diff --git a/SOURCES/0144-install-fix-command-line-option-validation.patch b/SOURCES/0144-install-fix-command-line-option-validation.patch
new file mode 100644
index 0000000..814b1f4
--- /dev/null
+++ b/SOURCES/0144-install-fix-command-line-option-validation.patch
@@ -0,0 +1,60 @@
+From 4ab54ece01d015f6b4e58542e377f60bc6726815 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Mon, 2 Nov 2015 15:32:35 +0100
+Subject: [PATCH] install: fix command line option validation
+
+The code which calls the validators was accidentally removed, re-add it.
+
+https://fedorahosted.org/freeipa/ticket/5386
+https://fedorahosted.org/freeipa/ticket/5391
+https://fedorahosted.org/freeipa/ticket/5392
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipapython/install/cli.py  | 7 +++++--
+ ipapython/install/core.py | 3 ++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/ipapython/install/cli.py b/ipapython/install/cli.py
+index 1ba9a815c4c499dff0e7974f399f2de31eb932cd..f6cc0fc351fd1f9fc3f51987bbb938deca377fe1 100644
+--- a/ipapython/install/cli.py
++++ b/ipapython/install/cli.py
+@@ -275,7 +275,8 @@ class ConfigureTool(admintool.AdminTool):
+         kwargs = {}
+ 
+         transformed_cls = self._transform(self.configurable_class)
+-        for owner_cls, name in transformed_cls.knobs():
++        knob_classes = {n: getattr(c, n) for c, n in transformed_cls.knobs()}
++        for name in knob_classes:
+             value = getattr(self.options, name, None)
+             if value is not None:
+                 kwargs[name] = value
+@@ -287,8 +288,10 @@ class ConfigureTool(admintool.AdminTool):
+         try:
+             cfgr = transformed_cls(**kwargs)
+         except core.KnobValueError as e:
+-            knob_cls = getattr(transformed_cls, e.name)
++            knob_cls = knob_classes[e.name]
+             try:
++                if self.positional_arguments is None:
++                    raise IndexError
+                 index = self.positional_arguments.index(e.name)
+             except IndexError:
+                 cli_name = knob_cls.cli_name or e.name.replace('_', '-')
+diff --git a/ipapython/install/core.py b/ipapython/install/core.py
+index c313c278e09cbf68e4f5c4b4c57f00d6e2870bea..91ae854cdb2a8846e2a2673a5bfe54b4f75f3823 100644
+--- a/ipapython/install/core.py
++++ b/ipapython/install/core.py
+@@ -226,7 +226,8 @@ class Configurable(object):
+             except KeyError:
+                 pass
+             else:
+-                setattr(self, name, value)
++                prop = knob_cls(self)
++                prop.__set__(self, value)
+ 
+         if kwargs:
+             extra = sorted(kwargs.keys())
+-- 
+2.4.3
+
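Review bot: The new `raise IndexError` guard in cli.py routes the "no positional arguments" case into the existing `except IndexError:`, but `self.positional_arguments.index(e.name)` on a plain list or tuple raises `ValueError` when the knob is not positional, so a KnobValueError for a non-positional knob would escape this handler unless a further except clause outside the hunk catches it. Widening the handler to `except (IndexError, ValueError):` covers both paths with no other change. A short comment on the guard would also help, e.g. `# no positional arguments at all: fall through to the option-name path`. The enclosing method and the validation in core.py's `Configurable` continue outside the hunk.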
diff --git a/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch b/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
new file mode 100644
index 0000000..fa18aa2
--- /dev/null
+++ b/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
@@ -0,0 +1,28 @@
+From 11856273c3819b58f8b5aa28aab2046ff113ffbe Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 19 Nov 2015 08:50:05 +0100
+Subject: [PATCH] install: export KRA agent PEM file in ipa-kra-install
+
+https://fedorahosted.org/freeipa/ticket/5462
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipaserver/install/krainstance.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
+index 69fe636732e6d3a8c1e0c460b641f061e519df92..0000192745b6d7f9f402267e435f7223f1bf8849 100644
+--- a/ipaserver/install/krainstance.py
++++ b/ipaserver/install/krainstance.py
+@@ -262,6 +262,8 @@ class KRAInstance(DogtagInstance):
+ 
+         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
+ 
++        export_kra_agent_pem()
++
+         self.log.debug("completed creating KRA instance")
+ 
+     def __create_kra_agent(self):
+-- 
+2.4.3
+
diff --git a/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch b/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
new file mode 100644
index 0000000..b7e43e9
--- /dev/null
+++ b/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
@@ -0,0 +1,111 @@
+From 09ead70bf9a081d8e2961a83d5dfe64d8f4c0399 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Mon, 9 Nov 2015 10:53:02 +0100
+Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
+
+This prevents errors when renewing other certificates during the renewal of
+ipaCert.
+
+https://fedorahosted.org/freeipa/ticket/5436
+
+Reviewed-By: David Kupka <dkupka@redhat.com>
+---
+ install/restart_scripts/Makefile.am       |  1 +
+ install/restart_scripts/renew_ra_cert     |  5 ++++-
+ install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
+ ipaserver/install/cainstance.py           |  2 +-
+ ipaserver/install/server/upgrade.py       |  4 ++--
+ 5 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100755 install/restart_scripts/renew_ra_cert_pre
+
+diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
+index 58057aa3198c892fc8ebb0df403495566ed77d1d..c4bf8195ea85ee0a9dba53fc2581e90c18a9127d 100644
+--- a/install/restart_scripts/Makefile.am
++++ b/install/restart_scripts/Makefile.am
+@@ -7,6 +7,7 @@ app_DATA =                              \
+ 	renew_ca_cert			\
+ 	renew_ra_cert			\
+ 	stop_pkicad			\
++	renew_ra_cert_pre		\
+ 	$(NULL)
+ 
+ EXTRA_DIST =                            \
+diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
+index 3a36f739ae53391e502356f7b6b4fd96a536c3a6..988ada946aed47d1f2b76c1add48ea8c8d64a161 100644
+--- a/install/restart_scripts/renew_ra_cert
++++ b/install/restart_scripts/renew_ra_cert
+@@ -77,8 +77,11 @@ def _main():
+ 
+ 
+ def main():
+-    with certs.renewal_lock:
++    try:
+         _main()
++    finally:
++        # lock acquired in renew_ra_cert_pre
++        certs.renewal_lock.release('renew_ra_cert')
+ 
+ 
+ try:
+diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
+new file mode 100755
+index 0000000000000000000000000000000000000000..d0f743c099162e4c5afd7d96287e58492246db35
+--- /dev/null
++++ b/install/restart_scripts/renew_ra_cert_pre
+@@ -0,0 +1,18 @@
++#!/usr/bin/python2 -E
++#
++# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
++#
++
++import syslog
++import traceback
++
++from ipaserver.install import certs
++
++
++def main():
++    certs.renewal_lock.acquire('renew_ra_cert')
++
++try:
++    main()
++except Exception:
++    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index dfe023c08c9b8d1b28f1659b7c5a6395f3afe879..d230c9bdcab68f02cce32a2aeb89ca3e2143eefe 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):
+                 pin=None,
+                 pinfile=paths.ALIAS_PWDFILE_TXT,
+                 secdir=paths.HTTPD_ALIAS_DIR,
+-                pre_command=None,
++                pre_command='renew_ra_cert_pre',
+                 post_command='renew_ra_cert')
+         except RuntimeError, e:
+             self.log.error(
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e0a45a097171613397db42e1c035f0d818a3ecf5..c8f744c392c7b859459bda63c1f397226553d4ba 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):
+     dogtag_constants = dogtag.configured_constants()
+ 
+     # bump version when requests is changed
+-    version = 3
++    version = 4
+     requests = (
+         (
+             dogtag_constants.ALIAS_DIR,
+@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):
+             paths.HTTPD_ALIAS_DIR,
+             'ipaCert',
+             'dogtag-ipa-ca-renew-agent',
+-            None,
++            'renew_ra_cert_pre',
+             'renew_ra_cert',
+             None,
+         ),
+-- 
+2.4.3
+
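Review bot: The `finally` in renew_ra_cert's `main` now releases a lock this process never acquired; the acquire lives in the separate renew_ra_cert_pre script, so the lock's lifetime spans two certmonger-invoked processes and it is released only if the post command actually runs. If renewal fails or is abandoned between the pre and post command, or if the post command runs for a request tracked without the new pre command (the `version = 4` bump in upgrade.py re-tracks, but only once upgrade runs), the lock either stays held or `release` is called on a lock this script does not own. I'd document that contract in renew_ra_cert_pre, e.g. `# Acquires the renewal lock; renew_ra_cert (certmonger post-command) releases it.`, and consider whether the pre script should exit non-zero when `acquire` fails, since its `except Exception` currently only logs and the script then ends with exit status 0. `_main` and the rest of renew_ra_cert are outside the hunk.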
diff --git a/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch b/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
new file mode 100644
index 0000000..919da9e
--- /dev/null
+++ b/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
@@ -0,0 +1,73 @@
+From a41ee5aef75e47667defc7b01b89a25309bd4c8d Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Thu, 19 Nov 2015 14:33:49 +0100
+Subject: [PATCH] suppress errors arising from adding existing LDAP entries
+ during KRA install
+
+https://fedorahosted.org/freeipa/ticket/5346
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/krainstance.py | 16 ++++++++++++++--
+ ipaserver/install/service.py     |  4 +++-
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
+index 0000192745b6d7f9f402267e435f7223f1bf8849..a2514debae600bdc46afb92e426a5f616529fde2 100644
+--- a/ipaserver/install/krainstance.py
++++ b/ipaserver/install/krainstance.py
+@@ -47,6 +47,8 @@ from ipapython.ipa_log_manager import log_mgr
+ IPA_KRA_RECORD = "ipa-kra"
+ 
+ 
++LDAPMOD_ERR_ALREADY_EXISTS = 68
++
+ class KRAInstance(DogtagInstance):
+     """
+     We assume that the CA has already been installed, and we use the
+@@ -308,8 +310,18 @@ class KRAInstance(DogtagInstance):
+         conn.disconnect()
+ 
+     def __add_vault_container(self):
+-        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
+-        self.ldap_disconnect()
++        try:
++            self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
++                           raise_on_err=True)
++        except ipautil.CalledProcessError as e:
++            if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
++                self.log.debug("Vault container already exists")
++            else:
++                self.log.error("Failed to add vault container: {0}".format(e))
++        finally:
++            # we need to disconnect from LDAP, because _ldap_mod() makes the
++            # connection without actually using it
++            self.ldap_disconnect()
+ 
+     def __apply_updates(self):
+         sub_dict = {
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 2f5f565b16b42bf82889f9d32b80cf6fa584d438..597c20a60c712a6e521a7b9471f6732cceb27fe7 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -155,7 +155,7 @@ class Service(object):
+         self.admin_conn.unbind()
+         self.admin_conn = None
+ 
+-    def _ldap_mod(self, ldif, sub_dict=None):
++    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
+         pw_name = None
+         fd = None
+         path = ipautil.SHARE_DIR + ldif
+@@ -199,6 +199,8 @@ class Service(object):
+             try:
+                 ipautil.run(args, nolog=nologlist)
+             except ipautil.CalledProcessError, e:
++                if raise_on_err:
++                    raise
+                 root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
+         finally:
+             if pw_name:
+-- 
+2.4.3
+
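Review bot: `LDAPMOD_ERR_ALREADY_EXISTS = 68` in krainstance.py is a bare number with no comment; ldapmodify exits with the LDAP result code and 68 is `entryAlreadyExists`, which the name implies but a reader cannot verify from the code. I'd add `# ldapmodify exits with the LDAP result code; 68 == entryAlreadyExists (RFC 4511)` above it and keep two blank lines before the class. In `__add_vault_container` the `else` branch only logs and lets installation continue without the vault container, as `_ldap_mod`'s own fallback did but at `error` rather than `critical` level; if that is intended, a comment saying the failure is non-fatal would help, otherwise re-raise. The new `raise_on_err` parameter of `Service._ldap_mod` has no documentation; a one-line note that it re-raises `ipautil.CalledProcessError` instead of logging it would suffice.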
diff --git a/SOURCES/0148-fix-caching-in-get_ipa_config.patch b/SOURCES/0148-fix-caching-in-get_ipa_config.patch
new file mode 100644
index 0000000..af0084c
--- /dev/null
+++ b/SOURCES/0148-fix-caching-in-get_ipa_config.patch
@@ -0,0 +1,31 @@
+From 823340f96f16ee7924ba6ce54c8fe43e3ea41469 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Thu, 19 Nov 2015 13:25:49 +0100
+Subject: [PATCH] fix caching in get_ipa_config
+
+Different opbject types were compared thus always result of comparation
+was False and caching does not work.
+
+https://fedorahosted.org/freeipa/ticket/5463
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/plugins/ldap2.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
+index deb0592ab68ab8eb712a6d29fdffd8776e2e289a..5d2945f90f54ba2a099271a3715f4f9c14866e97 100644
+--- a/ipaserver/plugins/ldap2.py
++++ b/ipaserver/plugins/ldap2.py
+@@ -204,7 +204,7 @@ class ldap2(CrudBackend, LDAPClient):
+ 
+         try:
+             config_entry = getattr(context, 'config_entry')
+-            if config_entry.conn is self.conn:
++            if config_entry.conn.conn is self.conn:
+                 return config_entry
+         except AttributeError:
+             # Not in our context yet
+-- 
+2.4.3
+
diff --git a/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch b/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
new file mode 100644
index 0000000..9513440
--- /dev/null
+++ b/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
@@ -0,0 +1,56 @@
+From 64dc38643ead5cb00f3f42562a92769de10ef7b5 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Fri, 20 Nov 2015 09:35:43 +0100
+Subject: [PATCH] client install: do not corrupt OpenSSH config with Match
+ sections
+
+https://fedorahosted.org/freeipa/ticket/5461
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipa-client/ipa-install/ipa-client-install | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..543c6f027f2312792e7ad33533db8e7c10a3cddb 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -1330,6 +1330,7 @@ def change_ssh_config(filename, changes, sections):
+     section_keys = tuple(key.lower() for key in sections)
+ 
+     lines = []
++    in_section = False
+     for line in f:
+         line = line.rstrip('\n')
+         pline = line.strip()
+@@ -1338,7 +1339,7 @@ def change_ssh_config(filename, changes, sections):
+             continue
+         option = pline.split()[0].lower()
+         if option in section_keys:
+-            lines.append(line)
++            in_section = True
+             break
+         if option in change_keys:
+             line = '#' + line
+@@ -1346,6 +1347,9 @@ def change_ssh_config(filename, changes, sections):
+     for option, value in changes.items():
+         if value is not None:
+             lines.append('%s %s' % (option, value))
++    if in_section:
++        lines.append('')
++        lines.append(line)
+     for line in f:
+         line = line.rstrip('\n')
+         lines.append(line)
+@@ -1386,7 +1390,7 @@ def configure_ssh_config(fstore, options):
+         changes['VerifyHostKeyDNS'] = 'yes'
+         changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
+ 
+-    change_ssh_config(ssh_config, changes, ['Host'])
++    change_ssh_config(ssh_config, changes, ['Host', 'Match'])
+     root_logger.info('Configured %s', ssh_config)
+ 
+ def configure_sshd_config(fstore, options):
+-- 
+2.4.3
+
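Review bot: The `Match` key now passed to `change_ssh_config` is detected by the same `pline.split()[0].lower()` test as `Host`, so a header written as `Match=...` or `Host=...` (a spelling ssh_config accepts) is not recognised and the options after it are still treated as part of the global section — the same corruption this commit fixes for `Match`. The new `if in_section:` block relies on `line` still holding the section header after the `break`; that is correct here but easy to break, so a comment such as `# line is the Host/Match header that ended the global section; re-emit it after our options` would make the intent explicit. Note also that the appended empty line plus the commented-out previous options mean each re-run grows the file by one blank line; cosmetic, but worth knowing. The rest of `change_ssh_config` is outside the hunk.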
diff --git a/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch b/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
new file mode 100644
index 0000000..d5bf1d4
--- /dev/null
+++ b/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
@@ -0,0 +1,221 @@
+From 7623bc99813156ce11167ae429a756f920258151 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Fri, 20 Nov 2015 11:53:06 +0100
+Subject: [PATCH] upgrade: fix migration of old dns forward zones
+
+Plugins should call self.api not the global one during upgrade
+
+https://fedorahosted.org/freeipa/ticket/5472
+
+Reviewed-By: Petr Spacek <pspacek@redhat.com>
+---
+ ipalib/plugins/dns.py | 51 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 24 deletions(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index a3d562edb186682a872073e6c83a416b6a4cbc09..37a2c64cbacae5cc5626f17fac68848768af3242 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -1735,7 +1735,7 @@ def _normalize_zone(zone):
+     return zone
+ 
+ 
+-def _get_auth_zone_ldap(name):
++def _get_auth_zone_ldap(api, name):
+     """
+     Find authoritative zone in LDAP for name. Only active zones are considered.
+     :param name:
+@@ -1781,7 +1781,7 @@ def _get_auth_zone_ldap(name):
+     return max(matched_auth_zones, key=len), truncated
+ 
+ 
+-def _get_longest_match_ns_delegation_ldap(zone, name):
++def _get_longest_match_ns_delegation_ldap(api, zone, name):
+     """
+     Searches for deepest delegation for name in LDAP zone.
+ 
+@@ -1857,7 +1857,7 @@ def _get_longest_match_ns_delegation_ldap(zone, name):
+     return max(matched_records, key=len), truncated
+ 
+ 
+-def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
++def _find_subtree_forward_zones_ldap(api, name, child_zones_only=False):
+     """
+     Search for forwardzone <name> and all child forwardzones
+     Filter: (|(*.<name>.)(<name>.))
+@@ -1911,7 +1911,7 @@ def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
+     return result, truncated
+ 
+ 
+-def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
++def _get_zone_which_makes_fw_zone_ineffective(api, fwzonename):
+     """
+     Check if forward zone is effective.
+ 
+@@ -1936,12 +1936,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
+     """
+     assert isinstance(fwzonename, DNSName)
+ 
+-    auth_zone, truncated_zone = _get_auth_zone_ldap(fwzonename)
++    auth_zone, truncated_zone = _get_auth_zone_ldap(api, fwzonename)
+     if not auth_zone:
+         return None, truncated_zone
+ 
+     delegation_record_name, truncated_ns =\
+-        _get_longest_match_ns_delegation_ldap(auth_zone, fwzonename)
++        _get_longest_match_ns_delegation_ldap(api, auth_zone, fwzonename)
+ 
+     truncated = truncated_ns or truncated_zone
+ 
+@@ -1951,12 +1951,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
+     return auth_zone, truncated
+ 
+ 
+-def _add_warning_fw_zone_is_not_effective(result, fwzone, version):
++def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
+     """
+     Adds warning message to result, if required
+     """
+     authoritative_zone, truncated = \
+-        _get_zone_which_makes_fw_zone_ineffective(fwzone)
++        _get_zone_which_makes_fw_zone_ineffective(api, fwzone)
+     if authoritative_zone:
+         # forward zone is not effective and forwarding will not work
+         messages.add_message(
+@@ -2072,7 +2072,7 @@ class DNSZoneBase(LDAPObject):
+     def _remove_permission(self, zone):
+         permission_name = self.permission_name(zone)
+         try:
+-            api.Command['permission_del'](permission_name, force=True)
++            self.api.Command['permission_del'](permission_name, force=True)
+         except errors.NotFound, e:
+             if zone == DNSName.root:  # special case root zone
+                 raise
+@@ -2082,7 +2082,8 @@ class DNSZoneBase(LDAPObject):
+                 zone.relativize(DNSName.root)
+             )
+             try:
+-                api.Command['permission_del'](permission_name_rel, force=True)
++                self.api.Command['permission_del'](permission_name_rel,
++                                                   force=True)
+             except errors.NotFound:
+                 raise e  # re-raise original exception
+ 
+@@ -2272,7 +2273,8 @@ class DNSZoneBase_add_permission(LDAPQuery):
+                 keys[-1].relativize(DNSName.root)
+             )
+             try:
+-                api.Object['permission'].get_dn_if_exists(permission_name_rel)
++                self.api.Object['permission'].get_dn_if_exists(
++                    permission_name_rel)
+             except errors.NotFound:
+                 pass
+             else:
+@@ -2283,7 +2285,7 @@ class DNSZoneBase_add_permission(LDAPQuery):
+                     }
+                 )
+ 
+-        permission = api.Command['permission_add_noaci'](permission_name,
++        permission = self.api.Command['permission_add_noaci'](permission_name,
+                          ipapermissiontype=u'SYSTEM'
+                      )['result']
+ 
+@@ -2643,12 +2645,12 @@ class dnszone(DNSZoneBase):
+         """
+         zone = keys[-1]
+         affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+-            zone, child_zones_only=True)
++            self.api, zone, child_zones_only=True)
+         if not affected_fw_zones:
+             return
+ 
+         for fwzone in affected_fw_zones:
+-            _add_warning_fw_zone_is_not_effective(result, fwzone,
++            _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+                                                   options['version'])
+ 
+ 
+@@ -2686,7 +2688,8 @@ class dnszone_add(DNSZoneBase_add):
+         dn = super(dnszone_add, self).pre_callback(
+             ldap, dn, entry_attrs, attrs_list, *keys, **options)
+ 
+-        nameservers = [normalize_zone(x) for x in api.Object.dnsrecord.get_dns_masters()]
++        nameservers = [normalize_zone(x) for x in
++                       self.api.Object.dnsrecord.get_dns_masters()]
+         server = normalize_zone(api.env.host)
+         zone = keys[-1]
+ 
+@@ -2735,7 +2738,7 @@ class dnszone_add(DNSZoneBase_add):
+                 not zone.is_reverse() and
+                 zone != DNSName.root):
+             try:
+-                api.Command['realmdomains_mod'](add_domain=unicode(zone),
++                self.api.Command['realmdomains_mod'](add_domain=unicode(zone),
+                                                 force=True)
+             except (errors.EmptyModlist, errors.ValidationError):
+                 pass
+@@ -2769,8 +2772,8 @@ class dnszone_del(DNSZoneBase_del):
+                 not zone.is_reverse() and zone != DNSName.root
+         ):
+             try:
+-                api.Command['realmdomains_mod'](del_domain=unicode(zone),
+-                                                force=True)
++                self.api.Command['realmdomains_mod'](
++                    del_domain=unicode(zone), force=True)
+             except (errors.AttrValueNotFound, errors.ValidationError):
+                 pass
+ 
+@@ -3476,12 +3479,12 @@ class dnsrecord(LDAPObject):
+             record_name_absolute = record_name_absolute.derelativize(zone)
+ 
+         affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+-            record_name_absolute)
++            self.api, record_name_absolute)
+         if not affected_fw_zones:
+             return
+ 
+         for fwzone in affected_fw_zones:
+-            _add_warning_fw_zone_is_not_effective(result, fwzone,
++            _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+                                                   options['version'])
+ 
+ 
+@@ -3831,7 +3834,7 @@ class dnsrecord_mod(LDAPUpdate):
+ 
+         # get DNS record first so that the NotFound exception is raised
+         # before the helper would start
+-        dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
++        dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+         rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
+ 
+         self.Backend.textui.print_plain(_("No option to modify specific record provided."))
+@@ -4019,7 +4022,7 @@ class dnsrecord_del(LDAPUpdate):
+ 
+         # get DNS record first so that the NotFound exception is raised
+         # before the helper would start
+-        dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
++        dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+         rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
+ 
+         self.Backend.textui.print_plain(_("No option to delete specific record provided."))
+@@ -4334,7 +4337,7 @@ class dnsforwardzone(DNSZoneBase):
+ 
+     def _warning_fw_zone_is_not_effective(self, result, *keys, **options):
+         fwzone = keys[-1]
+-        _add_warning_fw_zone_is_not_effective(result, fwzone,
++        _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+                                               options['version'])
+ 
+     def _warning_if_forwarders_do_not_work(self, result, new_zone,
+@@ -4374,7 +4377,7 @@ class dnsforwardzone(DNSZoneBase):
+         # validation is configured just in named.conf per replica
+ 
+         ipa_dns_masters = [normalize_zone(x) for x in
+-                           api.Object.dnsrecord.get_dns_masters()]
++                           self.api.Object.dnsrecord.get_dns_masters()]
+ 
+         if not ipa_dns_masters:
+             # something very bad happened, DNS is installed, but no IPA DNS
+-- 
+2.4.3
+
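Review bot: `dnszone_add.pre_callback` in dns.py still reads `server = normalize_zone(api.env.host)` on the context line right after the new `self.api.Object.dnsrecord.get_dns_masters()` call, so this method keeps the global `api` reference the commit is removing; `server = normalize_zone(self.api.env.host)` would be consistent (the two `env` objects may well be the same, but the mixed usage is confusing either way). The module-level helpers now take a parameter named `api` that shadows the global, which is how their unchanged bodies pick up the passed-in instance; that deserves a docstring line, since the docstring of `_get_auth_zone_ldap` lists only `:param name:` — e.g. `:param api: API instance to use; deliberately shadows the module-level api`. The continuation lines after the `self.api.Command['permission_add_noaci'](` and `self.api.Command['realmdomains_mod'](` edits are no longer aligned with their opening parenthesis. The helper bodies are outside the hunk.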
diff --git a/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch b/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
new file mode 100644
index 0000000..43f99b9
--- /dev/null
+++ b/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
@@ -0,0 +1,62 @@
+From c54278c3c90bb5999e1b7c2ed745f6f2b2a83d19 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 20 Nov 2015 15:39:00 +1100
+Subject: [PATCH] TLS and Dogtag HTTPS request logging improvements
+
+Pretty printing the TLS peer certificate to logs on every request
+introduces a lot of noise; do not log it (subject name, key usage
+and validity are still logged).
+
+Fix and tidy up some HTTP logging messages for Dogtag requests.
+
+Part of: https://fedorahosted.org/freeipa/ticket/5269
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipapython/dogtag.py | 9 ++++-----
+ ipapython/nsslib.py | 3 ---
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index 3f0d08154d21a3072e344c311c3e70e414d9dee4..26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -314,7 +314,7 @@ def _httplib_request(
+     if isinstance(host, unicode):
+         host = host.encode('utf-8')
+     uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
+-    root_logger.debug('request %r', uri)
++    root_logger.debug('request %s %s', method, uri)
+     root_logger.debug('request body %r', request_body)
+ 
+     headers = headers or {}
+@@ -337,9 +337,8 @@ def _httplib_request(
+     except Exception, e:
+         raise NetworkError(uri=uri, error=str(e))
+ 
+-    root_logger.debug('request status %d',        http_status)
+-    root_logger.debug('request reason_phrase %r', http_reason_phrase)
+-    root_logger.debug('request headers %s',       http_headers)
+-    root_logger.debug('request body %r',          http_body)
++    root_logger.debug('response status %d %s', http_status, http_reason_phrase)
++    root_logger.debug('response headers %s',   http_headers)
++    root_logger.debug('response body %r',      http_body)
+ 
+     return http_status, http_reason_phrase, http_headers, http_body
+diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
+index def6b104e18fa67268a8c5a8629b533783fb5a95..79b8dc5be6a26cd6136ac62a4fa49572d765a9a0 100644
+--- a/ipapython/nsslib.py
++++ b/ipapython/nsslib.py
+@@ -39,9 +39,6 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
+ 
+     cert = sock.get_peer_certificate()
+ 
+-    root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
+-                              check_sig, is_server, str(cert))
+-
+     pin_args = sock.get_pkcs11_pin_arg()
+     if pin_args is None:
+         pin_args = ()
+-- 
+2.4.3
+
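Review bot: `_httplib_request` in dogtag.py still logs the full request body and response body with `%r` at debug level on the lines kept and rewritten here, while the same commit drops the peer-certificate dump from nsslib.py as too noisy; if any Dogtag call routed through this helper carries secret material, it would land in the debug log verbatim, which I cannot confirm from this hunk. A comment stating the assumption would help, e.g. `# request/response bodies are logged verbatim at debug level; do not route secret material through this helper`, or alternatively cap the logged length. The top of `_httplib_request` is outside the hunk.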
diff --git a/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch b/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
new file mode 100644
index 0000000..45b175c
--- /dev/null
+++ b/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
@@ -0,0 +1,38 @@
+From 08d26c374ae6198b5a1ec59556ca8814329b845f Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 20 Nov 2015 15:59:11 +1100
+Subject: [PATCH] Avoid race condition caused by profile delete and recreate
+
+When importing IPA-managed certificate profiles into Dogtag,
+profiles with the same name (usually caIPAserviceCert) are removed,
+then immediately recreated with the new profile data.  This causes a
+race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
+thread could observe and process the deletion after the profile was
+recreated, disappearing it again.
+
+Update the profile instead of deleting and recreating it to avoid
+this race condition.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5269
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/cainstance.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index d230c9bdcab68f02cce32a2aeb89ca3e2143eefe..3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
+                     root_logger.debug(
+                         "Failed to disable profile '%s' "
+                         "(it is probably already disabled)")
+-                profile_api.delete_profile(profile_id)
+-                profile_api.create_profile(profile_data)
++                profile_api.update_profile(profile_id, profile_data)
+ 
+         # enable the profile
+         try:
+-- 
+2.4.3
+
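Review bot: The `root_logger.debug("Failed to disable profile '%s' (it is probably already disabled)")` call in the context lines directly above the new `update_profile` line has a `%s` placeholder with no argument, so when it fires the logging module reports a formatting error instead of the message; it predates this commit, but passing `profile_id` as the argument while touching this block would fix it. For the new line itself, a one-line comment would keep the rationale from the commit message next to the code, e.g. `# update in place: delete-then-create races with Dogtag's profileChangeMonitor thread`. `_create_dogtag_profile` extends beyond the hunk on both sides.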
diff --git a/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch b/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
new file mode 100644
index 0000000..f686c28
--- /dev/null
+++ b/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
@@ -0,0 +1,117 @@
+From 87f6b21c9bc837cf90fc8b9d0708aeff060e48f3 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Mon, 23 Nov 2015 06:38:17 +0000
+Subject: [PATCH] ipa-cacert-renew: Fix connection to ldap.
+
+https://fedorahosted.org/freeipa/ticket/5468
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/ipa_cacert_manage.py | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
+index 01ec805fc2094326d119827b4358c143f45f3ec4..8790b7066d7641864f8d83c6339cd0a73c620be0 100644
+--- a/ipaserver/install/ipa_cacert_manage.py
++++ b/ipaserver/install/ipa_cacert_manage.py
+@@ -105,9 +105,7 @@ class CACertManage(admintool.AdminTool):
+ 
+         if ((command == 'renew' and options.external_cert_files) or
+             command == 'install'):
+-            self.conn = self.ldap_connect()
+-        else:
+-            self.conn = None
++            self.ldap_connect()
+ 
+         try:
+             if command == 'renew':
+@@ -115,23 +113,21 @@ class CACertManage(admintool.AdminTool):
+             elif command == 'install':
+                 rc = self.install()
+         finally:
+-            if self.conn is not None:
+-                self.conn.disconnect()
++            if api.Backend.ldap2.isconnected():
++                api.Backend.ldap2.disconnect()
+ 
+         return rc
+ 
+     def ldap_connect(self):
+-        conn = ldap2(api)
+-
+         password = self.options.password
+         if not password:
+             try:
+                 ccache = krbV.default_context().default_ccache()
+-                conn.connect(ccache=ccache)
++                api.Backend.ldap2.connect(ccache=ccache)
+             except (krbV.Krb5Error, errors.ACIError):
+                 pass
+             else:
+-                return conn
++                return
+ 
+             password = installutils.read_password(
+                 "Directory Manager", confirm=False, validate=False)
+@@ -139,9 +135,8 @@ class CACertManage(admintool.AdminTool):
+                 raise admintool.ScriptError(
+                     "Directory Manager password required")
+ 
+-        conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
++        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
+ 
+-        return conn
+ 
+     def renew(self):
+         ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+@@ -202,9 +197,10 @@ class CACertManage(admintool.AdminTool):
+               "--external-cert-file=/path/to/external_ca_certificate")
+ 
+     def renew_external_step_2(self, ca, old_cert):
+-        print "Importing the renewed CA certificate, please wait"
++        print("Importing the renewed CA certificate, please wait")
+ 
+         options = self.options
++        conn = api.Backend.ldap2
+         cert_file, ca_file = installutils.load_external_cert(
+             options.external_cert_files, x509.subject_base())
+ 
+@@ -273,21 +269,21 @@ class CACertManage(admintool.AdminTool):
+                 except RuntimeError:
+                     break
+                 certstore.put_ca_cert_nss(
+-                    self.conn, api.env.basedn, ca_cert, nickname, ',,')
++                    conn, api.env.basedn, ca_cert, nickname, ',,')
+ 
+         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
+                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+         try:
+-            entry = self.conn.get_entry(dn, ['usercertificate'])
++            entry = conn.get_entry(dn, ['usercertificate'])
+             entry['usercertificate'] = [cert]
+-            self.conn.update_entry(entry)
++            conn.update_entry(entry)
+         except errors.NotFound:
+-            entry = self.conn.make_entry(
++            entry = conn.make_entry(
+                 dn,
+                 objectclass=['top', 'pkiuser', 'nscontainer'],
+                 cn=[self.cert_nickname],
+                 usercertificate=[cert])
+-            self.conn.add_entry(entry)
++            conn.add_entry(entry)
+         except errors.EmptyModlist:
+             pass
+ 
+@@ -362,7 +358,7 @@ class CACertManage(admintool.AdminTool):
+ 
+         try:
+             certstore.put_ca_cert_nss(
+-                self.conn, api.env.basedn, cert, nickname, trust_flags)
++                api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
+         except ValueError, e:
+             raise admintool.ScriptError(
+                 "Failed to install the certificate: %s" % e)
+-- 
+2.4.3
+
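Review bot: `ldap_connect` still swallows `krbV.Krb5Error` and `errors.ACIError` with a bare `pass` before falling through to the interactive Directory Manager prompt, so an operator whose Kerberos bind was rejected for an authorization reason is asked for the DM password with no indication why; bind and log the exception, e.g. `except (krbV.Krb5Error, errors.ACIError) as e:` / `self.log.debug("Kerberos bind failed, falling back to Directory Manager: %s", e)` (`self.log` appears to exist on `admintool.AdminTool`, as the sibling 0154 patch uses it). The method also lost its return value without any docstring saying the connection now lives in `api.Backend.ldap2`; a one-liner such as `"""Bind api.Backend.ldap2 via the default ccache, or as Directory Manager."""` would tell callers what to use afterwards. The new DM bind `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)` also exceeds the file's line length and should be wrapped like the surrounding code.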
diff --git a/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch b/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
new file mode 100644
index 0000000..f47d768
--- /dev/null
+++ b/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
@@ -0,0 +1,40 @@
+From 23adad20399216198b34d9eadaf53b95f755d0be Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Mon, 23 Nov 2015 07:48:40 +0000
+Subject: [PATCH] ipa-otptoken-import: Fix connection to ldap.
+
+https://fedorahosted.org/freeipa/ticket/5475
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/ipa_otptoken_import.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index 386ca4273c413d9f6a121956d0db3f0c44fe5c24..9be44cfe677a7d33ce3ec7725e23fdbf8141190a 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
++++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -507,10 +507,9 @@ class OTPTokenImport(admintool.AdminTool):
+         api.bootstrap(in_server=True)
+         api.finalize()
+ 
+-        conn = ldap2(api)
+         try:
+             ccache = krbV.default_context().default_ccache()
+-            conn.connect(ccache=ccache)
++            api.Backend.ldap2.connect(ccache=ccache)
+         except (krbV.Krb5Error, errors.ACIError):
+             raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
+ 
+@@ -525,7 +524,7 @@ class OTPTokenImport(admintool.AdminTool):
+                     self.log.info("Added token: %s", keypkg.id)
+                     keypkg.remove()
+         finally:
+-            conn.disconnect()
++            api.Backend.ldap2.disconnect()
+ 
+         # Write out the XML file without the tokens that succeeded.
+         self.doc.save(self.output)
+-- 
+2.4.3
+
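Review bot: The new connect call in `OTPTokenImport.run` discards the caught exception, so an `errors.ACIError` (bind rejected, not a missing ticket) is reported only as `Did you kinit?`; bind the exception and include it: `except (krbV.Krb5Error, errors.ACIError) as e:` / `raise admintool.ScriptError("Unable to connect to LDAP (%s)! Did you kinit?" % e)`. `run` begins outside the hunk, so the surrounding error handling could not be checked.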
diff --git a/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch b/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
new file mode 100644
index 0000000..2120e45
--- /dev/null
+++ b/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
@@ -0,0 +1,33 @@
+From b5aec7bdc5a164133b247925c41d1d41e29a63e5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Mon, 23 Nov 2015 12:09:32 +1100
+Subject: [PATCH] Do not erroneously reinit NSS in Dogtag interface
+
+The Dogtag interface always attempts to (re)init NSS, which can fail
+with SEC_ERROR_BUSY.  Do not reinitialise NSS when it has already
+been initialised with the given dbdir.
+
+Part of: https://fedorahosted.org/freeipa/ticket/5459
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipapython/dogtag.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index 26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f..8996902ba92f0fdd6106e2650c2decde375c593b 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, nickname,
+     """
+ 
+     def connection_factory(host, port):
+-        conn = nsslib.NSSConnection(host, port, dbdir=secdir,
++        no_init = secdir == nsslib.current_dbdir
++        conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
+                                     tls_version_min=api.env.tls_version_min,
+                                     tls_version_max=api.env.tls_version_max)
+         conn.set_debuglevel(0)
+-- 
+2.4.3
+
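Review bot: `no_init = secdir == nsslib.current_dbdir` is a plain string comparison, so a caller passing an equivalent but differently spelled path (trailing slash, relative path, a `sql:` prefix) will still trigger the re-initialisation this patch is meant to avoid and fail with SEC_ERROR_BUSY; if `nsslib.current_dbdir` is stored as given, normalise both sides, e.g. `no_init = os.path.abspath(secdir) == os.path.abspath(nsslib.current_dbdir)`, guarding the `None` case first if `current_dbdir` is unset before any init (both presumed; not visible here). A why-comment on the new line would also help, e.g. `# NSS is already initialised for this dbdir; a second init fails with SEC_ERROR_BUSY`. `https_request` and `connection_factory` both extend beyond the hunk.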
diff --git a/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch b/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch
new file mode 100644
index 0000000..a3f99a6
--- /dev/null
+++ b/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch
@@ -0,0 +1,381 @@
+From 5fb869896c9ed6327f5f004022cdee42f758f78c Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Mon, 23 Nov 2015 12:09:32 +1100
+Subject: [PATCH] Add profiles and default CA ACL on migration
+
+Profiles and the default CA ACL were not being added during replica
+install from pre-4.2 servers.  Update ipa-replica-install to add
+these if they are missing.
+
+Also update the caacl plugin to prevent deletion of the default CA
+ACL and instruct the administrator to disable it instead.
+
+To ensure that the cainstance installation can add profiles, supply
+the RA certificate as part of the instance configuration.
+Certmonger renewal setup is avoided at this point because the NSSDB
+gets reinitialised later in installation procedure.
+
+Also move the addition of the default CA ACL from dsinstance
+installation to cainstance installation.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5459
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ install/share/Makefile.am                    |   1 -
+ install/share/default-caacl.ldif             |  11 ---
+ install/updates/50-dogtag10-migration.update |   1 +
+ ipalib/plugins/caacl.py                      |   8 +++
+ ipaserver/install/ca.py                      |   5 +-
+ ipaserver/install/cainstance.py              | 100 ++++++++++++++++++++-------
+ ipaserver/install/dsinstance.py              |   4 --
+ ipaserver/install/server/replicainstall.py   |   3 +
+ ipaserver/install/server/upgrade.py          |  13 +---
+ 9 files changed, 90 insertions(+), 56 deletions(-)
+ delete mode 100644 install/share/default-caacl.ldif
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e..e4cca8708ab0042d6cb37eba31341e53e3cdac4d 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -29,7 +29,6 @@ app_DATA =				\
+ 	bootstrap-template.ldif		\
+ 	caJarSigningCert.cfg.template	\
+ 	default-aci.ldif		\
+-	default-caacl.ldif		\
+ 	default-hbac.ldif		\
+ 	default-smb-group.ldif		\
+ 	default-trust-view.ldif		\
+diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif
+deleted file mode 100644
+index f3cd5b4d4e3a79bc6638dc1ffdd7028596ded254..0000000000000000000000000000000000000000
+--- a/install/share/default-caacl.ldif
++++ /dev/null
+@@ -1,11 +0,0 @@
+-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
+-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
+-changetype: add
+-objectclass: ipaassociation
+-objectclass: ipacaacl
+-ipauniqueid: autogenerate
+-cn: hosts_services_caIPAserviceCert
+-ipaenabledflag: TRUE
+-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
+-hostcategory: all
+-servicecategory: all
+diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
+index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644
+--- a/install/updates/50-dogtag10-migration.update
++++ b/install/updates/50-dogtag10-migration.update
+@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
+ addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
+ replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+ replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
++addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
+diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
+index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..64dbec16e11e9fa2a67287b195b4bd1180a379e7 100644
+--- a/ipalib/plugins/caacl.py
++++ b/ipalib/plugins/caacl.py
+@@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):
+ 
+     msg_summary = _('Deleted CA ACL "%(value)s"')
+ 
++    def pre_callback(self, ldap, dn, *keys, **options):
++        if keys[0] == 'hosts_services_caIPAserviceCert':
++            raise errors.ProtectedEntryError(
++                label=_("CA ACL"),
++                key=keys[0],
++                reason=_("default CA ACL can be only disabled"))
++        return dn
++
+ 
+ @register()
+ class caacl_mod(LDAPUpdate):
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index 498cc48a742d1b2d862eb9dfdb18743cfb211b78..0de992cb0c15f8161aae4937699baae2a94d305a 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -126,9 +126,10 @@ def install_step_0(standalone, replica_config, options):
+         if standalone:
+             api.Backend.ldap2.disconnect()
+ 
+-        cainstance.install_replica_ca(replica_config, postinstall)
++        cainstance.install_replica_ca(replica_config, postinstall,
++                ra_p12=getattr(options, 'ra_p12', None))
+ 
+-        if standalone:
++        if standalone and not api.Backend.ldap2.isconnected():
+             api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                       bind_pw=dm_password)
+ 
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49..189876f3c0d980e78165d73eed86b2830ac8c5b8 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -391,7 +391,7 @@ class CAInstance(DogtagInstance):
+                            cert_file=None, cert_chain_file=None,
+                            master_replication_port=None,
+                            subject_base=None, ca_signing_algorithm=None,
+-                           ca_type=None):
++                           ca_type=None, ra_p12=None):
+         """Create a CA instance.
+ 
+            For Dogtag 9, this may involve creating the pki-ca instance.
+@@ -465,7 +465,10 @@ class CAInstance(DogtagInstance):
+                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
+                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
+                 self.step("adding RA agent as a trusted user", self.__create_ca_agent)
+-                self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
++            elif ra_p12 is not None:
++                self.step("importing RA certificate from PKCS #12 file",
++                          lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
++            self.step("authorizing RA to modify profiles", configure_profiles_acl)
+             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
+             self.step("configure certificate renewals", self.configure_renewal)
+             if not self.clone:
+@@ -473,9 +476,12 @@ class CAInstance(DogtagInstance):
+             self.step("configure Server-Cert certificate renewal", self.track_servercert)
+             self.step("Configure HTTP to proxy connections",
+                       self.http_proxy)
+-            if not self.clone:
+-                self.step("restarting certificate server", self.restart_instance)
+-                self.step("Importing IPA certificate profiles", import_included_profiles)
++            self.step("restarting certificate server", self.restart_instance)
++            self.step("migrating certificate profiles to LDAP",
++                      migrate_profiles_to_ldap)
++            self.step("importing IPA certificate profiles",
++                      import_included_profiles)
++            self.step("adding default CA ACL", ensure_default_caacl)
+ 
+         self.start_creation(runtime=210)
+ 
+@@ -887,7 +893,7 @@ class CAInstance(DogtagInstance):
+ 
+         export_kra_agent_pem()
+ 
+-    def import_ra_cert(self, rafile):
++    def import_ra_cert(self, rafile, configure_renewal=True):
+         """
+         Cloned RAs will use the same RA agent cert as the master so we
+         need to import from a PKCS#12 file.
+@@ -903,7 +909,8 @@ class CAInstance(DogtagInstance):
+         finally:
+             os.remove(agent_name)
+ 
+-        self.configure_agent_renewal()
++        if configure_renewal:
++            self.configure_agent_renewal()
+ 
+         export_kra_agent_pem()
+ 
+@@ -953,10 +960,6 @@ class CAInstance(DogtagInstance):
+ 
+         conn.disconnect()
+ 
+-    def __configure_profiles_acl(self):
+-        """Allow the Certificate Manager Agents group to modify profiles."""
+-        configure_profiles_acl()
+-
+     def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
+         if not database:
+             database = self.ra_agent_db
+@@ -1491,7 +1494,7 @@ def replica_ca_install_check(config):
+         exit('IPA schema missing on master CA directory server')
+ 
+ 
+-def install_replica_ca(config, postinstall=False):
++def install_replica_ca(config, postinstall=False, ra_p12=None):
+     """
+     Install a CA on a replica.
+ 
+@@ -1533,7 +1536,7 @@ def install_replica_ca(config, postinstall=False):
+         ca.create_ra_agent_db = False
+     ca.configure_instance(config.host_name, config.domain_name,
+                           config.dirman_password, config.dirman_password,
+-                          pkcs12_info=(cafile,),
++                          pkcs12_info=(cafile,), ra_p12=ra_p12,
+                           master_host=config.master_host_name,
+                           master_replication_port=config.ca_ds_port,
+                           subject_base=config.subject_base)
+@@ -1658,6 +1661,14 @@ def update_people_entry(dercert):
+     return True
+ 
+ def ensure_ldap_profiles_container():
++    ensure_entry(
++        DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
++        objectclass=['top', 'organizationalUnit'],
++        ou=['certificateProfiles'],
++    )
++
++
++def ensure_entry(dn, **attrs):
+     server_id = installutils.realm_to_serverid(api.env.realm)
+     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ 
+@@ -1665,40 +1676,39 @@ def ensure_ldap_profiles_container():
+     if not conn.isconnected():
+         conn.connect(autobind=True)
+ 
+-    dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
+     try:
+         conn.get_entry(dn)
+     except errors.NotFound:
+         # entry doesn't exist; add it
+-        entry = conn.make_entry(
+-            dn,
+-            objectclass=['top', 'organizationalUnit'],
+-            ou=['certificateProfiles'],
+-        )
++        entry = conn.make_entry(dn, **attrs)
+         conn.add_entry(entry)
+ 
+     conn.disconnect()
+ 
+ 
+ def configure_profiles_acl():
++    """Allow the Certificate Manager Agents group to modify profiles."""
+     server_id = installutils.realm_to_serverid(api.env.realm)
+     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+     updated = False
+ 
+     dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
+-    rule = (
++    new_rules = [
+         'certServer.profile.configuration:read,modify:allow (read,modify) '
+         'group="Certificate Manager Agents":'
+-        'Certificate Manager agents may modify (create/update/delete) and read profiles'
+-    )
+-    modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
++        'Certificate Manager agents may modify (create/update/delete) and read profiles',
++
++        'certServer.ca.account:login,logout:allow (login,logout) '
++        'user="anybody":Anybody can login and logout',
++    ]
+ 
+     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+     if not conn.isconnected():
+         conn.connect(autobind=True)
+-    rules = conn.get_entry(dn).get('resourceACLS', [])
+-    if rule not in rules:
+-        conn.conn.modify_s(str(dn), modlist)
++    cur_rules = conn.get_entry(dn).get('resourceACLS', [])
++    add_rules = [rule for rule in new_rules if rule not in cur_rules]
++    if add_rules:
++        conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])
+         updated = True
+ 
+     conn.disconnect()
+@@ -1718,6 +1728,17 @@ def import_included_profiles():
+     if not conn.isconnected():
+         conn.connect(autobind=True)
+ 
++    ensure_entry(
++        DN(('cn', 'ca'), api.env.basedn),
++        objectclass=['top', 'nsContainer'],
++        cn=['ca'],
++    )
++    ensure_entry(
++        DN(api.env.container_certprofile, api.env.basedn),
++        objectclass=['top', 'nsContainer'],
++        cn=['certprofiles'],
++    )
++
+     api.Backend.ra_certprofile._read_password()
+     api.Backend.ra_certprofile.override_port = 8443
+ 
+@@ -1823,6 +1844,33 @@ def _create_dogtag_profile(profile_id, profile_data):
+                 "(it is probably already enabled)")
+ 
+ 
++def ensure_default_caacl():
++    """Add the default CA ACL if missing."""
++    if not api.Backend.ldap2.isconnected():
++        try:
++            api.Backend.ldap2.connect(autobind=True)
++        except errors.PublicError as e:
++            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
++            return
++
++    ensure_entry(
++        DN(('cn', 'ca'), api.env.basedn),
++        objectclass=['top', 'nsContainer'],
++        cn=['ca'],
++    )
++    ensure_entry(
++        DN(api.env.container_caacl, api.env.basedn),
++        objectclass=['top', 'nsContainer'],
++        cn=['certprofiles'],
++    )
++
++    if not api.Command.caacl_find()['result']:
++        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
++            hostcategory=u'all', servicecategory=u'all')
++        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
++            certprofile=(u'caIPAserviceCert',))
++
++
+ if __name__ == "__main__":
+     standard_logging_setup("install.log")
+     ds = dsinstance.DsInstance()
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index f33a9e03a4148dde69fc61441c878f5126f8e455..d78158532c4c88d9aa9acf3c65d278f5151458d8 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -310,7 +310,6 @@ class DsInstance(service.Service):
+         self.step("adding range check plugin", self.__add_range_check_plugin)
+         if hbac_allow:
+             self.step("creating default HBAC rule allow_all", self.add_hbac)
+-        self.step("creating default CA ACL rule", self.add_caacl)
+         self.step("adding entries for topology management", self.__add_topology_entries)
+ 
+         self.__common_post_setup()
+@@ -745,9 +744,6 @@ class DsInstance(service.Service):
+     def add_hbac(self):
+         self._ldap_mod("default-hbac.ldif", self.sub_dict)
+ 
+-    def add_caacl(self):
+-        self._ldap_mod("default-caacl.ldif", self.sub_dict)
+-
+     def change_admin_password(self, password):
+         root_logger.debug("Changing admin password")
+         dirname = config_dirname(self.serverid)
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 6f9a6141fe9af44806244ce52df59c191dc966b0..6e9157cabc49161ba27983cbf1de1428d1b48b7d 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -573,6 +573,9 @@ def install(installer):
+         options.domain_name = config.domain_name
+         options.host_name = config.host_name
+ 
++        if ipautil.file_exists(config.dir + "/cacert.p12"):
++            options.ra_p12 = config.dir + "/ra.p12"
++
+         ca.install(False, config, options)
+ 
+     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index c8f744c392c7b859459bda63c1f397226553d4ba..945cb3ebd63767cb1d57083e1da7c5605ac5a2f9 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1321,18 +1321,7 @@ def add_default_caacl(ca):
+         return
+ 
+     if ca.is_configured():
+-        if not api.Backend.ldap2.isconnected():
+-            try:
+-                api.Backend.ldap2.connect(autobind=True)
+-            except ipalib.errors.PublicError as e:
+-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+-                return
+-
+-        if not api.Command.caacl_find()['result']:
+-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+-                hostcategory=u'all', servicecategory=u'all')
+-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+-                certprofile=(u'caIPAserviceCert',))
++        cainstance.ensure_default_caacl()
+ 
+     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
+ 
+-- 
+2.4.3
+
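Review bot: In `ensure_default_caacl` the second `ensure_entry` call creates the `container_caacl` entry with `cn=['certprofiles']`, copied from `import_included_profiles`; the attribute should match that container's RDN, e.g. `cn=['caacls']` (or whatever the RDN of `api.env.container_caacl` is), otherwise the entry carries a cn that does not correspond to its DN. Separately, `caacl_del.pre_callback` protects the default ACL with a case-sensitive `keys[0] == 'hosts_services_caIPAserviceCert'` while the cn the delete then resolves is presumably matched case-insensitively, so `caacl-del Hosts_Services_caIPAserviceCert` would likely bypass the guard; compare with `keys[0].lower() == 'hosts_services_caipaservicecert'`. `configure_profiles_acl` now also adds `certServer.ca.account:login,logout:allow (login,logout) user="anybody"`, which the commit message does not mention; a comment stating why anonymous login/logout must be granted here would help a future auditor. In `replicainstall.install` the guard tests `cacert.p12` but sets `options.ra_p12` to `ra.p12`; checking the file actually used avoids a confusing failure in `import_ra_cert` when only one of them was shipped.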
diff --git a/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch b/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
new file mode 100644
index 0000000..5f8959b
--- /dev/null
+++ b/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
@@ -0,0 +1,33 @@
+From 245f54de1d4e2189b1234000916a7d591fa151b9 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 24 Nov 2015 14:43:10 +0100
+Subject: [PATCH] disconnect ldap2 backend after adding default CA ACL profiles
+
+ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
+could crash server/replica installation at later stages. This patch ensures
+that after checking default CA ACL profiles the backend is disconnected.
+
+https://fedorahosted.org/freeipa/ticket/5459
+
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ ipaserver/install/cainstance.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 189876f3c0d980e78165d73eed86b2830ac8c5b8..c72d11d1e0b86c040dc497744cda87aab22caafd 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1870,6 +1870,9 @@ def ensure_default_caacl():
+         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+             certprofile=(u'caIPAserviceCert',))
+ 
++    if api.Backend.ldap2.isconnected():
++        api.Backend.ldap2.disconnect()
++
+ 
+ if __name__ == "__main__":
+     standard_logging_setup("install.log")
+-- 
+2.4.3
+
diff --git a/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch b/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch
new file mode 100644
index 0000000..ddd390b
--- /dev/null
+++ b/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch
@@ -0,0 +1,39 @@
+From bce98a84720aa6ffdec72e923248719c3cbea8d3 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 24 Nov 2015 16:40:52 +0100
+Subject: [PATCH] do not disconnect when using existing connection to check
+ default CA ACLs
+
+https://fedorahosted.org/freeipa/ticket/5459
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/install/cainstance.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index c72d11d1e0b86c040dc497744cda87aab22caafd..c20bf39c12cff0777d90efad2b0d8d136ee37ec9 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1846,7 +1846,8 @@ def _create_dogtag_profile(profile_id, profile_data):
+ 
+ def ensure_default_caacl():
+     """Add the default CA ACL if missing."""
+-    if not api.Backend.ldap2.isconnected():
++    is_already_connected = api.Backend.ldap2.isconnected()
++    if not is_already_connected:
+         try:
+             api.Backend.ldap2.connect(autobind=True)
+         except errors.PublicError as e:
+@@ -1870,7 +1871,7 @@ def ensure_default_caacl():
+         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+             certprofile=(u'caIPAserviceCert',))
+ 
+-    if api.Backend.ldap2.isconnected():
++    if not is_already_connected:
+         api.Backend.ldap2.disconnect()
+ 
+ 
+-- 
+2.4.3
+
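Review bot: The conditional disconnect at the end of `ensure_default_caacl` is skipped whenever `caacl_find`, `caacl_add` or `caacl_add_profile` raises, so a connection this function opened itself is still leaked on exactly the error path the previous patch set out to close; move the body into a `try` and do the disconnect in `finally`. The `ensure_entry` and command calls themselves need no change. The middle of the function lies outside the hunk.
```python
    is_already_connected = api.Backend.ldap2.isconnected()
    if not is_already_connected:
        # … unchanged: connect(autobind=True), log and return on PublicError …
    try:
        # … unchanged: ensure_entry calls, caacl_find / caacl_add / caacl_add_profile …
    finally:
        if not is_already_connected:
            api.Backend.ldap2.disconnect()
```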
diff --git a/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch b/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
new file mode 100644
index 0000000..8b3c1f3
--- /dev/null
+++ b/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
@@ -0,0 +1,37 @@
+From c466f49b39869ec9817cda4a0485b00a14c52782 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Wed, 25 Nov 2015 09:57:07 +0100
+Subject: [PATCH] Fix upgrade of forwardzones when zone is in realmdomains
+
+https://fedorahosted.org/freeipa/ticket/5472
+
+Reviewed-By: Petr Spacek <pspacek@redhat.com>
+---
+ ipalib/plugins/realmdomains.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
+index c53340591bd0f0f02fcc9db3142b74197aff551b..54c07a7a11a23e82717a30e4ac8a50502bfc7b51 100644
+--- a/ipalib/plugins/realmdomains.py
++++ b/ipalib/plugins/realmdomains.py
+@@ -185,7 +185,7 @@ class realmdomains_mod(LDAPUpdate):
+             if d == api.env.domain:
+                 continue
+             try:
+-                api.Command['dnsrecord_add'](
++                self.api.Command['dnsrecord_add'](
+                     unicode(d),
+                     u'_kerberos',
+                     txtrecord=api.env.realm
+@@ -200,7 +200,7 @@ class realmdomains_mod(LDAPUpdate):
+             if d == api.env.domain:
+                 continue
+             try:
+-                api.Command['dnsrecord_del'](
++                self.api.Command['dnsrecord_del'](
+                     unicode(d),
+                     u'_kerberos',
+                     txtrecord=api.env.realm
+-- 
+2.4.3
+
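Review bot: The two calls now go through `self.api.Command`, but the arguments on the following lines still read `api.env.realm` (and the loop guard `api.env.domain`) from the module-level `api`, so the plugin keeps depending on the global object this change is moving away from; use `self.api.env.realm` and `self.api.env.domain` alongside it. The enclosing `realmdomains_mod` callback starts and ends outside the hunk.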
diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
index d61193c..4c2fd45 100644
--- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
+++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
-From b8147e3295b16164f62d05a78dfd25bfa6f178e2 Mon Sep 17 00:00:00 2001
+From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
 Date: Fri, 5 Sep 2014 11:24:27 +0200
 Subject: [PATCH] Hide pkinit functionality from production version
@@ -108,10 +108,10 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435
          cli_metavar='NAME',
      )
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfea0c922e1 100644
+index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -655,6 +655,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
+@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
  
      no_pkinit = Knob(
          bool, False,
@@ -120,5 +120,5 @@ index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfe
      )
  
 -- 
-2.5.1
+2.4.3
 
diff --git a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
index b1ea0d0..95a6a14 100644
--- a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
+++ b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch
@@ -1,4 +1,4 @@
-From e5e637ffe268e7a8d6fe893baac181bf1f74ee86 Mon Sep 17 00:00:00 2001
+From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 21 Oct 2014 14:56:28 +0200
 Subject: [PATCH] Do not allow installation in FIPS mode
@@ -29,10 +29,10 @@ index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9
      try:
          check_IPA_configuration()
 diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
-index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..37b1547b815cbf08b2e32c6266d073e1635a1c84 100755
+index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
-@@ -3047,6 +3047,10 @@ def main():
+@@ -3051,6 +3051,10 @@ def main():
  
      if not os.getegid() == 0:
          sys.exit("\nYou must be root to run ipa-client-install.\n")
@@ -76,5 +76,5 @@ index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f
  
      client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 -- 
-2.5.1
+2.4.3
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 69f6d9a..a5435f8 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -35,7 +35,7 @@
 
 Name:           ipa
 Version:        4.2.0
-Release:        15%{?dist}
+Release:        15%{?dist}.3
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -43,10 +43,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -194,6 +194,22 @@ Patch0140:      0140-vault-select-a-server-with-KRA-for-vault-operations.patch
 Patch0141:      0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch
 Patch0142:      0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch
 Patch0143:      0143-vault-fix-private-service-vault-creation.patch
+Patch0144:      0144-install-fix-command-line-option-validation.patch
+Patch0145:      0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
+Patch0146:      0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
+Patch0147:      0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
+Patch0148:      0148-fix-caching-in-get_ipa_config.patch
+Patch0149:      0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
+Patch0150:      0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
+Patch0151:      0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
+Patch0152:      0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
+Patch0153:      0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
+Patch0154:      0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
+Patch0155:      0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
+Patch0156:      0156-Add-profiles-and-default-CA-ACL-on-migration.patch
+Patch0157:      0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
+Patch0158:      0158-do-not-disconnect-when-using-existing-connection-to-.patch
+Patch0159:      0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -205,7 +221,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -337,7 +352,7 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 
 Conflicts: %{alt_name}-server
@@ -546,10 +561,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 %build
@@ -1146,8 +1161,51 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 
 %changelog
-* Thu Nov 19 2015 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos
-- Roll in CentOS Branding
+* Wed Nov 25 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.3
+- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
+  upgrade from RHEL 7.0 to RHEL 7.2
+  - Fix upgrade of forwardzones when zone is in realmdomains
+
+* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.2
+- Resolves: #1283890 installer options are not validated at the beginning of
+  installation
+  - Fix incorrectly rebased patch 0144
+- Resolves: #1284803 Default CA ACL rule is not created during
+  ipa-replica-install
+  - disconnect ldap2 backend after adding default CA ACL profiles
+  - do not disconnect when using existing connection to check default CA ACLs
+
+* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.1
+- Resolves: #1283882 IPA certificate auto renewal fail with "Invalid
+  Credential"
+  - cert renewal: make renewal of ipaCert atomic
+- Resolves: #1283883 ipa upgrade causes vault internal error
+  - install: export KRA agent PEM file in ipa-kra-install
+- Resolves: #1283884 ipa-kra-install: fails to apply updates
+  - suppress errors arising from adding existing LDAP entries during KRA
+    install
+- Resolves: #1283890 installer options are not validated at the beginning of
+  installation
+  - install: fix command line option validation
+- Resolves: #1283915 Caching of ipaconfig does not work in framework
+  - fix caching in get_ipa_config
+- Resolves: #1284025 sshd_config change on ipa-client-install can prevent sshd
+  from starting up
+  - client install: do not corrupt OpenSSH config with Match sections
+- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
+  upgrade from RHEL 7.0 to RHEL 7.2
+  - upgrade: fix migration of old dns forward zones
+- Resolves: #1284803 Default CA ACL rule is not created during
+  ipa-replica-install
+  - TLS and Dogtag HTTPS request logging improvements
+  - Avoid race condition caused by profile delete and recreate
+  - Do not erroneously reinit NSS in Dogtag interface
+  - Add profiles and default CA ACL on migration
+- Resolves: #1284811 ipa-cacert-manage renew fails on nonexistent ldap
+  connection
+  - ipa-cacert-renew: Fix connection to ldap.
+- Resolves: #1284813 ipa-otptoken-import fails on nonexistent ldap connection
+  - ipa-otptoken-import: Fix connection to ldap.
 
 * Tue Oct 13 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15
 - Resolves: #1252556 Missing CLI param and ACL for vault service operations