diff --git a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
deleted file mode 100644
index 729a5b9..0000000
--- a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Tue, 15 Nov 2016 14:02:54 +1000
-Subject: [PATCH] certprofile-mod: correctly authorise config update
-
-Certificate profiles consist of an FreeIPA object, and a
-corresponding Dogtag configuration object.  When updating profile
-configuration, changes to the Dogtag configuration are not properly
-authorised, allowing unprivileged operators to modify (but not
-create or delete) profiles.  This could result in issuance of
-certificates with fraudulent subject naming information, improper
-key usage, or other badness.
-
-Update certprofile-mod to ensure that the operator has permission to
-modify FreeIPA certprofile objects before modifying the Dogtag
-configuration.
-
-https://fedorahosted.org/freeipa/ticket/6560
-
-Reviewed-By: Jan Cholasta <jcholast@redhat.com>
----
- ipaserver/plugins/certprofile.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
-index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
---- a/ipaserver/plugins/certprofile.py
-+++ b/ipaserver/plugins/certprofile.py
-@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
-             raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
-                 reason=_('Certificate profiles cannot be renamed'))
-         if 'file' in options:
-+            # ensure operator has permission to update a certprofile
-+            if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
-+                raise errors.ACIError(info=_(
-+                    "Insufficient privilege to modify a certificate profile."))
-+
-             with self.api.Backend.ra_certprofile as profile_api:
-                 profile_api.disable_profile(keys[0])
-                 try:
--- 
-2.10.2
-
diff --git a/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch b/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
new file mode 100644
index 0000000..245f42b
--- /dev/null
+++ b/SOURCES/0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
@@ -0,0 +1,37 @@
+From 405446b0f08551fa82fd0f6d71f219d68641732b Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Wed, 23 Nov 2016 16:58:39 +0100
+Subject: [PATCH] replication: ensure bind DN group check interval is set on
+ replica config
+
+This is a safeguard ensuring valid replica configuration against incorrectly
+upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
+their domain/ca topology config.
+
+https://fedorahosted.org/freeipa/ticket/6508
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/replication.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index b8b665267ea8debba9f0ce01f54a78cd67d88292..e9624894d7d1e745be8072268fa76d51a8c117e3 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -452,6 +452,12 @@ class ReplicationManager(object):
+             if replica_groupdn not in binddn_groups:
+                 mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+                             replica_groupdn))
++
++            if 'nsds5replicabinddngroupcheckinterval' not in entry:
++                mod.append(
++                    (ldap.MOD_ADD,
++                     'nsds5replicabinddngroupcheckinterval',
++                     '60'))
+             if mod:
+                 conn.modify_s(dn, mod)
+ 
+-- 
+2.7.4
+
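Review bot: The check interval is added as the bare literal `'60'` with nothing saying what it represents or its unit, and the same literal reappears later in this series in the 0147 replication.py patch (`set_replica_binddngroup`) and the 0148 update_ca_topology.py patch (`default_check_interval = ['60']`). Defining it once, e.g. `REPLICA_BINDDN_GROUP_CHECK_INTERVAL = '60'  # nsds5replicabinddngroupcheckinterval, presumably seconds` at module level in replication.py, would keep the three sites in step when the default changes. The enclosing method `replica_config` starts and ends outside the hunk, and 0147 in the same series moves this block into a helper without changing the literal.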
diff --git a/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch b/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
new file mode 100644
index 0000000..268bb59
--- /dev/null
+++ b/SOURCES/0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
@@ -0,0 +1,38 @@
+From b84a175ad6a8c2b25d6db388fa88e6441d97ae94 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 6 Dec 2016 12:13:34 +0100
+Subject: [PATCH] bindinstance: use data in named.conf to determine
+ configuration status
+
+Instead of checking sysrestore status which leads to incorrect
+evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
+into named.conf to see whther it was already modified by IPA installer.
+
+https://fedorahosted.org/freeipa/ticket/6503
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/bindinstance.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 7538e145cbe37dfc21963d97dea0e835e3bd5072..a65b065fd654655ff034e277eb7e0ad49e4a418e 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -1170,6 +1170,13 @@ class BindInstance(service.Service):
+         self.api.Command.dnsconfig_show.output_for_cli(textui, result, None,
+                                                        reverse=False)
+ 
++    def is_configured(self):
++        """
++        Override the default logic querying StateFile for configuration status
++        and look whether named.conf was already modified by IPA installer.
++        """
++        return named_conf_exists()
++
+     def uninstall(self):
+         if self.is_configured():
+             self.print_msg("Unconfiguring %s" % self.service_name)
+-- 
+2.7.4
+
diff --git a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
deleted file mode 100644
index 9c4e4af..0000000
--- a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
-From: David Kupka <dkupka@redhat.com>
-Date: Thu, 29 Sep 2016 15:59:34 +0200
-Subject: [PATCH] password policy: Add explicit default password policy for
- hosts and services
-
-Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
-cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
-Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
-CoS so no attributes are really added.
-
-The default policies effectively disable any enforcement or lockout for hosts
-and services. Since hosts and services use keytabs passwords enforcements
-doesn't make much sense. Also the lockout policy could be used for easy and
-cheap DoS.
-
-https://fedorahosted.org/freeipa/ticket/6561
-
-Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
----
- install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
- install/updates/Makefile.am                       |   1 +
- ipaserver/install/service.py                      |   1 +
- 3 files changed, 135 insertions(+)
- create mode 100644 install/updates/20-default_password_policy.update
-
-diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
-new file mode 100644
-index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
---- /dev/null
-+++ b/install/updates/20-default_password_policy.update
-@@ -0,0 +1,133 @@
-+# Default password policies for hosts, services and Kerberos services
-+# Setting all attributes to zero effectively disables any password policy
-+# We can do this because hosts and services uses keytabs instead of passwords
-+
-+# hosts
-+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Host Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# services
-+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Service Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# kerberos policy container
-+# this is necessary to avoid mixing the Kerberos sevice password policy
-+# with group-membership based user password policies
-+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Kerberos Service Password Policy
-+
-+# kerberos services
-+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Kerberos Service Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# default password policies for hosts, services and kerberos services
-+# cosPriority is set intentionally to higher number than FreeIPA API allows
-+# to set to ensure that these password policies have always lower priority
-+# than any defined by user.
-+
-+# hosts
-+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
-+default:description: Default Password Policy for Hosts
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-+
-+# services
-+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
-+default:description: Default Password Policy for Services
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-+
-+# kerberos services
-+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:description: Default Password Policy for Kerberos Services
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
-index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
---- a/install/updates/Makefile.am
-+++ b/install/updates/Makefile.am
-@@ -23,6 +23,7 @@ app_DATA =				\
- 	20-winsync_index.update		\
- 	20-idoverride_index.update	\
- 	20-uuid.update  \
-+	20-default_password_policy.update \
- 	21-replicas_container.update	\
- 	21-ca_renewal_container.update	\
- 	21-certstore_container.update	\
-diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
-index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
---- a/ipaserver/install/service.py
-+++ b/ipaserver/install/service.py
-@@ -252,6 +252,7 @@ class Service(object):
-             # There is no service in the wrong location, nothing to do.
-             # This can happen when installing a replica
-             return None
-+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
-         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
-         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
-         self.admin_conn.delete_entry(entry)
--- 
-2.10.2
-
diff --git a/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch b/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
new file mode 100644
index 0000000..ab2aa23
--- /dev/null
+++ b/SOURCES/0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
@@ -0,0 +1,93 @@
+From 32b222610532b543d713d4d4b5ce02eed15a66d5 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Tue, 6 Dec 2016 18:07:50 +0100
+Subject: [PATCH] gracefully handle setting replica bind dn group on old
+ masters
+
+Pre-3.3 masters do not support setting 'nsds5replicabinddngroup'
+attribute on existing replica entry during setup of initial replication.
+In this case UNWILLING_TO_PERFORM is returned. The code can interpret
+this error as an indication of old master and fall back to just adding
+its LDAP principal to entry's 'nsds5replicabinddn' attribute.
+
+https://fedorahosted.org/freeipa/ticket/6532
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/replication.py | 48 ++++++++++++++++++++++++++--------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index e9624894d7d1e745be8072268fa76d51a8c117e3..5f03ddeadfc515255509a1f49d3b38687e561b9f 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -429,6 +429,34 @@ class ReplicationManager(object):
+         return DN(('cn', 'replica'), ('cn', self.db_suffix),
+                   ('cn', 'mapping tree'), ('cn', 'config'))
+ 
++    def set_replica_binddngroup(self, r_conn, entry, replica_groupdn):
++        """
++        Set nsds5replicabinddngroup attribute on remote master's replica entry.
++        Older masters (ipa < 3.3) may not support setting this attribute. In
++        this case log the error and fall back to setting replica's binddn
++        directly.
++        """
++        binddn_groups = {
++            DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
++
++        mod = []
++        if replica_groupdn not in binddn_groups:
++            mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
++                        replica_groupdn))
++
++        if 'nsds5replicabinddngroupcheckinterval' not in entry:
++            mod.append(
++                (ldap.MOD_ADD,
++                 'nsds5replicabinddngroupcheckinterval',
++                 '60'))
++        if mod:
++            try:
++                r_conn.modify_s(entry.dn, mod)
++            except ldap.UNWILLING_TO_PERFORM:
++                root_logger.debug(
++                    "nsds5replicabinddngroup attribute not supported on "
++                    "remote master.")
++
+     def replica_config(self, conn, replica_id, replica_binddn):
+         assert isinstance(replica_binddn, DN)
+         dn = self.replica_dn()
+@@ -440,27 +468,15 @@ class ReplicationManager(object):
+         try:
+             entry = conn.get_entry(dn)
+             managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
+-            binddn_groups = {
+-                DN(p) for p in entry.get('nsds5replicabinddngroup', [])}
+ 
+-            mod = []
+             if replica_binddn not in managers:
+                 # Add the new replication manager
+-                mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
+-                            replica_binddn))
+-
+-            if replica_groupdn not in binddn_groups:
+-                mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+-                            replica_groupdn))
+-
+-            if 'nsds5replicabinddngroupcheckinterval' not in entry:
+-                mod.append(
+-                    (ldap.MOD_ADD,
+-                     'nsds5replicabinddngroupcheckinterval',
+-                     '60'))
+-            if mod:
++                mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
++                        replica_binddn)]
+                 conn.modify_s(dn, mod)
+ 
++            self.set_replica_binddngroup(conn, entry, replica_groupdn)
++
+             # replication is already configured
+             return
+         except errors.NotFound:
+-- 
+2.7.4
+
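Review bot: In `set_replica_binddngroup`, `except ldap.UNWILLING_TO_PERFORM` treats every such refusal as "old master" and drops it at debug level, although the single `modify_s` also carries the `nsds5replicabinddngroupcheckinterval` change and nothing in the handler records the server's reason. Since the outcome is that the remote replica keeps trusting `nsDS5ReplicaBindDN` alone rather than the bind DN group, this degraded state should be visible and carry the error: `except ldap.UNWILLING_TO_PERFORM as e:` / `root_logger.warning("Could not set replica bind DN group on remote master (pre-3.3?): %s", e)`. The docstring also claims the method falls back to "setting replica's binddn directly", but the method only logs; the bind DN is added unconditionally by the caller `replica_config` before this call (second hunk), so the docstring should say the caller is responsible for that. `replica_config` continues beyond the end of the hunk.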
diff --git a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
deleted file mode 100644
index 96cc471..0000000
--- a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 15 Dec 2016 16:30:00 +0200
-Subject: [PATCH] ipa-kdb: search for password policies globally
-
-With the CoS templates now used to create additional password policies
-per object type that are placed under the object subtrees, DAL driver
-needs to search for the policies in the whole tree.
-
-Individual policies referenced by the krbPwdPolicyReference attribute
-are always searched by their full DN and with the base scope. However,
-when KDC asks a DAL driver to return a password policy by name, we don't
-have any specific base to search. The original code did search by the
-realm subtree.
-
-Fixes https://fedorahosted.org/freeipa/ticket/6561
-
-Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
---- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
-     }
- 
-     kerr = ipadb_simple_search(ipactx,
--                               ipactx->realm_base, LDAP_SCOPE_SUBTREE,
-+                               ipactx->base, LDAP_SCOPE_SUBTREE,
-                                src_filter, std_pwdpolicy_attrs, &res);
-     if (kerr) {
-         goto done;
--- 
-2.10.2
-
diff --git a/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch b/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
new file mode 100644
index 0000000..6844cbb
--- /dev/null
+++ b/SOURCES/0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
@@ -0,0 +1,60 @@
+From 3ff9fc2141e16e7cbd4fa30c16d60e915c2c3ee4 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky <mbabinsk@redhat.com>
+Date: Wed, 7 Dec 2016 14:00:09 +0100
+Subject: [PATCH] add missing attribute to ipaca replica during CA topology
+ update
+
+'nsds5replicabinddngroupcheckinterval' attribute was not properly added
+to 'o=ipaca' replica attribute during upgrade. The CA topology update
+plugin should now add it to the entry if it exists.
+
+https://fedorahosted.org/freeipa/ticket/6508
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/install/plugins/update_ca_topology.py | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
+index d76849bf9de46b1e4ad52dbae7081b4d3aec5273..f82926b19175c3fd42bd794205ec4216fc776707 100644
+--- a/ipaserver/install/plugins/update_ca_topology.py
++++ b/ipaserver/install/plugins/update_ca_topology.py
+@@ -2,8 +2,10 @@
+ # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+ #
+ 
++from ipalib import errors
+ from ipalib import Registry
+ from ipalib import Updater
++from ipapython.dn import DN
+ from ipaserver.install import certs, cainstance
+ from ipaserver.install import ldapupdate
+ from ipaplatform.paths import paths
+@@ -31,4 +33,24 @@ class update_ca_topology(Updater):
+ 
+         ld.update([paths.CA_TOPOLOGY_ULDIF])
+ 
++        ldap = self.api.Backend.ldap2
++
++        ca_replica_dn = DN(
++            ('cn', 'replica'),
++            ('cn', 'o=ipaca'),
++            ('cn', 'mapping tree'),
++            ('cn', 'config'))
++
++        check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
++        default_check_interval = ['60']
++
++        try:
++            ca_replica_entry = ldap.get_entry(ca_replica_dn)
++        except errors.NotFound:
++            pass
++        else:
++            if check_interval_attr not in ca_replica_entry:
++                ca_replica_entry[check_interval_attr] = default_check_interval
++                ldap.update_entry(ca_replica_entry)
++
+         return False, []
+-- 
+2.7.4
+
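Review bot: The `except errors.NotFound: pass` around the `o=ipaca` replica lookup leaves no record of the outcome, so on a master where the CA replica entry is absent an admin reading the upgrade log cannot tell whether the interval was set or the step was skipped. A one-line debug message in the except branch, `CA replica entry %s not found, skipping check interval update`, via whatever logger the `Updater` base class exposes (none is imported in this hunk), would make the step auditable. The enclosing `execute` method starts outside the hunk.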
diff --git a/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch b/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch
new file mode 100644
index 0000000..a3fd173
--- /dev/null
+++ b/SOURCES/0149-Check-for-conflict-entries-before-raising-domain-lev.patch
@@ -0,0 +1,64 @@
+From 81a1bdae1743c4cd7aab296cb0a7474b9bd52b33 Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz <lkrispen@redhat.com>
+Date: Fri, 9 Dec 2016 15:04:21 +0100
+Subject: [PATCH] Check for conflict entries before raising domain level
+
+Checking of conflicts is not only done in topology container as
+tests showed it can occurs elsewhere
+
+https://fedorahosted.org/freeipa/ticket/6534
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ ipaserver/plugins/domainlevel.py | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py
+index 23fa2a1b2f0f681ac215e96a651d688294df4b99..d8c508a64dd91a0a18e061d2af3080c8f1b38260 100644
+--- a/ipaserver/plugins/domainlevel.py
++++ b/ipaserver/plugins/domainlevel.py
+@@ -48,6 +48,30 @@ def get_domainlevel_range(master_entry):
+         return DomainLevelRange(0, 0)
+ 
+ 
++def check_conflict_entries(ldap, api, desired_value):
++    """
++    Check if conflict entries exist in topology subtree
++    """
++
++    container_dn = DN(
++        ('cn', 'ipa'),
++        ('cn', 'etc'),
++        api.env.basedn
++    )
++    conflict = "(nsds5replconflict=*)"
++    subentry = "(|(objectclass=ldapsubentry)(objectclass=*))"
++    try:
++        ldap.get_entries(
++            filter="(& %s %s)" % (conflict, subentry),
++            base_dn=container_dn,
++            scope=ldap.SCOPE_SUBTREE)
++        message = _("Domain Level cannot be raised to {0}, "
++                    "existing replication conflicts have to be resolved."
++                    .format(desired_value))
++        raise errors.InvalidDomainLevelError(reason=message)
++    except errors.NotFound:
++        pass
++
+ def get_master_entries(ldap, api):
+     """
+     Returns list of LDAPEntries representing IPA masters.
+@@ -131,6 +155,10 @@ class domainlevel_set(Command):
+                             .format(desired_value, master['cn'][0]))
+                 raise errors.InvalidDomainLevelError(reason=message)
+ 
++        # Check if conflict entries exist in topology subtree
++        # should be resolved first
++        check_conflict_entries(ldap, self.api, desired_value)
++
+         current_entry.single_value['ipaDomainLevel'] = desired_value
+         ldap.update_entry(current_entry)
+ 
+-- 
+2.7.4
+
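Review bot: In `check_conflict_entries`, `.format(desired_value)` is applied to the string literal inside the `_()` call, so the text looked up in the translation catalog already contains the concrete level and can never match a translated msgid; format the translated result instead: `message = _("Domain Level cannot be raised to {0}, existing replication conflicts have to be resolved.").format(desired_value)`. The existing message shown as context in the second hunk appears to follow the same pattern and may need the same fix. The docstring says "topology subtree" and the caller's comment in the second hunk repeats it, but the search base is `cn=ipa,cn=etc,<basedn>`, which is wider than the topology container (the commit message says conflicts occur elsewhere), so the docstring should name the actual base. A short comment on the `(|(objectclass=ldapsubentry)(objectclass=*))` filter explaining why the subentry class is listed explicitly would also help the next reader.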
diff --git a/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch
new file mode 100644
index 0000000..55acdcc
--- /dev/null
+++ b/SOURCES/0150-certprofile-mod-correctly-authorise-config-update.patch
@@ -0,0 +1,43 @@
+From 59e072eab0d58af195a14d53240de20ee4a3171f Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 15 Nov 2016 14:02:54 +1000
+Subject: [PATCH] certprofile-mod: correctly authorise config update
+
+Certificate profiles consist of an FreeIPA object, and a
+corresponding Dogtag configuration object.  When updating profile
+configuration, changes to the Dogtag configuration are not properly
+authorised, allowing unprivileged operators to modify (but not
+create or delete) profiles.  This could result in issuance of
+certificates with fraudulent subject naming information, improper
+key usage, or other badness.
+
+Update certprofile-mod to ensure that the operator has permission to
+modify FreeIPA certprofile objects before modifying the Dogtag
+configuration.
+
+https://fedorahosted.org/freeipa/ticket/6560
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/plugins/certprofile.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
+index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
+--- a/ipaserver/plugins/certprofile.py
++++ b/ipaserver/plugins/certprofile.py
+@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
+             raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
+                 reason=_('Certificate profiles cannot be renamed'))
+         if 'file' in options:
++            # ensure operator has permission to update a certprofile
++            if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
++                raise errors.ACIError(info=_(
++                    "Insufficient privilege to modify a certificate profile."))
++
+             with self.api.Backend.ra_certprofile as profile_api:
+                 profile_api.disable_profile(keys[0])
+                 try:
+-- 
+2.7.4
+
diff --git a/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch
new file mode 100644
index 0000000..22ac7ff
--- /dev/null
+++ b/SOURCES/0151-password-policy-Add-explicit-default-password-policy.patch
@@ -0,0 +1,192 @@
+From 018266f9dcc06cedcfe679ed32870dd3eda2ece7 Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Thu, 29 Sep 2016 15:59:34 +0200
+Subject: [PATCH] password policy: Add explicit default password policy for
+ hosts and services
+
+Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
+cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
+Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
+CoS so no attributes are really added.
+
+The default policies effectively disable any enforcement or lockout for hosts
+and services. Since hosts and services use keytabs passwords enforcements
+doesn't make much sense. Also the lockout policy could be used for easy and
+cheap DoS.
+
+https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
+---
+ install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
+ install/updates/Makefile.am                       |   1 +
+ ipaserver/install/service.py                      |   1 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 install/updates/20-default_password_policy.update
+
+diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
+--- /dev/null
++++ b/install/updates/20-default_password_policy.update
+@@ -0,0 +1,133 @@
++# Default password policies for hosts, services and Kerberos services
++# Setting all attributes to zero effectively disables any password policy
++# We can do this because hosts and services uses keytabs instead of passwords
++
++# hosts
++dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Host Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# services
++dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# kerberos policy container
++# this is necessary to avoid mixing the Kerberos sevice password policy
++# with group-membership based user password policies
++dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Kerberos Service Password Policy
++
++# kerberos services
++dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Kerberos Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# default password policies for hosts, services and kerberos services
++# cosPriority is set intentionally to higher number than FreeIPA API allows
++# to set to ensure that these password policies have always lower priority
++# than any defined by user.
++
++# hosts
++dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Hosts
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# services
++dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# kerberos services
++dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++
++dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:description: Default Password Policy for Kerberos Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -23,6 +23,7 @@ app_DATA =				\
+ 	20-winsync_index.update		\
+ 	20-idoverride_index.update	\
+ 	20-uuid.update  \
++	20-default_password_policy.update \
+ 	21-replicas_container.update	\
+ 	21-ca_renewal_container.update	\
+ 	21-certstore_container.update	\
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -252,6 +252,7 @@ class Service(object):
+             # There is no service in the wrong location, nothing to do.
+             # This can happen when installing a replica
+             return None
++        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
+         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
+         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
+         self.admin_conn.delete_entry(entry)
+-- 
+2.7.4
+
diff --git a/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch
new file mode 100644
index 0000000..c92f812
--- /dev/null
+++ b/SOURCES/0152-ipa-kdb-search-for-password-policies-globally.patch
@@ -0,0 +1,38 @@
+From 3e27ba027208df0408c77307e403bc8382aa3395 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 15 Dec 2016 16:30:00 +0200
+Subject: [PATCH] ipa-kdb: search for password policies globally
+
+With the CoS templates now used to create additional password policies
+per object type that are placed under the object subtrees, DAL driver
+needs to search for the policies in the whole tree.
+
+Individual policies referenced by the krbPwdPolicyReference attribute
+are always searched by their full DN and with the base scope. However,
+when KDC asks a DAL driver to return a password policy by name, we don't
+have any specific base to search. The original code did search by the
+realm subtree.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+     }
+ 
+     kerr = ipadb_simple_search(ipactx,
+-                               ipactx->realm_base, LDAP_SCOPE_SUBTREE,
++                               ipactx->base, LDAP_SCOPE_SUBTREE,
+                                src_filter, std_pwdpolicy_attrs, &res);
+     if (kerr) {
+         goto done;
+-- 
+2.7.4
+
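Review bot: Widening the search base from `ipactx->realm_base` to `ipactx->base` means a by-name policy lookup now spans the whole suffix, so the result is unique only if `src_filter` constrains more than cn; the LDIF added earlier in this series creates several entries named `Default Password Policy` in different subtrees (cn=computers, cn=services, cn=$REALM), though the krbPwdPolicy entries themselves carry distinct names. If the search can return more than one entry, the code after the hunk should check the result count and reject ambiguity or select deterministically rather than take the first match; whether the filter also keys on objectClass is not visible here, so this may already be covered. A comment on the changed line such as `/* policies can live under any object subtree (CoS templates), so search the whole base */` would record why the base was widened. The body of ipadb_get_pwd_policy continues outside the hunk.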
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d301bee..ed206ac 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
 
 Name:           ipa
 Version:        4.4.0
-Release:        14%{?dist}.1.1
+Release:        14%{?dist}.4
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -51,10 +51,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -203,9 +203,14 @@ Patch0141:      0141-WebUI-services-without-canonical-name-are-shown-corr.patch
 Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
 Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
 Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
-Patch0145:      0145-certprofile-mod-correctly-authorise-config-update.patch
-Patch0146:      0146-password-policy-Add-explicit-default-password-policy.patch
-Patch0147:      0147-ipa-kdb-search-for-password-policies-globally.patch
+Patch0145:      0145-replication-ensure-bind-DN-group-check-interval-is-s.patch
+Patch0146:      0146-bindinstance-use-data-in-named.conf-to-determine-con.patch
+Patch0147:      0147-gracefully-handle-setting-replica-bind-dn-group-on-o.patch
+Patch0148:      0148-add-missing-attribute-to-ipaca-replica-during-CA-top.patch
+Patch0149:      0149-Check-for-conflict-entries-before-raising-domain-lev.patch
+Patch0150:      0150-certprofile-mod-correctly-authorise-config-update.patch
+Patch0151:      0151-password-policy-Add-explicit-default-password-policy.patch
+Patch0152:      0152-ipa-kdb-search-for-password-policies-globally.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -217,7 +222,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -797,10 +801,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 
@@ -1536,14 +1540,28 @@ fi
 
 
 %changelog
-* Mon Jan 02 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.1.1
-- Roll in CentOS Branding
-
-* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1.1
+* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
   by abusing password policy
   - ipa-kdb: search for password policies globally
-- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
+- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream
+
+* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.3
+- Resolves: #1404338 Check IdM Topology for broken record caused by replication
+  conflict before upgrading it
+  - Check for conflict entries before raising domain level
+
+* Tue Dec 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.2
+- Resolves: #1401953 ipa-ca-install on promoted replica hangs on creating a
+  temporary CA admin
+  - replication: ensure bind DN group check interval is set on replica config
+  - add missing attribute to ipaca replica during CA topology update
+- Resolves: #1404169 IPA upgrade of replica without DNS fails during restart of
+  named-pkcs11
+  - bindinstance: use data in named.conf to determine configuration status
+- Resolves: #1404171 Creation of replica for disconnected environment is
+  failing with CA issuance errors; Need good steps.
+  - gracefully handle setting replica bind dn group on old masters
 
 * Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
 - Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services