diff --git a/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch b/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
new file mode 100644
index 0000000..e94b45c
--- /dev/null
+++ b/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
@@ -0,0 +1,59 @@
+From accc490a5f1db734c94e739d9b9638d44d60d21c Mon Sep 17 00:00:00 2001
+From: Aleksei Slaikovskii <aslaikov@redhat.com>
+Date: Mon, 23 Oct 2017 11:17:32 +0200
+Subject: [PATCH] Add a notice to restart ipa services after certs are
+ installed
+
+Adding notice for user to restart services after
+ipa-server-certinstall.
+
+https://pagure.io/freeipa/issue/7016
+
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ install/tools/man/ipa-server-certinstall.1  | 3 ++-
+ ipaserver/install/ipa_server_certinstall.py | 5 +++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
+index 35cd8c6c711119d7c782c6a89ac78b4894cec073..00fd03b6bc2184ec2bbc099fd9799551c07d2390 100644
+--- a/install/tools/man/ipa-server-certinstall.1
++++ b/install/tools/man/ipa-server-certinstall.1
+@@ -28,7 +28,8 @@ PKCS#12 is a file format used to safely transport SSL certificates and public/pr
+ 
+ They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
+ 
+-The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
++The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
++
+ .SH "OPTIONS"
+ .TP 
+ \fB\-d\fR, \fB\-\-dirsrv\fR
+diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
+index 9c8f6e81a802e1a87bab1fd15f729e10676fe3a3..ec283705a4038239ddf0c6bacaac200936ed04e8 100644
+--- a/ipaserver/install/ipa_server_certinstall.py
++++ b/ipaserver/install/ipa_server_certinstall.py
+@@ -17,6 +17,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
++from __future__ import print_function
+ 
+ import os
+ import os.path
+@@ -121,6 +122,10 @@ class ServerCertInstall(admintool.AdminTool):
+         if self.options.kdc:
+             self.install_kdc_cert()
+ 
++        print(
++            "Please restart ipa services after installing certificate "
++            "(ipactl restart)")
++
+         api.Backend.ldap2.disconnect()
+ 
+     def install_dirsrv_cert(self):
+-- 
+2.14.3
+
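Review bot: The restart notice added at the end of the install sequence is printed unconditionally, so it appears regardless of which of the dirsrv/http/kdc installs actually ran, and it recommends `ipactl restart`, which bounces every IPA service although only the service whose certificate changed needs a restart — the man-page hunk above already names the affected services individually. Consider building the message from the options that were given, e.g. collecting the names into a list and printing `"Please restart the %s service(s) to use the new certificate (ipactl restart <service> or ipactl restart)"`. Whether the tool rejects an invocation with none of the three options is decided outside this hunk, so treat the unconditional case as inferred. The enclosing run() method starts outside the hunk.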
diff --git a/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
new file mode 100644
index 0000000..0c0e1b7
--- /dev/null
+++ b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
@@ -0,0 +1,93 @@
+From 20ab0c731eea95327c8c2dc296461b612c6e98ae Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Wed, 21 Feb 2018 23:39:55 -0500
+Subject: [PATCH] Fix OTP validation in FIPS mode
+
+NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
+this, we encrypt the input key using an ephemeral key and then unwrap the
+encrypted key.
+
+https://pagure.io/freeipa/issue/7168
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++++++++++++++++++++++++++++++--
+ 1 file changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
+index 619bc63ab1bee99d71c2f0fb887809762107c94c..0c9de96d37183e597867b736d6324db60fa1b3bb 100644
+--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
++++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
+@@ -46,6 +46,7 @@
+ #include <time.h>
+ 
+ #include <nss.h>
++#include <blapit.h>
+ #include <pk11pub.h>
+ #include <hasht.h>
+ #include <prnetdb.h>
+@@ -66,6 +67,49 @@ static const struct {
+     { }
+ };
+ 
++static PK11SymKey *
++import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
++{
++    uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
++    uint8_t iv[AES_BLOCK_SIZE] = {};
++    SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
++    SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
++    PK11SymKey *ekey = NULL;
++    PK11SymKey *skey = NULL;
++
++    /* Try to import the key directly. */
++    skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
++                             CKA_SIGN, key, NULL);
++    if (skey)
++        return skey;
++
++    /* If we get here, we are probably in FIPS mode. Let's encrypt the key so
++     * that we can unseal it instead of loading it directly. */
++
++    /* Generate an ephemeral key. */
++    ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
++                                     AES_128_KEY_LENGTH, NULL,
++                                     CKF_ENCRYPT | CKF_UNWRAP,
++                                     PK11_ATTR_SESSION |
++                                     PK11_ATTR_PRIVATE |
++                                     PK11_ATTR_SENSITIVE, NULL);
++    if (!ekey)
++        goto egress;
++
++    /* Encrypt the input key. */
++    if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
++                     ctitem.len, key->data, key->len) != SECSuccess)
++        goto egress;
++
++    /* Unwrap the input key. */
++    skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
++                             &ctitem, mech, CKA_SIGN, key->len);
++
++egress:
++    PK11_FreeSymKey(ekey);
++    return skey;
++}
++
+ /*
+  * This code is mostly cargo-cult taken from here:
+  *   http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
+@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
+         }
+     }
+ 
+-    symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+-                               CKA_SIGN, key, NULL);
++    symkey = import_key(slot, mech, key);
+     if (symkey == NULL)
+         goto done;
+ 
+-- 
+2.14.3
+
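Review bot: The `egress:` label is reached with `ekey == NULL` when PK11_TokenKeyGenWithFlags fails, and `PK11_FreeSymKey(ekey)` is then called on NULL; unless that NSS routine tolerates a NULL argument (I do not believe it checks), this is a NULL dereference inside the directory server on the failure path, so guard it with `if (ekey) PK11_FreeSymKey(ekey);`. The all-zero IV in import_key is acceptable only because `ekey` is generated per call, created as a session/sensitive key and used exactly once for encrypt-then-unwrap; that reasoning belongs next to the `iv` declaration, e.g. `/* Zero IV is safe: ekey is single-use and never leaves this call. */`. The comment should also make clear that the wrap/unwrap satisfies the FIPS import policy rather than adding secrecy — the plaintext secret is still in `key->data` in this process. The `ct` VLA sized `(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE` matches the PKCS#7-padded output length exactly, so there is no overflow there.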
diff --git a/SOURCES/0040-Increase-the-default-token-key-size.patch b/SOURCES/0040-Increase-the-default-token-key-size.patch
new file mode 100644
index 0000000..77a44f8
--- /dev/null
+++ b/SOURCES/0040-Increase-the-default-token-key-size.patch
@@ -0,0 +1,34 @@
+From ab2eaf607dd3746dd239595315dbaaebade06320 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Thu, 22 Feb 2018 14:04:10 -0500
+Subject: [PATCH] Increase the default token key size
+
+The previous default token key size would fail in FIPS mode for the sha384
+and sha512 algorithms. With the updated key size, the default will work in
+all cases.
+
+https://pagure.io/freeipa/issue/7168
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/otptoken.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
+index c66f0980f0fc2ed49b4224be40a18ce528a6da7b..a6e423f949659d8157c8471d0fbc3ee8a299ac98 100644
+--- a/ipaserver/plugins/otptoken.py
++++ b/ipaserver/plugins/otptoken.py
+@@ -72,7 +72,7 @@ TOKEN_TYPES = {
+ }
+ 
+ # NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0
+-KEY_LENGTH = 20
++KEY_LENGTH = 35
+ 
+ class OTPTokenKey(Bytes):
+     """A binary password type specified in base32."""
+-- 
+2.14.3
+
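Review bot: The new value 35 is unexplained beyond the `% 5 == 0` base32 note; the commit message says 20 bytes failed in FIPS mode for sha384/sha512, which suggests the threshold is tied to the digest length of the strongest supported algorithm, but the constant should carry that reasoning so a later edit does not lower it again, e.g. `# 35 is the smallest multiple of 5 at or above the FIPS minimum HMAC key size for the sha512 token algorithm (pagure #7168)`. Presumably this constant only governs newly generated secrets, so tokens already provisioned with 20-byte keys are unaffected — token generation is outside this hunk, so confirm before relying on that.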
diff --git a/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
new file mode 100644
index 0000000..a8818c2
--- /dev/null
+++ b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
@@ -0,0 +1,86 @@
+From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Mon, 26 Feb 2018 09:48:22 -0500
+Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"
+
+This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
+
+OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
+traffic in a VPN.
+
+https://pagure.io/freeipa/issue/7168
+https://pagure.io/freeipa/issue/7243
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/baseuser.py |  3 ---
+ ipaserver/plugins/config.py   | 16 ----------------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -32,7 +32,6 @@ from .baseldap import (
+     add_missing_object_class)
+ from ipaserver.plugins.service import (
+    validate_certificate, validate_realm, normalize_principal)
+-from ipaserver.plugins.config import check_fips_auth_opts
+ from ipalib.request import context
+ from ipalib import _
+ from ipalib.constants import PATTERN_GROUPUSER_NAME
+@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):
+                             **options):
+         assert isinstance(dn, DN)
+         set_krbcanonicalname(entry_attrs)
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+         self.obj.convert_usercertificate_pre(entry_attrs)
+ 
+     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):
+         assert isinstance(dn, DN)
+         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+ 
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+         self.check_namelength(ldap, **options)
+ 
+         self.check_mail(entry_attrs)
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -85,20 +85,6 @@ EXAMPLES:
+ 
+ register = Registry()
+ 
+-
+-def check_fips_auth_opts(fips_mode, **options):
+-    """
+-    OTP and RADIUS are not allowed in FIPS mode since they use MD5
+-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+-    """
+-    if 'ipauserauthtype' in options and fips_mode:
+-        if ('otp' in options['ipauserauthtype'] or
+-                'radius' in options['ipauserauthtype']):
+-            raise errors.InvocationError(
+-                'OTP and RADIUS authentication in FIPS is '
+-                'not yet supported')
+-
+-
+ @register()
+ class config(LDAPObject):
+     """
+@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
+ 
+     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+         assert isinstance(dn, DN)
+-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+-
+         if 'ipadefaultprimarygroup' in entry_attrs:
+             group=entry_attrs['ipadefaultprimarygroup']
+             try:
+-- 
+2.14.3
+
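Review bot: Removing `check_fips_auth_opts` entirely drops the only signal to administrators that RADIUS in FIPS mode is non-compliant without external transport protection; the commit message itself says RADIUS is only compliant when "wrapped in a VPN", and the removed docstring records that the RADIUS path uses MD5, yet after this revert `ipauserauthtype=radius` is accepted silently. OTP is legitimately unblocked by the accompanying hotp.c fix, so the hard error is rightly gone for `otp`, but the `radius` branch would be better kept as a non-fatal warning in config_mod/baseuser (or at least a man-page note) rather than deleted. I cannot see from the hunk which messaging helper these plugins use, so the exact call is left to the author.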
diff --git a/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch b/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
new file mode 100644
index 0000000..4ee49e1
--- /dev/null
+++ b/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
@@ -0,0 +1,59 @@
+From b9194a0292ce57418b3c9f5faf2ee5509f0fb749 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 1 Mar 2018 14:25:55 -0500
+Subject: [PATCH] Log errors from NSS during FIPS OTP key import
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
+---
+ daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
+index 0c9de96d37183e597867b736d6324db60fa1b3bb..1b9110ebf89a705c9c670d4d33fc7ed615ad25f3 100644
+--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
++++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
+@@ -49,7 +49,9 @@
+ #include <blapit.h>
+ #include <pk11pub.h>
+ #include <hasht.h>
++#include <prerror.h>
+ #include <prnetdb.h>
++#include <syslog.h>
+ 
+ struct digest_buffer {
+     uint8_t buf[SHA512_LENGTH];
+@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
+                                      PK11_ATTR_SESSION |
+                                      PK11_ATTR_PRIVATE |
+                                      PK11_ATTR_SENSITIVE, NULL);
+-    if (!ekey)
++    if (!ekey) {
++        syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
++               PR_GetError());
+         goto egress;
++    }
+ 
+     /* Encrypt the input key. */
+     if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
+-                     ctitem.len, key->data, key->len) != SECSuccess)
++                     ctitem.len, key->data, key->len) != SECSuccess) {
++        syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
++               PR_GetError());
+         goto egress;
++    }
+ 
+     /* Unwrap the input key. */
+     skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
+                              &ctitem, mech, CKA_SIGN, key->len);
++    if (!skey) {
++        syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
++               PR_GetError());
++    }
+ 
+ egress:
+     PK11_FreeSymKey(ekey);
+-- 
+2.14.3
+
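Review bot: The error code from the initial `PK11_ImportSymKey` failure that triggers the fallback is never logged and is overwritten by the later NSS calls, so when the fallback also fails the operator only sees the second error; capture it right after the failed import (at the top of import_key, outside this hunk) with `PRErrorCode import_err = PR_GetError();` and include it in the messages. The three messages assert "in FIPS", but the fallback runs whenever direct import fails for any reason (the comment above says "probably"), so phrase them as e.g. `"libotp: PK11_TokenKeyGenWithFlags failed during key import fallback: %d (%s)"` with `PR_ErrorToName(PR_GetError())` from the newly included prerror.h for a readable name. syslog(3) also bypasses the directory server's own log; if the rest of this plugin logs through slapi_log_error, that would be the consistent choice — not visible in this hunk.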
diff --git a/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
new file mode 100644
index 0000000..0a475e2
--- /dev/null
+++ b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
@@ -0,0 +1,111 @@
+From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 14 Mar 2018 16:13:17 +0100
+Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
+ right master
+
+During ipa-replica-install, http installation first creates a service
+principal for http/hostname (locally on the soon-to-be-replica), then
+waits for this entry to be replicated on the master picked for the
+install.
+In a later step, the installer requests a certificate for HTTPd. The local
+certmonger first tries the master defined in xmlrpc_uri (which is
+pointing to the soon-to-be-replica), but fails because the service is not
+up yet. Then certmonger tries to find a master by using the DNS and looking
+for a ldap service. This step can pick a different master, where the
+principal entry has not always be replicated yet.
+As the certificate request adds the principal if it does not exist, we can
+end by re-creating the principal and have a replication conflict.
+
+The replication conflict later causes kerberos issues, preventing
+from installing a new replica.
+
+The proposed fix forces xmlrpc_uri to point to the same master as the one
+picked for the installation, in order to make sure that the master already
+contains the principal entry.
+
+https://pagure.io/freeipa/issue/7041
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
+ 1 file changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
+                          'on master: %s', str(e))
+ 
+ 
+-def create_ipa_conf(fstore, config, ca_enabled):
++def create_ipa_conf(fstore, config, ca_enabled, master=None):
++    """
++    Create /etc/ipa/default.conf master configuration
++    :param fstore: sysrestore file store used for backup and restore of
++                   the server configuration
++    :param config: replica config
++    :param ca_enabled: True if the topology includes a CA
++    :param master: if set, the xmlrpc_uri parameter will use the provided
++                   master instead of this host
++    """
+     # Save client file on Domain Level 1
+     target_fname = paths.IPA_DEFAULT_CONF
+     fstore.backup_file(target_fname)
+@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
+     ipaconf.setOptionAssignment(" = ")
+     ipaconf.setSectionNameDelimiters(("[", "]"))
+ 
+-    xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+-                    ipautil.format_netloc(config.host_name))
++    if master:
++        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++            ipautil.format_netloc(master))
++    else:
++        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++                        ipautil.format_netloc(config.host_name))
+     ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
+                     installutils.realm_to_serverid(config.realm_name))
+ 
+@@ -1431,6 +1444,25 @@ def install(installer):
+     # we now need to enable ssl on the ds
+     ds.enable_ssl()
+ 
++    if promote:
++        # We need to point to the master when certmonger asks for
++        # HTTP certificate.
++        # During http installation, the HTTP/hostname principal is created
++        # locally then the installer waits for the entry to appear on the
++        # master selected for the installation.
++        # In a later step, the installer requests a SSL certificate through
++        # Certmonger (and the op adds the principal if it does not exist yet).
++        # If xmlrpc_uri points to the soon-to-be replica,
++        # the httpd service is not ready yet to handle certmonger requests
++        # and certmonger tries to find another master. The master can be
++        # different from the one selected for the installation, and it is
++        # possible that the principal has not been replicated yet. This
++        # may lead to a replication conflict.
++        # This is why we need to force the use of the same master by
++        # setting xmlrpc_uri
++        create_ipa_conf(fstore, config, ca_enabled,
++                        master=config.master_host_name)
++
+     install_http(
+         config,
+         auto_redirect=not options.no_ui_redirect,
+@@ -1439,6 +1471,10 @@ def install(installer):
+         ca_is_configured=ca_enabled,
+         ca_file=cafile)
+ 
++    if promote:
++        # Need to point back to ourself after the cert for HTTP is obtained
++        create_ipa_conf(fstore, config, ca_enabled)
++
+     otpd = otpdinstance.OtpdInstance()
+     otpd.create_instance('OTPD', config.host_name,
+                          ipautil.realm_to_suffix(config.realm_name))
+-- 
+2.14.3
+
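Review bot: The temporary redirection of `xmlrpc_uri` to the master is only undone if `install_http` returns normally; an exception in between leaves /etc/ipa/default.conf pointing at a remote master, and unless the failure path restores the sysrestore backup (not visible here) the half-installed host would later send its API calls, and certmonger its requests, to that master. Wrapping the call in try/finally restores the local URI on every path; the rewritten lines follow. Calling `create_ipa_conf` twice also calls `fstore.backup_file` twice, which is harmless if the store skips an already-backed-up file — I believe it does but cannot confirm from this hunk. In `create_ipa_conf` the two format branches can collapse to `ipautil.format_netloc(master or config.host_name)`. The enclosing `install()` function starts and ends outside the hunk.
```python
    if promote:
        # Point xmlrpc_uri at the install master so certmonger's HTTP cert
        # request lands where the HTTP/hostname principal already exists.
        create_ipa_conf(fstore, config, ca_enabled,
                        master=config.master_host_name)
    try:
        install_http(
            config,
            # … unchanged: remaining install_http arguments …
            ca_file=cafile)
    finally:
        if promote:
            # Restore the local URI even if install_http failed.
            create_ipa_conf(fstore, config, ca_enabled)
```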
diff --git a/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch b/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch
new file mode 100644
index 0000000..cdb3af3
--- /dev/null
+++ b/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch
@@ -0,0 +1,38 @@
+From d1506d6a44b4c4b85772cd0764113f2b20a147fe Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka <slaznick@redhat.com>
+Date: Fri, 6 Apr 2018 09:10:20 +0200
+Subject: [PATCH] replica-install: pass --ip-address to client install
+
+In replica DL1 installation, the --ip-address option was not passed
+down to the ipa-client-install script (when not promoting client).
+This resulted in creating DNS records for all of the host's interface
+IP adresses instead of just those specified.
+
+This patch passes all the --ip-address options down to the client
+installation script.
+
+https://pagure.io/freeipa/issue/7405
+
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 5a37aea0ac913d5c9cb88346345ba5760a9e923d..42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -942,6 +942,10 @@ def ensure_enrolled(installer):
+         args.append("--mkhomedir")
+     if installer.force_join:
+         args.append("--force-join")
++    if installer.ip_addresses:
++        for ip in installer.ip_addresses:
++            # installer.ip_addresses is of type [CheckedIPAddress]
++            args.extend(("--ip-address", str(ip)))
+ 
+     try:
+         # Call client install script
+-- 
+2.14.3
+
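Review bot: The `if installer.ip_addresses:` guard around the loop is redundant — iterating an empty list adds nothing — so the block can be just `for ip in installer.ip_addresses: args.extend(("--ip-address", str(ip)))`, assuming `ip_addresses` is a list rather than None when the option is unset (its default is not visible here; if it can be None the guard earns its keep and the comment should say so). Passing each address as its own argv element keeps this safe for the list-form subprocess call below, so there is no quoting concern. `ensure_enrolled` starts and ends outside the hunk.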
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index a577d73..c62497d 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 70850c65eaefffc73d4f39cd9cc5490a6a5bb785 Mon Sep 17 00:00:00 2001
+From 0efc9d0a7e4c04d44eee4c408d426f91dc76be9c Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -113,7 +113,7 @@ index 319952cb6ffe82339b578e8d7fe3eb7a83d53169..e631b89c6774b8ea43f5156293fee137
  ipa\-client\-install \- Configure an IPA client
  .SH "SYNOPSIS"
 diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
-index 08f6ec40d362b88a974e6ec735ed37c271e01882..3db48cc9204908dc63fdee6b3917331da43cd424 100644
+index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..bf1e72a3672a72554f9563a41d4eeed88bfd272b 100644
 --- a/client/man/ipa-getkeytab.1
 +++ b/client/man/ipa-getkeytab.1
 @@ -17,7 +17,7 @@
@@ -125,7 +125,7 @@ index 08f6ec40d362b88a974e6ec735ed37c271e01882..3db48cc9204908dc63fdee6b3917331d
  .SH "NAME"
  ipa\-getkeytab \- Get a keytab for a Kerberos principal
  .SH "SYNOPSIS"
-@@ -112,7 +112,7 @@ GSSAPI or EXTERNAL.
+@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL.
  \fB\-r\fR
  Retrieve mode. Retrieve an existing key from the server instead of generating a
  new one. This is incompatibile with the \-\-password option, and will work only
@@ -545,7 +545,7 @@ index 4fc55e8bf585f3612310f31282e9d3705c824dd1..6c4d94b7d67da016ec37a89b040ec819
  ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
  .SH "SYNOPSIS"
 diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
-index 7d241324818dd3a5294da5e84b67a19d0d9a31b6..f1ed8860d7ecebd7a23d60a621adea0947eca9da 100644
+index a1284135ac67de2b67b322aec3f6bbfb05f1a8ec..4301128afc65780ab73654d8c213a4f8ce4763a2 100644
 --- a/install/tools/man/ipa-replica-install.1
 +++ b/install/tools/man/ipa-replica-install.1
 @@ -1,7 +1,7 @@
@@ -566,7 +566,7 @@ index 7d241324818dd3a5294da5e84b67a19d0d9a31b6..f1ed8860d7ecebd7a23d60a621adea09
  
  If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica.
  
-@@ -229,7 +229,7 @@ ldapmodify command info the directory server.
+@@ -232,7 +232,7 @@ ldapmodify command info the directory server.
  .TP
  \fB\-\-add\-agents\fR
  Add IPA masters to the list that allows to serve information about
@@ -615,7 +615,7 @@ index 5f401818a47b64854c2f25fcab4ebb8f96cd3b9e..80a1e70bff1871678259c8436915420c
  ipa\-restore \- Restore an IPA master
  .SH "SYNOPSIS"
 diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
-index 35cd8c6c711119d7c782c6a89ac78b4894cec073..7ba159b29d005337d806b38b7c35de07a2d5d71e 100644
+index 00fd03b6bc2184ec2bbc099fd9799551c07d2390..aa9bb7b8567beadcd068e03f7de21043373af281 100644
 --- a/install/tools/man/ipa-server-certinstall.1
 +++ b/install/tools/man/ipa-server-certinstall.1
 @@ -16,7 +16,7 @@
@@ -998,7 +998,7 @@ index 3e08f4da94651b49876e1427daddbd957f0027ae..c2af9f8462d776d452e4b90d9779f38c
      '''
  
 diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index 97cbc6d8c84ee8fc21b6f8983c7897dc5d30c42d..eb42d1aa905a30ddc83de5a145d4e8d1348fbab9 100644
+index 422474fa915b4876530f304ef9424f6b31cf26cc..8f2cca4f6096fc4093f180c84da7888e8710765a 100644
 --- a/ipaserver/install/server/install.py
 +++ b/ipaserver/install/server/install.py
 @@ -373,7 +373,7 @@ def install_check(installer):
@@ -1011,10 +1011,10 @@ index 97cbc6d8c84ee8fc21b6f8983c7897dc5d30c42d..eb42d1aa905a30ddc83de5a145d4e8d1
      print("This includes:")
      if setup_ca:
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 6aa1157133423e854514de61a69810433e436d2f..1b3fdb238db46e6cd15dccb7d8d88b08f70d3066 100644
+index 42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9..7726b782f36f884e098ca4a5f5a136f7742e5e97 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
-@@ -601,7 +601,7 @@ def check_domain_level_is_supported(current):
+@@ -614,7 +614,7 @@ def check_domain_level_is_supported(current):
      above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
  
      if under_lower_bound or above_upper_bound:
@@ -1046,5 +1046,5 @@ index 28c3f21f113fd14160abd518663f2d582f8653fd..f70943576d861ce7b3a8bc4c29e9ded8
  """) + _("""
  To enable the binddn run the following command to set the password:
 -- 
-2.9.5
+2.14.3
 
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 744cd83..f3a2a0c 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 0cb701b1b4492b8e7234991eef30b5ac77dbd328 Mon Sep 17 00:00:00 2001
+From 154c041a95be7e6cdbcc8e116ff0fc2a785d730f Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
@@ -10,10 +10,10 @@ This reverts commit f4c7f1dd8a9ce530a8291219a904686ee47e59c7.
  2 files changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/freeipa.spec.in b/freeipa.spec.in
-index a8b5ce81fcf9bdb61cd3707e6b68b6f2196e0776..5fc0982188da4f7a3a1438bd5c67aac7bed195a8 100644
+index 80ae98c5515f64a8df8d981ad5e91b05c84e31c1..86189d56ded05dac695d3a7a19f726e197979dc5 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
-@@ -1293,6 +1293,7 @@ fi
+@@ -1292,6 +1292,7 @@ fi
  # END
  %dir %{_usr}/share/ipa
  %{_usr}/share/ipa/wsgi.py*
@@ -22,10 +22,10 @@ index a8b5ce81fcf9bdb61cd3707e6b68b6f2196e0776..5fc0982188da4f7a3a1438bd5c67aac7
  %{_usr}/share/ipa/*.uldif
  %{_usr}/share/ipa/*.template
 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7f89720a6 100644
+index 20635eae22268ff72de73b8b9c430050114bb45b..190f8d851b3567638f8a41e2a4ce10e40e2ec1af 100644
 --- a/ipaserver/install/cainstance.py
 +++ b/ipaserver/install/cainstance.py
-@@ -1311,9 +1311,11 @@ def replica_ca_install_check(config, promote):
+@@ -1321,9 +1321,11 @@ def replica_ca_install_check(config, promote):
      else:
          root_logger.critical(
              'The master CA directory server does not have necessary schema. '
@@ -40,5 +40,5 @@ index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7
  
  
 -- 
-2.9.5
+2.14.3
 
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index d4638ad..8a9757c 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From cf83189d36e1615444b83dc2bf3b27fad215b322 Mon Sep 17 00:00:00 2001
+From c96e727aff6be11c1d90c7b693b77f36d6deeaac Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@ index 01bf9a4f97fc0cf197c0ad12743affa597b54911..d3389ec5d34dba6429986b1c2a6dfb21
  WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
  WSGIScriptReloading Off
 -- 
-2.9.5
+2.14.3
 
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index dabefc9..0ebfcc1 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From f6463c332aebb40be39bcfdf458f20f1dc3d2bbe Mon Sep 17 00:00:00 2001
+From 4f3522e47d1a1c26dc8283c6aa4fc72a33d7133e Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
@@ -75,7 +75,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630
  delete mode 100644 ipatests/test_ipaclient/test_csrgen.py
 
 diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b7654671bcb9 100644
+index 86189d56ded05dac695d3a7a19f726e197979dc5..3cefeeced78de60ced36759acce5ab5c1a0ddd0d 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -198,7 +198,6 @@ BuildRequires:  python-sssdconfig
@@ -94,7 +94,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765
  BuildRequires:  python3-augeas
  %endif # with_python3
  %endif # with_lint
-@@ -545,7 +543,6 @@ Requires: %{name}-client-common = %{version}-%{release}
+@@ -544,7 +542,6 @@ Requires: %{name}-client-common = %{version}-%{release}
  Requires: %{name}-common = %{version}-%{release}
  Requires: python2-ipalib = %{version}-%{release}
  Requires: python-dns >= 1.15
@@ -102,7 +102,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765
  
  %description -n python2-ipaclient
  IPA is an integrated solution to provide centrally managed Identity (users,
-@@ -568,7 +565,6 @@ Requires: %{name}-client-common = %{version}-%{release}
+@@ -567,7 +564,6 @@ Requires: %{name}-client-common = %{version}-%{release}
  Requires: %{name}-common = %{version}-%{release}
  Requires: python3-ipalib = %{version}-%{release}
  Requires: python3-dns >= 1.15
@@ -110,7 +110,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765
  
  %description -n python3-ipaclient
  IPA is an integrated solution to provide centrally managed Identity (users,
-@@ -1434,13 +1430,6 @@ fi
+@@ -1433,13 +1429,6 @@ fi
  %{python_sitelib}/ipaclient/remote_plugins/*.py*
  %dir %{python_sitelib}/ipaclient/remote_plugins/2_*
  %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
@@ -124,7 +124,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765
  %{python_sitelib}/ipaclient-*.egg-info
  
  
-@@ -1465,13 +1454,6 @@ fi
+@@ -1464,13 +1453,6 @@ fi
  %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
  %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
  %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
@@ -1649,5 +1649,5 @@ index 556f8e096976387d24057084c06d53bcb9998a69..00000000000000000000000000000000
 -            _script = generator.csr_script(
 -                principal, {}, 'example', 'identity')
 -- 
-2.9.5
+2.14.3
 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 6b2a564..3cd06b2 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -72,7 +72,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        10%{?dist}
+Release:        10%{?dist}.1
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -80,10 +80,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
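Review bot: Uncommenting Source1–Source4 makes rpmbuild require header-logo.png, login-screen-background.jpg, login-screen-logo.png and product-name.png to be present in SOURCES, and this diff does not show those files being added; if they were not already sitting unused in SOURCES while the lines were commented out, %prep will stop with a missing-source error. The same dependency applies to the `cp %SOURCE1` … `cp %SOURCE4` lines re-enabled in the `@@ -932,10 +938,10 @@` hunk, which copy the images unconditionally. A comment next to the Source lines such as `# branding images are mandatory once Source1-4 are active; keep in sync with the cp lines below` would make the coupling explicit for the next rebase.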
@@ -125,12 +125,18 @@ Patch0034:	0034-WebUI-Add-positive-number-validator.patch
 Patch0035:	0035-WebUI-change-validator-of-page-size-settings.patch
 Patch0036:	0036-WebUI-fix-jslint-error.patch
 Patch0037:	0037-ipa-advise-for-smartcards-updated.patch 
+Patch0038:	0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
+Patch0039:	0039-Fix-OTP-validation-in-FIPS-mode.patch
+Patch0040:	0040-Increase-the-default-token-key-size.patch
+Patch0041:	0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
+Patch0042:	0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
+Patch0043:	0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
+Patch0044:	0044-replica-install-pass-ip-address-to-client-install.patch
 
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
 Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1004:      1004-Remove-csrgen.patch
-Patch1005:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 BuildRequires: libtool, automake, autoconf
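Review bot: Patch0038–Patch0044 are declared here but nothing in this hunk applies them; whether they take effect depends on the %prep section, which is outside this diff — if the spec applies patches with explicit `%patchNNNN -p1` lines rather than a loop or %autosetup, matching application lines are needed for all seven. Patch0039–Patch0041 appear to form a set (the FIPS OTP validation fix, the larger default token key size, and the revert of the FIPS OTP/RADIUS block), and the revert presumably only makes sense alongside the first two; a comment such as `# 0039-0041: keep together, 0041 re-enables OTP/RADIUS under FIPS and relies on 0039/0040` would stop a future rebase from dropping one of them. Minor style point: the new entries copy Patch0037's tab separator while Patch1001–1004 use spaces, and the Patch0037 context line still carries a trailing space.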
@@ -932,10 +938,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 %endif # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -1688,8 +1694,18 @@ fi
 
 
 %changelog
-* Tue Apr 10 2018 CentOS Sources <bugs@centos.org> - 4.5.4-10.el7.centos
-- Roll in CentOS Branding
+* Tue Apr 10 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.5.4-11.el7
+- Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1)
+  - Add a notice to restart ipa services after certs are installed
+- Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode
+  - Fix OTP validation in FIPS mode
+  - Increase the default token key size
+  - Revert "Don't allow OTP or RADIUS in FIPS mode"
+  - Log errors from NSS during FIPS OTP key import
+- Resolves: #1565520 ipa client pointing to replica shows KDC has no support for encryption type
+  - ipa-replica-install: make sure that certmonger picks the right master
+- Resolves: #1565605 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface
+  - replica-install: pass --ip-address to client install
 
 * Wed Feb 07 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.5.4-10.el7
 - Resolves: #1540361 ipa-advise for smartcards is out-of-date
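Review bot: The new changelog header says `4.5.4-11.el7`, but the Release field in the `@@ -72,7 +72,7 @@` hunk becomes `10%{?dist}.1`, which expands to 4.5.4-10.el7.1, so the two cannot both be right and rpmlint will report incoherent-version-in-changelog. Either bump to `Release:        11%{?dist}` or change the header to `- 4.5.4-10.el7.1` so the entry matches the package actually built. The previous `4.5.4-10.el7.centos` entry is dropped rather than superseded, which removes that build from the package's own history; that is presumably intentional given the branding change, but worth confirming rather than leaving implicit.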