Blob Blame History Raw
%define ipa_requires_gt()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

# ipatests enabled by default, can be disabled with --without ipatests
%bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
# On RHEL 8 we should use --with ipa_join_xml
%bcond_with ipa_join_xml

# Linting is disabled by default, needed for upstream testing
%bcond_with lint

# Build documentation with sphinx
%bcond_with doc

# Build Python wheels
%bcond_with wheels

# 389-ds-base 1.4 no longer supports i686 platform, build only client
# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
%ifarch %{ix86}
    %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
%endif

# Define ONLY_CLIENT to only make the ipa-client and ipa-python
# subpackages
%{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
%if %{ONLY_CLIENT}
    %global enable_server_option --disable-server
%else
    %global enable_server_option --enable-server
%endif

%if %{ONLY_CLIENT}
    %global with_ipatests 0
%endif

# Whether to build ipatests
%if %{with ipatests}
    %global with_ipatests_option --with-ipatests
%else
    %global with_ipatests_option --without-ipatests
%endif

# Whether to use XML-RPC with ipa-join
%if %{with ipa_join_xml}
    %global with_ipa_join_xml_option --with-ipa-join-xml
%else
    %global with_ipa_join_xml_option --without-ipa-join-xml
%endif

# lint is not executed during rpmbuild
# %%global with_lint 1
%if %{with lint}
    %global linter_options --enable-pylint --without-jslint --enable-rpmlint
%else
    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
%endif

# Include SELinux subpackage
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
    %global with_selinux 1
    %global selinuxtype targeted
    %global modulename ipa
%endif

%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.20.1-1
%global krb5_kdb_version 9.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
%global samba_version 4.17.4-101
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
%if 0%{?rhel} < 9
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
%global ds_version 1.4.3.16-12
%global selinux_policy_version 3.14.3-107
%else
# DNA interval enabled
%global ds_version 2.0.5-1
%global selinux_policy_version 38.1.1-1
%endif

# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
%global bind_version 9.11.20-6

# Fix for https://github.com/SSSD/sssd/issues/6331
%global sssd_version 2.8.0

%else
# Fedora
%global package_name freeipa
%global alt_name ipa
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
%global samba_version 2:4.12.10

# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
# 36.16-1 fixes BZ#2115691
%if 0%{?fedora} < 36
%global selinux_policy_version 3.14.5-45
%else
%global selinux_policy_version 36.16-1
%endif
%global slapi_nis_version 0.56.5

%if 0%{?fedora} < 38
# Fix for CVE-2020-28196
%global krb5_version 1.18.2-29
%global krb5_kdb_version 8.0
%else
# Fix for CVE-2020-28196
%global krb5_version 1.20.1-3
%global krb5_kdb_version 9.0
%endif

# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1

# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
# and has DNA interval enabled
%if 0%{?fedora} < 34
%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.7-1
%endif

# Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9

# Fix for RHBZ#2117342
%if 0%{?fedora} < 37
%global bind_version 9.11.24-1
%else
%global bind_version 32:9.18.7-1
%endif
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
%{?python_disable_dependency_generator}

%if 0%{?fedora} < 37
# F35+, adds IdP integration
%global sssd_version 2.7.0
%else
# Fix for https://github.com/SSSD/sssd/issues/6331
%global sssd_version 2.8.0
%endif

# Fedora
%endif

# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
%if 0%{?fedora} || 0%{?rhel} >= 9
    %global openssl_pkcs11_version 0.4.10-6
    %global softhsm_version 2.5.0-4
%else
    %global with_bind_pkcs11 1
%endif

%if 0%{?rhel} == 8
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%else
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%endif

# RHEL 8.3+, F32+ has 0.79.13
%global certmonger_version 0.79.7-3

# RHEL 8.2+, F32+ has 3.58
%global nss_version 3.44.0-4

%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
%global kdcproxy_version 0.4-3

%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
# systemd with resolved enabled
# see https://pagure.io/freeipa/issue/8275
%global systemd_version 246.6-3
%else
%global systemd_version 239
%endif

# augeas support for new chrony options
# see https://pagure.io/freeipa/issue/8676
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
%if 0%{?fedora} >= 33
%global augeas_version 1.12.0-6
%else
%if 0%{?rhel} >= 9
%global augeas_version 1.12.1-0
%else
%global augeas_version 1.12.0-3
%endif
%endif

%global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa

%define _hardened_build 1

# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.10.1
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
    %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%endif

%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")

Name:           %{package_name}
Version:        %{IPA_VERSION}
Release:        6%{?rc_version:.%rc_version}%{?dist}
Summary:        The Identity, Policy and Audit system

License:        GPLv3+
URL:            http://www.freeipa.org/
Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
# Only use detached signature for the distribution builds. If it is a developer build, skip it
%if %{NON_DEVELOPER_BUILD}
Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
%endif

# RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management

# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} == 8
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%endif
%if 0%{?rhel} == 9
Patch0001:      0001-updates-fix-memberManager-ACI-to-allow-managers-from.patch
Patch0002:      0002-Spec-file-ipa-client-depends-on-krb5-pkinit-openssl.patch
Patch0003:      0003-server-install-remove-error-log-about-missing-bkup-f.patch
Patch0004:      0004-ipa-tests-Add-LANG-before-kinit-command-to-fix-issue.patch
Patch0005:      0005-trust-add-handle-missing-msSFU30MaxGidNumber.patch
Patch0006:      0006-doc-Design-for-certificate-pruning.patch
Patch0007:      0007-ipa-acme-manage-add-certificate-request-pruning-mana.patch
Patch0008:      0008-doc-add-the-run-command-for-manual-job-execution.patch
Patch0009:      0009-tests-add-wrapper-around-ACME-RSNv3-test.patch
Patch0010:      0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch
Patch0011:      0011-Fix-setting-values-of-0-in-ACME-pruning.patch
Patch0012:      0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch
Patch0013:      0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch
Patch0014:      0014-Add-test-for-SSH-with-GSSAPI-auth.patch
Patch0015:      0015-webui-tests-fix-assertion-in-test_subid.py.patch
Patch0016:      0016-ipatests-mark-test_smb-as-xfail.patch
Patch0017:      0017-Tests-force-key-type-in-ACME-tests.patch
Patch0018:      0018-tests-Add-ipa_ca_name-checking-to-DNS-system-records.patch
Patch0019:      0019-tests-Add-new-ipa-ca-error-messages-to-IPADNSSystemR.patch
Patch0020:      0020-ipatests-tests-for-certificate-pruning.patch
Patch0021:      0021-ipatests-ensure-that-ipa-automember-rebuild-prints-a.patch
Patch0022:      0022-ipatests-fix-tests-in-TestACMEPrune.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END

BuildRequires:  openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
BuildRequires:  krb5-devel >= %{krb5_version}
BuildRequires:  pkgconfig(krb5)
%if %{with ipa_join_xml}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires:  xmlrpc-c-devel >= 1.27.4
%else
BuildRequires:  libcurl-devel
BuildRequires:  jansson-devel
%endif
BuildRequires:  popt-devel
BuildRequires:  gcc
BuildRequires:  make
BuildRequires:  pkgconfig
BuildRequires:  pkgconf
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  make
BuildRequires:  libtool
BuildRequires:  gettext
BuildRequires:  gettext-devel
BuildRequires:  python3-devel
BuildRequires:  python3-setuptools
BuildRequires:  systemd >= %{systemd_version}
# systemd-tmpfiles which is executed from make install requires apache user
BuildRequires:  httpd
BuildRequires:  nspr-devel
BuildRequires:  openssl-devel
BuildRequires:  libini_config-devel
BuildRequires:  cyrus-sasl-devel
%if ! %{ONLY_CLIENT}
BuildRequires:  389-ds-base-devel >= %{ds_version}
BuildRequires:  samba-devel >= %{samba_version}
BuildRequires:  libtalloc-devel
BuildRequires:  libtevent-devel
BuildRequires:  libuuid-devel
BuildRequires:  libpwquality-devel
BuildRequires:  libsss_idmap-devel
BuildRequires:  libsss_certmap-devel
BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
BuildRequires:  nodejs(abi)
# use old dependency on RHEL 8 for now
%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
BuildRequires:  python3-rjsmin
%else
BuildRequires:  uglify-js
%endif
BuildRequires:  libverto-devel
BuildRequires:  libunistring-devel
# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
# 0.13.0-2: fix for missing dependency on python-six
BuildRequires:  python3-lesscpy >= 0.13.0-2
BuildRequires:  cracklib-dicts
# ONLY_CLIENT
%endif

#
# Build dependencies for makeapi/makeaci
#
BuildRequires:  python3-cffi
BuildRequires:  python3-dns
BuildRequires:  python3-ldap >= %{python_ldap_version}
BuildRequires:  python3-libsss_nss_idmap
BuildRequires:  python3-netaddr >= %{python_netaddr_version}
BuildRequires:  python3-pyasn1
BuildRequires:  python3-pyasn1-modules
BuildRequires:  python3-six
BuildRequires:  python3-psutil

#
# Build dependencies for wheel packaging and PyPI upload
#
%if %{with wheels}
BuildRequires:  dbus-glib-devel
BuildRequires:  libffi-devel
BuildRequires:  python3-tox
%if 0%{?fedora} <= 28
BuildRequires:  python3-twine
%else
BuildRequires:  twine
%endif
BuildRequires:  python3-wheel
# with_wheels
%endif

%if %{with doc}
BuildRequires: python3-sphinx
BuildRequires: plantuml
BuildRequires: fontconfig
BuildRequires: google-noto-sans-vf-fonts
%endif

#
# Build dependencies for lint and fastcheck
#
%if %{with lint}

# python3-pexpect might not be available in RHEL9
%if 0%{?fedora} || 0%{?rhel} < 9
BuildRequires:  python3-pexpect
%endif

# jsl is orphaned in Fedora 34+
%if 0%{?fedora} < 34
BuildRequires:  jsl
%endif

BuildRequires:  git
BuildRequires:  nss-tools
BuildRequires:  rpmlint
BuildRequires:  softhsm

BuildRequires:  keyutils
BuildRequires:  python3-augeas
BuildRequires:  python3-cffi
BuildRequires:  python3-cryptography >= 1.6
BuildRequires:  python3-dateutil
BuildRequires:  python3-dbus
BuildRequires:  python3-dns >= 1.15
BuildRequires:  python3-docker
BuildRequires:  python3-gssapi >= 1.2.0
BuildRequires:  python3-jinja2
BuildRequires:  python3-jwcrypto >= 0.4.2
BuildRequires:  python3-ldap >= %{python_ldap_version}
BuildRequires:  python3-ldap >= %{python_ldap_version}
BuildRequires:  python3-lib389 >= %{ds_version}
BuildRequires:  python3-libipa_hbac
BuildRequires:  python3-libsss_nss_idmap
BuildRequires:  python3-lxml
BuildRequires:  python3-netaddr >= %{python_netaddr_version}
BuildRequires:  python3-netifaces
BuildRequires:  python3-pki >= %{pki_version}
BuildRequires:  python3-polib
BuildRequires:  python3-pyasn1
BuildRequires:  python3-pyasn1-modules
BuildRequires:  python3-pycodestyle
# .wheelconstraints.in limits pylint version in Azure and tox tests
BuildRequires:  python3-pylint
BuildRequires:  python3-pytest-multihost
BuildRequires:  python3-pytest-sourceorder
BuildRequires:  python3-qrcode-core >= 5.0.0
BuildRequires:  python3-samba
BuildRequires:  python3-six
BuildRequires:  python3-sss
BuildRequires:  python3-sss-murmur
BuildRequires:  python3-sssdconfig >= %{sssd_version}
BuildRequires:  python3-systemd
BuildRequires:  python3-yaml
BuildRequires:  python3-yubico
# with_lint
%endif

#
# Build dependencies for unit tests
#
%if ! %{ONLY_CLIENT}
BuildRequires:  libcmocka-devel
# Required by ipa_kdb_tests
BuildRequires:  krb5-server >= %{krb5_version}
# ONLY_CLIENT
%endif

# Build dependencies for SELinux policy
%if %{with selinux}
BuildRequires:  selinux-policy-devel >= %{selinux_policy_version}
%endif

%description
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).


%if ! %{ONLY_CLIENT}

%package server
Summary: The IPA authentication server
Requires: %{name}-server-common = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: python3-ldap >= %{python_ldap_version}
Requires: 389-ds-base >= %{ds_version}
Requires: openldap-clients > 2.4.35-4
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version}
Requires: krb5-kdb-version = %{krb5_kdb_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
Requires: httpd >= %{httpd_version}
Requires(preun): python3
Requires(postun): python3
Requires: python3-gssapi >= 1.2.0-5
Requires: python3-systemd
Requires: python3-mod_wsgi
Requires: mod_auth_gssapi >= 1.5.0
Requires: mod_ssl >= %{httpd_version}
Requires: mod_session >= %{httpd_version}
# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
Requires: mod_lookup_identity >= 0.9.9
Requires: acl
Requires: systemd-units >= %{systemd_version}
Requires(pre): systemd-units >= %{systemd_version}
Requires(post): systemd-units >= %{systemd_version}
Requires(preun): systemd-units >= %{systemd_version}
Requires(postun): systemd-units >= %{systemd_version}
Requires(pre): shadow-utils
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= %{pki_version}
Requires: pki-kra >= %{pki_version}
# pki-acme package was split out in pki-10.10.0
Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= %{certmonger_version}
Requires(pre): 389-ds-base >= %{ds_version}
Requires: fontawesome-fonts
Requires: open-sans-fonts
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
# https://pagure.io/freeipa/issue/8632
Requires: openssl > 1.1.1i
%else
Requires: openssl
%endif
Requires: softhsm >= 2.0.0rc1-1
Requires: p11-kit
Requires: %{etc_systemd_dir}
Requires: gzip
Requires: oddjob
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
%ipa_requires_gt samba-client-libs

Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
Obsoletes: %{alt_name}-server < %{version}

# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
Obsoletes: freeipa-server-selinux < 3.3.0

# upgrade path from monolithic -server to -server + -server-dns
Obsoletes: %{name}-server <= 4.2.0

# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
# member.
Conflicts: nss-pam-ldapd < 0.8.4

# RHEL spec file only: START: Do not build tests
%if 0%{?rhel} == 8
# ipa-tests subpackage was moved to separate srpm
Conflicts: ipa-tests < 3.3.3-9
%endif
# RHEL spec file only: END: Do not build tests

%description server
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If you are installing an IPA server, you need to install this package.


%package -n python3-ipaserver
Summary: Python libraries used by IPA server
BuildArch: noarch
%{?python_provide:%python_provide python3-ipaserver}
Requires: %{name}-server-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
# we need pre-requires since earlier versions may break upgrade
Requires(pre): python3-ldap >= %{python_ldap_version}
Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version}
Requires: python3-dbus
Requires: python3-dns >= 1.15
Requires: python3-gssapi >= 1.2.0
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-kdcproxy >= %{kdcproxy_version}
Requires: python3-lxml
Requires: python3-pki >= %{pki_version}
Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-sssdconfig >= %{sssd_version}
Requires: python3-psutil
Requires: rpm-libs
# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
%if 0%{?rhel}
Requires: python3-urllib3 >= 1.24.2-3
%else
Requires: python3-urllib3 >= 1.25.7
%endif

%description -n python3-ipaserver
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If you are installing an IPA server, you need to install this package.


%package server-common
Summary: Common files used by IPA server
BuildArch: noarch
Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
%if 0%{?rhel} >= 8 && ! 0%{?eln}
Requires: system-logos-ipa >= 80.4
%endif

Provides: %{alt_name}-server-common = %{version}
Conflicts: %{alt_name}-server-common
Obsoletes: %{alt_name}-server-common < %{version}

%description server-common
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If you are installing an IPA server, you need to install this package.


%package server-dns
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
# https://pagure.io/freeipa/issue/9026
Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
%endif
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
# RHEL 8.3+ and Fedora 32+ have 2.1
Requires: opendnssec >= 2.1.6-5
%{?systemd_requires}

Provides: %{alt_name}-server-dns = %{version}
Conflicts: %{alt_name}-server-dns
Obsoletes: %{alt_name}-server-dns < %{version}

# upgrade path from monolithic -server to -server + -server-dns
Obsoletes: %{name}-server <= 4.2.0

%description server-dns
IPA integrated DNS server with support for automatic DNSSEC signing.
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.


%package server-trust-ad
Summary: Virtual package to install packages required for Active Directory trusts
Requires: %{name}-server = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}

Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: sssd-winbind-idmap
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
%endif
Requires(post): python3
Requires: python3-samba
Requires: python3-libsss_nss_idmap
Requires: python3-sss

# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
# on the installes where server-trust-ad subpackage is installed because
# IPA AD trusts cannot be used at the same time with the locator plugin
# since Winbindd will be configured in a different mode
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
Requires(preun): %{_sbindir}/update-alternatives

Provides: %{alt_name}-server-trust-ad = %{version}
Conflicts: %{alt_name}-server-trust-ad
Obsoletes: %{alt_name}-server-trust-ad < %{version}

%description server-trust-ad
Cross-realm trusts with Active Directory in IPA require working Samba 4
installation. This package is provided for convenience to install all required
dependencies at once.

# ONLY_CLIENT
%endif


%package client
Summary: IPA authentication for use on clients
Requires: %{name}-client-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-gssapi >= 1.2.0-5
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ldap >= %{python_ldap_version}
Requires: python3-sssdconfig >= %{sssd_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: chrony
Requires: krb5-workstation >= %{krb5_version}
# support pkinit with client install
Requires: krb5-pkinit-openssl >= %{krb5_version}
# authselect: sssd profile with-subid
%if 0%{?fedora} >= 36
Requires: authselect >= 1.4.0
%else
Requires: authselect >= 1.2.5
%endif
Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
# All Fedora 28+ and RHEL8+ contain the service in hostname package
Requires: hostname
Requires: libcurl >= 7.21.7-2
%if %{with ipa_join_xml}
Requires: xmlrpc-c >= 1.27.4
%else
Requires: jansson
%endif
Requires: sssd-ipa >= %{sssd_version}
Requires: sssd-idp >= %{sssd_version}
Requires: certmonger >= %{certmonger_version}
Requires: nss-tools >= %{nss_version}
Requires: bind-utils
Requires: oddjob-mkhomedir
Requires: libsss_autofs
Requires: autofs
Requires: libnfsidmap
Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils

# https://pagure.io/freeipa/issue/8530
Recommends: libsss_sudo
Recommends: sudo
Requires: (libsss_sudo if sudo)

Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}

Provides: %{alt_name}-admintools = %{version}
Conflicts: %{alt_name}-admintools
Obsoletes: %{alt_name}-admintools < 4.4.1

Obsoletes: %{name}-admintools < 4.4.1
Provides: %{name}-admintools = %{version}-%{release}

%if 0%{?rhel} == 8
# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
Conflicts: crypto-policies < 20200629-1
%endif

%if 0%{?rhel} == 9
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
# AD-SUPPORT-LEGACY policy modules
Conflicts: crypto-policies < 20220223-1
%endif

%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.
This package provides command-line tools for IPA administrators.

%package client-samba
Summary: Tools to configure Samba on IPA client
Group: System Environment/Base
Requires: %{name}-client = %{version}-%{release}
Requires: python3-samba
Requires: samba-client
Requires: samba-winbind
Requires: samba-common-tools
Requires: samba
Requires: sssd-winbind-idmap
Requires: tdb-tools
Requires: cifs-utils

%description client-samba
This package provides command-line tools to deploy Samba domain member
on the machine enrolled into a FreeIPA environment

%package client-epn
Summary: Tools to configure Expiring Password Notification in IPA
Group: System Environment/Base
Requires: %{name}-client = %{version}-%{release}
Requires: systemd-units >= %{systemd_version}
Requires(post): systemd-units >= %{systemd_version}
Requires(preun): systemd-units >= %{systemd_version}
Requires(postun): systemd-units >= %{systemd_version}

%description client-epn
This package provides a service to collect and send expiring password
notifications via email (SMTP).

%package -n python3-ipaclient
Summary: Python libraries used by IPA client
BuildArch: noarch
%{?python_provide:%python_provide python3-ipaclient}
Requires: %{name}-client-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipalib = %{version}-%{release}
Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version}
Requires: python3-dns >= 1.15
Requires: python3-jinja2

%description -n python3-ipaclient
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.

%package client-common
Summary: Common files used by IPA client
BuildArch: noarch

Provides: %{alt_name}-client-common = %{version}
Conflicts: %{alt_name}-client-common
Obsoletes: %{alt_name}-client-common < %{version}
# python2-ipa* packages are no longer available in 4.8.
Obsoletes: python2-ipaclient < 4.8.0-1
Obsoletes: python2-ipalib < 4.8.0-1
Obsoletes: python2-ipaserver < 4.8.0-1
Obsoletes: python2-ipatests < 4.8.0-1


%description client-common
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.


%package python-compat
Summary: Compatiblity package for Python libraries used by IPA
BuildArch: noarch
Obsoletes: %{name}-python < 4.2.91
Provides: %{name}-python = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipalib = %{version}-%{release}

Provides: %{alt_name}-python-compat = %{version}
Conflicts: %{alt_name}-python-compat
Obsoletes: %{alt_name}-python-compat < %{version}

Obsoletes: %{alt_name}-python < 4.2.91
Provides: %{alt_name}-python = %{version}

%description python-compat
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
This is a compatibility package to accommodate %{name}-python split into
python3-ipalib and %{name}-common. Packages still depending on
%{name}-python should be fixed to depend on python2-ipaclient or
%{name}-common instead.


%package -n python3-ipalib
Summary: Python3 libraries used by IPA
BuildArch: noarch
%{?python_provide:%python_provide python3-ipalib}
Provides: python3-ipapython = %{version}-%{release}
%{?python_provide:%python_provide python3-ipapython}
Provides: python3-ipaplatform = %{version}-%{release}
%{?python_provide:%python_provide python3-ipaplatform}
Requires: %{name}-common = %{version}-%{release}
# we need pre-requires since earlier versions may break upgrade
Requires(pre): python3-ldap >= %{python_ldap_version}
Requires: gnupg2
Requires: keyutils
Requires: python3-cffi
Requires: python3-cryptography >= 1.6
Requires: python3-dateutil
Requires: python3-dbus
Requires: python3-dns >= 1.15
Requires: python3-gssapi >= 1.2.0
Requires: python3-jwcrypto >= 0.4.2
Requires: python3-libipa_hbac
Requires: python3-netaddr >= %{python_netaddr_version}
Requires: python3-netifaces >= 0.10.4
Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-pyusb
Requires: python3-qrcode-core >= 5.0.0
Requires: python3-requests
Requires: python3-six
Requires: python3-sss-murmur
Requires: python3-yubico >= 1.3.2-7
%if 0%{?rhel} && 0%{?rhel} == 8
Requires: platform-python-setuptools
%else
Requires: python3-setuptools
%endif

%description -n python3-ipalib
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If you are using IPA with Python 3, you need to install this package.


%package common
Summary: Common files used by IPA
BuildArch: noarch
Conflicts: %{name}-python < 4.2.91

Provides: %{alt_name}-common = %{version}
Conflicts: %{alt_name}-common
Obsoletes: %{alt_name}-common < %{version}

Conflicts: %{alt_name}-python < %{version}

%if %{with selinux}
# This ensures that the *-selinux package and all it’s dependencies are not
# pulled into containers and other systems that do not use SELinux. The
# policy defines types and file contexts for client and server.
Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif

%description common
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If you are using IPA, you need to install this package.


%if %{with ipatests}

%package -n python3-ipatests
Summary: IPA tests and test tools
BuildArch: noarch
%{?python_provide:%python_provide python3-ipatests}
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
Requires: python3-cryptography >= 1.6
%if 0%{?fedora}
# These packages do not exist on RHEL and for ipatests use
# they are installed on the controller through other means
Requires: ldns-utils
Requires: python3-pexpect
# update-crypto-policies
Requires: crypto-policies-scripts
Requires: python3-polib
Requires: python3-pytest >= 3.9.1
Requires: python3-pytest-multihost >= 0.5
Requires: python3-pytest-sourceorder
Requires: sshpass
%endif
Requires: python3-sssdconfig >= %{sssd_version}
Requires: tar
Requires: xz
Requires: openssh-clients
%if 0%{?rhel}
AutoReqProv: no
%endif

%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
This package contains tests that verify IPA functionality under Python 3.

# with ipatests
%endif


%if %{with selinux}
# SELinux subpackage
%package selinux
Summary:             FreeIPA SELinux policy
BuildArch:           noarch
Requires:            selinux-policy-%{selinuxtype}
Requires(post):      selinux-policy-%{selinuxtype}
%{?selinux_requires}

%description selinux
Custom SELinux policy module for FreeIPA
# with selinux
%endif


%prep
%autosetup -n freeipa-%{version}%{?rc_version} -N -p1

# To allow proper application patches to the stripped po files, strip originals
pushd po
for i in *.po ; do
    msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
    mv $i.tmp $i || exit 1
done
popd

%autopatch -p1

%build
# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
export PATH=/usr/bin:/usr/sbin:$PATH

export PYTHON=%{__python3}
autoreconf -ivf
%configure --with-vendor-suffix=-%{release} \
           %{enable_server_option} \
           %{with_ipatests_option} \
           %{with_ipa_join_xml_option} \
           %{linter_options}

# run build in default dir
# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
%make_build -Onone


%check
make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}


%install
# Please put as much logic as possible into make install. It allows:
# - easier porting to other distributions
# - rapid devel & install cycle using make install
#   (instead of full RPM build and installation each time)
#
# All files and directories created by spec install should be marked as ghost.
# (These are typically configuration files created by IPA installer.)
# All other artifacts should be created by make install.

%make_install

# don't package ipasphinx for now
rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*

%if %{with ipatests}
mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
# with_ipatests
%endif

# remove files which are useful only for make uninstall
find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;

%if 0%{?rhel}
# RHEL spec file only: START
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
%endif
# RHEL spec file only: END

%find_lang %{gettext_domain}

%if ! %{ONLY_CLIENT}
# Remove .la files from libtool - we don't want to package
# these files
rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
rm %{buildroot}/%{plugin_dir}/libipa_dns.la
rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
rm %{buildroot}/%{plugin_dir}/libtopology.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la

# So we can own our Apache configuration
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con

mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so

# ONLY_CLIENT
%endif

/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt

%if ! %{ONLY_CLIENT}
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
# ONLY_CLIENT
%endif

%if ! %{ONLY_CLIENT}

%post server
# NOTE: systemd specific section
    /bin/systemctl --system daemon-reload 2>&1 || :
# END
if [ $1 -gt 1 ] ; then
    /bin/systemctl condrestart certmonger.service 2>&1 || :
fi
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd

%tmpfiles_create ipa.conf

%posttrans server
# don't execute upgrade and restart of IPA when server is not installed
%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1

if [  $? -eq 0 ]; then
    # This is necessary for Fedora system upgrades which by default
    # work with the network being offline
    /bin/systemctl start network-online.target

    # Restart IPA processes. This must be also run in postrans so that plugins
    # and software is in consistent state. This will also perform the
    # system upgrade.
    # NOTE: systemd specific section

    /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
    if [  $? -eq 0 ]; then
        /bin/systemctl restart ipa.service >/dev/null
    fi

    /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
    if [  $? -eq 1 ]; then
        /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
    fi
fi
# END


%preun server
if [ $1 = 0 ]; then
# NOTE: systemd specific section
    /bin/systemctl --quiet stop ipa.service || :
    /bin/systemctl --quiet disable ipa.service || :
    /bin/systemctl reload-or-try-restart dbus
    /bin/systemctl reload-or-try-restart oddjobd
# END
fi


%pre server
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
# zombie process when we're done.
if [ -e /usr/sbin/ipa_kpasswd ]; then
# NOTE: systemd specific section
    /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
# END
fi


%pre server-common
# create users and groups
# create kdcproxy group and user
getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
# create ipaapi group and user
getent group ipaapi >/dev/null || groupadd -f -r ipaapi
getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
# add apache to ipaaapi group
id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi


%post server-dns
%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service

%preun server-dns
%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service

%postun server-dns
%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service


%postun server-trust-ad
if [ "$1" -ge "1" ]; then
    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
        %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
    fi
fi


%post server-trust-ad
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
        winbind_krb5_locator.so /dev/null 90
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd


%posttrans server-trust-ad
%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
if [  $? -eq 0 ]; then
# NOTE: systemd specific section
    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
# END
fi


%preun server-trust-ad
if [ $1 -eq 0 ]; then
    %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
    /bin/systemctl reload-or-try-restart dbus
    /bin/systemctl reload-or-try-restart oddjobd
fi

# ONLY_CLIENT
%endif

%preun client-epn
%systemd_preun ipa-epn.service
%systemd_preun ipa-epn.timer

%postun client-epn
%systemd_postun ipa-epn.service
%systemd_postun ipa-epn.timer

%post client-epn
%systemd_post ipa-epn.service
%systemd_post ipa-epn.timer

%post client
if [ $1 -gt 1 ] ; then
    # Has the client been configured?
    restore=0
    test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')

    if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
        if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
            echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
        fi
    fi

    if [ $restore -ge 2 ]; then
        if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
            sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
            cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
        fi

        %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
        %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
        chmod 0600 /var/log/ipaupgrade.log
        SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
        if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
            sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
        fi
    fi
fi


%if %{with selinux}
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
semodule -d ipa_custodia &> /dev/null || true;
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
    semodule -e ipa_custodia &> /dev/null || true;
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
# with_selinux
%endif


%triggerin client -- openssh-server < 8.2
# Has the client been configured?
restore=0
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')

if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
    if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then
        sed -r '
            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew

        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
            sed -ri '
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
            ' /etc/ssh/sshd_config.ipanew
        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
            sed -ri '
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
            ' /etc/ssh/sshd_config.ipanew
        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
            sed -ri '
                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
            ' /etc/ssh/sshd_config.ipanew
        fi

        mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
        chmod 600 /etc/ssh/sshd_config

        /bin/systemctl condrestart sshd.service 2>&1 || :
    fi
fi


%triggerin client -- openssh-server >= 8.2
# Has the client been configured?
restore=0
test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')

if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
    # If the snippet already exists, skip
    if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
        # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf
        grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf
        # Remove the values from sshd_conf
        sed -ri '
            /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d
        ' /etc/ssh/sshd_config

        /bin/systemctl condrestart sshd.service 2>&1 || :
    fi
    # If the snippet has been created, ensure that it is included
    # either by /etc/ssh/sshd_config.d/*.conf or directly
    if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then
        if ! grep -E -q  '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
            if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then
                # Include the snippet
                echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew
                cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew
                mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
            fi
        fi
    fi
fi


%if ! %{ONLY_CLIENT}

%files server
%doc README.md Contributors.txt
%license COPYING
%{_sbindir}/ipa-backup
%{_sbindir}/ipa-restore
%{_sbindir}/ipa-ca-install
%{_sbindir}/ipa-kra-install
%{_sbindir}/ipa-server-install
%{_sbindir}/ipa-replica-conncheck
%{_sbindir}/ipa-replica-install
%{_sbindir}/ipa-replica-manage
%{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall
%{_sbindir}/ipa-server-upgrade
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-advise
%{_sbindir}/ipa-cacert-manage
%{_sbindir}/ipa-winsync-migrate
%{_sbindir}/ipa-pkinit-manage
%{_sbindir}/ipa-crlgen-manage
%{_sbindir}/ipa-cert-fix
%{_sbindir}/ipa-acme-manage
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%dir %{_libexecdir}/ipa
%{_libexecdir}/ipa/ipa-ccache-sweeper
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%{_libexecdir}/ipa/ipa-httpd-pwdreader
%{_libexecdir}/ipa/ipa-pki-retrieve-key
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac
%{_libexecdir}/ipa/ipa-subids
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger
%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
# NOTE: systemd specific section
%attr(644,root,root) %{_unitdir}/ipa.service
%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
# END
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
%attr(755,root,root) %{plugin_dir}/libipa_dns.so
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
%attr(755,root,root) %{plugin_dir}/libtopology.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1*
%{_mandir}/man1/ipa-replica-install.1*
%{_mandir}/man1/ipa-replica-manage.1*
%{_mandir}/man1/ipa-csreplica-manage.1*
%{_mandir}/man1/ipa-server-certinstall.1*
%{_mandir}/man1/ipa-server-install.1*
%{_mandir}/man1/ipa-server-upgrade.1*
%{_mandir}/man1/ipa-ca-install.1*
%{_mandir}/man1/ipa-kra-install.1*
%{_mandir}/man1/ipa-compat-manage.1*
%{_mandir}/man1/ipa-nis-manage.1*
%{_mandir}/man1/ipa-managed-entries.1*
%{_mandir}/man1/ipa-ldap-updater.1*
%{_mandir}/man8/ipactl.8*
%{_mandir}/man1/ipa-backup.1*
%{_mandir}/man1/ipa-restore.1*
%{_mandir}/man1/ipa-advise.1*
%{_mandir}/man1/ipa-otptoken-import.1*
%{_mandir}/man1/ipa-cacert-manage.1*
%{_mandir}/man1/ipa-winsync-migrate.1*
%{_mandir}/man1/ipa-pkinit-manage.1*
%{_mandir}/man1/ipa-crlgen-manage.1*
%{_mandir}/man1/ipa-cert-fix.1*
%{_mandir}/man1/ipa-acme-manage.1*


%files -n python3-ipaserver
%doc README.md Contributors.txt
%license COPYING
%{python3_sitelib}/ipaserver
%{python3_sitelib}/ipaserver-*.egg-info


%files server-common
%doc README.md Contributors.txt
%license COPYING
%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
# NOTE: systemd specific section
%{_tmpfilesdir}/ipa.conf
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
# END
%{_usr}/share/ipa/wsgi.py*
%{_usr}/share/ipa/kdcproxy.wsgi
%{_usr}/share/ipa/ipaca*.ini
%{_usr}/share/ipa/*.ldif
%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
%dir %{_usr}/share/ipa/profiles
%{_usr}/share/ipa/profiles/README
%{_usr}/share/ipa/profiles/*.cfg
%dir %{_usr}/share/ipa/html
%{_usr}/share/ipa/html/ssbrowser.html
%{_usr}/share/ipa/html/unauthorized.html
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/index.html
%{_usr}/share/ipa/migration/migration.py*
%dir %{_usr}/share/ipa/ui
%{_usr}/share/ipa/ui/index.html
%{_usr}/share/ipa/ui/reset_password.html
%{_usr}/share/ipa/ui/sync_otp.html
%{_usr}/share/ipa/ui/*.ico
%{_usr}/share/ipa/ui/*.css
%dir %{_usr}/share/ipa/ui/css
%{_usr}/share/ipa/ui/css/*.css
%dir %{_usr}/share/ipa/ui/js
%dir %{_usr}/share/ipa/ui/js/dojo
%{_usr}/share/ipa/ui/js/dojo/dojo.js
%dir %{_usr}/share/ipa/ui/js/libs
%{_usr}/share/ipa/ui/js/libs/*.js
%dir %{_usr}/share/ipa/ui/js/freeipa
%{_usr}/share/ipa/ui/js/freeipa/app.js
%{_usr}/share/ipa/ui/js/freeipa/core.js
%dir %{_usr}/share/ipa/ui/js/plugins
%dir %{_usr}/share/ipa/ui/images
%if 0%{?rhel}
%{_usr}/share/ipa/ui/images/facet-*.png
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
# product-name.png
%else
%{_usr}/share/ipa/ui/images/*.jpg
%{_usr}/share/ipa/ui/images/*.png
%endif
%dir %{_usr}/share/ipa/wsgi
%{_usr}/share/ipa/wsgi/plugins.py*
%dir %{_sysconfdir}/ipa
%dir %{_sysconfdir}/ipa/html
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%dir %{_localstatedir}/lib/ipa
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
%dir %{_usr}/share/ipa/schema.d
%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README
%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login
%{_usr}/share/ipa/ipakrb5.aug

%files server-dns
%doc README.md Contributors.txt
%license COPYING
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
%{_libexecdir}/ipa/ipa-dnskeysyncd
%{_libexecdir}/ipa/ipa-dnskeysync-replica
%{_libexecdir}/ipa/ipa-ods-exporter
%{_sbindir}/ipa-dns-install
%{_mandir}/man1/ipa-dns-install.1*
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service

%files server-trust-ad
%doc README.md Contributors.txt
%license COPYING
%{_sbindir}/ipa-adtrust-install
%{_usr}/share/ipa/smb.conf.empty
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
%{_datadir}/ipa/ipa-cldap-conf.ldif
%{_mandir}/man1/ipa-adtrust-install.1*
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains

# ONLY_CLIENT
%endif


%files client
%doc README.md Contributors.txt
%license COPYING
%{_sbindir}/ipa-client-install
%{_sbindir}/ipa-client-automount
%{_sbindir}/ipa-certupdate
%{_sbindir}/ipa-getkeytab
%{_sbindir}/ipa-rmkeytab
%{_sbindir}/ipa-join
%{_bindir}/ipa
%config %{_sysconfdir}/bash_completion.d
%config %{_sysconfdir}/sysconfig/certmonger
%{_mandir}/man1/ipa.1*
%{_mandir}/man1/ipa-getkeytab.1*
%{_mandir}/man1/ipa-rmkeytab.1*
%{_mandir}/man1/ipa-client-install.1*
%{_mandir}/man1/ipa-client-automount.1*
%{_mandir}/man1/ipa-certupdate.1*
%{_mandir}/man1/ipa-join.1*
%dir %{_libexecdir}/ipa/acme
%{_libexecdir}/ipa/acme/certbot-dns-ipa

%files client-samba
%doc README.md Contributors.txt
%license COPYING
%{_sbindir}/ipa-client-samba
%{_mandir}/man1/ipa-client-samba.1*


%files client-epn
%doc README.md Contributors.txt
%dir %{_sysconfdir}/ipa/epn
%license COPYING
%{_sbindir}/ipa-epn
%{_mandir}/man1/ipa-epn.1*
%{_mandir}/man5/epn.conf.5*
%attr(644,root,root) %{_unitdir}/ipa-epn.service
%attr(644,root,root) %{_unitdir}/ipa-epn.timer
%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template

%files -n python3-ipaclient
%doc README.md Contributors.txt
%license COPYING
%dir %{python3_sitelib}/ipaclient
%{python3_sitelib}/ipaclient/*.py
%{python3_sitelib}/ipaclient/__pycache__/*.py*
%dir %{python3_sitelib}/ipaclient/install
%{python3_sitelib}/ipaclient/install/*.py
%{python3_sitelib}/ipaclient/install/__pycache__/*.py*
%dir %{python3_sitelib}/ipaclient/plugins
%{python3_sitelib}/ipaclient/plugins/*.py
%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
%dir %{python3_sitelib}/ipaclient/remote_plugins
%{python3_sitelib}/ipaclient/remote_plugins/*.py
%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
%dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
%{python3_sitelib}/ipaclient-*.egg-info


%files client-common
%doc README.md Contributors.txt
%license COPYING
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
# old dbm format
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
# new sql format
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%dir %{_localstatedir}/lib/ipa-client
%dir %{_localstatedir}/lib/ipa-client/pki
%dir %{_localstatedir}/lib/ipa-client/sysrestore
%{_mandir}/man5/default.conf.5*
%dir %{_usr}/share/ipa/client
%{_usr}/share/ipa/client/*.template


%files python-compat
%doc README.md Contributors.txt
%license COPYING


%files common -f %{gettext_domain}.lang
%doc README.md Contributors.txt
%license COPYING
%dir %{_usr}/share/ipa
%dir %{_libexecdir}/ipa

%files -n python3-ipalib
%doc README.md Contributors.txt
%license COPYING

%{python3_sitelib}/ipapython/
%{python3_sitelib}/ipalib/
%{python3_sitelib}/ipaplatform/
%{python3_sitelib}/ipapython-*.egg-info
%{python3_sitelib}/ipalib-*.egg-info
%{python3_sitelib}/ipaplatform-*.egg-info


%if %{with ipatests}


%files -n python3-ipatests
%doc README.md Contributors.txt
%license COPYING
%{python3_sitelib}/ipatests
%{python3_sitelib}/ipatests-*.egg-info
%{_bindir}/ipa-run-tests-3
%{_bindir}/ipa-test-config-3
%{_bindir}/ipa-test-task-3
%{_bindir}/ipa-run-tests-%{python3_version}
%{_bindir}/ipa-test-config-%{python3_version}
%{_bindir}/ipa-test-task-%{python3_version}
%{_bindir}/ipa-run-tests
%{_bindir}/ipa-test-config
%{_bindir}/ipa-test-task
%{_mandir}/man1/ipa-run-tests.1*
%{_mandir}/man1/ipa-test-config.1*
%{_mandir}/man1/ipa-test-task.1*

# with ipatests
%endif


%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with selinux
%endif

%changelog
* Tue May 09 2023 CentOS Sources <bugs@centos.org> - 4.10.1-6.el9.centos
- Apply debranding changes

* Wed Feb 22 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-6
- Resolves: rhbz#2169632 Backport latest test fixes in python3-ipatests

* Mon Feb 13 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-5
- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain
- Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work
- Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task
- Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seems to be work with ipa-acme-manage pruning command

* Mon Feb 06 2023 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-4
- Resolves: rhbz#2161284 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful
- Resolves: rhbz#2164403 ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range
- Resolves: rhbz#2162677 RFE: Implement support for PKI certificate and request pruning
- Resolves: rhbz#2167312 - Backport latest test fixes in python3-ipatests

* Wed Dec 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.1-3
- Rebuild against krb5 1.20.1 ABI
- Resolves: rhbz#2155425

* Fri Dec 9 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-2
- Resolves: rhbz#2148887 MemberManager with groups fails
- Resolves: rhbz#2150335 idm:client is missing dependency on krb5-pkinit

* Fri Nov 25 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.1-1
- Resolves: rhbz#2141315 [Rebase] Rebase ipa to latest 4.10.x release for RHEL 9.2
- Resolves: rhbz#2094673 ipa-client-install should just use system wide CA store and do not specify TLS_CACERT in ldap.conf
- Resolves: rhbz#2117167 After leapp upgrade on ipa-client ipa-server package installation failed. (`REQ_FULL_WITH_MEMBERS` returns object from wrong domain)
- Resolves: rhbz#2127833 Password Policy Grace login limit allows invalid maximum value
- Resolves: rhbz#2143224 [RFE] add certificate support to ipa-client instead of one time password
- Resolves: rhbz#2144736 vault interoperability with older RHEL systems is broken
- Resolves: rhbz#2148258 ipa-client-install does not maintain server affinity during installation
- Resolves: rhbz#2148379 Add warning for empty targetattr when creating ACI with RBAC
- Resolves: rhbz#2148380 OTP token sync always returns OK even with random numbers
- Resolves: rhbz#2148381 Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
- Resolves: rhbz#2148382 Introduction of URI records for kerberos breaks location functionality

* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]

* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'

* Thu Jul 28 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-5
- Resolves: rhbz#2109645
  - Rebuild for samba-4.16.3-101.el9

* Thu Jul 21 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-4
- Resolves: rhbz#2109645
  - Rebuild for samba-4.16.3-100.el9

* Fri Jul 15 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-3
- Resolves: rhbz#2105294 IdM WebUI Pagination Size should not allow empty value

* Thu Jun 30 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.10.0-2
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind

* Thu Jun 30 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.10.0-1
- Resolves: rhbz#747959 [RFE] Support random serial numbers in IPA certificates
- Resolves: rhbz#2100227 [UX] Preserving a user account produces output saying it was deleted

* Fri Jun 17 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.10-1
- Resolves: rhbz#2079469 [Rebase] Rebase ipa to latest 4.9.x release
- Resolves: rhbz#2012911 named journalctl logs shows 'zone testrealm.test/IN: serial (serialnumber) write back to LDAP failed.'
- Resolves: rhbz#2069202 [RFE] add support for authenticating against external IdP services using OAUTH2 preauthenticaiton mechanism provided by SSSD
- Resolves: rhbz#2083218 ipa-dnskeysyncd floods /var/log/messages with DEBUG messages
- Resolves: rhbz#2089750 RFE: Improve error message with more detail for ipa-replica-install command
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
- Resolves: rhbz#2094400 [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
- Resolves: rhbz#2096922 secret in ipa-pki-proxy.conf is not changed if new requiredSecret value is present in /etc/pki/pki-tomcat/server.xml

* Wed Apr 06 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-8
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
  - tests: ensure AD-SUPPORT subpolicy is active in more cases
  - ipatests: fix check for AD topology being present

* Thu Mar 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
  - KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
  - tests: ensure AD-SUPPORT subpolicy is active
  - ipatests: extend AES keyset to SHA2-based ones
  - freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
  - Kerberos instance: default to AES256-SHA2 for master key encryption
  - test_otp: do not use paramiko unless it is really needed
  - test_krbtpolicy: skip SPAKE-related tests in FIPS mode
  - Support AES for KRA archival wrapping
  - Set AES as default for KRA archival wrapping

* Thu Feb 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-6
- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
  - ipatests: Tests for Autoprivate group.
  - mark xfail for test_idoverride_with_auto_private_group[hybrid]
  - Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]

* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-5
- Resolves: rhbz#2053025
  - add IPA test suite fixes

* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-4
- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak
  - fix memory leak in CLDAP responder

* Fri Feb 11 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-3
- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
  - Don't always override the port in import_included_profiles
- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
  - Test ipa-ccache-sweep.timer enabled by default during installation
  - Enable the ccache sweep timer during installation
- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
  - Remove ipa-join errors from behind the debug option

* Thu Feb 03 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-2
- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed'
  - Config plugin: return EmptyModlist when no change is applied
  - config plugin: add a test ensuring EmptyModlist is returned
- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests
  - ipatests: webui: Tests for subordinate ids.
  - ipatests: webui: Use safe-loader for loading YAML configuration file
  - ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
  - Test cases for ipa-replica-conncheck command
  - PEP8 Fixes
  - ipatests: Test empty cert request doesn't force certmonger to segfault
  - ipatests: Test default value of nsslapd-sizelimit.
  - Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>`
  - Added test automation for SHA384withRSA CSR support
- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened
  - ipa-kdb: do not remove keys for hardened auth-enabled users
  - ipatests: add case for hardened-only ticket policy
- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
  - ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus

* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
  - ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
  - ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates

* Tue Oct 5 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-9
- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
  - Parse getStatus as JSON not XML
  - Parse cert chain as JSON not XML
  - Specify PKI installation log paths
  - Make Dogtag return XML for ipa cert-find

* Fri Sep 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-8
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
 - Don't store entries with a usercertificate in the LDAP cache
 - ipatests: Test that a user can be issued multiple certificates

* Fri Sep 10 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-7
- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
  - selinux policy: allow custodia to access /proc/cpuinfo
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
  - extdom: return LDAP_NO_SUCH_OBJECT if domains differ
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
  - subid: subid-match: display the owner's ID not DN
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
  - migrate-ds: workaround to detect compat tree

* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6
- Resolves: rhbz#1998098 - Backport latest test fixes in python3-ipatests
  - ipatests: Test unsecure nsupdate.
  - ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
  - ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
  - ipatests: test to renew certs on replica using ipa-cert-fix
  - ipatests: wait while http/ldap/pkinit cert get renew on replica
  - ipatests: refactor test_ipa_cert_fix with tasks
  - ipatests: use whole date for journalctl --since
* Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5
- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided 
  - ipa-getkeytab: add option to discover servers using DNS SRV
  - ipa-getkeytab: fix compiler warnings
  - ipatests: test ipa-getkeytab server option
- Resolves: rhbz#1986329 ipa-server install failure without DNS
  - Fix ldapupdate.get_sub_dict() for missing named user
- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg
  - freeipa.spec.in: remove python3-pexpect from Requires
- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests
  - ipatests: use whole date when calling journalctl --since
  - ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
  - ipatests: test_ipahealthcheck: print a message if a system is healthy
  - ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
  - webui tests: close notification when revoking cert
  - ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
  - webui tests: fix algo for finding available idrange
  - ipatests: smbclient "-k" => "--use-kerberos=desired"
  - test_acme: refactor with tasks
  - test_acme: make password renewal more robust
  - tasks.py: fix flake8-reported issues
  - ipatests: Test for OTP when the LDAP connection timed out.
  - ipatests: verify that getcert output includes the issued date
  - ipatests: Look for warning into stderr instead of stdout
  - ipatests: use krb5_trace in TestIpaAdTrustInstall
  - ipatests: Test ldapsearch with base scope works with compat tree.
  - ipatests: skip test_basesearch_compat_tree on fedora.
  - ipatests: Refactor test_check_otpd_after_idle_timeout

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.6-4.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688

* Fri Jul 23 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.6-4
- Use new method in check to prevent removal of last KRA (#1985072)
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL (#1982952)
- Fix index definition for memberOf (#1952028)

* Thu Jul 15 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-3
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"
- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA
- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage

* Fri Jul 9 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-2
- Resolves: rhbz#1955440 ipa installation fails to configure chrony
- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage
- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services

* Wed Jun 30 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-1
- Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version
- Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache
- Resolves: rhbz#1975139 Upgrade error: Add failure missing required attribute "objectclass"
- Resolves: rhbz#1973024 CA_less ipa-server-install fails if CA cert subject contains non ascii chars
- Resolves: rhbz#1966101 [RFE] - IDM - Allow specifying permanent logging settings for BIND
- Resolves: rhbz#1962570 IPA in c9s should not require redhat-logos-ipa as a runtime package 
- Resolves: rhbz#1957736 [RFE] IPA to allow configuring auto-private-groups at idrange level 

* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.3-2.1
- Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065

* Tue Apr 20 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.3-2
- RHEL 9 Beta mass rebuild. Resolves: rhbz#1951304

* Wed Mar 31 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.3-1
- Upstream release FreeIPA 4.9.3

* Fri Feb 26 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-4
- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609

* Tue Feb 23 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-3
- Only use python-platform on RHEL 8

* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-2
- Fix ipatests dependency to python3-pexpect

* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
- Upstream release FreeIPA 4.9.2

* Wed Jan 27 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.1-1
- Upstream release FreeIPA 4.9.1

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Wed Jan 20 2021 Rob Crittenden <rcritten@redhat.com> - 4.9.0-2
- Set client keytab location for 389ds (RHBZ#1918075)

* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-1
- FreeIPA 4.9.0 final release

* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.6.rc3
- Refactor DNSSEC paths creation code (upstream PR#5340)

* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.5.rc3
- FreeIPA 4.9.0 release candidate 3
- Enforce C.UTF-8 locale in systemd service units
- Fold up fixes from Rawhide and RHEL 8.4 testing

* Wed Dec  9 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.4.rc2
- Fix upgrade script for CA rule rewrites
- Fix permissions for /run/ipa/ccaches

* Fri Dec  4 22:17:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2
- Correct SELinux policy requirements

* Fri Dec  4 13:41:28 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.2.rc2
- FreeIPA 4.9.0 release candidate 2

* Thu Nov 19 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.1.rc1
- Use correct bind PKCS11 engine dependencies
- Fix SELinux build requirement
- Fix linting requirements

* Wed Nov 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.rc1
- FreeIPA 4.9.0 release candidate 1
- Synchronize spec file with upstream and RHEL

* Wed Oct 28 2020 Adam Williamson <awilliam@redhat.com> - 4.8.10-7
- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+

* Tue Oct 13 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-6
- Handle sshd_config upgrade properly
  Fixes: rhbz#1887928

* Tue Sep 29 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-5
- Properly handle upgrade case when systemd-resolved is enabled

* Mon Sep 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-4
- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf
- Add NetworkManager and systemd-resolved configuration files to backup

* Sun Sep 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-3
- Fix dependency between freeipa-selinux and freeipa-common
- Resolves: rhbz#1883005

* Sat Sep 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-2
- Support upgrade F32 -> F33 with systemd-resolved

* Sat Sep 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-1
- Upstream release FreeIPA 4.8.10

* Fri Aug 21 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.9-2
- Backport fix for detecting older installations on upgrade

* Thu Aug 20 2020 François Cami <fcami@redhat.com> - 4.8.9-1
- Upstream release FreeIPA 4.8.9

* Mon Aug 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-5
- Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32

* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.7-4
- Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Thu Jul 30 2020 Merlin Mathesius <mmathesi@redhat.com> - 4.8.7-3
- Conditional fixes for ELN to set krb5-kdb version appropriately

* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Wed Jun 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.7-1
- Upstream release FreeIPA 4.8.7

* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 4.8.6-2
- Rebuilt for Python 3.9

* Fri Mar 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.6-1
- Upstream release FreeIPA 4.8.6

* Sat Mar 21 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.5-2
- Roll up post-release fixes from upstream
- Move freeipa-selinux to be a dependency of freeipa-common

* Wed Mar 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.5-1
- Upstream release FreeIPA 4.8.5
- Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in
  SELinux external policy support

* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-8
- Support opendnssec 2.1
- Resolves: #1809492

* Mon Feb 17 2020 François Cami <fcami@redhat.com> - 4.8.4-7
- Fix audit_as_req() callback usage
- Resolves: #1803786

* Sat Feb 01 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-6
- Fix constraint delegation for krb5 1.18 update
- Resolves: #1797096

* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Tue Jan 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-4
- Rebuild against krb5 1.18 beta

* Sun Jan 26 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3
- Rebuild against Samba 4.12RC1

* Mon Dec 16 2019 Adam Williamson <awilliam@redhat.com> - 4.8.4-2
- Backport PR #4045 to fix overlapping DNS zone check bugs

* Sat Dec 14 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-1
- New upstream release 4.8.4

* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
- New upstream release 4.8.3
- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch

* Tue Nov 12 2019 Rob Crittenden <rcritten@redhat.com> - 4.8.2-1
- New upstream release 4.8.2
- Replace %%{_libdir} macro in BuildRequires (#1746882)
- Restore user-nsswitch.conf before calling authselect (#1746557)
- ipa service-find does not list cifs service created by
  ipa-client-samba (#1731433)
- Occasional 'whoami.data is undefined' error in FreeIPA web UI
  (#1699109)
- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)

* Sun Oct 20 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-5
- Don't create log files from helper scripts
- Fixes: rhbz#1754189

* Tue Oct 08 2019 Christian Heimes <cheimes@redhat.com> - 4.8.1-4
- Fix compatibility issue with preexec_fn in Python 3.8
- Fixes: rhbz#1759290

* Tue Oct  1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-3
- Fix ipasam for compatibility with Samba 4.11
- Fixes: rhbz#1757089

* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 4.8.1-2
- Rebuilt for Python 3.8

* Wed Aug 14 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-1
- New upstream release 4.8.1
- Fixes: rhbz#1732528
- Fixes: rhbz#1732524

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Wed Jul 03 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-1
- New upstream release 4.8.0
- New subpackage: freeipa-client-samba

* Sat May 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-6
- Upgrade: handle situation when trusts were configured but not established yet
  Fixed: rhbz#1708808

* Fri May  3 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-5
- Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17

* Fri May  3 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-4
- Rebuild to drop upper limit for Kerberos package
  After krb5-server will provide krb5-kdb-version, we'll switch to it

* Wed May  1 2019 Adam Williamson <awilliam@redhat.com> - 4.7.90.pre1-3
- Backport PR #3104 to fix a font path error

* Wed May  1 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-2
- Revert MINSSF defaults because realmd cannot join FreeIPA right now
  as it uses anonymous LDAP connection for the discovery and validation

* Mon Apr 29 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-1
- First release candidate for FreeIPA 4.8.0

* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-8
- Fixed: rhbz#1696963 (Failed to install replica)
  
* Sat Apr 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-7
- Support Samba 4.10
- Support 389-ds 1.4.1.2-2.fc30 or later

* Thu Feb 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-6
- Support new nfs-utils behavior (#1668836)
- ipa-client-automount now works without /etc/sysconfig/nfs

* Tue Feb 19 2019 François Cami <fcami@redhat.com> - 4.7.2-5
- Fix FTBS due to Samba having removed talloc_strackframe.h
  and memory.h (#1678670)
- Fix CA setup when fs.protected_regular=1 (#1677027)

* Mon Feb 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-4
- Disable python dependency generator in Rawhide as not all required packages support it yet
- Require python-kdcproxy 0.4.1 or later on Rawhide

* Fri Feb 8 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-3
- Fix compile issues after a mass rebuild using upstream patches

* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Dec 03 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.2-1
- Upstream release FreeIPA 4.7.2

* Wed Nov 28 2018 Adam Williamson <awilliam@redhat.com> - 4.7.1-4
- Update PR #2610 patch to tiran's modified version

* Tue Nov 27 2018 Adam Williamson <awilliam@redhat.com> - 4.7.1-3
- Backport PR #2610 to fix for authselect 1.0.2+ (see #1645708)

* Sun Nov 11 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.1-2
- Rebuild for krb5-1.17 (#1648673)
- Bump required SSSD version to 2.0.0-4 to get back pysss.getgrouplist() API

* Fri Oct  5 2018 Rob Crittenden <rcritten@redhat.com> - 4.7.1-1
- Update to upstream 4.7.1

* Tue Sep 25 2018 Christian Heimes <cheimes@redhat.com> - 4.7.0-5
- Remove Python 2 support from Fedora 30
- https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal

* Tue Sep  4 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-4
- Enable python2 client packages for f30 for now again

* Tue Sep  4 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-3
- Force generation of aclocal.m4 and configuration scripts
- Fix only client build for Fedora>=28 and RHEL>7
- Bring back special patch handling for Fedora

* Mon Sep  3 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-2
- Restore SELinux context of session_dir /etc/httpd/alias (pagure#7662)
- Restore SELinux context of template_dir /var/log/dirsrv/slapd-X (pagure#7662)
- Add "389-ds-base-legacy-tools" to requires
- Refactor os-release and platform information (#1609475)
- Don't check for systemd service (#1609475)
- Switched to upstream spec file with small adaptions

* Thu Jul 26 2018 Thomas Woerner <twoerner@redhat.com> - 4.7.0-1
- Update to upstream 4.7.0
- New BuildRequires for nodejs and uglify-js
- New Requires for 389-ds-base-legacy-tools in server (RHBZ#1606541)
- Do not build python2-ipaserver and python2-ipatests for Fedora 29 and up
- Do not build any python2 packages for Fedora 30
- Added ipatest man pages to python3-ipatests packages also
- Added ipatest bindir links to python3-ipatests for Fedora up to 28
- Dropped explicit copy of freeipa.template, install is doing this now
- Added upstream fix: (f3faecb) Fix $-style format string in ipa_ldap_init
- Added upstream fix: (4b592fe,1a7baa2) Added reason to raise of errors.NotFound

* Mon Jul 16 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre2-11
- Use version-aware macros for Python

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.90.pre2-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 4.6.90.pre2-9
- Rebuilt for Python 3.7

* Wed Jun 27 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-8
- Build UI using py3-lesscpy

* Tue Jun 19 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-7
- *-domainname.service moved to the hostname package in F29 (#1592355)

* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 4.6.90.pre2-6
- Rebuilt for Python 3.7

* Fri Jun 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-5
- Change BuildRequires from python-lesscpy to python3-lesscpy

* Fri Jun 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-4.1
- Rename service fedora-domainname.service to nis-domainname.service
  (#1588192)
- Fix bad date in changelog

* Wed May 16 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre2-3
- Fine tune packaging of server templates so that it doesn't include
  freeipa.template which always go to freeipa-client-common

* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-2
- Exclude /usr/share from client-only builds

* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-1
- Update to upstream 4.6.90.pre2

* Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-7
- Fix upgrade when named.conf does not exist
- Resolves rhbz#1573671
- Requires newer slapi-nis to avoid hitting rhbz#1573636

* Wed Mar 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-6.1
- Change upgrade code to use DIR-based ccache and no kinit (#1558818)
- Require pki-symkey until pki-core has proper dependencies

* Wed Mar 21 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-6
- Change upgrade code to use DIR-based ccache and no kinit (#1558818)

* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-5
- Apply upstream fix for #1558354
- Run upgrade under file-based ccache (#1558818)
- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617

* Tue Mar 20 2018 Adam Williamson <awilliam@redhat.com> - 4.6.90.pre1-4
- Fix upgrades harder (extension of -3 patch) (#1558354)

* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-3
- Fix upgrade from F27 to F28 (#1558354)

* Mon Mar 19 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-2
- Patch to fix GUI login for non-admin users (#1557609)

* Fri Mar 16 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre1-1
- Update to upstream 4.6.90.pre1

* Tue Feb 20 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-5
- Disable i686 server builds because 389-ds no longer provides
  builds on that arch. (#1544386)

* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.6.3-4
- Escape macros in %%changelog

* Thu Feb  8 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-3
- Don't fail on upgrades if KRA is not installed
- Remove Conflicts between mod_wsgi and python3-mod_wsgi

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Wed Jan 31 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-1
- Update to upstream 4.6.3

* Wed Jan 03 2018 Lumír Balhar <lbalhar@redhat.com> - 4.6.1-5
- Fix directory ownership in python3 subpackage

* Tue Oct 17 2017 Rob Crittenden <rcritten@redhat.com> - 4.6.1-4
- Update workaround patch to prevent SELinux execmem AVC (#1491508)

* Mon Oct 16 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.1-3
- Another attempt at fix for bug #1491053

* Fri Oct 06 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-2
- Rebuild against krb5-1.16

* Fri Sep 22 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-1
- Fixes #1491053  Firefox reports insecure TLS configuration when visiting
  FreeIPA web UI after standard server deployment

* Wed Sep 13 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-3
- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context
- Fixes #1491056 FreeIPA enrolment via kickstart fails

* Wed Sep 06 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-2
- Fixes #1488640 "unknown command 'undefined'" error when changing password in web UI
- BuildRequires diffstat (for the use in patch application)

* Mon Sep 04 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.0-1
- Rebase to upstream 4.6.0

* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Fri Jul 21 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.3-1
- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3

* Thu Jul 13 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.5.2-4
- Make sure tmpfiles.d snippet for replica is in place after install

* Mon Jul 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.5.2-3
- Fix build with Samba 4.7.0-RC1
- Increase java stack for rhino calls to get around crashes on ppc64-le

* Tue Jun 20 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.2-2
- Patch: Fix IP address checks
- Patch: python-netifaces fix

* Sun Jun 18 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.2-1
- Update to upstream 4.5.2 - see https://www.freeipa.org/page/Releases/4.5.2

* Thu May 25 2017 Tomas Krizek <tkrizek@redhat.com> - 4.5.1-1
- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1
- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes

* Tue May 23 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.4-2
- Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide
- Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2
- Fixes #1446744 python2-ipaclient subpackage does not own %%{python_sitelib}/ipaclient/plugins
- Fixes #1440525 surplus 'the' in output of `ipa-adtrust-install`
- Fixes #1411810 ipa-replica-install fails with 406 Client Error
- Fixes #1405814 ipa plugins: ERROR an internal error occured

* Fri Mar 24 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.4-1
- Update to upstream 4.4.4 - see https://www.freeipa.org/page/Releases/4.4.4
- Add upstream signature file for tarball

* Wed Mar  1 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-8
- Use different method to keep /usr/bin/ipa on Python 2
- Fixes #1426847

* Mon Feb 27 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-7
- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for
  ca-del, ca-disable and ca-enable commands

* Mon Feb 27 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.3-6
- Rebuild to pick up system-python dependency change
- Fixes #1426847 - Cannot upgrade freeipa-client on rawhide

* Wed Feb 15 2017 Tomas Krizek <tkrizek@redhat.com> - 4.4.3-5
- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11
- Fixes #1412739 - ipa-kdb: support DAL version 6.1

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Sat Jan 21 2017 Igor Gnatenko <ignatenko@redhat.com> - 4.4.3-3
- Rebuild for xmlrpc-c

* Thu Dec 22 2016 Miro Hrončok <mhroncok@redhat.com> - 4.4.3-2
- Rebuild for Python 3.6

* Fri Dec 16 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.3-1
- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3

* Wed Dec 14 2016 Pavel Vomacka <pvomacka@redhat.com> - 4.4.2-4
- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
  by abusing password policy

* Tue Nov 29 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-3
- Fixes 1389866  krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV

* Fri Oct 21 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-2
- Rebuild against krb5-1.15

* Thu Oct 13 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.2-1
- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2

* Thu Sep 01 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.4.1-1
- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1

* Fri Aug 19 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.2-2
- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does
  not happen to run during dnf upgrade
- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check
  in certificate revocation
- Fixes 1364338 - Freeipa cannot be build on fedora 25

* Fri Jul 22 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.2-1
- Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2

* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.3.1-2
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages

* Thu Mar 24 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.1-1
- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1

* Thu Feb 04 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-3
- Fix build with Samba 4.4
- Update SELinux requires to fix connection check during installation

* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Fri Dec 18 2015 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-1
- Update to upstream 4.3.0 - see http://www.freeipa.org/page/Releases/4.3.0

* Mon Dec 07 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-2
- Workarounds for SELinux execmem violations in cryptography

* Mon Nov 02 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.3-1
- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3
- fix #1274905

* Wed Oct 21 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.2-2
- Depend on samba-common-tools for the trust-ad subpackage after
  samba package split
- Rebuild against krb5 1.14 to fix bug #1273957

* Thu Oct 8 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.2-1
- Update to upstream 4.2.2 - see http://www.freeipa.org/page/Releases/4.2.2

* Mon Sep 7 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.1-1
- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.1.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue May 12 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-4
- Fix typo in the patch to fix bug #1219834

* Mon May 11 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-3
- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834)

* Mon Mar 30 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.4-2
- Replace mod_auth_kerb usage with mod_auth_gssapi

* Thu Mar 26 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.4-1
- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4
- fix CVE-2015-1827 (#1206047)
- Require slapi-nis 0.54.2 and newer for CVE-2015-0283 fixes

* Tue Mar 17 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-3
- Timeout ipa-client install if ntp server is unreachable #4842
- Skip time sync during client install when using --no-ntp #4842

* Wed Mar 04 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-2
- Add missing sssd python dependencies
- https://bugzilla.redhat.com/show_bug.cgi?id=1197218

* Wed Feb 18 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-1
- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3

* Mon Jan 19 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.2-2
- Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb
- Use python-dateutil15 until we validate python-dateutil 2.x

* Tue Nov 25 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.2-1
- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2
- fix CVE-2014-7850

* Thu Nov 20 2014 Simo Sorce <simo@redhat.com> - 4.1.1-2
- Patch blokers and feature freze exceptions
- Resolves: bz1165674
- Resolves: bz1165856 (CVE-2014-7850)
- Fixes DNS install issue that prevents the server from working

* Thu Nov 06 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.1-1
- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1
- fix CVE-2014-7828

* Wed Oct 22 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-2
- fix armv7hl stack oversize build failure
- fix https://fedorahosted.org/freeipa/ticket/4660

* Tue Oct 21 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-1
- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0

* Fri Sep 12 2014 Petr Viktorin <pviktori@redhat.com> - 4.0.3-1
- Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3

* Fri Sep 05 2014 Petr Viktorin <pviktori@redhat.com> - 4.0.2-1
- Update to upstream 4.0.1 - see http://www.freeipa.org/page/Releases/4.0.2

* Tue Sep 02 2014 Pádraig Brady <pbrady@redhat.com> - 4.0.1-3
- rebuild for libunistring soname bump

* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Fri Jul 25 2014 Martin Kosek <mkosek@redhat.com> 4.0.1-1
- Update to upstream 4.0.1

* Mon Jul 07 2014 Petr Viktorin <pviktori@redhat.com> 4.0.0-1
- Update to upstream 4.0.0
- Remove the server-strict package

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Wed May 21 2014 Petr Vobornik <pvoborni@redhat.com> 3.3.5-3
- Increase Java stack size for Web UI build on aarch64

* Wed Apr 16 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.3.5-2
- Add rhino as dependency to fix FTBFS

* Fri Mar 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.5-1
- Update to upstream 3.3.5

* Tue Feb 11 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-3
- Move ipa-otpd socket directory to /var/run/krb5kdc
- Require krb5-server 1.11.5-3 supporting the new directory
- ipa_lockout plugin did not work with users's without krbPwdPolicyReference

* Wed Jan 29 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-2
- Fix hardened build

* Tue Jan 28 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-1
- Update to upstream 3.3.4
- Install CA anchor into standard location (#928478)
- ipa-client-install part of ipa-server-install fails on reinstall (#1044994)
- Remove mod_ssl workaround (RHEL bug #1029046)
- Enable syncrepl plugin to support bind-dyndb-ldap 4.0

* Fri Jan 3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
- Build crashed with rhino exception on s390 architectures (#1040576)

* Thu Dec 12 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-4
- Build crashed with rhino exception on PPC architectures (#1040576)

* Tue Dec 3 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-3
- Fix -Werror=format-security errors (#1037070)

* Mon Nov 4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-2
- ipa-server-install crashed when freeipa-server-trust-ad subpackage was not
  installed

* Fri Nov 1 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-1
- Update to upstream 3.3.3

* Fri Oct 4 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
- Update to upstream 3.3.2

* Thu Aug 29 2013 Petr Viktorin <pviktori@redhat.com> - 3.3.1-1
- Bring back Fedora-only changes

* Thu Aug 29 2013 Petr Viktorin <pviktori@redhat.com> - 3.3.1-0
- Update to upstream 3.3.1

* Wed Aug 14 2013 Alexander Bokovoy <abokovoy@redhat.com> - 3.3.0-2
- Remove freeipa-systemd-upgrade as non-systemd installs are not supported
  anymore by Fedora project

* Wed Aug 7 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1
- Update to upstream 3.3.0

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Martin Kosek <mkosek@redhat.com> - 3.2.2-1
- Update to upstream 3.2.2
- Drop freeipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
  issues when there are still old parts of software (like entitlements plugin)

* Fri Jun  7 2013 Martin Kosek <mkosek@redhat.com> - 3.2.1-1
- Update to upstream 3.2.1

* Tue May 14 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-2
- Add OTP patches
- Add patch to set KRB5CCNAME for 389-ds-base

* Fri May 10 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-1
- Update to upstream 3.2.0 GA
- ipa-client-install fails if /etc/ipa does not exist (#961483)
- Certificate status is not visible in Service and Host page (#956718)
- ipa-client-install removes needed options from ldap.conf (#953991)
- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957)
- Add triggerin scriptlet to support OpenSSH 6.2 (#953617)
- Require nss 3.14.3-12.0 to address certutil certificate import
  errors (#953485)
- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6
  environments. (#953464)
- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453)
- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432)
- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
  socket based connections (#960222)
- Require libsss_nss_idmap-python
- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to
  member is now done automatically and having it in the config file raises
  an error.
- Add backup and restore tools, directory.
- require at least systemd 38 which provides the journal (we no longer
  need to require syslog.target)
- Update Requires on policycoreutils to 2.1.14-37
- Update Requires on selinux-policy to 3.12.1-42
- Update Requires on 389-ds-base to 1.3.1.0
- Remove a Requires for java-atk-wrapper

* Tue Apr 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.4.beta1
- Remove release from krb5-server in strict sub-package to allow for rebuilds.

* Mon Apr 22 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.3.beta1
- Add a Requires for java-atk-wrapper until we can determine which package
  should be pulling it in, dogtag or tomcat.

* Tue Apr 16 2013 Rob Crittenden <rcritten@redhat.com> - 3.2.0-0.2.beta1
- Update to upstream 3.2.0 Beta 1

* Tue Apr  2 2013 Martin Kosek <mkosek@redhat.com> - 3.2.0-0.1.pre1
- Update to upstream 3.2.0 Prerelease 1
- Use upstream reference spec file as a base for Fedora spec file

* Sat Mar 30 2013 Kevin Fenzi <kevin@scrye.com> 3.1.2-4
- Rebuild for broken deps
- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1

* Sat Feb 23 2013 Kevin Fenzi <kevin@scrye.com> - 3.1.2-3
- Rebuild for broken deps in rawhide
- Fix 389-ds-base strict dep to be 1.3.0.3

* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Jan 23 2013 Rob Crittenden <rcritten@redhat.com> - 3.1.2-1
- Update to upstream 3.1.2
- CVE-2012-4546: Incorrect CRLs publishing
- CVE-2012-5484: MITM Attack during Join process
- CVE-2013-0199: Cross-Realm Trust key leak
- Updated strict dependencies to 389-ds-base = 1.3.0.2 and
  pki-ca = 10.0.1

* Thu Dec 20 2012 Martin Kosek <mkosek@redhat.com> - 3.1.0-2
- Remove redundat Requires versions that are already in Fedora 17
- Replace python-crypto Requires with m2crypto
- Add missing Requires(post) for client and server-trust-ad subpackages
- Restart httpd service when server-trust-ad subpackage is installed
- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes

* Mon Dec 10 2012 Rob Crittenden <rcritten@redhat.com> - 3.1.0-1
- Updated to upstream 3.1.0 GA
- Set minimum for sssd to 1.9.2
- Set minimum for pki-ca to 10.0.0-1
- Set minimum for 389-ds-base to 1.3.0
- Set minimum for selinux-policy to 3.11.1-60
- Remove unneeded dogtag package requires

* Tue Oct 23 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-3
- Update Requires on krb5-server to 1.11

* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-2
- Configure CA replication to use TLS instead of SSL

* Fri Oct 12 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-1
- Updated to upstream 3.0.0 GA
- Set minimum for samba to 4.0.0-153.
- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so
  plugin to /dev/null since they cannot be used when trusts are configured
- Restrict krb5-server to 1.10.
- Update BR for 389-ds-base to 1.3.0
- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
- Add Requires on zip for generating FF browser extension

* Fri Oct  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.10
- Updated to upstream 3.0.0 rc 2
- Include new FF configuration extension
- Set minimum Requires of selinux-policy to 3.11.1-33
- Set minimum Requires dogtag to 10.0.0-0.43.b1
- Add new optional strict sub-package to allow users to limit other
  package upgrades.

* Tue Oct  2 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.9
- Require samba packages instead of obsoleted samba4 packages

* Fri Sep 21 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.8
- Updated to upstream 3.0.0 rc 1
- Update BR for 389-ds-base to 1.2.11.14
- Update BR for krb5 to 1.10
- Update BR for samba4-devel to 4.0.0-139 (rc1)
- Add BR for python-polib
- Update BR and Requires on sssd to 1.9.0
- Update Requires on policycoreutils to 2.1.12-5
- Update Requires on 389-ds-base to 1.2.11.14
- Update Requires on selinux-policy to 3.11.1-21
- Update Requires on dogtag to 10.0.0-0.33.a1
- Update Requires on certmonger to 0.60
- Update Requires on tomcat to 7.0.29
- Update minimum version of bind to 9.9.1-10.P3
- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1
- Remove Requires on authconfig from python sub-package

* Wed Sep  5 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.7
- Rebuild against samba4 beta8

* Fri Aug 31 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.6
- Rebuild against samba4 beta7

* Wed Aug 22 2012 Alexander Bokovoy <abokovoy@redhat.com> - 3.0.0-0.5
- Adopt to samba4 beta6 (libsecurity -> libsamba-security)
- Add dependency to samba4-winbind

* Fri Aug 17 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.4
- Updated to upstream 3.0.0 beta 2

* Mon Aug  6 2012 Martin Kosek <mkosek@redhat.com> - 3.0.0-0.3
- Updated to current upstream state of 3.0.0 beta 2 development

* Mon Jul 23 2012 Alexander Bokovoy <abokovy@redhat.com> - 3.0.0-0.2
- Rebuild against samba4 beta4

* Mon Jul  2 2012 Rob Crittenden <rcritten@redhat.com> - 3.0.0-0.1
- Updated to upstream 3.0.0 beta 1

* Thu May  3 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-1
- Updated to upstream 2.2.0 GA
- Update minimum n-v-r of certmonger to 0.53
- Update minimum n-v-r of slapi-nis to 0.40
- Add Requires in client to oddjob-mkhomedir and python-krbV
- Update minimum selinux-policy to 3.10.0-110

* Mon Mar 19 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.2
- Update to upstream 2.2.0 beta 1 (2.1.90.rc1)
- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18.
- Add Conflicts on mod_ssl
- Update minimum n-v-r of 389-ds-base to 1.2.10.4
- Update minimum n-v-r of sssd to 1.8.0
- Update minimum n-v-r of slapi-nis to 0.38
- Update minimum n-v-r of pki-* to 9.0.18
- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1
- Update conflicts on bind to < 9.9.0-1
- Drop requires on krb5-server-ldap
- Add patch to remove escaping arguments to pkisilent

* Mon Feb 06 2012 Rob Crittenden <rcritten@redhat.com> - 2.1.90-0.1
- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1)

* Wed Feb 01 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-5
- Force to use 389-ds 1.2.10-0.8.a7 or above
- Improve upgrade script to handle systemd 389-ds change
- Fix freeipa to work with python-ldap 2.4.6

* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
- Fix ipa-replica-install crashes
- Fix ipa-server-install and ipa-dns-install logging
- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
  caused by FEDORA-2011-17400 update (#771357)

* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
- Allow Web-based migration to work with tightened SE Linux policy (#769440)
- Rebuild slapi plugins against re-enterant version of libldap

* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
- Allow longer dirsrv startup with systemd:
  - IPAdmin class will wait until dirsrv instance is available up to 10 seconds
  - Helps with restarts during upgrade for ipa-ldap-updater
- Fix pylint warnings from F16 and Rawhide

* Tue Dec  6 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.4-1
- Update to upstream 2.1.4 (CVE-2011-3636)

* Mon Dec  5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
- Update SELinux policy to allow ipa_kpasswd to connect ldap and
  read /dev/urandom. (#759679)

* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
- Fix wrong path in packaging freeipa-systemd-upgrade

* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-6
- Introduce upgrade script to recover existing configuration after systemd migration
  as user has no means to recover FreeIPA from systemd migration
- Upgrade script:
  - recovers symlinks in Dogtag instance install
  - recovers systemd configuration for FreeIPA's directory server instances
  - recovers freeipa.service
  - migrates directory server and KDC configs to use proper keytabs for systemd services

* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
- Rebuilt for glibc bug#747377

* Wed Oct 19 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-4
- clean up spec
- Depend on sssd >= 1.6.2 for better user experience

* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-3
- Fix Fedora package changelog after merging systemd changes

* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-2
- Fix postin scriplet for F-15/F-16

* Tue Oct 18 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-1
- 2.1.3

* Mon Oct 17 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.2-1
- Default to systemd for Fedora 16 and onwards

* Tue Aug 16 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.0-1
- Update to upstream 2.1.0

* Fri May  6 2011 Simo Sorce <ssorce@redhat.com> - 2.0.1-2
- Fix bug #702633

* Mon May  2 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.1-1
- Update minimum selinux-policy to 3.9.16-18
- Update minimum pki-ca and pki-selinux to 9.0.7
- Update minimum 389-ds-base to 1.2.8.0-1
- Update to upstream 2.0.1

* Thu Mar 24 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-1
- Update to upstream GA release
- Automatically apply updates when the package is upgraded

* Fri Feb 25 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.4.rc2
- Update to upstream freeipa-2.0.0.rc2
- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in
- Set minimum version of sssd to 1.5.1
- Patch to include SuiteSpotGroup when setting up 389-ds instances
- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled

* Tue Feb 15 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.3.rc1
- Set the N-V-R so rc1 is an update to beta2.

* Mon Feb 14 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.rc1
- Set minimum version of sssd to 1.5.1
- Update to upstream freeipa-2.0.0.rc1
- Move server-only binaries from admintools subpackage to server

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0-0.2.beta2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Thu Feb  3 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta2
- Set min version of 389-ds-base to 1.2.8
- Set min version of mod_nss 1.0.8-10
- Set min version of selinux-policy to 3.9.7-27
- Add dogtag themes to Requires
- Update to upstream freeipa-2.0.0.pre2

* Thu Jan 27 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.2.beta.git80e87e7
- Remove unnecessary moving of v1 CA serial number file in post script
- Add Obsoletes for server-selinxu subpackage
- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da

* Wed Jan 26 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.0-0.1.beta.git80e87e7
- Prepare spec file for release
- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503

* Tue Jan 25 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-41
- Re-arrange doc and defattr to clean up rpmlint warnings
- Remove conditionals on older releases
- Move some man pages into admintools subpackage
- Remove some explicit Requires in client that aren't needed
- Consistent use of buildroot vs RPM_BUILD_ROOT

* Wed Jan 19 2011 Adam Young <ayoung@redhat.com> - 1.99-40
- Moved directory install/static to install/ui

* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-39
- Remove dependency on nss_ldap/nss-pam-ldapd
- The official client is sssd and that's what we use by default.

* Thu Jan 13 2011 Simo Sorce <ssorce@redhat.com> - 1.99-38
- Remove radius subpackages

* Thu Jan 13 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-37
- Set minimum pki-ca and pki-silent versions to 9.0.0

* Wed Jan 12 2011 Rob Crittenden <rcritten@redhat.com> - 1.99-36
- Drop BuildRequires on mozldap-devel

* Mon Dec 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-35
- Add Requires on krb5-pkinit-openssl

* Fri Dec 10 2010 Jr Aquino <jr.aquino@citrix.com> - 1.99-34
- Add ipa-host-net-manage script

* Tue Dec  7 2010 Simo Sorce <ssorce@redhat.com> - 1.99-33
- Add ipa init script

* Fri Nov 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-32
- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin

* Wed Nov  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-31
- remove ipa-fix-CVE-2008-3274

* Wed Oct  6 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-30
- Remove duplicate %%files entries on share/ipa/static
- Add python default encoding shared library

* Mon Sep 20 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-29
- Drop requires on python-configobj (not used any more)
- Drop ipa-ldap-updater message, upgrades are done differently now

* Wed Sep  8 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-28
- Drop conflicts on mod_nss
- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847)
- Drop a slew of conditionals on older Fedora releases (< 12)
- Add a few conditionals against RHEL 6
- Add Requires of nss-tools on ipa-client

* Fri Aug 13 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-27
- Set minimum version of certmonger to 0.26 (to pck up #621670)
- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm)
- Set minimum version of pki-ca to 1.3.6
- Set minimum version of sssd to 1.2.1

* Tue Aug 10 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-26
- Add BuildRequires for authconfig

* Mon Jul 19 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-25
- Bump up minimum version of python-nss to pick up nss_is_initialize() API

* Thu Jun 24 2010 Adam Young <ayoung@redhat.com> - 1.99-24
- Removed python-asset based webui

* Thu Jun 24 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-23
- Change Requires from fedora-ds-base to 389-ds-base
- Set minimum level of 389-ds-base to 1.2.6 for the replication
  version plugin.

* Tue Jun  1 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-22
- Drop Requires of python-krbV on ipa-client

* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
- Load ipa_dogtag.pp in post install

* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.

* Thu Mar  4 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-19
- No need to create /var/log/ipa_error.log since we aren't using
  TurboGears any more.

* Mon Mar 1 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-18
- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included

* Wed Feb 24 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-17
- Added Require mod_wsgi, added share/ipa/wsgi.py

* Thu Feb 11 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-16
- Require python-wehjit >= 0.2.2

* Wed Feb  3 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-15
- Add sssd and certmonger as a Requires on ipa-client

* Wed Jan 27 2010 Jason Gerard DeRose <jderose@redhat.com> - 1.99-14
- Require python-wehjit >= 0.2.0

* Fri Dec  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-13
- Add ipa-rmkeytab tool

* Tue Dec  1 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-12
- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1
  Any type

* Wed Nov 25 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-11
- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf

* Fri Nov 13 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-10
- Add bash completion script and own /etc/bash_completion.d in case it
  doesn't already exist

* Tue Nov  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
- Remove ipa_webgui, its functions rolled into ipa_httpd

* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
- Removed python-cherrypy from BuildRequires and Requires
- Added Requires python-assets, python-wehjit

* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
- Added httpd SELinux policy so CRLs can be read

* Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
- Move ipalib to ipa-python subpackage
- Bump minimum version of slapi-nis to 0.15

* Wed May  6 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-5
- Set 0.14 as minimum version for slapi-nis

* Wed Apr 22 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-4
- Add Requires: python-nss to ipa-python sub-package

* Thu Mar  5 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-3
- Remove the IPA DNA plugin, use the DS one

* Wed Mar  4 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-2
- Build radius separately
- Fix a few minor issues

* Tue Feb  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-1
- Replace TurboGears requirement with python-cherrypy

* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.1-3
- rebuild with new openssl

* Fri Dec 19 2008 Dan Walsh <dwalsh@redhat.com> - 1.2.1-2
- Fix SELinux code

* Mon Dec 15 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-1
- Fix breakage caused by python-kerberos update to 1.1

* Fri Dec 5 2008 Simo Sorce <ssorce@redhat.com> - 1.2.1-0
- New upstream release 1.2.1

* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 1.2.0-4
- Rebuild for Python 2.6

* Fri Nov 14 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-3
- Respin after the tarball has been re-released upstream
  New hash is 506c9c92dcaf9f227cba5030e999f177

* Thu Nov 13 2008 Simo Sorce <ssorce@redhat.com> - 1.2.0-2
- Conditionally restart also dirsrv and httpd when upgrading

* Wed Oct 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.2.0-1
- Update to upstream version 1.2.0
- Set fedora-ds-base minimum version to 1.1.3 for winsync header
- Set the minimum version for SELinux policy
- Remove references to Fedora 7

* Wed Jul 23 2008 Simo Sorce <ssorce@redhat.com> - 1.1.0-3
- Fix for CVE-2008-3274
- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface
- Add fix for bug #453185
- Rebuild against openldap libraries, mozldap ones do not work properly
- TurboGears is currently broken in rawhide. Added patch to not build
  the UI locales and removed them from the ipa-server files section.

* Wed Jun 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-2
- Add call to /usr/sbin/upgradeconfig to post install

* Wed Jun 11 2008 Rob Crittenden <rcritten@redhat.com> - 1.1.0-1
- Update to upstream version 1.1.0
- Patch for indexing memberof attribute
- Patch for indexing uidnumber and gidnumber
- Patch to change DNA default values for replicas
- Patch to fix uninitialized variable in ipa-getkeytab

* Fri May 16 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-5
- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum
  version to 1.0.7-4 so we pick up the NSS fixes.
- Add selinux-policy-base(post) to Requires (446496)

* Tue Apr 29 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-4
- Add missing entry for /var/cache/ipa/kpasswd (444624)
- Added patch to fix permissions problems with the Apache NSS database.
- Added patch to fix problem with DNS querying where the query could be
  returned as the answer.
- Fix spec error where patch1 was in the wrong section

* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-3
- Added patch to fix problem reported by ldapmodify

* Fri Apr 25 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-2
- Fix Requires for krb5-server that was missing for Fedora versions > 9
- Remove quotes around test for fedora version to package egg-info

* Fri Apr 18 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
- Update to upstream version 1.0.0

* Tue Mar 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-12
- Pull upstream changelog 722
- Add Conflicts mod_ssl (435360)

* Fri Feb 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-11
- Pull upstream changelog 698
- Fix ownership of /var/log/ipa_error.log during install (435119)
- Add pwpolicy command and man page

* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-10
- Pull upstream changelog 678
- Add new subpackage, ipa-server-selinux
- Add Requires: authconfig to ipa-python (bz #433747)
- Package i18n files

* Mon Feb 18 2008 Rob Crittenden <rcritten@redhat.com> 0.99-9
- Pull upstream changelog 641
- Require minimum version of krb5-server on F-7 and F-8
- Package some new files

* Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> 0.99-8
- Marked with wrong license. IPA is GPLv2.

* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-7
- Ensure that /etc/ipa exists before moving user-modifiable html files there
- Put html files into /etc/ipa/html instead of /etc/ipa

* Tue Jan 29 2008 Rob Crittenden <rcritten@redhat.com> 0.99-6
- Pull upstream changelog 608 which renamed several files

* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-5
- package the sessions dir /var/cache/ipa/sessions
- Pull upstream changelog 597

* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-4
- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the
  UI to not start.

* Thu Jan 24 2008 Rob Crittenden <rcritten@redhat.com> 0.99-3
- Included LICENSE and README in all packages for documentation
- Move user-modifiable content to /etc/ipa and linked back to
  /usr/share/ipa/html
- Changed some references to /usr to the {_usr} macro and /etc
  to {_sysconfdir}
- Added popt-devel to BuildRequires for Fedora 8 and higher and
  popt for Fedora 7
- Package the egg-info for Fedora 9 and higher for ipa-python

* Tue Jan 22 2008 Rob Crittenden <rcritten@redhat.com> 0.99-2
- Added auto* BuildRequires

* Mon Jan 21 2008 Rob Crittenden <rcritten@redhat.com> 0.99-1
- Unified spec file

* Thu Jan 17 2008 Rob Crittenden <rcritten@redhat.com> - 0.6.0-2
- Fixed License in specfile
- Include files from /usr/lib/python*/site-packages/ipaserver

* Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
- Version bump for release

* Wed Nov 21 2007 Karl MacMillan <kmacmill@mentalrootkit.com> - 0.5.0-1
- Preverse mode on ipa-keytab-util
- Version bump for relase and rpm name change

* Thu Nov 15 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.1-2
- Broke invididual Requires and BuildRequires onto separate lines and
  reordered them
- Added python-tgexpandingformwidget as a dependency
- Require at least fedora-ds-base 1.1

* Thu Nov  1 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.1-1
- Version bump for release

* Wed Oct 31 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-6
- Add dep for freeipa-admintools and acl

* Wed Oct 24 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-5
- Add dependency for python-krbV

* Fri Oct 19 2007 Rob Crittenden <rcritten@redhat.com> - 0.4.0-4
- Require mod_nss-1.0.7-2 for mod_proxy fixes

* Thu Oct 18 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-3
- Convert to autotools-based build

* Tue Sep 25 2007 Karl MacMillan <kmacmill@redhat.com> - 0.4.0-2

* Fri Sep 7 2007 Karl MacMillan <kmacmill@redhat.com> - 0.3.0-1
- Added support for libipa-dna-plugin

* Fri Aug 10 2007 Karl MacMillan <kmacmill@redhat.com> - 0.2.0-1
- Added support for ipa_kpasswd and ipa_pwd_extop

* Sun Aug  5 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-3
- Abstracted client class to work directly or over RPC

* Wed Aug  1 2007 Rob Crittenden <rcritten@redhat.com> - 0.1.0-2
- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
- Remove references to admin server in ipa-server-setupssl
- Generate a client certificate for the XML-RPC server to connect to LDAP with
- Create a keytab for Apache
- Create an ldif with a test user
- Provide a certmap.conf for doing SSL client authentication

* Fri Jul 27 2007 Karl MacMillan <kmacmill@redhat.com> - 0.1.0-1
- Initial rpm version