diff --git a/SOURCES/0046-Find-orphan-automember-rules.patch b/SOURCES/0046-Find-orphan-automember-rules.patch
new file mode 100644
index 0000000..66d5136
--- /dev/null
+++ b/SOURCES/0046-Find-orphan-automember-rules.patch
@@ -0,0 +1,214 @@
+From b78abe934c6c0038f74dd9e52309f61854d86469 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Mon, 1 Oct 2018 11:58:26 +0100
+Subject: [PATCH] Find orphan automember rules
+
+If groups or hostgroups have been removed after automember rules have been
+created using them, then automember-rebuild, automember-add, host-add and
+more commands could fail.
+
+A new command has been added to the ipa tool:
+
+  ipa automember-find-orphans --type={hostgroup,group} [--remove]
+
+This command retuns the list of orphan automember rules in the same way as
+automember-find. With the --remove option the orphan rules are also removed.
+
+The IPA API version has been increased and a test case has been added.
+
+Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>
+
+See: https://pagure.io/freeipa/issue/6476
+Signed-off-by: Thomas Woerner <twoerner@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ API.txt                                       | 15 +++++
+ VERSION.m4                                    |  4 +-
+ ipaserver/plugins/automember.py               | 60 +++++++++++++++++++
+ .../test_xmlrpc/test_automember_plugin.py     | 48 +++++++++++++++
+ 4 files changed, 125 insertions(+), 2 deletions(-)
+
+diff --git a/API.txt b/API.txt
+index 0e09e58a6ecaa4f724fb0c92b4faaf64df9fab5a..b9dc35fb5752ce04f58aa8c4c3e89c7299f34cd7 100644
+--- a/API.txt
++++ b/API.txt
+@@ -186,6 +186,20 @@ output: Output('count', type=[<type 'int'>])
+ output: ListOfEntries('result')
+ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+ output: Output('truncated', type=[<type 'bool'>])
++command: automember_find_orphans/1
++args: 1,7,4
++arg: Str('criteria?')
++option: Flag('all', autofill=True, cli_name='all', default=False)
++option: Str('description?', autofill=False, cli_name='desc')
++option: Flag('pkey_only?', autofill=True, default=False)
++option: Flag('raw', autofill=True, cli_name='raw', default=False)
++option: Flag('remove?', autofill=True, default=False)
++option: StrEnum('type', values=[u'group', u'hostgroup'])
++option: Str('version?')
++output: Output('count', type=[<type 'int'>])
++output: ListOfEntries('result')
++output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
++output: Output('truncated', type=[<type 'bool'>])
+ command: automember_mod/1
+ args: 1,9,3
+ arg: Str('cn', cli_name='automember_rule')
+@@ -6498,6 +6512,7 @@ default: automember_default_group_set/1
+ default: automember_default_group_show/1
+ default: automember_del/1
+ default: automember_find/1
++default: automember_find_orphans/1
+ default: automember_mod/1
+ default: automember_rebuild/1
+ default: automember_remove_condition/1
+diff --git a/VERSION.m4 b/VERSION.m4
+index 81e671ed60f2ada0766b06db879c706cf7c4c77a..7ebf3410c8a688577f1fabc37d65b128e47418a6 100644
+--- a/VERSION.m4
++++ b/VERSION.m4
+@@ -82,8 +82,8 @@ define(IPA_DATA_VERSION, 20100614120000)
+ #                                                      #
+ ########################################################
+ define(IPA_API_VERSION_MAJOR, 2)
+-define(IPA_API_VERSION_MINOR, 229)
+-# Last change: Added the Certificate parameter
++define(IPA_API_VERSION_MINOR, 230)
++# Last change: Added `automember-find-orphans' command
+ 
+ 
+ ########################################################
+diff --git a/ipaserver/plugins/automember.py b/ipaserver/plugins/automember.py
+index 1e29f365784695c2cf1947f62351d99d7da0515d..3f48769f588f8db03caf65e7bc1206047796f63e 100644
+--- a/ipaserver/plugins/automember.py
++++ b/ipaserver/plugins/automember.py
+@@ -116,6 +116,11 @@ EXAMPLES:
+ """) + _("""
+  Find all of the automember rules:
+     ipa automember-find
++""") + _("""
++ Find all of the orphan automember rules:
++    ipa automember-find-orphans --type=hostgroup
++ Find all of the orphan automember rules and remove them:
++    ipa automember-find-orphans --type=hostgroup --remove
+ """) + _("""
+  Display a automember rule:
+     ipa automember-show --type=hostgroup webservers
+@@ -820,3 +825,58 @@ class automember_rebuild(Method):
+             result=result,
+             summary=unicode(summary),
+             value=pkey_to_value(None, options))
++
++
++@register()
++class automember_find_orphans(LDAPSearch):
++    __doc__ = _("""
++    Search for orphan automember rules. The command might need to be run as
++    a privileged user user to get all orphan rules.
++    """)
++    takes_options = group_type + (
++        Flag(
++            'remove?',
++            doc=_("Remove orphan automember rules"),
++        ),
++    )
++
++    msg_summary = ngettext(
++        '%(count)d rules matched', '%(count)d rules matched', 0
++    )
++
++    def execute(self, *keys, **options):
++        results = super(automember_find_orphans, self).execute(*keys,
++                                                               **options)
++
++        remove_option = options.get('remove')
++        pkey_only = options.get('pkey_only', False)
++        ldap = self.obj.backend
++        orphans = []
++        for entry in results["result"]:
++            am_dn_entry = entry['automembertargetgroup'][0]
++            # Make DN for --raw option
++            if not isinstance(am_dn_entry, DN):
++                am_dn_entry = DN(am_dn_entry)
++            try:
++                ldap.get_entry(am_dn_entry)
++            except errors.NotFound:
++                if pkey_only:
++                    # For pkey_only remove automembertargetgroup
++                    del(entry['automembertargetgroup'])
++                orphans.append(entry)
++                if remove_option:
++                    ldap.delete_entry(entry['dn'])
++
++        results["result"][:] = orphans
++        results["count"] = len(orphans)
++        return results
++
++    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args,
++                     **options):
++        assert isinstance(base_dn, DN)
++        scope = ldap.SCOPE_SUBTREE
++        ndn = DN(('cn', options['type']), base_dn)
++        if options.get('pkey_only', False):
++            # For pkey_only add automembertargetgroup
++            attrs_list.append('automembertargetgroup')
++        return filters, ndn, scope
+diff --git a/ipatests/test_xmlrpc/test_automember_plugin.py b/ipatests/test_xmlrpc/test_automember_plugin.py
+index ffbc91104ab504a98099babb024f9edab114ac5b..c83e11ac9410ce07a431f818bda79a34fcc3b180 100644
+--- a/ipatests/test_xmlrpc/test_automember_plugin.py
++++ b/ipatests/test_xmlrpc/test_automember_plugin.py
+@@ -715,3 +715,51 @@ class TestMultipleAutomemberConditions(XMLRPC_test):
+ 
+         defaultgroup1.ensure_missing()
+         defaulthostgroup1.ensure_missing()
++
++
++@pytest.mark.tier1
++class TestAutomemberFindOrphans(XMLRPC_test):
++    def test_create_deps_for_find_orphans(self, hostgroup1, host1,
++                                          automember_hostgroup):
++        """ Create host, hostgroup, and automember tracker for this class
++        of tests. """
++
++        # Create hostgroup1 and automember rule with condition
++        hostgroup1.ensure_exists()
++        host1.ensure_exists()
++
++        # Manually create automember rule and condition, racker will try to
++        # remove the automember rule in the end, which is failing as the rule
++        # is already removed
++        api.Command['automember_add'](hostgroup1.cn, type=u'hostgroup')
++        api.Command['automember_add_condition'](
++            hostgroup1.cn,
++            key=u'fqdn', type=u'hostgroup',
++            automemberinclusiveregex=[hostgroup_include_regex]
++        )
++
++        hostgroup1.retrieve()
++
++    def test_find_orphan_automember_rules(self, hostgroup1):
++        """ Remove hostgroup1, find and remove obsolete automember rules. """
++        # Remove hostgroup1
++
++        hostgroup1.ensure_missing()
++
++        # Find obsolete automember rules
++        result = api.Command['automember_find_orphans'](type=u'hostgroup')
++        assert result['count'] == 1
++
++        # Find and remove obsolete automember rules
++        result = api.Command['automember_find_orphans'](type=u'hostgroup',
++                                                        remove=True)
++        assert result['count'] == 1
++
++        # Find obsolete automember rules
++        result = api.Command['automember_find_orphans'](type=u'hostgroup')
++        assert result['count'] == 0
++
++        # Final cleanup of automember rule if it still exists
++        with raises_exact(errors.NotFound(
++                reason=u'%s: Automember rule not found' % hostgroup1.cn)):
++            api.Command['automember_del'](hostgroup1.cn, type=u'hostgroup')
+-- 
+2.17.2
+
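Review bot: In `automember_find_orphans.execute`, a rule is classed as orphan solely because `ldap.get_entry(am_dn_entry)` raised `errors.NotFound` under the caller's own bind, and with `--remove` that result goes straight to `ldap.delete_entry(entry['dn'])`. If the directory reports a target group the caller cannot read as not found, a rule whose group still exists would be deleted; this patch does not show how the backend behaves, but the docstring's remark about needing a privileged user suggests results vary with access rights. I would record that above the `try`, e.g. `# NotFound is evaluated with the caller's rights; only a truly absent target group may lead to delete_entry`. A failing `delete_entry` also aborts the loop after earlier rules were already removed, so the caller gets no list of what was deleted.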
diff --git a/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch b/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch
new file mode 100644
index 0000000..ba6a17b
--- /dev/null
+++ b/SOURCES/0047-Add-a-shared-vault-retrieve-test.patch
@@ -0,0 +1,113 @@
+From 107e20a158c867a52eadb0d65982ce2f7f3ce699 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Tue, 20 Nov 2018 17:05:30 +0100
+Subject: [PATCH] Add a shared-vault-retrieve test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add a shared-vault-retrieve test when:
+* master has KRA installed
+* replica has no KRA
+This currently fails because of issue#7691
+
+Related-to: https://pagure.io/freeipa/issue/7691
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipatests/test_integration/test_vault.py | 65 ++++++++++++++++++++++++-
+ 1 file changed, 64 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
+index 496ccb1bbdd06407e9b356ac210f639436312a22..c3465799ff933ae175684ade83b4bf276b921a96 100644
+--- a/ipatests/test_integration/test_vault.py
++++ b/ipatests/test_integration/test_vault.py
+@@ -20,14 +20,17 @@ class TestInstallKRA(IntegrationTest):
+ 
+     vault_password = "password"
+     vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
++    vault_user = "vault_user"
++    vault_user_password = "vault_user_password"
+     vault_name_master = "ci_test_vault_master"
+     vault_name_master2 = "ci_test_vault_master2"
+     vault_name_master3 = "ci_test_vault_master3"
+     vault_name_replica_without_KRA = "ci_test_vault_replica_without_kra"
++    shared_vault_name_replica_without_KRA = ("ci_test_shared"
++                                             "_vault_replica_without_kra")
+     vault_name_replica_with_KRA = "ci_test_vault_replica_with_kra"
+     vault_name_replica_KRA_uninstalled = "ci_test_vault_replica_KRA_uninstalled"
+ 
+-
+     @classmethod
+     def install(cls, mh):
+         tasks.install_master(cls.master, setup_kra=True)
+@@ -89,6 +92,66 @@ class TestInstallKRA(IntegrationTest):
+ 
+         self._retrieve_secret([self.vault_name_replica_without_KRA])
+ 
++    def test_create_and_retrieve_shared_vault_replica_without_kra(self):
++        # create vault
++        self.replicas[0].run_command([
++            "ipa", "vault-add",
++            self.shared_vault_name_replica_without_KRA,
++            "--shared",
++            "--type", "standard",
++        ])
++
++        # archive secret
++        self.replicas[0].run_command([
++            "ipa", "vault-archive",
++            self.shared_vault_name_replica_without_KRA,
++            "--shared",
++            "--data", self.vault_data,
++        ])
++        time.sleep(WAIT_AFTER_ARCHIVE)
++
++        # add non-admin user
++        self.replicas[0].run_command([
++            'ipa', 'user-add', self.vault_user,
++            '--first', self.vault_user,
++            '--last', self.vault_user,
++            '--password'],
++            stdin_text=self.vault_user_password)
++
++        # add it to vault
++        self.replicas[0].run_command([
++            "ipa", "vault-add-member",
++            self.shared_vault_name_replica_without_KRA,
++            "--shared",
++            "--users", self.vault_user,
++        ])
++
++        self.replicas[0].run_command([
++            'kdestroy', '-A'])
++
++        user_kinit = "%s\n%s\n%s\n" % (self.vault_user_password,
++                                       self.vault_user_password,
++                                       self.vault_user_password)
++
++        self.replicas[0].run_command([
++            'kinit', self.vault_user],
++            stdin_text=user_kinit)
++
++        # TODO: possibly refactor with:
++        # self._retrieve_secret([self.vault_name_replica_without_KRA])
++
++        self.replicas[0].run_command([
++            "ipa", "vault-retrieve",
++            "--shared",
++            self.shared_vault_name_replica_without_KRA,
++            "--out=test.txt"])
++
++        self.replicas[0].run_command([
++            'kdestroy', '-A'])
++
++        tasks.kinit_admin(self.replicas[0])
++
++
+     def test_create_and_retrieve_vault_replica_with_kra(self):
+ 
+         # install KRA on replica
+-- 
+2.17.2
+
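Review bot: In `test_create_and_retrieve_shared_vault_replica_without_kra`, the credential switch is not undone when a step fails. Between `kinit` as `vault_user` and the final `tasks.kinit_admin(self.replicas[0])`, a failing `run_command` (the commit message says `vault-retrieve` currently fails, and `run_command` presumably raises by default) leaves the replica without an admin ticket for the tests that follow. Putting the `vault-retrieve` call under `try:` and the closing `kdestroy -A` plus `tasks.kinit_admin(self.replicas[0])` under `finally:` keeps the credential cache state deterministic. The retrieved secret is also written to `test.txt` in the working directory and is neither compared with `self.vault_data` nor removed, and `vault_user` is never deleted.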
diff --git a/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch b/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch
new file mode 100644
index 0000000..26f61fb
--- /dev/null
+++ b/SOURCES/0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch
@@ -0,0 +1,35 @@
+From 93b58fdbcf1da0a952386e6c8f4e20c344db903c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
+Date: Wed, 21 Nov 2018 00:01:02 +0100
+Subject: [PATCH] Add a "Find enabled services" ACI in 20-aci.update so that
+ all users can find IPA servers and services. ACI suggested by Christian
+ Heimes.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: https://pagure.io/freeipa/issue/7691
+Signed-off-by: François Cami <fcami@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ install/updates/20-aci.update | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
+index 184749d78106c30fdf542c1fe1c52cb11b53a83e..7650cb48101d866b3a094ec9ab11378de4f68232 100644
+--- a/install/updates/20-aci.update
++++ b/install/updates/20-aci.update
+@@ -36,6 +36,10 @@ remove:aci:(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny rea
+ dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+ add:aci:(targetfilter="(objectclass=nsContainer)")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";)
+ 
++# Allow users to discover enabled services
++dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
++add:aci:(targetfilter = "(ipaConfigString=enabledService)")(targetattrs = "ipaConfigString")(version 3.0; acl "Find enabled services"; allow(read, search, compare) userdn = "ldap:///all";)
++
+ # Allow hosts to read masters service configuration
+ dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+ add:aci:(targetfilter = "(objectclass=nsContainer)")(targetattr = "ipaConfigString")(version 3.0; acl "Allow hosts to read masters service configuration"; allow(read, search, compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
+-- 
+2.17.2
+
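Review bot: The added ACI spells its attribute keyword `targetattrs`, while the two neighbouring ACIs on the same entry in this hunk use `targetattr`. Please confirm the directory server accepts the plural form, since a keyword that is rejected or ignored would change what this rule grants to every authenticated user (`ldap:///all`). If it is a typo, the clause should read `(targetattr = "ipaConfigString")`. Note also that `targetfilter` only selects entries: the grant then covers every value of `ipaConfigString` on an entry carrying `enabledService`, so any other configuration strings stored there become readable as well.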
diff --git a/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch b/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
new file mode 100644
index 0000000..0959ec1
--- /dev/null
+++ b/SOURCES/0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
@@ -0,0 +1,48 @@
+From 896c438f1dd7e4aa316503fbf68fef13963d7463 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 22 Nov 2018 18:31:38 +0100
+Subject: [PATCH] ipaldap.py: fix method creating a ldap filter for
+ IPACertificate
+
+ipa user-find --certificate and ipa host-find --certificate
+fail to return matching entries, because the method transforming
+the attribute into a LDAP filter does not properly handle
+IPACertificate objects.
+Directory Server logs show a filter with
+(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
+
+When the attribute contains a cryptography.x509.Certificate,
+the method needs to extract the public bytes instead of calling str(value).
+
+Fixes https://pagure.io/freeipa/issue/7770
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipapython/ipaldap.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
+index 53fdf4967868961effea7f3f64dfb3c0edfc75f3..a44246e3ee0de5a78de77a593718ecad1aaa0f67 100644
+--- a/ipapython/ipaldap.py
++++ b/ipapython/ipaldap.py
+@@ -36,6 +36,7 @@ from six.moves.urllib.parse import urlparse
+ # pylint: enable=import-error
+ 
+ from cryptography import x509 as crypto_x509
++from cryptography.hazmat.primitives import serialization
+ 
+ import ldap
+ import ldap.sasl
+@@ -1276,6 +1277,8 @@ class LDAPClient(object):
+             ]
+             return cls.combine_filters(flts, rules)
+         elif value is not None:
++            if isinstance(value, crypto_x509.Certificate):
++                value = value.public_bytes(serialization.Encoding.DER)
+             if isinstance(value, bytes):
+                 value = binascii.hexlify(value).decode('ascii')
+                 # value[-2:0] is empty string for the initial '\\'
+-- 
+2.17.2
+
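Review bot: The new `isinstance(value, crypto_x509.Certificate)` branch only fixes the reported case if `ipalib.x509.IPACertificate` is a real or registered subclass of that class, which this hunk does not show. Otherwise the object still falls through to the `str(value)` path described in the commit message. A one-line comment would make the intent durable, e.g. `# reduce certificates to DER so they take the bytes branch and are hex-escaped`. The enclosing method starts and ends outside the hunk, so the remaining branches were not reviewed.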
diff --git a/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch b/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch
new file mode 100644
index 0000000..0e5cfd3
--- /dev/null
+++ b/SOURCES/0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch
@@ -0,0 +1,86 @@
+From 489ac5a5da034394c09043d6c26700e4ae049b78 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 23 Nov 2018 10:23:40 +0100
+Subject: [PATCH] ipatests: add xmlrpc test for user|host-find --certificate
+
+There were no xmlrpc tests for ipa user-find --certificate
+or ipa host-find --certificate.
+The commit adds tests for these commands.
+
+Related to https://pagure.io/freeipa/issue/7770
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipatests/test_xmlrpc/test_host_plugin.py |  5 ++++
+ ipatests/test_xmlrpc/test_user_plugin.py | 31 ++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index 8255296d1794bfa19c1f4642bb4bfb9212567b1e..1bcc90b0c48c811356ec93813834d6aa6805a921 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -251,6 +251,11 @@ class TestCRUD(XMLRPC_test):
+                         valid_not_after=fuzzy_date,
+                     ))
+         host.retrieve()
++        # test host-find with --certificate
++        command = host.make_find_command(
++            fqdn=host.fqdn, usercertificate=host_cert)
++        res = command()['result']
++        assert len(res) == 1
+ 
+     def test_try_rename(self, host):
+         host.ensure_exists()
+diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
+index af825f79daf21720e164dd8cd01576167fb440c4..8e54d04bd79888c447368250c3a2e182029a3b44 100644
+--- a/ipatests/test_xmlrpc/test_user_plugin.py
++++ b/ipatests/test_xmlrpc/test_user_plugin.py
+@@ -25,6 +25,7 @@ Test the `ipaserver/plugins/user.py` module.
+ """
+ 
+ import pytest
++import base64
+ import datetime
+ import ldap
+ import re
+@@ -220,6 +221,36 @@ class TestUser(XMLRPC_test):
+         user.check_update(result)
+         user.delete()
+ 
++    def test_find_cert(self, user):
++        """ Add a usercertificate and perform a user-find --certificate """
++        user_cert = (
++            u"MIICszCCAZugAwIBAgICM24wDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
++            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjUyOVoXDTE3M\r\n"
++            "DQxOTEwMjUyOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTEwggEiMA0GCSqGSI\r\n"
++            "b3DQEBAQUAA4IBDwAwggEKAoIBAQCq03FRQQBvq4HwYMKP8USLZuOkKzuIs2V\r\n"
++            "Pt8k/+nO1dADrzMogKDiUDjCwYoG2UM/sj6P+PJUUCNDLh5eRRI+aR5VE5y2a\r\n"
++            "K95iCsj1ByDWrugAUXgr8GUUr+UbaGc0XxHCMnQBkYhzbXY3u91KYRRh5l3lx\r\n"
++            "RSICcVeJFJ/tiMS14Vsor1DWykHGz1wm0Zjwg1XDV3oea+uwrSz5Pa6RNPlgC\r\n"
++            "+GGW6B7+8qC2XdSSEwvY7y1SAGgqyOxN/FLwvqqMDNU0uX7fww587uZ57IfYz\r\n"
++            "b8Xn5DAprRFNk40FDc46rMlkPBT+Tij1I0jedD8h2e6WEa7JRU6SGToYDbRm4\r\n"
++            "RL9xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHqm1jXzYer9oSjYs9qh1jWpM\r\n"
++            "vTcN+0/z1uuX++Wezh3lG7IzYtypbZNxlXDECyrkUh+9oxzMJqdlZ562ko2br\r\n"
++            "uK6X5csbbM9uVsUva8NCsPPfZXDhrYaMKFvQGFY4pO3uhFGhccob037VN5Ifm\r\n"
++            "aKGM8aJ40cw2PQh38QPDdemizyVCThQ9Pcr+WgWKiG+t2Gd9NldJRLEhky0bW\r\n"
++            "2fc4zWZVbGq5nFXy1k+d/bgkHbVzf255eFZOKKy0NgZwig+uSlhVWPJjS4Z1w\r\n"
++            "LbpBKxTZp/xD0yEARs0u1ZcCELO/BkgQM50EDKmahIM4mdCs/7j1B/DdWs2i3\r\n"
++            "5lnbjxYYiUiyA=")
++        user.ensure_exists()
++        user.update(dict(usercertificate=user_cert),
++                    expected_updates=dict(
++                        usercertificate=[base64.b64decode(user_cert)])
++                    )
++        command = user.make_find_command(uid=user.name,
++                                         usercertificate=user_cert)
++        res = command()['result']
++        assert len(res) == 1
++        user.delete()
++
+ 
+ @pytest.mark.tier1
+ class TestFind(XMLRPC_test):
+-- 
+2.17.2
+
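Review bot: Both new checks (`test_find_cert` and the `host-find` block added to `TestCRUD`) assert only a positive match with the name and the certificate combined, so they do not show that the certificate term actually discriminates between entries. A second query with the same `uid`/`fqdn` and a different certificate, expecting `len(res) == 0`, would pin that. In `test_find_cert`, `user.delete()` is skipped when the assertion fails; whether the `user` fixture cleans up on its own is not visible here.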
diff --git a/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch b/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch
new file mode 100644
index 0000000..193aaa0
--- /dev/null
+++ b/SOURCES/0051-ipa-upgrade-handle-double-encoded-certificates.patch
@@ -0,0 +1,51 @@
+From 086611271c4dfbbf47e76e666142327bf950a9ca Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 26 Nov 2018 14:15:12 +0100
+Subject: [PATCH] ipa upgrade: handle double-encoded certificates
+
+Issue is linked to the ticket
+ #3477 LDAP upload CA cert sometimes double-encodes the value
+In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
+the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
+
+The fix for 3477 is only partial as it prevents double-encoding when a
+new cert is uploaded but does not fix wrong values already present in LDAP.
+
+With this commit, the code first tries to read a der cert. If it fails,
+it logs a debug message and re-writes the value caCertificate;binary
+to repair the entry.
+
+Fixes https://pagure.io/freeipa/issue/7775
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/install/plugins/upload_cacrt.py | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
+index 68d43caa76eb67093745658d20a39700adbd16c6..dc58f0863182ccb92d9fed6aa5f1c2546404b598 100644
+--- a/ipaserver/install/plugins/upload_cacrt.py
++++ b/ipaserver/install/plugins/upload_cacrt.py
+@@ -115,7 +115,18 @@ class update_upload_cacrt(Updater):
+                 entry.single_value['cACertificate;binary'] = ca_cert
+                 ldap.add_entry(entry)
+             else:
+-                if b'' in entry['cACertificate;binary']:
++                force_write = False
++                try:
++                    _cert_bin = entry['cACertificate;binary']
++                except ValueError:
++                    # BZ 1644874
++                    # sometimes the cert is badly stored, twice encoded
++                    # force write to fix the value
++                    logger.debug('Fixing the value of cACertificate;binary '
++                                 'in entry %s', entry.dn)
++                    force_write = True
++
++                if force_write or b'' in entry['cACertificate;binary']:
+                     entry.single_value['cACertificate;binary'] = ca_cert
+                     ldap.update_entry(entry)
+ 
+-- 
+2.17.2
+
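Review bot: The `except ValueError` branch in `update_upload_cacrt` treats any `cACertificate;binary` value that fails to decode as the double-encoding case and overwrites the stored CA certificate, recording it only at debug level. Replacing a trust anchor deserves a trace at default log levels, e.g. `logger.warning('Replacing undecodable cACertificate;binary in entry %s', entry.dn)`. `_cert_bin` is never used; a bare `entry['cACertificate;binary']` with a short comment that the access itself raises on a bad value would state the intent more directly. The surrounding method begins outside the hunk, so the origin of `ca_cert` was not checked.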
diff --git a/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch b/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
new file mode 100644
index 0000000..874c3f2
--- /dev/null
+++ b/SOURCES/0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
@@ -0,0 +1,76 @@
+From 57a473bd41fbd3520871dbd7ed7dc9524946a48e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 29 Nov 2018 15:41:33 +0100
+Subject: [PATCH] ipatests: add upgrade test for double-encoded cacert
+
+Create a test for upgrade with the following scenario:
+- install master
+- write a double-encoded cert in the entry
+cn=cacert,,cn=ipa,cn=etc,$basedn
+to simulate bug 7775
+- call ipa-server-upgrade
+- check that the upgrade fixed the value
+
+The upgrade should finish successfully and repair
+the double-encoded cert.
+
+Related to https://pagure.io/freeipa/issue/7775
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipatests/test_integration/test_upgrade.py | 35 +++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+index 951747b0b37cd62459a241255190baebdf0f728a..7dbe52d57052d3c640df644705fc3e22fab14334 100644
+--- a/ipatests/test_integration/test_upgrade.py
++++ b/ipatests/test_integration/test_upgrade.py
+@@ -6,6 +6,9 @@
+ Module provides tests to verify that the upgrade script works.
+ """
+ 
++import base64
++from cryptography.hazmat.primitives import serialization
++from ipapython.dn import DN
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_plugins.integration import tasks
+ 
+@@ -19,3 +22,35 @@ class TestUpgrade(IntegrationTest):
+         cmd = self.master.run_command(['ipa-server-upgrade'],
+                                       raiseonerr=False)
+         assert cmd.returncode == 0
++
++    def test_double_encoded_cacert(self):
++        """Test for BZ 1644874
++
++        In old IPA version, the entry cn=CAcert,cn=ipa,cn=etc,$basedn
++        could contain a double-encoded cert, which leads to ipa-server-upgrade
++        failure.
++        Force a double-encoded value then call upgrade to check the fix.
++        """
++        # Read the current entry from LDAP
++        ldap = self.master.ldap_connect()
++        basedn = self.master.domain.basedn  # pylint: disable=no-member
++        dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'), basedn)
++        entry = ldap.get_entry(dn)  # pylint: disable=no-member
++        # Extract the certificate as DER then double-encode
++        cacert = entry['cacertificate;binary'][0]
++        cacert_der = cacert.public_bytes(serialization.Encoding.DER)
++        cacert_b64 = base64.b64encode(cacert_der)
++        # overwrite the value with double-encoded cert
++        entry.single_value['cACertificate;binary'] = cacert_b64
++        ldap.update_entry(entry)  # pylint: disable=no-member
++
++        # try the upgrade
++        self.master.run_command(['ipa-server-upgrade'])
++
++        # read the value after upgrade, should be fixed
++        entry = ldap.get_entry(dn)  # pylint: disable=no-member
++        try:
++            _cacert = entry['cacertificate;binary']
++        except ValueError:
++            raise AssertionError('%s contains a double-encoded cert'
++                                 % entry.dn)
+-- 
+2.17.2
+
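Review bot: The final check in `test_double_encoded_cacert` passes as soon as `entry['cacertificate;binary']` decodes, so it would accept any parseable certificate in the entry, not only the original CA. Comparing against the value read at the start tightens it, e.g. `assert entry['cacertificate;binary'][0].public_bytes(serialization.Encoding.DER) == cacert_der` (assuming the upgrade is expected to restore the same certificate). The test also leaves the deliberately corrupted value in LDAP if `ipa-server-upgrade` fails, which would affect later tests on the same master.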
diff --git a/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch b/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
new file mode 100644
index 0000000..ee850b4
--- /dev/null
+++ b/SOURCES/0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
@@ -0,0 +1,32 @@
+From 840f9cfe17737c9ef1899b9923682a5df53ff4b6 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 4 Dec 2018 16:44:54 +0100
+Subject: [PATCH] ipatests: fix TestUpgrade::test_double_encoded_cacert
+
+The test is using a stale ldap connection to the master
+(obtained before calling upgrade, and the upgrade stops
+and starts 389-ds, breaking the connection).
+
+The fix re-connects before using the ldap handle.
+
+Related to https://pagure.io/freeipa/issue/7775
+---
+ ipatests/test_integration/test_upgrade.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+index 7dbe52d57052d3c640df644705fc3e22fab14334..b03109f7c3bb0f037c8fd6554e3e5420bc557684 100644
+--- a/ipatests/test_integration/test_upgrade.py
++++ b/ipatests/test_integration/test_upgrade.py
+@@ -47,6 +47,8 @@ class TestUpgrade(IntegrationTest):
+         # try the upgrade
+         self.master.run_command(['ipa-server-upgrade'])
+ 
++        # reconnect to the master (upgrade stops 389-ds)
++        ldap = self.master.ldap_connect()
+         # read the value after upgrade, should be fixed
+         entry = ldap.get_entry(dn)  # pylint: disable=no-member
+         try:
+-- 
+2.17.2
+
diff --git a/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch b/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
new file mode 100644
index 0000000..8dd6196
--- /dev/null
+++ b/SOURCES/0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
@@ -0,0 +1,145 @@
+From 3e0e8c309c70a0d379b985189c23f1bacd62a96e Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 30 Nov 2018 15:46:25 +0100
+Subject: [PATCH] ipatest: add test for ipa-pkinit-manage enable|disable
+
+Add a test for ipa-pkinit-manage with the following scenario:
+- install master with option --no-pkinit
+- call ipa-pkinit-manage enable
+- call ipa-pkinit-manage disable
+- call ipa-pkinit-manage enable
+
+At each step, check that the PKINIT cert is consistent with the
+expectations: when pkinit is enabled, the cert is signed by IPA
+CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
+the cert is self-signed and tracked by 'SelfSign' CA helper.
+
+Related to https://pagure.io/freeipa/issue/7200
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ .../test_integration/test_pkinit_manage.py    | 111 ++++++++++++++++++
+ 1 file changed, 111 insertions(+)
+ create mode 100644 ipatests/test_integration/test_pkinit_manage.py
+
+diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..bc1d9e338cdf4e7a503b3c83ac12792894eecce2
+--- /dev/null
++++ b/ipatests/test_integration/test_pkinit_manage.py
+@@ -0,0 +1,111 @@
++#
++# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
++#
++
++"""
++Module provides tests for the ipa-pkinit-manage command.
++"""
++
++from __future__ import absolute_import
++
++from ipalib import x509
++from ipaplatform.paths import paths
++from ipapython.dn import DN
++from ipatests.test_integration.base import IntegrationTest
++from ipatests.pytest_ipa.integration import tasks
++
++
++SELFSIGNED_CA_HELPER = 'SelfSign'
++IPA_CA_HELPER = 'IPA'
++PKINIT_STATUS_ENABLED = 'enabled'
++PKINIT_STATUS_DISABLED = 'disabled'
++
++
++def check_pkinit_status(host, status):
++    """Ensures that ipa-pkinit-manage status returns the expected state"""
++    result = host.run_command(['ipa-pkinit-manage', 'status'],
++                              raiseonerr=False)
++    assert result.returncode == 0
++    assert 'PKINIT is {}'.format(status) in result.stdout_text
++
++
++def check_pkinit_tracking(host, ca_helper):
++    """Ensures that the PKINIT cert is tracked by the expected helper"""
++    result = host.run_command(['getcert', 'list', '-f', paths.KDC_CERT],
++                              raiseonerr=False)
++    assert result.returncode == 0
++    # Make sure that only one request exists
++    assert result.stdout_text.count('Request ID') == 1
++    # Make sure that the right CA helper is used to track the cert
++    assert 'CA: {}'.format(ca_helper) in result.stdout_text
++
++
++def check_pkinit_cert_issuer(host, issuer):
++    """Ensures that the PKINIT cert is signed by the expected issuer"""
++    data = host.get_file_contents(paths.KDC_CERT)
++    pkinit_cert = x509.load_pem_x509_certificate(data)
++    # Make sure that the issuer is the expected one
++    assert DN(pkinit_cert.issuer) == DN(issuer)
++
++
++def check_pkinit(host, enabled=True):
++    """Checks that PKINIT is configured as expected
++
++    If enabled:
++    ipa-pkinit-manage status must return 'PKINIT is enabled'
++    the certificate must be tracked by IPA CA helper
++    the certificate must be signed by IPA CA
++    If disabled:
++    ipa-pkinit-manage status must return 'PKINIT is disabled'
++    the certificate must be tracked by SelfSign CA helper
++    the certificate must be self-signed
++    """
++    if enabled:
++        # When pkinit is enabled:
++        # cert is tracked by IPA CA helper
++        # cert is signed by IPA CA
++        check_pkinit_status(host, PKINIT_STATUS_ENABLED)
++        check_pkinit_tracking(host, IPA_CA_HELPER)
++        check_pkinit_cert_issuer(
++            host,
++            'CN=Certificate Authority,O={}'.format(host.domain.realm))
++    else:
++        # When pkinit is disabled
++        # cert is tracked by 'SelfSign' CA helper
++        # cert is self-signed
++        check_pkinit_status(host, PKINIT_STATUS_DISABLED)
++        check_pkinit_tracking(host, SELFSIGNED_CA_HELPER)
++        check_pkinit_cert_issuer(
++            host,
++            'CN={},O={}'.format(host.hostname, host.domain.realm))
++
++
++class TestPkinitManage(IntegrationTest):
++    """Tests the ipa-pkinit-manage command.
++
++    ipa-pkinit-manage can be used to enable, disable or check
++    the status of PKINIT.
++    When pkinit is enabled, the kerberos server is using a certificate
++    signed either externally or by IPA CA. In the latter case, certmonger
++    is tracking the cert with IPA helper.
++    When pkinit is disabled, the kerberos server is using a self-signed
++    certificate that is tracked by certmonger with the SelfSigned helper.
++    """
++
++    @classmethod
++    def install(cls, mh):
++        # Install the master with PKINIT disabled
++        tasks.install_master(cls.master, extra_args=['--no-pkinit'])
++        check_pkinit(cls.master, enabled=False)
++
++    def test_pkinit_enable(self):
++        self.master.run_command(['ipa-pkinit-manage', 'enable'])
++        check_pkinit(self.master, enabled=True)
++
++    def test_pkinit_disable(self):
++        self.master.run_command(['ipa-pkinit-manage', 'disable'])
++        check_pkinit(self.master, enabled=False)
++
++    def test_pkinit_reenable(self):
++        self.master.run_command(['ipa-pkinit-manage', 'enable'])
++        check_pkinit(self.master, enabled=True)
+-- 
+2.17.2
+
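Review bot: `check_pkinit_cert_issuer` compares only the issuer DN of the certificate read from `paths.KDC_CERT` with the expected string, so it would also pass for a certificate that carries a matching issuer name but was not actually signed by the IPA CA. Since this test guards certificate re-issuance, consider also verifying the signature against the CA certificate in the enabled case, and checking that subject equals issuer in the disabled case. The three `test_pkinit_*` methods only make sense when run in definition order, which deserves a comment on the class such as `# tests are order-dependent: enable -> disable -> re-enable`. The class docstring also says "SelfSigned helper" while the constant is `'SelfSign'`.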
diff --git a/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch b/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
new file mode 100644
index 0000000..8a02d74
--- /dev/null
+++ b/SOURCES/0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
@@ -0,0 +1,78 @@
+From 977a01a67318a9b0ce01f7803b1126a310bf4140 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 30 Nov 2018 15:49:20 +0100
+Subject: [PATCH] PKINIT: fix ipa-pkinit-manage enable|disable
+
+The command ipa-pkinit-manage enable|disable is reporting
+success even though the PKINIT cert is not re-issued.
+The command triggers the request of a new certificate
+(signed by IPA CA when state=enable, selfsigned when disabled),
+but as the cert file is still present, certmonger does not create
+a new request and the existing certificate is kept.
+
+The fix consists in deleting the cert and key file before calling
+certmonger to request a new cert.
+
+There was also an issue in the is_pkinit_enabled() function:
+if no tracking request was found for the PKINIT cert,
+is_pkinit_enabled() was returning True while it should not.
+
+Fixes https://pagure.io/freeipa/issue/7200
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/install/ipa_pkinit_manage.py | 2 ++
+ ipaserver/install/krbinstance.py       | 9 ++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ipa_pkinit_manage.py b/ipaserver/install/ipa_pkinit_manage.py
+index 4a79bba5d1b636827a7a031965b49cf7b34c6330..86bd1baf00178a629864b210ca9f4786668149df 100644
+--- a/ipaserver/install/ipa_pkinit_manage.py
++++ b/ipaserver/install/ipa_pkinit_manage.py
+@@ -72,6 +72,8 @@ class PKINITManage(AdminTool):
+                 if ca_enabled:
+                     logger.warning(
+                         "Failed to stop tracking certificates: %s", e)
++            # remove the cert and key
++            krb.delete_pkinit_cert()
+ 
+             krb.enable_ssl()
+ 
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index a3079bd6304a41116f9aa5e78b6c6c71d72d7aa6..6221f3f61338308afb406e23d62566b12d8c131d 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -77,7 +77,7 @@ def is_pkinit_enabled():
+     if os.path.exists(paths.KDC_CERT):
+         pkinit_request_ca = get_pkinit_request_ca()
+ 
+-        if pkinit_request_ca != "SelfSign":
++        if pkinit_request_ca and pkinit_request_ca != "SelfSign":
+             return True
+ 
+     return False
+@@ -591,6 +591,10 @@ class KrbInstance(service.Service):
+     def stop_tracking_certs(self):
+         certmonger.stop_tracking(certfile=paths.KDC_CERT)
+ 
++    def delete_pkinit_cert(self):
++        installutils.remove_file(paths.KDC_CERT)
++        installutils.remove_file(paths.KDC_KEY)
++
+     def uninstall(self):
+         if self.is_configured():
+             self.print_msg("Unconfiguring %s" % self.service_name)
+@@ -616,8 +620,7 @@ class KrbInstance(service.Service):
+         # stop tracking and remove certificates
+         self.stop_tracking_certs()
+         installutils.remove_file(paths.CACERT_PEM)
+-        installutils.remove_file(paths.KDC_CERT)
+-        installutils.remove_file(paths.KDC_KEY)
++        self.delete_pkinit_cert()
+ 
+         if running:
+             self.restart()
+-- 
+2.17.2
+
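Review bot: In `PKINITManage` the added `krb.delete_pkinit_cert()` removes both `paths.KDC_CERT` and `paths.KDC_KEY` before `krb.enable_ssl()` requests the replacement. If that request fails, the KDC is presumably left with no certificate or key and no way back to the previous state. The enclosing method starts and ends outside the hunk, so error handling may exist that is not visible here. If it does not, consider moving the old pair aside and removing it only once the new certificate is in place, and logging the removal so the state change is visible in the install log. `delete_pkinit_cert` also has no docstring; something like `"""Remove the PKINIT cert and key so that certmonger issues a fresh pair."""` would record why the private key is deleted as well.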
diff --git a/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch b/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch
new file mode 100644
index 0000000..7777371
--- /dev/null
+++ b/SOURCES/0056-replication-check-remote-ds-version-before-editing-a.patch
@@ -0,0 +1,87 @@
+From e879ca9b693a10f456f03d3c471afa49321516f9 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 13 Dec 2018 14:54:07 +0100
+Subject: [PATCH] replication: check remote ds version before editing
+ attributes
+
+When the remote server has an old DS version, update of the
+replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
+and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
+schema has been updated.
+
+Check first the remote server version and update the attributes only if
+the version is high enough.
+A previous fix was already performing this check (commit 02f4a7a),
+but not in all the cases. This fix also handles when the remote server
+already has a cn=replica entry (for instance because it has already
+established replication with another host).
+
+Fixes https://pagure.io/freeipa/issue/7796
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/install/replication.py | 33 ++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index 92a99cd9482f86d6820230479bf94c871669572e..70629b4528f033908c584bfaf0793cfa4ce259d4 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -215,6 +215,22 @@ def wait_for_entry(connection, dn, timeout, attr=None, attrvalue='*',
+             time.sleep(1)
+ 
+ 
++def get_ds_version(conn):
++    """Returns the DS version
++
++    Retrieves the DS version from the vendorVersion attribute stored in LDAP.
++    :param conn: LDAP connection established and authenticated to the server
++                 for which we need the version
++    :return: a tuple containing the DS version
++    """
++    # Find which 389-ds is installed
++    rootdse = conn.get_entry(DN(''), ['vendorVersion'])
++    version = rootdse.single_value.get('vendorVersion')
++    mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
++    vendor_version = tuple(int(v) for v in mo.groups())
++    return vendor_version
++
++
+ class ReplicationManager(object):
+     """Manage replication agreements
+ 
+@@ -527,8 +543,16 @@ class ReplicationManager(object):
+             # Add the new replication manager
+             binddns.append(replica_binddn)
+ 
+-        for key, value in REPLICA_CREATION_SETTINGS.items():
+-            entry[key] = value
++        # If the remote server has 389-ds < 1.3, it does not
++        # support the attributes we are trying to set.
++        # Find which 389-ds is installed
++        vendor_version = get_ds_version(conn)
++        if vendor_version >= (1, 3, 0):
++            for key, value in REPLICA_CREATION_SETTINGS.items():
++                entry[key] = value
++        else:
++            logger.debug("replication attributes not supported "
++                         "on remote master, skipping update.")
+ 
+         try:
+             conn.update_entry(entry)
+@@ -604,10 +628,7 @@ class ReplicationManager(object):
+         # If the remote server has 389-ds < 1.3, it does not
+         # support the attributes we are trying to set.
+         # Find which 389-ds is installed
+-        rootdse = r_conn.get_entry(DN(''), ['vendorVersion'])
+-        version = rootdse.single_value.get('vendorVersion')
+-        mo = re.search(r'(\d+)\.(\d+)\.(\d+)[\.\d]*', version)
+-        vendor_version = tuple(int(v) for v in mo.groups())
++        vendor_version = get_ds_version(r_conn)
+         if vendor_version >= (1, 3, 0):
+             # 389-ds understands the replication attributes,
+             # we can safely modify them
+-- 
+2.17.2
+
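Review bot: `get_ds_version` passes `version` to `re.search` and then calls `mo.groups()` without checking either value. If the remote root DSE returns no `vendorVersion`, or one in an unexpected format, replica setup stops with a bare `TypeError` or `AttributeError` instead of a diagnosable message. The helper is now also reached from the `@@ -527` hunk in `ReplicationManager`, so a guard is worth adding: reject an empty `version` before the search, then `if mo is None: raise RuntimeError("cannot parse vendorVersion: %r" % version)`. The `:return:` line could also state that the tuple is three integers, since both callers compare it with `(1, 3, 0)`. Both calling methods extend beyond their hunks.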
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index 6e66d45..df4ee0b 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From e94346d8c3d588056f04af1c1916617c962be4bc Mon Sep 17 00:00:00 2001
+From e443dc9390ead872bfa0c7ae35323023f21cebc9 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -46,12 +46,12 @@ Subject: [PATCH] Change branding to IPA and Identity Management
  install/tools/man/ipactl.8                 |   2 +-
  install/ui/css/patternfly.css              |   2 +-
  install/ui/index.html                      |   2 +-
- install/ui/less/brand.less                 | 103 ++++++++++++++---------------
- install/ui/less/patternfly.less            |  48 ++++++++++++++
+ install/ui/less/brand.less                 | 103 ++++++++++-----------
+ install/ui/less/patternfly.less            |  48 ++++++++++
  install/ui/reset_password.html             |   2 +-
  install/ui/src/freeipa/widgets/App.js      |   2 +-
  install/ui/sync_otp.html                   |   2 +-
- ipaserver/advise/plugins/legacy_clients.py |   8 +--
+ ipaserver/advise/plugins/legacy_clients.py |   8 +-
  ipaserver/install/dns.py                   |   2 +-
  ipaserver/install/ipa_kra_install.py       |   4 +-
  ipaserver/install/server/install.py        |   2 +-
@@ -280,7 +280,7 @@ index 19e3e6832bea774244bc949ce44a27f5ebebaed0..2a92ec6aebeb0932b58dd092ba4188e1
  You may place your schema files in a subdirectory too, the code that loads
  schema files processes recursively all subdirectories of schema.d.
 diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
-index d4e5d4c09cf6b7c1521bcecb79bb6fd7235fc799..e6618ef2e78e26f0cb74fadff214f564d000677c 100755
+index a870d136e242affe6627cd4c44a173a80a9ab1c6..f0e72b3adaa5ef27a11c11feb787019b6db71e62 100755
 --- a/install/tools/ipa-adtrust-install
 +++ b/install/tools/ipa-adtrust-install
 @@ -141,11 +141,11 @@ def main():
@@ -344,7 +344,7 @@ index 4c494aab90fe307bf0a2bf82677efda4b5e67e3e..515bbddbe4de8a38a2797d6aa5e95c1a
 \ No newline at end of file
 +1 if an error occurred
 diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1
-index ff9759ec77d54f32532c4ececfa5081daab9ec15..476f9b534d514b03200369212807fc6d001c70b8 100644
+index 9e2900f770880d3a554df5cd5d0430716e3bf70e..747fc12f71c12be9ddcd69bdb86354a3e0237944 100644
 --- a/install/tools/man/ipa-backup.1
 +++ b/install/tools/man/ipa-backup.1
 @@ -16,7 +16,7 @@
@@ -940,10 +940,10 @@ index 7916965dddfec7e4c2aa34b081d4c1ba6fc953a7..c0d6c73f4f3d55ac3eb3636273f47541
                     'are all Red Hat based platforms.')
  
 diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
-index e14b353e9cb655a6e7ef228d47dfc7a1badd7286..1cd851625f225538856b9b627b3d8190ccfa47dc 100644
+index e4f73ac025dfe8aa19ef99c8d0ab9379caa32610..897c40a6c02899bfe60228dd73e5c71c0b59c3be 100644
 --- a/ipaserver/install/dns.py
 +++ b/ipaserver/install/dns.py
-@@ -149,7 +149,7 @@ def install_check(standalone, api, replica, options, hostname):
+@@ -150,7 +150,7 @@ def install_check(standalone, api, replica, options, hostname):
  
      if standalone:
          print("==============================================================================")
@@ -953,7 +953,7 @@ index e14b353e9cb655a6e7ef228d47dfc7a1badd7286..1cd851625f225538856b9b627b3d8190
          print("This includes:")
          print("  * Configure DNS (bind)")
 diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
-index 07e11ea69ded8832015dd69ea43ff338c5f9df95..76492c1dd9bf02d3e80ec5876214441d697e9765 100644
+index b536685f5f1f3fccab07fd37aa001958e2d38420..1a0b96b000a4c4166054dee9d63b6f239741b40f 100644
 --- a/ipaserver/install/ipa_kra_install.py
 +++ b/ipaserver/install/ipa_kra_install.py
 @@ -90,7 +90,7 @@ class KRAInstall(admintool.AdminTool):
@@ -975,7 +975,7 @@ index 07e11ea69ded8832015dd69ea43ff338c5f9df95..76492c1dd9bf02d3e80ec5876214441d
      '''
  
 diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index e96ae97c74ee1598683d1ef3f2570e8de93c9943..b5290817e4b0f849ef77353d33bc6753a7c8b42d 100644
+index a341408f78f24055d807ae49c8a0cda81bfb3ec4..eeeb2977a98790585b8b8d4467ee4ad0e6c2f217 100644
 --- a/ipaserver/install/server/install.py
 +++ b/ipaserver/install/server/install.py
 @@ -377,7 +377,7 @@ def install_check(installer):
@@ -988,10 +988,10 @@ index e96ae97c74ee1598683d1ef3f2570e8de93c9943..b5290817e4b0f849ef77353d33bc6753
      print("This includes:")
      if setup_ca:
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 33f3ae9e616b34a3ab0ff8e4257552855e817e7c..356d17cf9a2d507e98952ae0477e473562a356e2 100644
+index eb354f81ba6e4cbc3848f9c24338fb85cc7639ae..7e9a1ce5d8c2b8a6fe445148afd66e61553b0e07 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -616,7 +616,7 @@ def check_domain_level_is_supported(current):
+@@ -621,7 +621,7 @@ def check_domain_level_is_supported(current):
      above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
  
      if under_lower_bound or above_upper_bound:
@@ -1023,5 +1023,5 @@ index 6037938330f13a30d0ccfbedcaac59c567bda0d6..b8a0c82d394edb8744de34394895b86f
  """) + _("""
  To enable the binddn run the following command to set the password:
 -- 
-2.14.4
+2.17.2
 
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index d412892..1579d1d 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 5b587502716f71c9c71cd63e32d6b837613bc8dc Mon Sep 17 00:00:00 2001
+From ddd951ba70e11fb6332f57e94a3b1a22ded08a39 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
@@ -22,10 +22,10 @@ index 93f996c5be670e0ae374a12a85c2465b8e740927..70482ceb65639465d60b0c48fd2ccd6e
  %{_usr}/share/ipa/*.ldif
  %{_usr}/share/ipa/*.uldif
 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..cf6247a4b12e3fecc7c784c9d803670442c56fd5 100644
+index d6e467097808594756d947fa721b8cf10fe7d043..a52336fd71ffb44e3f7dfcc95656bd82065f41cd 100644
 --- a/ipaserver/install/cainstance.py
 +++ b/ipaserver/install/cainstance.py
-@@ -1384,9 +1384,11 @@ def replica_ca_install_check(config, promote):
+@@ -1416,9 +1416,11 @@ def replica_ca_install_check(config, promote):
      else:
          logger.critical(
              'The master CA directory server does not have necessary schema. '
@@ -40,5 +40,5 @@ index b58fbb4c881d247d6b5fb661f4085ec82c3cc811..cf6247a4b12e3fecc7c784c9d8036704
  
  
 -- 
-2.14.4
+2.17.2
 
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index a7566d3..aa68b30 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From fa0db6fe2c7343d2ba86fadd55e9f4db78ec9f8a Mon Sep 17 00:00:00 2001
+From 6f6d25da7a5e93de9f8c80e7fe3419d4b0c60a72 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d
  WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
  WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 -- 
-2.14.4
+2.17.2
 
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index fc26b09..5f47da2 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From b7082747c2b6bbe2e857bd4fa20af443073dbd02 Mon Sep 17 00:00:00 2001
+From bbe70ea811007cf8426ac14565e7da47b3ae1ced Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
@@ -19,17 +19,17 @@ This reverts commits:
 
 https://bugzilla.redhat.com/show_bug.cgi?id=1432630
 ---
- freeipa.spec.in                                    | 18 -----
- ipaclient/csrgen/profiles/caIPAserviceCert.json    | 15 ----
- ipaclient/csrgen/profiles/userCert.json            | 15 ----
- ipaclient/csrgen/templates/openssl_macros.tmpl     | 29 --------
- ipaclient/plugins/cert.py                          | 82 +---------------------
- ipaclient/setup.py                                 |  7 --
- ipalib/errors.py                                   | 28 --------
- ipatests/setup.py                                  |  2 -
- ipatests/test_ipaclient/__init__.py                |  7 --
- .../data/test_csrgen/profiles/profile.json         |  8 ---
- .../data/test_csrgen/templates/identity_base.tmpl  |  1 -
+ freeipa.spec.in                               | 18 ----
+ .../csrgen/profiles/caIPAserviceCert.json     | 15 ----
+ ipaclient/csrgen/profiles/userCert.json       | 15 ----
+ .../csrgen/templates/openssl_macros.tmpl      | 29 -------
+ ipaclient/plugins/cert.py                     | 82 +------------------
+ ipaclient/setup.py                            |  7 --
+ ipalib/errors.py                              | 28 -------
+ ipatests/setup.py                             |  2 -
+ ipatests/test_ipaclient/__init__.py           |  7 --
+ .../data/test_csrgen/profiles/profile.json    |  8 --
+ .../test_csrgen/templates/identity_base.tmpl  |  1 -
  11 files changed, 1 insertion(+), 211 deletions(-)
  delete mode 100644 ipaclient/csrgen/profiles/caIPAserviceCert.json
  delete mode 100644 ipaclient/csrgen/profiles/userCert.json
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000
 @@ -1 +0,0 @@
 -{{ options|join(";") }}
 -- 
-2.14.4
+2.17.2
 
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 18fca0b..4ebfa79 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From 5f659d56bea124335d1813ae32c809cbc8582fb6 Mon Sep 17 00:00:00 2001
+From eaa2dd2de04147dbca127673d3c2473955b9289c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
@@ -123,5 +123,5 @@ index 8211c03515bf70b681da49d27ae11a4e8cb3b44d..a40b5d45ff8406c3ebbb69465e8d71d7
 -    assert p.returncode > 0, (out, err)
 -    assert b'System encoding must be UTF-8' in err, (out, err)
 -- 
-2.17.1
+2.17.2
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 8be3b2a..296a45c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -93,7 +93,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        10%{?dist}
+Release:        10%{?dist}.2
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -101,10 +101,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -154,12 +154,22 @@ Patch0042:	0042-Ensure-that-public-cert-and-CA-bundle-are-readable.patch
 Patch0043:	0043-Always-make-ipa.p11-kit-world-readable.patch
 Patch0044:	0044-Make-etc-httpd-alias-world-readable-executable.patch
 Patch0045:	0045-Fix-permission-of-public-files-in-upgrader.patch
+Patch0046:	0046-Find-orphan-automember-rules.patch
+Patch0047:	0047-Add-a-shared-vault-retrieve-test.patch
+Patch0048:	0048-Add-a-Find-enabled-services-ACI-in-20-aci.update-so-.patch
+Patch0049:	0049-ipaldap.py-fix-method-creating-a-ldap-filter-for-IPA.patch
+Patch0050:	0050-ipatests-add-xmlrpc-test-for-user-host-find-certific.patch
+Patch0051:	0051-ipa-upgrade-handle-double-encoded-certificates.patch
+Patch0052:	0052-ipatests-add-upgrade-test-for-double-encoded-cacert.patch
+Patch0053:	0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
+Patch0054:	0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
+Patch0055:	0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
+Patch0056:	0056-replication-check-remote-ds-version-before-editing-a.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
 Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1004:      1004-Remove-csrgen.patch
 Patch1005:      1005-Removing-filesystem-encoding-check.patch
-Patch1006:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 BuildRequires: libtool, automake, autoconf
@@ -965,10 +975,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 %endif # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -1729,8 +1739,24 @@ fi
 
 
 %changelog
-* Tue Oct 30 2018 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos
-- Roll in CentOS Branding
+* Tue Dec 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.2
+- Resolves: 1659492 searching for ipa users by certificate fails
+  - ipaldap.py: fix method creating a ldap filter for IPACertificate
+  - ipatests: add xmlrpc test for user|host-find --certificate
+- Resolves: 1659509 IPA Upgrade failed with "unable to convert the attribute u'cACertificate;binary'"
+  - ipa upgrade: handle double-encoded certificates
+  - ipatests: add upgrade test for double-encoded cacert
+  - ipatests: fix TestUpgrade::test_double_encoded_cacert
+- Resolves: 1659500 'ipa vault-retrieve' is failing with "ipa: ERROR: an internal error has occurred"
+  - Add a shared-vault-retrieve test
+  - Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
+- Resolves: 1659511 ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not.
+  - ipatest: add test for ipa-pkinit-manage enable|disable
+  - PKINIT: fix ipa-pkinit-manage enable|disable
+- Resolves: 1659499 automember-rebuild crashes
+  - Find orphan automember rules
+- Resolves: 1660389 ipa-replica-install fails migrating RHEL 6 to 7
+  - replication: check remote ds version before editing attributes
 
 * Tue Sep 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7
 - Resolves: 1630361 PKINIT fails in FIPS mode