diff --git a/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch b/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
new file mode 100644
index 0000000..6cbca7b
--- /dev/null
+++ b/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
@@ -0,0 +1,50 @@
+From ad0f85945daa0b0bfbddbcde992c5388c170518f Mon Sep 17 00:00:00 2001
+From: Aleksei Slaikovskii <aslaikov@redhat.com>
+Date: Wed, 18 Oct 2017 09:52:08 +0200
+Subject: [PATCH] Less confusing message for PKINIT configuration during
+ install
+
+The message about an error during replica setup was causing the
+users to think the installation gone wrong even though this was
+an expected behavior when ipa-replica-install was ran without
+--no-pkinit flag and CA somehow is not reachable which defines
+that there is something wrong in a topology but does not lead
+to failure of the replica's installation. So now installation
+will not print error messages to stdout but rather will give a
+recomendation to user and write the old error message to log
+as a warning so it still will be easy to find if needed.
+
+https://pagure.io/freeipa/issue/7179
+
+Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
+---
+ ipaserver/install/krbinstance.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 6b51e65d1ec985bfc01f167aea3fe3ca11c7ec29..34fe46aa8ef297bf69eb74953c956ad9c3d30def 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -494,8 +494,17 @@ class KrbInstance(service.Service):
+             self._install_pkinit_ca_bundle()
+             self.pkinit_enable()
+         except RuntimeError as e:
+-            root_logger.error("PKINIT certificate request failed: %s", e)
+-            root_logger.error("Failed to configure PKINIT")
++            root_logger.warning("PKINIT certificate request failed: %s", e)
++            root_logger.warning("Failed to configure PKINIT")
++
++            self.print_msg("Full PKINIT configuration did not succeed")
++            self.print_msg(
++                "The setup will only install bits "
++                "essential to the server functionality")
++            self.print_msg(
++                "You can enable PKINIT after the "
++                "setup completed using 'ipa-pkinit-manage'")
++
+             self.stop_tracking_certs()
+             self.issue_selfsigned_pkinit_certs()
+ 
+-- 
+2.13.5
+
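Review bot: The new console text in the `except RuntimeError` branch never says that the installer falls back to self-signed PKINIT certificates (`issue_selfsigned_pkinit_certs()` on the context lines that follow). Because the underlying failure is now logged only at warning level, an operator or a log monitor keyed to errors may not notice that the KDC is left without a CA-issued certificate. I would add one more line such as `self.print_msg("A self-signed PKINIT certificate is used until then; see the install log for the original error")`, plus a comment above the two `warning()` calls: `# expected when the CA is unreachable; installation continues with self-signed certs`. The `try` block begins outside the hunk, so whether other exception types can reach this path cannot be judged from here.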
diff --git a/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch b/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch
new file mode 100644
index 0000000..fe12f23
--- /dev/null
+++ b/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch
@@ -0,0 +1,45 @@
+From d71488fd450615ade6c10978af38d0dda27ec859 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
+Date: Tue, 6 Jun 2017 15:13:26 +0200
+Subject: [PATCH] server.py: Removes dns-server configuration from ldap
+
+After invocation of the ipa server-del <hostname>
+command there was still record in ldap if DNS
+was installed on the <hostname> server.
+
+Fixes: https://pagure.io/freeipa/issue/6572
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaserver/plugins/server.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
+index b1ee4722841509f4614c688ac39095c723aff167..e0dc953a1ef870c95fdcdb629fb6ab3103e8f999 100644
+--- a/ipaserver/plugins/server.py
++++ b/ipaserver/plugins/server.py
+@@ -692,6 +692,12 @@ class server_del(LDAPDelete):
+                     message=_("You may need to manually remove them from the "
+                               "tree")))
+ 
++    def _cleanup_server_dns_config(self, hostname):
++        try:
++            self.api.Command.dnsserver_del(hostname)
++        except errors.NotFound:
++            pass
++
+     def pre_callback(self, ldap, dn, *keys, **options):
+         pkey = self.obj.get_primary_key_from_dn(dn)
+ 
+@@ -731,6 +737,9 @@ class server_del(LDAPDelete):
+         # try to clean up the leftover DNS entries
+         self._cleanup_server_dns_records(pkey)
+ 
++        # try to clean up the DNS config from ldap
++        self._cleanup_server_dns_config(pkey)
++
+         return dn
+ 
+     def exc_callback(self, keys, options, exc, call_func, *call_args,
+-- 
+2.13.5
+
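Review bot: `_cleanup_server_dns_config` handles only `errors.NotFound`, so any other failure from `dnsserver_del` (a permission error, for example) propagates out of the callback and would presumably abort the whole `server-del`, although the comment at the call site says "try to clean up". The context lines just above the helper show the sibling cleanup reporting "You may need to manually remove them from the tree"; if best effort is intended here too, catching the broader failure and emitting a similar message would be consistent. At minimum the helper needs a docstring and a why-comment on the `pass`, e.g. `# nothing to remove: no dns-server entry exists for this host`. The callback containing the call site continues outside the second hunk.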
diff --git a/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch b/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
new file mode 100644
index 0000000..2ff94ff
--- /dev/null
+++ b/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
@@ -0,0 +1,75 @@
+From a6b7f433c1c8c30e455f345fcd97e7428ae63322 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 9 Aug 2017 17:28:35 -0400
+Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA
+
+The CSR generated by `ipa-cacert-manage renew --external-ca` did
+not include the CA basic constraint:
+
+  X509v3 Basic Constraints: critical
+      CA:TRUE
+
+Add a flag to certmonger::resubmit_request to specify that a
+CA is being requested.
+
+Note that this also sets pathlen to -1 which means an unlimited
+pathlen. Leave it up to the issuing CA to set this.
+
+https://pagure.io/freeipa/issue/7088
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipalib/install/certmonger.py           | 13 +++++++++++--
+ ipaserver/install/ipa_cacert_manage.py |  3 ++-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
+index c286996ee2318e241b4af190d1a01f42e28aa9f3..d2b782ddb0c746a3dfd96d0222bb31c6a960fdff 100644
+--- a/ipalib/install/certmonger.py
++++ b/ipalib/install/certmonger.py
+@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
+         request.obj_if.modify(update)
+ 
+ 
+-def resubmit_request(request_id, ca=None, profile=None):
++def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
++    """
++    :param request_id: the certmonger numeric request ID
++    :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
++    :param profile: the dogtag template profile to use, e.g. SubCA
++    :param is_ca: boolean that if True adds the CA basic constraint
++    """
+     request = _get_request({'nickname': request_id})
+     if request:
+-        if ca or profile:
++        if ca or profile or is_ca:
+             update = {}
+             if ca is not None:
+                 cm = _certmonger()
+                 update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
+             if profile is not None:
+                 update['template-profile'] = profile
++            if is_ca:
++                update['template-is-ca'] = True
++                update['template-ca-path-length'] = -1  # no path length
+             request.obj_if.modify(update)
+         request.obj_if.resubmit()
+ 
+diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
+index fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb..9607620d6c3e63b70b9e586f94282bf478c8c53e 100644
+--- a/ipaserver/install/ipa_cacert_manage.py
++++ b/ipaserver/install/ipa_cacert_manage.py
+@@ -310,7 +310,8 @@ class CACertManage(admintool.AdminTool):
+         timeout = api.env.startup_timeout + 60
+ 
+         self.log.debug("resubmitting certmonger request '%s'", self.request_id)
+-        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
++        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
++                                    is_ca=True)
+         try:
+             state = certmonger.wait_for_request(self.request_id, timeout)
+         except RuntimeError:
+-- 
+2.13.5
+
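Review bot: The docstring for `is_ca` and the inline comment `# no path length` understate what the flag does: besides `template-is-ca` it sets `template-ca-path-length` to -1, which the commit message describes as an unlimited path length, so the CSR asks for an unconstrained CA and relies on the issuing CA to impose a limit. I would say so in the docstring, e.g. `:param is_ca: if True, request the CA basic constraint with no path length limit (the issuing CA is expected to set one)`, and reword the comment to `# -1: no pathlen constraint requested`. The docstring also lacks a summary line and does not mention that nothing is resubmitted when `_get_request` finds no request. Separately, the outer guard tests `ca or profile` by truthiness while the inner checks use `is not None`; that predates this change, but the new `is_ca` term is added to the same guard.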
diff --git a/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch b/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
new file mode 100644
index 0000000..54a13e6
--- /dev/null
+++ b/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
@@ -0,0 +1,51 @@
+From f6ce0099adc7c8508b3bf2f82102c1dd70fa08dc Mon Sep 17 00:00:00 2001
+From: Felipe Barreto <fbarreto@redhat.com>
+Date: Fri, 13 Oct 2017 09:19:43 +0200
+Subject: [PATCH] Checks if replica-s4u2proxy.ldif should be applied
+
+Before applying replica-s3u2proxy.ldif, we check
+if the values are already there. The values can be
+there if a replica installation was done in the past
+and some info was left behind. Also, the code checks
+the values independently.
+
+https://pagure.io/freeipa/issue/7174
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/dsinstance.py | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..f7edcffc5904d8c9ce46f5862d496a4df3ad8d75 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -930,7 +930,24 @@ class DsInstance(service.Service):
+         self._ldap_mod("replica-acis.ldif", self.sub_dict)
+ 
+     def __setup_s4u2proxy(self):
+-        self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
++
++        def __add_principal(last_cn, principal, self):
++            dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
++                    ('cn', 'etc'), self.suffix)
++
++            value = '{principal}/{fqdn}@{realm}'.format(fqdn=self.fqdn,
++                                                        realm=self.realm,
++                                                        principal=principal)
++
++            entry = api.Backend.ldap2.get_entry(dn, ['memberPrincipal'])
++            try:
++                entry['memberPrincipal'].append(value)
++                api.Backend.ldap2.update_entry(entry)
++            except errors.EmptyModlist:
++                pass
++
++        __add_principal('ipa-http-delegation', 'HTTP', self)
++        __add_principal('ipa-ldap-delegation-targets', 'ldap', self)
+ 
+     def __create_indices(self):
+         self._ldap_mod("indices.ldif")
+-- 
+2.13.5
+
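Review bot: In `__add_principal` the `get_entry` call sits outside the `try`, so only `errors.EmptyModlist` is handled; if either delegation entry is missing, the lookup failure would propagate and presumably fail the install step, and if the entry has no `memberPrincipal` attribute the subscript may raise before `append` (worth confirming against the LDAP entry class). The "already there" check promised by the commit message is implicit: the value is appended unconditionally and a duplicate is detected only through `EmptyModlist`, which deserves a comment such as `# value already present: nothing to modify`. On style, the helper is a closure, so the trailing `self` parameter is unnecessary, and a double-underscore name inside a class body is name-mangled; `_add_principal(last_cn, principal)` reads more plainly. Since these entries decide which principals are permitted s4u2proxy delegation, a docstring stating exactly which value is added to which entry would help reviewers.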
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 20d4d8b..cdf3266 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -68,7 +68,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        21%{?dist}.2.2
+Release:        22%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -76,10 +76,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -316,6 +316,10 @@ Patch0229:      0229-control-logging-of-host_port_open-from-caller.patch
 Patch0230:      0230-log-progress-of-wait_for_open_ports.patch
 Patch0231:      0231-Store-help-in-Schema-before-writing-to-disk.patch
 Patch0232:      0232-Disable-pylint-in-get_help-function-because-of-type-.patch
+Patch0233:      0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
+Patch0234:      0234-server.py-Removes-dns-server-configuration-from-ldap.patch
+Patch0235:      0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
+Patch0236:      0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
 
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
@@ -1117,10 +1121,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 %endif # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -1144,8 +1148,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 %make_build
 
@@ -1869,11 +1872,19 @@ fi
 
 
 %changelog
-* Thu Oct 19 2017 Johnny Hughes <johnny@centos.org> - 4.5.0-21.el7.centos.2.2
-- set ipaplatform to rhel for compatibilty for updates
-
-* Thu Oct 19 2017 CentOS Sources <bugs@centos.org> - 4.5.0-21.el7.centos.2.2
-- Roll in CentOS Branding
+* Fri Oct 27 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-22.el7
+- Resolves: #1506528 In case full PKINIT configuration is failing during
+  server/replica install the error message should be more meaningful.
+    - Less confusing message for PKINIT configuration during install
+- Resolves: #1506526 Use X509v3 Basic Constraints "CA:TRUE" instead of
+  "CA:FALSE" IPA CA CSR
+    - Include the CA basic constraint in CSRs when renewing a CA
+- Resolves: #1506913 ipa-replica-install might fail because of an already
+  existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+    - Checks if replica-s4u2proxy.ldif should be applied
+- Resolves: #1506525 server-del doesn't remove dns-server configuration
+  from ldap
+    - server.py: Removes dns-server configuration from ldap
 
 * Wed Sep 20 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2.2
 - Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports