minimum required version of krb5
590d18 
- Resolves: #1242036 Replica install fails to update DNS records
590d18 
  - Fix DNS records installation for replicas
590d18 
- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy
590d18 
  - Start dirsrv for kdcproxy upgrade
590d18
590d18 
* Thu Jul  9 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-1
590d18 
- Resolves: #846033  [RFE] Documentation for JSONRPC IPA API
590d18 
- Resolves: #989091  Ability to manage IdM/IPA directly from a standard LDAP
590d18 
  client
590d18 
- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to
590d18 
  users in IdM
590d18 
- Resolves: #1115294 [RFE] Add support for DNSSEC
590d18 
- Resolves: #1145748 [RFE] IPA running with One Way Trust
590d18 
- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade
590d18 
- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities
590d18 
- Resolves: #1200694 [RFE] Support for multiple cert profiles
590d18 
- Resolves: #1200728 [RFE] Replicate PKI Profile information
590d18 
- Resolves: #1200735 [RFE] Allow issuing certificates for user accounts
590d18 
- Resolves: #1204054 SSSD database is not cleared between installs and
590d18 
  uninstalls of ipa
590d18 
- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to
590d18 
  Trusts
590d18 
- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality
590d18 
- Resolves: #1204504 [RFE] Add access control so hosts can create their own
590d18 
  services
590d18 
- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default
590d18 
- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default
590d18 
- Resolves: #1209476 package ipa-client does not require package dbus-python
590d18 
- Resolves: #1211589 [RFE] Add option to skip the verify_client_version
590d18 
- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597)
590d18 
- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone
590d18 
- Resolves: #1217010 OTP Manager field is not exposed in the UI
590d18 
- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp
590d18 
  00007fffd68b2340 error 6 in libc-2.17.so
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Update to upstream 4.2.0
590d18 
  - Move /etc/ipa/kdcproxy to the server subpackage
590d18
590d18 
* Tue Jun 23 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-0.2.alpha1
590d18 
- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Fix minimum version of slapi-nis
590d18 
  - Require python-sss and python-sss-murmur (provided by sssd-1.13.0)
590d18
590d18 
* Mon Jun 22 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-0.1.alpha1
590d18 
- Resolves: #805188  [RFE] "ipa migrate-ds" ldapsearches with scope=1
590d18 
- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently
590d18 
  throws Internal server error
590d18 
- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local
590d18 
- Resolves: #1045153 ipa-managed-entries --list -p <badpassword> still requires
590d18 
  DM password
590d18 
- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389
590d18 
  from ldap_port_t
590d18 
- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI
590d18 
- Resolves: #1145584 ipaserver/install/cainstance.py creates pkiuser not
590d18 
  matching uidgid
590d18 
- Resolves: #1176036 IDM client registration failure in a high load environment
590d18 
- Resolves: #1183116 Remove Requires: subscription-manager
590d18 
- Resolves: #1186054 permission-add does not prompt to enter --right option in
590d18 
  interactive mode
590d18 
- Resolves: #1187524 Replication agreement with replica not disabled when
590d18 
  ipa-restore done without IPA installed
590d18 
- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as
590d18 
  normal user.
590d18 
- Resolves: #1189034 "an internal error has occurred" during ipa host-del
590d18 
  --updatedns
590d18 
- Resolves: #1193554 ipa-client-automount: failing with error LDAP server
590d18 
  returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled.
590d18 
- Resolves: #1193759 IPA extdom plugin fails when encountering large groups
590d18 
- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode
590d18 
  certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
590d18 
- Resolves: #1194633 Default trust view can be deleted in lower case
590d18 
- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate
590d18 
  server instance - confusing CA staus message on TLS error
590d18 
- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis
590d18 
- Resolves: #1199527 [RFE] Use datepicker component for datetime fields
590d18 
- Resolves: #1200867 [RFE] Make OTP validation window configurable
590d18 
- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi
590d18 
- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using
590d18 
  get_user_grouplist() [rhel-7.2]
590d18 
- Resolves: #1204637 slow group operations
590d18 
- Resolves: #1204642 migrate-ds: slow add o users to default group
590d18 
- Resolves: #1208461 IPA CA master server update stuck on checking getStatus
590d18 
  via https
590d18 
- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
590d18 
- Resolves: #1211708 ipa-client-install gets stuck during NTP sync
590d18 
- Resolves: #1215197 ipa-client-install ignores --ntp-server option during time
590d18 
  sync
590d18 
- Resolves: #1215200 ipa-client-install configures IPA server as NTP source
590d18 
  even if IPA server has not ntpd configured
590d18 
- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens
590d18 
- Related:  #1204809 Rebase ipa to 4.2
590d18 
  - Update to upstream 4.2.0.alpha1
ba521e
0201d8 
* Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
0201d8 
- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate:
0201d8 
  (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312)
0201d8
0201d8 
* Wed Mar 18 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.0-18.2
0201d8 
- IPA extdom plugin fails when encountering large groups (#1193759)
0201d8 
- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()
590d18 
  (#1202998)
0201d8
0201d8 
* Thu Mar  5 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.1
0201d8 
- "an internal error has occurred" during ipa host-del --updatedns (#1198431)
0201d8 
- Renamed patch 1013 to 0114, as it was merged upstream
0201d8 
- Fax number not displayed for user-show when kinit'ed as normal user.
0201d8 
  (#1198430)
0201d8 
- Replication agreement with replica not disabled when ipa-restore done without
0201d8 
  IPA installed (#1199060)
0201d8 
- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128)
0201d8
0201d8 
* Thu Jan 29 2015 Martin Kosek <mkosek@redhat.com> - 4.1.0-18
e3ffab 
- Fix ipa-pwd-extop global configuration caching (#1187342)
e3ffab 
- group-detach does not add correct objectclasses (#1187540)
e3ffab
e3ffab 
* Tue Jan 27 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-17
e3ffab 
- Wrong directories created on full restore (#1186398)
e3ffab 
- ipa-restore crashes if replica is unreachable (#1186396)
e3ffab 
- idoverrideuser-add option --sshpubkey does not work (#1185410)
e3ffab
e3ffab 
* Wed Jan 21 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-16
e3ffab 
- PassSync does not sync passwords due to missing ACIs (#1181093)
e3ffab 
- ipa-replica-manage list does not list synced domain (#1181010)
e3ffab 
- Do not assume certmonger is running in httpinstance (#1181767)
e3ffab 
- ipa-replica-manage disconnect fails without password (#1183279)
e3ffab 
- Put LDIF files to their original location in ipa-restore (#1175277)
e3ffab 
- DUA profile not available anonymously (#1184149)
e3ffab 
- IPA replica missing data after master upgraded (#1176995)
e3ffab
e3ffab 
* Wed Jan 14 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-15
e3ffab 
- Re-add accidentally removed patches for #1170695 and #1164896
e3ffab
e3ffab 
* Wed Jan 14 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-14
e3ffab 
- IPA Replicate creation fails with error "Update failed! Status: [10 Total
e3ffab 
  update abortedLDAP error: Referral]" (#1166265)
e3ffab 
- running ipa-server-install --setup-dns results in a crash (#1072502)
e3ffab 
- DNS zones are not migrated into forward zones if 4.0+ replica is added
e3ffab 
  (#1175384)
e3ffab 
- gid is overridden by uid in default trust view (#1168904)
e3ffab 
- When migrating warn user if compat is enabled (#1177133)
e3ffab 
- Clean up debug log for trust-add (#1168376)
e3ffab 
- No error message thrown on restore(full kind) on replica from full backup
e3ffab 
  taken on master (#1175287)
e3ffab 
- ipa-restore proceed even IPA not configured (#1175326)
e3ffab 
- Data replication not working as expected after data restore from full backup
e3ffab 
  (#1175277)
e3ffab 
- IPA externally signed CA cert expiration warning missing from log (#1178128)
e3ffab 
- ipa-upgradeconfig fails in CA-less installs (#1181767)
e3ffab 
- IPA certs fail to autorenew simultaneouly (#1173207)
e3ffab 
- More validation required on ipa-restore's options (#1176034)
e3ffab
e3ffab 
* Wed Dec 17 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-13
e3ffab 
- Expand the token auth/sync windows (#919228)
e3ffab 
- Access is not rejected for disabled domain (#1172598)
e3ffab 
- krb5kdc crash in ldap_pvt_search (#1170695)
e3ffab 
- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896)
e3ffab
e3ffab 
* Wed Dec 10 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-12
e3ffab 
- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
e3ffab 
  (#1169591)
e3ffab 
- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression)
e3ffab 
  (#1172578)
e3ffab
e3ffab 
* Tue Dec  9 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-11
e3ffab 
- Throw zonemgr error message before installation proceeds (#1163849)
e3ffab 
- Winsync: Setup is broken due to incorrect import of certificate (#1169867)
e3ffab 
- Enable last token deletion when password auth type is configured (#919228)
e3ffab 
- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641)
e3ffab 
- add --hosts and --hostgroup options to allow/retrieve keytab methods
e3ffab 
  (#1007367)
e3ffab 
- Extend host-show to add the view attribute in set of default attributes
e3ffab 
  (#1168916)
e3ffab 
- Prefer TCP connections to UDP in krb5 clients (#919228)
e3ffab 
- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214)
e3ffab 
- webui: increase notification duration (#1171089)
e3ffab 
- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931)
e3ffab 
- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert
e3ffab 
  (#1170003)
e3ffab 
- Improve validation of --instance and --backend options in ipa-restore
e3ffab 
  (#951581)
e3ffab 
- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964)
e3ffab 
- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466)
e3ffab
e3ffab 
* Wed Nov 26 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-10
e3ffab 
- Use NSS protocol range API to set available TLS protocols (#1156466)
e3ffab
e3ffab 
* Tue Nov 25 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-9
e3ffab 
- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1
e3ffab 
  build fails (#1167196)
e3ffab 
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
e3ffab 
- "ipa trust-add ... " cmd says : (Trust status: Established and verified)
e3ffab 
  while in the logs we see "WERR_ACCESS_DENIED" during verification step.
e3ffab 
  (#1144121)
e3ffab 
- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
e3ffab 
  (#1156466)
e3ffab 
- Add support/hooks for a one-time password system like SecureID in IPA
e3ffab 
  (#919228)
e3ffab 
- Tracebacks with latest build for --zonemgr cli option (#1167270)
e3ffab 
- ID Views: Support migration from the sync solution to the trust solution
e3ffab 
  (#891984)
e3ffab
e3ffab 
* Mon Nov 24 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-8
e3ffab 
- Improve otptoken help messages (#919228)
e3ffab 
- Ensure users exist when assigning tokens to them (#919228)
e3ffab 
- Enable QR code display by default in otptoken-add (#919228)
e3ffab 
- Show warning instead of error if CA did not start (#1158410)
e3ffab 
- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774)
e3ffab 
- Traceback when adding zone with long name (#1164859)
e3ffab 
- Backup & Restore mechanism (#951581)
e3ffab 
- ignoring user attributes in migrate-ds does not work if uppercase characters
e3ffab 
  are returned by ldap (#1159816)
e3ffab 
- Allow ipa-getkeytab to optionally fetch existing keys (#1007367)
e3ffab 
- Failure when installing on dual stacked system with external ca (#1128380)
e3ffab 
- ipa-server should keep backup of CS.cfg (#1059135)
e3ffab 
- Tracebacks with latest build for --zonemgr cli option (#1167270)
e3ffab 
- webui: use domain name instead of domain SID in idrange adder dialog
e3ffab 
  (#891984)
e3ffab 
- webui: normalize idview tab labels (#891984)
e3ffab
e3ffab 
* Wed Nov 19 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-7
e3ffab 
- ipa-csreplica-manage connect fails (#1157735)
e3ffab 
- error message which is not understandable when IDNA2003 characters are
e3ffab 
  present in --zonemgr (#1163849)
e3ffab 
- Fix warning message should not contain CLI commands (#1114013)
e3ffab 
- Renewing the CA signing certificate does not extend its validity period end
e3ffab 
  (#1163498)
e3ffab 
- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for
e3ffab 
  httpd (#1159330)
e3ffab
e3ffab 
* Thu Nov 13 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-6
e3ffab 
- Fix: DNS installer adds invalid zonemgr email (#1056202)
e3ffab 
- ipaplatform: Use the dirsrv service, not target (#951581)
e3ffab 
- Fix: DNS policy upgrade raises asertion error (#1161128)
e3ffab 
- Fix upgrade referint plugin (#1161128)
e3ffab 
- Upgrade: fix trusts objectclass violationi (#1161128)
e3ffab 
- group-add doesn't accept gid parameter (#1149124)
e3ffab
e3ffab 
* Tue Nov 11 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-5
e3ffab 
- Update slapi-nis dependency to pull 0.54-2 (#891984)
e3ffab 
- ipa-restore: Don't crash if AD trust is not installed (#951581)
e3ffab 
- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791)
e3ffab 
- Trust setting not restored for CA cert with ipa-restore command (#1159011)
e3ffab 
- ipa-server-install fails when restarting named (#1162340)
e3ffab
e3ffab 
* Thu Nov 06 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-4
e3ffab 
- Update Requires on pki-ca to 10.1.2-4 (#1129558)
e3ffab 
- build: increase java stack size for all arches
e3ffab 
- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984)
e3ffab 
- Fix dns zonemgr validation regression (#1056202)
e3ffab 
- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645)
e3ffab 
- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
e3ffab 
  (#886645)
e3ffab 
- Add bind-dyndb-ldap working dir to IPA specfile
e3ffab 
- Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
e3ffab 
  (#886645)
e3ffab 
- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756)
e3ffab 
- Deadlock in schema compat plugin (#1161131)
e3ffab 
- ipactl stop should stop dirsrv last (#1161129)
e3ffab 
- Upgrade 3.3.5 to 4.1 failed (#1161128)
e3ffab 
- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877)
e3ffab
e3ffab 
* Wed Oct 22 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-3
e3ffab 
- Do not check if port 8443 is available in step 2 of external CA install
e3ffab 
  (#1129481)
e3ffab
e3ffab 
* Wed Oct 22 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-2
e3ffab 
- Update Requires on selinux-policy to 3.13.1-4
e3ffab
e3ffab 
* Tue Oct 21 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-1
e3ffab 
- Update to upstream 4.1.0 (#1109726)
e3ffab
e3ffab 
* Mon Sep 29 2014 Jan Cholasta <jcholast@redhat.com> - 4.1.0-0.1.alpha1
e3ffab 
- Update to upstream 4.1.0 Alpha 1 (#1109726)
e3ffab
e3ffab 
* Fri Sep 26 2014 Petr Vobornik <pvoborni@redhat.com> - 4.0.3-3
e3ffab 
- Add redhat-access-plugin-ipa dependency
e3ffab
e3ffab 
* Thu Sep 25 2014 Jan Cholasta <jcholast@redhat.com> - 4.0.3-2
e3ffab 
- Re-enable otptoken_yubikey plugin
e3ffab
e3ffab 
* Mon Sep 15 2014 Jan Cholasta <jcholast@redhat.com> - 4.0.3-1
e3ffab 
- Update to upstream 4.0.3 (#1109726)
e3ffab
e3ffab 
* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-29
031d60 
- Server installation fails using external signed certificates with
e3ffab 
  "IndexError: list index out of range" (#1111320)
031d60 
- Add rhino to BuildRequires to fix Web UI build error
10ca37
9991ea 
* Tue Apr  1 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28
9991ea 
- ipa-client-automount fails with incompatibility error when installed against
9991ea 
  older IPA server (#1083108)
9991ea
9991ea 
* Wed Mar 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-27
9991ea 
- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future
9991ea 
  PKI versions (#1080865)
9991ea
9991ea 
* Tue Mar 25 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-26
9991ea 
- When IdM server trusts multiple AD forests, IPA client returns invalid group
9991ea 
  membership info (#1079498)
9991ea
9991ea 
* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-25
9991ea 
- Deletion of active subdomain range should not be allowed (#1075615)
9991ea
9991ea 
* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-24
9991ea 
- PKI database is ugraded during replica installation (#1075118)
9991ea
9991ea 
* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-23
9991ea 
- Unable to add trust successfully with --trust-secret (#1075704)
9991ea
9991ea 
* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-22
9991ea 
- ipa-replica-install never checks for 7389 port (#1075165)
9991ea 
- Non-terminated string may be passed to LDAP search (#1075091)
9991ea 
- ipa-sam may fail to translate group SID into GID (#1073829)
9991ea 
- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)
9991ea
9991ea 
* Thu Mar  6 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-21
9991ea 
- Do not fetch a principal two times, remove potential memory leak (#1070924)
9991ea
9991ea 
* Wed Mar  5 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-20
9991ea 
- trustdomain-find with pkey-only fails (#1068611)
9991ea 
- Invalid credential cache in trust-add (#1069182)
9991ea 
- ipa-replica-install prints unexpected error (#1069722)
9991ea 
- Too big font in input fields in details facet in Firefox (#1069720)
9991ea 
- trust-add for POSIX AD does not fetch trustdomains (#1070925)
9991ea 
- Misleading trust-add error message in some cases (#1070926)
9991ea 
- Access is not rejected for disabled domain (#1070924)
9991ea
9991ea 
* Wed Feb 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-19
9991ea 
- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
9991ea
9991ea 
* Wed Feb 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-18
9991ea 
- Display server name in ipa command's verbose mode (#1061703)
9991ea 
- Remove sourcehostcategory from default HBAC rule (#1061187)
9991ea 
- dnszone-add cannot add classless PTR zones (#1058688)
9991ea 
- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)
9991ea
9991ea 
* Tue Feb  4 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-17
9991ea 
- Lockout plugin crashed during ipa-server-install (#912725)
9991ea
9991ea 
* Fri Jan 31 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-16
9991ea 
- Fallback to global policy in ipa lockout plugin (#912725)
9991ea 
- Migration does not add users to default group (#903232)
9991ea
9991ea 
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.3.3-15
9991ea 
- Mass rebuild 2014-01-24
9991ea
9991ea 
* Thu Jan 23 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-14
9991ea 
- Fix NetBIOS name generation in CLDAP plugin (#1030517)
9991ea
9991ea 
* Mon Jan 20 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-13
9991ea 
- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)
9991ea 
- Increase default timeout for IPA services (#1033273)
9991ea 
- Error while running trustdomain-find (#1054376)
9991ea 
- group-show lists SID instead of name for external groups (#1054391)
9991ea 
- Fix IPA server NetBIOS name in samba configuration (#1030517)
9991ea 
- dnsrecord-mod produces missing API version warning (#1054869)
9991ea 
- Hide trust-resolve command as internal (#1052860)
9991ea 
- Add Trust domain Web UI (#1054870)
9991ea 
- ipasam cannot delete multiple child trusted domains (#1056120)
9991ea
9991ea 
* Wed Jan 15 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-12
9991ea 
- Missing objectclasses when empty password passed to host-add (#1052979)
9991ea 
- sudoOrder missing in sudoers (#1052983)
9991ea 
- Missing examples in sudorule help (#1049464)
9991ea 
- Client automount does not uninstall when fstore is empty (#910899)
9991ea 
- Error not clear for invalid realm given to trust-fetch-domains (#1052981)
9991ea 
- trust-fetch-domains does not add idrange for subdomains found (#1049926)
9991ea 
- Add option to show if an AD subdomain is enabled/disabled (#1052973)
9991ea 
- ipa-adtrust-install still failed with long NetBIOS names (#1030517)
9991ea 
- Error not clear for invalid relam given to trustdomain-find (#1049455)
9991ea 
- renewed client cert not recognized during IPA CA renewal (#1033273)
9991ea
9991ea 
* Fri Jan 10 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-11
9991ea 
- hbactest does not work for external users (#848531)
9991ea
9991ea 
* Wed Jan 08 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-10
9991ea 
- PKI service restart after CA renewal failed (#1040018)
9991ea
9991ea 
* Mon Jan 06 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-9
9991ea 
- Move ipa-tests package to separate srpm (#1032668)
9991ea
9991ea 
* Fri Jan  3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-8
9991ea 
- Fix status trust-add command status message (#910453)
9991ea 
- NetBIOS was not trimmed at 15 characters (#1030517)
9991ea 
- Harden CA subsystem certificate renewal on CA clones (#1040018)
9991ea
9991ea 
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.3.3-7
9991ea 
- Mass rebuild 2013-12-27
9991ea
9991ea 
* Mon Dec  2 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-6
9991ea 
- Remove "Listen 443 http" hack from deployed nss.conf (#1029046)
9991ea 
- Re-adding existing trust fails (#1033216)
9991ea 
- IPA uninstall exits with a samba error (#1033075)
9991ea 
- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)
9991ea 
- Fixed ownership of /usr/share/ipa/ui/js (#1026260)
9991ea 
- ipa-tests: support external names for hosts (#1032668)
9991ea 
- ipa-client-install fail due fail to obtain host TGT (#1029354)
9991ea
99b6f7 
* Fri Nov 22 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
99b6f7 
- Trust add tries to add same value of --base-id for sub domain,
99b6f7 
  causing an error (#1033068)
99b6f7 
- Improved error reporting for adding trust case (#1029856)
99b6f7
99b6f7 
* Wed Nov 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-4
99b6f7 
- Winsync agreement cannot be created (#1023085)
99b6f7
99b6f7 
* Wed Nov  6 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-3
99b6f7 
- Installer did not detect different server and IPA domain (#1026845)
99b6f7 
- Allow kernel keyring CCACHE when supported (#1026861)
99b6f7
99b6f7 
* Tue Nov  5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-2
99b6f7 
- ipa-server-install crashes when AD subpackage is not installed (#1026434)
99b6f7
99b6f7 
* Fri Nov  1 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-1
99b6f7 
- Update to upstream 3.3.3 (#991064)
99b6f7
99b6f7 
* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-5
99b6f7 
- Temporarily move ipa-backup and ipa-restore functionality
99b6f7 
  back to make them available in public Beta (#1003933)
99b6f7
99b6f7 
* Tue Oct 29 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-4
99b6f7 
- Server install failure during client enrollment shouldn't
99b6f7 
  roll back (#1023086)
99b6f7 
- nsds5ReplicaStripAttrs are not set on agreements (#1023085)
99b6f7 
- ipa-server conflicts with mod_ssl (#1018172)
99b6f7
99b6f7 
* Wed Oct 16 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-3
99b6f7 
- Reinstalling ipa server hangs when configuring certificate
99b6f7 
  server (#1018804)
99b6f7
99b6f7 
* Fri Oct 11 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-2
99b6f7 
- Deprecate --serial-autoincrement option (#1016645)
99b6f7 
- CA installation always failed on replica (#1005446)
99b6f7 
- Re-initializing a winsync connection exited with error (#994980)
99b6f7
99b6f7 
* Fri Oct  4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
99b6f7 
- Update to upstream 3.3.2 (#991064)
99b6f7 
- Add delegation info to MS-PAC (#915799)
99b6f7 
- Warn about incompatibility with AD when IPA realm and domain
99b6f7 
  differs (#1009044)
99b6f7 
- Allow PKCS#12 files with empty password in install tools (#1002639)
99b6f7 
- Privilege "SELinux User Map Administrators" did not list
99b6f7 
  permissions (#997085)
99b6f7 
- SSH key upload broken when client joins an older server (#1009024)
99b6f7
99b6f7 
* Mon Sep 23 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-5
99b6f7 
- Remove dependency on python-paramiko (#1002884)
99b6f7 
- Broken redirection when deleting last entry of DNS resource
99b6f7 
  record (#1006360)
99b6f7
99b6f7 
* Tue Sep 10 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-4
99b6f7 
- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
99b6f7
99b6f7 
* Mon Sep  9 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-3
99b6f7 
- Replica installation fails for RHEL 6.4 master (#1004680)
99b6f7 
- Server uninstallation crashes if DS is not available (#998069)
99b6f7
99b6f7 
* Thu Sep  5 2013 Martin Kosek <mkosek@redhat.com> - 3.3.1-2
99b6f7 
- Unable to remove replica by ipa-replica-manage (#1001662)
99b6f7 
- Before uninstalling a server, warn about active replicas (#998069)
99b6f7
99b6f7 
* Thu Aug 29 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.1-1
99b6f7 
- Update to upstream 3.3.1 (#991064)
99b6f7 
- Update minimum version of bind-dyndb-ldap to 3.5
99b6f7
99b6f7 
* Tue Aug 20 2013 Rob Crittenden <rcritten@redhat.com> - 3.3.0-7
99b6f7 
- Fix replica installation failing on certificate subject (#983075)
99b6f7
99b6f7 
* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-6
99b6f7 
- Allow ipa-tests to work with older version (1.7.7) of python-paramiko
99b6f7
99b6f7 
* Tue Aug 13 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-5
99b6f7 
- Prevent multilib failures in *.pyo and *.pyc files
99b6f7
99b6f7 
* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-4
99b6f7 
- ipa-server-install fails if --subject parameter is other than default
99b6f7 
  realm (#983075)
99b6f7 
- do not allow configuring bind-dyndb-ldap without persistent search (#967876)
99b6f7
99b6f7 
* Mon Aug 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-3
99b6f7 
- diffstat was missing as a build dependency causing multilib problems
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-2
99b6f7 
- Remove ipa-server-selinux obsoletes as upgrades from version prior to
99b6f7 
  3.3.0 are not allowed
99b6f7 
- Wrap server-trust-ad subpackage description better
9991ea 
- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf
99b6f7 
- Change permissions on default_encoding_utf8.so to fix ipa-python Provides
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1
99b6f7 
- Update to upstream 3.3.0 (#991064)
99b6f7
99b6f7 
* Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.2.beta2
99b6f7 
- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release
99b6f7
99b6f7 
* Wed Aug  7 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-0.1.beta2
99b6f7 
- Update to upstream 3.3.0 Beta 2 (#991064)
99b6f7
99b6f7 
* Thu Jul 18 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
99b6f7 
- Update to upstream 3.2.2
99b6f7 
- Drop ipa-server-selinux subpackage
99b6f7 
- Drop redundant directory /var/cache/ipa/sessions
99b6f7 
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
99b6f7 
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
99b6f7 
  issues when there are still old parts of software (like entitlements plugin)
99b6f7
99b6f7 
* Fri Jun 14 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
99b6f7 
- Update to upstream 3.2.1
99b6f7 
- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0
99b6f7
99b6f7 
* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
99b6f7 
- Add OTP patches
99b6f7 
- Add patch to set KRB5CCNAME for 389-ds-base
99b6f7
99b6f7 
* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
99b6f7 
- Update to upstream 3.2.0 GA
99b6f7 
- ipa-client-install fails if /etc/ipa does not exist (#961483)
99b6f7 
- Certificate status is not visible in Service and Host page (#956718)
99b6f7 
- ipa-client-install removes needed options from ldap.conf (#953991)
99b6f7 
- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
99b6f7 
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
99b6f7 
- Require nss 3.14.3-12.0 to address certutil certificate import
99b6f7 
  errors (#953485)
99b6f7 
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
99b6f7 
  environments. (#953464)
99b6f7 
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
99b6f7 
- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
99b6f7 
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
99b6f7 
  socket based connections (#960222)
99b6f7 
- Require libsss_nss_idmap-python
99b6f7 
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
99b6f7 
  member is now done automatically and having it in the config file raises
99b6f7 
  an error.
99b6f7 
- Add backup and restore tools, directory.
99b6f7 
- require at least systemd 38 which provides the journal (we no longer
99b6f7 
  need to require syslog.target)
99b6f7 
- Update Requires on policycoreutils to 2.1.14-37
99b6f7 
- Update Requires on selinux-policy to 3.12.1-42
99b6f7 
- Update Requires on 389-ds-base to 1.3.1.0
99b6f7 
- Remove a Requires for java-atk-wrapper
99b6f7
99b6f7 
* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
99b6f7 
- Remove release from krb5-server in strict sub-package to allow for rebuilds.
99b6f7
99b6f7 
* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
99b6f7 
- Add a Requires for java-atk-wrapper until we can determine which package
99b6f7 
  should be pulling it in, dogtag or tomcat.
99b6f7
99b6f7 
* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
99b6f7 
- Update to upstream 3.2.0 Beta 1
99b6f7
99b6f7 
* Tue Apr  2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
99b6f7 
- Update to upstream 3.2.0 Prerelease 1
99b6f7 
- Use upstream reference spec file as a base for Fedora spec file
99b6f7
99b6f7 
* Sat Mar 30 2013 Kevin Fenzi <kevin@scrye.com> 3.1.2-4
99b6f7 
- Rebuild for broken deps
99b6f7 
- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1
99b6f7
99b6f7 
* Sat Feb 23 2013 Kevin Fenzi <kevin@scrye.com> - 3.1.2-3
99b6f7 
- Rebuild for broken deps in rawhide
99b6f7 
- Fix 389-ds-base strict dep to be 1.3.0.3
99b6f7
99b6f7 
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.2-2
99b6f7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
99b6f7
99b6f7 
* Wed Jan 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.2-1
99b6f7 
- Update to upstream 3.1.2
99b6f7 
- CVE-2012-4546: Incorrect CRLs publishing
99b6f7 
- CVE-2012-5484: MITM Attack during Join process
99b6f7 
- CVE-2013-0199: Cross-Realm Trust key leak
99b6f7 
- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
99b6f7 
  pki-ca = 10.0.1
99b6f7
99b6f7 
* Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.1.0-2
99b6f7 
- Remove redundat Requires versions that are already in Fedora 17
99b6f7 
- Replace python-crypto Requires with m2crypto
99b6f7 
- Add missing Requires(post) for client and server-trust-ad subpackages
99b6f7 
- Restart httpd service when server-trust-ad subpackage is installed
99b6f7 
- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes
99b6f7
99b6f7 
* Mon Dec 10 2012 Rob Crittenden <rcritten@redhat.com> - 3.1.0-1
99b6f7 
- Updated to upstream 3.1.0 GA
99b6f7 
- Set minimum for sssd to 1.9.2
99b6f7 
- Set minimum for pki-ca to 10.0.0-1
99b6f7 
- Set minimum for 389-ds-base to 1.3.0
99b6f7 
- Set minimum for selinux-policy to 3.11.1-60
99b6f7 
- Remove unneeded dogtag package requires
99b6f7
99b6f7 
* Tue Oct 23 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
99b6f7 
- Update Requires on krb5-server to 1.11
99b6f7
99b6f7 
* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2
99b6f7 
- Configure CA replication to use TLS instead of SSL
99b6f7
99b6f7 
* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
99b6f7 
- Updated to upstream 3.0.0 GA
99b6f7 
- Set minimum for samba to 4.0.0-153.
99b6f7 
- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
99b6f7 
  plugin to /dev/null since they cannot be used when trusts are configured
99b6f7 
- Restrict krb5-server to 1.10.
99b6f7 
- Update BR for 389-ds-base to 1.3.0
99b6f7 
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
99b6f7 
- Add Requires on zip for generating FF browser extension
99b6f7
99b6f7 
* Fri Oct  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
99b6f7 
- Updated to upstream 3.0.0 rc 2
99b6f7 
- Include new FF configuration extension
99b6f7 
- Set minimum Requires of selinux-policy to 3.11.1-33
99b6f7 
- Set minimum Requires dogtag to 10.0.0-0.43.b1
99b6f7 
- Add new optional strict sub-package to allow users to limit other
99b6f7 
  package upgrades.
99b6f7
99b6f7 
* Tue Oct  2 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.9
99b6f7 
- Require samba packages instead of obsoleted samba4 packages
99b6f7
99b6f7 
* Fri Sep 21 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.8
99b6f7 
- Updated to upstream 3.0.0 rc 1
99b6f7 
- Update BR for 389-ds-base to 1.2.11.14
99b6f7 
- Update BR for krb5 to 1.10
99b6f7 
- Update BR for samba4-devel to 4.0.0-139 (rc1)
99b6f7 
- Add BR for python-polib
99b6f7 
- Update BR and Requires on sssd to 1.9.0
99b6f7 
- Update Requires on policycoreutils to 2.1.12-5
99b6f7 
- Update Requires on 389-ds-base to 1.2.11.14
99b6f7 
- Update Requires on selinux-policy to 3.11.1-21
99b6f7 
- Update Requires on dogtag to 10.0.0-0.33.a1
99b6f7 
- Update Requires on certmonger to 0.60
99b6f7 
- Update Requires on tomcat to 7.0.29
99b6f7 
- Update minimum version of bind to 9.9.1-10.P3
99b6f7 
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
99b6f7 
- Remove Requires on authconfig from python sub-package
99b6f7
99b6f7 
* Wed Sep  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.7
99b6f7 
- Rebuild against samba4 beta8
99b6f7
99b6f7 
* Fri Aug 31 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.6
99b6f7 
- Rebuild against samba4 beta7
99b6f7
99b6f7 
* Wed Aug 22 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-0.5
99b6f7 
- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
99b6f7 
- Add dependency to samba4-winbind
99b6f7
99b6f7 
* Fri Aug 17 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.4
99b6f7 
- Updated to upstream 3.0.0 beta 2
99b6f7
99b6f7 
* Mon Aug  6 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.3
99b6f7 
- Updated to current upstream state of 3.0.0 beta 2 development
99b6f7
99b6f7 
* Mon Jul 23 2012 Alexander Bokovoy <abokovy@redhat.com> - 3.0.0-0.2
99b6f7 
- Rebuild against samba4 beta4
99b6f7
99b6f7 
* Mon Jul  2 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.1
99b6f7 
- Updated to upstream 3.0.0 beta 1
99b6f7
99b6f7 
* Thu May  3 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1
99b6f7 
- Updated to upstream 2.2.0 GA
99b6f7 
- Update minimum n-v-r of certmonger to 0.53
99b6f7 
- Update minimum n-v-r of slapi-nis to 0.40
99b6f7 
- Add Requires in client to oddjob-mkhomedir and python-krbV
99b6f7 
- Update minimum selinux-policy to 3.10.0-110
99b6f7
99b6f7 
* Mon Mar 19 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.2
99b6f7 
- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
99b6f7 
- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
99b6f7 
- Add Conflicts on mod_ssl
99b6f7 
- Update minimum n-v-r of 389-ds-base to 1.2.10.4
99b6f7 
- Update minimum n-v-r of sssd to 1.8.0
99b6f7 
- Update minimum n-v-r of slapi-nis to 0.38
99b6f7 
- Update minimum n-v-r of pki-* to 9.0.18
99b6f7 
- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
99b6f7 
- Update conflicts on bind to < 9.9.0-1
99b6f7 
- Drop requires on krb5-server-ldap
99b6f7 
- Add patch to remove escaping arguments to pkisilent
99b6f7
99b6f7 
* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
99b6f7 
- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)
99b6f7
99b6f7 
* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
99b6f7 
- Force to use 389-ds 1.2.10-0.8.a7 or above
99b6f7 
- Improve upgrade script to handle systemd 389-ds change
99b6f7 
- Fix freeipa to work with python-ldap 2.4.6
99b6f7
99b6f7 
* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
99b6f7 
- Fix ipa-replica-install crashes
99b6f7 
- Fix ipa-server-install and ipa-dns-install logging
99b6f7 
- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
99b6f7 
  caused by FEDORA-2011-17400 update (#771357)
99b6f7
99b6f7 
* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
99b6f7 
- Allow Web-based migration to work with tightened SE Linux policy (#769440)
99b6f7 
- Rebuild slapi plugins against re-enterant version of libldap
99b6f7
99b6f7 
* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
99b6f7 
- Allow longer dirsrv startup with systemd:
99b6f7 
  - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
99b6f7 
  - Helps with restarts during upgrade for ipa-ldap-updater
99b6f7 
- Fix pylint warnings from F16 and Rawhide
99b6f7
99b6f7 
* Tue Dec  6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
99b6f7 
- Update to upstream 2.1.4 (CVE-2011-3636)
99b6f7
99b6f7 
* Mon Dec  5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
99b6f7 
- Update SELinux policy to allow ipa_kpasswd to connect ldap and
99b6f7 
  read /dev/urandom. (#759679)
99b6f7
99b6f7 
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
99b6f7 
- Fix wrong path in packaging freeipa-systemd-upgrade
99b6f7
99b6f7 
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-6
99b6f7 
- Introduce upgrade script to recover existing configuration after systemd migration
99b6f7 
  as user has no means to recover FreeIPA from systemd migration
99b6f7 
- Upgrade script:
99b6f7 
  - recovers symlinks in Dogtag instance install
99b6f7 
  - recovers systemd configuration for FreeIPA's directory server instances
99b6f7 
  - recovers freeipa.service
99b6f7 
  - migrates directory server and KDC configs to use proper keytabs for systemd services
99b6f7
99b6f7 
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
99b6f7 
- Rebuilt for glibc bug#747377
99b6f7
99b6f7 
* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
e3ffab 
- clean up spec
99b6f7 
- Depend on sssd >= 1.6.2 for better user experience
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
99b6f7 
- Fix Fedora package changelog after merging systemd changes
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
99b6f7 
- Fix postin scriplet for F-15/F-16
99b6f7
99b6f7 
* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
99b6f7 
- 2.1.3
99b6f7
99b6f7 
* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
99b6f7 
- Default to systemd for Fedora 16 and onwards
99b6f7
99b6f7 
* Tue Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
99b6f7 
- Update to upstream 2.1.0
99b6f7
99b6f7 
* Fri May  6 2011 Simo Sorce <ssorce@redhat.com> - 2.0.1-2
99b6f7 
- Fix bug #702633
99b6f7
99b6f7 
* Mon May  2 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.1-1
99b6f7 
- Update minimum selinux-policy to 3.9.16-18
99b6f7 
- Update minimum pki-ca and pki-selinux to 9.0.7
99b6f7 
- Update minimum 389-ds-base to 1.2.8.0-1
99b6f7 
- Update to upstream 2.0.1
99b6f7
99b6f7 
* Thu Mar 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
99b6f7 
- Update to upstream GA release
99b6f7 
- Automatically apply updates when the package is upgraded
99b6f7
99b6f7 
* Fri Feb 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.4.rc2
99b6f7 
- Update to upstream freeipa-2.0.0.rc2
99b6f7 
- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
99b6f7 
- Set minimum version of sssd to 1.5.1
99b6f7 
- Patch to include SuiteSpotGroup when setting up 389-ds instances
99b6f7 
- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled
99b6f7
99b6f7 
* Tue Feb 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.3.rc1
99b6f7 
- Set the N-V-R so rc1 is an update to beta2.
99b6f7
99b6f7 
* Mon Feb 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.rc1
99b6f7 
- Set minimum version of sssd to 1.5.1
99b6f7 
- Update to upstream freeipa-2.0.0.rc1
99b6f7 
- Move server-only binaries from admintools subpackage to server
99b6f7
99b6f7 
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0-0.2.beta2
99b6f7 
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
99b6f7
99b6f7 
* Thu Feb  3 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta2
99b6f7 
- Set min version of 389-ds-base to 1.2.8
99b6f7 
- Set min version of mod_nss 1.0.8-10
99b6f7 
- Set min version of selinux-policy to 3.9.7-27
99b6f7 
- Add dogtag themes to Requires
99b6f7 
- Update to upstream freeipa-2.0.0.pre2
99b6f7
99b6f7 
* Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.2.beta.git80e87e7
99b6f7 
- Remove unnecessary moving of v1 CA serial number file in post script
99b6f7 
- Add Obsoletes for server-selinxu subpackage
99b6f7 
- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da
99b6f7
99b6f7 
* Wed Jan 26 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta.git80e87e7
99b6f7 
- Prepare spec file for release
99b6f7 
- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503
99b6f7
99b6f7 
* Tue Jan 25 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-41
99b6f7 
- Re-arrange doc and defattr to clean up rpmlint warnings
99b6f7 
- Remove conditionals on older releases
99b6f7 
- Move some man pages into admintools subpackage
99b6f7 
- Remove some explicit Requires in client that aren't needed
99b6f7 
- Consistent use of buildroot vs RPM_BUILD_ROOT
99b6f7
99b6f7 
* Wed Jan 19 2011 Adam Young <ayoung@redhat.com> - 1.99-40
99b6f7 
- Moved directory install/static to install/ui
99b6f7
99b6f7 
* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-39
99b6f7 
- Remove dependency on nss_ldap/nss-pam-ldapd
99b6f7 
- The official client is sssd and that's what we use by default.
99b6f7
99b6f7 
* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
99b6f7 
- Remove radius subpackages
99b6f7
99b6f7 
* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
99b6f7 
- Set minimum pki-ca and pki-silent versions to 9.0.0
99b6f7
99b6f7 
* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
99b6f7 
- Drop BuildRequires on mozldap-devel
99b6f7
99b6f7 
* Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
99b6f7 
- Add Requires on krb5-pkinit-openssl
99b6f7
99b6f7 
* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
99b6f7 
- Add ipa-host-net-manage script
99b6f7
99b6f7 
* Tue Dec  7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
99b6f7 
- Add ipa init script
99b6f7
99b6f7 
* Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
99b6f7 
- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin
99b6f7
99b6f7 
* Wed Nov  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
99b6f7 
- remove ipa-fix-CVE-2008-3274
99b6f7
99b6f7 
* Wed Oct  6 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
99b6f7 
- Remove duplicate %%files entries on share/ipa/static
99b6f7 
- Add python default encoding shared library
99b6f7
99b6f7 
* Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
99b6f7 
- Drop requires on python-configobj (not used any more)
99b6f7 
- Drop ipa-ldap-updater message, upgrades are done differently now
99b6f7
99b6f7 
* Wed Sep  8 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
99b6f7 
- Drop conflicts on mod_nss
99b6f7 
- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
99b6f7 
- Drop a slew of conditionals on older Fedora releases (< 12)
99b6f7 
- Add a few conditionals against RHEL 6
99b6f7 
- Add Requires of nss-tools on ipa-client
99b6f7
99b6f7 
* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
99b6f7 
- Set minimum version of certmonger to 0.26 (to pck up #621670)
99b6f7 
- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
99b6f7 
- Set minimum version of pki-ca to 1.3.6
99b6f7 
- Set minimum version of sssd to 1.2.1
99b6f7
99b6f7 
* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
99b6f7 
- Add BuildRequires for authconfig
99b6f7
99b6f7 
* Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
99b6f7 
- Bump up minimum version of python-nss to pick up nss_is_initialize() API
99b6f7
99b6f7 
* Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
99b6f7 
- Removed python-asset based webui
99b6f7
99b6f7 
* Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
99b6f7 
- Change Requires from fedora-ds-base to 389-ds-base
99b6f7 
- Set minimum level of 389-ds-base to 1.2.6 for the replication
99b6f7 
  version plugin.
99b6f7
99b6f7 
* Tue Jun  1 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
99b6f7 
- Drop Requires of python-krbV on ipa-client
99b6f7
99b6f7 
* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
99b6f7 
- Load ipa_dogtag.pp in post install
99b6f7
99b6f7 
* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
99b6f7 
- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
99b6f7
99b6f7 
* Thu Mar  4 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
99b6f7 
- No need to create /var/log/ipa_error.log since we aren't using
99b6f7 
  TurboGears any more.
99b6f7
99b6f7 
* Mon Mar 1 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
99b6f7 
- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included
99b6f7
99b6f7 
* Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
99b6f7 
- Added Require mod_wsgi, added share/ipa/wsgi.py
99b6f7
99b6f7 
* Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
99b6f7 
- Require python-wehjit >= 0.2.2
99b6f7
99b6f7 
* Wed Feb  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
99b6f7 
- Add sssd and certmonger as a Requires on ipa-client
99b6f7
99b6f7 
* Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
99b6f7 
- Require python-wehjit >= 0.2.0
99b6f7
99b6f7 
* Fri Dec  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
99b6f7 
- Add ipa-rmkeytab tool
99b6f7
99b6f7 
* Tue Dec  1 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
99b6f7 
- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
99b6f7 
  Any type
99b6f7
99b6f7 
* Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
99b6f7 
- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf
99b6f7
99b6f7 
* Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
99b6f7 
- Add bash completion script and own /etc/bash_completion.d in case it
99b6f7 
  doesn't already exist
99b6f7
99b6f7 
* Tue Nov  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
99b6f7 
- Remove ipa_webgui, its functions rolled into ipa_httpd
99b6f7
99b6f7 
* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
99b6f7 
- Removed python-cherrypy from BuildRequires and Requires
99b6f7 
- Added Requires python-assets, python-wehjit
99b6f7
99b6f7 
* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
99b6f7 
- Added httpd SELinux policy so CRLs can be read
99b6f7
99b6f7 
* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
99b6f7 
- Move ipalib to ipa-python subpackage
99b6f7 
- Bump minimum version of slapi-nis to 0.15
99b6f7
99b6f7 
* Wed May  6 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
99b6f7 
- Set 0.14 as minimum version for slapi-nis
99b6f7
99b6f7 
* Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
99b6f7 
- Add Requires: python-nss to ipa-python sub-package
99b6f7
99b6f7 
* Thu Mar  5 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
99b6f7 
- Remove the IPA DNA plugin, use the DS one
99b6f7
99b6f7 
* Wed Mar  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
99b6f7 
- Build radius separately
99b6f7 
- Fix a few minor issues
99b6f7
99b6f7 
* Tue Feb  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
99b6f7 
- Replace TurboGears requirement with python-cherrypy
99b6f7
99b6f7 
* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
99b6f7 
- rebuild with new openssl
99b6f7
99b6f7 
* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
99b6f7 
- Fix SELinux code
99b6f7
99b6f7 
* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
99b6f7 
- Fix breakage caused by python-kerberos update to 1.1
99b6f7
99b6f7 
* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
99b6f7 
- New upstream release 1.2.1
99b6f7
99b6f7 
* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
99b6f7 
- Rebuild for Python 2.6
99b6f7
99b6f7 
* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
99b6f7 
- Respin after the tarball has been re-released upstream
99b6f7 
  New hash is 506c9c92dcaf9f227cba5030e999f177
99b6f7
99b6f7 
* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
99b6f7 
- Conditionally restart also dirsrv and httpd when upgrading
99b6f7
99b6f7 
* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
99b6f7 
- Update to upstream version 1.2.0
99b6f7 
- Set fedora-ds-base minimum version to 1.1.3 for winsync header
99b6f7 
- Set the minimum version for SELinux policy
99b6f7 
- Remove references to Fedora 7
99b6f7
99b6f7 
* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
99b6f7 
- Fix for CVE-2008-3274
99b6f7 
- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
99b6f7 
- Add fix for bug #453185
99b6f7 
- Rebuild against openldap libraries, mozldap ones do not work properly
99b6f7 
- TurboGears is currently broken in rawhide. Added patch to not build
99b6f7 
  the UI locales and removed them from the ipa-server files section.
99b6f7
99b6f7 
* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
99b6f7 
- Add call to /usr/sbin/upgradeconfig to post install
99b6f7
99b6f7 
* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
99b6f7 
- Update to upstream version 1.1.0
99b6f7 
- Patch for indexing memberof attribute
99b6f7 
- Patch for indexing uidnumber and gidnumber
99b6f7 
- Patch to change DNA default values for replicas
99b6f7 
- Patch to fix uninitialized variable in ipa-getkeytab
99b6f7
99b6f7 
* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
99b6f7 
- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
99b6f7 
  version to 1.0.7-4 so we pick up the NSS fixes.
99b6f7 
- Add selinux-policy-base(post) to Requires (446496)
99b6f7
99b6f7 
* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
99b6f7 
- Add missing entry for /var/cache/ipa/kpasswd (444624)
99b6f7 
- Added patch to fix permissions problems with the Apache NSS database.
99b6f7 
- Added patch to fix problem with DNS querying where the query could be
99b6f7 
  returned as the answer.
99b6f7 
- Fix spec error where patch1 was in the wrong section
99b6f7
99b6f7 
* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
99b6f7 
- Added patch to fix problem reported by ldapmodify
99b6f7
99b6f7 
* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
99b6f7 
- Fix Requires for krb5-server that was missing for Fedora versions > 9
99b6f7 
- Remove quotes around test for fedora version to package egg-info
99b6f7
99b6f7 
* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
99b6f7 
- Update to upstream version 1.0.0
99b6f7
99b6f7 
* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
99b6f7 
- Pull upstream changelog 722
99b6f7 
- Add Conflicts mod_ssl (435360)
99b6f7
99b6f7 
* Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
99b6f7 
- Pull upstream changelog 698
99b6f7 
- Fix ownership of /var/log/ipa_error.log during install (435119)
99b6f7 
- Add pwpolicy command and man page
99b6f7
99b6f7 
* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
99b6f7 
- Pull upstream changelog 678
99b6f7 
- Add new subpackage, ipa-server-selinux
99b6f7 
- Add Requires: authconfig to ipa-python (bz #433747)
99b6f7 
- Package i18n files
99b6f7
99b6f7 
* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
99b6f7 
- Pull upstream changelog 641
99b6f7 
- Require minimum version of krb5-server on F-7 and F-8
99b6f7 
- Package some new files
99b6f7
99b6f7 
* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
99b6f7 
- Marked with wrong license. IPA is GPLv2.
99b6f7
99b6f7 
* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
99b6f7 
- Ensure that /etc/ipa exists before moving user-modifiable html files there
99b6f7 
- Put html files into /etc/ipa/html instead of /etc/ipa
99b6f7
99b6f7 
* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
99b6f7 
- Pull upstream changelog 608 which renamed several files
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
99b6f7 
- package the sessions dir /var/cache/ipa/sessions
99b6f7 
- Pull upstream changelog 597
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
99b6f7 
- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
99b6f7 
  UI to not start.
99b6f7
99b6f7 
* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
99b6f7 
- Included LICENSE and README in all packages for documentation
99b6f7 
- Move user-modifiable content to /etc/ipa and linked back to
99b6f7 
  /usr/share/ipa/html
99b6f7 
- Changed some references to /usr to the {_usr} macro and /etc
99b6f7 
  to {_sysconfdir}
99b6f7 
- Added popt-devel to BuildRequires for Fedora 8 and higher and
99b6f7 
  popt for Fedora 7
99b6f7 
- Package the egg-info for Fedora 9 and higher for ipa-python
99b6f7
99b6f7 
* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
99b6f7 
- Added auto* BuildRequires
99b6f7
99b6f7 
* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
99b6f7 
- Unified spec file
99b6f7
99b6f7 
* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
99b6f7 
- Fixed License in specfile
99b6f7 
- Include files from /usr/lib/python*/site-packages/ipaserver
99b6f7
99b6f7 
* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
99b6f7 
- Version bump for release
99b6f7
99b6f7 
* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
99b6f7 
- Preverse mode on ipa-keytab-util
99b6f7 
- Version bump for relase and rpm name change
99b6f7
99b6f7 
* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
99b6f7 
- Broke invididual Requires and BuildRequires onto separate lines and
99b6f7 
  reordered them
99b6f7 
- Added python-tgexpandingformwidget as a dependency
99b6f7 
- Require at least fedora-ds-base 1.1
99b6f7
99b6f7 
* Thu Nov  1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
99b6f7 
- Version bump for release
99b6f7
99b6f7 
* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
99b6f7 
- Add dep for freeipa-admintools and acl
99b6f7
99b6f7 
* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
99b6f7 
- Add dependency for python-krbV
99b6f7
99b6f7 
* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
99b6f7 
- Require mod_nss-1.0.7-2 for mod_proxy fixes
99b6f7
99b6f7 
* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
99b6f7 
- Convert to autotools-based build
99b6f7
99b6f7 
* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2
99b6f7
99b6f7 
* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
99b6f7 
- Added support for libipa-dna-plugin
99b6f7
99b6f7 
* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
99b6f7 
- Added support for ipa_kpasswd and ipa_pwd_extop
99b6f7
99b6f7 
* Sun Aug  5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
99b6f7 
- Abstracted client class to work directly or over RPC
99b6f7
99b6f7 
* Wed Aug  1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
99b6f7 
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
99b6f7 
- Remove references to admin server in ipa-server-setupssl
99b6f7 
- Generate a client certificate for the XML-RPC server to connect to LDAP with
99b6f7 
- Create a keytab for Apache
99b6f7 
- Create an ldif with a test user
99b6f7 
- Provide a certmap.conf for doing SSL client authentication
99b6f7
99b6f7 
* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
99b6f7 
- Initial rpm version

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation