diff --git a/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
new file mode 100644
index 0000000..c853ae2
--- /dev/null
+++ b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
@@ -0,0 +1,65 @@
+From 036d6fbf3d2af9f805f28f03679afc6ae1c25282 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:57 +0100
+Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
+
+When ipa-server-install configures PKI, it provides a configuration file
+with the parameter pki_ajp_host set to ::1. This parameter is used to configure
+Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
+ <Connector port="8009"
+ protocol="AJP/1.3"
+ redirectPort="8443"
+ address="::1" />
+ie all requests to port 8009 are redirected to port 8443 on address ::1.
+
+If the /etc/hosts config file does not define ::1 for localhost, then AJP
+redirection fails and replica install is not able to request a certificate
+for the replica.
+
+Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
+redirection with "localhost", FreeIPA does not need any more to override
+this setting.
+The code now depends on pki 10.3.5-11 which provides the fix in the template
+and the upgrade.
+
+https://fedorahosted.org/freeipa/ticket/6575
+
+Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
+---
+ freeipa.spec.in | 4 ++--
+ ipaserver/install/cainstance.py | 4 ----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -159,8 +159,8 @@ Requires(post): systemd-units
+ Requires: selinux-policy >= %{selinux_policy_version}
+ Requires(post): selinux-policy-base >= %{selinux_policy_version}
+ Requires: slapi-nis >= %{slapi_nis_version}
+-Requires: pki-ca >= 10.3.4
+-Requires: pki-kra >= 10.3.4
++Requires: pki-ca >= 10.3.5-11
++Requires: pki-kra >= 10.3.5-11
+ Requires(preun): python systemd-units
+ Requires(postun): python systemd-units
+ Requires: zip
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+ config.set("CA", "pki_external_step_two", "True")
+
+- # PKI IPv6 Configuration
+- config.add_section("Tomcat")
+- config.set("Tomcat", "pki_ajp_host", "::1")
+-
+ # Generate configuration file
+ with open(cfg_file, "wb") as f:
+ config.write(f)
+--
+2.9.3
+
diff --git a/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
new file mode 100644
index 0000000..23c6c40
--- /dev/null
+++ b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
@@ -0,0 +1,27 @@
+From c9e05427f20f79a8304a9874ae6793a0b5f54987 Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf <tscherf@redhat.com>
+Date: Fri, 24 Feb 2017 11:53:46 +0100
+Subject: [PATCH] added ssl verification using IPA trust anchor
+
+https://fedorahosted.org/freeipa/ticket/6686
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipapython/secrets/client.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
+index d9cc7d0f5b066dfd8efba480feb5f271ed1ebe83..f2f14af694df4468b3eedaac0fc762787b62e623 100644
+--- a/ipapython/secrets/client.py
++++ b/ipapython/secrets/client.py
+@@ -94,6 +94,7 @@ class CustodiaClient(object):
+
+ # Perform request
+ r = requests.get(url, headers=headers,
++ verify=paths.IPA_CA_CRT,
+ params={'type': 'kem', 'value': request})
+ r.raise_for_status()
+ reply = r.json()
+--
+2.9.3
+
diff --git a/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
new file mode 100644
index 0000000..e8a7344
--- /dev/null
+++ b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@@ -0,0 +1,46 @@
+From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 13 Jan 2017 20:33:45 +1000
+Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
+
+CAs consist of a FreeIPA and a corresponding Dogtag object. When
+executing ca-del, ca-enable and ca-disable, changes are made to the
+Dogtag object. In the case of ca-del, the corresponding FreeIPA
+object is deleted after the Dogtag CA is deleted.
+
+These operations were not correctly authorised; the FreeIPA
+permissions are not checked before the Dogtag operations are
+executed. This allows any user to delete, enable or disable a
+lightweight CA (except the main IPA CA, for which there are
+additional check to prevent deletion or disablement).
+
+Add the proper authorisation checks to the ca-del, ca-enable and
+ca-disable commands.
+
+https://pagure.io/freeipa/issue/6713
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/plugins/ca.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
+index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
+--- a/ipaserver/plugins/ca.py
++++ b/ipaserver/plugins/ca.py
+@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
+ def pre_callback(self, ldap, dn, *keys, **options):
+ ca_enabled_check()
+
++ # ensure operator has permission to delete CA
++ # before contacting Dogtag
++ if not ldap.can_delete(dn):
++ raise errors.ACIError(info=_(
++ "Insufficient privilege to delete a CA."))
++
+ if keys[0] == IPA_CA_CN:
+ raise errors.ProtectedEntryError(
+ label=_("CA"),
+--
+2.9.3
+
diff --git a/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
new file mode 100644
index 0000000..16257b5
--- /dev/null
+++ b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
@@ -0,0 +1,129 @@
+From e5311fbfd5ad83671c61473d7acf4ddaf157e994 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 23 Feb 2017 13:04:19 +0000
+Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord`
+
+The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
+were incorrectly defined as `Str` instead of `Any`.
+
+https://fedorahosted.org/freeipa/ticket/6647
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaclient/remote_plugins/2_114/batch.py | 2 +-
+ ipaclient/remote_plugins/2_114/dns.py | 2 +-
+ ipaclient/remote_plugins/2_156/batch.py | 2 +-
+ ipaclient/remote_plugins/2_156/dns.py | 2 +-
+ ipaclient/remote_plugins/2_164/batch.py | 2 +-
+ ipaclient/remote_plugins/2_164/dns.py | 2 +-
+ ipaclient/remote_plugins/2_49/batch.py | 2 +-
+ ipaclient/remote_plugins/2_49/dns.py | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_114/batch.py
++++ b/ipaclient/remote_plugins/2_114/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
+index 5d91dbcb37fcb42cb67ab76a1871fd3df6217cf8..acb8a658204fb18b088766f947f82839f053cbf3 100644
+--- a/ipaclient/remote_plugins/2_114/dns.py
++++ b/ipaclient/remote_plugins/2_114/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_156/batch.py
++++ b/ipaclient/remote_plugins/2_156/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
+index 39a0b269533481bcb5b193ad8a463a48146e5275..bbfaa9fd0fb2b582430a5c85761af206d53884f9 100644
+--- a/ipaclient/remote_plugins/2_156/dns.py
++++ b/ipaclient/remote_plugins/2_156/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_164/batch.py
++++ b/ipaclient/remote_plugins/2_164/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
+index b07a94f1942e3913d6d169b61d84a3b3db268671..244be87f32db6664e5264038b97bc53b704ff166 100644
+--- a/ipaclient/remote_plugins/2_164/dns.py
++++ b/ipaclient/remote_plugins/2_164/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
+index a1f351d332d56c959bf8632cb218de8540f45005..67e5978e634b71735c1940086a80943d967ff1f6 100644
+--- a/ipaclient/remote_plugins/2_49/batch.py
++++ b/ipaclient/remote_plugins/2_49/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
+index 07cef75c2a97c07a77a9ffa3997ec6fa431e3151..4b543a2c2539f7b67467b0a38ab8013a1ebe0840 100644
+--- a/ipaclient/remote_plugins/2_49/dns.py
++++ b/ipaclient/remote_plugins/2_49/dns.py
+@@ -256,7 +256,7 @@ class dnsrecord(Object):
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+--
+2.9.3
+
diff --git a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
deleted file mode 100644
index aed3a5a..0000000
--- a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Fri, 13 Jan 2017 20:33:45 +1000
-Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
-
-CAs consist of a FreeIPA and a corresponding Dogtag object. When
-executing ca-del, ca-enable and ca-disable, changes are made to the
-Dogtag object. In the case of ca-del, the corresponding FreeIPA
-object is deleted after the Dogtag CA is deleted.
-
-These operations were not correctly authorised; the FreeIPA
-permissions are not checked before the Dogtag operations are
-executed. This allows any user to delete, enable or disable a
-lightweight CA (except the main IPA CA, for which there are
-additional check to prevent deletion or disablement).
-
-Add the proper authorisation checks to the ca-del, ca-enable and
-ca-disable commands.
----
- ipaserver/plugins/ca.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
-index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
---- a/ipaserver/plugins/ca.py
-+++ b/ipaserver/plugins/ca.py
-@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
- def pre_callback(self, ldap, dn, *keys, **options):
- ca_enabled_check()
-
-+ # ensure operator has permission to delete CA
-+ # before contacting Dogtag
-+ if not ldap.can_delete(dn):
-+ raise errors.ACIError(info=_(
-+ "Insufficient privilege to delete a CA."))
-+
- if keys[0] == IPA_CA_CN:
- raise errors.ProtectedEntryError(
- label=_("CA"),
---
-2.9.3
-
diff --git a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
deleted file mode 100644
index 1838e70..0000000
--- a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 12 Jan 2017 18:17:15 +0100
-Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
-
-When ipa-server-install configures PKI, it provides a configuration file
-with the parameter pki_ajp_host set to ::1. This parameter is used to configure
-Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
- <Connector port="8009"
- protocol="AJP/1.3"
- redirectPort="8443"
- address="::1" />
-ie all requests to port 8009 are redirected to port 8443 on address ::1.
-
-If the /etc/hosts config file does not define ::1 for localhost, then AJP
-redirection fails and replica install is not able to request a certificate
-for the replica.
-
-Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
-redirection with "localhost", FreeIPA does not need any more to override
-this setting.
-
-https://fedorahosted.org/freeipa/ticket/6575
-
-Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
----
- freeipa.spec.in | 4 ++--
- ipaserver/install/cainstance.py | 4 ----
- 2 files changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -159,8 +159,8 @@ Requires(post): systemd-units
- Requires: selinux-policy >= %{selinux_policy_version}
- Requires(post): selinux-policy-base >= %{selinux_policy_version}
- Requires: slapi-nis >= %{slapi_nis_version}
--Requires: pki-ca >= 10.3.4
--Requires: pki-kra >= 10.3.4
-+Requires: pki-ca >= 10.3.5-11
-+Requires: pki-kra >= 10.3.5-11
- Requires(preun): python systemd-units
- Requires(postun): python systemd-units
- Requires: zip
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
- config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
- config.set("CA", "pki_external_step_two", "True")
-
-- # PKI IPv6 Configuration
-- config.add_section("Tomcat")
-- config.set("Tomcat", "pki_ajp_host", "::1")
--
- # Generate configuration file
- with open(cfg_file, "wb") as f:
- config.write(f)
---
-2.9.3
-
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index daaa822..162d988 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name: ipa
Version: 4.4.0
-Release: 14%{?dist}.6
+Release: 14%{?dist}.7
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -51,10 +51,10 @@ License: GPLv3+
URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -215,6 +215,10 @@ Patch0153: 0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
Patch0154: 0154-wait_for_entry-use-only-DN-as-parameter.patch
Patch0155: 0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
Patch0156: 0156-Use-proper-logging-for-error-messages.patch
+Patch0157: 0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
+Patch0158: 0158-added-ssl-verification-using-IPA-trust-anchor.patch
+Patch0159: 0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+Patch0160: 0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002: 1002-Remove-pkinit-plugin.patch
@@ -226,9 +230,6 @@ Patch1007: 1007-Do-not-build-tests.patch
Patch1008: 1008-RCUE.patch
Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011: 1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
-Patch1012: 1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
-Patch1013: ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -808,10 +809,10 @@ for p in %patches ; do
done
# Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1547,8 +1548,13 @@ fi
%changelog
-* Thu Mar 02 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.6
-- Roll in CentOS Branding
+* Tue Mar 14 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.7
+- Resolves: #1429872 ipa-replica-install fails promotecustodia.create_replica
+ with cert errors (untrusted)
+ - added ssl verification using IPA trust anchor
+- Resolves: #1430674 batch param compatibility is incorrect
+ - compat: fix `Any` params in `batch` and `dnsrecord`
+- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
- Resolves: #1416488 replication race condition prevents IPA to install