diff --git a/.gitignore b/.gitignore
index eb27ffd..b6c4220 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.8.7.tar.gz
+SOURCES/freeipa-4.9.0rc3.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index f2e66c8..359554f 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-0099d799a77a757eeb4a95a69a38bdec24e45026 SOURCES/freeipa-4.8.7.tar.gz
+71c0691597296f321e093d9acb36677c26593a1f SOURCES/freeipa-4.9.0rc3.tar.gz
diff --git a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch b/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
deleted file mode 100644
index 34580fe..0000000
--- a/SOURCES/0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch
+++ /dev/null
@@ -1,409 +0,0 @@ -From c2ba333b9681d008d9c528a79dbdd76ce11a3ecd Mon Sep 17 00:00:00 2001 -From: Serhii Tsymbaliuk <stsymbal@redhat.com> -Date: Thu, 28 May 2020 08:47:49 +0200 -Subject: [PATCH 01/22] WebUI: Fix "IPA Error 3007: RequirmentError" while - adding idoverrideuser association - -Add builder for association adder dialog which allows to override behavior of the component. -Replace default implementation with a custom one for idoverrideuser. -Replace text filter with 'ID view' select box in the idoverrideuser dialog. - -Ticket: https://pagure.io/freeipa/issue/8335 - -Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - install/ui/src/freeipa/association.js | 13 ++++- - install/ui/src/freeipa/dialog.js | 73 ++++++++++++++++----------- - install/ui/src/freeipa/group.js | 14 +++++ - install/ui/src/freeipa/idviews.js | 58 +++++++++++++++++++++ - ipaserver/plugins/internal.py | 6 +++ - 5 files changed, 133 insertions(+), 31 deletions(-) - -diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js -index f10ccb2a5..b083a79f9 100644 ---- a/install/ui/src/freeipa/association.js -+++ b/install/ui/src/freeipa/association.js -@@ -25,6 +25,7 @@ - define([ - 'dojo/_base/lang', - 'dojo/Deferred', -+ './builder', - './metadata', - './ipa', - './jquery', -@@ -38,7 +39,7 @@ define([ - './facet', - './search', - './dialog'], -- function(lang, Deferred, metadata_provider, IPA, $, metadata, -+ function(lang, Deferred, builder, metadata_provider, IPA, $, metadata, - navigation, phases, reg, rpc, su, text) { - - /** -@@ -1209,7 +1210,8 @@ exp.association_facet = IPA.association_facet = function (spec, no_init) { - - var pkeys = that.data.result.result[that.get_attribute_name()]; - -- var dialog = IPA.association_adder_dialog({ -+ var dialog = builder.build('association_adder_dialog', { -+ $type: that.other_entity.name, - title: title, - entity: that.entity, - pkey: pkey, -@@ -1675,6 
+1677,13 @@ IPA.attr_read_only_evaluator = function(spec) { - return that; - }; - -+// Create a registry for adder dialogs where key is name of 'other entity'. -+// It allows to override dialogs for some specific cases of association -+// creation. -+var dialog_builder = builder.get('association_adder_dialog'); -+dialog_builder.factory = IPA.association_adder_dialog; -+reg.set('association_adder_dialog', dialog_builder.registry); -+ - phases.on('registration', function() { - var w = reg.widget; - var f = reg.field; -diff --git a/install/ui/src/freeipa/dialog.js b/install/ui/src/freeipa/dialog.js -index c153120df..d67d63b6d 100644 ---- a/install/ui/src/freeipa/dialog.js -+++ b/install/ui/src/freeipa/dialog.js -@@ -919,35 +919,7 @@ IPA.adder_dialog = function(spec) { - 'class': 'input-group col-md-12 adder-dialog-top' - }).appendTo(container); - -- var filter_placeholder = text.get('@i18n:association.filter_placeholder'); -- filter_placeholder = filter_placeholder.replace('${other_entity}', -- that.other_entity.metadata.label); -- -- that.filter_field = $('<input/>', { -- type: 'text', -- name: 'filter', -- 'class': 'form-control', -- 'placeholder': filter_placeholder, -- keyup: function(event) { -- if (event.keyCode === keys.ENTER) { -- that.search(); -- return false; -- } -- } -- }).appendTo(input_group); -- -- var input_group_btn = $('<div/>', { -- 'class': 'input-group-btn' -- }).appendTo(input_group); -- -- that.find_button = IPA.button({ -- name: 'find', -- label: '@i18n:buttons.filter', -- click: function() { -- that.search(); -- return false; -- } -- }).appendTo(input_group_btn); -+ that.filter_field = that.get_filter_field(input_group); - - var row = $('<div/>', { 'class': 'row adder-dialog-main'}).appendTo(container); - // -@@ -1132,6 +1104,49 @@ IPA.adder_dialog = function(spec) { - return that.filter_field.val(); - }; - -+ /** -+ * Return field for filtering available items -+ * -+ * Default implementation returns text input + "Filter" button. 
-+ * It can be overridden. -+ * -+ * @param {HTMLElement} input_group - container for a filter field -+ * @return {HTMLElement} -+ */ -+ that.get_filter_field = function(input_group) { -+ var filter_placeholder = text.get( -+ '@i18n:association.filter_placeholder' -+ ).replace('${other_entity}', that.other_entity.metadata.label); -+ -+ var filter_field = $('<input/>', { -+ type: 'text', -+ name: 'filter', -+ 'class': 'form-control', -+ 'placeholder': filter_placeholder, -+ keyup: function(event) { -+ if (event.keyCode === keys.ENTER) { -+ that.search(); -+ return false; -+ } -+ } -+ }).appendTo(input_group); -+ -+ var input_group_btn = $('<div/>', { -+ 'class': 'input-group-btn' -+ }).appendTo(input_group); -+ -+ that.find_button = IPA.button({ -+ name: 'find', -+ label: '@i18n:buttons.filter', -+ click: function() { -+ that.search(); -+ return false; -+ } -+ }).appendTo(input_group_btn); -+ -+ return filter_field; -+ }; -+ - /** - * Clear rows in available table - */ -diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js -index e46d8c7e3..2984bd4b2 100644 ---- a/install/ui/src/freeipa/group.js -+++ b/install/ui/src/freeipa/group.js -@@ -205,6 +205,20 @@ return { - add_title: '@i18n:objects.group.add_into_sudo', - remove_method: 'remove_user', - remove_title: '@i18n:objects.group.remove_from_sudo' -+ }, -+ { -+ $type: 'association', -+ name: 'member_idoverrideuser', -+ associator: IPA.serial_associator, -+ add_title: '@i18n:objects.group.add_idoverride_user', -+ remove_title: '@i18n:objects.group.remove_idoverride_users', -+ columns: [ -+ { -+ name: 'ipaanchoruuid', -+ label: '@i18n:objects.idoverrideuser.anchor_label', -+ link: false -+ } -+ ] - } - ], - standard_association_facets: true, -diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js -index 35dc998c8..a4fca6205 100644 ---- a/install/ui/src/freeipa/idviews.js -+++ b/install/ui/src/freeipa/idviews.js -@@ -966,6 +966,58 @@ idviews.unapply_action = 
function(spec) { - return that; - }; - -+idviews.idoverrideuser_adder_dialog = function(spec) { -+ -+ spec = spec || {}; -+ -+ var that = IPA.association_adder_dialog(spec); -+ -+ that.base_search = that.search; -+ -+ that.search = function() { -+ // Search for users only in case a ID view is selected -+ if (that.get_filter()) { -+ that.base_search(); -+ } -+ }; -+ -+ /** -+ * Replace default text filter with a select box for filtering by ID view -+ */ -+ that.get_filter_field = function(input_group) { -+ -+ var filter_field = $('<select/>', { -+ name: 'filter', -+ 'class': 'form-control', -+ change: function(event) { -+ that.search(); -+ } -+ }).appendTo(input_group); -+ -+ rpc.command({ -+ entity: 'idview', -+ method: 'find', -+ on_success: function(data) { -+ var results = data.result; -+ -+ for (var i=0; i<results.count; i++) { -+ var result = results.result[i]; -+ $('<option/>', { -+ text: result.cn[0], -+ value: result.cn[0] -+ }).appendTo(filter_field); -+ } -+ -+ that.search(); -+ } -+ }).execute(); -+ -+ return filter_field; -+ }; -+ -+ return that; -+}; -+ - /** - * ID View entity specification object - * @member idviews -@@ -993,6 +1045,7 @@ idviews.register = function() { - var f = reg.facet; - var a = reg.action; - var w = reg.widget; -+ var ad = reg.association_adder_dialog; - - e.register({type: 'idview', spec: idviews.spec}); - e.register({ -@@ -1012,6 +1065,11 @@ idviews.register = function() { - - w.register('idviews_certs', idviews.idviews_certs_widget); - w.register('cert_textarea', idviews.cert_textarea_widget); -+ -+ ad.register({ -+ type: 'idoverrideuser', -+ factory: idviews.idoverrideuser_adder_dialog -+ }); - }; - - phases.on('registration', idviews.register); -diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py -index 5f2b1fdc2..7622e65dc 100644 ---- a/ipaserver/plugins/internal.py -+++ b/ipaserver/plugins/internal.py -@@ -835,6 +835,9 @@ class i18n_messages(Command): - "Remove users from member managers for user 
group " - "'${primary_key}'" - ), -+ "add_idoverride_user": _( -+ "Add user ID override into user group '${primary_key}'" -+ ), - "details": _("Group Settings"), - "external": _("External"), - "groups": _("Groups"), -@@ -868,6 +871,9 @@ class i18n_messages(Command): - "remove_users": _( - "Remove users from user group '${primary_key}'" - ), -+ "remove_idoverride_users": _( -+ "Remove user ID overrides from user group '${primary_key}'" -+ ), - "type": _("Group Type"), - "user_groups": _("User Groups"), - }, --- -2.26.2 - -From f6c460aee8542d4d81cd9970d71051c240156973 Mon Sep 17 00:00:00 2001 -From: Serhii Tsymbaliuk <stsymbal@redhat.com> -Date: Thu, 16 Jul 2020 18:52:24 +0200 -Subject: [PATCH] WebUI: Fix error "unknown command - 'idoverrideuser_add_member'" - -There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association, -as a result a wrong command was sent to the server. - -Ticket: https://pagure.io/freeipa/issue/8416 - -Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com> -Reviewed-By: Petr Vobornik <pvoborni@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - install/ui/src/freeipa/group.js | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js -index 2984bd4b2..61c19a82f 100644 ---- a/install/ui/src/freeipa/group.js -+++ b/install/ui/src/freeipa/group.js -@@ -209,7 +209,6 @@ return { - { - $type: 'association', - name: 'member_idoverrideuser', -- associator: IPA.serial_associator, - add_title: '@i18n:objects.group.add_idoverride_user', - remove_title: '@i18n:objects.group.remove_idoverride_users', - columns: [ --- -2.26.2 - -From e35739b7e9f6bb016b37abbd92bdaee71a59a288 Mon Sep 17 00:00:00 2001 -From: Serhii Tsymbaliuk <stsymbal@redhat.com> -Date: Wed, 29 Jul 2020 09:41:36 +0200 -Subject: [PATCH] WebUI tests: Add test case to cover user ID override feature - -The test case includes adding an user ID override to Default Trust View -and adding the 
ID override to some IPA group. - -Ticket: https://pagure.io/freeipa/issue/8416 - -Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com> -Reviewed-By: Petr Vobornik <pvoborni@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - ipatests/test_webui/test_trust.py | 41 +++++++++++++++++++++++++++++++ - 1 file changed, 41 insertions(+) - -diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py -index c04c2fcd8..605f8a2a7 100644 ---- a/ipatests/test_webui/test_trust.py -+++ b/ipatests/test_webui/test_trust.py -@@ -21,6 +21,8 @@ - Trust tests - """ - -+import ipatests.test_webui.data_group as group -+import ipatests.test_webui.data_idviews as idview - from ipatests.test_webui.ui_driver import UI_driver - from ipatests.test_webui.ui_driver import screenshot - from ipatests.test_webui.task_range import range_tasks -@@ -29,6 +31,8 @@ import pytest - ENTITY = 'trust' - CONFIG_ENTITY = 'trustconfig' - -+DEFAULT_TRUST_VIEW = 'Default Trust View' -+ - CONFIG_DATA = { - 'mod': [ - ['combobox', 'ipantfallbackprimarygroup', 'admins'], -@@ -164,3 +168,40 @@ class test_trust(trust_tasks): - - self.mod_record(CONFIG_ENTITY, CONFIG_DATA) - self.mod_record(CONFIG_ENTITY, CONFIG_DATA2) -+ -+ @screenshot -+ def test_group_member_idoverrideuser(self): -+ -+ self.init_app() -+ -+ # Create new trust -+ data = self.get_data() -+ self.add_record(ENTITY, data) -+ -+ # Create an user ID override -+ ad_domain = self.config.get('ad_domain') -+ ad_admin = self.config.get('ad_admin') -+ idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower() -+ -+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY) -+ self.add_record(idview.ENTITY, { -+ 'pkey': idoverrideuser_pkey, -+ 'add': [ -+ ('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey), -+ ], -+ }, facet='idoverrideuser') -+ -+ # Create new group and add the user ID override there -+ self.navigate_to_entity(group.ENTITY) -+ self.add_record(group.ENTITY, group.DATA) -+ 
self.navigate_to_record(group.PKEY) -+ self.add_associations([idoverrideuser_pkey], -+ facet='member_idoverrideuser', delete=True) -+ -+ # Clean up data -+ self.navigate_to_entity(group.ENTITY) -+ self.delete_record(group.PKEY) -+ self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY) -+ self.delete_record(idoverrideuser_pkey) -+ self.navigate_to_entity(ENTITY) -+ self.delete_record(ad_domain) --- -2.26.2 - diff --git a/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch b/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch deleted file mode 100644 index eec611f..0000000 --- a/SOURCES/0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch +++ /dev/null 
@@ -1,601 +0,0 @@ -From 77fae8c48bbe0f4499f4d8ed91b268568c64cd7c Mon Sep 17 00:00:00 2001 -From: Christian Heimes <cheimes@redhat.com> -Date: Thu, 11 Jun 2020 11:17:25 +0200 -Subject: [PATCH] Move ipa-epn systemd files and run RPM hooks - -The init/systemd directory is for server only and not part of -CLIENT_ONLY builds. - -It's necesary to run pre/post installation hooks to make systemd aware -of new files. - -Fixes: https://pagure.io/freeipa/issue/8367 -Signed-off-by: Christian Heimes <cheimes@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Francois Cami <fcami@redhat.com> ---- - .gitignore | 4 +-- - client/Makefile.am | 1 + - client/share/Makefile.am | 5 ++++ - {install => client}/share/expire_msg.template | 0 - client/systemd/Makefile.am | 27 +++++++++++++++++++ - {init => client}/systemd/ipa-epn.service.in | 0 - {init => client}/systemd/ipa-epn.timer.in | 0 - configure.ac | 24 +++++++++++++++-- - freeipa.spec.in | 15 +++++++++++ - init/systemd/Makefile.am | 8 +++--- - install/share/Makefile.am | 5 ---- - server.m4 | 19 ------------- - 12 files changed, 76 insertions(+), 32 deletions(-) - rename {install => client}/share/expire_msg.template (100%) - create mode 100644 client/systemd/Makefile.am - rename {init => client}/systemd/ipa-epn.service.in (100%) - rename {init => client}/systemd/ipa-epn.timer.in (100%) - -#diff --git a/.gitignore b/.gitignore -#index 6584c3b4f..4cedb1ff2 100644 -#--- a/.gitignore -#+++ b/.gitignore -#@@ -94,8 +94,6 @@ freeipa2-dev-doc -# /init/ipa_memcached -# /init/systemd/ipa-custodia.service -# /init/systemd/ipa.service -#-/init/systemd/ipa-epn.service -#-/init/systemd/ipa-epn.timer -# /init/tmpfilesd/ipa.conf -# -# !/install/ui/doc/Makefile.in -#@@ -116,6 +114,8 @@ freeipa2-dev-doc -# /client/ipa-getkeytab -# /client/ipa-join -# /client/ipa-rmkeytab -#+/client/systemd/ipa-epn.service -#+/client/systemd/ipa-epn.timer -# -# /ipaplatform/override.py -# /ipapython/version.py -diff --git a/client/Makefile.am 
b/client/Makefile.am -index 858a9369e..87da87fcd 100644 ---- a/client/Makefile.am -+++ b/client/Makefile.am -@@ -95,6 +95,7 @@ SUBDIRS = \ - share \ - man \ - sysconfig \ -+ systemd \ - $(NULL) - # init - -diff --git a/client/share/Makefile.am b/client/share/Makefile.am -index 6d4a62d5e..1402a3a9d 100644 ---- a/client/share/Makefile.am -+++ b/client/share/Makefile.am -@@ -4,3 +4,8 @@ appdir = $(IPA_DATA_DIR)/client - dist_app_DATA = \ - freeipa.template \ - $(NULL) -+ -+epnconfdir = $(IPA_SYSCONF_DIR)/epn -+dist_epnconf_DATA = \ -+ expire_msg.template \ -+ $(NULL) -diff --git a/install/share/expire_msg.template b/client/share/expire_msg.template -similarity index 100% -rename from install/share/expire_msg.template -rename to client/share/expire_msg.template -diff --git a/client/systemd/Makefile.am b/client/systemd/Makefile.am -new file mode 100644 -index 000000000..1f591be83 ---- /dev/null -+++ b/client/systemd/Makefile.am -@@ -0,0 +1,27 @@ -+# This file will be processed with automake-1.7 to create Makefile.in -+# -+AUTOMAKE_OPTIONS = 1.7 -+ -+NULL = -+ -+dist_noinst_DATA = \ -+ ipa-epn.service.in \ -+ ipa-epn.timer.in \ -+ $(NULL) -+ -+systemdsystemunit_DATA = \ -+ ipa-epn.service \ -+ ipa-epn.timer \ -+ $(NULL) -+ -+CLEANFILES = $(systemdsystemunit_DATA) -+ -+%: %.in Makefile -+ sed \ -+ -e 's|@bindir[@]|$(bindir)|g' \ -+ -e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \ -+ -e 's|@localstatedir[@]|$(localstatedir)|g' \ -+ -e 's|@sbindir[@]|$(sbindir)|g' \ -+ -e 's|@libexecdir[@]|$(libexecdir)|g' \ -+ -e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \ -+ '$(srcdir)/$@.in' >$@ -diff --git a/init/systemd/ipa-epn.service.in b/client/systemd/ipa-epn.service.in -similarity index 100% -rename from init/systemd/ipa-epn.service.in -rename to client/systemd/ipa-epn.service.in -diff --git a/init/systemd/ipa-epn.timer.in b/client/systemd/ipa-epn.timer.in -similarity index 100% -rename from init/systemd/ipa-epn.timer.in -rename to client/systemd/ipa-epn.timer.in -diff --git 
a/configure.ac b/configure.ac -index 5ec529088..586b2532a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -220,6 +220,25 @@ AC_ARG_WITH([runstatedir], - [runstatedir="/run"]) - AC_SUBST([runstatedir]) - -+dnl --------------------------------------------------------------------------- -+dnl - Check for systemd directories -+dnl --------------------------------------------------------------------------- -+ -+PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) -+AC_ARG_WITH([systemdsystemunitdir], -+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR], -+ [Directory for systemd service files]), -+ [systemdsystemunitdir=$with_systemdsystemunitdir], -+ [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)]) -+AC_SUBST([systemdsystemunitdir]) -+ -+AC_ARG_WITH([systemdtmpfilesdir], -+ AS_HELP_STRING([--with-systemdtmpfilesdir=DIR], -+ [Directory for systemd-tmpfiles configuration files]), -+ [systemdtmpfilesdir=$with_systemdtmpfilesdir], -+ [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)]) -+AC_SUBST([systemdtmpfilesdir]) -+ - dnl --------------------------------------------------------------------------- - dnl - Server-only configuration - dnl --------------------------------------------------------------------------- -@@ -544,6 +563,7 @@ AC_CONFIG_FILES([ - client/share/Makefile - client/man/Makefile - client/sysconfig/Makefile -+ client/systemd/Makefile - contrib/completion/Makefile - contrib/Makefile - daemons/dnssec/Makefile -@@ -637,13 +657,13 @@ echo " - jslint: ${JSLINT} - LDAP libs: ${LDAP_LIBS} - OpenSSL crypto libs: ${CRYPTO_LIBS} -- KRB5 libs: ${KRB5_LIBS}" -+ KRB5 libs: ${KRB5_LIBS} -+ systemdsystemunitdir: ${systemdsystemunitdir}" - - AM_COND_IF([ENABLE_SERVER], [ - echo "\ - KRAD libs: ${KRAD_LIBS} - krb5rundir: ${krb5rundir} -- systemdsystemunitdir: ${systemdsystemunitdir} - systemdtmpfilesdir: ${systemdtmpfilesdir} - build 
mode: server & client" - ], [ -diff --git a/freeipa.spec.in b/freeipa.spec.in -index cec57e64e..1d8f4e6aa 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -586,6 +586,10 @@ on the machine enrolled into a FreeIPA environment - %package client-epn - Summary: Tools to configure Expiring Password Notification in IPA - Group: System Environment/Base -+Requires: systemd-units -+Requires(post): systemd-units -+Requires(preun): systemd-units -+Requires(postun): systemd-units - Requires: %{name}-client = %{version}-%{release} - - %description client-epn -@@ -1003,6 +1007,17 @@ fi - # ONLY_CLIENT - %endif - -+%preun client-epn -+%systemd_preun ipa-epn.service -+%systemd_preun ipa-epn.timer -+ -+%postun client-epn -+%systemd_postun ipa-epn.service -+%systemd_postun ipa-epn.timer -+ -+%post client-epn -+%systemd_post ipa-epn.service -+%systemd_post ipa-epn.timer - - %post client - if [ $1 -gt 1 ] ; then -diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am -index 5053dbff6..175178787 100644 ---- a/init/systemd/Makefile.am -+++ b/init/systemd/Makefile.am -@@ -2,17 +2,17 @@ - # - AUTOMAKE_OPTIONS = 1.7 - -+NULL = -+ - dist_noinst_DATA = \ - ipa-custodia.service.in \ - ipa.service.in \ -- ipa-epn.service.in \ -- ipa-epn.timer.in -+ $(NULL) - - systemdsystemunit_DATA = \ - ipa-custodia.service \ - ipa.service \ -- ipa-epn.service \ -- ipa-epn.timer -+ $(NULL) - - CLEANFILES = $(systemdsystemunit_DATA) - -diff --git a/install/share/Makefile.am b/install/share/Makefile.am -index 496e81288..e95796dfb 100644 ---- a/install/share/Makefile.am -+++ b/install/share/Makefile.am -@@ -106,8 +106,3 @@ dist_app_DATA = \ - kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy - dist_kdcproxyconf_DATA = \ - kdcproxy.conf -- --epnconfdir = $(IPA_SYSCONF_DIR)/epn --dist_epnconf_DATA = \ -- expire_msg.template \ -- $(NULL) -diff --git a/server.m4 b/server.m4 -index d35823e80..842d599d2 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -153,22 +153,3 @@ dnl Check for libverto - dnl 
--------------------------------------------------------------------------- - - PKG_CHECK_MODULES([LIBVERTO], [libverto]) -- --dnl --------------------------------------------------------------------------- --dnl - Check for systemd directories --dnl --------------------------------------------------------------------------- -- --PKG_CHECK_EXISTS([systemd], [], [AC_MSG_ERROR([systemd not found])]) --AC_ARG_WITH([systemdsystemunitdir], -- AS_HELP_STRING([--with-systemdsystemunitdir=DIR], -- [Directory for systemd service files]), -- [systemdsystemunitdir=$with_systemdsystemunitdir], -- [systemdsystemunitdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=systemdsystemunitdir systemd)]) --AC_SUBST([systemdsystemunitdir]) -- --AC_ARG_WITH([systemdtmpfilesdir], -- AS_HELP_STRING([--with-systemdtmpfilesdir=DIR], -- [Directory for systemd-tmpfiles configuration files]), -- [systemdtmpfilesdir=$with_systemdtmpfilesdir], -- [systemdtmpfilesdir=$($PKG_CONFIG --define-variable=prefix='${prefix}' --variable=tmpfilesdir systemd)]) --AC_SUBST([systemdtmpfilesdir]) --- -2.26.2 - -From 23e2935e5c5cb402dd4f6f44eaa4b013e6a8188a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Mon, 22 Jun 2020 16:39:02 +0200 -Subject: [PATCH] EPN: ship the configuration file. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ship and install /etc/ipa/epn.conf. -Minor fixes to the associated man page. 
- -Fixes: https://pagure.io/freeipa/issue/8374 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> ---- - client/man/epn.conf.5 | 5 ++-- - client/share/Makefile.am | 7 +++++- - client/share/epn.conf | 54 ++++++++++++++++++++++++++++++++++++++++ - freeipa.spec.in | 4 ++- - 4 files changed, 65 insertions(+), 5 deletions(-) - create mode 100644 client/share/epn.conf - -diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5 -index 38e99e25d..14f5dbb75 100644 ---- a/client/man/epn.conf.5 -+++ b/client/man/epn.conf.5 -@@ -71,11 +71,10 @@ Specifies the From e-mail address value in the e-mails sent. The default is - root@localhost. Bounces will be sent here. - .TP - .B smtp_delay <milliseconds> --Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. -+Time to wait, in milliseconds, between each e-mail sent to try to avoid overloading the mail queue. The default is 0. - .TP - .B mail_from <address> --Specifies the From: e-mal address value in the e-mails sent. The default is --noreply@ipadefaultemaildomain. This value can be found by running -+Specifies the 
From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running - .I ipa config-show - .TP - .B notify_ttls <list of days> -diff --git a/client/share/Makefile.am b/client/share/Makefile.am -index 1402a3a9d..472242e62 100644 ---- a/client/share/Makefile.am -+++ b/client/share/Makefile.am -@@ -5,7 +5,12 @@ dist_app_DATA = \ - freeipa.template \ - $(NULL) - --epnconfdir = $(IPA_SYSCONF_DIR)/epn -+epnconfdir = $(IPA_SYSCONF_DIR) - dist_epnconf_DATA = \ -+ epn.conf \ -+ $(NULL) -+ -+epntemplatedir = $(IPA_SYSCONF_DIR)/epn -+dist_epntemplate_DATA = \ - expire_msg.template \ - $(NULL) -diff --git a/client/share/epn.conf b/client/share/epn.conf -new file mode 100644 -index 000000000..0e590dfc3 ---- /dev/null -+++ b/client/share/epn.conf -@@ -0,0 +1,54 @@ -+# Global IPA-EPN [0] configuration file. -+# For a complete explanation of each parameter, see the epn.conf(5) -+# manual page. -+# For best results, change no more than a single parameter at a time, -+# and test if ipa-epn(1) still works as intended, using --dry-run when -+# it makes sense. -+# -+# [0] https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-notification.md -+ -+[global] -+ -+# Specifies the SMTP server to use. -+smtp_server = localhost -+ -+# Specifies the SMTP port. -+smtp_port = 25 -+ -+# Specifies the id of the user to authenticate with the SMTP server. -+# Default None (empty value). -+# smtp_user = -+ -+# Specifies the password for the authorized user. -+# Default None (empty value). -+# smtp_password = -+ -+# pecifies the number of seconds to wait for SMTP to respond. -+smtp_timeout = 60 -+ -+# Specifies the type of secure connection to make. Options are: none, -+# starttls and ssl. -+smtp_security = none -+ -+# Specifies the From e-mail address value in the e-mails sent. Bounces will -+# be sent here. 
-+smtp_admin = root@localhost -+ -+# Time to wait, in milliseconds, between each e-mail sent to try to avoid -+# overloading the mail queue. -+smtp_delay = 0 -+ -+# Specifies the 
From: e-mail address value in the e-mails sent. -+# The default when unset is noreply@ipadefaultemaildomain. -+# This value can be found by running ipa config-show. -+# mail_from = -+ -+# The list of days before a password expiration when ipa-epn should notify -+# a user that their password will soon require a reset. -+notify_ttls = 28, 14, 7, 3, 1 -+ -+# Set the character set of the message. -+msg_charset = utf8 -+ -+# Set the message's MIME sub-content type. -+msg_subtype = plain -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 5bce6f118..8cca99697 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -1387,13 +1387,15 @@ fi - - %files client-epn - %doc README.md Contributors.txt -+%dir %{_sysconfdir}/ipa/epn - %license COPYING - %{_sbindir}/ipa-epn - %{_mandir}/man1/ipa-epn.1* - %{_mandir}/man5/epn.conf.5* - %attr(644,root,root) %{_unitdir}/ipa-epn.service - %attr(644,root,root) %{_unitdir}/ipa-epn.timer --%attr(644,root,root) %{_sysconfdir}/ipa/epn/expire_msg.template -+%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf -+%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template - - %files -n python3-ipaclient - %doc README.md Contributors.txt --- -2.26.2 - -From 3b43950d35f78b28d4edde4fda475b5aa84f4587 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Tue, 23 Jun 2020 09:39:02 +0200 -Subject: [PATCH] man pages: fix epn.conf.5 and ipa-epn.1 formatting -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fix formatting issues found with mandoc. 
- -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> ---- - client/man/epn.conf.5 | 2 +- - client/man/ipa-epn.1 | 8 ++++---- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5 -index 14f5dbb75..df1f0156c 100644 ---- a/client/man/epn.conf.5 -+++ b/client/man/epn.conf.5 -@@ -16,7 +16,7 @@ - .\" - .\" Author: Rob Crittenden <rcritten@@redhat.com> - .\" --.TH "epn.conf" "5" "Apr 28 2020" "FreeIPA" "FreeIPA Manual Pages" -+.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages" - .SH "NAME" - epn.conf \- Expiring Password Notification configuration file - .SH "SYNOPSIS" -diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1 -index 9999ea8ca..124fd4536 100644 ---- a/client/man/ipa-epn.1 -+++ b/client/man/ipa-epn.1 -@@ -15,14 +15,14 @@ - .\" along with this program. If not, see <http://www.gnu.org/licenses/>. - .\" - .\" --.TH "ipa-epn" "1" "Apr 24 2020" "FreeIPA" "FreeIPA Manual Pages" -+.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages" - .SH "NAME" - ipa\-epn \- Send expiring password nofications - .SH "SYNOPSIS" --ipa\-epn \[options\] -+ipa\-epn \fR[options\fR] - - .SH "DESCRIPTION" --ipa\-epn provides a method to warn users via email that their IPA account password is about to expire. -+ipa\-epn provides a method to warn users via email that their IPA account password is about to expire. - - It can be used in dry\-run mode which is recommmended during setup. The output is always JSON in this case. - -@@ -38,7 +38,7 @@ The \-\-to\-nbdays CLI option can be used to determine the number of notificatio - - If \fB\-\-from\-nbdays\fR is not specified, ipa\-epn will look within a 24\-hour long time range in <number of days> days. 
- --if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future. -+if \fB\-\-from\-nbdays\fR is specified, the date range starts at \fB\-\-from\-nbdays\fR days in the future and ends at \fB\-\-to\-nbdays\fR in the future. - - Together, these two CLI options can be used to determine how many emails would be sent in a specific time in the future. - --- -2.26.2 - -From 2648c218467792e907435eaa5267a0f3457f634f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Tue, 23 Jun 2020 13:50:02 +0200 -Subject: [PATCH] ipatests: check that EPN's configuration file is installed. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: https://pagure.io/freeipa/issue/8374 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> ---- - ipatests/test_integration/test_epn.py | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index 7f56d4bc0..409d588d5 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -209,6 +209,20 @@ class TestEPN(IntegrationTest): - cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key') - cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem') - -+ @pytest.mark.xfail(reason='pr-ci issue 378', strict=True) -+ def test_EPN_config_file(self): -+ """Check that the EPN configuration file is installed. 
-+ https://pagure.io/freeipa/issue/8374 -+ """ -+ epn_conf = "/etc/ipa/epn.conf" -+ epn_template = "/etc/ipa/epn/expire_msg.template" -+ cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"]) -+ assert epn_conf in cmd1.stdout_text -+ assert epn_template in cmd1.stdout_text -+ cmd2 = self.master.run_command(["sha256sum", epn_conf]) -+ ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" -+ assert cmd2.stdout_text.find(ck) == 0 -+ - def test_EPN_smoketest_1(self): - """No users except admin. Check --dry-run output. - With the default configuration, the result should be an empty list. --- -2.26.2 - -From 06accac8906f66ebbb31849d6528b39ae006b124 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Wed, 24 Jun 2020 23:24:36 +0200 -Subject: [PATCH] ipatests: ipa_epn: uninstall/reinstall ipa-client-epn -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Due to https://github.com/freeipa/freeipa-pr-ci/issues/378 -the installed version of freeipa-client-epn is not the built -one. Temporarily force uninstall/reinstall of this package -before running the test. 
- -Fixes: https://pagure.io/freeipa/issue/8374 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> ---- - ipatests/test_integration/test_epn.py | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index 409d588d5..9a9fb17b9 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -209,11 +209,29 @@ class TestEPN(IntegrationTest): - cls.master.run_command(r'rm -f /etc/pki/tls/private/postfix.key') - cls.master.run_command(r'rm -f /etc/pki/tls/certs/postfix.pem') - -- @pytest.mark.xfail(reason='pr-ci issue 378', strict=True) -+ @pytest.mark.skip_if_platform( -+ "debian", reason="Cannot check installed packages using RPM" -+ ) - def test_EPN_config_file(self): - """Check that the EPN configuration file is installed. - https://pagure.io/freeipa/issue/8374 - """ -+ # workaround for https://github.com/freeipa/freeipa-pr-ci/issues/378 -+ rpm_q_cmds = [ -+ ["rpm", "-qi", "freeipa-client"], -+ ["rpm", "-qi", "freeipa-client-epn"], -+ ["rpm", "-qc", "freeipa-client-epn"], -+ ["rpm", "-V", "freeipa-client-epn"], -+ ["rpm", "-qvc", "freeipa-client-epn"], -+ ["ls", "-l", "/etc/ipa", "/etc/ipa/epn"], -+ ] -+ for cmd in rpm_q_cmds: -+ self.master.run_command(cmd, raiseonerr=False) -+ tasks.uninstall_packages(self.master, ["*ipa-client-epn"]) -+ tasks.install_packages(self.master, ["*ipa-client-epn"]) -+ for cmd in rpm_q_cmds: -+ self.master.run_command(cmd, raiseonerr=False) -+ # end workaround - epn_conf = "/etc/ipa/epn.conf" - epn_template = "/etc/ipa/epn/expire_msg.template" - cmd1 = self.master.run_command(["rpm", "-qc", "freeipa-client-epn"]) --- -2.26.2 - 
diff --git a/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch b/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
deleted file mode 100644
index f011db3..0000000
--- a/SOURCES/0003-Use-256-bit-AJP-secret_rhbz#1849914.patch
+++ /dev/null
@@ -1,147 +0,0 @@ -From be48983558a560dadad410a70a4a1684565ed481 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel <ascheel@redhat.com> -Date: Mon, 15 Jun 2020 18:38:35 -0400 -Subject: [PATCH] Clarify AJP connector creation process - -We do two things: - - 1. Fix the xpath for AJP connector verification. An AJP connector is - one which has protocol="AJP/1.3", NOT one that has port="8009". An - AJP connector can exist on any port and port 8009 can have any - protocol. Secrets only make sense on AJP connectors, so make the - xpath match the existing comment. - - 2. Add some background in-line documentation about AJP secret - provisioning. This should help future developers understand why this - was added to IPA and what limitations there are in what PKI or IPA - can do. Most notably, explain why Dogtag can't upgrade the AJP - connector to have a secret in the general case. - -Signed-off-by: Alexander Scheel <ascheel@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - ipaserver/install/dogtaginstance.py | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index 42c9db3fb..aa3baeb7c 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -308,11 +308,12 @@ class DogtagInstance(service.Service): - doc = server_xml.getroot() - - # no AJP connector means no need to update anything -- connectors = doc.xpath('//Connector[@port="8009"]') -+ connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]') - if len(connectors) == 0: - return - -- # AJP connector is set on port 8009. Use non-greedy search to find it -+ # AJP protocol is at version 1.3. Assume there is only one as -+ # Dogtag only provisions one. 
- connector = connectors[0] - - # Detect tomcat version and choose the right option name -@@ -331,11 +332,24 @@ class DogtagInstance(service.Service): - rewrite = False - else: - if oldattr in connector.attrib: -+ # Sufficiently new Dogtag versions (10.9.0-a2) handle the -+ # upgrade for us; we need only to ensure that we're not both -+ # attempting to upgrade server.xml at the same time. -+ # Hopefully this is guaranteed for us. - self.ajp_secret = connector.attrib[oldattr] - connector.attrib[secretattr] = self.ajp_secret - del connector.attrib[oldattr] - else: -- # Generate password, don't use special chars to not break XML -+ # Generate password, don't use special chars to not break XML. -+ # -+ # If we hit this case, pkispawn was run on an older Dogtag -+ # version and we're stuck migrating, choosing a password -+ # ourselves. Dogtag can't generate one randomly because a -+ # Dogtag administrator might've configured AJP and might -+ # not be using IPA. -+ # -+ # Newer Dogtag versions will generate a random password -+ # during pkispawn. - self.ajp_secret = ipautil.ipa_generate_password(special=None) - connector.attrib[secretattr] = self.ajp_secret - --- -2.26.2 - -From 1e804bf19da4ee274e735fd49452d4df5d73a002 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel <ascheel@redhat.com> -Date: Wed, 17 Jun 2020 16:00:25 -0400 -Subject: [PATCH] Configure PKI AJP Secret with 256-bit secret - -By default, PKI's AJP secret is generated as a 75-bit password. By -generating it in IPA, we can guarantee the strength of the AJP secret. -It makes sense to use a stronger AJP secret because it typically -isn't rotated; access to AJP allows an attacker to impersonate an admin -while talking to PKI. 
- -Fixes: https://pagure.io/freeipa/issue/8372 -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146 -Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447 -Related: https://github.com/dogtagpki/pki/pull/437 - -Signed-off-by: Alexander Scheel <ascheel@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - install/share/ipaca_customize.ini | 1 + - install/share/ipaca_default.ini | 2 ++ - ipaserver/install/dogtaginstance.py | 4 +++- - 3 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/install/share/ipaca_customize.ini b/install/share/ipaca_customize.ini -index 6d58579af..948734241 100644 ---- a/install/share/ipaca_customize.ini -+++ b/install/share/ipaca_customize.ini -@@ -12,6 +12,7 @@ - # - # Predefined variables - # - ipa_ca_subject -+# - ipa_ajp_secret - # - ipa_fqdn - # - ipa_subject_base - # - pki_admin_password -diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini -index 2b9900286..a51256116 100644 ---- a/install/share/ipaca_default.ini -+++ b/install/share/ipaca_default.ini -@@ -12,6 +12,7 @@ ipa_ca_pem_file=/etc/ipa/ca.crt - - ## dynamic values - # ipa_ca_subject= -+# ipa_ajp_secret= - # ipa_subject_base= - # ipa_fqdn= - # ipa_ocsp_uri= -@@ -66,6 +67,7 @@ pki_issuing_ca=%(pki_issuing_ca_uri)s - pki_replication_password= - - pki_enable_proxy=True -+pki_ajp_secret=%(ipa_ajp_secret)s - pki_restart_configured_instance=False - pki_security_domain_hostname=%(ipa_fqdn)s - pki_security_domain_https_port=443 -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index aa3baeb7c..361d80a8c 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -840,7 +840,9 @@ class PKIIniLoader: - pki_subsystem_type=subsystem.lower(), - home_dir=os.path.expanduser("~"), - # for softhsm2 testing -- softhsm2_so=paths.LIBSOFTHSM2_SO -+ softhsm2_so=paths.LIBSOFTHSM2_SO, -+ # Configure a more secure AJP password by default -+ 
ipa_ajp_secret=ipautil.ipa_generate_password(special=None) - ) - - @classmethod --- -2.26.2 - diff --git a/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch b/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch deleted file mode 100644 index f87b301..0000000 --- a/SOURCES/0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch +++ /dev/null 
@@ -1,167 +0,0 @@ -From a090b429fda35c5a9c3cfb672ab42a5985d00ff9 Mon Sep 17 00:00:00 2001 -From: Petr Vobornik <pvoborni@redhat.com> -Date: Mon, 8 Jun 2020 19:27:30 +0200 -Subject: [PATCH] baseuser: fix ipanthomedirectorydrive option name - -It should be ipanthomedirectorydrive and not ipanthomedirectoryrive. - -This fixes showing the field in Web UI and also should fix CLI as it -probably never worked. - -Signed-off-by: Petr Vobornik <pvoborni@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - API.txt | 8 ++++---- - ipaserver/plugins/baseuser.py | 2 +- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/API.txt b/API.txt -index 5354a33a0..300b3d9b1 100644 ---- a/API.txt -+++ b/API.txt -@@ -5085,7 +5085,7 @@ option: Str('in_role*', cli_name='in_roles') - option: Str('in_sudorule*', cli_name='in_sudorules') - option: Str('initials?', autofill=False) - option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir') --option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) -+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) - option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script') - option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path') - option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') -@@ -5147,7 +5147,7 @@ option: Str('givenname?', autofill=False, cli_name='first') - option: Str('homedirectory?', autofill=False, cli_name='homedir') - option: Str('initials?', autofill=False) - option: 
Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir') --option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) -+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) - option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script') - option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path') - option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey') -@@ -6185,7 +6185,7 @@ option: Str('in_role*', cli_name='in_roles') - option: Str('in_sudorule*', cli_name='in_sudorules') - option: Str('initials?', autofill=False) - option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir') --option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) -+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) - option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script') - option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path') - option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius') -@@ -6250,7 +6250,7 @@ option: Str('givenname?', autofill=False, cli_name='first') - option: 
Str('homedirectory?', autofill=False, cli_name='homedir') - option: Str('initials?', autofill=False) - option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir') --option: StrEnum('ipanthomedirectoryrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) -+option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:']) - option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script') - option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path') - option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey') -diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py -index a0ed65874..e1b7763f0 100644 ---- a/ipaserver/plugins/baseuser.py -+++ b/ipaserver/plugins/baseuser.py -@@ -420,7 +420,7 @@ class baseuser(LDAPObject): - label=_('SMB Home Directory'), - flags=['no_create'], - ), -- StrEnum('ipanthomedirectoryrive?', -+ StrEnum('ipanthomedirectorydrive?', - cli_name='smb_home_drive', - label=_('SMB Home Directory Drive'), - flags=['no_create'], --- -2.26.2 - -From 691b3cddb275821630f443f22706fa75e7c7a5c8 Mon Sep 17 00:00:00 2001 -From: Petr Vobornik <pvoborni@redhat.com> -Date: Mon, 8 Jun 2020 19:11:33 +0200 -Subject: [PATCH] webui: hide user attributes for SMB services section if empty - -This section should be hidded if user object hasn't ipantuserattrs -object class. I.e. when trusts are not enabled. - -Web UI framework already supports hidding of sections if the -section contains no visible field. So to achieve it we simply needs -to hide the fields. 
Given that attributelevelrights -contains rights only for attributes of current object classes, all -of these are regarded as not writable. - -We can leverage feature of input_widget that it gets hidden -when the attribute is not writable and has no value and widget's -"hidden_if_empty" is set to true. Thus doing it here. - -For this to work, it is also required to fix an issue with -"ipanthomedirectorydrive" which is optional (in API) but Web UI -doesn't offer "empty" ("") value. Adding it here. - -fixes: https://pagure.io/freeipa/issue/8336 - -Signed-off-by: Petr Vobornik <pvoborni@redhat.com> -Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com> -Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> ---- - install/ui/src/freeipa/user.js | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js -index fb626f2a1..8f1f5cd85 100644 ---- a/install/ui/src/freeipa/user.js -+++ b/install/ui/src/freeipa/user.js -@@ -367,36 +367,39 @@ return { - { - name: 'smb_attributes', - label: '@i18n:objects.smb_attributes.title', -- show_cond: ['oc_ipantuserattrs'], - fields: [{ - name: 'ipantlogonscript', - tooltip: { - title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip' -- } -+ }, -+ hidden_if_empty: true - }, - { - name: 'ipantprofilepath', - tooltip: { - title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip' -- } -+ }, -+ hidden_if_empty: true - }, - { - name: 'ipanthomedirectory', - tooltip: { - title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip' -- } -+ }, -+ hidden_if_empty: true - }, - { - name: 'ipanthomedirectorydrive', - $type: 'select', - options: IPA.create_options([ -- 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', -- 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', -- 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:' -+ '', 'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', -+ 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', -+ 
'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:' - ]), - tooltip: { - title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip' -- } -+ }, -+ hidden_if_empty: true - } - ] - } -@@ -482,7 +485,6 @@ return { - IPA.user.self_service_other_user_evaluator, - IPA.user.preserved_user_evaluator, - IPA.user.is_locked_evaluator, -- IPA.object_class_evaluator, - IPA.cert.certificate_evaluator - ], - summary_conditions: [ --- -2.26.2 - diff --git a/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch b/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch deleted file mode 100644 index b67d1ef..0000000 --- a/SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch +++ /dev/null 
@@ -1,93 +0,0 @@
-From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 2 Jul 2020 15:50:00 +0300
-Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
- execution
-
-On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
-SELinux policy permission to use 'noatsecure'. This comes most likely
-from execve() setup by glibc.
-
-Add SELinux interface ipa_helper_noatsecure() that can be called by
-oddjob's SELinux policy definition.
-
-In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
-access SELinux configuration and produce AVC for that. Allow reading
-general userspace SELinux configuration.
-
-Fixes: https://pagure.io/freeipa/issue/8395
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.if | 18 ++++++++++++++++++
- selinux/ipa.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/selinux/ipa.if b/selinux/ipa.if
-index ea971b8fa..783db8b78 100644
---- a/selinux/ipa.if
-+++ b/selinux/ipa.if
-@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
- ps_process_pattern($1, dirsrv_t)
- ')
- ')
-+
-+
-+########################################
-+## <summary>
-+## Allow ipa_helper noatsecure
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`ipa_helper_noatsecure',`
-+ gen_require(`
-+ type ipa_helper_t;
-+ ')
-+ allow $1 ipa_helper_t:process { noatsecure };
-+')
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 587e5e585..383979094 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -115,6 +115,7 @@ optional_policy(`
-
-
- allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
-+seutil_read_config(ipa_helper_t);
-
- #kernel bug
- dontaudit ipa_helper_t self:capability2 block_suspend;
---
-2.26.2
-
-From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 3 Jul 2020 17:20:49 +0300
-Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
-
-Related: https://pagure.io/freeipa/issue/8395
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 383979094..a3381217a 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -390,3 +390,7 @@ optional_policy(`
- sssd_search_lib(ipa_custodia_t)
- sssd_stream_connect(ipa_custodia_t)
- ')
-+
-+optional_policy(`
-+ systemd_private_tmp(ipa_custodia_tmp_t)
-+')
---
-2.26.2
-
diff --git a/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch b/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
deleted file mode 100644
index c1c7764..0000000
--- a/SOURCES/0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -From 128500198d3782a76616cf1d971d5aeb17e8c1da Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale <ftweedal@redhat.com> -Date: Thu, 11 Jun 2020 22:42:38 +1000 -Subject: [PATCH] fix iPAddress cert issuance for >1 host/service - -The 'cert_request' command accumulates DNS names from the CSR, -before checking that all IP addresses in the CSR are reachable from -those DNS names. Before adding a DNS name to the set, we check that -that it corresponds to the FQDN of a known host/service principal -(including principal aliases). When a DNS name maps to a -"alternative" principal (i.e. not the one given via the 'principal' -argument), this check was not being performed correctly. -Specifically, we were looking for the 'krbprincipalname' field on -the RPC response object directly, instead of its 'result' field. - -To resolve the issue, dereference the RPC response to its 'result' -field before invoking the '_dns_name_matches_principal' subroutine. - -Fixes: https://pagure.io/freeipa/issue/8368 -Reviewed-By: Rob Crittenden <rcritten@redhat.com> ---- - ipaserver/plugins/cert.py | 6 +- - .../test_cert_request_ip_address.py | 62 +++++++++++++++++-- - 2 files changed, 61 insertions(+), 7 deletions(-) - -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index d353bc3ea..fe7ea34f5 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -827,13 +827,13 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): - try: - if principal_type == HOST: - alt_principal_obj = api.Command['host_show']( -- name, all=True) -+ name, all=True)['result'] - elif principal_type == KRBTGT: - alt_principal = kerberos.Principal( - (u'host', name), principal.realm) - elif principal_type == SERVICE: - alt_principal_obj = api.Command['service_show']( -- alt_principal, all=True) -+ alt_principal, all=True)['result'] - except errors.NotFound: - # We don't want to issue any certificates referencing - # machines we don't know about. 
Nothing is stored in this -@@ -866,7 +866,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): - pass - - # Now check write access and caacl -- altdn = alt_principal_obj['result']['dn'] -+ altdn = alt_principal_obj['dn'] - if not ldap.can_write(altdn, "usercertificate"): - raise errors.ACIError(info=_( - "Insufficient privilege to create a certificate " -diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py -index bf4de05bf..c0475d30d 100644 ---- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py -+++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py -@@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker - from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker - from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test - --host_fqdn = f'iptest.{api.env.domain}' -+host_shortname = 'iptest' -+host_fqdn = f'{host_shortname}.{api.env.domain}' - host_princ = f'host/{host_fqdn}' - host_ptr = f'{host_fqdn}.' - -+host2_shortname = 'iptest2' -+host2_fqdn = f'{host2_shortname}.{api.env.domain}' -+host2_princ = f'host/{host2_fqdn}' -+host2_ptr = f'{host2_fqdn}.' -+ - other_fqdn = f'other.{api.env.domain}' - other_ptr = f'{other_fqdn}.' - -@@ -39,6 +45,10 @@ ipv4_address = '169.254.0.42' - ipv4_revzone_s = '0.254.169.in-addr.arpa.' - ipv4_revrec_s = '42' - -+host2_ipv4_address = '169.254.0.43' -+host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.' -+host2_ipv4_revrec_s = '43' -+ - ipv6_address = 'fe80::8f18:bdab:4299:95fa' - ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.' 
- ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8' -@@ -46,7 +56,13 @@ ipv6_revrec_s = 'a.f.5.9.9.9.2.4.b.a.d.b.8.1.f.8' - - @pytest.fixture(scope='class') - def host(request, xmlrpc_setup): -- tr = HostTracker('iptest') -+ tr = HostTracker(host_shortname) -+ return tr.make_fixture(request) -+ -+ -+@pytest.fixture(scope='class') -+def host2(request, xmlrpc_setup): -+ tr = HostTracker(host2_shortname) - return tr.make_fixture(request) - - -@@ -88,6 +104,12 @@ def ipv6_revzone(host): - yield from _zone_setup(host, ipv6_revzone_s) - - -+@pytest.fixture(scope='class') -+def host2_ipv4_ptr(host2, ipv4_revzone): -+ yield from _record_setup( -+ host2, ipv4_revzone, host2_ipv4_revrec_s, ptrrecord=host2_ptr) -+ -+ - @pytest.fixture(scope='class') - def ipv4_ptr(host, ipv4_revzone): - yield from _record_setup( -@@ -100,16 +122,22 @@ def ipv6_ptr(host, ipv6_revzone): - host, ipv6_revzone, ipv6_revrec_s, ptrrecord=host_ptr) - - -+@pytest.fixture(scope='class') -+def host2_ipv4_a(host2): -+ yield from _record_setup( -+ host2, api.env.domain, host2_shortname, arecord=host2_ipv4_address) -+ -+ - @pytest.fixture(scope='class') - def ipv4_a(host): - yield from _record_setup( -- host, api.env.domain, 'iptest', arecord=ipv4_address) -+ host, api.env.domain, host_shortname, arecord=ipv4_address) - - - @pytest.fixture(scope='class') - def ipv6_aaaa(host): - yield from _record_setup( -- host, api.env.domain, 'iptest', aaaarecord=ipv6_address) -+ host, api.env.domain, host_shortname, aaaarecord=ipv6_address) - - - @pytest.fixture(scope='class') -@@ -210,6 +238,12 @@ csr_cname2 = csr([ - x509.DNSName(f'cname2.{api.env.domain}'), - x509.IPAddress(ipaddress.ip_address(ipv4_address)), - ]) -+csr_two_dnsname_two_ip = csr([ -+ x509.DNSName(host_fqdn), -+ x509.IPAddress(ipaddress.ip_address(ipv4_address)), -+ x509.DNSName(host2_fqdn), -+ x509.IPAddress(ipaddress.ip_address(host2_ipv4_address)), -+]) - - - @pytest.fixture -@@ -449,3 +483,23 @@ class TestIPAddressCNAME(XMLRPC_test): - def 
test_two_levels(self, host, csr_cname2): - with pytest.raises(errors.ValidationError, match=PAT_FWD): - host.run_command('cert_request', csr_cname2, principal=host_princ) -+ -+ -+@pytest.mark.tier1 -+class TestTwoHostsTwoIPAddresses(XMLRPC_test): -+ """ -+ Test certificate issuance with CSR containing two hosts -+ and two IP addresses (one for each host). -+ -+ """ -+ def test_host_exists( -+ self, host, host2, ipv4_a, ipv4_ptr, host2_ipv4_a, host2_ipv4_ptr, -+ ): -+ # for convenience, this test also establishes the DNS -+ # record fixtures, which have class scope -+ host.ensure_exists() -+ host2.ensure_exists() -+ -+ def test_issuance(self, host, csr_two_dnsname_two_ip): -+ host.run_command( -+ 'cert_request', csr_two_dnsname_two_ip, principal=host_princ) --- -2.26.2 - diff --git a/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch b/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch deleted file mode 100644 index 72a73cb..0000000 --- a/SOURCES/0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch +++ /dev/null 
@@ -1,118 +0,0 @@
-From 9ded9e2573a00c388533f2a09365c499a4e2961e Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 19 Jun 2020 08:48:56 -0400
-Subject: [PATCH] Specify cert_paths when calling PKIConnection
-
-PKIConnection now defaults to specifying verify=True. We've introduced
-a new parameter, cert_paths, to specify additional paths (directories or
-files) to load as certificates. Specify the IPA CA certificate file so
-we can guarantee connections succeed and validate the peer's certificate.
-
-Point to IPA CA certificate during pkispawn
-
-Bump pki_version to 10.9.0-0.4 (aka -b2)
-
-Fixes: https://pagure.io/freeipa/issue/8379
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
-Related: https://github.com/dogtagpki/pki/pull/443
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- freeipa.spec.in | 6 +++---
- install/tools/ipa-pki-wait-running.in | 3 ++-
- ipaserver/install/cainstance.py | 7 +++++++
- ipaserver/install/dogtaginstance.py | 3 ++-
- ipaserver/plugins/dogtag.py | 11 +++++------
- 5 files changed, 19 insertions(+), 11 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 74e752ea5..d00b9d640 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -112,9 +112,9 @@
- # Fedora
- %endif
-
--# 10.7.3 supports LWCA key replication using AES
--# https://pagure.io/freeipa/issue/8020
--%global pki_version 10.7.3-1
-+# PKIConnection has been modified to always validate certs.
-+# https://pagure.io/freeipa/issue/8379
-+%global pki_version 10.9.0-0.4
-
- # https://pagure.io/certmonger/issue/90
- %global certmonger_version 0.79.7-1
-diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
-index 69f5ec296..4f0f2f34a 100644
---- a/install/tools/ipa-pki-wait-running.in
-+++ b/install/tools/ipa-pki-wait-running.in
-@@ -59,7 +59,8 @@ def get_conn(hostname, subsystem):
- """
- conn = PKIConnection(
- hostname=hostname,
-- subsystem=subsystem
-+ subsystem=subsystem,
-+ cert_paths=paths.IPA_CA_CRT
- )
- logger.info(
- "Created connection %s://%s:%s/%s",
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 706bc28cc..9294f1dba 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -509,6 +509,13 @@ class CAInstance(DogtagInstance):
- else:
- pki_pin = None
-
-+ # When spawning a CA instance, always point to IPA_CA_CRT if it
-+ # exists. Later, when we're performing step 2 of an external CA
-+ # installation, we'll overwrite this key to point to the real
-+ # external CA.
-+ if os.path.exists(paths.IPA_CA_CRT):
-+ cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
-+
- if self.clone:
- if self.no_db_setup:
- cfg.update(
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index 361d80a8c..7e295665c 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -70,7 +70,8 @@ def get_security_domain():
- connection = PKIConnection(
- protocol='https',
- hostname=api.env.ca_host,
-- port='8443'
-+ port='8443',
-+ cert_paths=paths.IPA_CA_CRT
- )
- domain_client = pki.system.SecurityDomainClient(connection)
- info = domain_client.get_security_domain_info()
-diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
-index 4de26d76f..b300f6b18 100644
---- a/ipaserver/plugins/dogtag.py
-+++ b/ipaserver/plugins/dogtag.py
-@@ -2082,13 +2082,12 @@ class kra(Backend):
- 'https',
- self.kra_host,
- str(self.kra_port),
-- 'kra')
-+ 'kra',
-+ cert_paths=paths.IPA_CA_CRT
-+ )
-
-- connection.session.cert = (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY)
-- # uncomment the following when this commit makes it to release
-- # https://git.fedorahosted.org/cgit/pki.git/commit/?id=71ae20c
-- # connection.set_authentication_cert(paths.RA_AGENT_PEM,
-- # paths.RA_AGENT_KEY)
-+ connection.set_authentication_cert(paths.RA_AGENT_PEM,
-+ paths.RA_AGENT_KEY)
-
- try:
- yield KRAClient(connection, crypto)
---
-2.26.2
-
diff --git a/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch b/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
deleted file mode 100644
index c94ebee..0000000
--- a/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Wed, 15 Jul 2020 10:23:35 +0200
-Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
-
-A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
-from upstream rules. It breaks installations on systems that don't have
-ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
-
-Fixes: https://pagure.io/freeipa/issue/8412
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index a3381217a4..c4c3fa805e 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -378,6 +378,13 @@ optional_policy(`
- ipa_search_lib(ipa_custodia_t)
- ')
-
-+optional_policy(`
-+ gen_require(`
-+ type httpd_t;
-+ ')
-+ ipa_custodia_stream_connect(httpd_t)
-+')
-+
- optional_policy(`
- pki_manage_tomcat_etc_rw(ipa_custodia_t)
- pki_read_tomcat_cert(ipa_custodia_t)
diff --git a/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch b/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
deleted file mode 100644
index 5a96294..0000000
--- a/SOURCES/0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud <flo@redhat.com> -Date: Wed, 29 Jul 2020 13:35:49 +0200 -Subject: [PATCH] ipa-client-install: use the authselect backup during - uninstall - -When ipa-client-install is run on a system with no existing -authselect configuration (for instance a fedora 31 new install), -uninstallation is picking sssd profile but this may lead to -a configuration with differences compared to the pre-ipa-client -state. - -Now that authselect provides an option to backup the existing -configuration prior to setting a profile, the client install -can save the backup name and uninstall is able to apply the -backup in order to go back to the pre-ipa-client state. - -Fixes: https://pagure.io/freeipa/issue/8189 -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Michal Polovka <mpolovka@redhat.com> ---- - ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------ - 1 file changed, 16 insertions(+), 21 deletions(-) - -diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py -index 758376f2b..89f452d66 100644 ---- a/ipaplatform/redhat/authconfig.py -+++ b/ipaplatform/redhat/authconfig.py -@@ -27,6 +27,7 @@ from ipaplatform.paths import paths - from ipapython import ipautil - from ipapython.admintool import ScriptError - import os -+import time - - FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow'] - -@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase): - def configure(self, sssd, mkhomedir, statestore, sudo=True): - # In the statestore, the following keys are used for the - # 'authselect' module: -+ # Old method: - # profile: name of the profile configured pre-installation - # features_list: list of features configured pre-installation - # mkhomedir: True if installation was called with --mkhomedir - # profile and features_list are used when reverting to the - # pre-install state -- cfg = 
self._parse_authselect_output() -- if cfg: -- statestore.backup_state('authselect', 'profile', cfg[0]) -- statestore.backup_state( -- 'authselect', 'features_list', " ".join(cfg[1])) -- else: -- # cfg = None means that the current conf is not managed by -- # authselect but by authconfig. -- # As we are using authselect to configure the host, -- # it will not be possible to revert to a custom authconfig -- # configuration later (during uninstall) -- # Best thing to do will be to use sssd profile at this time -- logger.warning( -- "WARNING: The configuration pre-client installation is not " -- "managed by authselect and cannot be backed up. " -- "Uninstallation may not be able to revert to the original " -- "state.") -+ # New method: -+ # backup: name of the authselect backup -+ backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S")) -+ statestore.backup_state('authselect', 'backup', backup_name) - - cmd = [paths.AUTHSELECT, "select", "sssd"] - if mkhomedir: -@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase): - if sudo: - cmd.append("with-sudo") - cmd.append("--force") -+ cmd.append("--backup={}".format(backup_name)) - - ipautil.run(cmd) - -@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase): - else: - features = [] - -- cmd = [paths.AUTHSELECT, "select", profile] -- cmd.extend(features) -- cmd.append("--force") -- ipautil.run(cmd) -+ backup = statestore.restore_state('authselect', 'backup') -+ if backup: -+ cmd = [paths.AUTHSELECT, "backup-restore", backup] -+ ipautil.run(cmd) -+ else: -+ cmd = [paths.AUTHSELECT, "select", profile] -+ cmd.extend(features) -+ cmd.append("--force") -+ ipautil.run(cmd) - - def backup(self, path): - current = self._get_authselect_current_output() --- -2.26.2 - -# Not needed for 4.7.8 release -# -#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001 -#From: Florence Blanc-Renaud <flo@redhat.com> -#Date: Wed, 29 Jul 2020 13:40:26 +0200 -#Subject: [PATCH] ipatests: remove the xfail 
for test_nfs.py -# -#Related: https://pagure.io/freeipa/issue/8189 -#Reviewed-By: Francois Cami <fcami@redhat.com> -#Reviewed-By: Michal Polovka <mpolovka@redhat.com> -#--- -# ipatests/test_integration/test_nfs.py | 4 ---- -# 1 file changed, 4 deletions(-) -# -#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py -#index 7272b0d44..832c56cca 100644 -#--- a/ipatests/test_integration/test_nfs.py -#+++ b/ipatests/test_integration/test_nfs.py -#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest): -# cmd = self.clients[0].run_command(sha256nsswitch_cmd) -# assert cmd.stdout_text == orig_sha256 -# -#- @pytest.mark.xfail( -#- reason="https://pagure.io/freeipa/issue/8189", -#- strict=True -#- ) -# def test_nsswitch_backup_restore_sssd(self): -# self.nsswitch_backup_restore() -# -#-- -#2.26.2 - -From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud <flo@redhat.com> -Date: Wed, 29 Jul 2020 17:57:53 +0200 -Subject: [PATCH] ipatests: fix test_authselect - -Before the code fix, install/uninstall on a config without -any authselect profile was not able to restore the exact -state but configured sssd profile instead. - -Now that the code is doing a pre-install backup, uninstall -restores the exact state and the test needs to be updated -accordingly. 
- -Related: https://pagure.io/freeipa/issue/8189 -Reviewed-By: Francois Cami <fcami@redhat.com> -Reviewed-By: Michal Polovka <mpolovka@redhat.com> ---- - ipatests/test_integration/test_authselect.py | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py -index bdf7d9f77..cba23e707 100644 ---- a/ipatests/test_integration/test_authselect.py -+++ b/ipatests/test_integration/test_authselect.py -@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest): - ['rm', '-f', '/etc/authselect/authselect.conf']) - result = self._install_client() - assert result.returncode == 0 -- assert self.msg_warn_install in result.stderr_text -+ # With the fix for 8189, there is no warning any more -+ # because install is performing a pre-install backup -+ assert self.msg_warn_install not in result.stderr_text - # Client installation must configure the 'sssd' profile - # with sudo - check_authselect_profile(self.client, default_profile, ('with-sudo',)) -@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest): - """ - Test client un-installation when there was no authselect profile - """ -- # As the client did not have any authselect profile before install, -- # uninstall must print a warning about restoring 'sssd' profile -- # by default -+ # The client did not have any authselect profile before install, -+ # but uninstall must be able to restore the backup -+ # Check that no profile is configured after uninstall - result = self._uninstall_client() - assert result.returncode == 0 -- check_authselect_profile(self.client, default_profile) -+ assert not self.client.transport.file_exists( -+ '/etc/authselect/authselect.conf') - - def test_install_client_preconfigured_profile(self): - """ --- -2.26.2 - 
diff --git a/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch b/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
deleted file mode 100644
index 4144d57..0000000
--- a/SOURCES/0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 66a5a0efd538e31a190ca6ecb775bc1dfc4ee232 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Jul 2020 13:42:43 -0400
-Subject: [PATCH] Replace SSLCertVerificationError with CertificateError for
- py36
-
-This exception was added in python 3.7. Use CertificateError
-instead which is an alias and will work with older python releases.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1858318
-
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/install/server/upgrade.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 2c36bc0e2..2c1517865 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -667,7 +667,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
-
- try:
- cert.match_hostname(expect)
-- except ssl.SSLCertVerificationError:
-+ except ssl.CertificateError:
- if certs.is_ipa_issued_cert(api, cert):
- request_id = certmonger.get_request_id(
- {'cert-file': paths.HTTPD_CERT_FILE})
---
-2.26.2
-
diff --git a/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch b/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
deleted file mode 100644
index 1298351..0000000
--- a/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Fri, 8 May 2020 15:27:01 +0200
-Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
-
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.if | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/selinux/ipa.if b/selinux/ipa.if
-index cefae5d90..ea971b8fa 100644
---- a/selinux/ipa.if
-+++ b/selinux/ipa.if
-@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
- manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
- ')
- ')
-+
-+########################################
-+## <summary>
-+## Execute dirsrv server in the dirsrv domain.
-+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+ifndef(`dirsrv_systemctl',`
-+ interface(`dirsrv_systemctl',`
-+ gen_require(`
-+ type dirsrv_unit_file_t;
-+ type dirsrv_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ init_reload_services($1)
-+ allow $1 dirsrv_unit_file_t:file read_file_perms;
-+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, dirsrv_t)
-+ ')
-+')
---
-2.26.2
-
-From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Thu, 7 May 2020 16:17:12 +0200
-Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
-
-Allow ipa_helper_t connect to init using /run/systemd/private socket.
-Allow ipa_helper_t read init process state.
-Allow ipa_helper_t manage sssd and dirsrv units.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
-See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index b1e29c8e2..587e5e585 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
-
- files_list_tmp(ipa_helper_t)
-
-+init_read_state(ipa_helper_t)
-+init_stream_connect(ipa_helper_t)
-+
- ipa_manage_pid_files(ipa_helper_t)
- ipa_read_lib(ipa_helper_t)
-
-@@ -156,6 +159,10 @@ optional_policy(`
- dirsrv_stream_connect(ipa_helper_t)
- ')
-
-+optional_policy(`
-+ dirsrv_systemctl(ipa_helper_t)
-+')
-+
- optional_policy(`
- ldap_stream_connect(ipa_helper_t)
- ')
-@@ -182,6 +189,7 @@ optional_policy(`
-
- optional_policy(`
- sssd_manage_lib_files(ipa_helper_t)
-+ sssd_systemctl(ipa_helper_t)
- ')
-
-########################################
---
-2.26.2
-
diff --git a/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch b/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
deleted file mode 100644
index ac9ddfe..0000000
--- a/SOURCES/0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 81c955e561dd42ab70a39bf636c90e82a9d7d899 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 3 Aug 2020 18:52:07 +0200
-Subject: [PATCH] CAless installation: set the perms on KDC cert file
-
-In CA less installation, the KDC certificate file does not have
-the expected 644 permissions. As a consequence, WebUI login
-fails.
-
-The fix makes sure that the KDC cert file is saved with 644 perms.
-
-Fixes: https://pagure.io/freeipa/issue/8440
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/install/krbinstance.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
-index 09d14693c..1910ff374 100644
---- a/ipaserver/install/krbinstance.py
-+++ b/ipaserver/install/krbinstance.py
-@@ -536,6 +536,8 @@ class KrbInstance(service.Service):
- certs.install_pem_from_p12(self.pkcs12_info[0],
- self.pkcs12_info[1],
- paths.KDC_CERT)
-+ # The KDC cert needs to be readable by everyone
-+ os.chmod(paths.KDC_CERT, 0o644)
- certs.install_key_from_p12(self.pkcs12_info[0],
- self.pkcs12_info[1],
- paths.KDC_KEY)
---
-2.26.2
-
-From 295dd4235f693b7b4b4270b46a28cb6e7b3d00b4 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 3 Aug 2020 18:53:47 +0200
-Subject: [PATCH] ipatests: check KDC cert permissions in CA less install
-
-The KDC certificate file must be stored with 644 permissions.
-Add a test checking the file permissions on server + replica.
-
-Related: https://pagure.io/freeipa/issue/8440
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_caless.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
-index a7b2cbbbc..1ea7d9896 100644
---- a/ipatests/test_integration/test_caless.py
-+++ b/ipatests/test_integration/test_caless.py
-@@ -1527,6 +1527,13 @@ class TestCertInstall(CALessBase):
- assert result.returncode == 0
-
-
-+def verify_kdc_cert_perms(host):
-+ """Verify that the KDC cert pem file has 0644 perms"""
-+ cmd = host.run_command(['stat', '-c',
-+ '"%a %G:%U"', paths.KDC_CERT])
-+ assert "644 root:root" in cmd.stdout_text
-+
-+
- class TestPKINIT(CALessBase):
- """Install master and replica with PKINIT"""
- num_replicas = 1
-@@ -1540,6 +1547,7 @@ class TestPKINIT(CALessBase):
- result = cls.install_server(pkinit_pkcs12_exists=True,
- pkinit_pin=_DEFAULT)
- assert result.returncode == 0
-+ verify_kdc_cert_perms(cls.master)
-
- @replica_install_teardown
- def test_server_replica_install_pkinit(self):
-@@ -1549,6 +1557,7 @@ class TestPKINIT(CALessBase):
- pkinit_pin=_DEFAULT)
- assert result.returncode == 0
- self.verify_installation()
-+ verify_kdc_cert_perms(self.replicas[0])
-
-
- class TestServerReplicaCALessToCAFull(CALessBase):
---
-2.26.2
-
diff --git a/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch b/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
deleted file mode 100644
index b2655a8..0000000
--- a/SOURCES/0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From b95817e35716bbab000633043817202e17d7c53e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Thu, 6 Aug 2020 17:07:36 +0200 -Subject: [PATCH] IPA-EPN: Use a helper to retrieve LDAP attributes from an - entry - -Allow for empty attributes. - -Reviewed-By: Francois Cami <fcami@redhat.com> ---- - ipaclient/install/ipa_epn.py | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py -index 65f9f3d47..0d1ae2add 100644 ---- a/ipaclient/install/ipa_epn.py -+++ b/ipaclient/install/ipa_epn.py -@@ -122,22 +122,30 @@ class EPNUserList: - """Return len(self).""" - return len(self._expiring_password_user_dq) - -+ def get_ldap_attr(self, entry, attr): -+ """Get a single value from a multi-valued attr in a safe way""" -+ return str(entry.get(attr, [""]).pop(0)) -+ - def add(self, entry): - """Parses and appends an LDAP user entry with the uid, cn, - givenname, sn, krbpasswordexpiration and mail attributes. 
- """ - try: - self._sorted = False -+ if entry.get("mail") is None: -+ logger.error("IPA-EPN: No mail address defined for: %s", -+ entry.dn) -+ return - self._expiring_password_user_dq.append( - dict( -- uid=str(entry["uid"].pop(0)), -- cn=str(entry["cn"].pop(0)), -- givenname=str(entry["givenname"].pop(0)), -- sn=str(entry["sn"].pop(0)), -- krbpasswordexpiration=str( -- entry["krbpasswordexpiration"].pop(0) -+ uid=self.get_ldap_attr(entry, "uid"), -+ cn=self.get_ldap_attr(entry, "cn"), -+ givenname=self.get_ldap_attr(entry, "givenname"), -+ sn=self.get_ldap_attr(entry, "sn"), -+ krbpasswordexpiration=( -+ self.get_ldap_attr(entry,"krbpasswordexpiration") - ), -- mail=str(entry["mail"]), -+ mail=str(entry.get("mail")), - ) - ) - except IndexError as e: --- -2.26.2 - -From 8e810d8cf38ec60d76178bd673e218fb05d56c8e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Thu, 6 Aug 2020 17:13:19 +0200 -Subject: [PATCH] IPA-EPN: fix configuration file typo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Francois Cami <fcami@redhat.com> ---- - client/share/epn.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/client/share/epn.conf b/client/share/epn.conf -index 0e590dfc3..e3645801c 100644 ---- a/client/share/epn.conf -+++ b/client/share/epn.conf -@@ -23,7 +23,7 @@ smtp_port = 25 - # Default None (empty value). - # smtp_password = - --# pecifies the number of seconds to wait for SMTP to respond. -+# Specifies the number of seconds to wait for SMTP to respond. - smtp_timeout = 60 - - # Specifies the type of secure connection to make. 
Options are: none, --- -2.26.2 - -From 1b1dbcbe9d83ba35f3cfdd01399f123816ec6e5b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden <rcritten@redhat.com> -Date: Thu, 6 Aug 2020 18:57:10 -0400 -Subject: [PATCH] IPA-EPN: Test that users without givenname and/or mail are - handled - -The admin user does not have a givenname by default, allow for that. - -Report errors for users without a default e-mail address. - -Update the SHA256 hash with the typo fix. - -Reviewed-By: Francois Cami <fcami@redhat.com> ---- - ipatests/test_integration/test_epn.py | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index 18f73c722..c5c73835a 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -240,7 +240,7 @@ class TestEPN(IntegrationTest): - assert epn_conf in cmd1.stdout_text - assert epn_template in cmd1.stdout_text - cmd2 = self.master.run_command(["sha256sum", epn_conf]) -- ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" -+ ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" - assert cmd2.stdout_text.find(ck) == 0 - - def test_EPN_smoketest_1(self): -@@ -591,3 +591,23 @@ class TestEPN(IntegrationTest): - self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) - result = tasks.ipa_epn(self.master, raiseonerr=False) - assert "smtp_delay cannot be less than zero" in result.stderr_text -+ -+ def test_EPN_admin(self): -+ """The admin user is special and has no givenName by default -+ It also doesn't by default have an e-mail address -+ Check --dry-run output. 
-+ """ -+ epn_conf = textwrap.dedent(''' -+ [global] -+ ''') -+ self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) -+ self.master.run_command( -+ ['ipa', 'user-mod', 'admin', '--password-expiration', -+ datetime_to_generalized_time( -+ datetime.datetime.utcnow() + datetime.timedelta(days=7) -+ )] -+ ) -+ (unused, stderr_text, _unused) = self._check_epn_output( -+ self.master, dry_run=True -+ ) -+ assert "uid=admin" in stderr_text --- -2.26.2 - diff --git a/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch b/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch deleted file mode 100644 index b905262..0000000 --- a/SOURCES/0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch +++ /dev/null 
@@ -1,404 +0,0 @@ -From 9479a393a71fe1de7d62ca2b50a7d3d8698d4ba1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Tue, 4 Aug 2020 11:05:31 +0200 -Subject: [PATCH] ipatests: tasks.py: fix ipa-epn invocation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -tasks.py::ipa_epn would previously fail to invoke ipa-epn with -from_nbdays=0. - -Related: https://pagure.io/freeipa/issue/8449 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> ---- - ipatests/pytest_ipa/integration/tasks.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py -index a3f7cc838..c0a592750 100755 ---- a/ipatests/pytest_ipa/integration/tasks.py -+++ b/ipatests/pytest_ipa/integration/tasks.py -@@ -1470,9 +1470,9 @@ def ipa_epn( - cmd.append("--dry-run") - if mailtest: - cmd.append("--mail-test") -- if from_nbdays: -+ if from_nbdays is not None: - cmd.extend(("--from-nbdays", str(from_nbdays))) -- if to_nbdays: -+ if to_nbdays is not None: - cmd.extend(("--to-nbdays", str(to_nbdays))) - return host.run_command(cmd, raiseonerr=raiseonerr) - --- -2.26.2 - -From 3b8fdd87760cfb8ec739c67298f012cf0bd3ac39 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Wed, 5 Aug 2020 10:02:31 +0200 -Subject: [PATCH] ipatests: test_epn: test_EPN_nbdays enhancements -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Enhance test_EPN_nbdays so that it checks: -* that no emails get sent when using --dry-run -* that --from-nbdays implies --dry-run -* that --to-nbdays requires --from-nbdays -* illegal inputs for nbdays: -** from-nbdays > to-nbdays -** non-numerical input -** decimal input - -Fixes: https://pagure.io/freeipa/issue/8449 
-Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> ---- - ipatests/test_integration/test_epn.py | 130 +++++++++++++++++++++++--- - 1 file changed, 117 insertions(+), 13 deletions(-) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index f4c123c6d..18f73c722 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -15,6 +15,13 @@ - # You should have received a copy of the GNU General Public License - # along with this program. If not, see <http://www.gnu.org/licenses/>. - -+###### -+# This test suite will _expectedly_ fail if run at the end of the UTC day -+# because users would be created during day N and then EPN output checked -+# during day N+1. This is expected and should be ignored as it does not -+# reflect a product bug. -- fcami -+###### -+ - from __future__ import print_function, absolute_import - - import base64 -@@ -178,12 +185,14 @@ class TestEPN(IntegrationTest): - from_nbdays=None, - to_nbdays=None, - raiseonerr=True, -+ validatejson=True - ): - result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run, - from_nbdays=from_nbdays, - to_nbdays=to_nbdays) -- json.dumps(json.loads(result.stdout_text), ensure_ascii=False) -- return (result.stdout_text, result.stderr_text) -+ if validatejson: -+ json.dumps(json.loads(result.stdout_text), ensure_ascii=False) -+ return (result.stdout_text, result.stderr_text, result.returncode) - - @classmethod - def install(cls, mh): -@@ -244,12 +253,12 @@ class TestEPN(IntegrationTest): - ''') - self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) - # check EPN on client (LDAP+GSSAPI) -- (stdout_text, unused) = self._check_epn_output( -+ (stdout_text, unused, _unused) = self._check_epn_output( - self.clients[0], dry_run=True - ) - assert len(json.loads(stdout_text)) == 0 - # check EPN on master (LDAPI) -- 
(stdout_text, unused) = self._check_epn_output( -+ (stdout_text, unused, _unused) = self._check_epn_output( - self.master, dry_run=True - ) - assert len(json.loads(stdout_text)) == 0 -@@ -292,10 +301,10 @@ class TestEPN(IntegrationTest): - ), - ], - ) -- (stdout_text_client, unused) = self._check_epn_output( -+ (stdout_text_client, unused, _unused) = self._check_epn_output( - self.clients[0], dry_run=True - ) -- (stdout_text_master, unused) = self._check_epn_output( -+ (stdout_text_master, unused, _unused) = self._check_epn_output( - self.master, dry_run=True - ) - assert stdout_text_master == stdout_text_client -@@ -331,10 +340,10 @@ class TestEPN(IntegrationTest): - password=None, - ) - -- (stdout_text_client, unused) = self._check_epn_output( -+ (stdout_text_client, unused, _unused) = self._check_epn_output( - self.clients[0], dry_run=True - ) -- (stdout_text_master, unused) = self._check_epn_output( -+ (stdout_text_master, unused, _unused) = self._check_epn_output( - self.master, dry_run=True - ) - assert stdout_text_master == stdout_text_client -@@ -344,22 +353,117 @@ class TestEPN(IntegrationTest): - expected_users = ["user1", "user3", "user7", "user14", "user28"] - assert sorted(user_lst) == sorted(expected_users) - -- def test_EPN_nbdays(self): -+ def test_EPN_nbdays_0(self, cleanupmail): - """Test the to/from nbdays options (implies --dry-run) - - We have a set of users installed with varying expiration - dates. Confirm that to/from nbdays finds them. -+ -+ Make sure --dry-run does not accidentally send emails. 
- """ - -- # Compare the notify_ttls values -+ # Use the notify_ttls values with a 1-day sliding window - for i in self.notify_ttls: - user_list = [] -- (stdout_text_client, unused) = self._check_epn_output( -- self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True) -+ (stdout_text_client, unused, _unused) = self._check_epn_output( -+ self.clients[0], from_nbdays=i, to_nbdays=i + 1, dry_run=True -+ ) - for user in json.loads(stdout_text_client): - user_list.append(user["uid"]) - assert len(user_list) == 1 -- assert user_list[0] == "user%d" % i -+ userid = "user{id}".format(id=i) -+ assert user_list[0] == userid -+ -+ # Check that the user list is expected for any given notify_ttls. -+ (stdout_text_client, unused, _unused) = self._check_epn_output( -+ self.clients[0], to_nbdays=i -+ ) -+ user_list = [user["uid"] for user in json.loads(stdout_text_client)] -+ assert len(user_list) == 1 -+ assert user_list[0] == "user{id}".format(id=i - 1) -+ -+ # make sure no emails were sent -+ result = self.clients[0].run_command(['ls', '-lha', '/var/mail/']) -+ assert userid not in result.stdout_text -+ -+ def test_EPN_nbdays_1(self, cleanupmail): -+ """Test that for a given range, we find the users in that range""" -+ -+ # Use hardcoded date ranges for now -+ for date_range in [(0, 5), (7, 15), (1, 20)]: -+ expected_user_list = ["user{i}".format(i=i) -+ for i in range(date_range[0], date_range[1])] -+ (stdout_text_client, unused, _unused) = self._check_epn_output( -+ self.clients[0], -+ from_nbdays=date_range[0], -+ to_nbdays=date_range[1] -+ ) -+ user_list = [user["uid"] for user in json.loads(stdout_text_client)] -+ for user in expected_user_list: -+ assert user in user_list -+ for user in user_list: -+ assert user in expected_user_list -+ -+ # Test the to/from nbdays options behavior with illegal input -+ -+ def test_EPN_nbdays_input_0(self): -+ """Make sure that --to-nbdays implies --dry-run ; -+ therefore check that the output is valid JSON and contains the -+ 
expected user. -+ """ -+ -+ (stdout_text_client, unused, _unused) = self._check_epn_output( -+ self.clients[0], to_nbdays=5, dry_run=False -+ ) -+ assert len(json.loads(stdout_text_client)) == 1 -+ assert json.loads(stdout_text_client)[0]["uid"] == "user4" -+ -+ def test_EPN_nbdays_input_1(self): -+ """Make sure that --from-nbdays cannot be used without --to-nbdays""" -+ -+ (unused, stderr_text_client, rc) = \ -+ self._check_epn_output( -+ self.clients[0], from_nbdays=3, -+ raiseonerr=False, validatejson=False -+ ) -+ assert "You cannot specify --from-nbdays without --to-nbdays" \ -+ in stderr_text_client -+ assert rc > 0 -+ -+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) -+ def test_EPN_nbdays_input_2(self): -+ """alpha input""" -+ -+ (unused, stderr, rc) = self._check_epn_output( -+ self.clients[0], to_nbdays="abc", -+ raiseonerr=False, validatejson=False -+ ) -+ assert "error: --to-nbdays must be an integer." in stderr -+ assert rc > 0 -+ -+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) -+ def test_EPN_nbdays_input_3(self): -+ """from_nbdays > to_nbdays""" -+ -+ (unused, stderr, rc) = self._check_epn_output( -+ self.clients[0], from_nbdays=9, to_nbdays=7, -+ raiseonerr=False, validatejson=False -+ ) -+ assert "error: --from-nbdays must be smaller than --to-nbdays." in \ -+ stderr -+ assert rc > 0 -+ -+ @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) -+ def test_EPN_nbdays_input_4(self): -+ """decimal input""" -+ -+ (unused, stderr, rc) = self._check_epn_output( -+ self.clients[0], to_nbdays=7.3, -+ raiseonerr=False, validatejson=False -+ ) -+ logger.info(stderr) -+ assert rc > 0 -+ assert "error: --to-nbdays must be an integer." 
in stderr - - # From here the tests build on one another: - # 1) add auth --- -2.26.2 - -From b4266023e04729db12de2f7e0de4da9e1d00db38 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Fri, 7 Aug 2020 19:08:39 +0200 -Subject: [PATCH] ipatests: test_epn: update error messages -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Update error messages in the test. - -Fixes: https://pagure.io/freeipa/issue/8449 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> ---- - ipatests/test_integration/test_epn.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index e03521193..af662140a 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -458,7 +458,7 @@ class TestEPN(IntegrationTest): - self.clients[0], to_nbdays="abc", - raiseonerr=False, validatejson=False - ) -- assert "error: --to-nbdays must be an integer." in stderr -+ assert "error: --to-nbdays must be a positive integer." in stderr - assert rc > 0 - - @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) -@@ -483,7 +483,7 @@ class TestEPN(IntegrationTest): - ) - logger.info(stderr) - assert rc > 0 -- assert "error: --to-nbdays must be an integer." in stderr -+ assert "error: --to-nbdays must be a positive integer." 
in stderr - - # From here the tests build on one another: - # 1) add auth --- -2.26.2 - -From 2809084a44e3b174fa48a611e79f04358e1d6dca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com> -Date: Wed, 5 Aug 2020 09:05:31 +0200 -Subject: [PATCH] IPA-EPN: enhance input validation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Enhance input validation: -* make sure --from-nbdays and --to-nbdays are integer -* make sure --from-nbdays < --to-nbdays - -Fixes: https://pagure.io/freeipa/issue/8444 -Signed-off-by: François Cami <fcami@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> -Reviewed-By: Rob Crittenden <rcritten@redhat.com> -Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> ---- - ipaclient/install/ipa_epn.py | 28 +++++++++++++++++++++++++-- - ipatests/test_integration/test_epn.py | 3 --- - 2 files changed, 26 insertions(+), 5 deletions(-) - -diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py -index 82d7b3f57..88c926e88 100644 ---- a/ipaclient/install/ipa_epn.py -+++ b/ipaclient/install/ipa_epn.py -@@ -246,9 +246,33 @@ class EPN(admintool.AdminTool): - - def validate_options(self): - super(EPN, self).validate_options(needs_root=True) -- if self.options.to_nbdays: -+ if self.options.to_nbdays is not None: -+ try: -+ if int(self.options.to_nbdays) < 0: -+ raise RuntimeError('Input is negative.') -+ except Exception as e: -+ self.option_parser.error( -+ "--to-nbdays must be a positive integer. " -+ "{error}".format(error=e) -+ ) - self.options.dry_run = True -- if self.options.from_nbdays and not self.options.to_nbdays: -+ if self.options.from_nbdays is not None: -+ try: -+ if int(self.options.from_nbdays) < 0: -+ raise RuntimeError('Input is negative.') -+ except Exception as e: -+ self.option_parser.error( -+ "--from-nbdays must be a positive integer. 
" -+ "{error}".format(error=e) -+ ) -+ if self.options.from_nbdays is not None and \ -+ self.options.to_nbdays is not None: -+ if int(self.options.from_nbdays) >= int(self.options.to_nbdays): -+ self.option_parser.error( -+ "--from-nbdays must be smaller than --to-nbdays." -+ ) -+ if self.options.from_nbdays is not None and \ -+ self.options.to_nbdays is None: - self.option_parser.error( - "You cannot specify --from-nbdays without --to-nbdays" - ) -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index af662140a..fc26888cb 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -450,7 +450,6 @@ class TestEPN(IntegrationTest): - in stderr_text_client - assert rc > 0 - -- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) - def test_EPN_nbdays_input_2(self): - """alpha input""" - -@@ -461,7 +460,6 @@ class TestEPN(IntegrationTest): - assert "error: --to-nbdays must be a positive integer." in stderr - assert rc > 0 - -- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) - def test_EPN_nbdays_input_3(self): - """from_nbdays > to_nbdays""" - -@@ -473,7 +471,6 @@ class TestEPN(IntegrationTest): - stderr - assert rc > 0 - -- @pytest.mark.xfail(reason='freeipa ticket 8444', strict=True) - def test_EPN_nbdays_input_4(self): - """decimal input""" - --- -2.26.2 - diff --git a/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch b/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch deleted file mode 100644 index 3871c56..0000000 --- a/SOURCES/0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch +++ /dev/null 
@@ -1,141 +0,0 @@
-From 3cf7fb1014ae40fd5a5278f27577a8196a4af051 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 7 Aug 2020 07:51:53 +0200
-Subject: [PATCH] ipatests: test_epn: add test_EPN_connection_refused
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add a test for EPN behavior when the configured SMTP does not
-accept connections.
-
-Fixes: https://pagure.io/freeipa/issue/8445
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_epn.py | 27 ++++++++++++++++++++++++---
- 1 file changed, 24 insertions(+), 3 deletions(-)
-
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index c5c73835a..1a25d3710 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -182,14 +182,20 @@ class TestEPN(IntegrationTest):
- self,
- host,
- dry_run=False,
-+ mailtest=False,
- from_nbdays=None,
- to_nbdays=None,
- raiseonerr=True,
- validatejson=True
- ):
-- result = tasks.ipa_epn(host, raiseonerr=raiseonerr, dry_run=dry_run,
-- from_nbdays=from_nbdays,
-- to_nbdays=to_nbdays)
-+ result = tasks.ipa_epn(
-+ host,
-+ from_nbdays=from_nbdays,
-+ to_nbdays=to_nbdays,
-+ mailtest=mailtest,
-+ dry_run=dry_run,
-+ raiseonerr=raiseonerr
-+ )
- if validatejson:
- json.dumps(json.loads(result.stdout_text), ensure_ascii=False)
- return (result.stdout_text, result.stderr_text, result.returncode)
-@@ -243,6 +249,21 @@ class TestEPN(IntegrationTest):
- ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
- assert cmd2.stdout_text.find(ck) == 0
-
-+ @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
-+ def test_EPN_connection_refused(self):
-+ """Test EPN behavior when the configured SMTP is down
-+ """
-+
-+ self.master.run_command(["systemctl", "stop", "postfix"])
-+ (unused, stderr_text, rc) = self._check_epn_output(
-+ self.master, mailtest=True,
-+ raiseonerr=False, validatejson=False
-+ )
-+ self.master.run_command(["systemctl", "start", "postfix"])
-+ assert "IPA-EPN: Could not connect to the configured SMTP server" in \
-+ stderr_text
-+ assert rc > 0
-+
- def test_EPN_smoketest_1(self):
- """No users except admin. Check --dry-run output.
- With the default configuration, the result should be an empty list.
---
-2.26.2
-
-From 53f330b053740b169d211aa16b3b36fb61157bbd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 7 Aug 2020 06:19:31 +0200
-Subject: [PATCH] IPA-EPN: Fix SMTP connection error handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance error message when SMTP is down.
-
-Fixes: https://pagure.io/freeipa/issue/8445
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaclient/install/ipa_epn.py | 17 ++++++++++-------
- ipatests/test_integration/test_epn.py | 1 -
- 2 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
-index 0d1ae2add..82d7b3f57 100644
---- a/ipaclient/install/ipa_epn.py
-+++ b/ipaclient/install/ipa_epn.py
-@@ -38,6 +38,7 @@ from email.mime.multipart import MIMEMultipart
- from email.mime.text import MIMEText
- from email.header import Header
- from email.utils import make_msgid
-+from socket import error as socketerror
-
- from ipaplatform.paths import paths
- from ipalib import api, errors
-@@ -640,13 +641,15 @@ class MTAClient:
- port=self._smtp_port,
- timeout=self._smtp_timeout,
- )
-- except smtplib.SMTPException as e:
-- logger.error(
-- "IPA-EPN: Unable to connect to %s:%s: %s",
-- self._smtp_hostname,
-- self._smtp_port,
-- e,
-- )
-+ except (socketerror, smtplib.SMTPException) as e:
-+ msg = \
-+ "IPA-EPN: Could not connect to the configured SMTP server: " \
-+ "{host}:{port}: {error}".format(
-+ host=self._smtp_hostname,
-+ port=self._smtp_port,
-+ error=e
-+ )
-+ raise admintool.ScriptError(msg)
-
- try:
- self._conn.ehlo()
-diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
-index 1a25d3710..e03521193 100644
---- a/ipatests/test_integration/test_epn.py
-+++ b/ipatests/test_integration/test_epn.py
-@@ -249,7 +249,6 @@ class TestEPN(IntegrationTest):
- ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
- assert cmd2.stdout_text.find(ck) == 0
-
-- @pytest.mark.xfail(reason='freeipa ticket 8445', strict=True)
- def test_EPN_connection_refused(self):
- """Test EPN behavior when the configured SMTP is down
- """
---
-2.26.2
-
diff --git a/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch b/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
deleted file mode 100644
index 8f8c1df..0000000
--- a/SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 4 Aug 2020 15:09:56 -0400
-Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
-
-It was previously being set to 0444 which triggered a warning
-in freeipa-healthcheck.
-
-Even root needs DAC_OVERRIDE capability to write to a 0o444 file
-which may not be available in some environments.
-
-https://pagure.io/freeipa/issue/8441
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/certs.py | 2 +-
- ipaserver/install/server/install.py | 5 ++---
- 2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
-index 22ee79bd1..51d9f9221 100644
---- a/ipaserver/install/certs.py
-+++ b/ipaserver/install/certs.py
-@@ -329,7 +329,7 @@ class CertDB:
- ipautil.backup_file(cacert_fname)
- root_nicknames = self.find_root_cert(nickname)[:-1]
- with open(cacert_fname, "w") as f:
-- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
-+ os.fchmod(f.fileno(), 0o644)
- for root in root_nicknames:
- result = self.run_certutil(["-L", "-n", root, "-a"],
- capture_output=True)
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index b53c58e2a..6a593602f 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -891,9 +891,8 @@ def install(installer):
-
- ca.install_step_0(False, None, options, custodia=custodia)
- else:
-- # Put the CA cert where other instances expect it
-- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
-- os.chmod(paths.IPA_CA_CRT, 0o444)
-+ # /etc/ipa/ca.crt is created as a side-effect of
-+ # dsinstance::enable_ssl() via export_ca_cert()
-
- if not options.no_pkinit:
- x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
---
-2.26.2
-
-From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 4 Aug 2020 15:12:20 -0400
-Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
- installations
-
-It should be 0644 root:root for both CA-ful and CA-less installs.
-
-https://pagure.io/freeipa/issue/8441
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_integration/test_caless.py | 8 ++++++++
- ipatests/test_integration/test_installation.py | 10 ++++++++++
- 2 files changed, 18 insertions(+)
-
-diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
-index 1ea7d9896..16dfbb320 100644
---- a/ipatests/test_integration/test_caless.py
-+++ b/ipatests/test_integration/test_caless.py
-@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
- host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
- assert cert_from_ldap == expected_cacrt
-
-+ result = host.run_command(
-+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
-+ )
-+ (owner, group, mode) = result.stdout_text.strip().split(':')
-+ assert owner == "root"
-+ assert group == "root"
-+ assert mode == "644"
-+
- # Verify certmonger was not started
- result = host.run_command(['getcert', 'list'], raiseonerr=False)
- assert result.returncode == 0
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 100a5a766..fb1990083 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
- status = tasks.wait_for_request(self.master, request_id[0], 300)
- assert status == "MONITORING"
-
-+ def test_ipa_ca_crt_permissions(self):
-+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
-+ result = self.master.run_command(
-+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
-+ )
-+ out = str(result.stdout_text.strip())
-+ (owner, group, mode) = out.split(':')
-+ assert mode == "644"
-+ assert owner == "root"
-+ assert group == "root"
-
- class TestInstallWithCA_KRA1(InstallTestBase1):
-
---
-2.26.2
-
diff --git a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
deleted file mode 100644
index 2e1c708..0000000
--- a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 7 Sep 2020 11:07:21 +0200
-Subject: [PATCH] SELinux Policy: let custodia replicate keys
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Enhance the SELinux policy so that custodia can replicate sub-CA keys
-and certificates:
-allow ipa_custodia_t self:tcp_socket { bind create };
-allow ipa_custodia_t node_t:tcp_socket node_bind;
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-allow ipa_custodia_t self:process execmem;
-
-Found by: test_replica_promotion::TestSubCAkeyReplication
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- selinux/ipa.te | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index c4c3fa805..3fa4ba980 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
- type ipa_custodia_tmp_t;
- files_tmp_file(ipa_custodia_tmp_t)
-
-+type pki_tomcat_cert_t;
-+type node_t;
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -323,10 +326,18 @@ optional_policy(`
- allow ipa_custodia_t self:capability { setgid setuid };
- allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
- allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-+allow ipa_custodia_t self:process execmem;
- allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
- allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
-+allow ipa_custodia_t self:tcp_socket { bind create };
- allow ipa_custodia_t self:udp_socket create_socket_perms;
-
-+allow ipa_custodia_t node_t:tcp_socket node_bind;
-+
-+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-+allow ipa_custodia_t pki_tomcat_cert_t:file create;
-+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-+
- manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
- logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
---
-2.26.2
-
diff --git a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch b/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
deleted file mode 100644
index a95c32b..0000000
--- a/SOURCES/0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-Adapted version of d1c860e59b52. to make it apply without commits
-
-34b4d9bce5 - ipatests: Test ipa user login with wrong password
-ab36d79adc - ipatests: Test for ipa-nis-manage CLI tool.
-
-From d1c860e59b5237178066ed963cc2fa50d99cd690 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 16 Sep 2020 17:07:21 +0200
-Subject: [PATCH] ipatests: check that pkispawn log is not empty
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since commits:
-https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
-https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
-pkispawn will not honor the pki_log_level configuration item.
-All 10.9 Dogtag versions have these commits.
-This affects FreeIPA in that it makes debugging Dogtag installation issues next
-to impossible.
-Adding --debug to the pkispawn CLI is required to revert to the previous
-behavior.
-Therefore check that the log is not empty and contains DEBUG+INFO lines.
-
-Fixes: https://pagure.io/freeipa/issue/8503
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_integration/test_commands.py | 23 ++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index fa6abd81e..3a12bcde2 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -1295,3 +1295,26 @@ class TestIPACommand(IntegrationTest):
- assert msg2 not in result.stderr_text
- finally:
- bashrc_backup.restore()
-+
-+ def test_pkispawn_log_is_present(self):
-+ """
-+ This testcase checks if pkispawn logged properly.
-+ It is a candidate from being moved out of test_commands.
-+ """
-+ result = self.master.run_command(
-+ ["ls", "/var/log/pki/"]
-+ )
-+ pkispawnlogfile = None
-+ for file in result.stdout_text.splitlines():
-+ if file.startswith("pki-ca-spawn"):
-+ pkispawnlogfile = file
-+ break
-+ assert pkispawnlogfile is not None
-+ pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
-+ pkispawnlog = self.master.get_file_contents(
-+ pkispawnlogfile, encoding='utf-8'
-+ )
-+ # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
-+ assert len(pkispawnlog) > 1024
-+ assert "DEBUG" in pkispawnlog
-+ assert "INFO" in pkispawnlog
---
-2.26.2
-
-From 97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 17 Sep 2020 07:31:59 +0200
-Subject: [PATCH] dogtaginstance.py: add --debug to pkispawn
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since commits:
-https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
-https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
-pkispawn will not honor the pki_log_level configuration item.
-All 10.9 Dogtag versions have these commits.
-This affects FreeIPA in that it makes debugging Dogtag installation issues next
-to impossible.
-Adding --debug to the pkispawn CLI is required to revert to the previous
-behavior.
-
-Fixes: https://pagure.io/freeipa/issue/8503
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/install/dogtaginstance.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
-index 524262ad7..03fdd7c0b 100644
---- a/ipaserver/install/dogtaginstance.py
-+++ b/ipaserver/install/dogtaginstance.py
-@@ -183,7 +183,8 @@ class DogtagInstance(service.Service):
- subsystem = self.subsystem
- args = [paths.PKISPAWN,
- "-s", subsystem,
-- "-f", cfg_file]
-+ "-f", cfg_file,
-+ "--debug"]
-
- with open(cfg_file) as f:
- logger.debug(
---
-2.26.2
-
diff --git a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch b/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
deleted file mode 100644
index d271d98..0000000
--- a/SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
+++ /dev/null
@@ -1,549 +0,0 @@
-From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 17 Sep 2020 11:30:45 +0200
-Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-enhance the test suite so that it covers:
-- deleting subCAs (disabling them first)
-- checking what happens when creating a dozen+ subCAs at a time
-- adding a subCA that already exists and expect failure
-
-Related: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- .../test_replica_promotion.py | 52 +++++++++++++++++--
- 1 file changed, 47 insertions(+), 5 deletions(-)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 82117054f..f0b72e1f8 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
- SERVER_CERT_NICK: 'u,u,u',
- }
-
-- def add_subca(self, host, name, subject):
-+ def add_subca(self, host, name, subject, raiseonerr=True):
- result = host.run_command([
- 'ipa', 'ca-add', name,
- '--subject', subject,
-- '--desc', self.SUBCA_DESC,
-+ '--desc', self.SUBCA_DESC],
-+ raiseonerr=raiseonerr
-+ )
-+ if raiseonerr:
-+ assert "ipa: ERROR:" not in result.stderr_text
-+ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-+ return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
-+ else:
-+ assert "ipa: ERROR:" in result.stderr_text
-+ assert result.returncode != 0
-+ return result
-+
-+ def del_subca(self, host, name):
-+ host.run_command([
-+ 'ipa', 'ca-disable', name
- ])
-- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
-- return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
-+ result = host.run_command([
-+ 'ipa', 'ca-del', name
-+ ])
-+ assert "Deleted CA \"{}\"".format(name) in result.stdout_text
-
- def check_subca(self, host, name, cert_nick):
-- host.run_command(['ipa', 'ca-show', name])
-+ result = host.run_command(['ipa', 'ca-show', name])
-+ # ipa ca-show returns 0 even if the cert cannot be found locally.
-+ assert "ipa: ERROR:" not in result.stderr_text
- tasks.run_certutil(
- host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
- )
-@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
- ssl = replica.run_command(ssl_cmd)
- assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
-
-+ def test_del_subca_master_on_replica(self):
-+ self.del_subca(self.replicas[0], self.SUBCA_MASTER)
-+
-+ def test_del_subca_replica(self):
-+ self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
-+
-+ def test_scale_add_subca(self):
-+ master = self.master
-+ replica = self.replicas[0]
-+
-+ subcas = {}
-+ for i in range(0, 16):
-+ name = "_".join((self.SUBCA_MASTER, str(i)))
-+ cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
-+ subcas[name] = self.add_subca(master, name, cn)
-+ self.add_subca(master, name, cn, raiseonerr=False)
-+
-+ # give replication some time
-+ time.sleep(15)
-+
-+ for name in subcas:
-+ self.check_subca(replica, name, subcas[name])
-+ self.del_subca(replica, name)
-+
-
- class TestReplicaInstallCustodia(IntegrationTest):
- """
---
-2.26.2
-
-From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 18 Sep 2020 11:55:37 +0200
-Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add proper labeling, transition and policy for ipa-pki-retrieve-key.
-Make sure tomcat_t can execute ipa-pki-retrieve-key.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.fc | 1 +
- selinux/ipa.te | 28 ++++++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/selinux/ipa.fc b/selinux/ipa.fc
-index a98cc4665..1176f383c 100644
---- a/selinux/ipa.fc
-+++ b/selinux/ipa.fc
-@@ -30,5 +30,6 @@
- /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
- /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
- /usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
-+/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
-
- /var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 3fa4ba980..26daed293 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
- type pki_tomcat_cert_t;
- type node_t;
-
-+type ipa_pki_retrieve_key_exec_t;
-+init_script_file(ipa_pki_retrieve_key_exec_t)
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -412,3 +415,28 @@ optional_policy(`
- optional_policy(`
- systemd_private_tmp(ipa_custodia_tmp_t)
- ')
-+
-+optional_policy(`
-+ gen_require(`
-+ type tomcat_t;
-+ ')
-+ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
-+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
-+')
-+
-+optional_policy(`
-+ gen_require(`
-+ type devlog_t;
-+ ')
-+
-+ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
-+')
-+
-+optional_policy(`
-+ java_exec(ipa_custodia_pki_tomcat_exec_t)
-+ # allow Java to read system status and RNG
-+ dev_read_urand(ipa_custodia_t)
-+ dev_read_rand(ipa_custodia_t)
-+ kernel_read_network_state(ipa_custodia_t)
-+ dev_read_sysfs(ipa_custodia_t)
-+')
---
-2.26.2
-
-From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 18 Sep 2020 17:45:39 +0200
-Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is used by the JVM perf counters.
-
-Related: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 26daed293..0a9ccaf83 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
-
- manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
-+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
-
- kernel_dgram_send(ipa_custodia_t)
---
-2.26.2
-
-From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 21 Sep 2020 11:32:52 +0200
-Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
- ipa_pki_retrieve_key_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
-ipa_pki_retrieve_key_exec_t.
-As suggested by Ondrej Mosnáček.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 0a9ccaf83..92a3b2359 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,6 +78,8 @@ type node_t;
- type ipa_pki_retrieve_key_exec_t;
- init_script_file(ipa_pki_retrieve_key_exec_t)
-
-+type ipa_pki_retrieve_key_t;
-+
- ########################################
- #
- # ipa_otpd local policy
-@@ -422,7 +424,7 @@ optional_policy(`
- type tomcat_t;
- ')
- can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
-- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
-+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
- ')
-
- optional_policy(`
---
-2.26.2
-
-From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 21 Sep 2020 11:37:12 +0200
-Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
- ipa_custodia_pki_tomcat_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
-ipa_custodia_pki_tomcat_t.
-As suggested by Ondrej Mosnáček.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 92a3b2359..b2c618a53 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
- type ipa_custodia_pki_tomcat_exec_t;
- init_script_file(ipa_custodia_pki_tomcat_exec_t)
-
-+type ipa_custodia_pki_tomcat_t;
-+
- type ipa_custodia_ra_agent_exec_t;
- init_script_file(ipa_custodia_ra_agent_exec_t)
-
-@@ -436,7 +438,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-- java_exec(ipa_custodia_pki_tomcat_exec_t)
-+ java_exec(ipa_custodia_pki_tomcat_t)
- # allow Java to read system status and RNG
- dev_read_urand(ipa_custodia_t)
- dev_read_rand(ipa_custodia_t)
---
-2.26.2
-
-From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 11:36:13 +0200
-Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
- domain_type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index b2c618a53..42b010133 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
- type node_t;
-
- type ipa_pki_retrieve_key_exec_t;
-+domain_type(ipa_pki_retrieve_key_exec_t)
- init_script_file(ipa_pki_retrieve_key_exec_t)
-
- type ipa_pki_retrieve_key_t;
---
-2.26.2
-
-From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 13:12:05 +0200
-Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
- non-optional
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Interfaces for kernel modules do not need to be in an optional module.
-Also make sure ipa_custodia_t can log.
-Suggested by Lukas Vrabec.
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
- selinux/ipa.te | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 42b010133..f984a0f94 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
- type node_t;
-
- type ipa_pki_retrieve_key_exec_t;
--domain_type(ipa_pki_retrieve_key_exec_t)
--init_script_file(ipa_pki_retrieve_key_exec_t)
--
- type ipa_pki_retrieve_key_t;
-+domain_type(ipa_pki_retrieve_key_t)
-+init_script_file(ipa_pki_retrieve_key_exec_t)
-
- ########################################
- #
-@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
- files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
-
- kernel_dgram_send(ipa_custodia_t)
-+kernel_read_network_state(ipa_custodia_t)
-
- auth_read_passwd(ipa_custodia_t)
-
-@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
- corecmd_exec_bin(ipa_custodia_t)
- corecmd_mmap_bin_files(ipa_custodia_t)
-
-+dev_read_urand(ipa_custodia_t)
-+dev_read_rand(ipa_custodia_t)
-+dev_read_sysfs(ipa_custodia_t)
-+
- domain_use_interactive_fds(ipa_custodia_t)
-
-
files_mmap_usr_files(ipa_custodia_t)
-@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
- libs_exec_ldconfig(ipa_custodia_t)
- libs_ldconfig_exec_entry_type(ipa_custodia_t)
-
-+logging_send_syslog_msg(ipa_custodia_t)
-+
- miscfiles_read_generic_certs(ipa_custodia_t)
- miscfiles_read_localization(ipa_custodia_t)
-
-@@ -441,8 +447,4 @@ optional_policy(`
- optional_policy(`
- java_exec(ipa_custodia_pki_tomcat_t)
- # allow Java to read system status and RNG
-- dev_read_urand(ipa_custodia_t)
-- dev_read_rand(ipa_custodia_t)
-- kernel_read_network_state(ipa_custodia_t)
-- dev_read_sysfs(ipa_custodia_t)
- ')
---
-2.26.2
-
-From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Sep 2020 13:34:40 +0200
-Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is required to fix:
-avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
-
-Macros suggested by: Ondrej Mosnacek
-
-Fixes: https://pagure.io/freeipa/issue/8488
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
-Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
-Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
-Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
- selinux/ipa.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index f984a0f94..fa577191c 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -448,3 +448,11 @@ optional_policy(`
- java_exec(ipa_custodia_pki_tomcat_t)
- # allow Java to read system status and RNG
- ')
-+
-+optional_policy(`
-+ gen_require(`
-+ type tomcat_t;
-+ ')
-+ kerberos_read_config(tomcat_t)
-+ kerberos_read_keytab(tomcat_t)
-+')
---
-2.26.2
-
diff --git a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch b/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
deleted file mode 100644
index 6ec25a7..0000000
--- a/SOURCES/0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 23 Sep 2020 09:17:53 +0200
-Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-node_t and pki_tomcat_cert_t are defined in other modules.
-Do not double-define them.
-
-Fixes: https://pagure.io/freeipa/issue/8513
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
- selinux/ipa.te | 25 ++++++++++++++++---------
- 1 file changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index fa577191c..d80e64a0b 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
- type ipa_custodia_tmp_t;
- files_tmp_file(ipa_custodia_tmp_t)
-
--type pki_tomcat_cert_t;
--type node_t;
--
- type ipa_pki_retrieve_key_exec_t;
- type ipa_pki_retrieve_key_t;
- domain_type(ipa_pki_retrieve_key_t)
-@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
- allow ipa_custodia_t self:tcp_socket { bind create };
- allow ipa_custodia_t self:udp_socket create_socket_perms;
-
--allow ipa_custodia_t node_t:tcp_socket node_bind;
--
--allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
--allow ipa_custodia_t pki_tomcat_cert_t:file create;
--allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
--
- manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
- manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
- logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
-@@ -456,3 +447,19 @@ optional_policy(`
- kerberos_read_config(tomcat_t)
- kerberos_read_keytab(tomcat_t)
- ')
-+
-+optional_policy(`
-+ gen_require(`
-+ type node_t;
-+ ')
-+ allow ipa_custodia_t node_t:tcp_socket node_bind;
-+')
-+
-+optional_policy(` -+ gen_require(` -+ type pki_tomcat_cert_t; -+ ') -+ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; -+ allow ipa_custodia_t pki_tomcat_cert_t:file create; -+ allow ipa_custodia_t pki_tomcat_cert_t:file unlink; -+') --- -2.26.2 - diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index b252f00..2ff282b 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,7 +1,7 @@ -From f40f42dd9b8c5da54a872ef6a7de46e5ae3ba341 Mon Sep 17 00:00:00 2001 +From 801b072f7fdc3e8b961136d52704f3e09314511e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 01/78] client/man/default.conf.5: Change branding to IPA and +Subject: [PATCH 01/93] client/man/default.conf.5: Change branding to IPA and Identity Management --- @@ -9,7 +9,7 @@ Subject: [PATCH 01/78] client/man/default.conf.5: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 -index 728fc0871..6ec8616bc 100644 +index 8336ed8..f85fd67 100644 --- a/client/man/default.conf.5 +++ b/client/man/default.conf.5 @@ -16,7 +16,7 @@ @@ -22,12 +22,13 @@ index 728fc0871..6ec8616bc 100644 default.conf \- IPA configuration file .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From ddf6ddd9a6b0482d01fce2df102f25d719adfa79 Mon Sep 17 00:00:00 2001 + +From 0304c1f2a71889d069ef56928b6c200cfe8536b1 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 02/78] client/man/ipa-certupdate.1: Change branding to IPA and +Subject: [PATCH 02/93] client/man/ipa-certupdate.1: Change branding to IPA and Identity Management --- 
@@ -35,7 +36,7 @@ Subject: [PATCH 02/78] client/man/ipa-certupdate.1: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1 -index d95790a36..431b395a9 100644 +index d95790a..431b395 100644 --- a/client/man/ipa-certupdate.1 +++ b/client/man/ipa-certupdate.1 @@ -16,7 +16,7 @@ @@ -48,12 +49,13 @@ index d95790a36..431b395a9 100644 ipa\-certupdate \- Update local IPA certificate databases with certificates from the server .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 100af01bbb2838c4c43159f4eaa925c57113baec Mon Sep 17 00:00:00 2001 +From 6ea76e04904faed0bb4622a25e79050cb40de03b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 03/78] client/man/ipa-client-automount.1: Change branding to +Subject: [PATCH 03/93] client/man/ipa-client-automount.1: Change branding to IPA and Identity Management --- @@ -61,7 +63,7 @@ Subject: [PATCH 03/78] client/man/ipa-client-automount.1: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1 -index 4c3caee93..3f6edabd0 100644 +index 4c3caee..3f6edab 100644 --- a/client/man/ipa-client-automount.1 +++ b/client/man/ipa-client-automount.1 @@ -16,7 +16,7 @@ @@ -74,12 +76,13 @@ index 4c3caee93..3f6edabd0 100644 ipa\-client\-automount \- Configure automount and NFS for IPA .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 497a46243f09fa8d8a295f61710065c675a91800 Mon Sep 17 00:00:00 2001 + +From 9ce4bccbcc4270742012e548a94de7a29f809071 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 04/78] client/man/ipa-client-install.1: Change branding to IPA +Subject: [PATCH 04/93] client/man/ipa-client-install.1: Change branding to IPA and Identity Management --- 
@@ -87,7 +90,7 @@ Subject: [PATCH 04/78] client/man/ipa-client-install.1: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1 -index 2d031fb2c..64ab1bff0 100644 +index 2d031fb..64ab1bf 100644 --- a/client/man/ipa-client-install.1 +++ b/client/man/ipa-client-install.1 @@ -1,7 +1,7 @@ @@ -100,12 +103,13 @@ index 2d031fb2c..64ab1bff0 100644 ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 5d13b4528df055dee11ddd07c10a073b8ddd0065 Mon Sep 17 00:00:00 2001 +From b82626b957bec1d023b204d77d8c0f28b495756a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 05/78] client/man/ipa-getkeytab.1: Change branding to IPA and +Subject: [PATCH 05/93] client/man/ipa-getkeytab.1: Change branding to IPA and Identity Management --- @@ -113,7 +117,7 @@ Subject: [PATCH 05/78] client/man/ipa-getkeytab.1: Change branding to IPA and 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 -index f06fcd910..01a2618ef 100644 +index a4bcd88..b57c548 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ @@ -135,12 +139,13 @@ index f06fcd910..01a2618ef 100644 .SH "EXAMPLES" Add and retrieve a keytab for the NFS service principal on -- -2.21.1 +2.28.0 -From c89ccf3e9cf8868c19e12716dcff110b0cc040fc Mon Sep 17 00:00:00 2001 + +From 4f371317112e7f02d53a00b63ae4c0836923f947 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 06/78] client/man/ipa-join.1: Change branding to IPA and +Subject: [PATCH 06/93] client/man/ipa-join.1: Change branding to IPA and Identity Management --- @@ -148,7 +153,7 @@ Subject: [PATCH 06/78] client/man/ipa-join.1: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1 -index d88160784..30b667558 100644 +index 6e512b8..5eaf68f 100644 --- a/client/man/ipa-join.1 +++ b/client/man/ipa-join.1 @@ -16,7 +16,7 @@ @@ -161,12 +166,13 @@ index d88160784..30b667558 100644 ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From e691f8e132a0d7f12049015cf728e6ed1f3ca18b Mon Sep 17 00:00:00 2001 +From 32d30177deb6cd2753eb2871957b83d3421c002f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 07/78] client/man/ipa-rmkeytab.1: Change branding to IPA and +Subject: [PATCH 07/93] client/man/ipa-rmkeytab.1: Change branding to IPA and Identity Management --- @@ -174,7 +180,7 @@ Subject: [PATCH 07/78] client/man/ipa-rmkeytab.1: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1 -index 53f775439..2c8218c94 100644 +index 53f7754..2c8218c 100644 --- a/client/man/ipa-rmkeytab.1 +++ b/client/man/ipa-rmkeytab.1 @@ -17,7 +17,7 @@ @@ -187,12 +193,13 @@ index 53f775439..2c8218c94 100644 ipa\-rmkeytab \- Remove a kerberos principal from a keytab .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 5bfab52a3246268a063d16700bf7063da56f3fa4 Mon Sep 17 00:00:00 2001 + +From 57c3e0cee6397e4aa6fb2c5fe792759e6fda7d99 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 08/78] client/man/ipa.1: Change branding to IPA and Identity +Subject: [PATCH 08/93] client/man/ipa.1: Change branding to IPA and Identity Management --- @@ -200,7 +207,7 @@ Subject: [PATCH 08/78] client/man/ipa.1: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/man/ipa.1 b/client/man/ipa.1 -index f9fae7c0d..2fb21b52d 100644 +index f9fae7c..2fb21b5 100644 --- a/client/man/ipa.1 
+++ b/client/man/ipa.1 @@ -16,7 +16,7 @@ @@ -213,12 +220,13 @@ index f9fae7c0d..2fb21b52d 100644 ipa \- IPA command\-line interface .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From e2387735f5a4b37cec1c850ac2725ed8ddf59322 Mon Sep 17 00:00:00 2001 +From 92d2f9691d307cd8572db9c2742cb78c7179896b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 09/78] install/html/ssbrowser.html: Change branding to IPA and +Subject: [PATCH 09/93] install/html/ssbrowser.html: Change branding to IPA and Identity Management --- @@ -226,7 +234,7 @@ Subject: [PATCH 09/78] install/html/ssbrowser.html: Change branding to IPA and 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html -index a48a24511..f934dbb40 100644 +index a48a245..f934dbb 100644 --- a/install/html/ssbrowser.html +++ b/install/html/ssbrowser.html @@ -2,7 +2,7 @@ @@ -248,12 +256,13 @@ index a48a24511..f934dbb40 100644 </nav> -- -2.21.1 +2.28.0 -From 10b4195ec2820ddbb67bcdb6a74a8f4aa20c12fe Mon Sep 17 00:00:00 2001 + +From 540ff1c5860d37c2042112fcaf5b8de237d8c109 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 10/78] install/html/unauthorized.html: Change branding to IPA +Subject: [PATCH 10/93] install/html/unauthorized.html: Change branding to IPA and Identity Management --- @@ -261,7 +270,7 @@ Subject: [PATCH 10/78] install/html/unauthorized.html: Change branding to IPA 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/html/unauthorized.html b/install/html/unauthorized.html -index 630982da8..b8c64d69d 100644 +index 630982d..b8c64d6 100644 --- a/install/html/unauthorized.html +++ b/install/html/unauthorized.html @@ -2,7 +2,7 @@ 
@@ -283,12 +292,13 @@ index 630982da8..b8c64d69d 100644 </nav> -- -2.21.1 +2.28.0 + -From 8293605a01b9b45d4ab87d7fd9342b9e832ba3ce Mon Sep 17 00:00:00 2001 +From b4b7601be41d0c814d55d64f38cfc3a3c08c1628 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 11/78] install/migration/index.html: Change branding to IPA +Subject: [PATCH 11/93] install/migration/index.html: Change branding to IPA and Identity Management --- @@ -296,7 +306,7 @@ Subject: [PATCH 11/78] install/migration/index.html: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/migration/index.html b/install/migration/index.html -index fca517cdc..b5ac1f6df 100644 +index fca517c..b5ac1f6 100644 --- a/install/migration/index.html +++ b/install/migration/index.html @@ -2,7 +2,7 @@ @@ -309,12 +319,13 @@ index fca517cdc..b5ac1f6df 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.21.1 +2.28.0 -From 6a479bab8581f2960a628d309a705d42ef9dfdbf Mon Sep 17 00:00:00 2001 + +From 69b03b7ca83ecb54cd6a8542a92c9c7cb102b3f6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 12/78] install/share/schema.d/README: Change branding to IPA +Subject: [PATCH 12/93] install/share/schema.d/README: Change branding to IPA and Identity Management --- @@ -322,7 +333,7 @@ Subject: [PATCH 12/78] install/share/schema.d/README: Change branding to IPA 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/schema.d/README b/install/share/schema.d/README -index 19e3e6832..2a92ec6ae 100644 +index 19e3e68..2a92ec6 100644 --- a/install/share/schema.d/README +++ b/install/share/schema.d/README @@ -7,8 +7,8 @@ schema files during the run of ipa-server-upgrade utility. Therefore, they are 
@@ -337,12 +348,13 @@ index 19e3e6832..2a92ec6ae 100644 You may place your schema files in a subdirectory too, the code that loads schema files processes recursively all subdirectories of schema.d. -- -2.21.1 +2.28.0 + -From c52b451a88bc8d18d1e08f237e5bcf648861c650 Mon Sep 17 00:00:00 2001 +From e8db20893eadd919dd295d65b31e509fca87930c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 13/78] install/tools/ipa-adtrust-install.in: Change branding +Subject: [PATCH 13/93] install/tools/ipa-adtrust-install.in: Change branding to IPA and Identity Management --- @@ -350,7 +362,7 @@ Subject: [PATCH 13/78] install/tools/ipa-adtrust-install.in: Change branding 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in -index 7d94b718e..80f5d27a7 100644 +index 93365cc..707b887 100644 --- a/install/tools/ipa-adtrust-install.in +++ b/install/tools/ipa-adtrust-install.in @@ -141,11 +141,11 @@ def main(): @@ -368,12 +380,13 @@ index 7d94b718e..80f5d27a7 100644 # print " * Add a SID to all users and Posix groups" print("") -- -2.21.1 +2.28.0 -From 7213f732557deb560aede21286abd2404a0e6f9e Mon Sep 17 00:00:00 2001 + +From dc37f813fce1df41e3bbf5adf3791b32bca3d87c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 14/78] install/tools/ipa-replica-conncheck.in: Change branding +Subject: [PATCH 14/93] install/tools/ipa-replica-conncheck.in: Change branding to IPA and Identity Management --- @@ -381,10 +394,10 @@ Subject: [PATCH 14/78] install/tools/ipa-replica-conncheck.in: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/ipa-replica-conncheck.in b/install/tools/ipa-replica-conncheck.in -index b22db1139..b86ce4569 100644 +index fdc3224..a749778 100644 --- a/install/tools/ipa-replica-conncheck.in 
+++ b/install/tools/ipa-replica-conncheck.in -@@ -290,7 +290,7 @@ class PortResponder(threading.Thread): +@@ -291,7 +291,7 @@ class PortResponder(threading.Thread): self._sockets = [] self._close = False self._close_lock = threading.Lock() @@ -394,12 +407,13 @@ index b22db1139..b86ce4569 100644 self.ports_open_cond = threading.Condition() -- -2.21.1 +2.28.0 + -From 1f2a34a5fcb88b3ca94949a513523eb3862e99c1 Mon Sep 17 00:00:00 2001 +From 223ff47bcb51ba58dd8123b764dfadfdc28fbaec Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 15/78] install/tools/man/ipa-adtrust-install.1: Change +Subject: [PATCH 15/93] install/tools/man/ipa-adtrust-install.1: Change branding to IPA and Identity Management --- @@ -407,7 +421,7 @@ Subject: [PATCH 15/78] install/tools/man/ipa-adtrust-install.1: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 -index b11065806..f70f316f6 100644 +index b110658..f70f316 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -16,7 +16,7 @@ @@ -429,12 +443,13 @@ index b11065806..f70f316f6 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.21.1 +2.28.0 -From 5742d0b0fa19dc744f81aeed6727c472d2e5505f Mon Sep 17 00:00:00 2001 + +From 33cde0005c9cb310d07071a6ca6d27fb320af952 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:39 +0300 -Subject: [PATCH 16/78] install/tools/man/ipa-advise.1: Change branding to IPA +Subject: [PATCH 16/93] install/tools/man/ipa-advise.1: Change branding to IPA and Identity Management --- @@ -442,7 +457,7 @@ Subject: [PATCH 16/78] install/tools/man/ipa-advise.1: Change branding to IPA 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1 -index 4c494aab9..515bbddbe 100644 +index 4c494aa..515bbdd 100644 --- a/install/tools/man/ipa-advise.1 +++ b/install/tools/man/ipa-advise.1 @@ -16,7 +16,7 @@ @@ -462,12 +477,13 @@ index 4c494aab9..515bbddbe 100644 \ No newline at end of file +1 if an error occurred -- -2.21.1 +2.28.0 + -From 650e5f89bb097c559b52a961866296380f3f94d5 Mon Sep 17 00:00:00 2001 +From 41eb935c96c0a6495f233fd0934be3e92a19407f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 17/78] install/tools/man/ipa-backup.1: Change branding to IPA +Subject: [PATCH 17/93] install/tools/man/ipa-backup.1: Change branding to IPA and Identity Management --- @@ -475,7 +491,7 @@ Subject: [PATCH 17/78] install/tools/man/ipa-backup.1: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-backup.1 b/install/tools/man/ipa-backup.1 -index 2f0bc9e6a..77d5d7caa 100644 +index 2f0bc9e..77d5d7c 100644 --- a/install/tools/man/ipa-backup.1 +++ b/install/tools/man/ipa-backup.1 @@ -16,7 +16,7 @@ @@ -488,12 +504,13 @@ index 2f0bc9e6a..77d5d7caa 100644 ipa\-backup \- Back up an IPA master .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From f8849ddf92e83d23b0c317b1c5f59ad9af1e3e1c Mon Sep 17 00:00:00 2001 + +From 1af2634f0f24d36bf9225a1b84e40294b914725f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 18/78] install/tools/man/ipa-ca-install.1: Change branding to +Subject: [PATCH 18/93] install/tools/man/ipa-ca-install.1: Change branding to IPA and Identity Management --- @@ -501,7 +518,7 @@ Subject: [PATCH 18/78] install/tools/man/ipa-ca-install.1: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 -index 3ebe32c0a..8e57c0092 100644 +index 3ebe32c..8e57c00 100644 
--- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -16,7 +16,7 @@ @@ -514,12 +531,13 @@ index 3ebe32c0a..8e57c0092 100644 ipa\-ca\-install \- Install a CA on a server .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 625ae452bc457003c9f4559884abb9afa2bb41ca Mon Sep 17 00:00:00 2001 +From 8ff8e7e56ce9efd49c597157b70189a76a588a42 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 19/78] install/tools/man/ipa-cacert-manage.1: Change branding +Subject: [PATCH 19/93] install/tools/man/ipa-cacert-manage.1: Change branding to IPA and Identity Management --- @@ -527,7 +545,7 @@ Subject: [PATCH 19/78] install/tools/man/ipa-cacert-manage.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 -index b76ee1816..4359b12e3 100644 +index 3f8c346..c992384 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -16,7 +16,7 @@ @@ -540,12 +558,13 @@ index b76ee1816..4359b12e3 100644 ipa\-cacert\-manage \- Manage CA certificates in IPA .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 13ebf098b64a5aefd39aac7a1eef1367170bc284 Mon Sep 17 00:00:00 2001 + +From 3dfaf75f7260a9dceb15089e98dc0d564078432c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 20/78] install/tools/man/ipa-compat-manage.1: Change branding +Subject: [PATCH 20/93] install/tools/man/ipa-compat-manage.1: Change branding to IPA and Identity Management --- @@ -553,7 +572,7 @@ Subject: [PATCH 20/78] install/tools/man/ipa-compat-manage.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1 -index f22b1743e..26470331a 100644 +index f22b174..2647033 100644 --- a/install/tools/man/ipa-compat-manage.1 
+++ b/install/tools/man/ipa-compat-manage.1 @@ -16,7 +16,7 @@ @@ -566,12 +585,13 @@ index f22b1743e..26470331a 100644 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 2dfc9079680b04f286eeed4f65ce4f02914c55b7 Mon Sep 17 00:00:00 2001 +From 9af2e4cdb0ad3ab9147d0a357153cc55d0bcc481 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 21/78] install/tools/man/ipa-csreplica-manage.1: Change +Subject: [PATCH 21/93] install/tools/man/ipa-csreplica-manage.1: Change branding to IPA and Identity Management --- @@ -579,7 +599,7 @@ Subject: [PATCH 21/78] install/tools/man/ipa-csreplica-manage.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1 -index ab5bfddd8..6d039751e 100644 +index ab5bfdd..6d03975 100644 --- a/install/tools/man/ipa-csreplica-manage.1 +++ b/install/tools/man/ipa-csreplica-manage.1 @@ -16,7 +16,7 @@ @@ -592,12 +612,13 @@ index ab5bfddd8..6d039751e 100644 ipa\-csreplica\-manage \- Manage an IPA CS replica .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 4858e90ba2b7aca2af1e2375b2442b3fa5c30f9c Mon Sep 17 00:00:00 2001 + +From b5b6885eb4503f63ced3fe1e9f1741c1ab4c84af Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 22/78] install/tools/man/ipa-dns-install.1: Change branding to +Subject: [PATCH 22/93] install/tools/man/ipa-dns-install.1: Change branding to IPA and Identity Management --- @@ -605,7 +626,7 @@ Subject: [PATCH 22/78] install/tools/man/ipa-dns-install.1: Change branding to 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1 -index 14e4cd51f..029001eca 100644 +index 14e4cd5..029001e 100644 --- a/install/tools/man/ipa-dns-install.1 
+++ b/install/tools/man/ipa-dns-install.1 @@ -1,7 +1,7 @@ @@ -627,12 +648,13 @@ index 14e4cd51f..029001eca 100644 This command requires that an IPA server is already installed and configured. -- -2.21.1 +2.28.0 + -From aeb6e9ae2e4ebf5d627e80f0a495a45589c0455f Mon Sep 17 00:00:00 2001 +From 1a4935f79690a6d4fb0158f854fde1af754edd95 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 23/78] install/tools/man/ipa-kra-install.1: Change branding to +Subject: [PATCH 23/93] install/tools/man/ipa-kra-install.1: Change branding to IPA and Identity Management --- @@ -640,7 +662,7 @@ Subject: [PATCH 23/78] install/tools/man/ipa-kra-install.1: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1 -index 6c8523aa0..5476a4e71 100644 +index 6c8523a..5476a4e 100644 --- a/install/tools/man/ipa-kra-install.1 +++ b/install/tools/man/ipa-kra-install.1 @@ -16,7 +16,7 @@ @@ -653,12 +675,13 @@ index 6c8523aa0..5476a4e71 100644 ipa\-kra\-install \- Install a KRA on a server .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From d71a89b2b1ebe588672e76f04c7edd6d7a287837 Mon Sep 17 00:00:00 2001 + +From 294662f5ac3ba2c96f0f37b9107f40b7f991590c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 24/78] install/tools/man/ipa-ldap-updater.1: Change branding +Subject: [PATCH 24/93] install/tools/man/ipa-ldap-updater.1: Change branding to IPA and Identity Management --- @@ -666,7 +689,7 @@ Subject: [PATCH 24/78] install/tools/man/ipa-ldap-updater.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1 -index 4893802c2..7ead55bd9 100644 +index 4893802..7ead55b 100644 --- a/install/tools/man/ipa-ldap-updater.1 +++ b/install/tools/man/ipa-ldap-updater.1 @@ -16,7 +16,7 @@ 
@@ -679,12 +702,13 @@ index 4893802c2..7ead55bd9 100644 ipa\-ldap\-updater \- Update the IPA LDAP configuration .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From acdf99fd7afbfd614b2db75bddf647ad12d2767f Mon Sep 17 00:00:00 2001 +From 356e3e24c2df2f8da159be229cd73416b5808097 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 25/78] install/tools/man/ipa-managed-entries.1: Change +Subject: [PATCH 25/93] install/tools/man/ipa-managed-entries.1: Change branding to IPA and Identity Management --- @@ -692,7 +716,7 @@ Subject: [PATCH 25/78] install/tools/man/ipa-managed-entries.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-managed-entries.1 b/install/tools/man/ipa-managed-entries.1 -index 3d5ca22b8..edaa0a90d 100644 +index 3d5ca22..edaa0a9 100644 --- a/install/tools/man/ipa-managed-entries.1 +++ b/install/tools/man/ipa-managed-entries.1 @@ -16,7 +16,7 @@ @@ -705,12 +729,13 @@ index 3d5ca22b8..edaa0a90d 100644 ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 2cbdc087d8f18733d36e60788faddef5a914821a Mon Sep 17 00:00:00 2001 + +From 03ab99f72d60f2e8240aa6222939384f227d4ba8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 26/78] install/tools/man/ipa-nis-manage.1: Change branding to +Subject: [PATCH 26/93] install/tools/man/ipa-nis-manage.1: Change branding to IPA and Identity Management --- @@ -718,7 +743,7 @@ Subject: [PATCH 26/78] install/tools/man/ipa-nis-manage.1: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 -index 93278487c..1107b7790 100644 +index 9327848..1107b77 100644 --- a/install/tools/man/ipa-nis-manage.1 +++ b/install/tools/man/ipa-nis-manage.1 @@ -16,7 +16,7 @@ 
@@ -731,12 +756,13 @@ index 93278487c..1107b7790 100644 ipa\-nis\-manage \- Enables or disables the NIS listener plugin .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 3af61d4b26532726492bc7d121ec8b39bb68dce6 Mon Sep 17 00:00:00 2001 +From d840ef02568c90384dcb597cdc3fa06148401e4b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 27/78] install/tools/man/ipa-otptoken-import.1: Change +Subject: [PATCH 27/93] install/tools/man/ipa-otptoken-import.1: Change branding to IPA and Identity Management --- @@ -744,7 +770,7 @@ Subject: [PATCH 27/78] install/tools/man/ipa-otptoken-import.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-otptoken-import.1 b/install/tools/man/ipa-otptoken-import.1 -index 920a08ca2..fe91040fa 100644 +index 920a08c..fe91040 100644 --- a/install/tools/man/ipa-otptoken-import.1 +++ b/install/tools/man/ipa-otptoken-import.1 @@ -16,7 +16,7 @@ @@ -757,12 +783,13 @@ index 920a08ca2..fe91040fa 100644 ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 426c1370d990dcd44612427abc75f8b21178f279 Mon Sep 17 00:00:00 2001 + +From e8488e7d4657538a407fcb6af8b65db03acc01f4 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 28/78] install/tools/man/ipa-pkinit-manage.1: Change branding +Subject: [PATCH 28/93] install/tools/man/ipa-pkinit-manage.1: Change branding to IPA and Identity Management --- @@ -770,7 +797,7 @@ Subject: [PATCH 28/78] install/tools/man/ipa-pkinit-manage.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-pkinit-manage.1 b/install/tools/man/ipa-pkinit-manage.1 -index 5018ce8aa..50d63e921 100644 +index 5018ce8..50d63e9 100644 --- a/install/tools/man/ipa-pkinit-manage.1 +++ b/install/tools/man/ipa-pkinit-manage.1 @@ -1,7 +1,7 @@ 
@@ -783,12 +810,13 @@ index 5018ce8aa..50d63e921 100644 ipa\-pkinit\-manage \- Enables or disables PKINIT .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 7553161cbb48d42e76babe540ae878d328cb462b Mon Sep 17 00:00:00 2001 +From 0d46f57eb6b80d9c807f30ca357b5a6e740f1aad Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 29/78] install/tools/man/ipa-replica-conncheck.1: Change +Subject: [PATCH 29/93] install/tools/man/ipa-replica-conncheck.1: Change branding to IPA and Identity Management --- @@ -796,7 +824,7 @@ Subject: [PATCH 29/78] install/tools/man/ipa-replica-conncheck.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1 -index 6451f3545..ed441e3be 100644 +index 6451f35..ed441e3 100644 --- a/install/tools/man/ipa-replica-conncheck.1 +++ b/install/tools/man/ipa-replica-conncheck.1 @@ -16,7 +16,7 @@ @@ -809,12 +837,13 @@ index 6451f3545..ed441e3be 100644 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 3676e1a1040aa6ae858134828cfcd7b35e74d4f5 Mon Sep 17 00:00:00 2001 + +From 3eff0ac28e58ce96c2ba9e439501654cefe7458f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 30/78] install/tools/man/ipa-replica-install.1: Change +Subject: [PATCH 30/93] install/tools/man/ipa-replica-install.1: Change branding to IPA and Identity Management --- @@ -822,7 +851,7 @@ Subject: [PATCH 30/78] install/tools/man/ipa-replica-install.1: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index 19d1d9110..44fce10ba 100644 +index 19d1d91..44fce10 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -1,7 +1,7 @@ 
@@ -853,12 +882,13 @@ index 19d1d9110..44fce10ba 100644 to the list automatically as restart of the LDAP service on each of them is required. The host where ipa\-adtrust\-install is being run is added -- -2.21.1 +2.28.0 + -From 139ddf89255aa4423499208d5b4191dbc7b829dd Mon Sep 17 00:00:00 2001 +From 2b097ebacacba27dd7af501ab4bdf521e9affac8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 31/78] install/tools/man/ipa-replica-manage.1: Change branding +Subject: [PATCH 31/93] install/tools/man/ipa-replica-manage.1: Change branding to IPA and Identity Management --- @@ -866,7 +896,7 @@ Subject: [PATCH 31/78] install/tools/man/ipa-replica-manage.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 -index 239f1591c..2c94278ca 100644 +index 239f159..2c94278 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -16,7 +16,7 @@ @@ -879,12 +909,13 @@ index 239f1591c..2c94278ca 100644 ipa\-replica\-manage \- Manage an IPA replica .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 773bf31555e662f24f807e4b69b8dcf1f88e3f83 Mon Sep 17 00:00:00 2001 + +From 78a43b16ab8b2914e243465642fef5de519adbe9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 32/78] install/tools/man/ipa-restore.1: Change branding to IPA +Subject: [PATCH 32/93] install/tools/man/ipa-restore.1: Change branding to IPA and Identity Management --- @@ -892,7 +923,7 @@ Subject: [PATCH 32/78] install/tools/man/ipa-restore.1: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1 -index 5843d5546..bc0755baa 100644 +index 5843d55..bc0755b 100644 --- a/install/tools/man/ipa-restore.1 +++ b/install/tools/man/ipa-restore.1 @@ -16,7 +16,7 @@ 
@@ -905,12 +936,13 @@ index 5843d5546..bc0755baa 100644 ipa\-restore \- Restore an IPA master .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From c00d47be96e91102bf3eeecf0a2363cf21f260eb Mon Sep 17 00:00:00 2001 +From 4c99b9799d6ba16191cb6a8c0bec5c89f2c1ed41 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 33/78] install/tools/man/ipa-server-certinstall.1: Change +Subject: [PATCH 33/93] install/tools/man/ipa-server-certinstall.1: Change branding to IPA and Identity Management --- @@ -918,7 +950,7 @@ Subject: [PATCH 33/78] install/tools/man/ipa-server-certinstall.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 -index 79bd7c885..3f12a5af2 100644 +index 8798819..0aa5315 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ @@ -931,12 +963,13 @@ index 79bd7c885..3f12a5af2 100644 ipa\-server\-certinstall \- Install new SSL server certificates .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From b95e2315685e4142b7f0d5ea1fdaa7b4a1b2a9d7 Mon Sep 17 00:00:00 2001 + +From 6a1ad17abeff8606049746caa7bd79bb7d1e8a5d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 34/78] install/tools/man/ipa-server-install.1: Change branding +Subject: [PATCH 34/93] install/tools/man/ipa-server-install.1: Change branding to IPA and Identity Management --- @@ -944,7 +977,7 @@ Subject: [PATCH 34/78] install/tools/man/ipa-server-install.1: Change branding 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 -index 1a4d2f658..fdb0f4cb3 100644 +index 1a4d2f6..fdb0f4c 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -1,7 +1,7 @@ 
@@ -966,12 +999,13 @@ index 1a4d2f658..fdb0f4cb3 100644 .TP \fB\-\-setup\-dns\fR -- -2.21.1 +2.28.0 + -From e63c333515020e37c3be9a9e2a3f67304badad2e Mon Sep 17 00:00:00 2001 +From 4db5773eb5b53b6f5cf94875241ca3110f0b08f8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 35/78] install/tools/man/ipa-server-upgrade.1: Change branding +Subject: [PATCH 35/93] install/tools/man/ipa-server-upgrade.1: Change branding to IPA and Identity Management --- @@ -979,7 +1013,7 @@ Subject: [PATCH 35/78] install/tools/man/ipa-server-upgrade.1: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 -index cbbdc5901..3db19b0f1 100644 +index cbbdc59..3db19b0 100644 --- a/install/tools/man/ipa-server-upgrade.1 +++ b/install/tools/man/ipa-server-upgrade.1 @@ -2,7 +2,7 @@ @@ -992,12 +1026,13 @@ index cbbdc5901..3db19b0f1 100644 ipa\-server\-upgrade \- upgrade IPA server .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From 7dfbdf73de322616cc6235db57bd8f3fd0805ac5 Mon Sep 17 00:00:00 2001 + +From cccdfc43e3350f07b09c3ebfc8b42b2fe34fcb11 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 36/78] install/tools/man/ipa-winsync-migrate.1: Change +Subject: [PATCH 36/93] install/tools/man/ipa-winsync-migrate.1: Change branding to IPA and Identity Management --- @@ -1005,7 +1040,7 @@ Subject: [PATCH 36/78] install/tools/man/ipa-winsync-migrate.1: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1 -index 88702bad6..1812f6348 100644 +index 88702ba..1812f63 100644 --- a/install/tools/man/ipa-winsync-migrate.1 +++ b/install/tools/man/ipa-winsync-migrate.1 @@ -16,7 +16,7 @@ 
@@ -1018,12 +1053,13 @@ index 88702bad6..1812f6348 100644 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users. .SH "SYNOPSIS" -- -2.21.1 +2.28.0 + -From 79d8cc19a6a65a00006ded393bc7b1716522bca1 Mon Sep 17 00:00:00 2001 +From 88d658bc5fc1d48974eb81d5b06d8368cc51425e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 37/78] install/tools/man/ipactl.8: Change branding to IPA and +Subject: [PATCH 37/93] install/tools/man/ipactl.8: Change branding to IPA and Identity Management --- @@ -1031,7 +1067,7 @@ Subject: [PATCH 37/78] install/tools/man/ipactl.8: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8 -index fb533aae2..d7aaaf8ed 100644 +index fb533aa..d7aaaf8 100644 --- a/install/tools/man/ipactl.8 +++ b/install/tools/man/ipactl.8 @@ -16,7 +16,7 @@ @@ -1044,12 +1080,13 @@ index fb533aae2..d7aaaf8ed 100644 ipactl \- IPA Server Control Interface .SH "SYNOPSIS" -- -2.21.1 +2.28.0 -From a4ee86f8c53ebb9dbec7ffd75a40f06c8104ad9a Mon Sep 17 00:00:00 2001 + +From 32f17868c89b47f0ee775279a63e670b44c766d8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 38/78] install/ui/css/patternfly.css: Change branding to IPA +Subject: [PATCH 38/93] install/ui/css/patternfly.css: Change branding to IPA and Identity Management --- @@ -1057,7 +1094,7 @@ Subject: [PATCH 38/78] install/ui/css/patternfly.css: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/css/patternfly.css b/install/ui/css/patternfly.css -index ee920530b..de574a84c 100644 +index ee92053..de574a8 100644 --- a/install/ui/css/patternfly.css +++ b/install/ui/css/patternfly.css @@ -4,4 +4,4 @@ 
@@ -1069,12 +1106,13 @@ index ee920530b..de574a84c 100644 + */.bootstrap-select.btn-group,.bootstrap-select.btn-group[class*=span]{float:none;display:inline-block;margin-bottom:10px;margin-left:0}.form-horizontal .bootstrap-select.btn-group,.form-inline .bootstrap-select.btn-group,.form-search .bootstrap-select.btn-group{margin-bottom:0}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none}.bootstrap-select.btn-group.pull-right,.bootstrap-select.btn-group[class*=span].pull-right,.row-fluid .bootstrap-select.btn-group[class*=span].pull-right{float:right}.input-append .bootstrap-select.btn-group{margin-left:-1px}.input-prepend .bootstrap-select.btn-group{margin-right:-1px}.bootstrap-select:not([class*=span]):not([class*=col-]):not([class*=form-control]){width:220px}.bootstrap-select{width:220px\9}.bootstrap-select.form-control:not([class*=span]){width:100%}.bootstrap-select>.btn{width:100%}.error .bootstrap-select .btn{border:1px solid #b94a48}.dropdown-menu{z-index:2000}.bootstrap-select.show-menu-arrow.open>.btn{z-index:2051}.bootstrap-select .btn:focus{outline:thin dotted #333!important;outline:5px auto -webkit-focus-ring-color!important;outline-offset:-2px}.bootstrap-select.btn-group .btn .filter-option{overflow:hidden;position:absolute;left:12px;right:25px;text-align:left}.bootstrap-select.btn-group .btn .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.bootstrap-select.btn-group .dropdown-menu li.disabled>a,.bootstrap-select.btn-group>.disabled{cursor:not-allowed}.bootstrap-select.btn-group>.disabled:focus{outline:0!important}.bootstrap-select.btn-group[class*=span] .btn{width:100%}.bootstrap-select.btn-group .dropdown-menu{min-width:100%;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}.bootstrap-select.btn-group 
.dropdown-menu.inner{position:static;border:0;padding:0;margin:0;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;-webkit-box-shadow:none;-moz-box-shadow:none;box-shadow:none}.bootstrap-select.btn-group .dropdown-menu dt{display:block;padding:3px 20px;cursor:default}.bootstrap-select.btn-group .div-contain{overflow:hidden}.bootstrap-select.btn-group .dropdown-menu li{position:relative}.bootstrap-select.btn-group .dropdown-menu li>a.opt{position:relative;padding-left:35px}.bootstrap-select.btn-group .dropdown-menu li>a{cursor:pointer}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a i.check-mark{display:inline-block;position:absolute;right:15px;margin-top:2.5px}.bootstrap-select.btn-group .dropdown-menu li a i.check-mark{display:none}.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select.btn-group .dropdown-menu li small{padding-left:.5em}.bootstrap-select.btn-group .dropdown-menu li.active:not(.disabled)>a small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled)>a:hover small{color:#64b1d8;color:rgba(255,255,255,.4)}.bootstrap-select.btn-group .dropdown-menu li>dt small{font-weight:400}.bootstrap-select.show-menu-arrow .dropdown-toggle:before{content:'';display:inline-block;border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid #CCC;border-bottom-color:rgba(0,0,0,.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle:after{content:'';display:inline-block;border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid #fff;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before{bottom:auto;top:-3px;border-top:7px solid 
#ccc;border-bottom:0;border-top-color:rgba(0,0,0,.2)}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after{bottom:auto;top:-3px;border-top:6px solid #fff;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:after,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle:before{display:block}.bootstrap-select.btn-group .no-results{padding:3px;background:#f5f5f5;margin:0 5px}.mobile-device{position:absolute;top:0;left:0;display:block!important;width:100%;height:100%!important;opacity:0}.bootstrap-select.fit-width{width:auto!important}.bootstrap-select.btn-group.fit-width .btn .filter-option{position:static}.bootstrap-select.btn-group.fit-width .btn .caret{position:static;top:auto;margin-top:-1px}.control-group.error .bootstrap-select .dropdown-toggle{border-color:#b94a48}.bootstrap-select-searchbox{padding:4px 8px}.bootstrap-select-searchbox input{margin-bottom:0}.alert{border-width:1px;padding-left:47px;padding-right:14px;position:relative}.alert .alert-link{color:#0088ce}.alert .alert-link:hover{color:#00659c}.alert>.btn.pull-right{margin-top:-3px}.alert>.pficon{font-size:22px;position:absolute;left:13px;top:10px}.alert .close{opacity:.85;filter:alpha(opacity=85)}.alert .close:focus,.alert .close:hover{opacity:1;filter:alpha(opacity=100)}.alert .pficon-info{color:#4d5258}.alert-dismissable{padding-right:28px}.alert-dismissable .close{right:-13px;top:1px}.badge{margin-left:6px}.nav-pills>li>a>.badge{margin-left:6px}.bootstrap-select.btn-group.form-control{margin-bottom:0}.bootstrap-select.btn-group .btn{-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.bootstrap-select.btn-group 
.btn:hover{border-color:#7dc3e8}.bootstrap-select.btn-group .btn .caret{margin-top:-4px}.bootstrap-select.btn-group .btn:focus{border-color:#0088ce;outline:0!important;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6);box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 8px rgba(0,136,206,.6)}.has-error .bootstrap-select.btn-group .btn{border-color:#c00}.has-error .bootstrap-select.btn-group .btn:focus{border-color:#900;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #f33}.has-success .bootstrap-select.btn-group .btn{border-color:#3c763d}.has-success .bootstrap-select.btn-group .btn:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #67b168}.has-warning .bootstrap-select.btn-group .btn{border-color:#ec7a08}.has-warning .bootstrap-select.btn-group .btn:focus{border-color:#bb6106;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60;box-shadow:inset 0 1px 1px rgba(3,3,3,.075),0 0 6px #faad60}.bootstrap-select.btn-group .dropdown-menu>.active>a,.bootstrap-select.btn-group .dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.bootstrap-select.btn-group .dropdown-menu>.active>a small,.bootstrap-select.btn-group .dropdown-menu>.active>a:active small{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.disabled>a{color:#9c9c9c!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.bootstrap-select.btn-group .dropdown-menu>.selected>a small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu .divider{background:#ededed!important;margin:4px 1px!important}.bootstrap-select.btn-group .dropdown-menu dt{color:#8b8d8f;font-weight:400;padding:1px 
10px}.bootstrap-select.btn-group .dropdown-menu li>a.opt{padding:1px 10px}.bootstrap-select.btn-group .dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.bootstrap-select.btn-group .dropdown-menu li a:focus small,.bootstrap-select.btn-group .dropdown-menu li a:hover small{color:#9c9c9c}.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:focus small,.bootstrap-select.btn-group .dropdown-menu li:not(.disabled) a:hover small{color:#9c9c9c}.combobox-container.combobox-selected .glyphicon-remove{display:inline-block}.combobox-container .caret{margin-left:0}.combobox-container .combobox::-ms-clear{display:none}.combobox-container .dropdown-menu{margin-top:-1px;width:100%}.combobox-container .glyphicon-remove{display:none;top:auto;width:12px}.combobox-container .glyphicon-remove:before{content:"\e60b";font-family:PatternFlyIcons-webfont}.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;position:relative}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.combobox-container .input-group-addon:focus,.combobox-container .input-group-addon:hover,.open .dropdown-toggle.combobox-container .input-group-addon{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.combobox-container .input-group-addon.active,.combobox-container .input-group-addon:active,.open .dropdown-toggle.combobox-container .input-group-addon{background-image:none}.combobox-container .input-group-addon.active.focus,.combobox-container .input-group-addon.active:focus,.combobox-container 
.input-group-addon.active:hover,.combobox-container .input-group-addon:active.focus,.combobox-container .input-group-addon:active:focus,.combobox-container .input-group-addon:active:hover,.open .dropdown-toggle.combobox-container .input-group-addon.focus,.open .dropdown-toggle.combobox-container .input-group-addon:focus,.open .dropdown-toggle.combobox-container .input-group-addon:hover{background-color:#e5e5e5;border-color:#a9a9a9}.combobox-container .input-group-addon.disabled,.combobox-container .input-group-addon.disabled.active,.combobox-container .input-group-addon.disabled:active,.combobox-container .input-group-addon.disabled:focus,.combobox-container .input-group-addon.disabled:hover,.combobox-container .input-group-addon[disabled],.combobox-container .input-group-addon[disabled].active,.combobox-container .input-group-addon[disabled]:active,.combobox-container .input-group-addon[disabled]:focus,.combobox-container .input-group-addon[disabled]:hover,fieldset[disabled] .combobox-container .input-group-addon,fieldset[disabled] .combobox-container .input-group-addon.active,fieldset[disabled] .combobox-container .input-group-addon:active,fieldset[disabled] .combobox-container .input-group-addon:focus,fieldset[disabled] .combobox-container .input-group-addon:hover{background-color:#f1f1f1;border-color:#bbb}.combobox-container .input-group-addon:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.treeview .list-group{border-top:0}.treeview .list-group-item{background:0 0;border-bottom:1px solid transparent!important;border-top:1px solid transparent!important;margin-bottom:0;padding:0 10px}.treeview .list-group-item:hover{background:#def3ff!important;border-color:#bee1f4!important}.treeview .list-group-item.node-selected{background:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.treeview span.icon{display:inline-block;font-size:13px;min-width:10px;text-align:center}.treeview 
span.icon>[class*=fa-angle]{font-size:15px}.treeview span.indent{margin-right:5px}.breadcrumb{padding-left:0}.breadcrumb>.active strong{font-weight:600}.breadcrumb>li{display:inline}.breadcrumb>li+li:before{color:#9c9c9c;content:"\f101";font-family:FontAwesome;font-size:11px;padding:0 9px 0 7px}.btn{-webkit-box-shadow:0 2px 3px rgba(3,3,3,.1);box-shadow:0 2px 3px rgba(3,3,3,.1)}.btn:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{background-color:#fafafa!important;background-image:none!important;border-color:#d1d1d1!important;color:#8b8d8f!important;opacity:1}.btn.disabled:active,.btn[disabled]:active,fieldset[disabled] .btn:active{-webkit-box-shadow:none;box-shadow:none}.btn.disabled.btn-link,.btn[disabled].btn-link,fieldset[disabled] .btn.btn-link{background-color:transparent!important;border:0}.btn-danger{background-color:#a30000;background-image:-webkit-linear-gradient(top,#c00 0,#a30000 100%);background-image:-o-linear-gradient(top,#c00 0,#a30000 100%);background-image:linear-gradient(to bottom,#c00 0,#a30000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffcc0000', endColorstr='#ffa30000', GradientType=0);border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.btn-danger:focus,.btn-danger:hover,.open .dropdown-toggle.btn-danger{background-color:#a30000;background-image:none;border-color:#8b0000;color:#fff}.btn-danger.active,.btn-danger:active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.active.focus,.btn-danger.active:focus,.btn-danger.active:hover,.btn-danger:active.focus,.btn-danger:active:focus,.btn-danger:active:hover,.open .dropdown-toggle.btn-danger.focus,.open .dropdown-toggle.btn-danger:focus,.open 
.dropdown-toggle.btn-danger:hover{background-color:#8a0000;border-color:#670000}.btn-danger.disabled,.btn-danger.disabled.active,.btn-danger.disabled:active,.btn-danger.disabled:focus,.btn-danger.disabled:hover,.btn-danger[disabled],.btn-danger[disabled].active,.btn-danger[disabled]:active,.btn-danger[disabled]:focus,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger.active,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:hover{background-color:#a30000;border-color:#8b0000}.btn-default{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.btn-default:focus,.btn-default:hover,.open .dropdown-toggle.btn-default{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.btn-default.active,.btn-default:active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.active.focus,.btn-default.active:focus,.btn-default.active:hover,.btn-default:active.focus,.btn-default:active:focus,.btn-default:active:hover,.open .dropdown-toggle.btn-default.focus,.open .dropdown-toggle.btn-default:focus,.open .dropdown-toggle.btn-default:hover{background-color:#e5e5e5;border-color:#a9a9a9}.btn-default.disabled,.btn-default.disabled.active,.btn-default.disabled:active,.btn-default.disabled:focus,.btn-default.disabled:hover,.btn-default[disabled],.btn-default[disabled].active,.btn-default[disabled]:active,.btn-default[disabled]:focus,.btn-default[disabled]:hover,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default.active,fieldset[disabled] 
.btn-default:active,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:hover{background-color:#f1f1f1;border-color:#bbb}.btn-link,.btn-link:active{-webkit-box-shadow:none;box-shadow:none}.btn-primary{background-color:#0088ce;background-image:-webkit-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:-o-linear-gradient(top,#39a5dc 0,#0088ce 100%);background-image:linear-gradient(to bottom,#39a5dc 0,#0088ce 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff39a5dc', endColorstr='#ff0088ce', GradientType=0);border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.btn-primary:focus,.btn-primary:hover,.open .dropdown-toggle.btn-primary{background-color:#0088ce;background-image:none;border-color:#00659c;color:#fff}.btn-primary.active,.btn-primary:active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.active.focus,.btn-primary.active:focus,.btn-primary.active:hover,.btn-primary:active.focus,.btn-primary:active:focus,.btn-primary:active:hover,.open .dropdown-toggle.btn-primary.focus,.open .dropdown-toggle.btn-primary:focus,.open .dropdown-toggle.btn-primary:hover{background-color:#0077b5;border-color:#004e78}.btn-primary.disabled,.btn-primary.disabled.active,.btn-primary.disabled:active,.btn-primary.disabled:focus,.btn-primary.disabled:hover,.btn-primary[disabled],.btn-primary[disabled].active,.btn-primary[disabled]:active,.btn-primary[disabled]:focus,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary.active,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:hover{background-color:#0088ce;border-color:#00659c}.btn-group-xs 
.btn,.btn-group-xs>.btn,.btn-xs{font-weight:400}.close{text-shadow:none;opacity:.6;filter:alpha(opacity=60)}.close:focus,.close:hover{opacity:.9;filter:alpha(opacity=90)}.ColVis_Button:active:focus{outline:0}.ColVis_catcher{position:absolute;z-index:999}.ColVis_collection{background-color:#fff;border:1px solid #bbb;border-radius:1px;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px rgba(3,3,3,.175);background-clip:padding-box;list-style:none;margin:-1px 0 0 0;padding:5px 10px;width:150px;z-index:1000}.ColVis_collection label{font-weight:400;margin-bottom:5px;margin-top:5px;padding-left:20px}.ColVis_collectionBackground{background-color:#fff;height:100%;left:0;position:fixed;top:0;width:100%;z-index:998}.dataTables_header{background-color:#f5f5f5;border:1px solid #d1d1d1;border-bottom:none;padding:5px;position:relative;text-align:center}.dataTables_header .btn{-webkit-box-shadow:none;box-shadow:none}.dataTables_header .ColVis{position:absolute;right:5px;text-align:left;top:5px}.dataTables_header .ColVis+.dataTables_info{padding-right:30px}.dataTables_header .dataTables_filter{position:absolute}.dataTables_header .dataTables_filter input{border:1px solid #bbb;height:24px}@media (max-width:767px){.dataTables_header .dataTables_filter input{width:100px}}.dataTables_header .dataTables_info{padding:2px 0}@media (max-width:480px){.dataTables_header .dataTables_info{text-align:right}}.dataTables_header .dataTables_info b{font-weight:700}.dataTables_footer{background-color:#fff;border:1px solid #d1d1d1;border-top:none;overflow:hidden}.dataTables_paginate{background:#fafafa;float:right;margin:0}.dataTables_paginate .pagination{float:left;margin:0}.dataTables_paginate .pagination>li>span{border-color:#fff #d1d1d1 #f5f5f5;border-width:0 1px;font-size:16px;font-weight:400;padding:0;text-align:center;width:31px}.dataTables_paginate .pagination>li>span:focus,.dataTables_paginate 
.pagination>li>span:hover{filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination>li.last>span{border-right:none}.dataTables_paginate .pagination>li.disabled>span{background:#f5f5f5;border-left-color:#ededed;border-right-color:#ededed;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dataTables_paginate .pagination-input{float:left;font-size:12px;line-height:1em;padding:4px 15px 0;text-align:right}.dataTables_paginate .pagination-input .paginate_input{border:1px solid #d1d1d1;-webkit-box-shadow:inset 0 1px 1px rgba(3,3,3,.075);box-shadow:inset 0 1px 1px rgba(3,3,3,.075);font-size:12px;font-weight:600;height:19px;margin-right:8px;padding-right:3px;text-align:right;width:30px}.dataTables_paginate .pagination-input .paginate_of{position:relative}.dataTables_paginate .pagination-input .paginate_of b{margin-left:3px}.dataTables_wrapper{margin:20px 0}@media (max-width:767px){.dataTables_wrapper .table-responsive{margin-bottom:0}}.DTCR_clonedTable{background-color:rgba(255,255,255,.7);z-index:202}.DTCR_pointer{background-color:#0088ce;width:1px;z-index:201}table.datatable{margin-bottom:0;max-width:none!important}table.datatable thead .sorting,table.datatable thead .sorting_asc,table.datatable thead .sorting_asc_disabled,table.datatable thead .sorting_desc,table.datatable thead .sorting_desc_disabled{cursor:pointer}table.datatable thead .sorting_asc,table.datatable thead .sorting_desc{color:#0088ce!important;position:relative}table.datatable thead .sorting_asc:after,table.datatable thead .sorting_desc:after{content:"\f107";font-family:FontAwesome;font-size:10px;font-weight:400;height:9px;left:7px;line-height:12px;position:relative;top:2px;vertical-align:baseline;width:12px}table.datatable thead .sorting_asc:before,table.datatable thead .sorting_desc:before{background:#0088ce;content:'';height:2px;position:absolute;left:0;top:0;width:100%}table.datatable thead 
.sorting_asc:after{content:"\f106";top:-3px}table.datatable th:active{outline:0}.caret{font-family:FontAwesome;font-weight:400;height:9px;position:relative;vertical-align:baseline;width:12px}.caret:before{bottom:0;content:"\f107";left:0;line-height:12px;position:absolute;text-align:center;top:-1px;right:0}.dropup .caret:before{content:"\f106"}.dropdown-menu .divider{background-color:#ededed;height:1px;margin:4px 1px;overflow:hidden}.dropdown-menu>li>a{border-color:transparent;border-style:solid;border-width:1px 0;padding:1px 10px}.dropdown-menu>li>a:focus,.dropdown-menu>li>a:hover{border-color:#bee1f4;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>li>a:active{background-color:#0088ce;border-color:#0088ce;color:#fff!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.active>a,.dropdown-menu>.active>a:focus,.dropdown-menu>.active>a:hover{background-color:#0088ce!important;border-color:#0088ce!important;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-menu>.disabled>a:focus,.dropdown-menu>.disabled>a:hover{border-color:transparent}.dropdown-header{padding-left:10px;padding-right:10px;text-transform:uppercase}.btn-group>.dropdown-menu,.dropdown>.dropdown-menu,.input-group-btn>.dropdown-menu{margin-top:-1px}.dropup 
.dropdown-menu{margin-bottom:-1px}.dropdown-submenu{position:relative}.dropdown-submenu:hover>a{background-color:#def3ff;border-color:#bee1f4}.dropdown-submenu:hover>.dropdown-menu{display:block}.dropdown-submenu.pull-left{float:none!important}.dropdown-submenu.pull-left>.dropdown-menu{left:auto;margin-left:10px;right:100%}.dropdown-submenu>a{padding-right:20px!important}.dropdown-submenu>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:2px}.dropdown-submenu>.dropdown-menu{left:100%;margin-top:0;top:-6px}.dropup .dropdown-submenu>.dropdown-menu{bottom:-5px;top:auto}.open .dropdown-submenu.active>.dropdown-menu{display:block}.dropdown-kebab-pf .btn-link{color:#252525;font-size:16px;line-height:1;padding:4px 0}.dropdown-kebab-pf .btn-link:active,.dropdown-kebab-pf .btn-link:focus,.dropdown-kebab-pf .btn-link:hover{color:#0088ce}.dropdown-kebab-pf .dropdown-menu{left:-15px;margin-top:11px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right{left:auto;right:-15px}.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:after,.dropdown-kebab-pf .dropdown-menu.dropdown-menu-right:before{left:auto;right:6px}.dropdown-kebab-pf .dropdown-menu:after,.dropdown-kebab-pf .dropdown-menu:before{border-bottom-color:#bbb;border-bottom-style:solid;border-bottom-width:10px;border-left:10px solid transparent;border-right:10px solid transparent;content:"";display:inline-block;left:6px;position:absolute;top:-11px}.dropdown-kebab-pf .dropdown-menu:after{border-bottom-color:#fff;top:-10px}.dropdown-kebab-pf.dropup .dropdown-menu{margin-bottom:11px;margin-top:0}.dropdown-kebab-pf.dropup .dropdown-menu:after,.dropdown-kebab-pf.dropup .dropdown-menu:before{border-bottom:none;border-top-color:#bbb;border-top-style:solid;border-top-width:10px;bottom:-11px;top:auto}.dropdown-kebab-pf.dropup .dropdown-menu:after{border-top-color:#fff;bottom:-10px}@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;src:local('Open 
Sans'),local('OpenSans'),url(../fonts/open-sans/OpenSans-Regular.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:300;src:local('OpenSans-Light'),local('Open Sans Light'),url(../fonts/open-sans/OpenSans-Light.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:600;src:local('Open Sans Semibold'),local('OpenSans-Semibold'),url(../fonts/open-sans/OpenSans-Semibold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:700;src:local('Open Sans Bold'),local('OpenSans-Bold'),url(../fonts/open-sans/OpenSans-Bold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:normal;font-weight:800;src:local('Open Sans Extrabold'),local('OpenSans-Extrabold'),url(../fonts/open-sans/OpenSans-ExtraBold.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:300;src:local('Open Sans Light Italic'),local('OpenSansLight-Italic'),url(../fonts/open-sans/OpenSans-LightItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:400;src:local('Open Sans Italic'),local('OpenSans-Italic'),url(../fonts/open-sans/OpenSans-Italic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:600;src:local('Open Sans Semibold Italic'),local('OpenSans-SemiboldItalic'),url(../fonts/open-sans/OpenSans-SemiboldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:700;src:local('Open Sans Bold Italic'),local('OpenSans-BoldItalic'),url(../fonts/open-sans/OpenSans-BoldItalic.ttf) format('truetype')}@font-face{font-family:'Open Sans';font-style:italic;font-weight:800;src:local('Open Sans Extrabold Italic'),local('OpenSans-ExtraboldItalic'),url(../fonts/open-sans/OpenSans-ExtraBoldItalic.ttf) format('truetype')}.chars-remaining-pf 
span{font-weight:600;padding-right:5px}.chars-warn-remaining-pf{color:#c00}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f}.form-control[disabled]:hover,.form-control[readonly]:hover,fieldset[disabled] .form-control:hover{border-color:#bbb}.form-control:hover{border-color:#7dc3e8}.has-error .form-control:hover{border-color:#900}.has-success .form-control:hover{border-color:#2b542c}.has-warning .form-control:hover{border-color:#bb6106}.has-error .checkbox,.has-error .checkbox-inline,.has-error .control-label,.has-error .radio,.has-error .radio-inline,.has-error.checkbox label,.has-error.checkbox-inline label,.has-error.radio label,.has-error.radio-inline label,.has-success .checkbox,.has-success .checkbox-inline,.has-success .control-label,.has-success .radio,.has-success .radio-inline,.has-success.checkbox label,.has-success.checkbox-inline label,.has-success.radio label,.has-success.radio-inline label,.has-warning .checkbox,.has-warning .checkbox-inline,.has-warning .control-label,.has-warning .radio,.has-warning .radio-inline,.has-warning.checkbox label,.has-warning.checkbox-inline label,.has-warning.radio label,.has-warning.radio-inline label{color:#363636}.help-block{margin-bottom:0}.input-group .input-group-btn .btn{-webkit-box-shadow:none;box-shadow:none}label{font-weight:600}.navbar-nav>li>.dropdown-menu.infotip{border-top-width:1px!important;margin-top:10px}@media (max-width:767px){.navbar-pf .navbar-nav .open .dropdown-menu.infotip{background-color:#fff!important;margin-top:0}}.infotip{min-width:235px;padding:0}.infotip .list-group{border-top:0;margin:0;padding:8px 0}.infotip .list-group .list-group-item{border:none;margin:0 15px 0 34px;padding:5px 0}.infotip .list-group .list-group-item>.i{color:#4d5258;font-size:13px;left:-20px;position:absolute;top:8px}.infotip .list-group .list-group-item>a{color:#4d5258;line-height:13px}.infotip .list-group 
.list-group-item>.close{float:right}.infotip .footer{background-color:#f5f5f5;padding:6px 15px}.infotip .footer a:hover{color:#0088ce}.infotip .arrow,.infotip .arrow:after{border-color:transparent;border-style:solid;display:block;height:0;position:absolute;width:0}.infotip .arrow{border-width:11px}.infotip .arrow:after{border-width:10px;content:""}.infotip.bottom .arrow,.infotip.bottom-left .arrow,.infotip.bottom-right .arrow{border-bottom-color:#999;border-bottom-color:#bbb;border-top-width:0;left:50%;margin-left:-11px;top:-11px}.infotip.bottom .arrow:after,.infotip.bottom-left .arrow:after,.infotip.bottom-right .arrow:after{border-top-width:0;border-bottom-color:#fff;content:" ";margin-left:-10px;top:1px}.infotip.bottom-left .arrow{left:20%}.infotip.bottom-right .arrow{left:80%}.infotip.top .arrow{border-bottom-width:0;border-top-color:#999;border-top-color:#bbb;bottom:-11px;left:50%;margin-left:-11px}.infotip.top .arrow:after{border-bottom-width:0;border-top-color:#f5f5f5;bottom:1px;content:" ";margin-left:-10px}.infotip.right .arrow{border-left-width:0;border-right-color:#999;border-right-color:#bbb;left:-11px;margin-top:-11px;top:50%}.infotip.right .arrow:after{bottom:-10px;border-left-width:0;border-right-color:#fff;content:" ";left:1px}.infotip.left .arrow{border-left-color:#999;border-left-color:#bbb;border-right-width:0;margin-top:-11px;right:-11px;top:50%}.infotip.left .arrow:after{border-left-color:#fff;border-right-width:0;bottom:-10px;content:" ";right:1px}.label{border-radius:0;font-size:100%;font-weight:600}h1 .label,h2 .label,h3 .label,h4 .label,h5 .label,h6 .label{font-size:75%}.list-group{border-top:1px solid #ededed}.list-group .list-group-item:first-child{border-top:0}.list-group-item{border-top:0;border-left:0;border-right:0;margin-bottom:0}.list-group-item-heading{font-weight:600}.list-group-item.active,.list-group-item.active:focus,.list-group-item.active:hover{border-top:solid 1px 
#39a5dc;margin-top:-1px;z-index:auto}.list-group-item.active:first-child{border-top:1px solid #39a5dc!important;margin-top:-1px}.login-pf{height:100%}.login-pf #brand{position:relative;top:-70px}.login-pf #brand img{display:block;height:18px;margin:0 auto;max-width:100%}@media (min-width:768px){.login-pf #brand img{margin:0;text-align:left}}.login-pf #badge{display:block;margin:20px auto 70px;position:relative;text-align:center}@media (min-width:768px){.login-pf #badge{float:right;margin-right:64px;margin-top:50px}}.login-pf body{background:#1a1a1a url(../img/bg-login.jpg) repeat-x 50% 0;background-size:auto}@media (min-width:768px){.login-pf body{background-size:100% auto}}.login-pf .container{background-color:transparent;clear:right;color:#fff;padding-bottom:40px;padding-top:20px;width:auto}@media (min-width:768px){.login-pf .container{bottom:13%;padding-left:80px;position:absolute;width:100%}}.login-pf .container [class^=alert]{background:0 0;color:#fff}.login-pf .container .details p:first-child{border-top:1px solid rgba(255,255,255,.3);padding-top:25px;margin-top:25px}@media (min-width:768px){.login-pf .container .details{border-left:1px solid rgba(255,255,255,.3);padding-left:40px}.login-pf .container .details p:first-child{border-top:0;padding-top:0;margin-top:0}}.login-pf .container .details p{margin-bottom:2px}.login-pf .container .form-horizontal .control-label{font-size:13px;font-weight:400;text-align:left}.login-pf .container .form-horizontal .form-group:last-child,.login-pf .container .form-horizontal .form-group:last-child .help-block:last-child{margin-bottom:0}.login-pf .container .help-block{color:#fff}@media (min-width:768px){.login-pf .container .login{padding-right:40px}}.login-pf .container .submit{text-align:right}.modal-header{background-color:#f5f5f5;border-bottom:none;padding:10px 18px}.modal-header .close{margin-top:2px}.modal-title{font-size:13px;font-weight:700}.modal-footer{border-top:none;margin-top:15px;padding:14px 15px 
15px}.modal-footer>.btn{padding-left:10px;padding-right:10px}.modal-footer>.btn>.fa-angle-left{margin-right:5px}.modal-footer>.btn>.fa-angle-right{margin-left:5px}.navbar-pf{background:#393F45;border:0;border-radius:0;border-top:3px solid #c00;margin-bottom:0;min-height:0}.navbar-pf .navbar-brand{color:#fff;height:auto;padding:12px 0;margin:0 0 0 20px}.navbar-pf .navbar-brand img{display:block}.navbar-pf .navbar-collapse{border-top:0;-webkit-box-shadow:none;box-shadow:none;padding:0}.navbar-pf .navbar-header{border-bottom:1px solid #53565b;float:none}.navbar-pf .navbar-nav{margin:0}.navbar-pf .navbar-nav>.active>a,.navbar-pf .navbar-nav>.active>a:focus,.navbar-pf .navbar-nav>.active>a:hover{background-color:#454C53;color:#fff}.navbar-pf .navbar-nav>li>a{color:#dbdada;line-height:1;padding:10px 20px;text-shadow:none}.navbar-pf .navbar-nav>li>a:focus,.navbar-pf .navbar-nav>li>a:hover{color:#fff}.navbar-pf .navbar-nav>.open>a,.navbar-pf .navbar-nav>.open>a:focus,.navbar-pf .navbar-nav>.open>a:hover{background-color:#454C53;color:#fff}@media (max-width:767px){.navbar-pf .navbar-nav .active .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent,.navbar-pf .navbar-nav .open .dropdown-menu{background-color:#3c434a!important;margin-left:0;padding-bottom:0;padding-top:0}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .active .dropdown-menu>.active>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .active 
.navbar-persistent>.active>a,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:focus,.navbar-pf .navbar-nav .active .navbar-persistent>.active>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:focus,.navbar-pf .navbar-nav .open .dropdown-menu>.active>a:hover{background-color:#424950!important;color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent>li>a,.navbar-pf .navbar-nav .open .dropdown-menu>li>a{background-color:transparent;border:0;color:#dbdada;outline:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu>li>a:hover,.navbar-pf .navbar-nav .active .navbar-persistent>li>a:hover,.navbar-pf .navbar-nav .open .dropdown-menu>li>a:hover{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .divider,.navbar-pf .navbar-nav .active .navbar-persistent .divider,.navbar-pf .navbar-nav .open .dropdown-menu .divider{background-color:#53565b;margin:0 1px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-header{padding-bottom:0;padding-left:30px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-toggle,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.open .dropdown-toggle{color:#fff}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.pull-left,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu.pull-left{float:none!important}.navbar-pf .navbar-nav .active 
.dropdown-menu .dropdown-submenu>a:after,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu>a:after{display:none}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-header,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-header{padding-left:45px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu{border:0;bottom:auto;-webkit-box-shadow:none;box-shadow:none;display:block;float:none;margin:0;min-width:0;padding:0;position:relative;left:auto;right:auto;top:auto}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu>li>a{padding:5px 15px 5px 45px;line-height:20px}.navbar-pf .navbar-nav .active .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu .dropdown-menu>li>a,.navbar-pf .navbar-nav .open .dropdown-menu .dropdown-submenu .dropdown-menu .dropdown-menu>li>a{padding-left:60px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu.open .dropdown-menu{display:block}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu>a:after{display:inline-block!important;position:relative;right:auto;top:1px}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-menu{display:none}.navbar-pf .navbar-nav .active .navbar-persistent .dropdown-submenu .dropdown-submenu>a:after{display:none!important}.navbar-pf .navbar-nav .context-bootstrap-select 
.open>.dropdown-menu{background-color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active{background-color:#def3ff!important;border-color:#bee1f4!important;color:#363636!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.active>a:active small{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.disabled>a{color:#9c9c9c!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active{background-color:#0088ce!important;border-color:#0088ce!important;color:#fff!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu>.selected>a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li>a.opt{border-bottom:1px solid transparent;border-top:1px solid transparent;color:#363636;padding-left:10px;padding-right:10px}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:active small{color:rgba(255,255,255,.5)!important}.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:focus small,.navbar-pf .navbar-nav .context-bootstrap-select .open>.dropdown-menu li a:hover small{color:#9c9c9c}.navbar-pf .navbar-nav .context-bootstrap-select>.open>.dropdown-menu{padding-bottom:5px;padding-top:5px}}.navbar-pf .navbar-persistent{display:none}.navbar-pf .active>.navbar-persistent{display:block}.navbar-pf .navbar-primary{float:none}.navbar-pf .navbar-primary .context{border-bottom:1px solid #53565b}.navbar-pf .navbar-primary .context.context-bootstrap-select 
.bootstrap-select.btn-group,.navbar-pf .navbar-primary .context.context-bootstrap-select .bootstrap-select.btn-group[class*=span]{margin:8px 20px 9px;width:auto}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a{position:relative}.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{content:"\f107";display:inline-block;font-family:FontAwesome;font-weight:400}@media (max-width:767px){.navbar-pf .navbar-primary>li>.navbar-persistent>.dropdown-submenu>a:after{height:10px;margin-left:4px;vertical-align:baseline}}.navbar-pf .navbar-toggle{border:0;margin:0;padding:10px 20px}.navbar-pf .navbar-toggle:focus,.navbar-pf .navbar-toggle:hover{background-color:transparent;outline:0}.navbar-pf .navbar-toggle:focus .icon-bar,.navbar-pf .navbar-toggle:hover .icon-bar{-webkit-box-shadow:0 0 3px #fff;box-shadow:0 0 3px #fff}.navbar-pf .navbar-toggle .icon-bar{background-color:#fff}.navbar-pf .navbar-utility{border-bottom:1px solid #53565b}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:36px;position:relative}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:20px;position:absolute;top:10px}@media (max-width:767px){.navbar-pf .navbar-utility>li+li{border-top:1px solid #53565b}}@media (min-width:768px){.navbar-pf .navbar-brand{padding:7px 0 8px}.navbar-pf .navbar-nav>li>a{padding-bottom:14px;padding-top:14px}.navbar-pf .navbar-persistent{font-size:14px}.navbar-pf .navbar-primary{font-size:14px;background-image:-webkit-linear-gradient(top,#474c50 0,#383f43 100%);background-image:-o-linear-gradient(top,#474c50 0,#383f43 100%);background-image:linear-gradient(to bottom,#474c50 0,#383f43 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff474c50', endColorstr='#ff383f43', GradientType=0)}.navbar-pf .navbar-primary.persistent-secondary .context .dropdown-menu{top:auto}.navbar-pf .navbar-primary.persistent-secondary .dropup 
.dropdown-menu{bottom:-5px;top:auto}.navbar-pf .navbar-primary.persistent-secondary>li{position:static}.navbar-pf .navbar-primary.persistent-secondary>li.active{margin-bottom:32px}.navbar-pf .navbar-primary.persistent-secondary>li.active>.navbar-persistent{display:block;left:0;position:absolute}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent{background:#f6f6f6;border-bottom:1px solid #cecdcd;padding:0;width:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent a{text-decoration:none!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active:hover>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active>a:hover{color:#0088ce!important}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.active .active>a{color:#fff}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu:hover>.dropdown-menu{display:none}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-menu{display:block;left:20px;margin-top:1px;top:100%}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu.open>.dropdown-toggle:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle{padding-right:35px!important}.navbar-pf 
.navbar-primary.persistent-secondary>li>.navbar-persistent>li.dropdown-submenu>.dropdown-toggle:after{position:absolute;right:20px;top:10px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open:before,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:20px;position:absolute;right:20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li.open>a:after,.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li:hover>a:after{border-top-color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a{background-color:transparent;display:block;line-height:1;padding:9px 20px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle{padding-right:35px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a.dropdown-toggle:after{font-size:15px;position:absolute;right:20px;top:9px}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li>a:hover{color:#252525}.navbar-pf .navbar-primary.persistent-secondary>li>.navbar-persistent>li a{color:#4d5258}.navbar-pf .navbar-primary>li>a{border-bottom:1px solid transparent;border-top:1px solid transparent;position:relative;margin:-1px 0 0}.navbar-pf .navbar-primary>li>a:hover{background-color:#4b5053;border-top-color:#949699;color:#dbdada;background-image:-webkit-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:-o-linear-gradient(top,#5c6165 0,#4b5053 100%);background-image:linear-gradient(to bottom,#5c6165 0,#4b5053 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5c6165', endColorstr='#ff4b5053', GradientType=0)}.navbar-pf 
.navbar-primary>.active>a,.navbar-pf .navbar-primary>.active>a:focus,.navbar-pf .navbar-primary>.active>a:hover,.navbar-pf .navbar-primary>.open>a,.navbar-pf .navbar-primary>.open>a:focus,.navbar-pf .navbar-primary>.open>a:hover{background-color:#64686c;border-bottom-color:#64686c;border-top-color:#949699;-webkit-box-shadow:none;box-shadow:none;color:#fff;background-image:-webkit-linear-gradient(top,#72757a 0,#64686c 100%);background-image:-o-linear-gradient(top,#72757a 0,#64686c 100%);background-image:linear-gradient(to bottom,#72757a 0,#64686c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff72757a', endColorstr='#ff64686c', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select .filter-option{max-width:160px;text-overflow:ellipsis}.navbar-pf .navbar-primary li.context.dropdown{border-bottom:0}.navbar-pf .navbar-primary li.context.context-bootstrap-select,.navbar-pf .navbar-primary li.context>a{background-color:#505458;border-bottom-color:#65696d;border-right:1px solid #65696d;border-top-color:#64696d;font-weight:600;background-image:-webkit-linear-gradient(top,#585d61 0,#505458 100%);background-image:-o-linear-gradient(top,#585d61 0,#505458 100%);background-image:linear-gradient(to bottom,#585d61 0,#505458 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff585d61', endColorstr='#ff505458', GradientType=0)}.navbar-pf .navbar-primary li.context.context-bootstrap-select:hover,.navbar-pf .navbar-primary li.context>a:hover{background-color:#5a5e62;border-bottom-color:#6e7276;border-right-color:#6e7276;border-top-color:#6c7276;background-image:-webkit-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:-o-linear-gradient(top,#62676b 0,#5a5e62 100%);background-image:linear-gradient(to bottom,#62676b 0,#5a5e62 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff62676b', 
endColorstr='#ff5a5e62', GradientType=0)}.navbar-pf .navbar-primary li.context.open>a{background-color:#65696d;border-bottom-color:#6e7276;border-right-color:#777a7e;border-top-color:#767a7e;background-image:-webkit-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:-o-linear-gradient(top,#6b7175 0,#65696d 100%);background-image:linear-gradient(to bottom,#6b7175 0,#65696d 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6b7175', endColorstr='#ff65696d', GradientType=0)}.navbar-pf .navbar-utility{border-bottom:0;font-size:11px;position:absolute;right:0;top:0}.navbar-pf .navbar-utility>.active>a,.navbar-pf .navbar-utility>.active>a:focus,.navbar-pf .navbar-utility>.active>a:hover,.navbar-pf .navbar-utility>.open>a,.navbar-pf .navbar-utility>.open>a:focus,.navbar-pf .navbar-utility>.open>a:hover{background:#5b6165;color:#fff}.navbar-pf .navbar-utility>li>a{border-left:1px solid #53565b;color:#fff!important;padding:7px 10px}.navbar-pf .navbar-utility>li>a:hover{background:#4a5053;border-left-color:#636466}.navbar-pf .navbar-utility>li.open>a{border-left-color:#6c6e70;color:#fff!important}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle{padding-left:26px}.navbar-pf .navbar-utility li.dropdown>.dropdown-toggle .pficon-user{left:10px;top:7px}.navbar-pf .navbar-utility .open .dropdown-menu{left:auto;right:0}.navbar-pf .navbar-utility .open .dropdown-menu .dropdown-menu{left:auto;right:100%}.navbar-pf .navbar-utility .open .dropdown-menu{border-top-width:0}.navbar-pf .open .dropdown-submenu>.dropdown-menu,.navbar-pf .open.bootstrap-select .dropdown-menu{border-top-width:1px!important}}@media (max-width:360px){.navbar-pf .navbar-brand{margin-left:10px;width:75%}.navbar-pf .navbar-brand img{height:auto;max-width:100%}.navbar-pf .navbar-toggle{padding-left:0}}.drawer-pf{background-color:#fafafa;border:1px solid #d1d1d1;-webkit-box-shadow:0 6px 12px rgba(3,3,3,.175);box-shadow:0 6px 12px 
rgba(3,3,3,.175);overflow-y:auto;position:absolute;right:0;width:320px;z-index:2}.drawer-pf .panel{border-bottom:none;border-left:none;border-right:none}.drawer-pf .panel-group .panel-heading+.panel-collapse .panel-body{border-top:none;border-bottom:1px solid #d1d1d1;padding:0}.drawer-pf .panel-counter{display:block;font-style:italic;line-height:1.2;padding-left:18px;padding-top:5px}.drawer-pf .panel-heading{border-bottom:1px solid #d1d1d1}.drawer-pf .panel-group{bottom:0;margin-bottom:0;position:absolute;top:25px;width:100%}.drawer-pf .panel-title a{cursor:pointer;display:block}.drawer-pf.drawer-pf-expanded{left:270px;width:inherit}.drawer-pf.drawer-pf-expanded .drawer-pf-toggle-expand:before{content:"\f101"}.drawer-pf-toggle-expand{color:inherit;cursor:pointer;left:0;padding:2px 5px;position:absolute}.drawer-pf-toggle-expand:before{content:"\f100";font-family:FontAwesome}.drawer-pf-toggle-expand:focus,.drawer-pf-toggle-expand:hover{color:inherit;text-decoration:none}.drawer-pf-action .btn-link{color:#0088ce;padding:10px 0}.drawer-pf-action .btn-link:hover{color:#00659c}.drawer-pf-loading{color:#4d5258;font-size:14px;padding:20px 15px}.drawer-pf-notification{border-bottom:1px solid #d1d1d1;padding:15px}.drawer-pf-notification .date{border-right:1px solid #aaa;display:inline-block;line-height:1;margin-right:5px;padding-right:9px}.drawer-pf-notification .pficon{font-size:14px;margin-top:3px}.drawer-pf-notification:last-of-type{border-bottom:none}.drawer-pf-notification:hover{background-color:#def3ff}.drawer-pf-notification.unread .drawer-pf-notification-message{font-weight:700}.drawer-pf-notification.expanded-notification .date{border-right:none;padding-right:0}.drawer-pf-notification-info,.drawer-pf-notification-message{display:block;padding-left:27px;padding-right:19px}.expanded-notification .drawer-pf-notification-info,.expanded-notification .drawer-pf-notification-message{display:inline-block}.drawer-pf-notifications-non-clickable 
.drawer-pf-notification:hover{background-color:#fff}.drawer-pf-title{background-color:#fafafa;border-bottom:1px solid #d1d1d1;position:absolute;width:318px}.drawer-pf-title h3{font-size:12px;margin:0;padding:6px 15px}.navbar-pf-vertical .drawer-pf{height:calc(100vh - 80px);top:58px}.navbar-pf-vertical .nav .drawer-pf-trigger .drawer-pf-trigger-icon{border-left:1px solid #53565b;border-right:1px solid #53565b;padding-left:15px;padding-right:15px}.navbar-pf-vertical .nav .drawer-pf-trigger.open .drawer-pf-trigger-icon{background-color:#4a5053}.navbar-pf .drawer-pf{height:calc(100vh - 46px);top:26px}.navbar-pf .drawer-pf-trigger-icon{cursor:pointer}.pager li>a,.pager li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;font-weight:600;line-height:22px;padding:2px 14px}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>a:focus,.pager li>a:hover,.pager li>span.active,.pager li>span:active,.pager li>span:focus,.pager li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pager li>a,.open .dropdown-toggle.pager li>span,.pager li>a.active,.pager li>a:active,.pager li>span.active,.pager li>span:active{background-image:none}.open .dropdown-toggle.pager li>a.focus,.open .dropdown-toggle.pager li>a:focus,.open .dropdown-toggle.pager li>a:hover,.open .dropdown-toggle.pager li>span.focus,.open .dropdown-toggle.pager li>span:focus,.open .dropdown-toggle.pager li>span:hover,.pager li>a.active.focus,.pager li>a.active:focus,.pager li>a.active:hover,.pager li>a:active.focus,.pager li>a:active:focus,.pager 
li>a:active:hover,.pager li>span.active.focus,.pager li>span.active:focus,.pager li>span.active:hover,.pager li>span:active.focus,.pager li>span:active:focus,.pager li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pager li>a.disabled,.pager li>a.disabled.active,.pager li>a.disabled:active,.pager li>a.disabled:focus,.pager li>a.disabled:hover,.pager li>a[disabled],.pager li>a[disabled].active,.pager li>a[disabled]:active,.pager li>a[disabled]:focus,.pager li>a[disabled]:hover,.pager li>span.disabled,.pager li>span.disabled.active,.pager li>span.disabled:active,.pager li>span.disabled:focus,.pager li>span.disabled:hover,.pager li>span[disabled],.pager li>span[disabled].active,.pager li>span[disabled]:active,.pager li>span[disabled]:focus,.pager li>span[disabled]:hover,fieldset[disabled] .pager li>a,fieldset[disabled] .pager li>a.active,fieldset[disabled] .pager li>a:active,fieldset[disabled] .pager li>a:focus,fieldset[disabled] .pager li>a:hover,fieldset[disabled] .pager li>span,fieldset[disabled] .pager li>span.active,fieldset[disabled] .pager li>span:active,fieldset[disabled] .pager li>span:focus,fieldset[disabled] .pager li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pager li>a>.i,.pager li>span>.i{font-size:18px;vertical-align:top;margin:2px 0}.pager li>a:hover>a:focus{color:#4d5258}.pager li a:active{background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(3,3,3,.125);box-shadow:inset 0 3px 5px rgba(3,3,3,.125);outline:0}.pager .disabled>a,.pager .disabled>a:active,.pager .disabled>a:focus,.pager .disabled>a:hover,.pager .disabled>span{background:#f5f5f5;-webkit-box-shadow:none;box-shadow:none;color:#8b8d8f;cursor:default}.pager .next>a>.i,.pager .next>span>.i{margin-left:5px}.pager .previous>a>.i,.pager .previous>span>.i{margin-right:5px}.pager-sm li>a,.pager-sm li>span{font-weight:400;line-height:16px;padding:1px 10px}.pager-sm li>a>.i,.pager-sm 
li>span>.i{font-size:12px}.pagination>li>a,.pagination>li>span{background-color:#f1f1f1;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0);border-color:#bbb;color:#4d5258;cursor:default;font-weight:600;padding:2px 10px}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>a:focus,.pagination>li>a:hover,.pagination>li>span.active,.pagination>li>span:active,.pagination>li>span:focus,.pagination>li>span:hover{background-color:#f1f1f1;background-image:none;border-color:#bbb;color:#4d5258}.open .dropdown-toggle.pagination>li>a,.open .dropdown-toggle.pagination>li>span,.pagination>li>a.active,.pagination>li>a:active,.pagination>li>span.active,.pagination>li>span:active{background-image:none}.open .dropdown-toggle.pagination>li>a.focus,.open .dropdown-toggle.pagination>li>a:focus,.open .dropdown-toggle.pagination>li>a:hover,.open .dropdown-toggle.pagination>li>span.focus,.open .dropdown-toggle.pagination>li>span:focus,.open 
.dropdown-toggle.pagination>li>span:hover,.pagination>li>a.active.focus,.pagination>li>a.active:focus,.pagination>li>a.active:hover,.pagination>li>a:active.focus,.pagination>li>a:active:focus,.pagination>li>a:active:hover,.pagination>li>span.active.focus,.pagination>li>span.active:focus,.pagination>li>span.active:hover,.pagination>li>span:active.focus,.pagination>li>span:active:focus,.pagination>li>span:active:hover{background-color:#e5e5e5;border-color:#a9a9a9}.pagination>li>a.disabled,.pagination>li>a.disabled.active,.pagination>li>a.disabled:active,.pagination>li>a.disabled:focus,.pagination>li>a.disabled:hover,.pagination>li>a[disabled],.pagination>li>a[disabled].active,.pagination>li>a[disabled]:active,.pagination>li>a[disabled]:focus,.pagination>li>a[disabled]:hover,.pagination>li>span.disabled,.pagination>li>span.disabled.active,.pagination>li>span.disabled:active,.pagination>li>span.disabled:focus,.pagination>li>span.disabled:hover,.pagination>li>span[disabled],.pagination>li>span[disabled].active,.pagination>li>span[disabled]:active,.pagination>li>span[disabled]:focus,.pagination>li>span[disabled]:hover,fieldset[disabled] .pagination>li>a,fieldset[disabled] .pagination>li>a.active,fieldset[disabled] .pagination>li>a:active,fieldset[disabled] .pagination>li>a:focus,fieldset[disabled] .pagination>li>a:hover,fieldset[disabled] .pagination>li>span,fieldset[disabled] .pagination>li>span.active,fieldset[disabled] .pagination>li>span:active,fieldset[disabled] .pagination>li>span:focus,fieldset[disabled] .pagination>li>span:hover{background-color:#f1f1f1;border-color:#bbb}.pagination>li>a>.i,.pagination>li>span>.i{font-size:15px;vertical-align:top;margin:2px 0}.pagination>li>a:active,.pagination>li>span:active{-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px 
rgba(3,3,3,.2)}.pagination>.active>a,.pagination>.active>a:focus,.pagination>.active>a:hover,.pagination>.active>span,.pagination>.active>span:focus,.pagination>.active>span:hover{background-color:#f1f1f1;border-color:#bbb;-webkit-box-shadow:inset 0 2px 8px rgba(3,3,3,.2);box-shadow:inset 0 2px 8px rgba(3,3,3,.2);color:#4d5258;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination>.disabled>a,.pagination>.disabled>a:focus,.pagination>.disabled>a:hover,.pagination>.disabled>span,.pagination>.disabled>span:focus,.pagination>.disabled>span:hover{-webkit-box-shadow:none;box-shadow:none;cursor:default;background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.pagination-sm>li>a,.pagination-sm>li>span{padding:2px 6px;font-size:11px;line-height:1.5}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:1px;border-top-left-radius:1px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:1px;border-top-right-radius:1px}.pagination-sm>li>a,.pagination-sm>li>span{font-weight:400}.pagination-sm>li>a>.i,.pagination-sm>li>span>.i{font-size:12px;margin-top:2px}.panel-title{font-weight:700}.panel-group .panel{color:#4d5258}.panel-group .panel+.panel{margin-top:-1px}.panel-group .panel-default{border-color:#bbb;border-top-color:#bbb}.panel-group .panel-heading{background-image:-webkit-linear-gradient(top,#fafafa 0,#ededed 
100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #d1d1d1}.panel-group .panel-title{font-weight:500;line-height:1}.panel-group .panel-title>a{color:#4d5258;font-weight:600}.panel-group .panel-title>a:before{content:"\f107";display:inline-block;font-family:FontAwesome;font-size:13px;margin-right:5px;text-align:center;vertical-align:0;width:8px}.panel-group .panel-title>a:focus{outline:0;text-decoration:none}.panel-group .panel-title>a:hover{text-decoration:none}.panel-group .panel-title>a.collapsed:before{content:"\f105"}.popover{-webkit-box-shadow:0 2px 2px rgba(3,3,3,.08);box-shadow:0 2px 2px rgba(3,3,3,.08);padding:0}.popover-content{color:#4d5258;line-height:18px;padding:10px 14px}.popover-title{border-bottom:none;border-radius:0;color:#4d5258;font-size:13px;font-weight:700;min-height:34px}.popover-title .close{height:22px;position:absolute;right:8px;top:6px}.popover-title.closable{padding-right:30px}@-webkit-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}.progress{-webkit-box-shadow:inset 0 0 1px rgba(3,3,3,.25);box-shadow:inset 0 0 1px rgba(3,3,3,.25)}.progress.progress-label-left,.progress.progress-label-top-right{overflow:visible;position:relative}.progress.progress-label-left{margin-left:40px}.progress.progress-sm{height:14px;margin-bottom:14px}.progress.progress-xs{height:6px;margin-bottom:6px}td>.progress:first-child:last-child{margin-bottom:0;margin-top:3px}.progress-bar{box-shadow:none}.progress-label-left .progress-bar span,.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar 
span{color:#363636;position:absolute;text-align:right}.progress-label-left .progress-bar span{font-size:14px;left:-40px;top:0;width:35px}.progress-label-right .progress-bar span,.progress-label-top-right .progress-bar span{font-size:11px;overflow:hidden;right:0;text-overflow:ellipsis;white-space:nowrap}.progress-label-right .progress-bar span strong,.progress-label-top-right .progress-bar span strong{font-weight:600}.progress-label-right .progress-bar span{max-width:85px;top:0}.progress-label-top-right .progress-bar span{max-width:47%;top:-30px}.progress-label-left.progress-sm .progress-bar span,.progress-label-top-right.progress-sm .progress-bar span{font-size:12px}.progress-sm .progress-bar{line-height:14px}.progress-xs .progress-bar{line-height:6px}.progress-bar-remaining{background:0 0}.progress-container{position:relative}.progress-container.progress-description-left{padding-left:90px}.progress-container.progress-label-right{padding-right:90px}.progress-description{margin-bottom:10px;max-width:52%;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.progress-description .count{font-size:20px;font-weight:300;line-height:1;margin-right:5px}.progress-description .fa,.progress-description .pficon{font-size:14px;margin-right:3px}.progress-description-left .progress-description{left:0;margin-bottom:0;max-width:85px;position:absolute;top:0}.progress-description .tooltip{white-space:normal}.search-pf.has-button{border-collapse:separate;display:table}.search-pf.has-button .form-group{display:table-cell;width:100%}.search-pf.has-button .form-group .btn{-webkit-box-shadow:none;box-shadow:none;float:left;margin-left:-1px}.search-pf.has-button .form-group .btn.btn-lg{font-size:14.5px}.search-pf.has-button .form-group .btn.btn-sm{font-size:10.7px}.search-pf.has-button .form-group .form-control{float:left}.search-pf .has-clear .clear{background:0 
0;background:rgba(255,255,255,0);border:0;height:25px;line-height:1;padding:0;position:absolute;right:1px;top:1px;width:28px}.search-pf .has-clear .clear:focus{outline:0}.search-pf .has-clear .form-control{padding-right:30px}.search-pf .has-clear .form-control::-ms-clear{display:none}.search-pf .has-clear .input-lg+.clear{height:31px;width:28px}.search-pf .has-clear .input-sm+.clear{height:20px;width:28px}.search-pf .has-clear .input-sm+.clear span{font-size:10px}.search-pf .has-clear .search-pf-input-group{position:relative}.sidebar-header{border-bottom:1px solid #ececec;padding-bottom:11px;margin:50px 0 20px}.sidebar-header .actions{margin-top:-2px}.sidebar-pf .sidebar-header+.list-group{border-top:0;margin-top:-10px}.sidebar-pf .sidebar-header+.list-group .list-group-item{background:0 0;border-color:#ececec;padding-left:0}.sidebar-pf .sidebar-header+.list-group .list-group-item-heading{font-size:12px}.sidebar-pf .nav-category h2{color:#9c9c9c;font-size:12px;font-weight:400;line-height:21px;margin:0;padding:8px 0}.sidebar-pf .nav-category+.nav-category{margin-top:10px}.sidebar-pf .nav-pills>li.active>a{background:#0088ce!important;border-color:#0088ce!important;color:#fff}@media (min-width:768px){.sidebar-pf .nav-pills>li.active>a:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}.sidebar-pf .nav-pills>li.active>a .fa{color:#fff}.sidebar-pf .nav-pills>li>a{border-bottom:1px solid transparent;border-radius:0;border-top:1px solid transparent;color:#363636;font-size:13px;line-height:21px;padding:1px 20px}.sidebar-pf .nav-pills>li>a:hover{background:#def3ff;border-color:#bee1f4}.sidebar-pf .nav-pills>li>a .fa{color:#6a7079;font-size:15px;margin-right:10px;text-align:center;vertical-align:middle;width:15px}.sidebar-pf .nav-stacked{margin-left:-20px;margin-right:-20px}.sidebar-pf .nav-stacked li+li{margin-top:0}.sidebar-pf .panel{background:0 0}.sidebar-pf .panel-body{padding:6px 20px}.sidebar-pf .panel-body 
.nav-pills>li>a{padding-left:37px}.sidebar-pf .panel-heading{padding:9px 20px}.sidebar-pf .panel-title{font-size:12px}.sidebar-pf .panel-title>a:before{display:inline-block;margin-left:1px;margin-right:4px;width:9px}.sidebar-pf .panel-title>a.collapsed:before{margin-left:3px;margin-right:2px}@media (min-width:767px){.sidebar-header-bleed-left{margin-left:-20px}.sidebar-header-bleed-left>h2{margin-left:20px}.sidebar-header-bleed-right{margin-right:-20px}.sidebar-header-bleed-right .actions{margin-right:20px}.sidebar-header-bleed-right>h2{margin-right:20px}.sidebar-header-bleed-right+.list-group{margin-right:-20px}.sidebar-pf .panel-group .panel-default,.sidebar-pf .treeview{border-left:0;border-right:0;margin-left:-20px;margin-right:-20px}.sidebar-pf .treeview{margin-top:5px}.sidebar-pf .treeview .list-group-item{padding-left:20px;padding-right:20px}.sidebar-pf .treeview .list-group-item.node-selected:after{content:"\f105";font-family:FontAwesome;display:block;position:absolute;right:10px;top:1px}}@media (min-width:768px){.sidebar-pf{background:#fafafa}.sidebar-pf.sidebar-pf-left{border-right:1px solid #d1d1d1}.sidebar-pf.sidebar-pf-right{border-left:1px solid #d1d1d1}.sidebar-pf>.nav-category,.sidebar-pf>.nav-stacked{margin-top:5px}}@-webkit-keyframes rotation{from{-webkit-transform:rotate(0)}to{-webkit-transform:rotate(359deg)}}@keyframes rotation{from{transform:rotate(0)}to{transform:rotate(359deg)}}.spinner{-webkit-animation:rotation .6s infinite linear;animation:rotation .6s infinite linear;border-bottom:4px solid rgba(3,3,3,.25);border-left:4px solid rgba(3,3,3,.25);border-right:4px solid rgba(3,3,3,.25);border-radius:100%;border-top:4px solid rgba(3,3,3,.75);height:24px;margin:0 
auto;position:relative;width:24px}.spinner.spinner-inline{display:inline-block;margin-right:3px}.spinner.spinner-lg{border-width:5px;height:30px;width:30px}.spinner.spinner-sm{border-width:3px;height:18px;width:18px}.spinner.spinner-xs{border-width:2px;height:12px;width:12px}.spinner.spinner-inverse{border-bottom-color:rgba(255,255,255,.25);border-left-color:rgba(255,255,255,.25);border-right-color:rgba(255,255,255,.25);border-top-color:rgba(255,255,255,.75)}.ie9 .spinner{background:url(../img/spinner.gif) no-repeat;border:0}.ie9 .spinner.spinner-inverse{background-image:url(../img/spinner-inverse.gif)}.ie9 .spinner.spinner-inverse-lg{background-image:url(../img/spinner-inverse-lg.gif)}.ie9 .spinner.spinner-inverse-sm{background-image:url(../img/spinner-inverse-sm.gif)}.ie9 .spinner.spinner-inverse-xs{background-image:url(../img/spinner-inverse-xs.gif)}.ie9 .spinner.spinner-lg{background-image:url(../img/spinner-lg.gif)}.ie9 .spinner.spinner-sm{background-image:url(../img/spinner-sm.gif)}.ie9 .spinner.spinner-xs{background-image:url(../img/spinner-xs.gif)}.prettyprint .atn,.prettyprint .com,.prettyprint .fun,.prettyprint .var{color:#3f9c35}.prettyprint .atv,.prettyprint .str{color:#a30000}.prettyprint .clo,.prettyprint .dec,.prettyprint .kwd,.prettyprint .opn,.prettyprint .pln,.prettyprint .pun{color:#363636}.prettyprint .lit,.prettyprint .tag,.prettyprint .typ{color:#00659c}.prettyprint ol.linenums{margin-bottom:0}.table>tbody>tr>td,.table>tbody>tr>th,.table>tfoot>tr>td,.table>tfoot>tr>th,.table>thead>tr>td,.table>thead>tr>th{padding:2px 10px 3px}.table>tbody>tr>td>a:hover,.table>tbody>tr>th>a:hover,.table>tfoot>tr>td>a:hover,.table>tfoot>tr>th>a:hover,.table>thead>tr>td>a:hover,.table>thead>tr>th>a:hover{text-decoration:none}.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>th{font-family:'Open Sans';font-style:normal;font-weight:600}.table>thead{background-clip:padding-box;background-color:#f5f5f5;background-image:-webkit-linear-gradient(top,#fafafa 
0,#ededed 100%);background-image:-o-linear-gradient(top,#fafafa 0,#ededed 100%);background-image:linear-gradient(to bottom,#fafafa 0,#ededed 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffafafa', endColorstr='#ffededed', GradientType=0)}.table-bordered{border:1px solid #d1d1d1}.table-bordered>tbody>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border:1px solid #d1d1d1}.table-bordered>thead>tr>td,.table-bordered>thead>tr>th{border-bottom-width:1px}.table-striped>tbody>tr:nth-of-type(even){background-color:#f5f5f5}.table-striped>tbody>tr:nth-of-type(odd){background-color:transparent}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#def3ff;border-bottom-color:#7dc3e8}.table-treegrid span.indent{margin-left:10px;margin-right:10px}.table-treegrid span.icon{display:inline-block;font-size:13px;margin-right:5px;min-width:10px;text-align:center}.table-treegrid span.collapse-icon,.table-treegrid span.expand-icon{cursor:pointer}.table-treegrid>tbody>tr.odd{background-color:#f5f5f5}.nav-tabs{font-size:14px}.nav-tabs>li>a{color:#4d5258;margin-right:-1px;padding-bottom:5px;padding-top:5px}.nav-tabs>li>a:active,.nav-tabs>li>a:focus,.nav-tabs>li>a:hover{background:0 0;border-color:#ededed;color:#252525}.nav-tabs>li>.dropdown-menu{border-top:0;border-color:#ededed}.nav-tabs>li>.dropdown-menu.pull-right{right:-1px}.nav-tabs+.nav-tabs-pf{font-size:12px}.nav-tabs+.nav-tabs-pf>li:first-child>a{padding-left:15px}.nav-tabs+.nav-tabs-pf>li:first-child>a:before{left:15px!important}.nav-tabs .open>a,.nav-tabs .open>a:focus,.nav-tabs .open>a:hover{background-color:transparent;border-color:#ededed}@media (min-width:768px){.nav-tabs-pf.nav-justified{border-bottom:1px solid 
#ededed}}.nav-tabs-pf.nav-justified>li:first-child>a{padding-left:15px}.nav-tabs-pf.nav-justified>li>a{border-bottom:0}.nav-tabs-pf.nav-justified>li>a:before{left:0!important;right:0!important}.nav-tabs-pf>li{margin-bottom:0}.nav-tabs-pf>li.active>a:before{background:#0088ce;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li.active>a,.nav-tabs-pf>li.active>a:active,.nav-tabs-pf>li.active>a:focus,.nav-tabs-pf>li.active>a:hover{background-color:transparent;border:0!important;color:#0088ce}.nav-tabs-pf>li.active>a:active:before,.nav-tabs-pf>li.active>a:before,.nav-tabs-pf>li.active>a:focus:before,.nav-tabs-pf>li.active>a:hover:before{background:#0088ce}.nav-tabs-pf>li:first-child>a{padding-left:0}.nav-tabs-pf>li:first-child>a:before{left:0!important}.nav-tabs-pf>li>a{border:0;line-height:1;margin-right:0;padding-bottom:10px;padding-top:10px}.nav-tabs-pf>li>a:active:before,.nav-tabs-pf>li>a:focus:before,.nav-tabs-pf>li>a:hover:before{background:#bbb;bottom:-1px;content:'';display:block;height:2px;left:15px;position:absolute;right:15px}.nav-tabs-pf>li>.dropdown-menu{left:15px;margin-top:1px}.nav-tabs-pf>li>.dropdown-menu.pull-right{left:auto;right:15px}.nav-tabs-pf .open>a,.nav-tabs-pf .open>a:focus,.nav-tabs-pf .open>a:hover{background-color:transparent}.tooltip{font-size:12px;line-height:1.4}.tooltip-inner{padding:7px 12px;text-align:left}.h1,.h2,h1,h2{font-weight:300}.page-header .actions{margin-top:8px}.page-header .actions a>.pficon{margin-right:4px}@media (min-width:767px){.page-header-bleed-left{margin-left:-20px}.page-header-bleed-right{margin-right:-20px}.page-header-bleed-right .actions{margin-right:20px}} \ No newline at end of file -- -2.21.1 +2.28.0 + -From 751cb8d5cb432bcb9d5c7ada7c365a12ca6a95ee Mon Sep 17 00:00:00 2001 +From c69eb7c719c91d5e7f2be2d4d5e471d3111cf2e3 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 39/78] install/ui/index.html: Change branding to IPA and +Subject: [PATCH 39/93] install/ui/index.html: Change branding to IPA and Identity Management --- @@ -1082,7 +1120,7 @@ Subject: [PATCH 39/78] install/ui/index.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/index.html b/install/ui/index.html -index bc0f0cd1e..d1eacaf53 100644 +index bc0f0cd..d1eacaf 100644 --- a/install/ui/index.html +++ b/install/ui/index.html @@ -2,7 +2,7 @@ @@ -1095,12 +1133,13 @@ index bc0f0cd1e..d1eacaf53 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.21.1 +2.28.0 -From 8a4169a5d81b3c2376081d61a3beaf6601e318cf Mon Sep 17 00:00:00 2001 + +From a773fe485555a73d594116fc9f1acc7d28728a0c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 40/78] install/ui/less/brand.less: Change branding to IPA and +Subject: [PATCH 40/93] install/ui/less/brand.less: Change branding to IPA and Identity Management --- @@ -1108,7 +1147,7 @@ Subject: [PATCH 40/78] install/ui/less/brand.less: Change branding to IPA and 1 file changed, 50 insertions(+), 53 deletions(-) diff --git a/install/ui/less/brand.less b/install/ui/less/brand.less -index c9030bb0b..7488eaf91 100644 +index c9030bb..7488eaf 100644 --- a/install/ui/less/brand.less +++ b/install/ui/less/brand.less @@ -20,58 +20,55 @@ @@ -1222,12 +1261,13 @@ index c9030bb0b..7488eaf91 100644 } \ No newline at end of file -- -2.21.1 +2.28.0 + -From 2946405ea45ea7163c520c367f764808f112d7f2 Mon Sep 17 00:00:00 2001 +From b0f0bac0f7cb307de0dcb3b3b70319a67c0cf16a Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 41/78] install/ui/less/patternfly.less: Change branding to IPA +Subject: [PATCH 41/93] install/ui/less/patternfly.less: Change branding to IPA and Identity Management --- @@ -1235,7 +1275,7 @@ Subject: [PATCH 41/78] install/ui/less/patternfly.less: Change branding to IPA 1 file changed, 48 insertions(+) diff --git a/install/ui/less/patternfly.less b/install/ui/less/patternfly.less -index a2e30c85b..97a8d5c26 100644 +index a2e30c8..97a8d5c 100644 --- a/install/ui/less/patternfly.less +++ b/install/ui/less/patternfly.less @@ -129,3 +129,51 @@ @@ -1291,12 +1331,13 @@ index a2e30c85b..97a8d5c26 100644 +@navbar-pf-navbar-utility-open-bg-color: #5b6165; +@navbar-pf-navbar-utility-open-border-color: #6c6e70; -- -2.21.1 +2.28.0 -From beb52f0f27401d439755107be31e74210343e784 Mon Sep 17 00:00:00 2001 + +From 8373bb029e9f01647643174ec6cd35cf29a4140b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 42/78] install/ui/reset_password.html: Change branding to IPA +Subject: [PATCH 42/93] install/ui/reset_password.html: Change branding to IPA and Identity Management --- @@ -1304,7 +1345,7 @@ Subject: [PATCH 42/78] install/ui/reset_password.html: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/reset_password.html b/install/ui/reset_password.html -index e5700c964..a4ea1ce0e 100644 +index e5700c9..a4ea1ce 100644 --- a/install/ui/reset_password.html +++ b/install/ui/reset_password.html @@ -2,7 +2,7 @@ @@ -1317,12 +1358,13 @@ index e5700c964..a4ea1ce0e 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.21.1 +2.28.0 + -From 288607c7080be4f35a00b853f3de9fdd0752376d Mon Sep 17 00:00:00 2001 +From 7aa607335fa7fd1b95a5b5bb44674f3e1f45ddac Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 43/78] install/ui/src/freeipa/widgets/App.js: Change branding +Subject: [PATCH 43/93] install/ui/src/freeipa/widgets/App.js: Change branding to IPA and Identity Management --- @@ -1330,7 +1372,7 @@ Subject: [PATCH 43/78] install/ui/src/freeipa/widgets/App.js: Change branding 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widgets/App.js b/install/ui/src/freeipa/widgets/App.js -index 3a139555a..b0f75885d 100644 +index 3a13955..b0f7588 100644 --- a/install/ui/src/freeipa/widgets/App.js +++ b/install/ui/src/freeipa/widgets/App.js @@ -187,7 +187,7 @@ define(['dojo/_base/declare', @@ -1343,12 +1385,13 @@ index 3a139555a..b0f75885d 100644 return this.brand_node; -- -2.21.1 +2.28.0 -From 5573b887c32228f2c404413fd58560da95ef954d Mon Sep 17 00:00:00 2001 + +From 47e67dd83c26507fe2a40c7dab437379d891b460 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 44/78] install/ui/sync_otp.html: Change branding to IPA and +Subject: [PATCH 44/93] install/ui/sync_otp.html: Change branding to IPA and Identity Management --- @@ -1356,7 +1399,7 @@ Subject: [PATCH 44/78] install/ui/sync_otp.html: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/sync_otp.html b/install/ui/sync_otp.html -index 5814b6c57..36a51ca62 100644 +index 5814b6c..36a51ca 100644 --- a/install/ui/sync_otp.html +++ b/install/ui/sync_otp.html @@ -2,7 +2,7 @@ @@ -1369,12 +1412,13 @@ index 5814b6c57..36a51ca62 100644 <!--[if IE]> <meta id="ie-detector"> -- -2.21.1 +2.28.0 + -From 86d40a59a18f9b1439387bf8d5794437be0fb8b9 Mon Sep 17 00:00:00 2001 +From b87532edeebde90e4b293dff3e6ec4d14fe85d08 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 45/78] install/ui/test/data/ipa_init_commands.json: Change +Subject: [PATCH 45/93] install/ui/test/data/ipa_init_commands.json: Change branding to IPA and Identity Management --- @@ -1382,7 +1426,7 @@ Subject: [PATCH 45/78] install/ui/test/data/ipa_init_commands.json: Change 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json -index c35946b34..6d3667473 100644 +index 8fa4999..4b51d97 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -8689,7 +8689,7 @@ @@ -1404,12 +1448,13 @@ index c35946b34..6d3667473 100644 "no_update" ], -- -2.21.1 +2.28.0 -From 7e027d4836251b4f824b5e420e8ef6cfa8bb4505 Mon Sep 17 00:00:00 2001 + +From 72fea1fb9d0de429cb8f2b1774dfd0df8d0ee685 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 46/78] install/ui/test/data/ipa_init_objects.json: Change +Subject: [PATCH 46/93] install/ui/test/data/ipa_init_objects.json: Change branding to IPA and Identity Management --- @@ -1417,7 +1462,7 @@ Subject: [PATCH 46/78] install/ui/test/data/ipa_init_objects.json: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json -index 6f9b13e92..08aaafd61 100644 +index 6f9b13e..08aaafd 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -21190,7 +21190,7 @@ @@ -1430,12 +1475,13 @@ index 6f9b13e92..08aaafd61 100644 "cli_metavar" : "INT", "default" : 0, -- -2.21.1 +2.28.0 + -From 799fc53a7d6503d76452617998da0a936527116c Mon Sep 17 00:00:00 2001 +From 29125fa720c618e7ee73f0613138dd250fca2e5d Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 47/78] ipaclient/install/client.py: Change branding to IPA and +Subject: [PATCH 47/93] ipaclient/install/client.py: Change branding to IPA and Identity Management --- @@ -1443,10 +1489,10 @@ Subject: [PATCH 47/78] ipaclient/install/client.py: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 34b2d1a6e..d3bffb05f 100644 +index 175a56c..e6f364d 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py -@@ -2033,7 +2033,7 @@ def install_check(options): +@@ -2069,7 +2069,7 @@ def install_check(options): global client_domain global cli_basedn @@ -1456,12 +1502,13 @@ index 34b2d1a6e..d3bffb05f 100644 print("") -- -2.21.1 +2.28.0 -From 2c5f5f196ec959eed754b0966fc80daa1d1b6ff7 Mon Sep 17 00:00:00 2001 + +From 419fba1f044fd8bae44e0345d4a1553e01e69bdd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:40 +0300 -Subject: [PATCH 48/78] ipaclient/remote_plugins/2_114/otptoken.py: Change +Subject: [PATCH 48/93] ipaclient/remote_plugins/2_114/otptoken.py: Change branding to IPA and Identity Management --- @@ -1469,7 +1516,7 @@ Subject: [PATCH 48/78] ipaclient/remote_plugins/2_114/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py -index 632c97ea2..d3edb589d 100644 +index 632c97e..d3edb58 100644 --- a/ipaclient/remote_plugins/2_114/otptoken.py +++ b/ipaclient/remote_plugins/2_114/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1500,12 +1547,13 @@ index 632c97ea2..d3edb589d 100644 ), parameters.Int( -- -2.21.1 +2.28.0 + -From 521d5c9ebee2fe4df8650ebdc53b91d25232d631 Mon Sep 17 00:00:00 2001 +From 9ee6cabb2996ce6ebf34a3d521c854aab8de92a2 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 49/78] ipaclient/remote_plugins/2_156/otptoken.py: Change +Subject: [PATCH 49/93] ipaclient/remote_plugins/2_156/otptoken.py: Change branding to IPA and Identity Management --- @@ -1513,7 +1561,7 @@ Subject: [PATCH 49/78] ipaclient/remote_plugins/2_156/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_156/otptoken.py +++ b/ipaclient/remote_plugins/2_156/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1544,12 +1592,13 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.21.1 +2.28.0 -From 0a29cb7c05dfc8a75afdbdadcb9c7a67e9e90b50 Mon Sep 17 00:00:00 2001 + +From 61cfaa8ab75ed6075076b8da960382fc4e76a35d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 50/78] ipaclient/remote_plugins/2_164/otptoken.py: Change +Subject: [PATCH 50/93] ipaclient/remote_plugins/2_164/otptoken.py: Change branding to IPA and Identity Management --- @@ -1557,7 +1606,7 @@ Subject: [PATCH 50/78] ipaclient/remote_plugins/2_164/otptoken.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py -index 0b2b54c6e..e674d465d 100644 +index 0b2b54c..e674d46 100644 --- a/ipaclient/remote_plugins/2_164/otptoken.py +++ b/ipaclient/remote_plugins/2_164/otptoken.py @@ -132,7 +132,7 @@ class otptoken(Object): @@ -1588,12 +1637,13 @@ index 0b2b54c6e..e674d465d 100644 ), parameters.Int( -- -2.21.1 +2.28.0 + -From fec6eff7f15ff4ae4bf28d816ca4b231f77b15ca Mon Sep 17 00:00:00 2001 +From 82b07fb868dce69b7f1531b9b518f168531113fc Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 51/78] ipalib/pkcs10.py: Change branding to IPA and Identity +Subject: [PATCH 51/93] ipalib/pkcs10.py: Change branding to IPA and Identity Management --- @@ -1601,7 +1651,7 @@ Subject: [PATCH 51/78] ipalib/pkcs10.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py -index 2756c8568..590ce0757 100644 +index 2756c85..590ce07 100644 --- a/ipalib/pkcs10.py +++ b/ipalib/pkcs10.py @@ -2,7 +2,7 @@ from __future__ import print_function @@ -1614,12 +1664,13 @@ index 2756c8568..590ce0757 100644 file=sys.stderr ) -- -2.21.1 +2.28.0 -From e364a5187b1a49ea81653f5282825485a58827df Mon Sep 17 00:00:00 2001 + +From df262a92dc2ea0db0bd4902a196f0867c682fd45 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 52/78] ipalib/rpc.py: Change branding to IPA and Identity +Subject: [PATCH 52/93] ipalib/rpc.py: Change branding to IPA and Identity Management --- @@ -1627,10 +1678,10 @@ Subject: [PATCH 52/78] ipalib/rpc.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py -index 1ef0f5e95..f1be90522 100644 +index 01746cb..c3d0513 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py -@@ -284,7 +284,7 @@ class _JSONPrimer(dict): +@@ -282,7 +282,7 @@ class _JSONPrimer(dict): Prepare a data structure for JSON serialization. In an ideal world, priming could be handled by the default hook of json.dumps(). Unfortunately the @@ -1640,12 +1691,13 @@ index 1ef0f5e95..f1be90522 100644 The primer uses a couple of tricks to archive maximum performance: -- -2.21.1 +2.28.0 + -From e1367d8a71cd5d1aa0f57793238577fa69324594 Mon Sep 17 00:00:00 2001 +From 969752d92a1f20cf6fb777c43193edf94c8d9833 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 53/78] ipalib/util.py: Change branding to IPA and Identity +Subject: [PATCH 53/93] ipalib/util.py: Change branding to IPA and Identity Management --- @@ -1653,10 +1705,10 @@ Subject: [PATCH 53/78] ipalib/util.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/util.py b/ipalib/util.py -index e0c658c51..3378db043 100644 +index e3a510f..f63ae1b 100644 --- a/ipalib/util.py +++ b/ipalib/util.py -@@ -236,7 +236,7 @@ def normalize_zone(zone): +@@ -242,7 +242,7 @@ def normalize_zone(zone): def get_proper_tls_version_span(tls_version_min, tls_version_max): """ This function checks whether the given TLS versions are known in @@ -1666,12 +1718,13 @@ index e0c658c51..3378db043 100644 `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`). -- -2.21.1 +2.28.0 -From e980e233c6c48fe2ebc8d10f5bd18db5dea6ff94 Mon Sep 17 00:00:00 2001 + +From c72847fcf0feef3a2404c82934e1c67a3d8f3e72 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 54/78] ipalib/x509.py: Change branding to IPA and Identity +Subject: [PATCH 54/93] ipalib/x509.py: Change branding to IPA and Identity Management --- @@ -1679,10 +1732,10 @@ Subject: [PATCH 54/78] ipalib/x509.py: Change branding to IPA and Identity 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/x509.py b/ipalib/x509.py -index 1f612a379..dfe66e1b4 100644 +index 0ee710f..402e0e9 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py -@@ -88,7 +88,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' +@@ -92,7 +92,7 @@ SAN_KRB5PRINCIPALNAME = '1.3.6.1.5.2.2' class IPACertificate: """ A proxy class wrapping a python-cryptography certificate representation for 
@@ -1692,12 +1745,13 @@ index 1f612a379..dfe66e1b4 100644 def __init__(self, cert, backend=None): """ -- -2.21.1 +2.28.0 + -From 38ca6711b3cb6c24c9ae16e172339a680613f2af Mon Sep 17 00:00:00 2001 +From d74025cc8306ea5ab1a75105109b82d4eb31d723 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 55/78] ipaserver/advise/plugins/legacy_clients.py: Change +Subject: [PATCH 55/93] ipaserver/advise/plugins/legacy_clients.py: Change branding to IPA and Identity Management --- @@ -1705,7 +1759,7 @@ Subject: [PATCH 55/78] ipaserver/advise/plugins/legacy_clients.py: Change 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py -index 2a56922b8..0e322fe96 100644 +index 2a56922..0e322fe 100644 --- a/ipaserver/advise/plugins/legacy_clients.py +++ b/ipaserver/advise/plugins/legacy_clients.py @@ -94,7 +94,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client): @@ -1745,12 +1799,13 @@ index 2a56922b8..0e322fe96 100644 'are all Red Hat based platforms.') -- -2.21.1 +2.28.0 -From f6fa8b8edd7a4123cf3f409c169e4eee12a3ed3c Mon Sep 17 00:00:00 2001 + +From ddd2cde38edb70271ba593e3b05c77c3c62c075c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 56/78] ipaserver/advise/plugins/smart_card_auth.py: Change +Subject: [PATCH 56/93] ipaserver/advise/plugins/smart_card_auth.py: Change branding to IPA and Identity Management --- @@ -1758,7 +1813,7 @@ Subject: [PATCH 56/78] ipaserver/advise/plugins/smart_card_auth.py: Change 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py -index c43c74e5b..ce50cec83 100644 +index 0709ec4..a067f36 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -97,7 +97,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): @@ -1785,12 +1840,13 @@ index c43c74e5b..ce50cec83 100644 "allow smart card logins to desktop") -- -2.21.1 +2.28.0 + -From 4b528a73ed9d914997f8e7ed44076211e6fef239 Mon Sep 17 00:00:00 2001 +From ee5e37f145d55536232681eb3cce6e4a17bffcb3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 57/78] ipaserver/install/dns.py: Change branding to IPA and +Subject: [PATCH 57/93] ipaserver/install/dns.py: Change branding to IPA and Identity Management --- @@ -1798,10 +1854,10 @@ Subject: [PATCH 57/78] ipaserver/install/dns.py: Change branding to IPA and 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 9f08e86f9..7d6d7fe7c 100644 +index 9cd8978..b51b92b 100644 --- a/ipaserver/install/dns.py +++ b/ipaserver/install/dns.py -@@ -151,7 +151,7 @@ def install_check(standalone, api, replica, options, hostname): +@@ -154,7 +154,7 @@ def install_check(standalone, api, replica, options, hostname): if standalone: print("==============================================================================") @@ -1811,12 +1867,13 @@ index 9f08e86f9..7d6d7fe7c 100644 print("This includes:") print(" * Configure DNS (bind)") -- -2.21.1 +2.28.0 -From b4bf196e8f7eb5193d5be111820b9b9d13b7c25c Mon Sep 17 00:00:00 2001 + +From bab43eae498b96e574aea685a5790608aca8cd96 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 58/78] ipaserver/install/ipa_kra_install.py: Change branding +Subject: [PATCH 58/93] ipaserver/install/ipa_kra_install.py: Change branding to IPA and Identity Management --- @@ -1824,7 +1881,7 @@ Subject: [PATCH 58/78] ipaserver/install/ipa_kra_install.py: Change branding 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py -index 2d6e4bf09..076c20666 100644 +index 159f02e..04ac94b 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -93,7 +93,7 @@ class KRAInstall(admintool.AdminTool): @@ -1846,12 +1903,13 @@ index 2d6e4bf09..076c20666 100644 ''' -- -2.21.1 +2.28.0 + -From 2831a3d84888547b38803681019f9f5bdfb34b2e Mon Sep 17 00:00:00 2001 +From ac3620bc3050bad623be7f47de35b76485f3236b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 59/78] ipaserver/install/plugins/dns.py: Change branding to +Subject: [PATCH 59/93] ipaserver/install/plugins/dns.py: Change branding to IPA and Identity Management --- @@ -1859,7 +1917,7 @@ Subject: [PATCH 59/78] ipaserver/install/plugins/dns.py: Change branding to 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py -index baa19c38e..a7a1748d9 100644 +index ad875b4..9d6ca47 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py @@ -161,11 +161,11 @@ class update_ipaconfigstring_dnsversion_to_ipadnsversion(Updater): @@ -1904,12 +1962,13 @@ index baa19c38e..a7a1748d9 100644 """ backup_filename = u'dns-forwarding-empty-zones-%Y-%m-%d-%H-%M-%S.ldif' -- -2.21.1 +2.28.0 -From 76ae883950cbe20c50f456ddc7d24d209d78232e Mon Sep 17 00:00:00 2001 + +From 2fdf8d86d71afff004b14998649ef45c460fa6e8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 60/78] ipaserver/install/replication.py: Change branding to +Subject: [PATCH 60/93] ipaserver/install/replication.py: Change branding to IPA and Identity Management --- @@ -1917,10 +1976,10 @@ Subject: [PATCH 60/78] ipaserver/install/replication.py: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py -index 1fefe3ebf..87794b7f4 100644 +index e8407f3..95bb810 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py -@@ -1760,7 +1760,7 @@ class ReplicationManager: +@@ -1799,7 +1799,7 @@ class ReplicationManager: Ensure that the 'cn=replication managers,cn=sysaccounts' group exists and contains the principals for master and remote replica @@ -1930,12 +1989,13 @@ index 1fefe3ebf..87794b7f4 100644 """ my_dn = DN( -- -2.21.1 +2.28.0 + -From 4324a4f3653d3322ef75406b0b9b2cd68fb17995 Mon Sep 17 00:00:00 2001 +From 6225f0e67f618460d4327950effdeb2a15f4ba96 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 61/78] ipaserver/install/server/install.py: Change branding to +Subject: [PATCH 61/93] ipaserver/install/server/install.py: Change branding to IPA and Identity Management --- @@ -1943,10 +2003,10 @@ Subject: [PATCH 61/78] ipaserver/install/server/install.py: Change branding to 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index afce0d73a..b62c08baa 100644 +index c0d33f3..103cfcc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py -@@ -414,7 +414,7 @@ def install_check(installer): +@@ -427,7 +427,7 @@ def install_check(installer): print("=======================================" "=======================================") @@ -1956,12 +2016,13 @@ index afce0d73a..b62c08baa 100644 print("") print("This includes:") -- -2.21.1 +2.28.0 -From 55b2630e53494d831fb65a0c520aabe1c895b13d Mon Sep 17 00:00:00 2001 + +From 53f918cd0bc8c7633007986f61a091ee267db634 Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 62/78] ipaserver/install/server/replicainstall.py: Change +Subject: [PATCH 62/93] ipaserver/install/server/replicainstall.py: Change branding to IPA and Identity Management --- @@ -1969,10 +2030,10 @@ Subject: [PATCH 62/78] ipaserver/install/server/replicainstall.py: Change 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 71ea091a3..0ea48f18e 100644 +index f75f5fd..73967a2 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -619,7 +619,7 @@ def check_domain_level_is_supported(current): +@@ -623,7 +623,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -1982,12 +2043,13 @@ index 71ea091a3..0ea48f18e 100644 "this domain. The Domain Level needs to be " "raised before installing a replica with " -- -2.21.1 +2.28.0 + -From 649e159570278e417922a68e23c2fc44ef6eeb44 Mon Sep 17 00:00:00 2001 +From f6f4a5cc0f0e4d5ba28aa7ed849fb4ced31e74f3 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 63/78] ipaserver/plugins/certmap.py: Change branding to IPA +Subject: [PATCH 63/93] ipaserver/plugins/certmap.py: Change branding to IPA and Identity Management --- @@ -1995,7 +2057,7 @@ Subject: [PATCH 63/78] ipaserver/plugins/certmap.py: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py -index ee8f0c15f..cdbc38f70 100644 +index ee8f0c1..cdbc38f 100644 --- a/ipaserver/plugins/certmap.py +++ b/ipaserver/plugins/certmap.py @@ -614,7 +614,7 @@ class certmap_match(Search): 
@@ -2008,12 +2070,13 @@ index ee8f0c15f..cdbc38f70 100644 """ sssd = _sssd() -- -2.21.1 +2.28.0 -From 926ce56e094b8b54c10d867d9c1150d73af088f5 Mon Sep 17 00:00:00 2001 + +From bca6ca20a626caf6425381ce6f90c762fdbad32f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 64/78] ipaserver/plugins/otptoken.py: Change branding to IPA +Subject: [PATCH 64/93] ipaserver/plugins/otptoken.py: Change branding to IPA and Identity Management --- @@ -2021,7 +2084,7 @@ Subject: [PATCH 64/78] ipaserver/plugins/otptoken.py: Change branding to IPA 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py -index 72ed5393d..46e4d5e8d 100644 +index 72ed539..46e4d5e 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -245,7 +245,7 @@ class otptoken(LDAPObject): @@ -2034,12 +2097,13 @@ index 72ed5393d..46e4d5e8d 100644 autofill=True, flags=('no_update'), -- -2.21.1 +2.28.0 + -From aaa3824fd7e96be447529183033aa37cad016264 Mon Sep 17 00:00:00 2001 +From f17dbc16c6c0a40775c412af960d89982c6dd786 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <abokovoy@redhat.com> Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 65/78] ipaserver/plugins/sudorule.py: Change branding to IPA +Subject: [PATCH 65/93] ipaserver/plugins/sudorule.py: Change branding to IPA and Identity Management --- @@ -2047,7 +2111,7 @@ Subject: [PATCH 65/78] ipaserver/plugins/sudorule.py: Change branding to IPA 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/sudorule.py b/ipaserver/plugins/sudorule.py -index 643215985..68baa0174 100644 +index 6432159..68baa01 100644 --- a/ipaserver/plugins/sudorule.py +++ b/ipaserver/plugins/sudorule.py @@ -47,7 +47,7 @@ give certain users (or groups of users) the ability to run some (or all) 
@@ -2069,165 +2133,906 @@ index 643215985..68baa0174 100644 """) + _(""" To enable the binddn run the following command to set the password: -- -2.21.1 +2.28.0 -From 4285adc257bfdf7eb836c4bfdb61a8e34aa0e87d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 66/78] po/de.po: Change branding to IPA and Identity - Management + +From 412f3c83d2d634a3803eb4dd64d6476690065e43 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:27:35 +0200 +Subject: [PATCH 66/93] client/man/ipa-client-samba.1: Change branding to IPA + and Identity Management --- - po/de.po | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + client/man/ipa-client-samba.1 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/po/de.po b/po/de.po -index 8f9c2209b..95626fc68 100644 ---- a/po/de.po -+++ b/po/de.po -@@ -3668,7 +3668,7 @@ msgstr "TOTP Sychnronisierungsfenster" - msgid "TOTP authentication Window" - msgstr "TOTP Authentifizierungsfenster" +diff --git a/client/man/ipa-client-samba.1 b/client/man/ipa-client-samba.1 +index ea83715..5ed6c71 100644 +--- a/client/man/ipa-client-samba.1 ++++ b/client/man/ipa-client-samba.1 +@@ -1,7 +1,7 @@ + .\" A man page for ipa-client-samba + .\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license + .\" +-.TH "ipa-client-samba" "1" "Jun 10 2019" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-client-samba" "1" "Jun 10 2019" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-client\-samba \- Configure Samba file server on an IPA client + .SH "SYNOPSIS" +@@ -39,7 +39,7 @@ The ipa\-client\-samba script assumes that the machine has alreaby been enrolled + .SS "IPA Master Requirements" + At least one IPA master must hold a \fBTrust Controller\fR role. This can be achieved by running ipa\-adtrust\-install on the IPA master. The utility will configure IPA master to be a domain controller for IPA domain. 
--msgid "TOTP token / FreeIPA server time difference" -+msgid "TOTP token / IPA server time difference" - msgstr "Differenz zwischen Token und Serverzeit" +-IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with FreeIPA 4.8.0 or later release. ++IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with IPA 4.8.0 or later release. - msgid "Target" + .SH "OPTIONS" + .SS "BASIC OPTIONS" -- -2.21.1 +2.28.0 -From 68b461d299352e515457ff2ef8a40d82afc35bc0 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 67/78] po/es.po: Change branding to IPA and Identity - Management + +From 74bd1541d58e30319c99ac42a78f78b4e65a8117 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:28:22 +0200 +Subject: [PATCH 67/93] contrib/lite-server.py: Change branding to IPA and + Identity Management --- - po/es.po | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) + contrib/lite-server.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/po/es.po b/po/es.po -index b9e9fc126..6970d31f5 100644 ---- a/po/es.po -+++ b/po/es.po -@@ -3101,7 +3101,7 @@ msgid "" - "The profile configuration format is the raw property-list format\n" - "used by Dogtag Certificate System. The XML format is not supported.\n" - "\n" --"The following restrictions apply to profiles managed by FreeIPA:\n" -+"The following restrictions apply to profiles managed by IPA:\n" - "\n" - "- When importing a profile the \"profileId\" field, if present, must\n" - " match the ID given on the command line.\n" -@@ -3159,7 +3159,7 @@ msgstr "" - "propiedad\n" - "usado por Dogtag Certificate System. 
No está soportado el formato XML.\n" - "\n" --"A los perfiles manejados por FreeIPA se les aplican las siguientes " -+"A los perfiles manejados por IPA se les aplican las siguientes " - "restricciones:\n" - "\n" - "- Cuando se importa un perfil el campo \"profileId\", si está presente, debe " -@@ -4948,7 +4948,7 @@ msgid "" - "commands as root or another user while providing an audit trail of the\n" - "commands and their arguments.\n" - "\n" --"FreeIPA provides a means to configure the various aspects of Sudo:\n" -+"IPA provides a means to configure the various aspects of Sudo:\n" - " Users: The user(s)/group(s) allowed to invoke Sudo.\n" - " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " - "Sudo.\n" -@@ -4963,7 +4963,7 @@ msgid "" - "are evaluated (if the client supports it). This order is an integer and\n" - "must be unique.\n" - "\n" --"FreeIPA provides a designated binddn to use with Sudo located at:\n" -+"IPA provides a designated binddn to use with Sudo located at:\n" - "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" - "\n" - "To enable the binddn run the following command to set the password:\n" -@@ -4971,7 +4971,7 @@ msgid "" - "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," - "dc=com\n" - "\n" --"For more information, see the FreeIPA Documentation to Sudo.\n" -+"For more information, see the IPA Documentation to Sudo.\n" - msgstr "" - "\n" - "Reglas Sudo\n" -@@ -4984,7 +4984,7 @@ msgstr "" - "auditoria de\n" - " los comandos y sus argumentos.\n" - "\n" --"FreeIPA proporciona un medio para configurar diversos aspectos de Sudo:\n" -+"IPA proporciona un medio para configurar diversos aspectos de Sudo:\n" - " Users: Los usuario(s)/grupos(s) que tienen permitido llamar a Sudo.\n" - " Hosts: Loshost(s)/grupo(s) de host a los que el usuario permite llamar a " - "Sudo.\n" -@@ -5002,7 +5002,7 @@ msgstr "" - "será evaluada\n" - "(si el cliente lo soporta). 
Este orden es un entero y debe ser único.\n" - "\n" --"FreeIPA suministra un binddn designado para usar con Sudo situado en :\n" -+"IPA suministra un binddn designado para usar con Sudo situado en :\n" - "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" - "\n" - "Para habilitar el binddn ejecute el siguiente comando para fijar la " -@@ -5011,7 +5011,7 @@ msgstr "" - "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," - "dc=com\n" - "\n" --"Para más información, vea la Documentación FreeIPA para Sudo.\n" -+"Para más información, vea la Documentación IPA para Sudo.\n" - - msgid "" - "\n" -@@ -12742,8 +12742,8 @@ msgstr "Variación del tiempo de autenticación TOTP (segundos)" - msgid "TOTP synchronization time variance (seconds)" - msgstr "Variación del tiempo de sincronización TOTP (segundos)" +diff --git a/contrib/lite-server.py b/contrib/lite-server.py +index 51f7c08..badbfdb 100755 +--- a/contrib/lite-server.py ++++ b/contrib/lite-server.py +@@ -140,7 +140,7 @@ class StaticFilesMiddleware(SharedDataMiddleware): --msgid "TOTP token / FreeIPA server time difference" --msgstr "Ficha TOTP / Diferencia de hora del servidor FreeIPA" -+msgid "TOTP token / IPA server time difference" -+msgstr "Ficha TOTP / Diferencia de hora del servidor IPA" - msgid "Take a revoked certificate off hold." - msgstr "Tomar un certificado revocado de espera." 
+ def init_api(ccname): +- """Initialize FreeIPA API from command line ++ """Initialize IPA API from command line + """ + from ipalib import __file__ as ipalib_file + from ipalib import api -- -2.21.1 +2.28.0 -From 1d49558b613ae9f1c763e3108166b47a59b743be Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 68/78] po/fr.po: Change branding to IPA and Identity - Management + +From 46c3a350be1140eb7fbb529586bf11c986bbc8ae Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:28:56 +0200 +Subject: [PATCH 68/93] ipaserver/dcerpc.py: Change branding to IPA and + Identity Management --- - po/fr.po | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) + ipaserver/dcerpc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/po/fr.po b/po/fr.po -index 88253e172..23a4ba3ea 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -2575,17 +2575,17 @@ msgstr "" - - msgid "" - "\n" --"FreeIPA provides a designated binddn to use with Sudo located at:\n" -+"IPA provides a designated binddn to use with Sudo located at:\n" - "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" - msgstr "" - "\n" --"FreeIPA permet la désignation d'un « binddn » à utiliser avec sudo situé " -+"IPA permet la désignation d'un « binddn » à utiliser avec sudo situé " - "à :\n" - "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index ff56270..753d171 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -1483,7 +1483,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): + def communicate(td): + td.init_lsa_pipe(td.info['dc']) + netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) +- # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call ++ # Older IPA versions used netr_DsrEnumerateDomainTrusts call + # but it doesn't provide information about non-domain UPNs 
associated + # with the forest, thus we have to use netr_DsRGetForestTrustInformation + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], None, 0) +-- +2.28.0 + + +From c9ccf5ec0927e25a32060a556e5248d3bc3cda66 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:29:21 +0200 +Subject: [PATCH 69/93] ipaserver/install/ipa_cert_fix.py: Change branding to + IPA and Identity Management + +--- + ipaserver/install/ipa_cert_fix.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py +index 1b2f543..735fcd7 100644 +--- a/ipaserver/install/ipa_cert_fix.py ++++ b/ipaserver/install/ipa_cert_fix.py +@@ -45,7 +45,7 @@ msg = """ + WARNING - msgid "" - "\n" --"FreeIPA provides a means to configure the various aspects of Sudo:\n" + ipa-cert-fix is intended for recovery when expired certificates +-prevent the normal operation of FreeIPA. It should ONLY be used ++prevent the normal operation of IPA. It should ONLY be used + in such scenarios, and backup of the system, especially certificates + and keys, is STRONGLY RECOMMENDED. + +-- +2.28.0 + + +From 8f24640b50dc24dbae3f24726d2a05993d9a42b7 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:29:43 +0200 +Subject: [PATCH 70/93] ipaserver/plugins/config.py: Change branding to IPA and + Identity Management + +--- + ipaserver/plugins/config.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index e96e519..ace66e5 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -462,7 +462,7 @@ class config(LDAPObject): + + known_domains = self.gather_trusted_domains() + +- # add FreeIPA domain to the list of domains. This one is always enabled ++ # add IPA domain to the list of domains. 
This one is always enabled + known_domains.update({self.api.env.domain: True}) + + for domain in submitted_domains: +-- +2.28.0 + + +From cbc3d2ebc95d5d27a142846a016a2f947b21d369 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:30:01 +0200 +Subject: [PATCH 71/93] ipaserver/plugins/certprofile.py: Change branding to + IPA and Identity Management + +--- + ipaserver/plugins/certprofile.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py +index ffede6e..978fce8 100644 +--- a/ipaserver/plugins/certprofile.py ++++ b/ipaserver/plugins/certprofile.py +@@ -57,7 +57,7 @@ PROFILE CONFIGURATION FORMAT: + The profile configuration format is the raw property-list format + used by Dogtag Certificate System. The XML format is not supported. + +-The following restrictions apply to profiles managed by FreeIPA: ++The following restrictions apply to profiles managed by IPA: + + - When importing a profile the "profileId" field, if present, must + match the ID given on the command line. +-- +2.28.0 + + +From dbc6bef407c6a0907965281f61f1d271972bf5ac Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Fri, 3 Apr 2020 14:30:20 +0200 +Subject: [PATCH 72/93] doc/designs/adtrust/samba-domain-member.md: Change + branding to IPA and Identity Management + +--- + doc/designs/adtrust/samba-domain-member.md | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/doc/designs/adtrust/samba-domain-member.md b/doc/designs/adtrust/samba-domain-member.md +index 95e3c01..83e84dd 100644 +--- a/doc/designs/adtrust/samba-domain-member.md ++++ b/doc/designs/adtrust/samba-domain-member.md +@@ -46,11 +46,11 @@ performing a remote authentication using Kerberos, a remote system has to + present a Kerberos ticket to the domain member's SMB service, like with any + other Kerberos services. 
+ +-To operate as a domain member in a FreeIPA domain, thus, Samba needs a FreeIPA +-master to be configured as a domain controller and a FreeIPA client needs to be ++To operate as a domain member in a IPA domain, thus, Samba needs a IPA ++master to be configured as a domain controller and a IPA client needs to be + configured in a specific way to allow Samba to talk to a domain controller. + This document overviews a set of implementation tasks to achieve the domain +-member operation. Most of these tasks are related to FreeIPA components but ++member operation. Most of these tasks are related to IPA components but + some of changes required do belong to Samba itself. + + ## Domain member configuration overview +@@ -102,16 +102,16 @@ password rotation. + + The knowledge of the machine account password is recorded in a special + database, `secrets.tdb`, during the process of a machine join to the domain. +-For FreeIPA client the join process is different from the one Samba uses for ++For IPA client the join process is different from the one Samba uses for + Active Directory, thus we need to seed the machine account password separately +-to enrolling FreeIPA client. Note that FreeIPA machine enrollment does not ++to enrolling IPA client. Note that IPA machine enrollment does not + allow to share clear text machine account password as it is not recorded + anywhere. + + ## Domain controller side configuration overview + + See [samba-domain-controller] for the details of how Samba domain controller is +-set up and configured in FreeIPA. ++set up and configured in IPA. 
+ + ## Changes required on domain member + +-- +2.28.0 + + +From 0f0f606a3fee4607a57110f429b38a6fb38d5dea Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:36:01 +0100 +Subject: [PATCH 73/93] po/ipa.pot: Change branding to IPA and Identity + Management + +--- + po/ipa.pot | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/po/ipa.pot b/po/ipa.pot +index e49bb7e..56dab55 100644 +--- a/po/ipa.pot ++++ b/po/ipa.pot +@@ -25055,7 +25055,7 @@ msgstr "" + #: ipaclient/remote_plugins/2_164/otptoken.py:266 + #: ipaclient/remote_plugins/2_164/otptoken.py:556 + #: ipaserver/plugins/otptoken.py:248 +-msgid "TOTP token / FreeIPA server time difference" ++msgid "TOTP token / IPA server time difference" + msgstr "" + + #: ipaclient/remote_plugins/2_114/otptoken.py:140 +@@ -28858,7 +28858,7 @@ msgid "" + "commands as root or another user while providing an audit trail of the\n" + "commands and their arguments.\n" + "\n" +-"FreeIPA provides a means to configure the various aspects of Sudo:\n" ++"IPA provides a means to configure the various aspects of Sudo:\n" + " Users: The user(s)/group(s) allowed to invoke Sudo.\n" + " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " + "Sudo.\n" +@@ -28873,7 +28873,7 @@ msgid "" + "are evaluated (if the client supports it). This order is an integer and\n" + "must be unique.\n" + "\n" +-"FreeIPA provides a designated binddn to use with Sudo located at:\n" ++"IPA provides a designated binddn to use with Sudo located at:\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + "\n" + "To enable the binddn run the following command to set the password:\n" +@@ -31529,7 +31529,7 @@ msgid "" + "The profile configuration format is the raw property-list format\n" + "used by Dogtag Certificate System. 
The XML format is not supported.\n" + "\n" +-"The following restrictions apply to profiles managed by FreeIPA:\n" ++"The following restrictions apply to profiles managed by IPA:\n" + "\n" + "- When importing a profile the \"profileId\" field, if present, must\n" + " match the ID given on the command line.\n" +@@ -36221,7 +36221,7 @@ msgid "" + "commands as root or another user while providing an audit trail of the\n" + "commands and their arguments.\n" + "\n" +-"FreeIPA provides a means to configure the various aspects of Sudo:\n" ++"IPA provides a means to configure the various aspects of Sudo:\n" + " Users: The user(s)/group(s) allowed to invoke Sudo.\n" + " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " + "Sudo.\n" +@@ -36236,7 +36236,7 @@ msgid "" + "are evaluated (if the client supports it). This order is an integer and\n" + "must be unique.\n" + "\n" +-"FreeIPA provides a designated binddn to use with Sudo located at:\n" ++"IPA provides a designated binddn to use with Sudo located at:\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + "\n" + "To enable the binddn run the following command to set the password:\n" +@@ -36244,7 +36244,7 @@ msgid "" + "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," + "dc=com\n" + "\n" +-"For more information, see the FreeIPA Documentation to Sudo.\n" ++"For more information, see the IPA Documentation to Sudo.\n" + msgstr "" + + #: ipaclient/remote_plugins/2_49/sudorule.py:382 +@@ -39846,7 +39846,7 @@ msgid "" + "The profile configuration format is the raw property-list format\n" + "used by Dogtag Certificate System. 
The XML format is not supported.\n" + "\n" +-"The following restrictions apply to profiles managed by FreeIPA:\n" ++"The following restrictions apply to profiles managed by IPA:\n" + "\n" + "- When importing a profile the \"profileId\" field, if present, must\n" + " match the ID given on the command line.\n" +@@ -49076,7 +49076,7 @@ msgstr "" + #: ipaserver/plugins/sudorule.py:49 + msgid "" + "\n" +-"FreeIPA provides a means to configure the various aspects of Sudo:\n" ++"IPA provides a means to configure the various aspects of Sudo:\n" + " Users: The user(s)/group(s) allowed to invoke Sudo.\n" + " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " + "Sudo.\n" +@@ -49099,7 +49099,7 @@ msgstr "" + #: ipaserver/plugins/sudorule.py:62 + msgid "" + "\n" +-"FreeIPA provides a designated binddn to use with Sudo located at:\n" ++"IPA provides a designated binddn to use with Sudo located at:\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + msgstr "" + +-- +2.28.0 + + +From 05e5469dfac9361cdfae113947faeefa7fd0be17 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 74/93] client/man/epn.conf.5: Change branding to IPA and + Identity Management + +--- + client/man/epn.conf.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/epn.conf.5 b/client/man/epn.conf.5 +index 60508d2..9f0ec59 100644 +--- a/client/man/epn.conf.5 ++++ b/client/man/epn.conf.5 +@@ -16,7 +16,7 @@ + .\" + .\" Author: Rob Crittenden <rcritten@@redhat.com> + .\" +-.TH "EPN.CONF" "5" "April 28, 2020" "FreeIPA" "FreeIPA Manual Pages" ++.TH "EPN.CONF" "5" "April 28, 2020" "IPA" "IPA Manual Pages" + .SH "NAME" + epn.conf \- Expiring Password Notification configuration file + .SH "SYNOPSIS" +-- +2.28.0 + + +From 334dc4d3b5509b10bb5bbf5f13b06604260c83af Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 
75/93] client/man/ipa-epn.1: Change branding to IPA and + Identity Management + +--- + client/man/ipa-epn.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/man/ipa-epn.1 b/client/man/ipa-epn.1 +index 124fd45..5e8438b 100644 +--- a/client/man/ipa-epn.1 ++++ b/client/man/ipa-epn.1 +@@ -15,7 +15,7 @@ + .\" along with this program. If not, see <http://www.gnu.org/licenses/>. + .\" + .\" +-.TH "IPA-EPN" "1" "April 24, 2020" "FreeIPA" "FreeIPA Manual Pages" ++.TH "IPA-EPN" "1" "April 24, 2020" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-epn \- Send expiring password nofications + .SH "SYNOPSIS" +-- +2.28.0 + + +From b8f4a8717acacbaed2b89fcad4d0e7e52db33302 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 76/93] install/share/ipaca_default.ini: Change branding to IPA + and Identity Management + +--- + install/share/ipaca_default.ini | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini +index e71edac..3a3dfd0 100644 +--- a/install/share/ipaca_default.ini ++++ b/install/share/ipaca_default.ini +@@ -2,7 +2,7 @@ + # Dogtag PKI configuration file + # + # The ipaca_default.ini contains hard-coded defaults that cannot be modified +-# by a user without breaking FreeIPA internals. ++# by a user without breaking IPA internals. + # + # Note: "%" must be quoted as "%%". 
+ # +-- +2.28.0 + + +From 8ebd6ce9596ca0871772ae6eac4e61e4e2aecd1b Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 77/93] install/tools/man/ipa-acme-manage.1: Change branding to + IPA and Identity Management + +--- + install/tools/man/ipa-acme-manage.1 | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/install/tools/man/ipa-acme-manage.1 b/install/tools/man/ipa-acme-manage.1 +index 07ee48d..e15d25b 100644 +--- a/install/tools/man/ipa-acme-manage.1 ++++ b/install/tools/man/ipa-acme-manage.1 +@@ -1,17 +1,17 @@ + .\" + .\" Copyright (C) 2020 FreeIPA Contributors see COPYING for license + .\" +-.TH "ipa-acme-manage" "1" "Jun 2 2020" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-acme-manage" "1" "Jun 2 2020" "IPA" "IPA Manual Pages" + .SH "NAME" +-ipa\-acme\-manage \- Manage the FreeIPA ACME service ++ipa\-acme\-manage \- Manage the IPA ACME service + .SH "SYNOPSIS" + ipa\-acme\-manage enable|disable|status + .SH "DESCRIPTION" + + Use the \fIipa-acme-manage\fR command to enable, disable or retrieve +-the status of the ACME service on a FreeIPA CA server. ++the status of the ACME service on a IPA CA server. + +-In a FreeIPA topology all CA servers capable of ACME will ++In a IPA topology all CA servers capable of ACME will + have the ACME service deployed. The service is not enabled + by default. It is expected that the ACME service will either be + enabled on all CA servers, or disabled on all CA servers. However +@@ -33,6 +33,6 @@ Display the status of the ACME service. 
+ + 1 if an error occurred + +-2 if the host is not a FreeIPA server ++2 if the host is not a IPA server + + 3 if the host is not a CA server +-- +2.28.0 + + +From 44e59d1aa53d0f24eff221c6dcfcbb0e47833736 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 78/93] install/tools/man/ipa-cert-fix.1: Change branding to + IPA and Identity Management + +--- + install/tools/man/ipa-cert-fix.1 | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/install/tools/man/ipa-cert-fix.1 b/install/tools/man/ipa-cert-fix.1 +index 3edef31..1ce6559 100644 +--- a/install/tools/man/ipa-cert-fix.1 ++++ b/install/tools/man/ipa-cert-fix.1 +@@ -1,7 +1,7 @@ + .\" + .\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license + .\" +-.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-cert-fix" "1" "Mar 25 2019" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-cert\-fix \- Renew expired certificates + .SH "SYNOPSIS" +@@ -9,7 +9,7 @@ ipa\-cert\-fix [options] + .SH "DESCRIPTION" + + \fIipa-cert-fix\fR is a tool for recovery when expired certificates +-prevent the normal operation of FreeIPA. It should ONLY be used in ++prevent the normal operation of IPA. It should ONLY be used in + such scenarios, and backup of the system, especially certificates + and keys, is \fBSTRONGLY RECOMMENDED\fR. + +@@ -22,7 +22,7 @@ This tool cannot renew certificates signed by external CAs. To + install new, externally-signed HTTP, LDAP or KDC certificates, use + \fIipa-server-certinstall(1)\fR. + +-\fIipa-cert-fix\fR will examine FreeIPA and Certificate System ++\fIipa-cert-fix\fR will examine IPA and Certificate System + certificates and renew certificates that are expired, or close to + expiry (less than two weeks). 
If any "shared" certificates are + renewed, \fIipa-cert-fix\fR will set the current server to be the CA +-- +2.28.0 + + +From 48d4752286f1bd8ca8089348d1c68275b37cbd6f Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 79/93] install/tools/man/ipa-crlgen-manage.1: Change branding + to IPA and Identity Management + +--- + install/tools/man/ipa-crlgen-manage.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install/tools/man/ipa-crlgen-manage.1 b/install/tools/man/ipa-crlgen-manage.1 +index 1fa48ce..f17573b 100644 +--- a/install/tools/man/ipa-crlgen-manage.1 ++++ b/install/tools/man/ipa-crlgen-manage.1 +@@ -1,7 +1,7 @@ + .\" + .\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license + .\" +-.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages" ++.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "IPA" "IPA Manual Pages" + .SH "NAME" + ipa\-crlgen\-manage \- Enables or disables CRL generation + .SH "SYNOPSIS" +-- +2.28.0 + + +From 253ba05abbe1899c7eaf9cdaf23014a7773243bd Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 80/93] ipaclient/remote_plugins/2_114/sudorule.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_114/sudorule.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py +index 808720e..4b02073 100644 +--- a/ipaclient/remote_plugins/2_114/sudorule.py ++++ b/ipaclient/remote_plugins/2_114/sudorule.py +@@ -24,7 +24,7 @@ give certain users (or groups of users) the ability to run some (or all) + commands as root or another user while providing an audit trail of the + commands and their arguments. 
+ +-FreeIPA provides a means to configure the various aspects of Sudo: ++IPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. +@@ -37,7 +37,7 @@ An order can be added to a sudorule to control the order in which they + are evaluated (if the client supports it). This order is an integer and + must be unique. + +-FreeIPA provides a designated binddn to use with Sudo located at: ++IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-- +2.28.0 + + +From 6f09a8be31d9929ee6863808a1497c3f27d6252f Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 81/93] ipaclient/remote_plugins/2_156/certprofile.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_156/certprofile.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaclient/remote_plugins/2_156/certprofile.py b/ipaclient/remote_plugins/2_156/certprofile.py +index b612342..1727f6d 100644 +--- a/ipaclient/remote_plugins/2_156/certprofile.py ++++ b/ipaclient/remote_plugins/2_156/certprofile.py +@@ -55,7 +55,7 @@ PROFILE CONFIGURATION FORMAT: + The profile configuration format is the raw property-list format + used by Dogtag Certificate System. The XML format is not supported. + +-The following restrictions apply to profiles managed by FreeIPA: ++The following restrictions apply to profiles managed by IPA: + + - When importing a profile the "profileId" field, if present, must + match the ID given on the command line. 
+-- +2.28.0 + + +From d8213c572ff439f7833fd80d15c67706cb5a4063 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 82/93] ipaclient/remote_plugins/2_156/sudorule.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_156/sudorule.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py +index 5d185ed..d475e68 100644 +--- a/ipaclient/remote_plugins/2_156/sudorule.py ++++ b/ipaclient/remote_plugins/2_156/sudorule.py +@@ -24,7 +24,7 @@ give certain users (or groups of users) the ability to run some (or all) + commands as root or another user while providing an audit trail of the + commands and their arguments. + +-FreeIPA provides a means to configure the various aspects of Sudo: ++IPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. +@@ -37,7 +37,7 @@ An order can be added to a sudorule to control the order in which they + are evaluated (if the client supports it). This order is an integer and + must be unique. 
+ +-FreeIPA provides a designated binddn to use with Sudo located at: ++IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-- +2.28.0 + + +From dc5781178e7902c2aa99e34d1f59add4a4289ceb Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 83/93] ipaclient/remote_plugins/2_164/certprofile.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_164/certprofile.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaclient/remote_plugins/2_164/certprofile.py b/ipaclient/remote_plugins/2_164/certprofile.py +index b612342..1727f6d 100644 +--- a/ipaclient/remote_plugins/2_164/certprofile.py ++++ b/ipaclient/remote_plugins/2_164/certprofile.py +@@ -55,7 +55,7 @@ PROFILE CONFIGURATION FORMAT: + The profile configuration format is the raw property-list format + used by Dogtag Certificate System. The XML format is not supported. + +-The following restrictions apply to profiles managed by FreeIPA: ++The following restrictions apply to profiles managed by IPA: + + - When importing a profile the "profileId" field, if present, must + match the ID given on the command line. 
+-- +2.28.0 + + +From c9fdd62a896eac4a9a1ab1c49dce93701a12b2b8 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 84/93] ipaclient/remote_plugins/2_164/sudorule.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_164/sudorule.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py +index 5d185ed..d475e68 100644 +--- a/ipaclient/remote_plugins/2_164/sudorule.py ++++ b/ipaclient/remote_plugins/2_164/sudorule.py +@@ -24,7 +24,7 @@ give certain users (or groups of users) the ability to run some (or all) + commands as root or another user while providing an audit trail of the + commands and their arguments. + +-FreeIPA provides a means to configure the various aspects of Sudo: ++IPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. +@@ -37,7 +37,7 @@ An order can be added to a sudorule to control the order in which they + are evaluated (if the client supports it). This order is an integer and + must be unique. 
+ +-FreeIPA provides a designated binddn to use with Sudo located at: ++IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: +-- +2.28.0 + + +From a7f9d11f32a6f2ff0cbba60e078c2557704703a9 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 17:38:57 +0100 +Subject: [PATCH 85/93] ipaclient/remote_plugins/2_49/sudorule.py: Change + branding to IPA and Identity Management + +--- + ipaclient/remote_plugins/2_49/sudorule.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py +index 3d01ecd..912a0b1 100644 +--- a/ipaclient/remote_plugins/2_49/sudorule.py ++++ b/ipaclient/remote_plugins/2_49/sudorule.py +@@ -24,7 +24,7 @@ give certain users (or groups of users) the ability to run some (or all) + commands as root or another user while providing an audit trail of the + commands and their arguments. + +-FreeIPA provides a means to configure the various aspects of Sudo: ++IPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. +@@ -37,13 +37,13 @@ An order can be added to a sudorule to control the order in which they + are evaluated (if the client supports it). This order is an integer and + must be unique. 
+ +-FreeIPA provides a designated binddn to use with Sudo located at: ++IPA provides a designated binddn to use with Sudo located at: + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + + To enable the binddn run the following command to set the password: + LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +-For more information, see the FreeIPA Documentation to Sudo. ++For more information, see the IPA Documentation to Sudo. + """) + + register = Registry() +-- +2.28.0 + + +From d121657377c727b7c444045e3a980572476a31af Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 86/93] po/de.po: Change branding to IPA and Identity + Management + +--- + po/de.po | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/po/de.po b/po/de.po +index 0685c23..275ac3f 100644 +--- a/po/de.po ++++ b/po/de.po +@@ -3642,7 +3642,7 @@ msgstr "TOTP Sychnronisierungsfenster" + msgid "TOTP authentication Window" + msgstr "TOTP Authentifizierungsfenster" + +-msgid "TOTP token / FreeIPA server time difference" ++msgid "TOTP token / IPA server time difference" + msgstr "Differenz zwischen Token und Serverzeit" + + msgid "Target" +-- +2.28.0 + + +From d1ee5f4c8f60e390b6dc5b82514cde56c41aab4e Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 87/93] po/es.po: Change branding to IPA and Identity + Management + +--- + po/es.po | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/po/es.po b/po/es.po +index 89c0ee1..9d94232 100644 +--- a/po/es.po ++++ b/po/es.po +@@ -3056,7 +3056,7 @@ msgid "" + "The profile configuration format is the raw property-list format\n" + "used by Dogtag Certificate System. 
The XML format is not supported.\n" + "\n" +-"The following restrictions apply to profiles managed by FreeIPA:\n" ++"The following restrictions apply to profiles managed by IPA:\n" + "\n" + "- When importing a profile the \"profileId\" field, if present, must\n" + " match the ID given on the command line.\n" +@@ -3114,7 +3114,7 @@ msgstr "" + "propiedad\n" + "usado por Dogtag Certificate System. No está soportado el formato XML.\n" + "\n" +-"A los perfiles manejados por FreeIPA se les aplican las siguientes " ++"A los perfiles manejados por IPA se les aplican las siguientes " + "restricciones:\n" + "\n" + "- Cuando se importa un perfil el campo \"profileId\", si está presente, debe " +@@ -4903,7 +4903,7 @@ msgid "" + "commands as root or another user while providing an audit trail of the\n" + "commands and their arguments.\n" + "\n" +-"FreeIPA provides a means to configure the various aspects of Sudo:\n" ++"IPA provides a means to configure the various aspects of Sudo:\n" + " Users: The user(s)/group(s) allowed to invoke Sudo.\n" + " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " + "Sudo.\n" +@@ -4918,7 +4918,7 @@ msgid "" + "are evaluated (if the client supports it). 
This order is an integer and\n" + "must be unique.\n" + "\n" +-"FreeIPA provides a designated binddn to use with Sudo located at:\n" ++"IPA provides a designated binddn to use with Sudo located at:\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + "\n" + "To enable the binddn run the following command to set the password:\n" +@@ -4926,7 +4926,7 @@ msgid "" + "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," + "dc=com\n" + "\n" +-"For more information, see the FreeIPA Documentation to Sudo.\n" ++"For more information, see the IPA Documentation to Sudo.\n" + msgstr "" + "\n" + "Reglas Sudo\n" +@@ -4939,7 +4939,7 @@ msgstr "" + "auditoria de\n" + " los comandos y sus argumentos.\n" + "\n" +-"FreeIPA proporciona un medio para configurar diversos aspectos de Sudo:\n" ++"IPA proporciona un medio para configurar diversos aspectos de Sudo:\n" + " Users: Los usuario(s)/grupos(s) que tienen permitido llamar a Sudo.\n" + " Hosts: Loshost(s)/grupo(s) de host a los que el usuario permite llamar a " + "Sudo.\n" +@@ -4957,7 +4957,7 @@ msgstr "" + "será evaluada\n" + "(si el cliente lo soporta). 
Este orden es un entero y debe ser único.\n" + "\n" +-"FreeIPA suministra un binddn designado para usar con Sudo situado en :\n" ++"IPA suministra un binddn designado para usar con Sudo situado en :\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + "\n" + "Para habilitar el binddn ejecute el siguiente comando para fijar la " +@@ -4966,7 +4966,7 @@ msgstr "" + "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," + "dc=com\n" + "\n" +-"Para más información, vea la Documentación FreeIPA para Sudo.\n" ++"Para más información, vea la Documentación IPA para Sudo.\n" + + msgid "" + "\n" +@@ -12604,8 +12604,8 @@ msgstr "Variación del tiempo de autenticación TOTP (segundos)" + msgid "TOTP synchronization time variance (seconds)" + msgstr "Variación del tiempo de sincronización TOTP (segundos)" + +-msgid "TOTP token / FreeIPA server time difference" +-msgstr "Ficha TOTP / Diferencia de hora del servidor FreeIPA" ++msgid "TOTP token / IPA server time difference" ++msgstr "Ficha TOTP / Diferencia de hora del servidor IPA" + + msgid "Take a revoked certificate off hold." + msgstr "Tomar un certificado revocado de espera." 
+-- +2.28.0 + + +From c21b51f2d19889f928202452ca6572f042ff8d72 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 88/93] po/fr.po: Change branding to IPA and Identity + Management + +--- + po/fr.po | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/po/fr.po b/po/fr.po +index c8b99e2..ac602cc 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -2575,17 +2575,17 @@ msgstr "" + + msgid "" + "\n" +-"FreeIPA provides a designated binddn to use with Sudo located at:\n" ++"IPA provides a designated binddn to use with Sudo located at:\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + msgstr "" + "\n" +-"FreeIPA permet la désignation d'un « binddn » à utiliser avec sudo situé " ++"IPA permet la désignation d'un « binddn » à utiliser avec sudo situé " + "à :\n" + "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" + + msgid "" + "\n" +-"FreeIPA provides a means to configure the various aspects of Sudo:\n" +"IPA provides a means to configure the various aspects of Sudo:\n" " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " @@ -2259,7 +3064,7 @@ index 88253e172..23a4ba3ea 100644 "\n" "- Lors de l'import d'un profil, le champ « profileId » s'il est présent " "doit\n" -@@ -15658,8 +15658,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" +@@ -15617,8 +15617,8 @@ msgstr "Durée de la fenêtre d'authentification TOTP (secondes)" msgid "TOTP synchronization time variance (seconds)" msgstr "Variance temporelle de synchronisation TOTP (secondes)" 
@@ -2271,12 +3076,38 @@ index 88253e172..23a4ba3ea 100644 msgid "TSIG record" msgstr "Enregistrement TSIG" -- -2.21.1 +2.28.0 -From 28d5217ccc838e037f60dbdfce72ae0eaa1fbdd8 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 69/78] po/ru.po: Change branding to IPA and Identity + +From b9123b82127a918effcb62b06c537f0f1e1193ff Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 89/93] po/ipa.pot: Change branding to IPA and Identity + Management + +--- + po/ipa.pot | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/po/ipa.pot b/po/ipa.pot +index 56dab55..8848bb9 100644 +--- a/po/ipa.pot ++++ b/po/ipa.pot +@@ -1,5 +1,5 @@ + # SOME DESCRIPTIVE TITLE. +-# Copyright (C) YEAR FreeIPA Contributors ++# Copyright (C) YEAR IPA Contributors + # This file is distributed under the same license as the freeipa package. + # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. + # +-- +2.28.0 + + +From bddd0a70b16f2921b498aaa39f353401fd37466c Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 90/93] po/ru.po: Change branding to IPA and Identity Management --- @@ -2284,10 +3115,10 @@ Subject: [PATCH 69/78] po/ru.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/po/ru.po b/po/ru.po -index 7d663a7a8..699979b74 100644 +index 47ae8a4..ffeb889 100644 --- a/po/ru.po +++ b/po/ru.po -@@ -5308,17 +5308,17 @@ msgstr "" +@@ -5261,17 +5261,17 @@ msgstr "" msgid "" "\n" @@ -2308,7 +3139,7 @@ index 7d663a7a8..699979b74 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5330,7 +5330,7 @@ msgid "" +@@ -5283,7 +5283,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" 
@@ -2317,7 +3148,7 @@ index 7d663a7a8..699979b74 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -7826,7 +7826,7 @@ msgid "" +@@ -7779,7 +7779,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2326,7 +3157,7 @@ index 7d663a7a8..699979b74 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -7880,7 +7880,7 @@ msgstr "" +@@ -7833,7 +7833,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2335,7 +3166,7 @@ index 7d663a7a8..699979b74 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -7936,7 +7936,7 @@ msgid "" +@@ -7889,7 +7889,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2344,7 +3175,7 @@ index 7d663a7a8..699979b74 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -7992,7 +7992,7 @@ msgstr "" +@@ -7945,7 +7945,7 @@ msgstr "" "свойств, который используется системой сертификации Dogtag Certificate " "System. Поддержка формата XML не предусмотрена.\n" "\n" @@ -2353,7 +3184,7 @@ index 7d663a7a8..699979b74 100644 "\n" "- При импорте профиля значение поля \"profileId\", если это поле имеется, " "должно совпадать с идентификатором, указанным в командной строке.\n" -@@ -13772,7 +13772,7 @@ msgid "" +@@ -13725,7 +13725,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" 
@@ -2362,7 +3193,7 @@ index 7d663a7a8..699979b74 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -13787,7 +13787,7 @@ msgid "" +@@ -13740,7 +13740,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2371,7 +3202,7 @@ index 7d663a7a8..699979b74 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -13825,7 +13825,7 @@ msgstr "" +@@ -13778,7 +13778,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2380,7 +3211,7 @@ index 7d663a7a8..699979b74 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -13846,7 +13846,7 @@ msgstr "" +@@ -13799,7 +13799,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2389,7 +3220,7 @@ index 7d663a7a8..699979b74 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -13887,7 +13887,7 @@ msgid "" +@@ -13840,7 +13840,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2398,7 +3229,7 @@ index 7d663a7a8..699979b74 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -13902,7 +13902,7 @@ msgid "" +@@ -13855,7 +13855,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2407,7 +3238,7 @@ index 7d663a7a8..699979b74 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -13910,7 +13910,7 @@ msgid "" +@@ -13863,7 +13863,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2416,7 +3247,7 @@ index 7d663a7a8..699979b74 100644 msgstr "" "\n" "Правила Sudo\n" -@@ -13921,7 +13921,7 @@ msgstr "" +@@ -13874,7 +13874,7 @@ msgstr "" "пользователя \"root\" или другого пользователя, вместе с тем предоставляя " "журнал аудита команд и их аргументов.\n" "\n" @@ -2425,7 +3256,7 @@ index 7d663a7a8..699979b74 100644 " Users: пользователь (пользователи) или группа (группы), которые могут " "вызывать Sudo.\n" " Hosts: узел (узлы) или группа (группы) узлов, пользователи которых могут " -@@ -13942,7 +13942,7 @@ msgstr "" +@@ -13895,7 +13895,7 @@ msgstr "" "Порядок определяется числовым индексом (целое число), который не должен " "повторяться.\n" "\n" @@ -2434,7 +3265,7 @@ index 7d663a7a8..699979b74 100644 "Sudo:\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -13951,7 +13951,7 @@ msgstr "" +@@ -13904,7 +13904,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2443,7 +3274,7 @@ index 7d663a7a8..699979b74 100644 msgid "" "\n" -@@ -27252,8 +27252,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци +@@ -27149,8 +27149,8 @@ msgstr "Отклонение по времени TOTP-аутентификаци msgid "TOTP synchronization time variance (seconds)" msgstr "Отклонение по времени TOTP-синхронизации (в секундах)" 
@@ -2455,12 +3286,38 @@ index 7d663a7a8..699979b74 100644 msgid "TSIG record" msgstr "Запись TSIG" -- -2.21.1 +2.28.0 -From 41e8beb8aa6bcaf48de38b48939fdf40cf8819b5 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 70/78] po/uk.po: Change branding to IPA and Identity + +From 2f862e5f4c7601a8bc50c9334ca5d3a59d7f8a57 Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 91/93] po/tr.po: Change branding to IPA and Identity + Management + +--- + po/tr.po | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/po/tr.po b/po/tr.po +index 9eccfe4..cf9b98a 100644 +--- a/po/tr.po ++++ b/po/tr.po +@@ -1,5 +1,5 @@ + # SOME DESCRIPTIVE TITLE. +-# Copyright (C) YEAR FreeIPA Contributors ++# Copyright (C) YEAR IPA Contributors + # This file is distributed under the same license as the freeipa package. + # Oğuz Ersen <oguzersen@protonmail.com>, 2020. + msgid "" +-- +2.28.0 + + +From aa4d887e7cef21959c4b4b3db57f6bd9ced965eb Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:58 +0100 +Subject: [PATCH 92/93] po/uk.po: Change branding to IPA and Identity Management --- @@ -2468,10 +3325,10 @@ Subject: [PATCH 70/78] po/uk.po: Change branding to IPA and Identity 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/po/uk.po b/po/uk.po -index a17396796..ca864c8a4 100644 +index 0757e2f..fd1de90 100644 --- a/po/uk.po +++ b/po/uk.po -@@ -5403,17 +5403,17 @@ msgstr "" +@@ -5411,17 +5411,17 @@ msgstr "" msgid "" "\n" @@ -2492,7 +3349,7 @@ index a17396796..ca864c8a4 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -5425,7 +5425,7 @@ msgid "" +@@ -5433,7 +5433,7 @@ msgid "" " Options: The various Sudoers Options that can modify Sudo's behavior.\n" msgstr "" "\n" 
@@ -2501,7 +3358,7 @@ index a17396796..ca864c8a4 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -7948,7 +7948,7 @@ msgid "" +@@ -9393,7 +9393,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2510,7 +3367,7 @@ index a17396796..ca864c8a4 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -8002,7 +8002,7 @@ msgstr "" +@@ -9447,7 +9447,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2519,7 +3376,7 @@ index a17396796..ca864c8a4 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -8059,7 +8059,7 @@ msgid "" +@@ -9504,7 +9504,7 @@ msgid "" "The profile configuration format is the raw property-list format\n" "used by Dogtag Certificate System. The XML format is not supported.\n" "\n" @@ -2528,7 +3385,7 @@ index a17396796..ca864c8a4 100644 "\n" "- When importing a profile the \"profileId\" field, if present, must\n" " match the ID given on the command line.\n" -@@ -8114,7 +8114,7 @@ msgstr "" +@@ -9559,7 +9559,7 @@ msgstr "" "властивостей, що використовується системою сертифікації Dogtag.\n" "Підтримки формату XML не передбачено.\n" "\n" @@ -2537,7 +3394,7 @@ index a17396796..ca864c8a4 100644 "\n" "- Під час імпортування профілю поле «profileId», якщо таке є, має\n" " містити значення, що збігається з ідентифікатором, вказаним у рядку " -@@ -13887,7 +13887,7 @@ msgid "" +@@ -15481,7 +15481,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" 
@@ -2546,7 +3403,7 @@ index a17396796..ca864c8a4 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -13902,7 +13902,7 @@ msgid "" +@@ -15496,7 +15496,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" @@ -2555,7 +3412,7 @@ index a17396796..ca864c8a4 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -13940,7 +13940,7 @@ msgstr "" +@@ -15534,7 +15534,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2564,7 +3421,7 @@ index a17396796..ca864c8a4 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -13958,7 +13958,7 @@ msgstr "" +@@ -15552,7 +15552,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" @@ -2573,7 +3430,7 @@ index a17396796..ca864c8a4 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -13998,7 +13998,7 @@ msgid "" +@@ -15592,7 +15592,7 @@ msgid "" "commands as root or another user while providing an audit trail of the\n" "commands and their arguments.\n" "\n" @@ -2582,7 +3439,7 @@ index a17396796..ca864c8a4 100644 " Users: The user(s)/group(s) allowed to invoke Sudo.\n" " Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke " "Sudo.\n" -@@ -14013,7 +14013,7 @@ msgid "" +@@ -15607,7 +15607,7 @@ msgid "" "are evaluated (if the client supports it). This order is an integer and\n" "must be unique.\n" "\n" 
@@ -2591,7 +3448,7 @@ index a17396796..ca864c8a4 100644 "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" "To enable the binddn run the following command to set the password:\n" -@@ -14021,7 +14021,7 @@ msgid "" +@@ -15615,7 +15615,7 @@ msgid "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" @@ -2600,7 +3457,7 @@ index a17396796..ca864c8a4 100644 msgstr "" "\n" "Правила sudo\n" -@@ -14032,7 +14032,7 @@ msgstr "" +@@ -15626,7 +15626,7 @@ msgstr "" "користувача, зберігаючи водночас журнал виконання команд та\n" "аргументів.\n" "\n" @@ -2609,7 +3466,7 @@ index a17396796..ca864c8a4 100644 " Users: користувачі або групи, які можуть викликати sudo.\n" " Hosts: вузли або групи вузлів, користувачі якого можуть викликати sudo.\n" " Allow Command: специфічні команди, які можна виконувати за допомогою " -@@ -14050,7 +14050,7 @@ msgstr "" +@@ -15644,7 +15644,7 @@ msgstr "" "обробки записів (якщо такий порядок передбачено на клієнтському боці).\n" "Порядок визначається числовим індексом, який не повинен повторюватися.\n" "\n" @@ -2618,7 +3475,7 @@ index a17396796..ca864c8a4 100644 "розташовано у\n" "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n" "\n" -@@ -14059,7 +14059,7 @@ msgstr "" +@@ -15653,7 +15653,7 @@ msgstr "" "ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example," "dc=com\n" "\n" 
@@ -2627,24 +3484,25 @@ index a17396796..ca864c8a4 100644 msgid "" "\n" -@@ -27264,8 +27264,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек +@@ -29242,8 +29242,8 @@ msgstr "Відхилення часу розпізнавання TOTP (у сек msgid "TOTP synchronization time variance (seconds)" msgstr "Відхилення часу синхронізації TOTP (у секундах)" -msgid "TOTP token / FreeIPA server time difference" --msgstr "Часова розбіжність між ключем TOTP і сервером FreeIPA" +-msgstr "Часова розбіжність між ключем TOTP і сервером FreeIPA" +msgid "TOTP token / IPA server time difference" -+msgstr "Часова розбіжність між ключем TOTP і сервером IPA" ++msgstr "Часова розбіжність між ключем TOTP і сервером IPA" msgid "TSIG record" msgstr "Запис TSIG" -- -2.21.1 +2.28.0 -From 703f4aa1ba942db3f614190de1dc291216d20e86 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy <abokovoy@redhat.com> -Date: Sun, 7 Oct 2018 12:25:41 +0300 -Subject: [PATCH 71/78] po/zh_CN.po: Change branding to IPA and Identity + +From 9de5307e8111992181a775d3bd9bf279033c1b1e Mon Sep 17 00:00:00 2001 +From: Thomas Woerner <twoerner@redhat.com> +Date: Wed, 18 Nov 2020 18:07:59 +0100 +Subject: [PATCH 93/93] po/zh_CN.po: Change branding to IPA and Identity Management --- @@ -2652,7 +3510,7 @@ Subject: [PATCH 71/78] po/zh_CN.po: Change branding to IPA and Identity 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/po/zh_CN.po b/po/zh_CN.po -index dec79967d..bc2269701 100644 +index 1963a5f..480c958 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -298,7 +298,7 @@ msgstr "" @@ -2673,7 +3531,7 @@ index dec79967d..bc2269701 100644 " 用户:用户/用户组允许调用Sudo。\n" " 主机:主机/主机组上的用户允许调用Sudo。\n" " 允许的命令:指定命令允许通过Sudo来运行。\n" -@@ -9923,8 +9923,8 @@ msgstr "TOTP认证时间差异(秒)" +@@ -9885,8 +9885,8 @@ msgstr "TOTP认证时间差异(秒)" msgid "TOTP synchronization time variance (seconds)" msgstr "TOTP同步时间差异(秒)" 
@@ -2685,222 +3543,5 @@ index dec79967d..bc2269701 100644 msgid "TSIG record" msgstr "TSIG记录" -- -2.21.1 - -From 51756934d7214104a0da2a5a57d74194ecb054c9 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:27:35 +0200 -Subject: [PATCH 72/78] client/man/ipa-client-samba.1: Change branding to IPA - and Identity Management - ---- - client/man/ipa-client-samba.1 | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/client/man/ipa-client-samba.1 b/client/man/ipa-client-samba.1 -index ea83715ff..5ed6c7150 100644 ---- a/client/man/ipa-client-samba.1 -+++ b/client/man/ipa-client-samba.1 -@@ -1,7 +1,7 @@ - .\" A man page for ipa-client-samba - .\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license - .\" --.TH "ipa-client-samba" "1" "Jun 10 2019" "FreeIPA" "FreeIPA Manual Pages" -+.TH "ipa-client-samba" "1" "Jun 10 2019" "IPA" "IPA Manual Pages" - .SH "NAME" - ipa\-client\-samba \- Configure Samba file server on an IPA client - .SH "SYNOPSIS" -@@ -39,7 +39,7 @@ The ipa\-client\-samba script assumes that the machine has alreaby been enrolled - .SS "IPA Master Requirements" - At least one IPA master must hold a \fBTrust Controller\fR role. This can be achieved by running ipa\-adtrust\-install on the IPA master. The utility will configure IPA master to be a domain controller for IPA domain. - --IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with FreeIPA 4.8.0 or later release. -+IPA master holding a \fBTrust Controller\fR role has also to have support for a special service command to create SMB service, \fBipa service-add-smb\fR. This command is available with IPA 4.8.0 or later release. 
- - .SH "OPTIONS" - .SS "BASIC OPTIONS" --- -2.21.1 - -From 9cb31fd0f81511252170f539b354a67b2bd1e96a Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:28:22 +0200 -Subject: [PATCH 73/78] contrib/lite-server.py: Change branding to IPA and - Identity Management - ---- - contrib/lite-server.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/contrib/lite-server.py b/contrib/lite-server.py -index bd73b0763..9feffdada 100755 ---- a/contrib/lite-server.py -+++ b/contrib/lite-server.py -@@ -139,7 +139,7 @@ class StaticFilesMiddleware(SharedDataMiddleware): - - - def init_api(ccname): -- """Initialize FreeIPA API from command line -+ """Initialize IPA API from command line - """ - from ipalib import __file__ as ipalib_file - from ipalib import api --- -2.21.1 - -From a8bc392551a963cb33e3e9748a771fd0f1201541 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:28:56 +0200 -Subject: [PATCH 74/78] ipaserver/dcerpc.py: Change branding to IPA and - Identity Management - ---- - ipaserver/dcerpc.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index 27d075425..8d3384f12 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -1483,7 +1483,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): - def communicate(td): - td.init_lsa_pipe(td.info['dc']) - netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) -- # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call -+ # Older IPA versions used netr_DsrEnumerateDomainTrusts call - # but it doesn't provide information about non-domain UPNs associated - # with the forest, thus we have to use netr_DsRGetForestTrustInformation - domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], None, 0) --- -2.21.1 - -From 8bcae9d325453cae61cbc18b9114e9ba8b716993 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner 
<twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:29:21 +0200 -Subject: [PATCH 75/78] ipaserver/install/ipa_cert_fix.py: Change branding to - IPA and Identity Management - ---- - ipaserver/install/ipa_cert_fix.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py -index 6b952d34f..e79d7ddc4 100644 ---- a/ipaserver/install/ipa_cert_fix.py -+++ b/ipaserver/install/ipa_cert_fix.py -@@ -45,7 +45,7 @@ msg = """ - WARNING - - ipa-cert-fix is intended for recovery when expired certificates --prevent the normal operation of FreeIPA. It should ONLY be used -+prevent the normal operation of IPA. It should ONLY be used - in such scenarios, and backup of the system, especially certificates - and keys, is STRONGLY RECOMMENDED. - --- -2.21.1 - -From 8e3fb91139f51439164b38003cf0917af137158d Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:29:43 +0200 -Subject: [PATCH 76/78] ipaserver/plugins/config.py: Change branding to IPA and - Identity Management - ---- - ipaserver/plugins/config.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index e96e51971..ace66e589 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -462,7 +462,7 @@ class config(LDAPObject): - - known_domains = self.gather_trusted_domains() - -- # add FreeIPA domain to the list of domains. This one is always enabled -+ # add IPA domain to the list of domains. 
This one is always enabled - known_domains.update({self.api.env.domain: True}) - - for domain in submitted_domains: --- -2.21.1 - -From 65a663bd7fb5559316f1a8e5f04e0d4827bfb0b6 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:30:01 +0200 -Subject: [PATCH 77/78] ipaserver/plugins/certprofile.py: Change branding to - IPA and Identity Management - ---- - ipaserver/plugins/certprofile.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py -index 6e2e91dc6..03fbe4d3e 100644 ---- a/ipaserver/plugins/certprofile.py -+++ b/ipaserver/plugins/certprofile.py -@@ -57,7 +57,7 @@ PROFILE CONFIGURATION FORMAT: - The profile configuration format is the raw property-list format - used by Dogtag Certificate System. The XML format is not supported. - --The following restrictions apply to profiles managed by FreeIPA: -+The following restrictions apply to profiles managed by IPA: - - - When importing a profile the "profileId" field, if present, must - match the ID given on the command line. --- -2.21.1 - -From 0801d5ad45d4fa9b64e0bfb4152af658ead0e514 Mon Sep 17 00:00:00 2001 -From: Thomas Woerner <twoerner@redhat.com> -Date: Fri, 3 Apr 2020 14:30:20 +0200 -Subject: [PATCH 78/78] doc/designs/adtrust/samba-domain-member.md: Change - branding to IPA and Identity Management - ---- - doc/designs/adtrust/samba-domain-member.md | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/doc/designs/adtrust/samba-domain-member.md b/doc/designs/adtrust/samba-domain-member.md -index 95e3c014c..83e84ddb8 100644 ---- a/doc/designs/adtrust/samba-domain-member.md -+++ b/doc/designs/adtrust/samba-domain-member.md -@@ -46,11 +46,11 @@ performing a remote authentication using Kerberos, a remote system has to - present a Kerberos ticket to the domain member's SMB service, like with any - other Kerberos services. 
- --To operate as a domain member in a FreeIPA domain, thus, Samba needs a FreeIPA --master to be configured as a domain controller and a FreeIPA client needs to be -+To operate as a domain member in a IPA domain, thus, Samba needs a IPA -+master to be configured as a domain controller and a IPA client needs to be - configured in a specific way to allow Samba to talk to a domain controller. - This document overviews a set of implementation tasks to achieve the domain --member operation. Most of these tasks are related to FreeIPA components but -+member operation. Most of these tasks are related to IPA components but - some of changes required do belong to Samba itself. - - ## Domain member configuration overview -@@ -102,16 +102,16 @@ password rotation. - - The knowledge of the machine account password is recorded in a special - database, `secrets.tdb`, during the process of a machine join to the domain. --For FreeIPA client the join process is different from the one Samba uses for -+For IPA client the join process is different from the one Samba uses for - Active Directory, thus we need to seed the machine account password separately --to enrolling FreeIPA client. Note that FreeIPA machine enrollment does not -+to enrolling IPA client. Note that IPA machine enrollment does not - allow to share clear text machine account password as it is not recorded - anywhere. - - ## Domain controller side configuration overview - - See [samba-domain-controller] for the details of how Samba domain controller is --set up and configured in FreeIPA. -+set up and configured in IPA. - - ## Changes required on domain member - --- -2.21.1 +2.28.0 diff --git a/SOURCES/1002-4.8.0-Remove-csrgen.patch b/SOURCES/1002-4.8.0-Remove-csrgen.patch index 8b7e374..e6ba316 100644 --- a/SOURCES/1002-4.8.0-Remove-csrgen.patch +++ b/SOURCES/1002-4.8.0-Remove-csrgen.patch 
@@ -100,23 +100,23 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl delete mode 100644 ipatests/test_ipaclient/test_csrgen.py -diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in ---- freeipa-4.8.0/freeipa.spec.in 2019-06-29 10:01:30.458735813 +0200 -+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in 2019-07-03 13:24:38.471222723 +0200 -@@ -1247,13 +1247,6 @@ - %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* - %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py - %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* --%dir %{python3_sitelib}/ipaclient/csrgen --%dir %{python3_sitelib}/ipaclient/csrgen/profiles --%{python3_sitelib}/ipaclient/csrgen/profiles/*.json --%dir %{python3_sitelib}/ipaclient/csrgen/rules --%{python3_sitelib}/ipaclient/csrgen/rules/*.json --%dir %{python3_sitelib}/ipaclient/csrgen/templates --%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl - %{python3_sitelib}/ipaclient-*.egg-info - - +#diff -urN freeipa-4.8.0/freeipa.spec.in freeipa-4.8.0.removed_csrgen/freeipa.spec.in +#--- freeipa-4.8.0/freeipa.spec.in 2019-06-29 10:01:30.458735813 +0200 +#+++ freeipa-4.8.0.removed_csrgen/freeipa.spec.in 2019-07-03 13:24:38.471222723 +0200 +#@@ -1247,13 +1247,6 @@ +# %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* +# %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py +# %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +#-%dir %{python3_sitelib}/ipaclient/csrgen +#-%dir %{python3_sitelib}/ipaclient/csrgen/profiles +#-%{python3_sitelib}/ipaclient/csrgen/profiles/*.json +#-%dir %{python3_sitelib}/ipaclient/csrgen/rules +#-%{python3_sitelib}/ipaclient/csrgen/rules/*.json +#-%dir %{python3_sitelib}/ipaclient/csrgen/templates +#-%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl +# %{python3_sitelib}/ipaclient-*.egg-info +# +# diff -urN 
freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json --- freeipa-4.8.0/ipaclient/csrgen/profiles/caIPAserviceCert.json 2019-07-03 08:42:41.844539797 +0200 +++ freeipa-4.8.0.removed_csrgen/ipaclient/csrgen/profiles/caIPAserviceCert.json 1970-01-01 01:00:00.000000000 +0100 diff --git a/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch b/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch index 981d18c..1c9c5b8 100644 --- a/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch +++ b/SOURCES/1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -35,19 +35,19 @@ This reverts commit d986e844bbd37ccc7a532175631a55acd315cda3. # - systemd # - 389-ds-base-dev # - libssl-dev -diff --git a/freeipa.spec.in b/freeipa.spec.in -index b6eb79593..a4682497a 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel - BuildRequires: libsss_certmap-devel - BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} - BuildRequires: nodejs(abi) --BuildRequires: python3-rjsmin -+BuildRequires: uglify-js - BuildRequires: libverto-devel - BuildRequires: libunistring-devel - # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 +#diff --git a/freeipa.spec.in b/freeipa.spec.in +#index b6eb79593..a4682497a 100755 +#--- a/freeipa.spec.in +#+++ b/freeipa.spec.in +#@@ -191,7 +191,7 @@ BuildRequires: libsss_idmap-devel +# BuildRequires: libsss_certmap-devel +# BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} +# BuildRequires: nodejs(abi) +#-BuildRequires: python3-rjsmin +#+BuildRequires: uglify-js +# BuildRequires: libverto-devel +# BuildRequires: libunistring-devel +# # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 diff --git a/install/ui/build/freeipa/Makefile.am b/install/ui/build/freeipa/Makefile.am index f4d97819e..05e82f4da 100644 
--- a/install/ui/build/freeipa/Makefile.am 
@@ -98,37 +98,37 @@ index 2c4e0ecac..0772532d4 100644 -Full Dojo license is in LICENSE file. +Full Dojo license is in LICENSE file. \ No newline at end of file -diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh -index 1516b815f..d14f90ab0 100755 ---- a/install/ui/util/compile.sh -+++ b/install/ui/util/compile.sh -@@ -26,14 +26,14 @@ RDIR=$DIR/../release - usage() { - cat <<-__EOF__; - NAME -- compile.sh - Compiles layer file of Dojo build using Python rjsmin. -+ compile.sh - Compiles layer file of Dojo build using uglify.js. - Deletes all other files. - - SYNOPSIS - path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME - - DESCRIPTION -- Compiles layer file of Dojo build output using Python rjsmin. -+ Compiles layer file of Dojo build output using uglify.js. - Deletes all other files. - - OPTIONS -@@ -105,7 +105,7 @@ if [[ ! $OUTPUT_FILE ]] ; then - OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js - fi - --# compile using python rjsmin -+# compile using uglifyjs - echo "Minimizing: $RDIR/$RELEASE/$LAYER.js" - echo "Target file: $OUTPUT_FILE" --${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE -+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE --- -2.26.2 +#diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh +#index 1516b815f..d14f90ab0 100755 +#--- a/install/ui/util/compile.sh +#+++ b/install/ui/util/compile.sh +#@@ -26,14 +26,14 @@ RDIR=$DIR/../release +# usage() { +# cat <<-__EOF__; +# NAME +#- compile.sh - Compiles layer file of Dojo build using Python rjsmin. +#+ compile.sh - Compiles layer file of Dojo build using uglify.js. +# Deletes all other files. +# +# SYNOPSIS +# path/to/compile.sh [--help] --release RELEASE --layer NAME/NAME +# +# DESCRIPTION +#- Compiles layer file of Dojo build output using Python rjsmin. +#+ Compiles layer file of Dojo build output using uglify.js. +# Deletes all other files. +# +# OPTIONS +#@@ -105,7 +105,7 @@ if [[ ! 
$OUTPUT_FILE ]] ; then +# OUTPUT_FILE=$RDIR/$RELEASE/$LAYER.js +# fi +# +#-# compile using python rjsmin +#+# compile using uglifyjs +# echo "Minimizing: $RDIR/$RELEASE/$LAYER.js" +# echo "Target file: $OUTPUT_FILE" +#-${PYTHON:-python3} -m rjsmin < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE +#+uglifyjs $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE +#-- +#2.26.2 diff --git a/SOURCES/freeipa-4.8.7.tar.gz.asc b/SOURCES/freeipa-4.8.7.tar.gz.asc deleted file mode 100644 index 0dae99e..0000000 --- a/SOURCES/freeipa-4.8.7.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl7hNhYACgkQRxniuKu/ -Yhq2rxAAnK8YHbQtivjssWz6BBRiU5TKootA3fSqfvbhACYG14629/Dpc5IIkYZ1 -0AE4CUFA7Oi92emFbxrLJyeSuxuzTxSVmydJ5HW/OTkRRSnmjL5oeBg2D++B9OaO -qVAXRZbi5YNfW5y//9BIRzCGw0RHpbR/QjZ1ipDymky6nr5IS+EhfZ0iHeEyiNXd -OP3OJv538HSvRrv3mJvz52pKVfegw1OTd8yUnmuPEc9ClQfPQHjXqsOeFYCbR8fg -59y0twMMrOc2J4eL0OkNE/By+o+1vAMUwEs736sCdbJJPigerfuK0e7ZxP+x98BP -bmIBxv7eUf20Rn3An7+vTqQP60V4tS+FOnc2LD3OpHH4vy34ovWZfYZWVKbg0z1+ -5E/0TWifhlibbRZctDaxkZfFVchQnixHnO0Awv8wNxRzh/XvvsTPz1zJXk5kHk3r -Ws2/GbeWTiJLe8sIXJz0MNTayWLnsDJG6BCRf+K0HwCdL80p4TG71dTwa9PW5HEy -UklxW/zfr+chS1AszNgb8wJa6WtDHfQnktJwSSj7CkD3JdUVx+L/cJiOfbCM+WUi -BRzhVhNUDX/FkpGUyvC4AYXX+wcwHph9BDChUDqcG886aIK28TAsie3Vwz/F7hKP -TYpF1+YIImcRfUQ737pnbHL12o5yzfhkBfD2GMsojEd0x71B3PY= -=B33Z ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.0rc3.tar.gz.asc b/SOURCES/freeipa-4.9.0rc3.tar.gz.asc new file mode 100644 index 0000000..a53a7fa --- /dev/null +++ b/SOURCES/freeipa-4.9.0rc3.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl/SSecACgkQRxniuKu/ +YhrlPQ//a+dJrg29AsJIYlLbFqcR3IEtCtt7H2Mr6TJ2xWWg1oLTJhQslrf82YeN +WznHHj09cHV1Ga0kGJmg+KhudpC7OFviUvxrz69+N3j6/+39OeWvOAEUQgCphZ7G +/UnBTxW2Fhf8zklFf+vT7phcE0YemY4GNjyYJqni4/9uua0Q8pJJQTy30Yw6UrDL +pXHjTVXgQv7Ryf/LWEMOaHKUGiZCsL59Chrp5uaefzIat8pHG2xnf1Ah6tUwG4Fs +rf4QfgUW7Q2nwrAmZKzPvp3wQVFZZ5CiklSO9hfRwZ9De1wIdlUD66cmcE2TeJla +7DpsfQPSCrghwmvPYpeJcwG2DrPoz3i1j14BQ//LqhAmsvJy5iFg3+tF1YcNYqnP +neGK3/6QeUvKKe5H7VGMAA4N4YDMri8a8/QKgqG1lWf+X7x8d2lwlib2JNpNnN7N +TlVTRWhKRvQyBn23uSdcLXdaVdU4Z++7yhHcveyGGDVtElFWeSV83d3ekVZ4rsoq +stv7S2Ay8D6pH7fVd2aXA9i+r12BCF3Lmrikc+g+aAuJV5K3GwoCBwgWLCs0WXru +Q67j99HZ4R+A4cNMZ8+VAUIzZT7S62aHX75lGgw/e3CvGoiIEosa01YdXiP+DT6V +JFH5PnuKStu8LqrFpICgHFrFKQAHopKO9JVINGHwQB426xycwaM= +=0OcN +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index ba9d77e..db3673a 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -1,12 +1,24 @@ +# ipatests enabled by default, can be disabled with --without ipatests +%bcond_without ipatests +# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml +# On RHEL 8 we should use --with ipa_join_xml +%bcond_without ipa_join_xml + +# Linting is disabled by default, needed for upstream testing +%bcond_with lint + +# Build documentation with sphinx +%bcond_with doc + +# Build Python wheels +%bcond_with wheels + # 389-ds-base 1.4 no longer supports i686 platform, build only client # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 -%if 0%{?fedora} >= 28 || 0%{?rhel} > 7 - %ifarch %{ix86} - %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} - %endif +%ifarch %{ix86} + %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} %endif - # Define ONLY_CLIENT to only make the ipa-client and ipa-python # subpackages %{!?ONLY_CLIENT:%global ONLY_CLIENT 0} 
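Review bot: The comment added above `%bcond_without ipa_join_xml` contradicts the macro it documents. It says the default is not to use XML-RPC and that `--with ipa_join_xml` turns it on, but `%bcond_without` enables the feature by default and only `--without ipa_join_xml` switches it off. The text reads as if it was written for `%bcond_with`. I would reword it to match the behaviour, for example `# ipa-join uses XML-RPC by default here, can be disabled with --without ipa_join_xml`.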
@@ -16,37 +28,27 @@ %global enable_server_option --enable-server %endif -# Build ipatests -%if 0%{?rhel} +%if %{ONLY_CLIENT} %global with_ipatests 0 %endif -%if ! %{ONLY_CLIENT} - %{!?with_ipatests:%global with_ipatests 1} -%endif -%if 0%{?with_ipatests} + +# Whether to build ipatests +%if %{with ipatests} %global with_ipatests_option --with-ipatests %else %global with_ipatests_option --without-ipatests %endif -# Python 2/3 packages and default Python interpreter -%if 0%{?rhel} > 7 - %global with_default_python 3 -%endif - -%if 0%{?fedora} >= 29 - # F29 only supports Python 3 as default Python - %global with_default_python 3 +# Whether to use XML-RPC with ipa-join +%if %{with ipa_join_xml} + %global with_ipa_join_xml_option --with-ipa-join-xml +%else + %global with_ipa_join_xml_option --without-ipa-join-xml %endif -%{!?with_default_python:%global with_default_python 3} - -%global with_python3 1 -%global python %{__python3} - # lint is not executed during rpmbuild # %%global with_lint 1 -%if 0%{?with_lint} +%if %{with lint} %global linter_options --enable-pylint --with-jslint %else %global linter_options --disable-pylint --without-jslint 
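Review bot: `%global with_ipatests 0` inside the new `%if %{ONLY_CLIENT}` block does not switch ipatests off for the `%if %{with ipatests}` test that follows it. `%{with ipatests}` only checks whether `with_ipatests` is defined, not what it is set to, and `%bcond_without ipatests` has already defined it. A client-only build therefore still selects `--with-ipatests`, whereas the removed `%if 0%{?with_ipatests}` form did honour the value 0. Replacing the assignment with `%undefine with_ipatests` restores the intended result. Any later `%{with ipatests}` test outside this hunk would be affected in the same way.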
@@ -68,43 +70,45 @@ %global python_netaddr_version 0.7.19 # Require 4.7.0 which brings Python 3 bindings %global samba_version 4.12.3-12 -%global slapi_nis_version 0.56.4 -# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files -# SELinux context for /etc/named directory, RHBZ#1759495 %global selinux_policy_version 3.14.3-52 -%global slapi_nis_version 0.56.1-4 +%global slapi_nis_version 0.56.4 %global python_ldap_version 3.1.0-1 # python3-lib389 # Fix for "Installation fails: Replica Busy" # https://pagure.io/389-ds-base/issue/49818 %global ds_version 1.4.2.4-6 -%global httpd_version 2.4.6-31 +# Fix for TLS 1.3 PHA, RHBZ#1775158 +%global httpd_version 2.4.37-21 +%global bind_version 9.11.20-6 %else # Fedora %global package_name freeipa %global alt_name ipa -# Fix for CVE-2018-20217 -%global krb5_version 1.17-17 -%global krb5_kdb_version 7.0 +# Fix for CVE-2020-28196 +%global krb5_version 1.18.2-29 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings # Require 4.12 which has DsRGetForestTrustInformation access rights fixes -#global samba_version 2:4.12 -%global samba_version 2:4.9.0 -# SELinux context for /etc/named directory, RHBZ#1759495 -#global selinux_policy_version 3.14.3-52 -%global selinux_policy_version 3.14.3-41 -#global slapi_nis_version 0.56.4 -%global slapi_nis_version 0.56.3 +%global samba_version 2:4.12.10 + +# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface +%global selinux_policy_version 3.14.5-45 +%global slapi_nis_version 0.56.5 + +%global krb5_kdb_version 8.0 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 %global python_ldap_version 3.1.0-1 -# Fix for create suffix -# https://pagure.io/389-ds-base/issue/49984 -%global ds_version 1.4.1.1 +# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry +# https://pagure.io/freeipa/issue/8515 +%global ds_version 1.4.3 + +# Fix for TLS 1.3 PHA, 
RHBZ#1775146 +%global httpd_version 2.4.41-9 +%global bind_version 9.11.24-1 # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. # Some packages don't provide new dist aliases. # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ @@ -112,26 +116,45 @@ # Fedora %endif +# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 +# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) +%if 0%{?fedora} || 0%{?rhel} >= 9 + %global openssl_pkcs11_version 0.4.10-6 + %global softhsm_version 2.5.0-4 +%else + %global with_bind_pkcs11 1 +%endif + +%if 0%{?rhel} == 8 # PKIConnection has been modified to always validate certs. # https://pagure.io/freeipa/issue/8379 %global pki_version 10.9.0-0.4 +%else +# New KRA profile, ACME support +# https://pagure.io/freeipa/issue/8545 +%global pki_version 10.10.0-2 +%endif -# https://pagure.io/certmonger/issue/90 +# RHEL 8.3+, F32+ has 0.79.13 %global certmonger_version 0.79.7-3 -# NSS release with fix for p11-kit-proxy issue, affects F28 -# https://pagure.io/freeipa/issue/7810 -%if 0%{?fedora} == 28 -%global nss_version 3.41.0-3 -%else +# RHEL 8.2+, F32+ has 3.58 %global nss_version 3.44.0-4 -%endif -%global sssd_version 2.2.3-11 +# RHEL 8.3+, F32+ +%global sssd_version 2.4.0 -%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') +%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) %global kdcproxy_version 0.4-3 +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +# systemd with resolved enabled +# see https://pagure.io/freeipa/issue/8275 +%global systemd_version 246.6-3 +%else +%global systemd_version 239 +%endif + %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa 
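Review bot: The `|| echo %krb5_version` fallback in the new `krb5_base_version` definition produces a different kind of value than the normal path. The `grep -Eo` trims the pkgconf output to major.minor, but when pkgconf or krb5.pc is missing (for instance while the spec is parsed before BuildRequires are installed) the fallback prints the full `%krb5_version`, including patch level and release. Passing the fallback through the same filter keeps the macro stable, something like `%((/usr/bin/pkgconf --modversion krb5 || echo %krb5_version) | LC_ALL=C grep -Eo '^[^.]+\.[^.]+')`. The macro is used by `Requires(post): krb5-server >= %{krb5_base_version}` in the `@@ -353,7 +392,8 @@` hunk. The line above it already requires `>= %{krb5_version}`, so that new requirement looks redundant as written.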
@@ -140,22 +163,29 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.8.7 +%define IPA_VERSION 4.9.0 +# Release candidate version -- uncomment with one percent for RC versions +%global rc_version rc3 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser %endif +%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") + Name: %{package_name} Version: %{IPA_VERSION} -Release: 12%{?dist} +Release: 0.5%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ URL: http://www.freeipa.org/ -Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz -Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc +Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz +# Only use detached signature for the distribution builds. If it is a developer build, skip it +%if %{NON_DEVELOPER_BUILD} +Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc +%endif # RHEL spec file only: START: Change branding to IPA and Identity Management # Moved branding logos and background to redhat-logos-ipa-80.4: 
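Review bot: `Source1` carries the detached signature, but nothing in this hunk verifies it against `Source0`, and the new `%if %{NON_DEVELOPER_BUILD}` guard drops it entirely for developer builds. The `%prep` section is outside this hunk, so verification may already happen there. If it does not, I would add the upstream release keyring as another `Source` entry and call `%{gpgverify --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'}` at the top of `%prep` where that macro is available (source numbering illustrative, plus `BuildRequires: gnupg2`). Without that step the `.asc` file travels with the SRPM but does not stop a substituted tarball from being built. `URL:` also still uses `http://`; `https://www.freeipa.org/` would be the better link.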
@@ -164,31 +194,14 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as # RHEL spec file only: END: Change branding to IPA and Identity Management # RHEL spec file only: START -Patch0001: 0001-WebUI-Fix-IPA-Error-3007-RequirmentError-while-addin_rhbz#1757045.patch -Patch0002: 0002-EPN-does-not-ship-its-default-configuration_rhbz#1847999.patch -Patch0003: 0003-Use-256-bit-AJP-secret_rhbz#1849914.patch -Patch0004: 0004-baseuser-fix-ipanthomedirectorydrive-option-name_rhbz#1851411.patch -Patch0005: 0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch -Patch0006: 0006-fix-iPAddress-cert-issuance-for-1-host-service_rhbz#1846352.patch -Patch0007: 0007-Specify-cert_paths-when-calling-PKIConnection_rhbz#1849155.patch -Patch0008: 0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch -Patch0009: 0009-ipa-client-install-use-the-authselect-backup-during_rhbz#1810179.patch -Patch0010: 0010-Replace-SSLCertVerificationError-with-CertificateErr_rhbz#1858318.patch -Patch0011: 0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch -Patch0012: 0012-CAless-installation-set-the-perms-on-KDC-cert-file_rhbz#1863616.patch -Patch0013: 0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1866938.patch -Patch0014: 0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch -Patch0015: 0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch -Patch0016: 0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch -Patch0017: 0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch -Patch0018: 0018-dogtaginstance.py-add-debug-to-pkispawn_rhbz#1879604.patch -Patch0019: 0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch -Patch0020: 0020-SELinux-do-not-double-define-node_t-and-pki_tomcat_c_rhbz#1870202.patch +%if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD} Patch1001: 
1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch +%endif # RHEL spec file only: END + # For the timestamp trick in patch application BuildRequires: diffstat @@ -198,20 +211,29 @@ BuildRequires: openldap-devel # DAL version change may cause code crash or memory leaks, it is better to fail early. BuildRequires: krb5-kdb-version = %{krb5_kdb_version} BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} +BuildRequires: krb5-devel >= %{krb5_version} +BuildRequires: pkgconfig(krb5) +%if %{with ipa_join_xml} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 +%else +BuildRequires: libcurl-devel +BuildRequires: jansson-devel +%endif BuildRequires: popt-devel BuildRequires: gcc BuildRequires: make BuildRequires: pkgconfig +BuildRequires: pkgconf BuildRequires: autoconf BuildRequires: automake +BuildRequires: make BuildRequires: libtool BuildRequires: gettext BuildRequires: gettext-devel BuildRequires: python3-devel BuildRequires: python3-setuptools -BuildRequires: systemd +BuildRequires: systemd >= %{systemd_version} # systemd-tmpfiles which is executed from make install requires apache user BuildRequires: httpd BuildRequires: nspr-devel 
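Review bot: `BuildRequires: make` is added a second time in the `@@ -198,20 +211,29 @@` hunk, directly after `BuildRequires: automake`, although the unchanged line a few entries above already lists it. One of the two can be dropped. The new `BuildRequires: pkgconf` next to the existing `BuildRequires: pkgconfig` would benefit from a one-line comment such as `# /usr/bin/pkgconf is called when krb5_base_version is computed`, otherwise it reads like another duplicate.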
@@ -224,17 +246,23 @@ BuildRequires: samba-devel >= %{samba_version} BuildRequires: libtalloc-devel BuildRequires: libtevent-devel BuildRequires: libuuid-devel +BuildRequires: libpwquality-devel BuildRequires: libsss_idmap-devel BuildRequires: libsss_certmap-devel -# 1.15.3: sss_nss_getlistbycert (https://pagure.io/SSSD/sssd/issue/3050) BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} -BuildRequires: nodejs +BuildRequires: nodejs(abi) +# use old dependency on RHEL 8 for now +%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 +BuildRequires: python3-rjsmin +%else BuildRequires: uglify-js +%endif BuildRequires: libverto-devel BuildRequires: libunistring-devel # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 # 0.13.0-2: fix for missing dependency on python-six BuildRequires: python3-lesscpy >= 0.13.0-2 +BuildRequires: cracklib-dicts # ONLY_CLIENT %endif @@ -249,11 +277,12 @@ BuildRequires: python3-netaddr >= %{python_netaddr_version} BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-six +BuildRequires: python3-psutil # # Build dependencies for wheel packaging and PyPI upload # -%if 0%{?with_wheels} +%if %{with wheels} BuildRequires: dbus-glib-devel BuildRequires: libffi-devel BuildRequires: python3-tox @@ -266,14 +295,22 @@ BuildRequires: python3-wheel # with_wheels %endif +%if %{with doc} +BuildRequires: python3-sphinx +BuildRequires: python3-m2r +%endif + # # Build dependencies for lint and fastcheck # -%if 0%{?with_lint} +%if %{with lint} +BuildRequires: git BuildRequires: jsl +BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm +BuildRequires: keyutils BuildRequires: python3-augeas BuildRequires: python3-cffi BuildRequires: python3-cryptography >= 1.6 
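Review bot: The `%else` branch keeps `BuildRequires: uglify-js` for RHEL 8, which may no longer match what the build script calls. This commit also comments out the `install/ui/util/compile.sh` section of `1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch`, so the script presumably keeps its `python3 -m rjsmin` invocation there. If the WebUI layer is minified during the RPM build, RHEL 8 would then need `python3-rjsmin` instead of `uglify-js`. Separately, Patch1003 is applied only under `0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}` while this condition looks at the distribution alone, so the two can disagree on developer builds. I would key both on the same condition and say so in the comment, e.g. `# must match the condition that applies Patch1003`.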
@@ -281,6 +318,7 @@ BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dateutil BuildRequires: python3-dbus BuildRequires: python3-dns >= 1.15 +BuildRequires: python3-docker BuildRequires: python3-gssapi >= 1.2.0 BuildRequires: python3-jinja2 BuildRequires: python3-jwcrypto >= 0.4.2 @@ -298,7 +336,7 @@ BuildRequires: python3-polib BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-pycodestyle -%if 0%{?fedora} >= 29 +%if 0%{?fedora} || 0%{?rhel} > 8 # https://bugzilla.redhat.com/show_bug.cgi?id=1648299 BuildRequires: python3-pylint >= 2.1.1-2 %else @@ -313,6 +351,7 @@ BuildRequires: python3-sss BuildRequires: python3-sss-murmur BuildRequires: python3-sssdconfig >= %{sssd_version} BuildRequires: python3-systemd +BuildRequires: python3-yaml BuildRequires: python3-yubico # with_lint %endif @@ -328,7 +367,7 @@ BuildRequires: krb5-server >= %{krb5_version} %endif # Build dependencies for SELinux policy -%if 0%{?with_selinux} +%if %{with selinux} BuildRequires: selinux-policy-devel >= %{selinux_policy_version} %endif @@ -353,7 +392,8 @@ Requires: 389-ds-base >= %{ds_version} Requires: openldap-clients > 2.4.35-4 Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} -Requires(post): krb5-kdb-version = %{krb5_kdb_version} +Requires(post): krb5-server >= %{krb5_base_version} +Requires: krb5-kdb-version = %{krb5_kdb_version} Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony 
@@ -369,17 +409,19 @@ Requires: mod_session >= %{httpd_version} # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3 Requires: mod_lookup_identity >= 0.9.9 Requires: acl -Requires: systemd-units >= 38 +Requires: systemd-units >= %{systemd_version} +Requires(pre): systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} Requires(pre): shadow-utils -Requires(pre): systemd-units -Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} Requires: pki-ca >= %{pki_version} Requires: pki-kra >= %{pki_version} -Requires(preun): systemd-units -Requires(postun): systemd-units +# pki-acme package was split out in pki-10.10.0 +Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0) Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= %{certmonger_version} @@ -395,6 +437,8 @@ Requires: oddjob # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} +Requires: libpwquality +Requires: cracklib-dicts Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -412,8 +456,10 @@ Obsoletes: %{name}-server <= 4.2.0 Conflicts: nss-pam-ldapd < 0.8.4 # RHEL spec file only: START: Do not build tests +%if 0%{?rhel} == 8 # ipa-tests subpackage was moved to separate srpm Conflicts: ipa-tests < 3.3.3-9 +%endif # RHEL spec file only: END: Do not build tests %description server 
@@ -444,7 +490,14 @@ Requires: python3-lxml Requires: python3-pki >= %{pki_version} Requires: python3-pyasn1 >= 0.3.2-2 Requires: python3-sssdconfig >= %{sssd_version} +Requires: python3-psutil Requires: rpm-libs +# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support +%if 0%{?rhel} +Requires: python3-urllib3 >= 1.24.2-3 +%else +Requires: python3-urllib3 >= 1.25.7 +%endif %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -460,9 +513,9 @@ Summary: Common files used by IPA server BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} -Requires: systemd-units >= 38 +Requires: systemd-units >= %{systemd_version} Requires: custodia >= 0.3.1 -%if 0%{?rhel} > 7 +%if 0%{?rhel} >= 8 Requires: redhat-logos-ipa >= 80.4 %endif @@ -484,11 +537,18 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing BuildArch: noarch Requires: %{name}-server = %{version}-%{release} Requires: bind-dyndb-ldap >= 11.2-2 -Requires: bind >= 9.11.0-6.P2 -Requires: bind-utils >= 9.11.0-6.P2 -Requires: bind-pkcs11 >= 9.11.0-6.P2 -Requires: bind-pkcs11-utils >= 9.11.0-6.P2 -Requires: opendnssec >= 1.4.6-4 +Requires: bind >= %{bind_version} +Requires: bind-utils >= %{bind_version} +%if %{with bind_pkcs11} +Requires: bind-pkcs11 >= %{bind_version} +Requires: bind-pkcs11-utils >= %{bind_version} +%else +Requires: softhsm >= %{softhsm_version} +Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +%endif +# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812 +# RHEL 8.3+ and Fedora 32+ have 2.1 +Requires: opendnssec >= 2.1.6-5 %{?systemd_requires} Provides: %{alt_name}-server-dns = %{version} 
@@ -511,8 +571,9 @@ Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap +%if 0%{?rhel} Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 - +%endif Requires(post): python3 Requires: python3-samba Requires: python3-libsss_nss_idmap @@ -553,9 +614,14 @@ Requires: krb5-workstation >= %{krb5_version} Requires: authselect >= 0.4-2 Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service +# All Fedora 28+ and RHEL8+ contain the service in hostname package Requires: hostname Requires: libcurl >= 7.21.7-2 +%if %{with ipa_join_xml} Requires: xmlrpc-c >= 1.27.4 +%else +Requires: jansson +%endif Requires: sssd-ipa >= %{sssd_version} Requires: certmonger >= %{certmonger_version} Requires: nss-tools >= %{nss_version} @@ -579,8 +645,10 @@ Obsoletes: %{alt_name}-admintools < 4.4.1 Obsoletes: %{name}-admintools < 4.4.1 Provides: %{name}-admintools = %{version}-%{release} +%if 0%{?rhel} == 8 # Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module Conflicts: crypto-policies < 20200629-1 +%endif %description client IPA is an integrated solution to provide centrally managed Identity (users, @@ -609,16 +677,18 @@ Requires: cifs-utils This package provides command-line tools to deploy Samba domain member on the machine enrolled into a FreeIPA environment -%if ! %{ONLY_CLIENT} %package client-epn Summary: Tools to configure Expiring Password Notification in IPA Group: System Environment/Base Requires: %{name}-client = %{version}-%{release} +Requires: systemd-units >= %{systemd_version} +Requires(post): systemd-units >= %{systemd_version} +Requires(preun): systemd-units >= %{systemd_version} +Requires(postun): systemd-units >= %{systemd_version} %description client-epn This package provides a service to collect and send expiring password notifications via email (SMTP). -%endif %package -n python3-ipaclient Summary: Python libraries used by IPA client 
@@ -630,7 +700,6 @@ Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas Requires: python3-dns >= 1.15 Requires: python3-jinja2 -# RHEL spec file only: DELETED: Remove csrgen %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -641,7 +710,6 @@ and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. - %package client-common Summary: Common files used by IPA client BuildArch: noarch @@ -649,6 +717,12 @@ BuildArch: noarch Provides: %{alt_name}-client-common = %{version} Conflicts: %{alt_name}-client-common Obsoletes: %{alt_name}-client-common < %{version} +# python2-ipa* packages are no longer available in 4.8. +Obsoletes: python2-ipaclient < 4.8.0-1 +Obsoletes: python2-ipalib < 4.8.0-1 +Obsoletes: python2-ipaserver < 4.8.0-1 +Obsoletes: python2-ipatests < 4.8.0-1 + %description client-common IPA is an integrated solution to provide centrally managed Identity (users, @@ -744,11 +818,11 @@ Obsoletes: %{alt_name}-common < %{version} Conflicts: %{alt_name}-python < %{version} -%if 0%{?with_selinux} +%if %{with selinux} # This ensures that the *-selinux package and all it’s dependencies are not # pulled into containers and other systems that do not use SELinux. The # policy defines types and file contexts for client and server. -Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %endif %description common @@ -760,7 +834,7 @@ and integration with Active Directory based infrastructures (Trusts). If you are using IPA, you need to install this package. -%if 0%{?with_ipatests} +%if %{with ipatests} %package -n python3-ipatests Summary: IPA tests and test tools 
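Review bot: In the `@@ -744,11 +818,11 @@` hunk, the rich dependency inside `%if %{with selinux}` loses its version pin. `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` is satisfied by any installed build of the selinux subpackage, so after a partial update the policy module and the binaries it confines can be at different versions. The changelog entry removed later in this diff ("Require selinux sub package in the proper version", RHBZ#1868432) suggests the pin was added on purpose. Unless the 4.9.0-0.3.rc2 change needs it gone, I would keep `Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})` and add a comment recording the reason for whichever form is chosen.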
@@ -769,18 +843,25 @@ BuildArch: noarch Requires: python3-ipaclient = %{version}-%{release} Requires: python3-ipaserver = %{version}-%{release} Requires: iptables -Requires: ldns-utils Requires: python3-coverage Requires: python3-cryptography >= 1.6 +%if 0%{?fedora} +# These packages do not exist on RHEL and for ipatests use +# they are installed on the controller through other means +Requires: ldns-utils Requires: python3-polib Requires: python3-pytest >= 3.9.1 Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder +Requires: sshpass +%endif Requires: python3-sssdconfig >= %{sssd_version} Requires: tar Requires: xz Requires: openssh-clients -Requires: sshpass +%if 0%{?rhel} +AutoReqProv: no +%endif %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, @@ -790,11 +871,11 @@ features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This package contains tests that verify IPA functionality under Python 3. -# with_ipatests +# with ipatests %endif -%if 0%{?with_selinux} +%if %{with selinux} # SELinux subpackage %package selinux Summary: FreeIPA SELinux policy @@ -805,12 +886,11 @@ Requires(post): selinux-policy-%{selinuxtype} %description selinux Custom SELinux policy module for FreeIPA -# with_selinux +# with selinux %endif %prep -# RHEL spec file only: START # Update timestamps on the files touched by a patch, to avoid non-equal # .pyc/.pyo files across the multilib peers within a build, where "Level" # is the patch prefix option (e.g. -p1) @@ -826,9 +906,7 @@ UpdateTimestamps() { done } -%setup -n freeipa-%{version} -q - -# RHEL spec file only: START +%setup -n freeipa-%{version}%{?rc_version} -q # To allow proper application patches to the stripped po files, strip originals pushd po 
@@ -843,28 +921,17 @@ for p in %patches ; do UpdateTimestamps -p1 $p done -# RHEL spec file only: END - -# RHEL spec file only: START -# Moved branding logos and background to redhat-logos-ipa-80.4: -# header-logo.png, login-screen-background.jpg, login-screen-logo.png, -# product-name.png -# RHEL spec file only: END - %build -# RHEL spec file only: START -autoreconf -i -f -# RHEL spec file only: END - # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH export PYTHON=%{__python3} +autoreconf -ivf %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{with_ipa_join_xml_option} \ + %{linter_options} # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 
@@ -884,18 +951,29 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} # All files and directories created by spec install should be marked as ghost. # (These are typically configuration files created by IPA installer.) # All other artifacts should be created by make install. -# -%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p" - -# default installation -# This installs all Python packages twice and overrides the ipa-test -# commands. We'll fix the command links later with ln --force. %make_install +# don't package ipasphinx for now +rm -rf %{buildroot}%{python3_sitelib}/ipasphinx* + +%if %{with ipatests} +mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} +mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} +ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 +ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 +ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests +ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config +ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task +# with_ipatests +%endif + # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; +%if 0%{?rhel} # RHEL spec file only: START # Moved branding logos and background to redhat-logos-ipa-80.4: # header-logo.png, login-screen-background.jpg, login-screen-logo.png, 
@@ -904,6 +982,7 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png +%endif # RHEL spec file only: END %find_lang %{gettext_domain} @@ -955,18 +1034,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d # ONLY_CLIENT %endif -%if %{ONLY_CLIENT} -# Remove ipa-epn parts as we don't have ipa-epn systemd integration generated -# for client-only build -rm %{buildroot}/%{_sbindir}/ipa-epn -rm %{buildroot}/%{_sysconfdir}/ipa/epn.conf -rm -rf %{buildroot}/%{_sysconfdir}/ipa/epn -rm %{buildroot}/%{_mandir}/man1/ipa-epn.1* -rm %{buildroot}/%{_mandir}/man5/epn.conf.5* -rm %{buildroot}/%{_unitdir}/ipa-epn.service -rm %{buildroot}/%{_unitdir}/ipa-epn.timer -%endif - %if ! %{ONLY_CLIENT} %post server @@ -983,7 +1050,7 @@ fi %posttrans server # don't execute upgrade and restart of IPA when server is not installed -%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # This is necessary for Fedora system upgrades which by default @@ -999,6 +1066,11 @@ if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then /bin/systemctl restart ipa.service >/dev/null fi + + /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1 + if [ $? -eq 1 ]; then + /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null + fi fi # END 
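Review bot: In the `@@ -999,6 +1066,11 @@` hunk, the added `/bin/systemctl enable ipa-ccache-sweep.timer>/dev/null` only enables the timer and does not start it. Unless something outside this hunk starts the unit, the credential-cache sweep will not run until the next boot. The `[ $? -eq 1 ]` test also fires for a timer that an administrator disabled deliberately, so each package update switches it back on. If activation on upgrade is the intent, `/bin/systemctl enable --now ipa-ccache-sweep.timer >/dev/null 2>&1 || :` does that, and a short comment should explain why the unit is force-enabled here. The `%posttrans server` scriptlet begins and ends outside this hunk.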
@@ -1062,7 +1134,7 @@ fi %posttrans server-trust-ad -%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 +%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then # NOTE: systemd specific section /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : @@ -1080,6 +1152,17 @@ fi # ONLY_CLIENT %endif +%preun client-epn +%systemd_preun ipa-epn.service +%systemd_preun ipa-epn.timer + +%postun client-epn +%systemd_postun ipa-epn.service +%systemd_postun ipa-epn.timer + +%post client-epn +%systemd_post ipa-epn.service +%systemd_post ipa-epn.timer %post client if [ $1 -gt 1 ] ; then @@ -1103,20 +1186,17 @@ if [ $1 -gt 1 ] ; then cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem fi - %{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 - fi - - if [ $restore -ge 2 ]; then - %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 - fi - - if [ $restore -ge 2 ]; then - sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 + %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" + fi fi fi -%if 0%{?with_selinux} +%if %{with selinux} # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux 
@@ -1138,7 +1218,7 @@ fi %endif -%triggerin client -- openssh-server +%triggerin client -- openssh-server < 8.2 # Has the client been configured? restore=0 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') 
@@ -1174,6 +1254,38 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then fi +%triggerin client -- openssh-server >= 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + # If the snippet already exists, skip + if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf + grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf + # Remove the values from sshd_conf + sed -ri ' + /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d + ' /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi + # If the snippet has been created, ensure that it is included + # either by /etc/ssh/sshd_config.d/*.conf or directly + if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + # Include the snippet + echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew + cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew + mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + fi + fi + fi +fi + + %if ! %{ONLY_CLIENT} %files server 
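Review bot: In the new `%triggerin client -- openssh-server >= 8.2` scriptlet, `systemctl condrestart sshd.service` runs inside the first `if`, after the IPA directives are deleted from `/etc/ssh/sshd_config` but before the second block ensures the snippet is included. Nothing restarts sshd once the `Include` line has been written. On a host whose sshd_config has no `Include /etc/ssh/sshd_config.d/*.conf` line, sshd would restart without `GSSAPIAuthentication`, `UsePAM`, `AuthorizedKeysCommand` and the other moved settings, and stay that way until some later restart. I would move `/bin/systemctl condrestart sshd.service 2>&1 || :` below the Include block so the restart sees the final configuration. Separately, `sshd_config.ipanew` is created by shell redirection and then moved over the original, so the replacement takes the scriptlet's umask-derived mode instead of the existing file's mode; running `chmod --reference=/etc/ssh/sshd_config /etc/ssh/sshd_config.ipanew` before the `mv` would preserve it.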
@@ -1202,14 +1314,11 @@ fi %{_sbindir}/ipa-pkinit-manage %{_sbindir}/ipa-crlgen-manage %{_sbindir}/ipa-cert-fix +%{_sbindir}/ipa-acme-manage %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %dir %{_libexecdir}/ipa -%dir %{_libexecdir}/ipa/custodia -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent +%{_libexecdir}/ipa/ipa-ccache-sweeper %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check %{_libexecdir}/ipa/ipa-httpd-kdcproxy @@ -1218,6 +1327,11 @@ fi %{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-otpd %{_libexecdir}/ipa/ipa-print-pac +%dir %{_libexecdir}/ipa/custodia +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent @@ -1229,6 +1343,8 @@ fi %attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa-otpd.socket %attr(644,root,root) %{_unitdir}/ipa-otpd@.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so 
@@ -1237,7 +1353,6 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_uuid.so %attr(755,root,root) %{plugin_dir}/libipa_modrdn.so %attr(755,root,root) %{plugin_dir}/libipa_lockout.so -%attr(755,root,root) %{plugin_dir}/libipa_cldap.so %attr(755,root,root) %{plugin_dir}/libipa_dns.so %attr(755,root,root) %{plugin_dir}/libipa_range_check.so %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so @@ -1270,6 +1385,7 @@ fi %{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1* %{_mandir}/man1/ipa-cert-fix.1* +%{_mandir}/man1/ipa-acme-manage.1* %files -n python3-ipaserver @@ -1294,6 +1410,7 @@ fi %{_usr}/share/ipa/kdcproxy.wsgi %{_usr}/share/ipa/ipaca*.ini %{_usr}/share/ipa/*.ldif +%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template %dir %{_usr}/share/ipa/advise @@ -1326,10 +1443,15 @@ fi %{_usr}/share/ipa/ui/js/freeipa/core.js %dir %{_usr}/share/ipa/ui/js/plugins %dir %{_usr}/share/ipa/ui/images +%if 0%{?rhel} %{_usr}/share/ipa/ui/images/facet-*.png # Moved branding logos and background to redhat-logos-ipa-80.4: # header-logo.png, login-screen-background.jpg, login-screen-logo.png, # product-name.png +%else +%{_usr}/share/ipa/ui/images/*.jpg +%{_usr}/share/ipa/ui/images/*.png +%endif %dir %{_usr}/share/ipa/wsgi %{_usr}/share/ipa/wsgi/plugins.py* %dir %{_sysconfdir}/ipa @@ -1387,6 +1509,8 @@ fi %{_sbindir}/ipa-adtrust-install %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%{_datadir}/ipa/ipa-cldap-conf.ldif %{_mandir}/man1/ipa-adtrust-install.1* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf @@ -1416,6 +1540,8 @@ fi %{_mandir}/man1/ipa-client-automount.1* %{_mandir}/man1/ipa-certupdate.1* %{_mandir}/man1/ipa-join.1* +%dir %{_libexecdir}/ipa/acme +%{_libexecdir}/ipa/acme/certbot-dns-ipa %files client-samba %doc README.md Contributors.txt 
@@ -1423,7 +1549,7 @@ fi %{_sbindir}/ipa-client-samba %{_mandir}/man1/ipa-client-samba.1* -%if ! %{ONLY_CLIENT} + %files client-epn %doc README.md Contributors.txt %dir %{_sysconfdir}/ipa/epn @@ -1435,7 +1561,7 @@ fi %attr(644,root,root) %{_unitdir}/ipa-epn.timer %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template -%endif + %files -n python3-ipaclient %doc README.md Contributors.txt @@ -1455,7 +1581,17 @@ fi %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +%if 0%{?rhel} # RHEL spec file only: DELETED: Remove csrgen +%else +%dir %{python3_sitelib}/ipaclient/csrgen +%dir %{python3_sitelib}/ipaclient/csrgen/profiles +%{python3_sitelib}/ipaclient/csrgen/profiles/*.json +%dir %{python3_sitelib}/ipaclient/csrgen/rules +%{python3_sitelib}/ipaclient/csrgen/rules/*.json +%dir %{python3_sitelib}/ipaclient/csrgen/templates +%{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl +%endif %{python3_sitelib}/ipaclient-*.egg-info @@ -1493,7 +1629,7 @@ fi %doc README.md Contributors.txt %license COPYING %dir %{_usr}/share/ipa - +%dir %{_libexecdir}/ipa %files -n python3-ipalib %doc README.md Contributors.txt @@ -1507,7 +1643,7 @@ fi %{python3_sitelib}/ipaplatform-*.egg-info -%if 0%{?with_ipatests} +%if %{with ipatests} %files -n python3-ipatests @@ -1515,6 +1651,12 @@ fi %license COPYING %{python3_sitelib}/ipatests %{python3_sitelib}/ipatests-*.egg-info +%{_bindir}/ipa-run-tests-3 +%{_bindir}/ipa-test-config-3 +%{_bindir}/ipa-test-task-3 +%{_bindir}/ipa-run-tests-%{python3_version} +%{_bindir}/ipa-test-config-%{python3_version} +%{_bindir}/ipa-test-task-%{python3_version} %{_bindir}/ipa-run-tests %{_bindir}/ipa-test-config %{_bindir}/ipa-test-task 
@@ -1522,28 +1664,84 @@ fi %{_mandir}/man1/ipa-test-config.1* %{_mandir}/man1/ipa-test-task.1* -# with_ipatests +# with ipatests %endif -%if 0%{?with_selinux} +%if %{with selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} -# with_selinux +# with selinux %endif %changelog -* Wed Sep 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-12 -- Require selinux sub package in the proper version - Related: RHBZ#1868432 -- SELinux: do not double-define node_t and pki_tomcat_cert_t - Related: RHBZ#1868432 -- SELinux: add dedicated policy for ipa-pki-retrieve-key + ipatests - Related: RHBZ#1868432 -- dogtaginstance.py: add --debug to pkispawn - Resolves: RHBZ#1879604 +* Fri Dec 11 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.5.rc3 +- Upstream pre release FreeIPA 4.9.0rc3 + Related: RHBZ#1891832 + +* Fri Dec 4 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2 +- Remove ipa-server dependency from ipa-selinux subpackage +- Related: RHBZ#1891832 + +* Fri Dec 4 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.2.rc2 +- Upstream pre release FreeIPA 4.9.0rc2 + Related: RHBZ#1891832 +- Synchronize spec file with upstream and Fedora + Related: RHBZ#1891832 +- Traceback while doing ipa-backup + Resolves: RHBZ#1901068 +- ipa-client-install changes system wide ssh configuration + Resolves: RRBZ#1544379 +- ipa-kdb: support subordinate/superior UPN suffixes + Resolves: RHBZ#1891056 +- KRA Transport and Storage Certificates do not renew + Resolves: RHBZ#1872603 +- Move where the restore state is marked during IPA server upgrade + Resolves: RHBZ#1569011 +- Intermittent IdM Client Registration Failures + Resolves: RHBZ#1812871 +- Nightly test failure in test_acme.py::TestACME::test_third_party_certs + (updates-testing) + Resolves: RHBZ#1903025 +- Add IPA RA Agent to ACME group on the CA + Resolves: RHBZ#1902727 + +* Mon Nov 23 2020 Thomas Woerner 
<twoerner@redhat.com> - 4.9.0-0.1.rc1 +- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub + package + Related: RHBZ#1891832 + +* Mon Nov 23 2020 Thomas Woerner <twoerner@redhat.com> - 4.9.0-0.rc1 +- Upstream pre release FreeIPA 4.9.0rc1 + Resolves: RHBZ#1891832 +- Requirements and design for libpwquality integration + Resolves: RHBZ#1340463 +- When parsing options require name/value pairs + Resolves: RHBZ#1357495 +- WebUI: Fix issue with opening links in new tab/window + Resolves: RHBZ#1484088 +- Use a state to determine if a 389-ds upgrade is in progress + Resolves: RHBZ#1569011 +- Unlock user accounts after a password reset and replicate that unlock to + all IdM servers + Resolves: RHBZ#1784657 +- Set the certmonger subject with a string, not an object + Resolves: RHBZ#1810148 +- Implement ACME certificate enrolment + Resolves: RHBZ#1851835 +- [WebUI] Backport jQuery patches from newer versions of the library (e.g. + 3.5.0) + Resolves: RHBZ#1859249 +- It is not possible to edit KDC database when the FreeIPA server is running + Resolves: RHBZ#1875001 +- Fix nsslapd-db-lock tuning of BDB backend + Resolves: RHBZ#1882340 +- ipa-kdb: support subordinate/superior UPN suffixes + Resolves: RHBZ#1891056 +- wgi/plugins.py: ignore empty plugin directories + Resolves: RHBZ#1894800 * Thu Sep 10 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.7-11 - SELinux Policy: let custodia replicate keys