diff --git a/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch b/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
new file mode 100644
index 0000000..2bb8cdd
--- /dev/null
+++ b/SOURCES/0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
@@ -0,0 +1,54 @@
+From b2cb212a12982cb6c9901ae0e71198c49e915258 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 14 Dec 2018 14:02:26 +0200
+Subject: [PATCH] ipa-sidgen: make internal fetch_attr helper really internal
+
+With 389-ds landing a change for
+https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
+is exposed in slapi-plugin.h. However, in order to be able to build
+FreeIPA plugins against older 389-ds versions, prefer using a local
+variant of it.
+
+Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
+conflict at all.
+
+Fixes: https://pagure.io/freeipa/issue/7811
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+index 9e474e83dd0e1bfc52b2e2da3fda12420d2ea281..007b1c945d0e37c4061f6a33cfdd667c45118c99 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+@@ -63,7 +63,7 @@ struct worker_ctx {
+ struct range_info **ranges;
+ };
+
+-static const char *fetch_attr(Slapi_Entry *e, const char *attrname,
++static const char *ipa_sidgen_fetch_attr(Slapi_Entry *e, const char *attrname,
+ const char *default_val)
+ {
+ Slapi_Attr *attr;
+@@ -242,7 +242,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
+
+ worker_ctx->plugin_id = global_sidgen_plugin_id;
+
+- str = fetch_attr(e, "delay", NULL);
++ str = ipa_sidgen_fetch_attr(e, "delay", NULL);
+ if (str != NULL) {
+ errno = 0;
+ worker_ctx->delay = strtol(str, &endptr, 10);
+@@ -255,7 +255,7 @@ int sidgen_task_add(Slapi_PBlock *pb, Slapi_Entry *e,
+ }
+ LOG("delay is [%li].\n", worker_ctx->delay);
+
+- str = fetch_attr(e, "nsslapd-basedn", NULL);
++ str = ipa_sidgen_fetch_attr(e, "nsslapd-basedn", NULL);
+ if (str == NULL) {
+ LOG_FATAL("Missing nsslapd-basedn!\n");
+ *returncode = LDAP_CONSTRAINT_VIOLATION;
+--
+2.20.1
+
diff --git a/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch b/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch
new file mode 100644
index 0000000..ff6ff8a
--- /dev/null
+++ b/SOURCES/0058-replica-installation-add-master-record-only-if-in-ma.patch
@@ -0,0 +1,61 @@
+From 0ed1632ac9f659734f9397c21d0b2de3c2c2d895 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 15 Jan 2019 17:53:55 +0100
+Subject: [PATCH] replica installation: add master record only if in managed
+ zone
+
+Scenario: install a replica with DNS, whose IP address is part of a
+forward zone.
+Currently, the replica installation fails because the installer is
+trying to add a A/AAAA record for the replica in the zone
+when setting up the bind instance, and addition of records in a
+forward zone is forbidden.
+
+The bind installer should check if the IP address is in a master zone
+(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
+creating the record if it's not the case.
+
+During uninstallation, perform the same check before removing the
+DNS record (if in a forward zone, no need to call dnsrecord-del).
+Fixes: https://pagure.io/freeipa/issue/7369
+Reviewed-By: Francois Cami <fcami@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipaserver/install/bindinstance.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 7c858aab4417ccf3a4999fcaaa1c7e0f93464e4d..3b03e536117677f0f073fc1f06a28ebab0cfe006 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -844,10 +844,13 @@ class BindInstance(service.Service):
+
+ # Add forward and reverse records to self
+ for addr in addrs:
+- try:
++ # Check first if the zone is a master zone
++ # (if it is a forward zone, dns_zone_exists will return False)
++ if dns_zone_exists(zone, api=self.api):
+ add_fwd_rr(zone, host, addr, self.api)
+- except errors.NotFound:
+- pass
++ else:
++ logger.debug("Skip adding record %s to a zone %s "
++ "not managed by IPA", addr, zone)
+
+ reverse_zone = find_reverse_zone(addr, self.api)
+ if reverse_zone:
+@@ -1063,6 +1066,10 @@ class BindInstance(service.Service):
+ self.fqdn = fqdn
+ self.domain = domain_name
+
++ if not dns_zone_exists(zone, api=self.api):
++ # Zone may be a forward zone, skip update
++ return
++
+ areclist = get_fwd_rr(zone, host, api=self.api)
+ for rdata in areclist:
+ del_fwd_rr(zone, host, rdata, api=self.api)
+--
+2.20.1
+
diff --git a/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch b/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch
new file mode 100644
index 0000000..1a49fcb
--- /dev/null
+++ b/SOURCES/0059-ipatests-add-test-for-replica-in-forward-zone.patch
@@ -0,0 +1,130 @@
+From 8e5149c36651eaded5d06a32fd94e78fc2e3dcb0 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 17 Jan 2019 11:10:52 +0100
+Subject: [PATCH] ipatests: add test for replica in forward zone
+
+Scenario:
+install a replica with DNS, with the replica part of a forward zone.
+The replica installation should proceed successfully and avoid
+trying to add a DNS record for the replica in the forward zone,
+as the forward zone is not managed by IPA DNS.
+
+Test added to nightly definitions.
+
+Related to https://pagure.io/freeipa/issue/7369
+
+Reviewed-By: Francois Cami <fcami@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ .../test_replica_promotion.py | 98 +++++++++++++++++++
+ 1 file changed, 98 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 7fdc12dc4a4269772c77ff543239be49c46d199a..c635d932bc92ed8c0a147379718933aabaae0f16 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -644,3 +644,101 @@ class TestSubCAkeyReplication(IntegrationTest):
+ ssl_cmd = ['openssl', 'x509', '-text', '-in', TEST_CRT_FILE]
+ ssl = replica.run_command(ssl_cmd)
+ assert 'Issuer: CN = {}'.format(self.SUBCA) in ssl.stdout_text
++
++
++def update_etc_hosts(host, ip, old_hostname, new_hostname):
++ '''Adds or update /etc/hosts
++
++ If /etc/hosts contains an entry for old_hostname, replace it with
++ new_hostname.
++ If /etc/hosts did not contain the entry, create one for new_hostname with
++ the provided ip.
++ The function makes a backup in /etc/hosts.sav
++
++ :param host the machine on which /etc/hosts needs to be update_dns_records
++ :param ip the ip address for the new record
++ :param old_hostname the hostname to replace
++ :param new_hostname the new hostname to put in /etc/hosts
++ '''
++ # Make a backup
++ host.run_command(['/usr/bin/cp',
++ paths.HOSTS,
++ '%s.sav' % paths.HOSTS])
++ contents = host.get_file_contents(paths.HOSTS, encoding='utf-8')
++ # If /etc/hosts already contains old_hostname, simply replace
++ pattern = r'^(.*\s){}(\s)'.format(old_hostname)
++ new_contents, mods = re.subn(pattern, r'\1{}\2'.format(new_hostname),
++ contents, flags=re.MULTILINE)
++ # If it didn't contain any entry for old_hostname, just add new_hostname
++ if mods == 0:
++ short = new_hostname.split(".", 1)[0]
++ new_contents = new_contents + "\n{}\t{} {}\n".format(ip,
++ new_hostname,
++ short)
++ host.put_file_contents(paths.HOSTS, new_contents)
++
++
++def restore_etc_hosts(host):
++ '''Restores /etc/hosts.sav into /etc/hosts
++ '''
++ host.run_command(['/usr/bin/mv',
++ '%s.sav' % paths.HOSTS,
++ paths.HOSTS],
++ raiseonerr=False)
++
++
++class TestReplicaInForwardZone(IntegrationTest):
++ """
++ Pagure Reference: https://pagure.io/freeipa/issue/7369
++
++ Scenario: install a replica whose name is in a forwarded zone
++ """
++
++ forwardzone = 'forward.test'
++ num_replicas = 1
++
++ @classmethod
++ def install(cls, mh):
++ tasks.install_master(cls.master, setup_dns=True)
++
++ def test_replica_install_in_forward_zone(self):
++ master = self.master
++ replica = self.replicas[0]
++
++ # Create a forward zone on the master
++ master.run_command(['ipa', 'dnsforwardzone-add', self.forwardzone,
++ '--skip-overlap-check',
++ '--forwarder', master.config.dns_forwarder])
++
++ # Configure the client with a name in the forwardzone
++ r_shortname = replica.hostname.split(".", 1)[0]
++ r_new_hostname = '{}.{}'.format(r_shortname,
++ self.forwardzone)
++
++ # Update /etc/hosts on the master with an entry for the replica
++ # otherwise replica conncheck would fail
++ update_etc_hosts(master, replica.ip, replica.hostname,
++ r_new_hostname)
++ # Remove the replica previous hostname from /etc/hosts
++ # and add the replica new hostname
++ # otherwise replica install will complain because
++ # hostname does not match
++ update_etc_hosts(replica, replica.ip, replica.hostname,
++ r_new_hostname)
++
++ try:
++ # install client with a hostname in the forward zone
++ tasks.install_client(self.master, replica,
++ extra_args=['--hostname', r_new_hostname])
++
++ replica.run_command(['ipa-replica-install',
++ '--principal', replica.config.admin_name,
++ '--admin-password',
++ replica.config.admin_password,
++ '--setup-dns',
++ '--forwarder', master.config.dns_forwarder,
++ '-U'])
++ finally:
++ # Restore /etc/hosts on master and replica
++ restore_etc_hosts(master)
++ restore_etc_hosts(replica)
+--
+2.20.1
+
diff --git a/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch b/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch
new file mode 100644
index 0000000..af4a5cd
--- /dev/null
+++ b/SOURCES/0060-Add-workaround-for-slow-host-service-del.patch
@@ -0,0 +1,50 @@
+From c63b6cbe536987d3e1818542a2f8530e44948812 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 25 Jan 2019 16:12:11 +0100
+Subject: [PATCH] Add workaround for slow host/service del
+
+host-del and service-del are slow because cert revokation is implemented
+inefficiently. The internal cert_find() call retrieves all certificates
+from Dogtag.
+
+The workaround special cases service and host find without additional RA
+search options. A search for service and host certs limits the scope to
+certificate with matching subject common name.
+
+See: https://pagure.io/freeipa/issue/7835
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/cert.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index ed78388c8b8b4688873a5b047fb1b67e417a8a6d..b6a132ffdb27b4d7b1f761c4bee835f46c5d9721 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -1470,6 +1470,22 @@ class cert_find(Search, CertMethod):
+ result = collections.OrderedDict()
+ complete = bool(ra_options)
+
++ # workaround for RHBZ#1669012
++ # Improve performance for service and host case by also searching
++ # for subject. This limits the amount of certificate retrieved from
++ # Dogtag. The special case is only used, when no ra_options are set
++ # and exactly one service or host is supplied.
++ # The complete flag is left to False.
++ if not ra_options:
++ services = options.get('service', ())
++ hosts = options.get('host', ())
++ if len(services) == 1 and not hosts:
++ principal = kerberos.Principal(options['service'][0])
++ if principal.is_service:
++ ra_options['subject'] = principal.hostname
++ elif len(hosts) == 1 and not services:
++ ra_options['subject'] = options['host'][0]
++
+ try:
+ ca_enabled_check(self.api)
+ except errors.NotFound:
+--
+2.20.1
+
diff --git a/SOURCES/0061-Optimize-cert-remove-case.patch b/SOURCES/0061-Optimize-cert-remove-case.patch
new file mode 100644
index 0000000..b642e25
--- /dev/null
+++ b/SOURCES/0061-Optimize-cert-remove-case.patch
@@ -0,0 +1,70 @@
+From 964a4d858e7f30e62691e6e0a1abdcd55cc68405 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 25 Jan 2019 16:18:59 +0100
+Subject: [PATCH] Optimize cert remove case
+
+The cert_remove and mod subcommands for service and host now pass in the
+name to cert_find() to benefit from special cases.
+
+See: https://pagure.io/freeipa/issue/7835
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/host.py | 8 ++++++--
+ ipaserver/plugins/service.py | 7 +++++--
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index 306105d67a58fd4343933349db70a1d786eaa4b2..c74a3e58f8af6b33e284ba54b5763a684d91bac3 100644
+--- a/ipaserver/plugins/host.py
++++ b/ipaserver/plugins/host.py
+@@ -899,7 +899,9 @@ class host_mod(LDAPUpdate):
+ old_certs = entry_attrs_old.get('usercertificate', [])
+ removed_certs = set(old_certs) - set(certs)
+ for cert in removed_certs:
+- rm_certs = api.Command.cert_find(certificate=cert)['result']
++ rm_certs = api.Command.cert_find(
++ certificate=cert,
++ host=keys)['result']
+ revoke_certs(rm_certs)
+
+ if certs:
+@@ -1335,7 +1337,9 @@ class host_remove_cert(LDAPRemoveAttributeViaOption):
+ assert isinstance(dn, DN)
+
+ for cert in options.get('usercertificate', []):
+- revoke_certs(api.Command.cert_find(certificate=cert)['result'])
++ revoke_certs(api.Command.cert_find(
++ certificate=cert,
++ host=keys)['result'])
+
+ return dn
+
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index be31f810275214eb28a3f6b7ed9e6dc8ec808ae0..d176adddff8d2590d64ba4059018606ff1eb8d48 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -703,7 +703,8 @@ class service_mod(LDAPUpdate):
+ removed_certs = set(old_certs) - set(certs)
+ for cert in removed_certs:
+ rm_certs = api.Command.cert_find(
+- certificate=cert.public_bytes(x509.Encoding.DER))['result']
++ certificate=cert.public_bytes(x509.Encoding.DER),
++ service=keys)['result']
+ revoke_certs(rm_certs)
+
+ if certs:
+@@ -983,7 +984,9 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
+ assert isinstance(dn, DN)
+
+ for cert in options.get('usercertificate', []):
+- revoke_certs(api.Command.cert_find(certificate=cert)['result'])
++ revoke_certs(api.Command.cert_find(
++ certificate=cert,
++ service=keys)['result'])
+
+ return dn
+
+--
+2.20.1
+
diff --git a/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch b/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
new file mode 100644
index 0000000..adc804c
--- /dev/null
+++ b/SOURCES/0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
@@ -0,0 +1,125 @@
+From 964d13237029e0568f56342917ae386746c0b281 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 1 Feb 2019 10:30:40 -0500
+Subject: [PATCH] Update mod_nss cipher list so there is overlap with a 4.x
+ master
+
+dogtag updated its cipher list, disabling a lot of ciphers, which
+causes an overlap problem with a RHEL 6.x IPA master.
+
+This update script adds the two available ciphers to the nss.conf
+so that creating a CA replica is possible.
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ contrib/copy-schema-to-ca-RHEL6.py | 79 ++++++++++++++++++++++++++++++
+ 1 file changed, 79 insertions(+)
+
+diff --git a/contrib/copy-schema-to-ca-RHEL6.py b/contrib/copy-schema-to-ca-RHEL6.py
+index 3ed16555e9a63867162b58fe99531db46e867a8b..2b866a52ba99f59db913a127f271c6da63a65b95 100755
+--- a/contrib/copy-schema-to-ca-RHEL6.py
++++ b/contrib/copy-schema-to-ca-RHEL6.py
+@@ -31,6 +31,12 @@ from ipaserver.install.dsinstance import DS_USER
+ from ipaserver.install.cainstance import PKI_USER
+ from ipapython import services
+
++# for mod_nss
++from ipaserver.install.httpinstance import NSS_CONF
++from ipaserver.install.httpinstance import HTTPInstance
++from ipaserver.install import installutils
++from ipapython import sysrestore
++
+ SERVERID = "PKI-IPA"
+ SCHEMA_FILENAMES = (
+ "60kerberos.ldif",
+@@ -100,6 +106,77 @@ def restart_pki_ds():
+ services.service('dirsrv').restart(SERVERID)
+
+
++# The ipa-3-0 set_directive() has very loose comparision of directive
++# which would cause multiple NSSCipherSuite to be added so provide
++# a custom function for it.
++def set_directive(filename, directive, value, quotes=True, separator=' '):
++ """Set a name/value pair directive in a configuration file.
++
++ A value of None means to drop the directive.
++
++ This has only been tested with nss.conf
++ """
++ valueset = False
++ st = os.stat(filename)
++ fd = open(filename)
++ newfile = []
++ for line in fd:
++ if line.lstrip().startswith(directive):
++ valueset = True
++ if value is not None:
++ if quotes:
++ newfile.append('%s%s"%s"\n' %
++ (directive, separator, value))
++ else:
++ newfile.append('%s%s%s\n' % (directive, separator, value))
++ else:
++ newfile.append(line)
++ fd.close()
++ if not valueset:
++ if value is not None:
++ if quotes:
++ newfile.append('%s%s"%s"\n' % (directive, separator, value))
++ else:
++ newfile.append('%s%s%s\n' % (directive, separator, value))
++
++ fd = open(filename, "w")
++ fd.write("".join(newfile))
++ fd.close()
++ os.chown(filename, st.st_uid, st.st_gid) # reset perms
++
++
++def update_mod_nss_cipher_suite():
++ add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
++ ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')
++
++ # Run through once to see if any of the new ciphers are there but
++ # disabled. If they are then enable them.
++ lciphers = ciphers.split(',')
++ new_ciphers = []
++ for cipher in lciphers:
++ for add in add_ciphers:
++ if cipher.endswith(add):
++ if cipher.startswith('-'):
++ cipher = '+%s' % add
++ new_ciphers.append(cipher)
++
++ # Run through again and add remaining ciphers as enabled.
++ for add in add_ciphers:
++ if add not in ciphers:
++ new_ciphers.append('+%s' % add)
++
++ ciphers = ','.join(new_ciphers)
++ set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
++ root_logger.info('Updated Apache cipher list')
++
++
++def restart_http():
++ root_logger.info('Restarting HTTP')
++ fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
++ http = HTTPInstance(fstore)
++ http.restart()
++
++
+ def main():
+ if os.getegid() != 0:
+ sys.exit("Must be root to run this script")
+@@ -110,6 +187,8 @@ def main():
+
+ add_ca_schema()
+ restart_pki_ds()
++ update_mod_nss_cipher_suite()
++ restart_http()
+
+ root_logger.info('Schema updated successfully')
+
+--
+2.20.1
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 59504d5..449fa3e 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -93,7 +93,7 @@
Name: ipa
Version: %{IPA_VERSION}
-Release: 10%{?dist}.2
+Release: 10%{?dist}.3
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -101,10 +101,10 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -165,6 +165,12 @@ Patch0053: 0053-ipatests-fix-TestUpgrade-test_double_encoded_cacert.patch
Patch0054: 0054-ipatest-add-test-for-ipa-pkinit-manage-enable-disabl.patch
Patch0055: 0055-PKINIT-fix-ipa-pkinit-manage-enable-disable.patch
Patch0056: 0056-replication-check-remote-ds-version-before-editing-a.patch
+Patch0057: 0057-ipa-sidgen-make-internal-fetch_attr-helper-really-in.patch
+Patch0058: 0058-replica-installation-add-master-record-only-if-in-ma.patch
+Patch0059: 0059-ipatests-add-test-for-replica-in-forward-zone.patch
+Patch0060: 0060-Add-workaround-for-slow-host-service-del.patch
+Patch0061: 0061-Optimize-cert-remove-case.patch
+Patch0062: 0062-Update-mod_nss-cipher-list-so-there-is-overlap-with-.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Package-copy-schema-to-ca.py.patch
Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -975,10 +981,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
%endif # with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1002,8 +1008,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
%make_build
@@ -1024,8 +1029,7 @@ find \
%configure --with-vendor-suffix=-%{release} \
%{enable_server_option} \
%{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
popd
%endif # with_python3
@@ -1741,8 +1745,17 @@ fi
%changelog
-* Tue Jan 29 2019 CentOS Sources <bugs@centos.org> - 4.6.4-10.el7.centos.2
-- Roll in CentOS Branding
+* Mon Feb 4 2019 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.3
+- Resolves: 1672343 pki spawn fails for IPA replica install from RHEL6 IPA master
+ - Update mod_nss cipher list so there is overlap with a 4.x master
+- Resolves: 1672342 Fix compile issue with new 389-ds
+ - ipa-sidgen: make internal fetch_attr helper really internal
+- Resolves: 1672176 host_del and host_disable fails, ra.find() search for every certificates instead of the host's certificate by subject
+ - Add workaround for slow host/service del
+ - Optimize cert remove case
+- Resolves: 1672238 The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain record
+ - replica installation: add master record only if in managed zone
+ - ipatests: add test for replica in forward zone
* Tue Dec 18 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.4-10.el7_6.2
- Resolves: 1659492 searching for ipa users by certificate fails